feature/global-policy-set : upgrade version for test

charts/test-krish-globalps/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: test-krish
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.4.7
+version: 0.4.8
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/test-krish-globalps/pols/restrict-apparmor-profiles.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-apparmor-profiles
+  annotations:
+    policies.kyverno.io/title: Restrict AppArmor
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod, Annotation
+    policies.kyverno.io/minversion: 1.3.0
+    kyverno.io/kubernetes-version: "1.22-1.23"
+    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-apparmor-profiles/"
+    policies.kyverno.io/description: >-
+      On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
+      The default policy should prevent overriding or disabling the policy, or restrict
+      overrides to an allowed set of profiles. This policy ensures Pods do not
+      specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: app-armor
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Specifying other AppArmor profiles is disallowed.
+        pattern:
+          =(metadata):
+            =(annotations):
+              =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"