Update templates to be compatible with Kyverno v1.13.2

CHANGELOG.md

@@ -4,6 +4,12 @@ Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 ---
 
+## [3.3.4-bb.0] - 2024-12-10
+
+### Changed
+
+- Updated chart from `kyverno-chart-3.2.6` to `kyverno-chart-3.3.4` and app version from `v1.12.6` to `v1.13.2`
+
 ## [3.2.6-bb.3] - 2024-12-03
 
 ### Changed

README.md

 <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. -->
 # kyverno-policies
 
-![Version: 3.2.6-bb.3](https://img.shields.io/badge/Version-3.2.6--bb.3-informational?style=flat-square) ![AppVersion: v1.12.6](https://img.shields.io/badge/AppVersion-v1.12.6-informational?style=flat-square) ![Maintenance Track: bb_integrated](https://img.shields.io/badge/Maintenance_Track-bb_integrated-green?style=flat-square)
+![Version: 3.3.4-bb.0](https://img.shields.io/badge/Version-3.3.4--bb.0-informational?style=flat-square) ![AppVersion: v1.13.2](https://img.shields.io/badge/AppVersion-v1.13.2-informational?style=flat-square) ![Maintenance Track: bb_integrated](https://img.shields.io/badge/Maintenance_Track-bb_integrated-green?style=flat-square)
 
 Collection of Kyverno security and best-practice policies for Kyverno
 
@@ -56,7 +56,7 @@ helm install kyverno-policies chart/
 | customLabels | object | `{}` | Additional labels to apply to all policies. |
 | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
 | waitforready.enabled | bool | `false` | Controls wait for ready deployment |
-| waitforready.image | object | `{"repository":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl","tag":"v1.30.5"}` | Image to use in wait for ready job.  This must contain kubectl. |
+| waitforready.image | object | `{"repository":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl","tag":"v1.30.6"}` | Image to use in wait for ready job.  This must contain kubectl. |
 | waitforready.imagePullSecrets | list | `[]` | Pull secret for wait for ready job |
 | policies.sample | object | `{"enabled":false,"exclude":{},"match":{},"parameters":{"excludeContainers":[]},"validationFailureAction":"Audit","webhookTimeoutSeconds":""}` | Sample policy showing values that can be added to any policy |
 | policies.sample.enabled | bool | `false` | Controls policy deployment |
@@ -98,8 +98,8 @@ helm install kyverno-policies chart/
 | policies.require-image-signature | object | `{"enabled":true,"parameters":{"require":[{"attestors":[{"count":1,"entries":[{"keys":{"ctlog":{"ignoreSCT":true},"publicKeys":"-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtQDv69q1kyiogpxvIVjh\neNMLsI1GTLm+BuLWJN2rq4AA4k3+I7WqdvA1tKJ218DyXExljI3NTD4J5BnLeB6y\nWDvnTPXVu+pNj9W7Az0uyD73/WsMV1QR5VEzWMdMz+ZnN8IGd4JFl9p2N21YBD1R\nY93+K4XgrZ/iSRk+mGBAs87UpF1ku/nru0H2+XwJtoV7pLrrai/pLdQeRh5Ogg9J\nz5qHer9EnZne6eBnZedvpf7bqfRt0Fqqk0pTzLQm4oFD3HnxdJUPt9ccoPx0IyF0\nrB01a53LBTeRXeUcHd5BpwhwgkIm2insbDIp+lBKjUfq4CfqRQcXLLUgtRUij6ke\nQfD7jgI9chBxbVE1U5Mc/RgftXuVGQzx1OrjenD4wIH4whtP1abTg6XLxqjgkgqq\nEJy5kUpv+ut0n1RBiIdH6wYXDum90fq4qQl+gHaER0bOYAQTCIFRrhrWJ8Qxj4uL\nxI+O5KgLX3TanMtfE7e2A86uzxiHBxEW4+AF2IMXuLviIQKc9z+/p93psfQ9nXXj\nB5i6qFWkF0BMuWibB8e+HHWRKLfNWXGdfLraoMPKwCrJWhYQ+8SRrqR+gbSNWbEM\nVardcwrQZ7NP7KIedquYQnfJ3ukbYikKgdBovGStFEPLaKKiYJiD5UIQhZ51SDdA\nk+PgLW7CzKW4u2+WLdjfalkCAwEAAQ==\n-----END PUBLIC KEY-----","rekor":{"ignoreTlog":true,"url":""}}}]}],"imageReferences":["registry1.dso.mil/ironbank/*"],"mutateDigest":false,"verifyDigest":false}]},"validationFailureAction":"Enforce"}` | Require specified images to be signed and verified |
 | policies.require-image-signature.parameters.require | list | `[{"attestors":[{"count":1,"entries":[{"keys":{"ctlog":{"ignoreSCT":true},"publicKeys":"-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtQDv69q1kyiogpxvIVjh\neNMLsI1GTLm+BuLWJN2rq4AA4k3+I7WqdvA1tKJ218DyXExljI3NTD4J5BnLeB6y\nWDvnTPXVu+pNj9W7Az0uyD73/WsMV1QR5VEzWMdMz+ZnN8IGd4JFl9p2N21YBD1R\nY93+K4XgrZ/iSRk+mGBAs87UpF1ku/nru0H2+XwJtoV7pLrrai/pLdQeRh5Ogg9J\nz5qHer9EnZne6eBnZedvpf7bqfRt0Fqqk0pTzLQm4oFD3HnxdJUPt9ccoPx0IyF0\nrB01a53LBTeRXeUcHd5BpwhwgkIm2insbDIp+lBKjUfq4CfqRQcXLLUgtRUij6ke\nQfD7jgI9chBxbVE1U5Mc/RgftXuVGQzx1OrjenD4wIH4whtP1abTg6XLxqjgkgqq\nEJy5kUpv+ut0n1RBiIdH6wYXDum90fq4qQl+gHaER0bOYAQTCIFRrhrWJ8Qxj4uL\nxI+O5KgLX3TanMtfE7e2A86uzxiHBxEW4+AF2IMXuLviIQKc9z+/p93psfQ9nXXj\nB5i6qFWkF0BMuWibB8e+HHWRKLfNWXGdfLraoMPKwCrJWhYQ+8SRrqR+gbSNWbEM\nVardcwrQZ7NP7KIedquYQnfJ3ukbYikKgdBovGStFEPLaKKiYJiD5UIQhZ51SDdA\nk+PgLW7CzKW4u2+WLdjfalkCAwEAAQ==\n-----END PUBLIC KEY-----","rekor":{"ignoreTlog":true,"url":""}}}]}],"imageReferences":["registry1.dso.mil/ironbank/*"],"mutateDigest":false,"verifyDigest":false}]` | List of images that must be signed and the public key to verify.  Use `kubectl explain clusterpolicy.spec.rules.verifyImages` for fields. |
 | policies.require-istio-on-namespaces | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Require Istio sidecar injection label on namespaces |
-| policies.require-labels | object | `{"enabled":true,"parameters":{"require":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app","version"]},"validationFailureAction":"Audit"}` | Require specified labels to be on all pods |
-| policies.require-labels.parameters.require | list | `["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app","version"]` | List of labels required on all pods.  Entries can be just a "key", or a quoted "key: value".  Wildcards '*' and '?' are supported. See <https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels> See <https://helm.sh/docs/chart_best_practices/labels/#standard-labels> |
+| policies.require-labels | object | `{"enabled":true,"parameters":{"require":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version"]},"validationFailureAction":"Audit"}` | Require specified labels to be on all pods |
+| policies.require-labels.parameters.require | list | `["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version"]` | List of labels required on all pods.  Entries can be just a "key", or a quoted "key: value".  Wildcards '*' and '?' are supported. See <https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels> See <https://helm.sh/docs/chart_best_practices/labels/#standard-labels> |
 | policies.require-memory-limit | object | `{"enabled":false,"parameters":{"require":["<64Gi"]},"validationFailureAction":"Audit"}` | Require containers have memory limits defined and within the specified range |
 | policies.require-memory-limit.parameters.require | list | `["<64Gi"]` | Memory limitations (only one required condition needs to be met).  Can use standard Kubernetes resource units (e.g. Mi, Gi).  The following operators are valid: >, <, >=, <=, !, \|, &. |
 | policies.require-non-root-group | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Require containers to run with non-root group |
@@ -161,10 +161,10 @@ helm install kyverno-policies chart/
 | additionalPolicies.samplePolicy.spec | object | `{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}` | Policy specification.  See `kubectl explain clusterpolicies.spec` |
 | additionalPolicies.samplePolicy.spec.rules | list | `[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]` | Policy rules.  At least one is required |
 | istio | object | `{"enabled":false}` | BigBang Istio Toggle and Configuration |
-| bbtests | object | `{"enabled":false,"imagePullSecret":"private-registry","scripts":{"additionalVolumeMounts":[{"mountPath":"/yaml","name":"kyverno-policies-bbtest-manifests"},{"mountPath":"/.kube/cache","name":"kyverno-policies-bbtest-kube-cache"}],"additionalVolumes":[{"configMap":{"name":"kyverno-policies-bbtest-manifests"},"name":"kyverno-policies-bbtest-manifests"},{"emptyDir":{},"name":"kyverno-policies-bbtest-kube-cache"}],"envs":{"ENABLED_POLICIES":"{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}","IMAGE_PULL_SECRET":"{{ .Values.bbtests.imagePullSecret }}"},"image":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5"}}` | Reserved values for Big Bang test automation |
+| bbtests | object | `{"enabled":false,"imagePullSecret":"private-registry","scripts":{"additionalVolumeMounts":[{"mountPath":"/yaml","name":"kyverno-policies-bbtest-manifests"},{"mountPath":"/.kube/cache","name":"kyverno-policies-bbtest-kube-cache"}],"additionalVolumes":[{"configMap":{"name":"kyverno-policies-bbtest-manifests"},"name":"kyverno-policies-bbtest-manifests"},{"emptyDir":{},"name":"kyverno-policies-bbtest-kube-cache"}],"envs":{"ENABLED_POLICIES":"{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}","IMAGE_PULL_SECRET":"{{ .Values.bbtests.imagePullSecret }}"},"image":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6"}}` | Reserved values for Big Bang test automation |
 | waitJob.enabled | bool | `true` |  |
 | waitJob.kind | string | `"ClusterRole"` |  |
-| waitJob.scripts.image | string | `"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5"` |  |
+| waitJob.scripts.image | string | `"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6"` |  |
 | waitJob.permissions.apiGroups[0] | string | `"kyverno.io"` |  |
 | waitJob.permissions.resources[0] | string | `"clusterpolicies"` |  |
 | waitJob.permissions.resources[1] | string | `"policies"` |  |

chart/Chart.yaml

 apiVersion: v2
 name: kyverno-policies
-version: 3.2.6-bb.3
-appVersion: v1.12.6
+version: 3.3.4-bb.0
+appVersion: v1.13.2
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Collection of Kyverno security and best-practice policies for Kyverno
 keywords:
@@ -19,11 +19,11 @@ dependencies:
 annotations:
   bigbang.dev/maintenanceTrack: bb_integrated
   bigbang.dev/applicationVersions: |
-    - Kyverno Policies: 3.2.6
+    - Kyverno Policies: 3.3.4
   # Kubectl image is used if waitJob.enabled or bbtests.enabled
   helm.sh/images: |
     - name: kubectl
-      image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5
+      image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6
       condition: waitJob.enabled
   bigbang.dev/upstreamReleaseNotesMarkdown: |
     - [Find our upstream chart's CHANGELOG here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/CHANGELOG.md)

chart/templates/tests/test-wait-job.yaml

-{{- include "gluon.wait.wait-job-configmap.overrides" (list . "kyverno-policies-wait.wait-configmap") }}
-{{- define "kyverno-policies-wait.wait-configmap" }}
-metadata:
-  labels:
-    {{- include "kyverno-policies.labels" . | nindent 4 }}
-{{- end }}
----
-{{ include "gluon.wait.wait-job.overrides" (list . "kyverno-policies-wait.wait-job") }}
-{{- define "kyverno-policies-wait.wait-job" }}
-metadata:
-  labels:
-    {{- include "kyverno-policies.labels" . | nindent 4 }}
-{{- end }}
----
-{{ include "gluon.wait.wait-job-sa.overrides" (list . "kyverno-policies-wait.wait-job-sa") }}
-{{- define "kyverno-policies-wait.wait-job-sa" }}
-metadata:
-  labels:
-    {{- include "kyverno-policies.labels" . | nindent 4 }}
-{{- end }}
----
-{{ include "gluon.wait.wait-job-role.overrides" (list . "kyverno-policies-wait.wait-job-role") }}
-{{- define "kyverno-policies-wait.wait-job-role" }}
-kind: {{ .Values.waitJob.kind | default "Role" }}
-metadata:
-  labels:
-    {{- include "kyverno-policies.labels" . | nindent 4 }}
-  {{- if ne .Values.waitJob.kind "ClusterRole" }}
-  namespace: {{ .Release.Namespace }}
-  {{- end }}
-{{- end }}
----
-{{ include "gluon.wait.wait-job-rolebinding.overrides" (list . "kyverno-policies-wait.wait-job-rolebinding") }}
-{{- define "kyverno-policies-wait.wait-job-rolebinding" }}
-kind: ClusterRoleBinding 
-metadata:
-  labels:
-    {{- include "kyverno-policies.labels" . | nindent 4 }}
-  {{- if ne .Values.waitJob.kind "ClusterRole" }}
-  namespace: {{ .Release.Namespace }}
-  {{- end }}
-roleRef:
-  kind: ClusterRole
-  name: "{{ .Chart.Name }}-wait-job-role"
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
\ No newline at end of file
+{{- include "gluon.wait.wait-job-configmap.overrides" (list . "kyverno-policies-wait.wait-configmap") }}
+{{- define "kyverno-policies-wait.wait-configmap" }}
+metadata:
+  labels:
+    {{- include "kyverno-policies.labels" . | nindent 4 }}
+{{- end }}
+---
+{{ include "gluon.wait.wait-job.overrides" (list . "kyverno-policies-wait.wait-job") }}
+{{- define "kyverno-policies-wait.wait-job" }}
+metadata:
+  labels:
+    {{- include "kyverno-policies.labels" . | nindent 4 }}
+{{- end }}
+---
+{{ include "gluon.wait.wait-job-sa.overrides" (list . "kyverno-policies-wait.wait-job-sa") }}
+{{- define "kyverno-policies-wait.wait-job-sa" }}
+metadata:
+  labels:
+    {{- include "kyverno-policies.labels" . | nindent 4 }}
+{{- end }}
+---
+{{ include "gluon.wait.wait-job-role.overrides" (list . "kyverno-policies-wait.wait-job-role") }}
+{{- define "kyverno-policies-wait.wait-job-role" }}
+kind: {{ .Values.waitJob.kind | default "Role" }}
+metadata:
+  labels:
+    {{- include "kyverno-policies.labels" . | nindent 4 }}
+  {{- if ne .Values.waitJob.kind "ClusterRole" }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+{{- end }}
+---
+{{ include "gluon.wait.wait-job-rolebinding.overrides" (list . "kyverno-policies-wait.wait-job-rolebinding") }}
+{{- define "kyverno-policies-wait.wait-job-rolebinding" }}
+kind: ClusterRoleBinding 
+metadata:
+  labels:
+    {{- include "kyverno-policies.labels" . | nindent 4 }}
+  {{- if ne .Values.waitJob.kind "ClusterRole" }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+roleRef:
+  kind: ClusterRole
+  name: "{{ .Chart.Name }}-wait-job-role"
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

chart/tests/manifests/clone-configs.yaml

@@ -33,4 +33,4 @@ kind: Namespace
 metadata:
   name: clone-configs
   annotations:
-    kyverno-policies-bbtest/type: ignore
\ No newline at end of file
+    kyverno-policies-bbtest/type: ignore

chart/tests/scripts/test-ephemeral.sh

@@ -44,21 +44,22 @@ sleep 10s
 
 set +e
 echo "Step 3: Executing Command: 'kubectl debug $POD_NAME -it --image=busybox'"
-result=$(kubectl debug $POD_NAME -it --image=busybox -n $NAMESPACE 2>&1)
-set -e
+result=$(timeout 10 kubectl debug $POD_NAME -it --image=busybox -n $NAMESPACE 2>&1)
 
 echo "output from command:"
 echo $result
 
-result=$(echo $result | grep "rule block-ephemeral-containers failed"| grep -oP failed)
+result=$(echo $result | grep -oP "rule block-ephemeral-containers failed" | grep -oP failed)
+
+set -e
 
-if [ $result == "failed" ]; then 
+if [ "$result" == "failed" ]; then
   echo "ephemeral container creation was sucessfully blocked"
   echo "Cleanup: Deleting test pod $POD_NAME and $NAMESPACE"
   kubectl delete pod $POD_NAME -n $NAMESPACE
   kubectl delete namespace $NAMESPACE --wait=false
   echo -e "TEST: ${GRN}PASS${NC}"
-else 
+else
   echo "Cleanup: Deleting test pod $POD_NAME and $NAMESPACE"
   kubectl delete pod $POD_NAME -n $NAMESPACE
   kubectl delete namespace $NAMESPACE --wait=false

chart/tests/scripts/test-policies.sh

@@ -53,7 +53,7 @@ done
 #######################################
 
 # Get initial status of deployed policies
-READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.ready==true)].metadata.name}')
+READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.conditions[0].status=="True")].metadata.name}')
 
 # Test each policy individually
 for POLICY in "${POLICIES[@]}"; do
@@ -92,7 +92,7 @@ for POLICY in "${POLICIES[@]}"; do
   while [ "$ATTEMPT" -le 240 ] && ! echo $READY | grep $POLICY > /dev/null; do
     ((ATTEMPT+=1))
     sleep 1
-    READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.ready==true)].metadata.name}')
+    READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.conditions[0].status=="True")].metadata.name}')
   done
   if [ "$ATTEMPT" -gt 240 ]; then
     echo -e "${RED}FAIL${NC}"

chart/values.yaml

@@ -71,7 +71,7 @@ waitforready:
   # -- Image to use in wait for ready job.  This must contain kubectl.
   image:
     repository: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl
-    tag: v1.30.5
+    tag: v1.30.6
   # -- Pull secret for wait for ready job
   imagePullSecrets: []
 
@@ -606,7 +606,7 @@ istio:
 bbtests:
   enabled: false
   scripts:
-    image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5
+    image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6
     envs:
       ENABLED_POLICIES: '{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join " " $p }}'
       IMAGE_PULL_SECRET: '{{ .Values.bbtests.imagePullSecret }}'
@@ -627,7 +627,7 @@ waitJob:
   enabled: true
   kind: ClusterRole
   scripts:
-    image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5
+    image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6
   permissions:
     apiGroups:
       - kyverno.io

chart/wait/wait.sh

 #!/bin/sh
 timeElapsed=0
 POLICIES=($(kubectl get cpol -o jsonpath='{.items[*].metadata.name}'))
-READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.ready==true)].metadata.name}')
+READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.conditions[0].status=="True")].metadata.name}')
+
 echo
 for POLICY in "${POLICIES[@]}"; do
     echo -n "$POLICY:"
@@ -12,8 +13,8 @@ for POLICY in "${POLICIES[@]}"; do
             echo "Timeout"
             exit 1
         fi
-        READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.ready==true)].metadata.name}')
+        READY=$(kubectl get cpol -o jsonpath='{.items[?(.status.conditions[0].status=="True")].metadata.name}')
     done
     echo "Ready"
 done
-echo All policies are ready!
\ No newline at end of file
+echo All policies are ready!

tests/dependencies.yaml

 kyverno:
   git:
     repo: "https://repo1.dso.mil/big-bang/product/packages/kyverno.git"
-    branch: "main"
+    branch: "renovate/ironbank"
   namespace: "kyverno"

tests/images.txt

-registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5
+registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6
\ No newline at end of file

tests/test-values.yaml

@@ -166,14 +166,14 @@ policies:
         to: registry1.dso.mil
   update-automountserviceaccounttokens-default:
     enabled: true
-    namespaces: 
+    namespaces:
       - namespace: update-automountserviceaccounttokens-default
-        
+
   update-automountserviceaccounttokens:
     enabled: true
     namespaces:
       - namespace: update-automountserviceaccounttokens-2
-        serviceAccounts: 
+        serviceAccounts:
         - update-token-automount-2
         pods:
           allow: