From 8bd9dc3f361de88ad36d872088aaab403e9635df Mon Sep 17 00:00:00 2001 
From: Anusha Hegde
Date: Mon, 12 Jun 2023 10:59:28 +0530
Subject: [PATCH 1/3] Revert pols - reverted pols and club-pols - remediation included in all pss policies
---
 charts/pod-security-baseline/Chart.yaml | 2 +-
 .../{templates => pols}/disallow-capabilities.yaml | 0
 .../{templates => pols}/disallow-host-namespaces.yaml | 0
 .../{templates => pols}/disallow-host-path.yaml | 0
 .../{templates => pols}/disallow-host-ports.yaml | 0
 .../{templates => pols}/disallow-host-process.yaml | 0
 .../{templates => pols}/disallow-privileged-containers.yaml | 0
 .../{templates => pols}/disallow-proc-mount.yaml | 0
 .../{templates => pols}/disallow-selinux.yaml | 0
 .../{templates => pols}/restrict-apparmor-profiles.yaml | 0
 .../{templates => pols}/restrict-seccomp.yaml | 0
 .../{templates => pols}/restrict-sysctls.yaml | 0
 charts/pod-security-baseline/templates/club-pols.yaml | 4 ++++
 charts/pod-security-restricted/Chart.yaml | 2 +-
 .../{templates => pols}/disallow-capabilities-strict.yaml | 0
 .../{templates => pols}/disallow-privilege-escalation.yaml | 0
 .../{templates => pols}/require-run-as-non-root-user.yaml | 0
 .../{templates => pols}/require-run-as-nonroot.yaml | 0
 .../{templates => pols}/restrict-seccomp-strict.yaml | 0
 .../{templates => pols}/restrict-volume-types.yaml | 0
 charts/pod-security-restricted/templates/club-pols.yaml | 0
 21 files changed, 6 insertions(+), 2 deletions(-)
 rename charts/pod-security-baseline/{templates => pols}/disallow-capabilities.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/disallow-host-namespaces.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/disallow-host-path.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/disallow-host-ports.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/disallow-host-process.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/disallow-privileged-containers.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/disallow-proc-mount.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/disallow-selinux.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/restrict-apparmor-profiles.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/restrict-seccomp.yaml (100%)
 rename charts/pod-security-baseline/{templates => pols}/restrict-sysctls.yaml (100%)
 create mode 100644 charts/pod-security-baseline/templates/club-pols.yaml
 rename charts/pod-security-restricted/{templates => pols}/disallow-capabilities-strict.yaml (100%)
 rename charts/pod-security-restricted/{templates => pols}/disallow-privilege-escalation.yaml (100%)
 rename charts/pod-security-restricted/{templates => pols}/require-run-as-non-root-user.yaml (100%)
 rename charts/pod-security-restricted/{templates => pols}/require-run-as-nonroot.yaml (100%)
 rename charts/pod-security-restricted/{templates => pols}/restrict-seccomp-strict.yaml (100%)
 rename charts/pod-security-restricted/{templates => pols}/restrict-volume-types.yaml (100%)
 create mode 100644 charts/pod-security-restricted/templates/club-pols.yaml
diff --git a/charts/pod-security-baseline/Chart.yaml b/charts/pod-security-baseline/Chart.yaml
index b02d88fe..dd2505a9 100644
--- a/charts/pod-security-baseline/Chart.yaml
+++ b/charts/pod-security-baseline/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-baseline-policies
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/pod-security-baseline/templates/disallow-capabilities.yaml b/charts/pod-security-baseline/pols/disallow-capabilities.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/disallow-capabilities.yaml
rename to charts/pod-security-baseline/pols/disallow-capabilities.yaml
diff --git a/charts/pod-security-baseline/templates/disallow-host-namespaces.yaml b/charts/pod-security-baseline/pols/disallow-host-namespaces.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/disallow-host-namespaces.yaml
rename to charts/pod-security-baseline/pols/disallow-host-namespaces.yaml
diff --git a/charts/pod-security-baseline/templates/disallow-host-path.yaml b/charts/pod-security-baseline/pols/disallow-host-path.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/disallow-host-path.yaml
rename to charts/pod-security-baseline/pols/disallow-host-path.yaml
diff --git a/charts/pod-security-baseline/templates/disallow-host-ports.yaml b/charts/pod-security-baseline/pols/disallow-host-ports.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/disallow-host-ports.yaml
rename to charts/pod-security-baseline/pols/disallow-host-ports.yaml
diff --git a/charts/pod-security-baseline/templates/disallow-host-process.yaml b/charts/pod-security-baseline/pols/disallow-host-process.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/disallow-host-process.yaml
rename to charts/pod-security-baseline/pols/disallow-host-process.yaml
diff --git a/charts/pod-security-baseline/templates/disallow-privileged-containers.yaml b/charts/pod-security-baseline/pols/disallow-privileged-containers.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/disallow-privileged-containers.yaml
rename to charts/pod-security-baseline/pols/disallow-privileged-containers.yaml
diff --git a/charts/pod-security-baseline/templates/disallow-proc-mount.yaml b/charts/pod-security-baseline/pols/disallow-proc-mount.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/disallow-proc-mount.yaml
rename to charts/pod-security-baseline/pols/disallow-proc-mount.yaml
diff --git a/charts/pod-security-baseline/templates/disallow-selinux.yaml b/charts/pod-security-baseline/pols/disallow-selinux.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/disallow-selinux.yaml
rename to charts/pod-security-baseline/pols/disallow-selinux.yaml
diff --git a/charts/pod-security-baseline/templates/restrict-apparmor-profiles.yaml b/charts/pod-security-baseline/pols/restrict-apparmor-profiles.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/restrict-apparmor-profiles.yaml
rename to charts/pod-security-baseline/pols/restrict-apparmor-profiles.yaml
diff --git a/charts/pod-security-baseline/templates/restrict-seccomp.yaml b/charts/pod-security-baseline/pols/restrict-seccomp.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/restrict-seccomp.yaml
rename to charts/pod-security-baseline/pols/restrict-seccomp.yaml
diff --git a/charts/pod-security-baseline/templates/restrict-sysctls.yaml b/charts/pod-security-baseline/pols/restrict-sysctls.yaml
similarity index 100%
rename from charts/pod-security-baseline/templates/restrict-sysctls.yaml
rename to charts/pod-security-baseline/pols/restrict-sysctls.yaml
diff --git a/charts/pod-security-baseline/templates/club-pols.yaml b/charts/pod-security-baseline/templates/club-pols.yaml
new file mode 100644
index 00000000..c3c51aa7
--- /dev/null
+++ b/charts/pod-security-baseline/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ := .Files.Glob "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}
diff --git a/charts/pod-security-restricted/Chart.yaml b/charts/pod-security-restricted/Chart.yaml
index 9e2ff382..1203e81f 100644
--- a/charts/pod-security-restricted/Chart.yaml
+++ b/charts/pod-security-restricted/Chart.yaml
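Review bot: The `range` over `.Files.Glob "pols/**.yaml"` fails open: if the glob matches nothing (directory renamed, a `.helmignore` entry, or files saved as `.yml`), the chart renders an empty release with no error, so a "policy" install can succeed while installing zero Kyverno policies. Guard it before the loop with `{{- if not (.Files.Glob "pols/**.yaml") }}{{ fail "no policies found under pols/" }}{{- end }}` so the install aborts instead. The identical `club-pols.yaml` added for `pod-security-restricted` in PATCH 2/3 has the same gap. Since `.Files.Get` copies each file verbatim, this is also what keeps Kyverno's own `{{ request.object... }}` expressions away from Helm's template engine, which is worth a one-line header in the file: `{{- /* pols/*.yaml are included verbatim, not templated: .Values do not reach them */ -}}`.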
@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-restricted-policies
 description: Pod Security Standards (restricted) policy set
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/pod-security-restricted/templates/disallow-capabilities-strict.yaml b/charts/pod-security-restricted/pols/disallow-capabilities-strict.yaml
similarity index 100%
rename from charts/pod-security-restricted/templates/disallow-capabilities-strict.yaml
rename to charts/pod-security-restricted/pols/disallow-capabilities-strict.yaml
diff --git a/charts/pod-security-restricted/templates/disallow-privilege-escalation.yaml b/charts/pod-security-restricted/pols/disallow-privilege-escalation.yaml
similarity index 100%
rename from charts/pod-security-restricted/templates/disallow-privilege-escalation.yaml
rename to charts/pod-security-restricted/pols/disallow-privilege-escalation.yaml
diff --git a/charts/pod-security-restricted/templates/require-run-as-non-root-user.yaml b/charts/pod-security-restricted/pols/require-run-as-non-root-user.yaml
similarity index 100%
rename from charts/pod-security-restricted/templates/require-run-as-non-root-user.yaml
rename to charts/pod-security-restricted/pols/require-run-as-non-root-user.yaml
diff --git a/charts/pod-security-restricted/templates/require-run-as-nonroot.yaml b/charts/pod-security-restricted/pols/require-run-as-nonroot.yaml
similarity index 100%
rename from charts/pod-security-restricted/templates/require-run-as-nonroot.yaml
rename to charts/pod-security-restricted/pols/require-run-as-nonroot.yaml
diff --git a/charts/pod-security-restricted/templates/restrict-seccomp-strict.yaml b/charts/pod-security-restricted/pols/restrict-seccomp-strict.yaml
similarity index 100%
rename from charts/pod-security-restricted/templates/restrict-seccomp-strict.yaml
rename to charts/pod-security-restricted/pols/restrict-seccomp-strict.yaml
diff --git a/charts/pod-security-restricted/templates/restrict-volume-types.yaml b/charts/pod-security-restricted/pols/restrict-volume-types.yaml
similarity index 100%
rename from charts/pod-security-restricted/templates/restrict-volume-types.yaml
rename to charts/pod-security-restricted/pols/restrict-volume-types.yaml
diff --git a/charts/pod-security-restricted/templates/club-pols.yaml b/charts/pod-security-restricted/templates/club-pols.yaml
new file mode 100644
index 00000000..e69de29b
From 11dc574689ce77a36af2f8021e17e8498bb1a048 Mon Sep 17 00:00:00 2001
From: Anusha Hegde
Date: Mon, 12 Jun 2023 11:00:50 +0530
Subject: [PATCH 2/3] Add club-pols
---
 charts/pod-security-restricted/templates/club-pols.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/charts/pod-security-restricted/templates/club-pols.yaml b/charts/pod-security-restricted/templates/club-pols.yaml
index e69de29b..c3c51aa7 100644
--- a/charts/pod-security-restricted/templates/club-pols.yaml
+++ b/charts/pod-security-restricted/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ := .Files.Glob "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}
From 3cedb3cf297d76e4d1d903a23507015c7c009f12 Mon Sep 17 00:00:00 2001
From: Anusha Hegde
Date: Mon, 12 Jun 2023 13:02:12 +0530
Subject: [PATCH 3/3] Fix indentation
---
 .../pols/disallow-capabilities.yaml | 50 +++++++++----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/charts/pod-security-baseline/pols/disallow-capabilities.yaml b/charts/pod-security-baseline/pols/disallow-capabilities.yaml
index aa03a4e9..8b007501 100644
--- a/charts/pod-security-baseline/pols/disallow-capabilities.yaml
+++ b/charts/pod-security-baseline/pols/disallow-capabilities.yaml
@@ -12,38 +12,38 @@ metadata:
 policies.kyverno.io/subject: Pod
 policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/"
 policies.kyverno.io/description: >-
- Adding capabilities beyond those listed in the policy must be disallowed.
+ Adding capabilities beyond those listed in the policy must be disallowed.
 spec:
 validationFailureAction: audit
 background: true
 rules:
 - name: adding-capabilities
- match:
+ match:
 any:
- - resources:
- kinds:
- - Pod
- validate:
- message: >-
- Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
- FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
- are disallowed.
- deny:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+ FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+ are disallowed.
+ deny:
 conditions:
 all:
- - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"
+ - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"
 operator: AnyNotIn
 value:
- - AUDIT_WRITE
- - CHOWN
- - DAC_OVERRIDE
- - FOWNER
- - FSETID
- - KILL
- - MKNOD
- - NET_BIND_SERVICE
- - SETFCAP
- - SETGID
- - SETPCAP
- - SETUID
- - SYS_CHROOT
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT