From 74863db31d8201f25455f55418a27d38318bf8c6 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Mon, 5 Aug 2024 17:36:29 -0300 Subject: [PATCH 01/34] Update disallow-helm-tiller.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-helm-tiller.yaml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml index 61dd8c74d..2e9ceb550 100644 --- a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml +++ b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml @@ -11,7 +11,7 @@ metadata: policies.kyverno.io/description: >- Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as - restricted users can impact other users. It is recommend to use Helm v3+ which does not contain + restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`. spec: @@ -26,8 +26,13 @@ spec: - Pod validate: message: "Helm Tiller is not allowed" - pattern: - spec: - containers: - - name: "*" - image: "!*tiller*" + foreach: + - list: "request.object.spec.initContainers" + pattern: + image: "!*tiller*" + - list: "request.object.spec.initContainers" + pattern: + image: "!*tiller*" + - list: "request.object.spec.ephemeralContainers" + pattern: + image: "!*tiller*" From 6313df2d8912867aba20de7b6ebd4a6f6a4b8e94 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Mon, 5 Aug 2024 17:37:40 -0300 Subject: [PATCH 02/34] Update artifacthub-pkg.yml 
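Review bot: The new `foreach` in the tiller rule lists `request.object.spec.initContainers` twice and never iterates `request.object.spec.containers`, so this patch silently drops the check that the replaced `spec.containers` pattern performed; the first entry should read `- list: "request.object.spec.containers"` (PATCH 16 later in this series makes exactly that correction, and squashing it here avoids an intermediate revision that ignores main containers). The `ephemeralContainers` entry is only reachable if the rule's match block, which is outside this hunk, also lists the `Pod/ephemeralcontainers` subresource, since ephemeral containers are attached through that subresource rather than present on Pod create; worth confirming against the Kyverno version in use. Presumably an absent list (most Pods have no `ephemeralContainers`) is skipped rather than treated as an error so the remaining entries still apply, but a chainsaw fixture with no `initContainers` at all would prove that.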
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-helm-tiller/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml index e34f3355c..2b55a16c2 100644 --- a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml +++ b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4 +digest: 31126cee424a796fe9a4078d879a2d650fa6a3efc267d714a90a54604d91a9de From f7c7605545bbc1a374e9dfccc9d8c2ef6d71d06d Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:25:22 -0300 Subject: [PATCH 03/34] Update disallow-latest-tag.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-latest-tag.yaml | 28 +++++++++++++------ 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml index c83cd565e..a5d98c754 100644 --- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml +++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml @@ -25,10 +25,16 @@ spec: - Pod validate: message: "An image tag is required." - pattern: - spec: - containers: - - image: "*:*" + foreach: + - list: "request.object.spec.initContainers" + pattern: + image: "*:*" + - list: "request.object.spec.initContainers" + pattern: + image: "*:*" + - list: "request.object.spec.ephemeralContainers" + pattern: + image: "*:*" - name: validate-image-tag match: any: 
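Review bot: The `foreach` added to the rule that emits `"An image tag is required."` has the same duplicated first list as the tiller policy: `request.object.spec.initContainers` appears twice and `request.object.spec.containers` is no longer iterated, so main containers go unchecked until PATCH 15 corrects the first entry to `- list: "request.object.spec.containers"`; folding that fix into this commit keeps every revision of the policy correct. Note also that `image: "*:*"` is satisfied by an image whose only colon is a registry port (`registry.example.com:5000/nginx`) with no tag at all; that limitation predates this change, but now that the check is applied per element it would be cheap to state it in the policy description, e.g. `Images pulled from a registry with an explicit port but no tag are not detected by this rule.`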
@@ -37,7 +43,13 @@ spec: - Pod validate: message: "Using a mutable image tag e.g. 'latest' is not allowed." - pattern: - spec: - containers: - - image: "!*:latest" \ No newline at end of file + foreach: + - list: "request.object.spec.initContainers" + pattern: + image: "!*:latest" + - list: "request.object.spec.initContainers" + pattern: + image: "!*:latest" + - list: "request.object.spec.ephemeralContainers" + pattern: + image: "!*:latest" From ca010a2a89b4566da5a08defe72bcecec9795eb6 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:26:19 -0300 Subject: [PATCH 04/34] Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-latest-tag/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml index cfd7a6095..cc3d90ccf 100644 --- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml +++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4 +digest: 3e299e0f018ff57ee78cfff4119df58d72e11669908eff9dfe8294f3be7a6e60 From 63c511ec3df1d0d4c962126efb1e9d81fb2643a6 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:28:58 -0300 Subject: [PATCH 05/34] Update bad-pod-latest-fail-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-pod-latest-fail-first.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
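Review bot: Now that the `"Using a mutable image tag e.g. 'latest' is not allowed."` rule iterates three lists, the denial message no longer tells the user which container failed; if I recall the foreach docs correctly Kyverno exposes the current item as `{{ element }}`, so `message: "Container {{ element.name }} uses image {{ element.image }}; a mutable tag such as 'latest' is not allowed."` would make the rejection actionable. The same duplicated `initContainers` entry exists in this hunk (the first list should be `request.object.spec.containers`, as PATCH 15 later corrects). Only the literal `latest` tag is rejected and other mutable tags (`stable`, `main`) pass by design, which the policy description, outside this hunk, should say explicitly if it does not already.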
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml index 2184f875b..819a91ea2 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml @@ -7,4 +7,9 @@ spec: - name: busybox image: busybox:latest - name: nginx - image: nginx:1.35 \ No newline at end of file + image: nginx:1.35 + initContainers: + - name: busybox + image: busybox:latest + - name: nginx + image: nginx:1.35 From 0f4cf5bc2718782fe8fb6c5ae6337781bd3a26f9 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:29:36 -0300 Subject: [PATCH 06/34] Update bad-pod-latest-success-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-pod-latest-success-first.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml index 43e17164c..cc6696f1e 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml @@ -7,4 +7,9 @@ spec: - name: nginx image: nginx:1.35 - name: busybox - image: busybox:latest \ No newline at end of file + image: busybox:latest + initContainers: + - name: nginx + image: nginx:1.35 + - name: busybox + image: busybox:latest From 5e6cb53bd076c7fb9be35efc7b6ac86863dca4a6 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:30:23 -0300 Subject: [PATCH 07/34] Update bad-pod-no-tag.yaml 
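Review bot: Neither fixture exercises the code path this series adds: in `bad-pod-latest-fail-first.yaml` and `bad-pod-latest-success-first.yaml` the new `initContainers` reuse `busybox:latest` while `containers` already carries `busybox:latest`, so the Pod is denied even if the `initContainers` foreach entry were deleted from the policy. A fixture whose main containers are all pinned and whose only `latest` reference is an init container is what actually proves the change, and the chainsaw test file (outside this patch) would need to reference it with a fail expectation. Separately, the added init containers reuse the names `busybox` and `nginx` from `containers`; Kubernetes requires container names to be unique across `containers` and `initContainers`, so the API server would reject these Pods with a duplicate-name error before the policy is consulted (PATCH 30 and 31 later rename them to `busyboxinit`/`nginxinit`, which belongs in this commit).
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: badpod-latest-init-only
spec:
  containers:
  - name: nginx
    image: nginx:1.35
  initContainers:
  - name: busyboxinit
    image: busybox:latest
```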
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-pod-no-tag.yaml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml index 7a599f75c..1d25ca328 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml @@ -8,6 +8,11 @@ spec: image: busybox - name: nginx image: nginx:1.35 + initContainers: + - name: busybox + image: busybox + - name: nginx + image: nginx:1.35 --- apiVersion: v1 kind: Pod @@ -19,6 +24,11 @@ spec: image: nginx:1.35 - name: busybox image: busybox + initContainers: + - name: nginx + image: nginx:1.35 + - name: busybox + image: busybox --- apiVersion: v1 kind: Pod @@ -29,4 +39,9 @@ spec: - name: busybox image: busybox - name: nginx - image: nginx:latest \ No newline at end of file + image: nginx:latest + initContainers: + - name: busybox + image: busybox + - name: nginx + image: nginx:latest From 3b18868350b8742baa3379b7bda4052132b26755 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:30:50 -0300 Subject: [PATCH 08/34] Update good-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-latest-tag/.chainsaw-test/good-pod.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml index 679a87f5c..86a6ee380 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml 
@@ -5,4 +5,7 @@ metadata: spec: containers: - name: busybox - image: busybox:v1.35 \ No newline at end of file + image: busybox:v1.35 + initContainers: + - name: busybox + image: busybox:v1.35 From a773ac701a76bfe1ff457979aa1e060bf0249983 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:41:00 -0300 Subject: [PATCH 09/34] Update bad-deploy.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml index e2b85aea5..50c24d3f4 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml @@ -19,3 +19,8 @@ spec: name: busybox - image: docker.io/tiller:latest name: helm-tiller + initContainers: + - image: busybox + name: busybox + - image: docker.io/tiller:latest + name: helm-tiller From 4381b0eb00ad3630d4e4e8ec7d0961b580f5ed98 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:41:18 -0300 Subject: [PATCH 10/34] Update bad-pod-fail-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-pod-fail-first.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml index 56caf1bbb..9c8661916 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml 
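Review bot: In `disallow-latest-tag/.chainsaw-test/good-pod.yaml` the added init container is named `busybox`, identical to the existing main container; Kubernetes validates that names are unique across `spec.containers` and `spec.initContainers`, so this "good" Pod would be rejected by the API server with a duplicate-name error and the chainsaw step expecting a successful create would fail for a reason unrelated to the policy. Rename it, e.g. `- name: busyboxinit`. The tiller fixtures receive this rename in PATCH 23–28, but I do not see an equivalent rename for this file in the visible part of the series. The `bad-deploy.yaml` hunk on this line has the same duplicate `busybox` and `helm-tiller` names, corrected later in PATCH 24.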
@@ -8,3 +8,8 @@ spec: image: docker.io/tiller:latest - name: somebox image: busybox:1.35 + initContainers: + - name: helm-tiller + image: docker.io/tiller:latest + - name: somebox + image: busybox:1.35 From 7f26eca03434054b5a926e5f294ed169fa77b9eb Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:41:41 -0300 Subject: [PATCH 11/34] Update bad-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-helm-tiller/.chainsaw-test/bad-pod.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml index 447689170..27e1d225a 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml @@ -5,4 +5,7 @@ metadata: spec: containers: - name: helm-tiller - image: docker.io/tiller:latest \ No newline at end of file + image: docker.io/tiller:latest + initContainers: + - name: helm-tiller + image: docker.io/tiller:latest From 7e95415813f4bcb599ae026ad2306d8d9204b3de Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:42:01 -0300 Subject: [PATCH 12/34] Update bad-pod-success-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-pod-success-first.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml index ba3bc5292..790dbf372 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml 
@@ -7,4 +7,9 @@ spec: - name: somebox image: busybox:1.35 - name: helm-tiller - image: docker.io/tiller:latest \ No newline at end of file + image: docker.io/tiller:latest + initContainers: + - name: somebox + image: busybox:1.35 + - name: helm-tiller + image: docker.io/tiller:latest From f535163184e114fd5a752fc5fc5117db45c260a2 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:42:32 -0300 Subject: [PATCH 13/34] Update good-deploy.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-helm-tiller/.chainsaw-test/good-deploy.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml index 915bbaf8c..028fe6eb2 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml @@ -17,4 +17,8 @@ spec: containers: - image: busybox:v1.35 name: busybox - command: ["sleep", "3600"] \ No newline at end of file + command: ["sleep", "3600"] + initContainers: + - image: busybox:v1.35 + name: busybox + command: ["sleep", "3600"] From 7a425bae8376c44104c5429a72cc9feb220ad9a0 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 16:42:51 -0300 Subject: [PATCH 14/34] Update good-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-helm-tiller/.chainsaw-test/good-pod.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml index 0743299d4..9e01d171c 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml 
@@ -7,4 +7,9 @@ spec: - name: busybox image: busybox:v1.35 - name: nothelmbox - image: busybox:v1.35 \ No newline at end of file + image: busybox:v1.35 + initContainers: + - name: busybox + image: busybox:v1.35 + - name: nothelmbox + image: busybox:v1.35 From 48db9a2dfdedfb100cb7c8f92ea39e730ea90a63 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 17:33:20 -0300 Subject: [PATCH 15/34] Update disallow-latest-tag.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-latest-tag/disallow-latest-tag.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml index a5d98c754..2f40ef15c 100644 --- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml +++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml @@ -26,7 +26,7 @@ spec: validate: message: "An image tag is required." foreach: - - list: "request.object.spec.initContainers" + - list: "request.object.spec.containers" pattern: image: "*:*" - list: "request.object.spec.initContainers" @@ -44,7 +44,7 @@ spec: validate: message: "Using a mutable image tag e.g. 'latest' is not allowed." foreach: - - list: "request.object.spec.initContainers" + - list: "request.object.spec.containers" pattern: image: "!*:latest" - list: "request.object.spec.initContainers" From 93246282347cf5bfd78836aaf188f3f00b90b351 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 17:33:39 -0300 Subject: [PATCH 16/34] Update disallow-helm-tiller.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml index 2e9ceb550..ef1bb41fa 100644 --- a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml +++ b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml @@ -27,7 +27,7 @@ spec: validate: message: "Helm Tiller is not allowed" foreach: - - list: "request.object.spec.initContainers" + - list: "request.object.spec.containers" pattern: image: "!*tiller*" - list: "request.object.spec.initContainers" From 1e998b28ccf78398cefbebe550490beca8c6939f Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 17:35:35 -0300 Subject: [PATCH 17/34] Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-helm-tiller/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml index 2b55a16c2..1d47fd83a 100644 --- a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml +++ b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 31126cee424a796fe9a4078d879a2d650fa6a3efc267d714a90a54604d91a9de +digest: 3d92f3a2949283ad6d9baa99565e407c5cd78d015e0220750de522ac40ce1de2 From ba7245b6d17451bba223ae1313b882a91c5e55d0 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 6 Aug 2024 17:36:27 -0300 Subject: [PATCH 18/34] Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-latest-tag/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml index cc3d90ccf..b47c8b23b 100644 --- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml +++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: 3e299e0f018ff57ee78cfff4119df58d72e11669908eff9dfe8294f3be7a6e60 +digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a From 408fe22c98596b678d612a0872e4e427011fd3b9 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 7 Aug 2024 11:31:04 -0300 Subject: [PATCH 19/34] Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-latest-tag/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml index b47c8b23b..cfd7a6095 100644 --- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml +++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a +digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4 From 3df3b440b803f820adefcd97698682aad37b3333 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 7 Aug 2024 11:46:29 -0300 Subject: [PATCH 20/34] Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-latest-tag/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml index cfd7a6095..cc3d90ccf 100644 --- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml +++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4 +digest: 3e299e0f018ff57ee78cfff4119df58d72e11669908eff9dfe8294f3be7a6e60 From 72e9cdcc2cf4605861c843df8fb46b8dd0eb2668 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Mon, 12 Aug 2024 17:15:21 -0300 Subject: [PATCH 21/34] Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-latest-tag/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml index cc3d90ccf..b47c8b23b 100644 --- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml +++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: 3e299e0f018ff57ee78cfff4119df58d72e11669908eff9dfe8294f3be7a6e60 +digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a From 44f4af4760b4a84a8887ebb1d092eb1f88860683 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Tue, 13 Aug 2024 11:56:10 -0300 Subject: [PATCH 22/34] Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-latest-tag/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml index b47c8b23b..24d3bf026 100644 --- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml +++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml @@ -1,6 +1,6 @@ name: disallow-latest-tag version: 1.0.0 -displayName: Disallow Latest Tag +displayName: Disallow Latest Tags createdAt: "2023-04-10T19:47:15.000Z" description: >- The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. From f46de986182f7cabf95aacd64a7cb2d1fa2cb976 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:44:55 -0300 Subject: [PATCH 23/34] Update good-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-helm-tiller/.chainsaw-test/good-pod.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml index 9e01d171c..f0c0a6913 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml @@ -9,7 +9,7 @@ spec: - name: nothelmbox image: busybox:v1.35 initContainers: - - name: busybox + - name: busyboxinit image: busybox:v1.35 - - name: nothelmbox + - name: nothelmboxinit image: busybox:v1.35 From ccef2fff203c2a6332779b54ce3c055de995a3b1 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:45:12 -0300 Subject: [PATCH 24/34] Update bad-deploy.yaml 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml index 50c24d3f4..37c6850cd 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml @@ -21,6 +21,6 @@ spec: name: helm-tiller initContainers: - image: busybox - name: busybox + name: busyboxinit - image: docker.io/tiller:latest - name: helm-tiller + name: helm-tillerinit From 4ef4d0407883281d339ebac6fc65bfe369923c47 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:45:29 -0300 Subject: [PATCH 25/34] Update bad-pod-fail-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-pod-fail-first.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml index 9c8661916..3c6000019 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml @@ -9,7 +9,7 @@ spec: - name: somebox image: busybox:1.35 initContainers: - - name: helm-tiller + - name: helm-tillerinit image: docker.io/tiller:latest - - name: somebox + - name: someboxinit image: busybox:1.35 From 74ebde2cc6a0364a14e1662811dc39ecf35ca398 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:45:42 -0300 Subject: [PATCH 26/34] Update bad-pod-success-first.yaml 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-pod-success-first.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml index 790dbf372..9b09e550d 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml @@ -9,7 +9,7 @@ spec: - name: helm-tiller image: docker.io/tiller:latest initContainers: - - name: somebox + - name: someboxinit image: busybox:1.35 - - name: helm-tiller + - name: helm-tillerinit image: docker.io/tiller:latest From c5c11af530604597a71a722470e0356536a9da36 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:45:53 -0300 Subject: [PATCH 27/34] Update bad-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml index 27e1d225a..e35960061 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml @@ -7,5 +7,5 @@ spec: - name: helm-tiller image: docker.io/tiller:latest initContainers: - - name: helm-tiller + - name: helm-tillerinit image: docker.io/tiller:latest From 51446a140b29e263e0767508a0b752bdf7a2cde0 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:46:15 -0300 Subject: [PATCH 28/34] Update good-deploy.yaml 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../disallow-helm-tiller/.chainsaw-test/good-deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml index 028fe6eb2..687ebc84c 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml @@ -20,5 +20,5 @@ spec: command: ["sleep", "3600"] initContainers: - image: busybox:v1.35 - name: busybox + name: busyboxinit command: ["sleep", "3600"] From 7ef76670d631eb49d03211b653fd7da18db219a5 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:54:48 -0300 Subject: [PATCH 29/34] Update resource.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.kyverno-test/resource.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml index c015402a8..08dcde836 100644 --- a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml +++ b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml @@ -6,6 +6,10 @@ spec: containers: - name: helm-tiller image: docker.io/tiller:latest + initContainers: + - name: helm-tillerinit + image: docker.io/tiller:latest + --- apiVersion: v1 kind: Pod @@ -17,6 +21,11 @@ spec: image: busybox:1.28 - name: helm-tiller image: docker.io/tiller:latest + initContainers: + - name: busyboxinit + image: busybox:1.28 + - name: helm-tillerinit + image: docker.io/tiller:latest --- apiVersion: v1 kind: Pod @@ -26,6 +35,9 @@ spec: containers: - name: busybox image: busybox + initContainers: + - name: busyboxinit + image: busybox --- apiVersion: v1 kind: Pod 
@@ -37,6 +49,11 @@ spec:
 image: busybox
 - name: nginx
 image: nginx
+ initContainers:
+ - name: busyboxinit
+ image: busybox
+ - name: nginxinit
+ image: nginx
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -59,6 +76,10 @@ spec:
 - image: busybox:1.28
 name: busybox
 command: ["sleep", "9999"]
+ initContainers:
+ - image: busybox:1.28
+ name: busyboxinit
+ command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -80,3 +101,6 @@ spec:
 containers:
 - image: docker.io/tiller:latest
 name: helm-tiller
+ initContainers:
+ - image: docker.io/tiller:latest
+ name: helm-tillerinit

From 95207a9e0a9840f5b5cd69b5506f934ffe4ae5f9 Mon Sep 17 00:00:00 2001
From: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:24:44 -0300
Subject: [PATCH 30/34] Update bad-pod-latest-fail-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
---
 .../.chainsaw-test/bad-pod-latest-fail-first.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
index 819a91ea2..44ba9c0fb 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
@@ -9,7 +9,7 @@ spec:
 - name: nginx
 image: nginx:1.35
 initContainers:
- - name: busybox
+ - name: busyboxinit
 image: busybox:latest
- - name: nginx
+ - name: nginxinit
 image: nginx:1.35

From f235ddbad2117ad8e715d97ad083b7de7bda965e Mon Sep 17 00:00:00 2001
From: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:25:47 -0300
Subject: [PATCH 31/34] Update bad-pod-latest-success-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
---
 .../.chainsaw-test/bad-pod-latest-success-first.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
index cc6696f1e..f565170f5 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
@@ -9,7 +9,7 @@ spec:
 - name: busybox
 image: busybox:latest
 initContainers:
- - name: nginx
+ - name: nginxinit
 image: nginx:1.35
- - name: busybox
+ - name: busyboxinit
 image: busybox:latest

From 82a713bd6f30224f8488729b8d714abaad1a821f Mon Sep 17 00:00:00 2001
From: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:26:15 -0300
Subject: [PATCH 32/34] Update bad-pod-no-tag.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
---
 .../.chainsaw-test/bad-pod-no-tag.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
index 1d25ca328..3418076ae 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
@@ -9,9 +9,9 @@ spec:
 - name: nginx
 image: nginx:1.35
 initContainers:
- - name: busybox
+ - name: busyboxinit
 image: busybox
- - name: nginx
+ - name: nginxinit
 image: nginx:1.35
 ---
 apiVersion: v1
@@ -25,9 +25,9 @@ spec:
 - name: busybox
 image: busybox
 initContainers:
- - name: nginx
+ - name: nginxinit
 image: nginx:1.35
- - name: busybox
+ - name: busyboxinit
 image: busybox
 ---
 apiVersion: v1
@@ -41,7 +41,7 @@ spec:
 - name: nginx
 image: nginx:latest
 initContainers:
- - name: busybox
+ - name: busyboxinit
 image: busybox
- - name: nginx
+ - name: nginxinit
 image: nginx:latest

From 649f864b336240555fdb8aa0fe4c0adc7ee1eff0 Mon Sep 17 00:00:00 2001
From: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:26:37 -0300
Subject: [PATCH 33/34] Update good-pod.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
---
 best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
index 86a6ee380..505688d3d 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
@@ -7,5 +7,5 @@ spec:
 - name: busybox
 image: busybox:v1.35
 initContainers:
- - name: busybox
+ - name: busyboxinit
 image: busybox:v1.35

From 051e3b94bf2d7e195e54a45984edc6feee8b7a4f Mon Sep 17 00:00:00 2001
From: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:30:04 -0300
Subject: [PATCH 34/34] Update resource.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
---
 .../.kyverno-test/resource.yaml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml
index 873a0d251..03ed91c15 100644
--- a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml
+++ b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml
@@ -8,6 +8,9 @@ spec:
 containers:
 - name: nginx
 image: nginx:1.12
+ initContainers:
+ - name: nginxinit
+ image: nginx:1.12
 ---
 apiVersion: v1
 kind: Pod
@@ -19,6 +22,9 @@ spec:
 containers:
 - name: nginx
 image: nginx
+ initContainers:
+ - name: nginxinit
+ image: nginx
 ---
 apiVersion: v1
 kind: Pod
@@ -32,6 +38,11 @@ spec:
 image: busybox:1.28
 - name: nginx
 image: nginx
+ initContainers:
+ - name: busyboxinit
+ image: busybox:1.28
+ - name: nginxinit
+ image: nginx
 ---
 apiVersion: v1
 kind: Pod
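Review bot: The `initContainers` entries added to this fixture reuse each resource's own main image with the same tag state (`nginx:1.12` with `nginx:1.12`, untagged `nginx` with untagged `nginx`, and on the next line `nginx:latest` with `nginx:latest`, `busybox:latest` with `busybox:latest`), so the init-container check is never the sole reason a resource fails and a policy that silently ignored `initContainers` would still produce the expected results for every resource here. There is no resource with a properly tagged main container and an untagged or `:latest` init container, which is the only shape in which the new per-list check changes the outcome. One pod such as `containers: [nginx:1.12]` plus `initContainers: [nginx:latest]`, and one whose only untagged image is an init container, would give the policy test a real assertion on the added lists; if the policy also iterates `ephemeralContainers`, the same gap exists for that list. This applies to all eight hunks of this file, including the five that continue on the next line.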
@@ -43,6 +54,9 @@ spec:
 containers:
 - name: nginx
 image: nginx:latest
+ initContainers:
+ - name: nginxinit
+ image: nginx:latest
 ---
 apiVersion: v1
 kind: Pod
@@ -56,6 +70,11 @@ spec:
 image: busybox:1.28
 - name: nginx
 image: nginx:latest
+ initContainers:
+ - name: busyboxinit
+ image: busybox:1.28
+ - name: nginxinit
+ image: nginx:latest
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -77,6 +96,10 @@ spec:
 - image: busybox:1.28
 name: busybox
 command: ["sleep", "9999"]
+ initContainers:
+ - image: busybox:1.28
+ name: busyboxinit
+ command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -98,6 +121,10 @@ spec:
 - image: busybox
 name: busybox
 command: ["sleep", "9999"]
+ initContainers:
+ - image: busybox
+ name: busyboxinit
+ command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -119,3 +146,7 @@ spec:
 - image: busybox:latest
 name: busybox
 command: ["sleep", "9999"]
+ initContainers:
+ - image: busybox:latest
+ name: busyboxinit
+ command: ["sleep", "9999"]