From f8a789b30dab17e6d37a6b7131a76509fec7bb19 Mon Sep 17 00:00:00 2001
From: krishbajaj1609
Date: Thu, 6 Jun 2024 14:50:20 +0530
Subject: [PATCH] feature/global-policy-set : upgrade version for test
---
 charts/test-krish-globalps/Chart.yaml | 2 +-
 .../pols/disallow-host-process.yaml | 44 ------------------
 .../pols/disallow-privileged-containers.yaml | 2 +-
 .../pols/test-disallow-capabilities.yaml | 46 +++++++++++++++++++
 4 files changed, 48 insertions(+), 46 deletions(-)
 delete mode 100644 charts/test-krish-globalps/pols/disallow-host-process.yaml
 create mode 100644 charts/test-krish-globalps/pols/test-disallow-capabilities.yaml
diff --git a/charts/test-krish-globalps/Chart.yaml b/charts/test-krish-globalps/Chart.yaml
index a51846eb..cf8c7b10 100644
--- a/charts/test-krish-globalps/Chart.yaml
+++ b/charts/test-krish-globalps/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: test-krish
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.6.28
+version: 0.6.29
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/test-krish-globalps/pols/disallow-host-process.yaml b/charts/test-krish-globalps/pols/disallow-host-process.yaml
deleted file mode 100644
index b67b39b5..00000000
--- a/charts/test-krish-globalps/pols/disallow-host-process.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-host-process
- annotations:
- policies.kyverno.io/title: Disallow hostProcess
- policies.kyverno.io/category: Pod Security Standards (Baseline)
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- kyverno.io/kubernetes-version: "1.22-1.23"
- policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-process/"
- policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-process/remediate-disallow-host-process.yaml"
- policies.kyverno.io/description: >-
- Windows pods offer the ability to run HostProcess containers which enables privileged
- access to the Windows node. Privileged access to the host is disallowed in the baseline
- policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
- the `hostProcess` field, if present, is set to `false`.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: host-process-containers
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- message: >-
- HostProcess containers are disallowed.
- pattern:
- spec:
- =(ephemeralContainers):
- - =(securityContext):
- =(windowsOptions):
- =(hostProcess): "false"
- =(initContainers):
- - =(securityContext):
- =(windowsOptions):
- =(hostProcess): "false"
- containers:
- - =(securityContext):
- =(windowsOptions):
- =(hostProcess): "false"
diff --git a/charts/test-krish-globalps/pols/disallow-privileged-containers.yaml b/charts/test-krish-globalps/pols/disallow-privileged-containers.yaml
index 16b6437c..a0496a4f 100644
--- a/charts/test-krish-globalps/pols/disallow-privileged-containers.yaml
+++ b/charts/test-krish-globalps/pols/disallow-privileged-containers.yaml
@@ -14,7 +14,7 @@ metadata:
 Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.
 spec:
- validationFailureAction: Audit
+ validationFailureAction: Enforce
 background: true
 rules:
 - name: privileged-containers
diff --git a/charts/test-krish-globalps/pols/test-disallow-capabilities.yaml b/charts/test-krish-globalps/pols/test-disallow-capabilities.yaml
new file mode 100644
index 00000000..e2599112
--- /dev/null
+++ b/charts/test-krish-globalps/pols/test-disallow-capabilities.yaml
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-disallow-capabilities
+ annotations:
+ policies.kyverno.io/title: Disallow Capabilities
+ policies.kyverno.io/category: Pod Security Standards (Baseline)
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.23"
+ policies.kyverno.io/subject: Pod
+ policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-capabilities/"
+ policies.kyverno.io/description: >-
+ Adding capabilities beyond those listed in the policy must be disallowed.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: adding-capabilities
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Adding capabilities beyond those listed in the policy rule is disallowed.
+ deny:
+ conditions:
+ all:
+ - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}"
+ operator: AnyNotIn
+ value:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
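Review bot: `validationFailureAction: Enforce` here turns a cluster-wide `Pod` policy into an admission block for every namespace, and nothing in this hunk excludes system namespaces where CNI or node-agent DaemonSets commonly run with `privileged: true`; the rule's `match`/`exclude` block lies outside the hunk, so an existing exclusion cannot be confirmed from here. Before enforcing, either add an `exclude` for such namespaces or stage the rollout with `validationFailureActionOverrides:` / `- action: Enforce` / `  namespaces: ["prod-*"]` so Audit remains the default elsewhere. This is also the only policy in the chart switched to Enforce while the new capabilities policy stays Audit, and the commit subject ("upgrade version for test") does not mention the change, so either align the policies or record the intent in the `policies.kyverno.io/description` annotation. As far as I know `background: true` combined with Enforce only produces policy reports for existing resources, so already-running privileged Pods are not affected — only new admissions are blocked — which is worth stating in the description so operators are not surprised.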
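Review bot: The new `test-disallow-capabilities` policy ships with `validationFailureAction: Audit`, so capability additions outside the allow-list (including `ALL`) are only reported, while `disallow-privileged-containers` in the same commit is flipped to Enforce; if Audit is deliberate for a trial period, say so in `policies.kyverno.io/description`, otherwise set `validationFailureAction: Enforce` so the baseline controls behave consistently. The `ClusterPolicy` name and file name carry a `test-` prefix that breaks the `disallow-*` convention of the other policies in this chart and marks a cluster-scoped object as throwaway; `name: disallow-capabilities` is the upstream baseline name and would avoid a second rename later. The `policies.nirmata.io/remediation` annotation present on the deleted host-process policy is absent here, so only the docs link, not the remediation manifest, is provided. The JMESPath key flattens `ephemeralContainers`, `initContainers` and `containers` and `AnyNotIn` rejects any capability outside the list, which matches the upstream Kyverno baseline rule; note, though, that with `disallow-host-process` removed in this commit the chart described as a "Pod Security Standards (baseline) policy set" no longer covers the hostProcess control unless it is supplied elsewhere.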