diff --git a/charts/test-krish-globalps/Chart.yaml b/charts/test-krish-globalps/Chart.yaml index e9e085d4..9599041f 100644 --- a/charts/test-krish-globalps/Chart.yaml +++ b/charts/test-krish-globalps/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: test-krish description: Pod Security Standards (baseline) policy set type: application -version: 0.6.11 +version: 0.6.12 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/test-krish-globalps/pols/disallow-capabilities.yaml b/charts/test-krish-globalps/pols/disallow-capabilities.yaml deleted file mode 100644 index 35d48f47..00000000 --- a/charts/test-krish-globalps/pols/disallow-capabilities.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-capabilities - annotations: - policies.kyverno.io/title: Disallow Capabilities - policies.kyverno.io/category: Pod Security Standards (Baseline) - policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.22-1.23" - policies.kyverno.io/subject: Pod - policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/" - policies.kyverno.io/description: >- - Adding capabilities beyond those listed in the policy must be disallowed. -spec: - validationFailureAction: Audit - background: true - rules: - - name: adding-capabilities - match: - any: - - resources: - kinds: - - Pod - validate: - message: >- - Adding capabilities beyond those listed in the policy rule is disallowed. - deny: - conditions: - all: - - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}" - operator: AnyNotIn - value: - - AUDIT_WRITE - - CHOWN - - DAC_OVERRIDE - - FOWNER - - FSETID - - KILL - - MKNOD - - NET_BIND_SERVICE - - SETFCAP - - SETGID - - SETPCAP - - SETUID - - SYS_CHROOT
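Review bot: The bump from `version: 0.6.11` to `version: 0.6.12` labels the removal of pols/disallow-capabilities.yaml as a patch-level change, but for a chart whose `description:` still reads `Pod Security Standards (baseline) policy set` this drops a baseline control (the capabilities allowlist in the deleted ClusterPolicy) from every cluster that upgrades, which is not backward-compatible for consumers relying on the set. A minor or major bump, e.g. `version: 0.7.0`, together with a changelog or commit note saying that capability additions are no longer audited by this set, would make the regression visible at upgrade time. If a replacement exists (another policy in pols/ or native PodSecurity admission config) it is not visible in this diff; absent one, the `description:` line should be amended so the chart no longer claims full baseline coverage.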