diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c5268a55a6d78eaab05b2b4714e9affb255813a..aeac65dcf7fc9667e3feafa112c2efca09b399a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) --- +## [3.3.4-bb.0] - 2024-12-10 + +### Changed + +- Updated chart from `kyverno-chart-3.2.6` to `kyverno-chart-3.3.4` and app version from `v1.12.6` to `v1.13.2` + ## [3.2.6-bb.3] - 2024-12-03 ### Changed diff --git a/README.md b/README.md index f33bb515df2c5d1d13216aa7639e56fbcfb59007..f61994be40cd6ef5dafb8aafc2761d8e83c5e7ed 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # kyverno-policies -   +   Collection of Kyverno security and best-practice policies for Kyverno 
@@ -56,7 +56,7 @@ helm install kyverno-policies chart/ | customLabels | object | `{}` | Additional labels to apply to all policies. | | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. | | waitforready.enabled | bool | `false` | Controls wait for ready deployment | -| waitforready.image | object | `{"repository":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl","tag":"v1.30.5"}` | Image to use in wait for ready job. This must contain kubectl. | +| waitforready.image | object | `{"repository":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl","tag":"v1.30.6"}` | Image to use in wait for ready job. This must contain kubectl. | | waitforready.imagePullSecrets | list | `[]` | Pull secret for wait for ready job | | policies.sample | object | `{"enabled":false,"exclude":{},"match":{},"parameters":{"excludeContainers":[]},"validationFailureAction":"Audit","webhookTimeoutSeconds":""}` | Sample policy showing values that can be added to any policy | | policies.sample.enabled | bool | `false` | Controls policy deployment | 
@@ -98,8 +98,8 @@ helm install kyverno-policies chart/ | policies.require-image-signature | object | `{"enabled":true,"parameters":{"require":[{"attestors":[{"count":1,"entries":[{"keys":{"ctlog":{"ignoreSCT":true},"publicKeys":"-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtQDv69q1kyiogpxvIVjh\neNMLsI1GTLm+BuLWJN2rq4AA4k3+I7WqdvA1tKJ218DyXExljI3NTD4J5BnLeB6y\nWDvnTPXVu+pNj9W7Az0uyD73/WsMV1QR5VEzWMdMz+ZnN8IGd4JFl9p2N21YBD1R\nY93+K4XgrZ/iSRk+mGBAs87UpF1ku/nru0H2+XwJtoV7pLrrai/pLdQeRh5Ogg9J\nz5qHer9EnZne6eBnZedvpf7bqfRt0Fqqk0pTzLQm4oFD3HnxdJUPt9ccoPx0IyF0\nrB01a53LBTeRXeUcHd5BpwhwgkIm2insbDIp+lBKjUfq4CfqRQcXLLUgtRUij6ke\nQfD7jgI9chBxbVE1U5Mc/RgftXuVGQzx1OrjenD4wIH4whtP1abTg6XLxqjgkgqq\nEJy5kUpv+ut0n1RBiIdH6wYXDum90fq4qQl+gHaER0bOYAQTCIFRrhrWJ8Qxj4uL\nxI+O5KgLX3TanMtfE7e2A86uzxiHBxEW4+AF2IMXuLviIQKc9z+/p93psfQ9nXXj\nB5i6qFWkF0BMuWibB8e+HHWRKLfNWXGdfLraoMPKwCrJWhYQ+8SRrqR+gbSNWbEM\nVardcwrQZ7NP7KIedquYQnfJ3ukbYikKgdBovGStFEPLaKKiYJiD5UIQhZ51SDdA\nk+PgLW7CzKW4u2+WLdjfalkCAwEAAQ==\n-----END PUBLIC KEY-----","rekor":{"ignoreTlog":true,"url":""}}}]}],"imageReferences":["registry1.dso.mil/ironbank/*"],"mutateDigest":false,"verifyDigest":false}]},"validationFailureAction":"Enforce"}` | Require specified images to be signed and verified | | policies.require-image-signature.parameters.require | list | `[{"attestors":[{"count":1,"entries":[{"keys":{"ctlog":{"ignoreSCT":true},"publicKeys":"-----BEGIN PUBLIC 
KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtQDv69q1kyiogpxvIVjh\neNMLsI1GTLm+BuLWJN2rq4AA4k3+I7WqdvA1tKJ218DyXExljI3NTD4J5BnLeB6y\nWDvnTPXVu+pNj9W7Az0uyD73/WsMV1QR5VEzWMdMz+ZnN8IGd4JFl9p2N21YBD1R\nY93+K4XgrZ/iSRk+mGBAs87UpF1ku/nru0H2+XwJtoV7pLrrai/pLdQeRh5Ogg9J\nz5qHer9EnZne6eBnZedvpf7bqfRt0Fqqk0pTzLQm4oFD3HnxdJUPt9ccoPx0IyF0\nrB01a53LBTeRXeUcHd5BpwhwgkIm2insbDIp+lBKjUfq4CfqRQcXLLUgtRUij6ke\nQfD7jgI9chBxbVE1U5Mc/RgftXuVGQzx1OrjenD4wIH4whtP1abTg6XLxqjgkgqq\nEJy5kUpv+ut0n1RBiIdH6wYXDum90fq4qQl+gHaER0bOYAQTCIFRrhrWJ8Qxj4uL\nxI+O5KgLX3TanMtfE7e2A86uzxiHBxEW4+AF2IMXuLviIQKc9z+/p93psfQ9nXXj\nB5i6qFWkF0BMuWibB8e+HHWRKLfNWXGdfLraoMPKwCrJWhYQ+8SRrqR+gbSNWbEM\nVardcwrQZ7NP7KIedquYQnfJ3ukbYikKgdBovGStFEPLaKKiYJiD5UIQhZ51SDdA\nk+PgLW7CzKW4u2+WLdjfalkCAwEAAQ==\n-----END PUBLIC KEY-----","rekor":{"ignoreTlog":true,"url":""}}}]}],"imageReferences":["registry1.dso.mil/ironbank/*"],"mutateDigest":false,"verifyDigest":false}]` | List of images that must be signed and the public key to verify. Use `kubectl explain clusterpolicy.spec.rules.verifyImages` for fields. | | policies.require-istio-on-namespaces | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Require Istio sidecar injection label on namespaces | -| policies.require-labels | object | `{"enabled":true,"parameters":{"require":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app","version"]},"validationFailureAction":"Audit"}` | Require specified labels to be on all pods | -| policies.require-labels.parameters.require | list | `["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app","version"]` | List of labels required on all pods. Entries can be just a "key", or a quoted "key: value". Wildcards '*' and '?' are supported. 
See <https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels> See <https://helm.sh/docs/chart_best_practices/labels/#standard-labels> | +| policies.require-labels | object | `{"enabled":true,"parameters":{"require":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version"]},"validationFailureAction":"Audit"}` | Require specified labels to be on all pods | +| policies.require-labels.parameters.require | list | `["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version"]` | List of labels required on all pods. Entries can be just a "key", or a quoted "key: value". Wildcards '*' and '?' are supported. See <https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels> See <https://helm.sh/docs/chart_best_practices/labels/#standard-labels> | | policies.require-memory-limit | object | `{"enabled":false,"parameters":{"require":["<64Gi"]},"validationFailureAction":"Audit"}` | Require containers have memory limits defined and within the specified range | | policies.require-memory-limit.parameters.require | list | `["<64Gi"]` | Memory limitations (only one required condition needs to be met). Can use standard Kubernetes resource units (e.g. Mi, Gi). The following operators are valid: >, <, >=, <=, !, \|, &. | | policies.require-non-root-group | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Require containers to run with non-root group | 
@@ -161,10 +161,10 @@ helm install kyverno-policies chart/ | additionalPolicies.samplePolicy.spec | object | `{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}` | Policy specification. See `kubectl explain clusterpolicies.spec` | | additionalPolicies.samplePolicy.spec.rules | list | `[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]` | Policy rules. At least one is required | | istio | object | `{"enabled":false}` | BigBang Istio Toggle and Configuration | -| bbtests | object | `{"enabled":false,"imagePullSecret":"private-registry","scripts":{"additionalVolumeMounts":[{"mountPath":"/yaml","name":"kyverno-policies-bbtest-manifests"},{"mountPath":"/.kube/cache","name":"kyverno-policies-bbtest-kube-cache"}],"additionalVolumes":[{"configMap":{"name":"kyverno-policies-bbtest-manifests"},"name":"kyverno-policies-bbtest-manifests"},{"emptyDir":{},"name":"kyverno-policies-bbtest-kube-cache"}],"envs":{"ENABLED_POLICIES":"{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}","IMAGE_PULL_SECRET":"{{ .Values.bbtests.imagePullSecret }}"},"image":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5"}}` | Reserved values for Big Bang test automation | +| bbtests | object | 
`{"enabled":false,"imagePullSecret":"private-registry","scripts":{"additionalVolumeMounts":[{"mountPath":"/yaml","name":"kyverno-policies-bbtest-manifests"},{"mountPath":"/.kube/cache","name":"kyverno-policies-bbtest-kube-cache"}],"additionalVolumes":[{"configMap":{"name":"kyverno-policies-bbtest-manifests"},"name":"kyverno-policies-bbtest-manifests"},{"emptyDir":{},"name":"kyverno-policies-bbtest-kube-cache"}],"envs":{"ENABLED_POLICIES":"{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}","IMAGE_PULL_SECRET":"{{ .Values.bbtests.imagePullSecret }}"},"image":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6"}}` | Reserved values for Big Bang test automation | | waitJob.enabled | bool | `true` | | | waitJob.kind | string | `"ClusterRole"` | | -| waitJob.scripts.image | string | `"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5"` | | +| waitJob.scripts.image | string | `"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6"` | | | waitJob.permissions.apiGroups[0] | string | `"kyverno.io"` | | | waitJob.permissions.resources[0] | string | `"clusterpolicies"` | | | waitJob.permissions.resources[1] | string | `"policies"` | | diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 7156d04ae3a03391fedce307fa5bdc76bfb61ba3..cf35219b804d5c1b9a418b8e004f24559f59c33e 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: kyverno-policies -version: 3.2.6-bb.3 -appVersion: v1.12.6 +version: 3.3.4-bb.0 +appVersion: v1.13.2 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Collection of Kyverno security and best-practice policies for Kyverno keywords: 
@@ -19,11 +19,11 @@ dependencies: annotations: bigbang.dev/maintenanceTrack: bb_integrated bigbang.dev/applicationVersions: | - - Kyverno Policies: 3.2.6 + - Kyverno Policies: 3.3.4 # Kubectl image is used if waitJob.enabled or bbtests.enabled helm.sh/images: | - name: kubectl - image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5 + image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6 condition: waitJob.enabled bigbang.dev/upstreamReleaseNotesMarkdown: | - [Find our upstream chart's CHANGELOG here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/CHANGELOG.md) diff --git a/chart/templates/tests/test-wait-job.yaml b/chart/templates/tests/test-wait-job.yaml index 9b11feaab507e1390bfc1129f463f5ae3e67daaf..5e7299e4c8aed19a2289b51e33ee33588ea99fbb 100644 --- a/chart/templates/tests/test-wait-job.yaml +++ b/chart/templates/tests/test-wait-job.yaml 
@@ -1,46 +1,46 @@ -{{- include "gluon.wait.wait-job-configmap.overrides" (list . "kyverno-policies-wait.wait-configmap") }} -{{- define "kyverno-policies-wait.wait-configmap" }} -metadata: - labels: - {{- include "kyverno-policies.labels" . | nindent 4 }} -{{- end }} ---- -{{ include "gluon.wait.wait-job.overrides" (list . "kyverno-policies-wait.wait-job") }} -{{- define "kyverno-policies-wait.wait-job" }} -metadata: - labels: - {{- include "kyverno-policies.labels" . | nindent 4 }} -{{- end }} ---- -{{ include "gluon.wait.wait-job-sa.overrides" (list . "kyverno-policies-wait.wait-job-sa") }} -{{- define "kyverno-policies-wait.wait-job-sa" }} -metadata: - labels: - {{- include "kyverno-policies.labels" . | nindent 4 }} -{{- end }} ---- -{{ include "gluon.wait.wait-job-role.overrides" (list . "kyverno-policies-wait.wait-job-role") }} -{{- define "kyverno-policies-wait.wait-job-role" }} -kind: {{ .Values.waitJob.kind | default "Role" }} -metadata: - labels: - {{- include "kyverno-policies.labels" . | nindent 4 }} - {{- if ne .Values.waitJob.kind "ClusterRole" }} - namespace: {{ .Release.Namespace }} - {{- end }} -{{- end }} ---- -{{ include "gluon.wait.wait-job-rolebinding.overrides" (list . "kyverno-policies-wait.wait-job-rolebinding") }} -{{- define "kyverno-policies-wait.wait-job-rolebinding" }} -kind: ClusterRoleBinding -metadata: - labels: - {{- include "kyverno-policies.labels" . | nindent 4 }} - {{- if ne .Values.waitJob.kind "ClusterRole" }} - namespace: {{ .Release.Namespace }} - {{- end }} -roleRef: - kind: ClusterRole - name: "{{ .Chart.Name }}-wait-job-role" - apiGroup: rbac.authorization.k8s.io -{{- end }} \ No newline at end of file +{{- include "gluon.wait.wait-job-configmap.overrides" (list . "kyverno-policies-wait.wait-configmap") }} +{{- define "kyverno-policies-wait.wait-configmap" }} +metadata: + labels: + {{- include "kyverno-policies.labels" . | nindent 4 }} +{{- end }} +--- +{{ include "gluon.wait.wait-job.overrides" (list . 
"kyverno-policies-wait.wait-job") }} +{{- define "kyverno-policies-wait.wait-job" }} +metadata: + labels: + {{- include "kyverno-policies.labels" . | nindent 4 }} +{{- end }} +--- +{{ include "gluon.wait.wait-job-sa.overrides" (list . "kyverno-policies-wait.wait-job-sa") }} +{{- define "kyverno-policies-wait.wait-job-sa" }} +metadata: + labels: + {{- include "kyverno-policies.labels" . | nindent 4 }} +{{- end }} +--- +{{ include "gluon.wait.wait-job-role.overrides" (list . "kyverno-policies-wait.wait-job-role") }} +{{- define "kyverno-policies-wait.wait-job-role" }} +kind: {{ .Values.waitJob.kind | default "Role" }} +metadata: + labels: + {{- include "kyverno-policies.labels" . | nindent 4 }} + {{- if ne .Values.waitJob.kind "ClusterRole" }} + namespace: {{ .Release.Namespace }} + {{- end }} +{{- end }} +--- +{{ include "gluon.wait.wait-job-rolebinding.overrides" (list . "kyverno-policies-wait.wait-job-rolebinding") }} +{{- define "kyverno-policies-wait.wait-job-rolebinding" }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "kyverno-policies.labels" . | nindent 4 }} + {{- if ne .Values.waitJob.kind "ClusterRole" }} + namespace: {{ .Release.Namespace }} + {{- end }} +roleRef: + kind: ClusterRole + name: "{{ .Chart.Name }}-wait-job-role" + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/chart/tests/manifests/clone-configs.yaml b/chart/tests/manifests/clone-configs.yaml index e92f0b716881eddc3b1f0c93b35ea306c3c26a1c..07b57ae3bdadae141a13e8b91e9e17b40db0143a 100644 --- a/chart/tests/manifests/clone-configs.yaml +++ b/chart/tests/manifests/clone-configs.yaml @@ -33,4 +33,4 @@ kind: Namespace metadata: name: clone-configs annotations: - kyverno-policies-bbtest/type: ignore \ No newline at end of file + kyverno-policies-bbtest/type: ignore diff --git a/chart/tests/scripts/test-ephemeral.sh b/chart/tests/scripts/test-ephemeral.sh index b94ca7a0b47116447d65545672040e997c140499..67339739052996853f175a95888954710b4abc5c 100755 
--- a/chart/tests/scripts/test-ephemeral.sh +++ b/chart/tests/scripts/test-ephemeral.sh @@ -44,21 +44,22 @@ sleep 10s set +e echo "Step 3: Executing Command: 'kubectl debug $POD_NAME -it --image=busybox'" -result=$(kubectl debug $POD_NAME -it --image=busybox -n $NAMESPACE 2>&1) -set -e +result=$(timeout 10 kubectl debug $POD_NAME -it --image=busybox -n $NAMESPACE 2>&1) echo "output from command:" echo $result -result=$(echo $result | grep "rule block-ephemeral-containers failed"| grep -oP failed) +result=$(echo $result | grep -oP "rule block-ephemeral-containers failed" | grep -oP failed) + +set -e -if [ $result == "failed" ]; then +if [ "$result" == "failed" ]; then echo "ephemeral container creation was sucessfully blocked" echo "Cleanup: Deleting test pod $POD_NAME and $NAMESPACE" kubectl delete pod $POD_NAME -n $NAMESPACE kubectl delete namespace $NAMESPACE --wait=false echo -e "TEST: ${GRN}PASS${NC}" -else +else echo "Cleanup: Deleting test pod $POD_NAME and $NAMESPACE" kubectl delete pod $POD_NAME -n $NAMESPACE kubectl delete namespace $NAMESPACE --wait=false diff --git a/chart/tests/scripts/test-policies.sh b/chart/tests/scripts/test-policies.sh index 0735c7bfe445361f4a8276859dc0a743a0c1096d..d280901f6edf68485148c703e166d9a995763e92 100755 --- a/chart/tests/scripts/test-policies.sh +++ b/chart/tests/scripts/test-policies.sh @@ -53,7 +53,7 @@ done ####################################### # Get initial status of deployed policies -READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.ready==true)].metadata.name}') +READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.conditions[0].status=="True")].metadata.name}') # Test each policy individually for POLICY in "${POLICIES[@]}"; do 
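Review bot: The pass/fail decision in the test-ephemeral.sh hunk still depends on scraping one exact message from kubectl's combined output, and `echo $result` is unquoted, so the text is word-split and glob-expanded before grep sees it. With `timeout 10` added and `set -e` moved below the grep, the exit status of the debug command is discarded, so a session that was admitted and then killed by the timeout is reported the same way as any other error. I would save the status right after the command (`rc=$?`), print a distinct message when it indicates a timeout (124 with GNU timeout), and replace the two greps with `if echo "$result" | grep -q "rule block-ephemeral-containers failed"; then`. `$POD_NAME` and `$NAMESPACE` should be quoted too. The if/else continues past the end of the hunk, so whether the else branch exits non-zero is not visible here.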
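Review bot: The new readiness filter `.status.conditions[0].status=="True"` in test-policies.sh reads whichever condition is first in the list without checking its `type`, so a policy would count as ready if a different condition with status True were ever ordered first. The same expression is repeated in the second hunk of this file and in both hunks of chart/wait/wait.sh, where it gates the job that prints "All policies are ready!". These policies are the cluster's admission controls, so a false "ready" is worth avoiding. Select on the condition type instead, for example `kubectl wait --for=condition=Ready cpol "$POLICY" --timeout=240s` (assuming the type is named `Ready`). At minimum, add a comment above the query stating that index 0 is assumed to be the Ready condition for the Kyverno version this chart targets. The polling loop starts and ends outside this hunk.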
@@ -92,7 +92,7 @@ for POLICY in "${POLICIES[@]}"; do while [ "$ATTEMPT" -le 240 ] && ! echo $READY | grep $POLICY > /dev/null; do ((ATTEMPT+=1)) sleep 1 - READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.ready==true)].metadata.name}') + READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.conditions[0].status=="True")].metadata.name}') done if [ "$ATTEMPT" -gt 240 ]; then echo -e "${RED}FAIL${NC}" diff --git a/chart/values.yaml b/chart/values.yaml index 6296e739d6861958d9f066f4c1678268dd201010..296ef35497123797ad4b79f0aa2c7d5dc0c6a3dc 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -71,7 +71,7 @@ waitforready: # -- Image to use in wait for ready job. This must contain kubectl. image: repository: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl - tag: v1.30.5 + tag: v1.30.6 # -- Pull secret for wait for ready job imagePullSecrets: [] @@ -606,7 +606,7 @@ istio: bbtests: enabled: false scripts: - image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5 + image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6 envs: ENABLED_POLICIES: '{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join " " $p }}' IMAGE_PULL_SECRET: '{{ .Values.bbtests.imagePullSecret }}' @@ -627,7 +627,7 @@ waitJob: enabled: true kind: ClusterRole scripts: - image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5 + image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6 permissions: apiGroups: - kyverno.io diff --git a/chart/wait/wait.sh b/chart/wait/wait.sh index a2bd834c354053f4a7707f9a9b3e4db69c92226d..1709d9ced7792e1dd09f7b3b7a15cfc57009d7ed 100644 --- a/chart/wait/wait.sh +++ b/chart/wait/wait.sh 
@@ -1,7 +1,8 @@ #!/bin/sh timeElapsed=0 POLICIES=($(kubectl get cpol -o jsonpath='{.items[*].metadata.name}')) -READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.ready==true)].metadata.name}') +READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.conditions[0].status=="True")].metadata.name}') + echo for POLICY in "${POLICIES[@]}"; do echo -n "$POLICY:" @@ -12,8 +13,8 @@ for POLICY in "${POLICIES[@]}"; do echo "Timeout" exit 1 fi - READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.ready==true)].metadata.name}') + READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.conditions[0].status=="True")].metadata.name}') done echo "Ready" done -echo All policies are ready! \ No newline at end of file +echo All policies are ready! diff --git a/tests/dependencies.yaml b/tests/dependencies.yaml index 1b341f489232467deace21761345c580b51042a3..924df474b8b583cb768a4a9b6cac306488024bc9 100644 --- a/tests/dependencies.yaml +++ b/tests/dependencies.yaml @@ -1,5 +1,5 @@ kyverno: git: repo: "https://repo1.dso.mil/big-bang/product/packages/kyverno.git" - branch: "main" + branch: "renovate/ironbank" namespace: "kyverno" diff --git a/tests/images.txt b/tests/images.txt index a1c283a198026cf7ec9c7fe70209d399b1340b40..9a036da3dcfc733a581a51eafd139ff9f896cdc5 100644 --- a/tests/images.txt +++ b/tests/images.txt @@ -1 +1 @@ -registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5 +registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6 \ No newline at end of file diff --git a/tests/test-values.yaml b/tests/test-values.yaml index cd762ac7f41f09222c91617b70a90c05b7444737..c8320915ad470a56fd61dcc413390e77bafbc1e2 100644 --- a/tests/test-values.yaml +++ b/tests/test-values.yaml 
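Review bot: In tests/dependencies.yaml, `branch: "renovate/ironbank"` ties this package's test pipeline to a short-lived automation branch that can be rebased, force-pushed or deleted after it merges. The tests then run against code that is not on the reviewed mainline, and they will break once the branch disappears. If this is only needed until the matching kyverno update lands, record that with a comment such as `# TODO: revert to "main" once the matching kyverno update is merged` and restore `branch: "main"` (or a tag) before this change is released.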
@@ -166,14 +166,14 @@ policies: to: registry1.dso.mil update-automountserviceaccounttokens-default: enabled: true - namespaces: + namespaces: - namespace: update-automountserviceaccounttokens-default - + update-automountserviceaccounttokens: enabled: true namespaces: - namespace: update-automountserviceaccounttokens-2 - serviceAccounts: + serviceAccounts: - update-token-automount-2 pods: allow: