Merge pull request #179 from nirmata/updatePolicies

updated policies in alignment with oss

best-practices/require_drop_all/require_drop_all.yaml

@@ -14,7 +14,7 @@ metadata:
       capabilities should be dropped from a Pod, with only those required added back.
       This policy ensures that all containers explicitly specify the `drop: ["ALL"]`
       ability. Note that this policy also illustrates how to cover drop entries in any
-      case although this may not strictly conform to the Pod Security Standards.
+      case although this may not strictly conform to the Pod Security Standards.      
 spec:
   validationFailureAction: Audit
   background: true
@@ -25,12 +25,14 @@ spec:
         - resources:
             kinds:
               - Pod
-            operations:
-            - CREATE
-            - UPDATE
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
-          Containers must drop `ALL` capabilities.
+          Containers must drop `ALL` capabilities.          
         foreach:
           - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
             deny:

charts/best-practices-k8s/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubernetes-best-practice-policies
 description: Kubernetes Best Practice policy set
 type: application
-version: 0.3.0-rc1
+version: 0.3.1
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/best-practices-k8s/pols/require_drop_all.yaml

@@ -14,7 +14,7 @@ metadata:
       capabilities should be dropped from a Pod, with only those required added back.
       This policy ensures that all containers explicitly specify the `drop: ["ALL"]`
       ability. Note that this policy also illustrates how to cover drop entries in any
-      case although this may not strictly conform to the Pod Security Standards.
+      case although this may not strictly conform to the Pod Security Standards.      
 spec:
   validationFailureAction: Audit
   background: true
@@ -25,12 +25,14 @@ spec:
         - resources:
             kinds:
               - Pod
-            operations:
-            - CREATE
-            - UPDATE
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
-          Containers must drop `ALL` capabilities.
+          Containers must drop `ALL` capabilities.          
         foreach:
           - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
             deny:

charts/pod-security-restricted/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-restricted-policies
 description: Pod Security Standards (restricted) policy set
 type: application
-version: 0.4.1
+version: 0.4.2
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/pod-security-restricted/pols/restrict-volume-types.yaml

@@ -10,37 +10,42 @@ metadata:
     policies.kyverno.io/minversion: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
     kyverno.io/kyverno-version: 1.10.0
-    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/restricted/baseline/restrict-volume-types/"
     policies.kyverno.io/description: >-
       In addition to restricting HostPath volumes, the restricted pod security profile
       limits usage of non-core volume types to those defined through PersistentVolumes.
-      This policy blocks any other type of volume other than those in the allow list.
+      This policy blocks any other type of volume other than those in the allow list.      
 spec:
   validationFailureAction: Audit
   background: true
   rules:
     - name: restricted-volumes
       match:
         any:
-          - resources:
-              kinds:
-                - Pod
+        - resources:
+            kinds:
+              - Pod
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
-          Using volume types beyond those listed in the policy rule is disallowed.
+          Only the following types of volumes may be used: configMap, csi, downwardAPI,
+          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.          
         deny:
           conditions:
             all:
-              - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
-                operator: AnyNotIn
-                value:
-                  - name
-                  - configMap
-                  - csi
-                  - downwardAPI
-                  - emptyDir
-                  - ephemeral
-                  - persistentVolumeClaim
-                  - projected
-                  - secret
-                  - ""
+            - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
+              operator: AnyNotIn
+              value:
+              - name
+              - configMap
+              - csi
+              - downwardAPI
+              - emptyDir
+              - ephemeral
+              - persistentVolumeClaim
+              - projected
+              - secret
+              - ''

pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml

@@ -9,38 +9,43 @@ metadata:
     policies.kyverno.io/subject: Pod,Volume
     policies.kyverno.io/minversion: 1.6.0
     kyverno.io/kubernetes-version: "1.22-1.23"
-    policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/restricted/restrict-volume-types/"
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       In addition to restricting HostPath volumes, the restricted pod security profile
       limits usage of non-core volume types to those defined through PersistentVolumes.
-      This policy blocks any other type of volume other than those in the allow list 
-      (configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret).
+      This policy blocks any other type of volume other than those in the allow list.      
 spec:
   validationFailureAction: Audit
   background: true
   rules:
     - name: restricted-volumes
       match:
         any:
-          - resources:
-              kinds:
-                - Pod
+        - resources:
+            kinds:
+              - Pod
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
         message: >-
-          Using volume types beyond those listed in the policy rule is disallowed.
+          Only the following types of volumes may be used: configMap, csi, downwardAPI,
+          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.          
         deny:
           conditions:
             all:
-              - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
-                operator: AnyNotIn
-                value:
-                  - name
-                  - configMap
-                  - csi
-                  - downwardAPI
-                  - emptyDir
-                  - ephemeral
-                  - persistentVolumeClaim
-                  - projected
-                  - secret
-                  - ""
+            - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
+              operator: AnyNotIn
+              value:
+              - name
+              - configMap
+              - csi
+              - downwardAPI
+              - emptyDir
+              - ephemeral
+              - persistentVolumeClaim
+              - projected
+              - secret
+              - ''