Merge branch 'main' into main

.github/actions/run-tests/action.yaml

@@ -7,8 +7,12 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
     - name: Install Chainsaw
-      uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
+      uses: kyverno/action-install-chainsaw@b2f61a8d0459a65c476ac802514d88e1612b3396 # v0.2.9
+      with:
+        verify: true
     - name: Test with Chainsaw
       shell: bash
       run: |

.github/dependabot.yml

@@ -1,6 +1,8 @@
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /
+    directories:
+      - /
+      - /.github/actions/*/
     schedule:
       interval: daily

.github/workflows/cel-test.yml

@@ -3,10 +3,10 @@ name: E2E Tests - CEL
 permissions: {}
 
 on:
-  workflow_dispatch: {}
   pull_request:
     branches:
-      - 'main'
+      - main
+      - release-*
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/check-actions.yaml

@@ -3,13 +3,10 @@ name: Check actions
 permissions: {}
 
 on:
-  push:
-    branches:
-      - '*'
   pull_request:
     branches:
-      - 'main'
-      - 'release*'
+      - main
+      - release-*
 
 jobs:
   check:
@@ -18,7 +15,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@3c16e895bb662b4d7e284f032cbe8835a57773cc # v3.0.11
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@0901cf7b71c7ea6261ec69a3dc2bd3f9264f893e # v3.0.12
         with:
           allowlist: |
             kyverno/chainsaw

.github/workflows/check-codegen.yml

@@ -6,6 +6,7 @@ on:
   pull_request:
     branches:
       - main
+      - release-*
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/ci.yml

@@ -3,13 +3,10 @@ name: Policy Test
 permissions: {}
 
 on:
-  push:
-    branches:
-      - '*'
   pull_request:
     branches:
       - main
-      - release*
+      - release-*
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,6 +26,7 @@ jobs:
       - name: Run ah lint
         working-directory: .
         run: ah lint -k kyverno
+
   test:
     runs-on: ubuntu-latest
     steps:

.github/workflows/test.yml

@@ -8,10 +8,10 @@ name: E2E Tests
 permissions: {}
 
 on:
-  workflow_dispatch: {}
   pull_request:
     branches:
-      - 'main'
+      - main
+      - release-*
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -408,7 +408,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(block-pod-exec-by-pod-label|block-pod-exec-by-pod-name|block-stale-images|block-updates-deletes|check-env-vars|check-hpa-exists|check-nvidia-gpu|check-serviceaccount|check-serviceaccount-secrets|check-subjectaccessreview|check-vpa-configuration|concatenate-configmaps)$
+          tests: ^other$/^(block-pod-exec-by-pod-label|block-pod-exec-by-pod-name|block-stale-images|block-updates-deletes|check-env-vars|check-hpa-exists|check-ingress-nginx-controller-version-and-annotation-policy|check-nvidia-gpu|check-serviceaccount|check-serviceaccount-secrets|check-subjectaccessreview|check-vpa-configuration)$
   other-48:
     strategy:
       fail-fast: false
@@ -425,7 +425,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(copy-namespace-labels|create-default-pdb|create-pod-antiaffinity|deny-commands-in-exec-probe|deny-secret-service-account-token-type|deployment-replicas-higher-than-pdb|disable-automountserviceaccounttoken|disable-service-discovery|disallow-all-secrets|disallow-localhost-services|disallow-secrets-from-env-vars|dns-policy-and-dns-config)$
+          tests: ^other$/^(concatenate-configmaps|copy-namespace-labels|create-default-pdb|create-pod-antiaffinity|deny-commands-in-exec-probe|deny-secret-service-account-token-type|deployment-replicas-higher-than-pdb|disable-automountserviceaccounttoken|disable-service-discovery|disallow-all-secrets|disallow-localhost-services|disallow-secrets-from-env-vars)$
   other-60:
     strategy:
       fail-fast: false
@@ -442,7 +442,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(docker-socket-requires-label|enforce-pod-duration|enforce-resources-as-ratio|ensure-probes-different|ensure-production-matches-staging|ensure-readonly-hostpath|exclude-namespaces-dynamically|forbid-cpu-limits|generate-networkpolicy-existing|get-debug-information|imagepullpolicy-always|ingress-host-match-tls)$
+          tests: ^other$/^(dns-policy-and-dns-config|docker-socket-requires-label|enforce-pod-duration|enforce-resources-as-ratio|ensure-probes-different|ensure-production-matches-staging|ensure-readonly-hostpath|exclude-namespaces-dynamically|forbid-cpu-limits|generate-networkpolicy-existing|get-debug-information|imagepullpolicy-always)$
   other-72:
     strategy:
       fail-fast: false
@@ -459,7 +459,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(inject-env-var-from-image-label|inject-sidecar-deployment|inspect-csr|kubernetes-version-check|label-existing-namespaces|label-nodes-cri|limit-configmap-for-sa|limit-containers-per-pod|limit-hostpath-type-pv|limit-hostpath-vols|memory-requests-equal-limits|metadata-match-regex)$
+          tests: ^other$/^(ingress-host-match-tls|inject-env-var-from-image-label|inject-sidecar-deployment|inspect-csr|kubernetes-version-check|label-existing-namespaces|label-nodes-cri|limit-configmap-for-sa|limit-containers-per-pod|limit-hostpath-type-pv|limit-hostpath-vols|memory-requests-equal-limits)$
   other-84:
     strategy:
       fail-fast: false
@@ -476,7 +476,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(mitigate-log4shell|mutate-large-termination-gps|mutate-pod-binding|namespace-inventory-check|nfs-subdir-external-provisioner-storage-path|only-trustworthy-registries-set-root|pdb-maxunavailable|pdb-maxunavailable-with-deployments|pdb-minavailable|policy-for-exceptions|prepend-image-registry|prevent-bare-pods)$
+          tests: ^other$/^(metadata-match-regex|mitigate-log4shell|mutate-large-termination-gps|mutate-pod-binding|namespace-inventory-check|nfs-subdir-external-provisioner-storage-path|only-trustworthy-registries-set-root|pdb-maxunavailable|pdb-maxunavailable-with-deployments|pdb-minavailable|policy-for-exceptions|prepend-image-registry)$
   other-96:
     strategy:
       fail-fast: false
@@ -493,7 +493,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(prevent-cr8escape|prevent-duplicate-hpa|prevent-duplicate-vpa|protect-node-taints|record-creation-details|refresh-env-var-in-pod|refresh-volumes-in-pods|remove-hostpath-volumes|remove-serviceaccount-token|replace-image-registry|replace-image-registry-with-harbor|replace-ingress-hosts)$
+          tests: ^other$/^(prevent-bare-pods|prevent-cr8escape|prevent-duplicate-hpa|prevent-duplicate-vpa|protect-node-taints|record-creation-details|refresh-env-var-in-pod|refresh-volumes-in-pods|remove-hostpath-volumes|remove-serviceaccount-token|replace-image-registry|replace-image-registry-with-harbor)$
   other-108:
     strategy:
       fail-fast: false
@@ -510,7 +510,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(require-annotations|require-base-image|require-container-port-names|require-cpu-limits|require-deployments-have-multiple-replicas|require-emptydir-requests-limits|require-image-checksum|require-image-source|require-imagepullsecrets|require-ingress-https|require-netpol|require-non-root-groups)$
+          tests: ^other$/^(replace-ingress-hosts|require-annotations|require-base-image|require-container-port-names|require-cpu-limits|require-deployments-have-multiple-replicas|require-emptydir-requests-limits|require-image-checksum|require-image-source|require-imagepullsecrets|require-ingress-https|require-netpol)$
   other-120:
     strategy:
       fail-fast: false
@@ -527,7 +527,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(require-pdb|require-pod-priorityclassname|require-qos-burstable|require-qos-guaranteed|require-reasonable-pdbs|require-replicas-allow-disruption|require-storageclass|require-unique-external-dns|require-unique-service-selector|require-unique-uid-per-workload|resolve-image-to-digest|resource-creation-updating-denied)$
+          tests: ^other$/^(require-non-root-groups|require-pdb|require-pod-priorityclassname|require-qos-burstable|require-qos-guaranteed|require-reasonable-pdbs|require-replicas-allow-disruption|require-storageclass|require-unique-external-dns|require-unique-service-selector|require-unique-uid-per-workload|resolve-image-to-digest)$
   other-132:
     strategy:
       fail-fast: false
@@ -544,7 +544,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(restart-deployment-on-secret-change|restrict-annotations|restrict-automount-sa-token|restrict-binding-clusteradmin|restrict-binding-system-groups|restrict-clusterrole-csr|restrict-clusterrole-mutating-validating-admission-webhooks|restrict-clusterrole-nodesproxy|restrict-controlplane-scheduling|restrict-deprecated-registry|restrict-escalation-verbs-roles|restrict-ingress-classes)$
+          tests: ^other$/^(resource-creation-updating-denied|restart-deployment-on-secret-change|restrict-annotations|restrict-automount-sa-token|restrict-binding-clusteradmin|restrict-binding-system-groups|restrict-clusterrole-csr|restrict-clusterrole-mutating-validating-admission-webhooks|restrict-clusterrole-nodesproxy|restrict-controlplane-scheduling|restrict-deprecated-registry|restrict-escalation-verbs-roles)$
   other-144:
     strategy:
       fail-fast: false
@@ -561,7 +561,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(restrict-ingress-defaultbackend|restrict-ingress-host|restrict-ingress-wildcard|restrict-jobs|restrict-loadbalancer|restrict-networkpolicy-empty-podselector|restrict-node-affinity|restrict-node-label-changes|restrict-node-label-creation|restrict-node-selection|restrict-pod-controller-serviceaccount-updates|restrict-sa-automount-sa-token)$
+          tests: ^other$/^(restrict-ingress-classes|restrict-ingress-defaultbackend|restrict-ingress-host|restrict-ingress-wildcard|restrict-jobs|restrict-loadbalancer|restrict-networkpolicy-empty-podselector|restrict-node-affinity|restrict-node-label-changes|restrict-node-label-creation|restrict-node-selection|restrict-pod-controller-serviceaccount-updates)$
   other-156:
     strategy:
       fail-fast: false
@@ -578,7 +578,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(restrict-secret-role-verbs|restrict-secrets-by-label|restrict-secrets-by-name|restrict-service-port-range|restrict-storageclass|restrict-usergroup-fsgroup-id|restrict-wildcard-resources|restrict-wildcard-verbs|scale-deployment-zero|spread-pods-across-topology|sync-secrets|topologyspreadconstraints-policy)$
+          tests: ^other$/^(restrict-sa-automount-sa-token|restrict-secret-role-verbs|restrict-secrets-by-label|restrict-secrets-by-name|restrict-service-port-range|restrict-storageclass|restrict-usergroup-fsgroup-id|restrict-wildcard-resources|restrict-wildcard-verbs|scale-deployment-zero|spread-pods-across-topology|sync-secrets)$
   other-168:
     strategy:
       fail-fast: false
@@ -595,7 +595,7 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ^other$/^(unique-ingress-host-and-path|unique-ingress-paths|update-image-tag|verify-vpa-target)$
+          tests: ^other$/^(topologyspreadconstraints-policy|unique-ingress-host-and-path|unique-ingress-paths|update-image-tag|verify-vpa-target)$
   pod-security_baseline:
     strategy:
       fail-fast: false

.hack/chainsaw-matrix/workflow.yaml

@@ -8,10 +8,10 @@ name: E2E Tests
 permissions: {}
 
 on:
-  workflow_dispatch: {}
   pull_request:
     branches:
-      - 'main'
+      - main
+      - release-*
 
 concurrency:
   group: {{ print "${{ github.workflow }}-${{ github.ref }}" }}

README.md

@@ -59,7 +59,7 @@ metadata:
     policies.kyverno.io/description: >-
       Adding capabilities beyond those listed in the policy must be disallowed.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: my-rule-name

argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: application-field-validation
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: application-prevent-default-project
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo-cel/application-prevent-updates-project/.chainsaw-test/policy-ready.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: application-prevent-updates-project
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo-cel/applicationset-name-matches-project/.chainsaw-test/policy-ready.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: applicationset-name-matches-project
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/policy-ready.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: appproject-clusterresourceblacklist
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: application-field-validation
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo/application-field-validation/application-field-validation.yaml

@@ -15,7 +15,7 @@ metadata:
       Path or chart must be specified but never both. And destination.name or
       destination.server must be specified but never both.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: source-path-chart

argo/application-field-validation/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Argo"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Application"
-digest: d3fb7174f682520a3ab0f62c4430014fc3228b51b989d770f5546099f342f416
+digest: 9f6e56fb8532ee2f043a3a623b4dabde1c419ec4858a4b50261cc392069a4b6d

argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: application-prevent-default-project
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo/application-prevent-default-project/application-prevent-default-project.yaml

@@ -13,7 +13,7 @@ metadata:
     policies.kyverno.io/description: >-
       This policy prevents the use of the default project in an Application.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: default-project

argo/application-prevent-default-project/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Argo"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Application"
-digest: cd52206b53b7fd1fc1d73ed2b127d70cead0eecf19f43e8b9b4192bb0b418c25
+digest: 90789fabae88fe5b601404793bf67e28fe06f19d2ec33a351e6a4b1199de4b45

argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: application-prevent-updates-project
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo/application-prevent-updates-project/application-prevent-updates-project.yaml

@@ -13,7 +13,7 @@ metadata:
     policies.kyverno.io/description: >-
       This policy prevents updates to the project field after an Application is created.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: project-updates

argo/application-prevent-updates-project/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Argo"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Application"
-digest: be410b40b2df93914851faffdefb7a02d036367ba89ffcd600ddc57f15efc21f
+digest: 604c05775c80ab521492bb326139a635cab9acfae7d8eac06b8f22fc51b831b9

argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: applicationset-name-matches-project
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml

@@ -14,7 +14,7 @@ metadata:
       This policy ensures that the name of the ApplicationSet is the
       same value provided in the project.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: match-name

argo/applicationset-name-matches-project/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Argo"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "ApplicationSet"
-digest: 7eabf25e8af8b90e044164d4ff2acb12503332f2c40360edebd4e1a908c773c3
+digest: 2b60af2ba640e7cc5edf7fada97d92c3a4fd72354e25f613a83c0287cc43f519

argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml

@@ -3,4 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: appproject-clusterresourceblacklist
 status:
-  ready: true
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml

@@ -17,7 +17,7 @@ metadata:
       enforce that all AppProjects specify clusterResourceBlacklist and that their group
       and kind have wildcards as values.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: has-wildcard