Automated update from upstream (#293)
* Update app version from fork repo

* Automated update from upstream

* Disable test-policies on push job

---------

Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Franco <48300215+fhielpos@users.noreply.github.com>
Co-authored-by: Franco <franco@giantswarm.io>
4 people authored Sep 25, 2024
1 parent b97450e commit 5523d68
Showing 28 changed files with 115 additions and 53 deletions.
4 changes: 0 additions & 4 deletions .circleci/config.yml
Expand Up @@ -131,8 +131,6 @@ workflows:
chart: kyverno-policies
executor: "app-build-suite"
context: "architect"
requires:
- test-policies
# Needed to trigger job also on git tag.
filters:
tags:
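Review bot: dropping `requires: - test-policies` means the `kyverno-policies` chart build (`executor: "app-build-suite"`, `context: "architect"`) no longer waits for the policy tests, so a failing policy test no longer blocks this job. If the intent (per the commit message, "Disable test-policies on push job") is only to stop running the tests on push, consider keeping the gate on the tag/release path, or state in CHANGELOG.md why the chart may now ship with untested policies.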
Expand All @@ -146,8 +144,6 @@ workflows:
executor: "app-build-suite"
persist_chart_archive: true
context: "architect"
requires:
- test-policies
# Needed to trigger job also on git tag.
filters:
tags:
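Review bot: the same gate is removed here on the job with `persist_chart_archive: true`, i.e. the archive that gets published downstream. This is the path by which an untested policy set reaches consumers (the CHANGELOG entry in this commit says kyverno-policies is now consumed from security-bundle), so the tradeoff deserves an explicit justification in the commit message or changelog.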
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Changed

- Update to upstream `Kyverno Polcicies` version 1.12.5.
- Don't push to vsphere-app-collection, capz-app-collection, capa-app-collection or cloud-director-app-collection. We started to consume kyverno-policies from security-bundle.

## [0.20.2] - 2023-12-06
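Review bot: typo in the new entry: `Kyverno Polcicies` should be `Kyverno Policies`. The entry also understates the change: this commit raises the vendored chart's `kubeVersion` from `>=1.16.0-0` to `>=1.25.0-0`, adds the `policyKind` and `skipBackgroundRequests` values, and changes the documented `validationFailureAction` default from `audit` to `Audit`; the kubeVersion raise in particular is a hard install-time constraint for consumers and belongs in the changelog. The entry also says 1.12.5 while the vendored subchart's Chart.yaml in this same commit declares `appVersion: v1.12.3`; check which version is meant.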
6 changes: 3 additions & 3 deletions helm/kyverno-policies/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: kyverno-policies
repository: ""
version: 3.0.4
digest: sha256:ee04d36eb313d4cb72a33d962e1126ef66474b060b9df689fe2a09f7aac53be1
generated: "2023-09-18T12:51:59.641947467Z"
version: 3.2.3
digest: sha256:9027dcdad2c0fa1e1e64ba6fc59b9596f43316e07cc04253dfb2c66e2d8af1fd
generated: "2024-06-15T08:01:55.708883438Z"
5 changes: 2 additions & 3 deletions helm/kyverno-policies/Chart.yaml
@@ -1,11 +1,10 @@
apiVersion: v2
appVersion: v1.7.5
appVersion: v1.12.5
annotations:
application.giantswarm.io/team: shield
config.giantswarm.io/version: 1.x.x
dependencies:
- name: kyverno-policies
version: 3.0.4
version: 3.2.3
description: |
Kubernetes Pod Security Standards implemented as Kyverno policies
engine: gotpl
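Review bot: `appVersion: v1.12.5` here disagrees with the vendored subchart (`charts/kyverno-policies/Chart.yaml`, `appVersion: v1.12.3`, chart `version: 3.2.3`) updated in the same commit. If v1.12.5 is the Kyverno version this chart is tested against, say so in the changelog; otherwise align the two so the published app version isn't misleading.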
1 change: 1 addition & 0 deletions helm/kyverno-policies/charts/kyverno-policies/.helmignore
@@ -1,2 +1,3 @@
.helmignore
ci/
README.md.gotmpl
20 changes: 5 additions & 15 deletions helm/kyverno-policies/charts/kyverno-policies/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
type: application
name: kyverno-policies
version: 3.0.4
appVersion: v1.10.3
version: 3.2.3
appVersion: v1.12.3
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Pod Security Standards implemented as Kyverno policies
keywords:
Expand All @@ -15,19 +15,9 @@ home: https://kyverno.io/policies/
sources:
- https://github.com/kyverno/policies
maintainers:
- name: Nirmata
url: https://kyverno.io/
kubeVersion: ">=1.16.0-0"
- name: kyverno-maintainers
email: cncf-kyverno-maintainers@lists.cncf.io
kubeVersion: ">=1.25.0-0"
annotations:
artifacthub.io/operator: "false"
artifacthub.io/prerelease: "false"
# valid kinds are: added, changed, deprecated, removed, fixed and security
artifacthub.io/changes: |
- kind: added
description: Add ability to configure autogen behavior
- kind: fixed
description: Support for customLabels, they were ignored up to now
- kind: removed
description: "Walk back change in PSS policy to send to to_upper"
- kind: fixed
description: Skip DELETE requests on policies using deny statements
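Review bot: `kubeVersion: ">=1.25.0-0"` (up from `>=1.16.0-0`) makes Helm refuse to install on older clusters. The parent chart's own `kubeVersion`, if it declares one, is not in this diff, so verify it doesn't advertise broader support than the subchart now allows, and surface the raise in CHANGELOG.md. The `artifacthub.io/changes` list is upstream's and is fine to carry as-is; the `Skip DELETE requests on policies using deny statements` item corresponds to the `operator: NotEquals` / `value: DELETE` precondition that appears as context in the policy templates further down this commit.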
10 changes: 6 additions & 4 deletions helm/kyverno-policies/charts/kyverno-policies/README.md
Expand Up @@ -2,7 +2,7 @@

Kubernetes Pod Security Standards implemented as Kyverno policies

![Version: 3.0.4](https://img.shields.io/badge/Version-3.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.10.3](https://img.shields.io/badge/AppVersion-v1.10.3-informational?style=flat-square)
![Version: 3.2.3](https://img.shields.io/badge/Version-3.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.12.3](https://img.shields.io/badge/AppVersion-v1.12.3-informational?style=flat-square)

## About

Expand Down Expand Up @@ -63,13 +63,14 @@ The command removes all the Kubernetes components associated with the chart and

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| policyKind | string | `"ClusterPolicy"` | Policy kind (`ClusterPolicy`, `Policy`) Set to `Policy` if you need namespaced policies and not cluster policies |
| podSecurityStandard | string | `"baseline"` | Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). For more info https://kyverno.io/policies/pod-security. |
| podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). |
| podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
| includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
| includeRestrictedPolicies | list | `[]` | Additional policies to include from `restricted`. |
| failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ |
| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
| validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
| validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
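Review bot: the documented default for `validationFailureAction` changes from `"audit"` to `"Audit"` (and the accepted values to `Audit`/`Enforce`). Existing values files that override with the lowercase spelling should be checked against the Kyverno version in use, and the change is worth a CHANGELOG line. Minor: the new `policyKind` description is missing punctuation between its two sentences, and the `failurePolicy` row quotes its values with single quotes while every other row uses backticks.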
Expand All @@ -78,6 +79,7 @@ The command removes all the Kubernetes components associated with the chart and
| nameOverride | string | `nil` | Name override. |
| customLabels | object | `{}` | Additional labels. |
| background | bool | `true` | Policies background mode |
| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
| kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |

## Source Code
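Review bot: `skipBackgroundRequests` is documented as type `bool` with default `nil`. State explicitly that when left unset the field is omitted from the rendered policies (the templates in this commit only emit it when the value is non-empty), so Kyverno's own default applies, and how it differs from `background: false` in the row above, since the two are easy to confuse.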
Expand All @@ -86,13 +88,13 @@ The command removes all the Kubernetes components associated with the chart and

## Requirements

Kubernetes: `>=1.16.0-0`
Kubernetes: `>=1.25.0-0`

## Maintainers

| Name | Email | Url |
| ---- | ------ | --- |
| Nirmata | | <https://kyverno.io/> |
| kyverno-maintainers | <cncf-kyverno-maintainers@lists.cncf.io> | |

## Changes

Expand Up @@ -2,7 +2,7 @@
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
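Review bot: `kind: {{ .Values.policyKind }}` is rendered without validation, so any value other than `ClusterPolicy` or `Policy` (a typo, say) yields a manifest the API server rejects at install time instead of a clear template error. Consider guarding it, e.g. `{{- if not (has .Values.policyKind (list "ClusterPolicy" "Policy")) }}{{ fail "policyKind must be ClusterPolicy or Policy" }}{{- end }}`, or constraining it in a values.schema.json. Also note that `Policy` is namespaced and the template emits no `metadata.namespace`, so the policies land in the release namespace only; that matches the README's "namespaced policies" wording but is worth stating next to the value.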
Expand Down Expand Up @@ -64,6 +64,9 @@ spec:
operator: NotEquals
value: DELETE
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
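Review bot: the `not (quote .Values.skipBackgroundRequests | empty)` guard is the right idiom here: `quote` turns an unset value into `""` (skipped) but `false` into `"false"` (rendered), so `skipBackgroundRequests: false` is emitted when a user sets it explicitly and omitted when the value stays `nil`, matching the README default. One thing to check: this rule's `supportedKyvernoCheck` floor is still `>= 1.6.0-0` (context line above). If the Kyverno CRD only accepts `skipBackgroundRequests` from a later release, setting the value on an older Kyverno renders a field the API server rejects and the check won't catch it, so either raise the floor when the value is set or document the minimum Kyverno version next to it.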
@@ -1,7 +1,7 @@
{{- $name := "disallow-host-namespaces" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -48,6 +48,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
@@ -1,7 +1,7 @@
{{- $name := "disallow-host-path" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -47,6 +47,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
@@ -1,7 +1,7 @@
{{- $name := "disallow-host-ports" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -47,6 +47,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
@@ -1,7 +1,7 @@
{{- $name := "disallow-host-process" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -48,6 +48,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
@@ -1,7 +1,7 @@
{{- $name := "disallow-privileged-containers" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -46,6 +46,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
@@ -1,7 +1,7 @@
{{- $name := "disallow-proc-mount" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -48,6 +48,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Changing the proc mount from the default is not allowed. The fields
@@ -1,7 +1,7 @@
{{- $name := "disallow-selinux" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -46,6 +46,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Setting the SELinux type is restricted. The fields
Expand Down Expand Up @@ -83,6 +86,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Setting the SELinux user or role is forbidden. The fields
@@ -1,7 +1,7 @@
{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -49,6 +49,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Specifying other AppArmor profiles is disallowed. The annotation
@@ -1,7 +1,7 @@
{{- $name := "restrict-seccomp" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -47,6 +47,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Use of custom Seccomp profiles is disallowed. The fields
@@ -1,7 +1,7 @@
{{- $name := "restrict-sysctls" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -50,6 +50,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Setting additional sysctls above the allowed type is disallowed.
@@ -1,7 +1,7 @@
{{- $name := "require-non-root-groups" }}
{{- if eq (include "kyverno-policies.podSecurityOther" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
Expand Down Expand Up @@ -48,6 +48,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Running with root group IDs is disallowed. The fields
Expand Down Expand Up @@ -92,6 +95,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Containers cannot run with a root primary or supplementary GID. The field
Expand All @@ -111,6 +117,9 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Containers cannot run with a root primary or supplementary GID. The field