upstream: upgrade nix, helm upstream, GHA

.envrc

@@ -1,2 +1,2 @@
-nix_direnv_watch_file "./nix/env.nix" "./nix/fmt.nix" "./nix/packages.nix" "./nix/shells.nix" "./nix/pre-commit.nix" "./flake.nix" "./parse.nix"
+watch_file "./nix/env.nix" "./nix/fmt.nix" "./nix/packages.nix" "./nix/shells.nix" "./nix/pre-commit.nix" "./flake.nix" "./parse.nix"
 use flake

.github/workflows/deployment.yaml

@@ -6,11 +6,13 @@ on:
 jobs:
   precommit:
     name: Pre-commit Check
-    runs-on: ubuntu-22.04
+    runs-on:
+      - nscloud-ubuntu-22.04-amd64-4x8-with-cache
+      - nscloud-cache-size-50gb
+      - nscloud-cache-tag-sulfoxide-sodium-nix-store-cache
+      - nscloud-git-mirror-1gb
     steps:
-      - uses: actions/checkout@v3
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: AtomiCloud/actions.setup-nix@v1.2.1
       - name: Run pre-commit
         run: nix develop .#ci -c ./scripts/ci/pre-commit.sh
 
@@ -19,12 +21,14 @@ jobs:
     needs:
       - precommit
     if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
+    runs-on:
+      - nscloud-ubuntu-22.04-amd64-4x8-with-cache
+      - nscloud-cache-size-50gb
+      - nscloud-cache-tag-sulfoxide-sodium-releaser-nix-store-cache
+      - nscloud-git-mirror-1gb
     steps:
-      - uses: actions/checkout@v3
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: rlespinasse/github-slug-action@v3.x
+      - uses: AtomiCloud/actions.setup-nix@v1.2.1
+      - uses: AtomiCloud/actions.cache-npm@v1.0.1
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

chart/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: kyverno-policies
   repository: https://kyverno.github.io/kyverno/
-  version: 3.0.4
-digest: sha256:83d6a2a0026ba5fb195530cd342523418f6a495038d1d6c2bf2c979c9a2d24a4
-generated: "2023-10-09T14:08:20.917656+08:00"
+  version: 3.2.5
+digest: sha256:219ab2a6a3971b9ade6c32671edbd1cb6d78b856d11e3ddbc4763ce185569910
+generated: "2024-08-11T14:31:30.899046+08:00"

chart/Chart.yaml

@@ -3,9 +3,9 @@ name: atomi-policies
 description: Chart to install AtomiCloud's Cluster Policies
 type: application
 version: 1.7.0
-appVersion: "3.1.0"
+appVersion: "3.2.5"
 dependencies:
   - name: kyverno-policies
     condition: basePolicies
-    version: 3.1.0
+    version: 3.2.5
     repository: https://kyverno.github.io/kyverno/

chart/README.md

@@ -1,14 +1,14 @@
 # atomi-policies
 
-![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.1.0](https://img.shields.io/badge/AppVersion-3.1.0-informational?style=flat-square)
+![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.5](https://img.shields.io/badge/AppVersion-3.2.5-informational?style=flat-square)
 
 Chart to install AtomiCloud's Cluster Policies
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://kyverno.github.io/kyverno/ | kyverno-policies | 3.1.0 |
+| https://kyverno.github.io/kyverno/ | kyverno-policies | 3.2.5 |
 
 ## Values
 
@@ -72,4 +72,4 @@ Chart to install AtomiCloud's Cluster Policies
 | serviceTree | object | `{"layer":"1","module":"policies","platform":"sulfoxide","service":"sodium"}` | AtomiCloud Service Tree. See [ServiceTree](https://atomicloud.larksuite.com/wiki/OkfJwTXGFiMJkrk6W3RuwRrZs64?theme=DARK&contentTheme=DARK#MHw5d76uDo2tBLx86cduFQMRsBb) |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.1](https://github.com/norwoodj/helm-docs/releases/v1.11.1)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

chart/values.entei.amber.yaml

@@ -0,0 +1,156 @@
+serviceTree:
+  landscape: &landscape entei
+  cluster: amber
+
+
+commonExclude:
+  annotaions: &annotationExclude
+    - "*-cleanup-controller-*"
+  labels: &labelExclude
+    - "*-cleanup-controller-*"
+    - "*-silicon-*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+  - kube-system
+  - pichu
+  - pikachu
+  - raichu
+
+kyverno-policies:
+  podSecurityStandard: baseline
+  podSecuritySeverity: medium
+  validationFailureAction: Audit
+  policyExclude:
+    disallow-capabilities:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-namespaces:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-path:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+    disallow-host-ports:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-process:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-privileged-containers:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-proc-mount:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-selinux:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-apparmor-profiles:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-sysctls:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-seccomp:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-privilege-escalation:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+              - "*-otel*"
+              - "*ingress-nginx-controller*"
+              - "*-target-allocator-targetallocator-*"
+    require-run-as-non-root-user:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+              - "*-target-allocator-targetallocator-*"
+    require-run-as-nonroot:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+              - "*-target-allocator-targetallocator-*"
+    restrict-seccomp-strict:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-volume-types:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+policies:
+  requireAtomiCloudAnnotations:
+    exclude:
+      names: *annotationExclude
+
+  requireAtomiCloudLabels:
+    exclude:
+      names: *labelExclude
+
+  checkLandscapeLabel:
+    value: *landscape
+    exclude:
+      names: *labelExclude
+
+  checkLandscapeAnnotation:
+    value: *landscape
+    exclude:
+      names: *annotationExclude
+
+  checkLayerLabel:
+    exclude:
+      names: *labelExclude
+
+  checkLayerAnnotation:
+    exclude:
+      names: *annotationExclude
+
+  checkPlatformLabel:
+    exclude:
+      names: *labelExclude
+
+  checkPlatformAnnotation:
+    exclude:
+      names: *annotationExclude
+
+  requireRequestLimits:
+    exclude:
+      names:
+        - "*-target-allocator-targetallocator-*"