# Kyverno Policies merge requests

Feed: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests
Last updated: 2024-03-21T16:32:57Z

---

**MR !146: global exclude add kube-system**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/146
- Updated: 2024-03-21T16:32:57Z
- Author: Ryan Garcia

# General MR
## Summary
Ensuring we aren't blocking or acting on anything in `kube-system`, since different distros and environments have different images/services/templates which are instantiated into the `kube-system` namespace. This is becoming a headache in CI, for helm_tests and upgrade stages:
`Warning PolicyViolation pod/coredns-67f877bcd9-hk4b9 policy restrict-image-registries/validate-registries fail: validation failure: validation error`
## Upgrade Notices
N/A
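To make the exclusion described above concrete, here is an added illustration (not the kyverno-policies chart's own manifest, whose values layout is not shown on this page) of a namespace exclude on the `restrict-image-registries` policy named in the CI warning. The registry allowlist, the `Enforce` action and the rule layout are assumptions for the example.

```yaml
# Added example: a Kyverno ClusterPolicy that validates image registries but
# skips everything in kube-system. Not the Big Bang chart's actual policy;
# registry names, the failure action and the rule layout are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: Enforce   # assumption; Audit would only report
  background: true                   # also scan existing Pods into policy reports
  rules:
    - name: validate-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      # The global exclude: nothing in kube-system is validated, so the
      # distro-specific coredns/kube-proxy/metrics images (which differ per
      # distribution, as the MR notes) no longer trip the rule. Exclude applies
      # to the autogen'd Deployment/DaemonSet rules as well.
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      validate:
        message: >-
          Images must be pulled from an approved registry
          (registry1.dso.mil or registry.dso.mil).
        pattern:
          spec:
            # "=(field)" makes the key optional: only checked when present.
            =(initContainers):
              - image: "registry1.dso.mil/* | registry.dso.mil/*"
            =(ephemeralContainers):
              - image: "registry1.dso.mil/* | registry.dso.mil/*"
            containers:
              - image: "registry1.dso.mil/* | registry.dso.mil/*"
```

The exclusion can be checked offline with the Kyverno CLI (`kyverno apply restrict-image-registries.yaml --resource <coredns-pod.yaml>`) against a Pod manifest dumped from the target distro: a kube-system Pod should come back as skipped rather than failed. The trade-off to state in a threat model is that the exclude is a blanket trust decision for the namespace: anything that can be created in kube-system is no longer screened by any rule carrying this exclude, so the RBAC that gates create/update in kube-system has to carry that weight instead.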
<!--
#### BB Processes
Add labels for affected packages so that they are deployed in CI as well as a status label:
/label ~packageX ~dependencyx ~status::doing
Be sure to assign to yourself:
/assign @yourself
Once it is ready for review switch the status and assign reviewers:
place label status::review
/assign_reviewer @reviewer1 @reviewer2
-->

- Assignee: Ryan Garcia

---

**MR !145: Draft: Update dependency registry1.dso.mil/ironbank/opensource/kubernetes/kubectl to v1.28.8**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/145
- Updated: 2024-03-22T06:07:28Z
- Author: bigbang bot

This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [registry1.dso.mil/ironbank/opensource/kubernetes/kubectl](https://repo1.dso.mil/dsop/opensource/kubernetes/1.28/kubectl) | patch | `v1.28.7` -> `v1.28.8` |
---
### Configuration
📅 **Schedule**: At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this MR and you won't be reminded about these updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this MR, click this checkbox.
---
This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate)
## Upgrade Notices
(Include any relevant notes about upgrades here or write "N/A" if there are none)

---

**MR !144: BigBangBot: Update SBOM**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/144
- Updated: 2024-03-14T16:28:41Z
- Author: bigbang bot
- Assignee: Robert Massey

Closes #99

---

**MR !143: Remove double annotation causing helm failure**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/143
- Updated: 2024-03-07T17:05:32Z
- Author: Robert Massey

# General MR
## Summary
This MR removes the double annotation of `pod-policies.kyverno.io/autogen-controllers`. `values.autogenControllers` got updated from `""` to `none`, causing the prior `with` logic block to always be executed.
## Relevant logs/screenshots
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/97)
## Upgrade Notices
N/A
Relates #97

- Assignee: Robert Massey

---

**MR !142: BigBangBot: Update SBOM**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/142
- Updated: 2024-03-08T16:25:16Z
- Author: bigbang bot
- Assignee: Robert Massey

Closes #98

---

**MR !141: Draft: Debug disallow tolerations**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/141
- Updated: 2024-03-07T16:46:03Z
- Author: Robert Massey

# General MR
## Summary
(Summarize the purpose of the MR)
## Relevant logs/screenshots
(Include any relevant logs/screenshots)
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/bigbang/-/issues/<number>)
## Upgrade Notices
(Include any relevant notes about upgrades here or write "N/A" if there are none)
---

**MR !140: Fix automount serviceaccount token audit / mutator for StatefulSet and Deployments**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/140
- Updated: 2024-03-05T19:03:36Z
- Author: Dustin Hilgaertner

# General MR
## Summary
Fix automount serviceaccount token audit / mutator for StatefulSet and Deployments
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/95)
## Upgrade Notices
N/A
- Milestone: 2.23.0
- Assignee: Dustin Hilgaertner

---

**MR !139: update policies doc**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/139
- Updated: 2024-02-20T20:54:00Z
- Author: Robert Massey

# General MR
## Summary
The `docs/policies.md` is a little out of date with current policies available - need to update accordingly
## Relevant logs/screenshots
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/76)
## Upgrade Notices
N/A
Closes https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/76

- Milestone: 2.22.0
- Assignee: Robert Massey

---

**MR !138: Update dependency registry1.dso.mil/ironbank/opensource/kubernetes/kubectl to v1.28.7**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/138
- Updated: 2024-02-23T18:10:18Z
- Author: bigbang bot

This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [registry1.dso.mil/ironbank/opensource/kubernetes/kubectl](https://repo1.dso.mil/dsop/opensource/kubernetes/1.27/kubectl) | patch | `v1.28.6` -> `v1.28.7` |
---
### Configuration
📅 **Schedule**: At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Renovate will not automatically rebase this PR, because other commits have been found.
🔕 **Ignore**: Close this MR and you won't be reminded about these updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this MR, click this checkbox.
---
This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate)
## Upgrade Notices
N/A

- Milestone: 2.22.0
- Assignee: Megan Wolf

---

**MR !137: BigBangBot: Update SBOM**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/137
- Updated: 2024-02-08T15:20:50Z
- Author: bigbang bot

Closes #93

---

**MR !136: BigBangBot: Update SBOM**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/136
- Updated: 2024-02-07T14:37:45Z
- Author: bigbang bot

Closes #91

---

**MR !135: Docs: Add additional methods for integration testing SKIP UPGRADE SKIP UPDATE CHECK**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/135
- Updated: 2024-02-05T18:40:20Z
- Author: Noah Birrer

# General MR
## Summary
`./docs/integration_testing` includes methods for testing Kyverno policies within Big Bang as a whole using the Big Bang pipeline. This MR outlines some additional methods for testing policies that one can run in their own development environment or without access to the Big Bang pipeline.
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/88)
## Upgrade Notices
N/A

- Assignee: Noah Birrer

---

**MR !134: updated allowed sysctls**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/134
- Updated: 2024-02-01T16:50:11Z
- Author: Megan Wolf

# General MR
## Summary
Per [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) there are updated allowed `sysctls`, so updating the kyverno policy allowance list accordingly
## Relevant logs/screenshots
N/A
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/67)
## Upgrade Notices
N/A
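As an added illustration of the allowance list this MR refers to (not the package's own policy file, which is not shown on this page), here is a Kyverno rule that restricts `spec.securityContext.sysctls` to the Pod Security Standards baseline list, with the Kubernetes version from which each entry is permitted. The policy name, failure action and message are assumptions.

```yaml
# Added example: restrict sysctls to the Pod Security Standards baseline list.
# Not the Big Bang chart's own policy; name, action and message are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-sysctls
spec:
  validationFailureAction: Audit   # assumption; switch to Enforce to block
  background: true
  rules:
    - name: check-sysctls
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Setting additional sysctls above the allowed type is disallowed.
          spec.securityContext.sysctls must be unset or only use names from
          the Pod Security Standards baseline list.
        pattern:
          spec:
            =(securityContext):
              # "=(sysctls)" only fires when the list is present; every entry
              # in the Pod's list must then match one of the "|"-separated
              # alternatives below (Kyverno pattern OR syntax).
              =(sysctls):
                - name: >-
                    kernel.shm_rmid_forced |
                    net.ipv4.ip_local_port_range |
                    net.ipv4.ip_unprivileged_port_start |
                    net.ipv4.tcp_syncookies |
                    net.ipv4.ping_group_range |
                    net.ipv4.ip_local_reserved_ports |
                    net.ipv4.tcp_keepalive_time |
                    net.ipv4.tcp_fin_timeout |
                    net.ipv4.tcp_keepalive_intvl |
                    net.ipv4.tcp_keepalive_probes
# Version notes (from the Pod Security Standards baseline table):
#   net.ipv4.ip_local_reserved_ports      allowed since Kubernetes 1.27
#   net.ipv4.tcp_keepalive_time, net.ipv4.tcp_fin_timeout,
#   net.ipv4.tcp_keepalive_intvl, net.ipv4.tcp_keepalive_probes
#                                         allowed since Kubernetes 1.29
# On older clusters the kubelet will refuse the newer names anyway unless they
# are added to --allowed-unsafe-sysctls, so the allowance list should track the
# oldest Kubernetes version the policy still has to serve.
```

Note that the `>-` folded scalar joins the alternatives with single spaces, which is what Kyverno's `a | b` pattern syntax expects; a literal block (`|`) would embed newlines into the pattern and match nothing.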
Closes #67

- Milestone: 2.20.0
- Assignee: Megan Wolf

---

**MR !133: Fix bug in automountSA to allow SAs to be wildcarded**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/133
- Updated: 2024-01-30T20:08:00Z
- Author: Chris Harden

# General MR
## Summary
Fix automountServiceAccountToken to allow SAs to be wildcarded
## Relevant logs/screenshots
(Include any relevant logs/screenshots)
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/bigbang/-/issues/<number>)
## Upgrade Notices
N/A
- Assignee: Chris Harden

---

**MR !132: Add policy test doc**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/132
- Updated: 2024-01-29T18:23:04Z
- Author: Megan Wolf

# General MR
## Summary
Added document to describe method of testing Kyverno Policies in big bang pipelines
Related to [epic](https://repo1.dso.mil/groups/big-bang/-/epics/188)
## Relevant logs/screenshots
None
## Linked Issue
None
## Upgrade Notices
N/A
- Assignee: Megan Wolf

---

**MR !131: Fix annotations issue 62**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/131
- Updated: 2024-01-30T20:18:59Z
- Author: Dean Naqvi

# General MR
## Summary
- Hardcoded annotation pod-policies.kyverno.io/autogen-controllers removed from disallowed-namespaces ClusterPolicy.
- Default value for {{.Values.autogenController}} set to none instead of empty string
## Relevant logs/screenshots
(Include any relevant logs/screenshots)
## Linked Issue
https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/62
## Upgrade Notices
N/A
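An added illustration of the Go-template pitfall behind this MR and MR !143 above (not the chart's actual template, whose layout is not on this page): once the default became `none`, a `{{ with }}` block guarding the annotation is always entered, because Go templates treat any non-empty string as true, so a policy that also carries the annotation from another source ends up with the same key twice in one mapping and Helm rejects the rendered manifest. The values key, helper layout and policy name below are assumptions.

```yaml
# Added example, not the kyverno-policies chart's template. Assumed values.yaml:
#   autogenControllers: none
#
# --- Before: two sources for the same annotation -------------------------
# "none" is a non-empty string, so `with` is truthy and the second line is
# rendered alongside the hard-coded first line. YAML mappings cannot repeat a
# key, so `helm template`/`helm install` fails on this policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallowed-namespaces
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    {{- with .Values.autogenControllers }}
    pod-policies.kyverno.io/autogen-controllers: {{ . | quote }}
    {{- end }}
---
# --- After: a single source, rendered only for a meaningful value ---------
# The hard-coded copy is gone (as MR !131 did) and the guard is explicit about
# what "unset" means, so "", "none" and a controller list each render once.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallowed-namespaces
  annotations:
    {{- if .Values.autogenControllers }}
    pod-policies.kyverno.io/autogen-controllers: {{ .Values.autogenControllers | quote }}
    {{- end }}
```

A cheap regression check is `helm template . --set autogenControllers=none | grep -c autogen-controllers`, which should equal the number of policies, not twice that. The security-relevant side of the value: `none` tells Kyverno not to auto-generate rules for Pod controllers, so a Pod-scoped validate rule carrying that annotation no longer evaluates the pod templates inside Deployments or StatefulSets at admission; that is intended for a policy like `disallowed-namespaces`, but it is worth confirming per policy rather than as a chart-wide default.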
- Milestone: 2.20.0
- Assignee: Dean Naqvi

---

**MR !130: Fix bug in automountSA to allow SAs to be wildcarded**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/130
- Updated: 2024-01-30T16:26:38Z
- Author: Chris Harden

# General MR
## Summary
Fix automountServiceAccountToken to allow SAs to be wildcarded
## Relevant logs/screenshots
(Include any relevant logs/screenshots)
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/bigbang/-/issues/<number>)
## Upgrade Notices
(Include any relevant notes about upgrades here or write "N/A" if there are none)
- Assignee: Chris Harden

---

**MR !129: Fix automountServiceAccountToken to allow SAs to be wildcarded**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/129
- Updated: 2024-01-26T15:15:06Z
- Author: Chris Harden

# General MR
## Summary
This MR reverts a change that prevented the `automountServiceAccountToken` clusterPolicy to apply the policy to all SAs in a namespace with wildcards
## Relevant logs/screenshots
(Include any relevant logs/screenshots)
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/bigbang/-/issues/<number>)
## Upgrade Notices
N/A
- Milestone: 2.20.0
- Assignee: Chris Harden

---

**MR !128: Refactor PodsToHarden format**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/128
- Updated: 2024-01-29T16:37:51Z
- Author: Dustin Hilgaertner

# General MR
## Summary
Refactor PodsToHarden format
## Linked Issue
[issue](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/64)
## Upgrade Notices
N/A
Closes #64

- Assignee: Dustin Hilgaertner

---

**MR !127: Document service account token hardening epic work**
- URL: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/merge_requests/127
- Updated: 2024-01-17T16:47:54Z
- Author: Justen Mehl

# General MR
## Summary
Adds final documentation for the [Disable automatic mounting of service account tokens](https://repo1.dso.mil/groups/big-bang/-/epics/146) epic.
## Relevant logs/screenshots
N/A
## Linked Issue
Closes https://repo1.dso.mil/big-bang/bigbang/-/issues/1861
## Upgrade Notices
N/A
- Assignee: Justen Mehl
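As an added example, not the package's own policy (its `PodsToHarden`/values layout is not on this page), here is one ClusterPolicy covering the two halves that MRs !129, !130, !133 and !140 above and this epic are about: a mutator that sets `automountServiceAccountToken: false` on ServiceAccounts selected with wildcard names, and an audit rule on Pods that, through the autogen annotation, Kyverno also applies to the pod templates of Deployments and StatefulSets. The namespaces, name patterns and the `Audit` action are assumptions.

```yaml
# Added example: disable automatic service account token mounting.
# Not the Big Bang chart's policy; namespaces, names and action are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disable-automount-sa-token
  annotations:
    # Make Kyverno clone the Pod rule for these controllers' pod templates,
    # so a Deployment or StatefulSet is audited at admission, not only the
    # Pods it eventually creates.
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob
spec:
  validationFailureAction: Audit   # assumption; Enforce blocks non-compliant Pods
  background: true
  rules:
    # 1) Mutator: turn off token automount at the ServiceAccount level.
    #    Kyverno match names accept "*" and "?" wildcards, which is what the
    #    wildcard MRs above restore: one entry per namespace, not per SA.
    - name: mutate-serviceaccounts
      match:
        any:
          - resources:
              kinds:
                - ServiceAccount
              namespaces:
                - monitoring          # assumed namespace
              names:
                - "*"                 # every SA in the namespace
          - resources:
              kinds:
                - ServiceAccount
              namespaces:
                - gitlab              # assumed namespace
              names:
                - "gitlab-runner-*"   # prefix wildcard
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
              names:
                - default             # never touch the cluster's own default SA
      mutate:
        patchStrategicMerge:
          automountServiceAccountToken: false
    # 2) Audit: report Pods (and, via autogen, controller templates) that still
    #    ask for a projected token. The pattern requires the field to be present
    #    and false, so a Pod that merely inherits false from its SA is also
    #    reported; that is deliberate, because the Pod-level field is the one
    #    an attacker controlling a manifest can flip back to true.
    - name: audit-pod-automount
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      validate:
        message: >-
          Pods should set spec.automountServiceAccountToken: false unless the
          workload actually talks to the API server; mount a token explicitly
          via a projected volume in that case.
        pattern:
          spec:
            automountServiceAccountToken: false
```

Two practitioner caveats. Admission-time mutation only touches ServiceAccounts created or updated after the policy is installed; SAs that already exist need Kyverno's mutate-existing form (a `mutate.targets` rule) or a one-off `kubectl patch`. And the audit results only reach a policy report: confirm the state directly with `kubectl get sa -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,AUTOMOUNT:.automountServiceAccountToken` and treat a blank value (field unset) the same as `true`.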