Merge branch 'main' into krishna/deny-default-sa

argo-cel/application-prevent-default-project/application-prevent-default-project.yaml

@@ -28,6 +28,6 @@ spec:
       validate:
         cel:
           expressions:
-            - expression: "has(object.spec.project) && object.spec.project != 'default'"
+            - expression: "object.spec.?project.orValue('') != 'default'"
               message: "The default project may not be used in an Application."
 

argo-cel/application-prevent-default-project/artifacthub-pkg.yml

@@ -19,6 +19,6 @@ annotations:
   kyverno/category: "Argo in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Application"
-digest: aeb2bc00375b7c44bb36ca7a3cd2f5f80ed17548abf98529d4617803be71196d
+digest: 30a66468036d5a7d5f63e5581d7a4dbb33f6d93ecdfca566f9a465b11d441acb
 createdAt: "2024-04-30T16:03:57Z"
 

argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml

@@ -12,6 +12,8 @@ spec:
         file: chainsaw-step-00-assert-1.yaml
   - name: step-01
     try:
+    - apply:
+        file: permissions.yaml
     - apply:
         file: chainsaw-step-01-apply-1.yaml
     - apply:

argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/permissions.yaml

@@ -0,0 +1,49 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:secrets:view
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+    rbac.kyverno.io/aggregate-to-reports-controller: "true"
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+--- 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:secrets:manage
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+  - update
+  - delete
+--- 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:clusters
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+  - 'provisioning.cattle.io'
+  resources:
+  - clusters
+  verbs:
+  - get
+  - list
+  - watch

argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml

@@ -19,7 +19,7 @@ metadata:
       "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053
       "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".
 spec:
-  generateExistingOnPolicyUpdate: true
+  generateExisting: true
   rules:
   - name: source-rancher-non-local-cluster-and-capi-secret
     match:

argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Argo"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Secret"
-digest: ddc3b0655fa1302142238ec869466e5f2ce2547f2f683effc7e5b0a813803b54
+digest: 955247857bea3c8e70733e8dc214406319f08ded53700ba42a8bc59dfcf94aa5

aws-cel/require-encryption-aws-loadbalancers/artifacthub-pkg.yml

@@ -20,6 +20,6 @@ annotations:
   kyverno/category: "AWS, EKS Best Practices in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Service"
-digest: 0a2c4fcb1a4aa5900aef0abba83625024def643c47ccfe1c6e0d1314c484f6f5
+digest: e2320be39a69521f5420e33890a87b1195a3658022e1e23909387e9dc0937c2e
 createdAt: "2024-05-11T16:01:13Z"
 

aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml

@@ -34,7 +34,6 @@ spec:
       cel:
         expressions:
           - expression: >-
-              has(object.metadata.annotations) && 
-              'service.beta.kubernetes.io/aws-load-balancer-ssl-cert' in object.metadata.annotations && object.metadata.annotations['service.beta.kubernetes.io/aws-load-balancer-ssl-cert'] != ''
+              object.metadata.?annotations[?'service.beta.kubernetes.io/aws-load-balancer-ssl-cert'].orValue('') != ''
             message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
 

best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml

@@ -19,6 +19,6 @@ annotations:
   kyverno/category: "Best Practices in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Ingress"
-digest: 0ffe2735a10b721569cf7139d0d7d51dbc9327beae68e50e4f54f560804548e9
+digest: e07447adca26bd41cf44f7cced9f50fef4d6293d142a5092d0a95f4473747043
 createdAt: "2024-03-09T14:19:51Z"
 

best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml

@@ -30,7 +30,6 @@ spec:
         cel:
           expressions:
             - expression: >-
-                !has(object.spec.rules) || 
-                object.spec.rules.all(rule, has(rule.host) && has(rule.http))
+                object.spec.?rules.orValue([]).all(rule, has(rule.host) && has(rule.http))
               message: "The Ingress host name must be defined, not empty."
         

best-practices-cel/require-drop-all/artifacthub-pkg.yml

@@ -19,6 +19,6 @@ annotations:
   kyverno/category: "Best Practices in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: c3d8959bdc68460e21ff5495994d0bb1a3aa7cb7a5b31740af33638b2dad466c
+digest: e30e0e6e98ad92017d641eddc650335cb688873b2c14c666fda925f3e809ae40
 createdAt: "2024-03-10T05:05:42Z"
 

best-practices-cel/require-drop-all/require-drop-all.yaml

@@ -32,13 +32,10 @@ spec:
         cel:
           variables:
             - name: allContainers
-              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
           expressions:
             - expression: >-
                 variables.allContainers.all(container, 
-                has(container.securityContext) &&
-                has(container.securityContext.capabilities) &&
-                has(container.securityContext.capabilities.drop) &&
-                container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'ALL'))
+                container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'ALL'))
               message: "Containers must drop `ALL` capabilities."
 

best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml

@@ -19,6 +19,6 @@ annotations:
   kyverno/category: "Best Practices in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: ef4e56b25b29423934e0e21cdea2d6c4e0ae3e67d84a1456f52b3d66fe9fa25a
+digest: 28cac97e2c441528f12158cc0c6d3c8c07067537831a88d5445a2128b42746b4
 createdAt: "2024-03-15T03:05:47Z"
 

best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml

@@ -33,14 +33,11 @@ spec:
         cel:
           variables:
             - name: allContainers
-              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
           expressions:
             - expression: >-
                 variables.allContainers.all(container, 
-                has(container.securityContext) &&
-                has(container.securityContext.capabilities) &&
-                has(container.securityContext.capabilities.drop) &&
-                container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
+                container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
               message: >-
                 Containers must drop the `CAP_NET_RAW` capability.
         

best-practices-cel/require-labels/artifacthub-pkg.yml

@@ -19,6 +19,6 @@ annotations:
   kyverno/category: "Best Practices in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod, Label"
-digest: cdcd97f2977e45e753975a75184c12d37e297a615f50322be925e64885ffa5e0
+digest: 90e1ceb1c27f70169fcd448cb48df4c7694d8252e060da24c7b2e9bb16a4fc88
 createdAt: "2024-03-06T19:31:45Z"
 

best-practices-cel/require-labels/require-labels.yaml

@@ -31,7 +31,6 @@ spec:
       cel:
         expressions:
           - expression: >-
-              has(object.metadata.labels) && 
-              'app.kubernetes.io/name' in object.metadata.labels && object.metadata.labels['app.kubernetes.io/name'] != ""
+              object.metadata.?labels[?'app.kubernetes.io/name'].orValue('') != ""
             message: "The label `app.kubernetes.io/name` is required." 
 

best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml

@@ -20,6 +20,6 @@ annotations:
   kyverno/category: "Best Practices, EKS Best Practices in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 08e28ef463ea200092f19e279fa3da071b276315f555b579786c564bbb8718c5
+digest: fe244b770ce2bc266f6af712404255b2968f26448614498fdf2f103ae82a1343
 createdAt: "2024-03-07T12:35:00Z"
 

best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml

@@ -33,7 +33,6 @@ spec:
         expressions:
           - expression: >-
               object.spec.containers.all(container,
-              has(container.securityContext) &&
-              container.securityContext.readOnlyRootFilesystem == true)
+              container.?securityContext.?readOnlyRootFilesystem.orValue(false) == true)
             message: "Root filesystem must be read-only."
           

best-practices-cel/restrict-image-registries/artifacthub-pkg.yml

@@ -20,6 +20,6 @@ annotations:
   kyverno/category: "Best Practices, EKS Best Practices in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: cac6e95f5ac6f7d7235349ac935745672c2112a0a5400e8fb1f59c9750850ad0
+digest: 8fbe80e4d4b26e2a2acc2160d52bf5b88c4f137567ea569e086439fc1fe1bd49
 createdAt: "2024-03-07T13:35:11Z"
 

best-practices-cel/restrict-image-registries/restrict-image-registries.yaml

@@ -32,7 +32,7 @@ spec:
       cel:
         variables:
           - name: allContainers
-            expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+            expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
         expressions:
           - expression: "variables.allContainers.all(container, container.image.startsWith('eu.foo.io/') || container.image.startsWith('bar.io/'))"
             message: "Unknown image registry."

best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml

@@ -19,3 +19,8 @@ spec:
         name: busybox
       - image: docker.io/tiller:latest
         name: helm-tiller
+      initContainers:
+      - image: busybox
+        name: busyboxinit
+      - image: docker.io/tiller:latest
+        name: helm-tillerinit

best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml

@@ -8,3 +8,8 @@ spec:
     image: docker.io/tiller:latest
   - name: somebox
     image: busybox:1.35
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
+  - name: someboxinit
+    image: busybox:1.35

best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml

@@ -7,4 +7,9 @@ spec:
   - name: somebox
     image: busybox:1.35
   - name: helm-tiller
-    image: docker.io/tiller:latest
+    image: docker.io/tiller:latest
+  initContainers:
+  - name: someboxinit
+    image: busybox:1.35
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest

best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml

@@ -5,4 +5,7 @@ metadata:
 spec:
   containers:
   - name: helm-tiller
-    image: docker.io/tiller:latest
+    image: docker.io/tiller:latest
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest

best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml

@@ -17,4 +17,8 @@ spec:
       containers:
       - image: busybox:v1.35
         name: busybox
-        command: ["sleep", "3600"]
+        command: ["sleep", "3600"]
+      initContainers:
+      - image: busybox:v1.35
+        name: busyboxinit
+        command: ["sleep", "3600"]

best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml

@@ -7,4 +7,9 @@ spec:
   - name: busybox
     image: busybox:v1.35
   - name: nothelmbox
-    image: busybox:v1.35
+    image: busybox:v1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox:v1.35
+  - name: nothelmboxinit
+    image: busybox:v1.35

best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml

@@ -6,6 +6,10 @@ spec:
   containers:
   - name: helm-tiller
     image: docker.io/tiller:latest
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
+
 ---
 apiVersion: v1
 kind: Pod
@@ -17,6 +21,11 @@ spec:
     image: busybox:1.28
   - name: helm-tiller
     image: docker.io/tiller:latest
+  initContainers:
+  - name: busyboxinit
+    image: busybox:1.28
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
 ---
 apiVersion: v1
 kind: Pod
@@ -26,6 +35,9 @@ spec:
   containers:
   - name: busybox
     image: busybox
+  initContainers:
+  - name: busyboxinit
+    image: busybox
 ---
 apiVersion: v1
 kind: Pod
@@ -37,6 +49,11 @@ spec:
     image: busybox
   - name: nginx
     image: nginx
+  initContainers:
+  - name: busyboxinit
+    image: busybox
+  - name: nginxinit
+    image: nginx
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -59,6 +76,10 @@ spec:
       - image: busybox:1.28
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox:1.28
+        name: busyboxinit
+        command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -80,3 +101,6 @@ spec:
       containers:
       - image: docker.io/tiller:latest
         name: helm-tiller
+      initContainers:
+      - image: docker.io/tiller:latest
+        name: helm-tillerinit

best-practices/disallow-helm-tiller/artifacthub-pkg.yml

@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Sample"
   kyverno/subject: "Pod"
-digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4
+digest: 3d92f3a2949283ad6d9baa99565e407c5cd78d015e0220750de522ac40ce1de2

best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml

@@ -11,7 +11,7 @@ metadata:
     policies.kyverno.io/description: >-
       Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
       resource accessible to any authenticated user. Tiller can lead to privilege escalation as
-      restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
+      restricted users can impact other users. It is recommended to use Helm v3+ which does not contain
       Tiller for these reasons. This policy validates that there is not an image
       containing the name `tiller`.
 spec:
@@ -26,8 +26,13 @@ spec:
               - Pod
       validate:
         message: "Helm Tiller is not allowed"
-        pattern:
-          spec:
-            containers:
-              - name: "*"
-                image: "!*tiller*"
+        foreach:
+        - list: "request.object.spec.containers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "!*tiller*"

best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml

@@ -7,4 +7,9 @@ spec:
   - name: busybox
     image: busybox:latest
   - name: nginx
-    image: nginx:1.35
+    image: nginx:1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox:latest
+  - name: nginxinit
+    image: nginx:1.35