UNCLASSIFIED - NO CUI

Commits on Source (4)
......@@ -2,6 +2,10 @@
Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
## [1.0.1-bb.6] - 2022-10-18
### Changed
- ironbank/opensource/kubernetes/kubectl updated from v1.24.4 to v1.25.3
## [1.0.1-bb.5] - 2022-09-14
### Changed
- Changed `disallow-nodeport-services` to `audit`
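Review bot: the 1.0.1-bb.6 entry records only the kubectl bump, yet the same revision range also adds `list`/`watch` verbs to the chart's RBAC rules, corrects the documented `validationFailureAction` of `disallow-pod-exec` from `attach` to `audit`, and rewrites the bbtest script's Kyverno denial-message patterns. Add those under `### Changed` (or `### Fixed`) so an operator reviewing the upgrade sees that the job's role permissions widened and that the test expectations now depend on different admission wording.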
......
# kyverno-policies
![Version: 1.0.1-bb.5](https://img.shields.io/badge/Version-1.0.1--bb.5-informational?style=flat-square) ![AppVersion: 1.0.1](https://img.shields.io/badge/AppVersion-1.0.1-informational?style=flat-square)
![Version: 1.0.1-bb.6](https://img.shields.io/badge/Version-1.0.1--bb.6-informational?style=flat-square) ![AppVersion: 1.0.1](https://img.shields.io/badge/AppVersion-1.0.1-informational?style=flat-square)
Collection of Kyverno security and best-practice policies for Kyverno
......@@ -42,7 +42,7 @@ helm install kyverno-policies chart/
| excludeContainers | list | `[]` | Adds an excludeContainers to all policies. This is merged with any policy-specific excludeContainers. |
| customLabels | object | `{}` | Additional labels to apply to all policies. |
| waitforready.enabled | bool | `true` | Controls wait for ready deployment |
| waitforready.image | object | `{"repository":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl","tag":"v1.24.4"}` | Image to use in wait for ready job. This must contain kubectl. |
| waitforready.image | object | `{"repository":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl","tag":"v1.25.3"}` | Image to use in wait for ready job. This must contain kubectl. |
| waitforready.imagePullSecrets | list | `[]` | Pull secret for wait for ready job |
| policies.sample | object | `{"enabled":false,"exclude":{},"match":{},"parameters":{"excludeContainers":[]},"validationFailureAction":"audit","webhookTimeoutSeconds":""}` | Sample policy showing values that can be added to any policy |
| policies.sample.enabled | bool | `false` | Controls policy deployment |
......@@ -65,7 +65,7 @@ helm install kyverno-policies chart/
| policies.disallow-namespaces | object | `{"enabled":false,"parameters":{"disallow":["default"]},"validationFailureAction":"audit"}` | Prevent pods from using the listed namespaces |
| policies.disallow-namespaces.parameters.disallow | list | `["default"]` | List of namespaces to deny pod deployment |
| policies.disallow-nodeport-services | object | `{"enabled":true,"validationFailureAction":"audit"}` | Prevent services of the type NodePort |
| policies.disallow-pod-exec | object | `{"enabled":false,"validationFailureAction":"attach"}` | Prevent the use of `exec` or `attach` on pods |
| policies.disallow-pod-exec | object | `{"enabled":false,"validationFailureAction":"audit"}` | Prevent the use of `exec` or `attach` on pods |
| policies.disallow-privilege-escalation | object | `{"enabled":true,"validationFailureAction":"enforce"}` | Prevent privilege escalation on pods |
| policies.disallow-privileged-containers | object | `{"enabled":true,"validationFailureAction":"enforce"}` | Prevent containers that run as privileged |
| policies.disallow-selinux-options | object | `{"enabled":true,"parameters":{"disallow":["user","role"]},"validationFailureAction":"enforce"}` | Prevent specified SELinux options from being used on pods. |
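Review bot: the `disallow-pod-exec` row changes `validationFailureAction` from `attach`, which is not an action this table uses anywhere else (every other policy is `audit` or `enforce`), to `audit`, but no matching values.yaml hunk appears in this comparison. If this table is generated from values.yaml comments, fix the source comment as well or the correction will be lost on the next regeneration; either way the fix deserves a CHANGELOG line.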
......@@ -143,7 +143,7 @@ helm install kyverno-policies chart/
| additionalPolicies.samplePolicy.annotations."policies.kyverno.io/description" | string | `"This sample policy blocks pods from deploying into the 'default' namespace."` | Description of what the policy does, why it is important, and what items are allowed or unallowed. |
| additionalPolicies.samplePolicy.spec | object | `{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}` | Policy specification. See `kubectl explain clusterpolicies.spec` |
| additionalPolicies.samplePolicy.spec.rules | list | `[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]` | Policy rules. At least one is required |
| bbtests | object | `{"enabled":false,"imagePullSecret":"private-registry","scripts":{"additionalVolumeMounts":[{"mountPath":"/yaml","name":"kyverno-policies-bbtest-manifests"},{"mountPath":"/.kube/cache","name":"kyverno-policies-bbtest-kube-cache"}],"additionalVolumes":[{"configMap":{"name":"kyverno-policies-bbtest-manifests"},"name":"kyverno-policies-bbtest-manifests"},{"emptyDir":{},"name":"kyverno-policies-bbtest-kube-cache"}],"envs":{"ENABLED_POLICIES":"{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}","IMAGE_PULL_SECRET":"{{ .Values.bbtests.imagePullSecret }}"},"image":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.24.4"}}` | Reserved values for Big Bang test automation |
| bbtests | object | `{"enabled":false,"imagePullSecret":"private-registry","scripts":{"additionalVolumeMounts":[{"mountPath":"/yaml","name":"kyverno-policies-bbtest-manifests"},{"mountPath":"/.kube/cache","name":"kyverno-policies-bbtest-kube-cache"}],"additionalVolumes":[{"configMap":{"name":"kyverno-policies-bbtest-manifests"},"name":"kyverno-policies-bbtest-manifests"},{"emptyDir":{},"name":"kyverno-policies-bbtest-kube-cache"}],"envs":{"ENABLED_POLICIES":"{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}","IMAGE_PULL_SECRET":"{{ .Values.bbtests.imagePullSecret }}"},"image":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.25.3"}}` | Reserved values for Big Bang test automation |
## Contributing
......
apiVersion: v2
name: kyverno-policies
version: 1.0.1-bb.5
version: 1.0.1-bb.6
appVersion: 1.0.1
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Collection of Kyverno security and best-practice policies for Kyverno
......
......@@ -34,6 +34,8 @@ rules:
- create
- delete
- get
- list
- watch
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
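Review bot: `list` and `watch` are added to a rule whose `resources:` entry lies outside the hunk's context, so a reviewer cannot see which API resource now grants read access, and nothing in the commit says what in the kubectl v1.25.3 wait-for-ready or bbtest flow fails without them. Since these verbs widen the job's role, state the reason in the commit or CHANGELOG and confirm `watch` is actually exercised (a `kubectl wait`, for example, does use it); drop any verb no call path needs.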
......@@ -44,6 +46,7 @@ rules:
- create
- delete
- get
- list
- apiGroups:
- "node.k8s.io"
resources:
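Review bot: this rule, apparently the `rbac.authorization.k8s.io` block that precedes `node.k8s.io`, gains only `list` while the rule in the previous hunk gains both `list` and `watch`; if the asymmetry is intentional, a one-line comment beside the verbs saying why will keep the next contributor from "fixing" it into the broader set.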
......
......@@ -106,7 +106,7 @@ for POLICY in "${POLICIES[@]}"; do
DEPLOYS=$(kubectl apply -f /yaml/$POLICY.yaml 2>&1)
# Verify resources were deployed
NUM_DEPLOYS=$(echo $DEPLOYS | grep -oP "created$|configured$|blocked" | wc -l)
NUM_DEPLOYS=$(echo $DEPLOYS | grep -oP "created$|configured$|denied" | wc -l)
if [ "${#EXPECTED_RESULTS[@]}" -eq "$NUM_DEPLOYS" ]; then
echo -e "${GRN}PASS${NC}"
((PASS+=1))
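Review bot: `echo $DEPLOYS` is unquoted, so kubectl's multi-line output is word-split and joined into a single line before it reaches grep, and the anchored alternatives `created$|configured$` can then match at most once per test no matter how many resources were applied; use `echo "$DEPLOYS"` so each result line is counted (the comparison against `${#EXPECTED_RESULTS[@]}` only works per line). The unanchored `denied` will also hit any other output line containing that word, so anchor it or add a word boundary, and note in the commit which Kyverno version changed the admission text from `blocked` to `denied`.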
......@@ -143,7 +143,7 @@ for POLICY in "${POLICIES[@]}"; do
##### Validate Test
if [ "$TESTTYPE" == "validate" ]; then
ALLOW=$(echo $DEPLOYS | grep -oP "$MANIFEST(?= created)")
BLOCK=$(echo $DEPLOYS | grep -oP "$MANIFEST(?= was blocked)")
BLOCK=$(echo $DEPLOYS | grep -oP "$MANIFEST(?= for resource (error|violation))")
if [ "$EXPECTED" == "pass" ]; then
# Verify manifest is in the allowed list and not in the blocked list
if [ -n "$ALLOW" ] && [ -z "$BLOCK" ]; then
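Review bot: the `BLOCK` check now keys on `for resource (error|violation)` while the deployment count in the earlier hunk keys on `denied`; both must hold for the same Kyverno denial message, otherwise a denied manifest is counted as a deployment but never classified as blocked and the expected-result comparison drifts. Paste one real denial message in a comment next to these two patterns so the coupling to Kyverno's wording is visible the next time it changes. Also, `$MANIFEST` is interpolated into a PCRE pattern unescaped, so a `.` in a name matches any character; wrapping it as `\Q$MANIFEST\E` matches the name literally.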
......@@ -294,4 +294,4 @@ echo -e "${CYN}Test Summary:${NC}"
echo -e " Passing: $PASS"
echo -e " Failing: $FAIL"
echo -e " Total : $TOTAL"
exit $FAIL
\ No newline at end of file
exit $FAIL
......@@ -30,7 +30,7 @@ waitforready:
# -- Image to use in wait for ready job. This must contain kubectl.
image:
repository: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl
tag: v1.24.4
tag: v1.25.3
# -- Pull secret for wait for ready job
imagePullSecrets: []
......@@ -504,7 +504,7 @@ additionalPolicies:
bbtests:
enabled: false
scripts:
image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.24.4
image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.25.3
envs:
ENABLED_POLICIES: '{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join " " $p }}'
IMAGE_PULL_SECRET: '{{ .Values.bbtests.imagePullSecret }}'
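Review bot: the kubectl tag is now pinned in three places (`waitforready.image.tag` in the previous hunk, `bbtests.scripts.image` here, and both rows of the README table), and this change had to touch every one of them; if the test harness renders the `image` field the way it already renders `envs`, deriving it from `waitforready.image` would leave a single place to bump. The README documents `bbtests` as one JSON blob, so a reader has to diff that blob to notice the tag moved; a short `Changed` line in the CHANGELOG naming the tag is the easier signal.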
......