diff --git a/.chainsaw.yaml b/.chainsaw.yaml
index 8de72b59c..b0ecc8115 100755
--- a/.chainsaw.yaml
+++ b/.chainsaw.yaml
@@ -16,3 +16,4 @@ spec:
fullName: true
forceTerminationGracePeriod: 5s
delayBeforeCleanup: 3s
+
diff --git a/.github/actions/run-tests/action.yaml b/.github/actions/run-tests/action.yaml
index 9da5ca54e..c96492075 100644
--- a/.github/actions/run-tests/action.yaml
+++ b/.github/actions/run-tests/action.yaml
@@ -7,8 +7,12 @@ inputs:
runs:
using: "composite"
steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Install Chainsaw
- uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
+ uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10
+ with:
+ verify: true
- name: Test with Chainsaw
shell: bash
run: |
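Review bot: The new `Install Cosign` step has to stay ahead of `Install Chainsaw`, but nothing in the file says why. With `verify: true` the chainsaw installer presumably checks the downloaded release with cosign (the installer's own code is not visible here), so reordering or dropping the cosign step would likely break the install, and the tempting fix would be to switch verification off. I would add a comment above the step such as `# cosign is needed by 'verify: true' on the chainsaw install below; keep this step first`. The `Test with Chainsaw` step continues outside the hunk.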
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 86a2b2050..980b164e5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,8 @@
version: 2
updates:
- package-ecosystem: github-actions
- directory: /
+ directories:
+ - /
+ - /.github/actions/*/
schedule:
interval: daily
\ No newline at end of file
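Review bot: The `directories` list now reaches the composite actions, but Dependabot version updates are opened against the default branch only unless `target-branch` is set. The SHA pins on the `release-*` branches that the workflows in this commit now trigger on would therefore not be refreshed by this entry. If those branches are long-lived, which the diff does not show, an additional `updates` entry per maintained branch with `target-branch: <release-branch placeholder>` would close that gap. The file also still ends without a trailing newline.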
diff --git a/.github/workflows/cel-test.yml b/.github/workflows/cel-test.yml
index ec7564140..262e4dca9 100644
--- a/.github/workflows/cel-test.yml
+++ b/.github/workflows/cel-test.yml
@@ -3,10 +3,10 @@ name: E2E Tests - CEL
permissions: {}
on:
- workflow_dispatch: {}
pull_request:
branches:
- - 'main'
+ - main
+ - release-*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,16 +18,14 @@ jobs:
fail-fast: false
matrix:
k8s-version:
- - name: v1.25
- version: v1.25.16
- - name: v1.26
- version: v1.26.14
- - name: v1.27
- version: v1.27.11
- name: v1.28
- version: v1.28.7
+ version: v1.28.13
- name: v1.29
- version: v1.29.2
+ version: v1.29.8
+ - name: v1.30
+ version: v1.30.4
+ - name: v1.31
+ version: v1.31.0
tests:
- ^argo-cel$
- ^aws-cel$
@@ -49,7 +47,10 @@ jobs:
- ^other-cel$/^[s-z]
- ^pod-security-cel$
- ^psa-cel$
+ - ^psp-migration-cel$
- ^traefik-cel$
+ - ^tekton-cel$
+ - ^velero-cel$
runs-on: ubuntu-latest
name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
steps:
diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml
index 730ebc85d..5399f46a9 100644
--- a/.github/workflows/check-actions.yaml
+++ b/.github/workflows/check-actions.yaml
@@ -3,13 +3,10 @@ name: Check actions
permissions: {}
on:
- push:
- branches:
- - '*'
pull_request:
branches:
- - 'main'
- - 'release*'
+ - main
+ - release-*
jobs:
check:
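Review bot: With the `push` trigger removed, the SHA-pinning check runs only for pull requests into `main` and `release-*`. A commit that reaches those branches another way, such as a direct push, or a release branch whose name does not match the narrower `release-*` pattern, is never checked. That is acceptable if branch protection requires pull requests and this check on those branches, which cannot be seen from the diff. A comment above `pull_request:` such as `# relies on branch protection: direct pushes are not checked` would record the assumption. The same trigger change is made in `.github/workflows/ci.yml` (hunk `@@ -3,13 +3,10 @@ name: Policy Test`), and the `check` job body continues outside this hunk.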
@@ -18,7 +15,7 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Ensure SHA pinned actions
- uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b8f9a25a51fe633d9215ac7734854dc11cd299cb # v3.0.13
with:
allowlist: |
kyverno/chainsaw
diff --git a/.github/workflows/check-codegen.yml b/.github/workflows/check-codegen.yml
new file mode 100644
index 000000000..604cdf59d
--- /dev/null
+++ b/.github/workflows/check-codegen.yml
@@ -0,0 +1,34 @@
+name: Verify codegen
+
+permissions: {}
+
+on:
+ pull_request:
+ branches:
+ - main
+ - release-*
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ verify-e2e-workflow:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Set up Go
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version-file: .hack/chainsaw-matrix/go.mod
+ cache-dependency-path: .hack/chainsaw-matrix/go.sum
+ - name: Generate workflow
+ run: |
+ set -e
+ (cd .hack/chainsaw-matrix && go run . > ../../.github/workflows/test.yml)
+ - name: Check diff
+ run: |
+ set -e
+ git --no-pager diff .
+ git diff --quiet --exit-code .
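Review bot: The `Generate workflow` step runs `go run .` on code taken from the pull request, and the `Checkout` step before it leaves the job token in `.git/config` because `persist-credentials` is not set. `permissions: {}` already keeps that token close to powerless, but adding `with:` and `persist-credentials: false` to the checkout removes it from the workspace that the PR-controlled code can read. A short comment above `on:` would also help, for example `# runs code from the PR: keep the trigger as pull_request and permissions empty`, so a later edit does not move this job to a privileged trigger. The `set -e` lines are redundant only if the default shell for `run` is bash with errexit, so they can stay.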
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 056dd9607..141d2df7a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,13 +3,10 @@ name: Policy Test
permissions: {}
on:
- push:
- branches:
- - '*'
pull_request:
branches:
- main
- - release*
+ - release-*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,6 +26,7 @@ jobs:
- name: Run ah lint
working-directory: .
run: ah lint -k kyverno
+
test:
runs-on: ubuntu-latest
steps:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index be3ccbb61..c417189d2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,78 +1,851 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+# to update the workflow jobs, run the script below from the repository root:
+# `(cd .hack/chainsaw-matrix && go run . > ../../.github/workflows/test.yml)`
+
name: E2E Tests
permissions: {}
on:
- workflow_dispatch: {}
pull_request:
branches:
- - 'main'
+ - main
+ - release-*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
- chainsaw:
- strategy:
- fail-fast: false
- matrix:
- k8s-version:
- - name: v1.25
- version: v1.25.16
- - name: v1.26
- version: v1.26.14
- - name: v1.27
- version: v1.27.11
- - name: v1.28
- version: v1.28.7
- - name: v1.29
- version: v1.29.2
- tests:
- - ^argo$
- - ^aws$
- - ^best-practices$
- - ^castai$
- - ^cert-manager$
- - ^cleanup$
- - ^consul$
- - ^external-secret-operator$
- - ^flux$
- - ^istio$
- - ^karpenter$
- - ^kasten$
- - ^kubecost$
- - ^kubeops$
- - ^kubevirt$
- - ^linkerd$
- - ^nginx-ingress$
- - ^openshift$
- - ^other$/^a
- - ^other$/^[b-d]
- - ^other$/^[e-l]
- - ^other$/^[m-q]
- - ^other$/^re[c-q]
- - ^other$/^res
- - ^other$/^[s-z]
- - ^pod-security$
- - ^psa$
- - ^psp-migration$
- - ^psp-migration-cel$
- - ^tekton$
- - ^tekton-cel$
- - ^traefik$
- - ^velero$
- - ^velero-cel$
- runs-on: ubuntu-latest
- name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Setup Environment
- uses: ./.github/actions/setup-env
- with:
- k8s-version: ${{ matrix.k8s-version.version }}
- - name: Run Tests
- uses: ./.github/actions/run-tests
- with:
- tests: ${{ matrix.tests }}
+ argo:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^argo$/^(application-field-validation|application-prevent-default-project|application-prevent-updates-project|applicationset-name-matches-project|appproject-clusterresourceblacklist|argo-cluster-generation-from-rancher-capi)$
+ aws:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^aws$/^(require-encryption-aws-loadbalancers)$
+ best-practices:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^best-practices$/^(add-network-policy|add-networkpolicy-dns|add-ns-quota|add-rolebinding|add-safe-to-evict|disallow-cri-sock-mount|disallow-default-namespace|disallow-empty-ingress-host|disallow-helm-tiller|disallow-latest-tag|require-drop-all|require-drop-cap-net-raw)$
+ best-practices-12:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^best-practices$/^(require-labels|require-pod-requests-limits|require-probes|require-ro-rootfs|restrict-image-registries|restrict-node-port|restrict-service-external-ips)$
+ castai:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^castai$/^(add-castai-removal-disabled)$
+ cert-manager:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^cert-manager$/^(limit-dnsnames|limit-duration|restrict-issuer)$
+ cleanup:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^cleanup$/^(cleanup-bare-pods|cleanup-empty-replicasets)$
+ consul:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^consul$/^(enforce-min-tls-version)$
+ external-secret-operator:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^external-secret-operator$/^(add-external-secret-prefix)$
+ flux:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^flux$/^(generate-flux-multi-tenant-resources|verify-flux-images|verify-flux-sources|verify-git-repositories)$
+ istio:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^istio$/^(add-ambient-mode-namespace|add-sidecar-injection-namespace|create-authorizationpolicy|enforce-ambient-mode-namespace|enforce-sidecar-injection-namespace|enforce-strict-mtls|enforce-tls-hosts-host-subnets|prevent-disabling-injection-pods|require-authorizationpolicy|restrict-virtual-service-wildcard|service-mesh-disallow-capabilities|service-mesh-require-run-as-nonroot)$
+ karpenter:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^karpenter$/^(add-karpenter-daemonset-priority-class|add-karpenter-donot-evict|add-karpenter-nodeselector|set-karpenter-non-cpu-limits)$
+ kasten:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^kasten$/^(kasten-3-2-1-backup|kasten-data-protection-by-label|kasten-generate-policy-by-preset-label|kasten-hourly-rpo|kasten-minimum-retention|kasten-validate-ns-by-preset-label)$
+ kubecost:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^kubecost$/^(enable-kubecost-continuous-rightsizing|require-kubecost-labels)$
+ kubeops:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^kubeops$/^(config-syncer-secret-generation-from-rancher-capi)$
+ kubevirt:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^kubevirt$/^(add-services|enforce-instancetype)$
+ linkerd:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^linkerd$/^(add-linkerd-mesh-injection|add-linkerd-policy-annotation|check-linkerd-authorizationpolicy|prevent-linkerd-pod-injection-override|prevent-linkerd-port-skipping|require-linkerd-mesh-injection|require-linkerd-server)$
+ nginx-ingress:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^nginx-ingress$/^(disallow-ingress-nginx-custom-snippets|restrict-annotations|restrict-ingress-paths)$
+ openshift:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^openshift$/^(check-routes|disallow-security-context-constraint-anyuid|disallow-self-provisioner-binding)$
+ other:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(add-certificates-volume|add-default-resources|add-default-securitycontext|add-emptydir-sizelimit|add-env-vars-from-cm|add-image-as-env-var|add-imagepullsecrets|add-imagepullsecrets-for-containers-and-initcontainers|add-labels|add-ndots|add-node-affinity|add-node-labels-pod)$
+ other-12:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(add-nodeSelector|add-pod-priorityclassname|add-pod-proxies|add-tolerations|add-ttl-jobs|add-volume-deployment|advanced-restrict-image-registries|allowed-annotations|allowed-base-images|allowed-image-repos|allowed-label-changes|allowed-pod-priorities)$
+ other-24:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(always-pull-images|annotate-base-images|apply-pss-restricted-profile|audit-event-on-delete|audit-event-on-exec|block-cluster-admin-from-ns|block-ephemeral-containers|block-images-with-volumes|block-large-images|block-pod-exec-by-namespace|block-pod-exec-by-namespace-label|block-pod-exec-by-pod-and-container)$
+ other-36:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(block-pod-exec-by-pod-label|block-pod-exec-by-pod-name|block-stale-images|block-updates-deletes|check-env-vars|check-hpa-exists|check-ingress-nginx-controller-version-and-annotation-policy|check-nvidia-gpu|check-serviceaccount|check-serviceaccount-secrets|check-subjectaccessreview|check-vpa-configuration)$
+ other-48:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(concatenate-configmaps|copy-namespace-labels|create-default-pdb|create-pod-antiaffinity|deny-commands-in-exec-probe|deny-secret-service-account-token-type|deployment-replicas-higher-than-pdb|disable-automountserviceaccounttoken|disable-service-discovery|disallow-all-secrets|disallow-localhost-services|disallow-secrets-from-env-vars)$
+ other-60:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(dns-policy-and-dns-config|docker-socket-requires-label|enforce-pod-duration|enforce-resources-as-ratio|ensure-probes-different|ensure-production-matches-staging|ensure-readonly-hostpath|exclude-namespaces-dynamically|forbid-cpu-limits|generate-networkpolicy-existing|get-debug-information|imagepullpolicy-always)$
+ other-72:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(ingress-host-match-tls|inject-env-var-from-image-label|inject-sidecar-deployment|inspect-csr|kubernetes-version-check|label-existing-namespaces|label-nodes-cri|limit-configmap-for-sa|limit-containers-per-pod|limit-hostpath-type-pv|limit-hostpath-vols|memory-requests-equal-limits)$
+ other-84:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(metadata-match-regex|mitigate-log4shell|mutate-large-termination-gps|mutate-pod-binding|namespace-inventory-check|nfs-subdir-external-provisioner-storage-path|only-trustworthy-registries-set-root|pdb-maxunavailable|pdb-maxunavailable-with-deployments|pdb-minavailable|policy-for-exceptions|prepend-image-registry)$
+ other-96:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(prevent-bare-pods|prevent-cr8escape|prevent-duplicate-hpa|prevent-duplicate-vpa|protect-node-taints|record-creation-details|refresh-env-var-in-pod|refresh-volumes-in-pods|remove-hostpath-volumes|remove-serviceaccount-token|replace-image-registry|replace-image-registry-with-harbor)$
+ other-108:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(replace-ingress-hosts|require-annotations|require-base-image|require-container-port-names|require-cpu-limits|require-deployments-have-multiple-replicas|require-emptydir-requests-limits|require-image-checksum|require-image-source|require-imagepullsecrets|require-ingress-https|require-netpol)$
+ other-120:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(require-non-root-groups|require-pdb|require-pod-priorityclassname|require-qos-burstable|require-qos-guaranteed|require-reasonable-pdbs|require-replicas-allow-disruption|require-storageclass|require-unique-external-dns|require-unique-service-selector|require-unique-uid-per-workload|resolve-image-to-digest)$
+ other-132:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(resource-creation-updating-denied|restart-deployment-on-secret-change|restrict-annotations|restrict-automount-sa-token|restrict-binding-clusteradmin|restrict-binding-system-groups|restrict-clusterrole-csr|restrict-clusterrole-mutating-validating-admission-webhooks|restrict-clusterrole-nodesproxy|restrict-controlplane-scheduling|restrict-deprecated-registry|restrict-escalation-verbs-roles)$
+ other-144:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(restrict-ingress-classes|restrict-ingress-defaultbackend|restrict-ingress-host|restrict-ingress-wildcard|restrict-jobs|restrict-loadbalancer|restrict-networkpolicy-empty-podselector|restrict-node-affinity|restrict-node-label-changes|restrict-node-label-creation|restrict-node-selection|restrict-pod-controller-serviceaccount-updates)$
+ other-156:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(restrict-sa-automount-sa-token|restrict-secret-role-verbs|restrict-secrets-by-label|restrict-secrets-by-name|restrict-service-port-range|restrict-storageclass|restrict-usergroup-fsgroup-id|restrict-wildcard-resources|restrict-wildcard-verbs|scale-deployment-zero|spread-pods-across-topology|sync-secrets)$
+ other-168:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^other$/^(topologyspreadconstraints-policy|unique-ingress-host-and-path|unique-ingress-paths|update-image-tag|verify-vpa-target)$
+ pod-security_baseline:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^pod-security$/^baseline$/^(disallow-capabilities|disallow-host-namespaces|disallow-host-path|disallow-host-ports|disallow-host-ports-range|disallow-host-process|disallow-privileged-containers|disallow-proc-mount|disallow-selinux|restrict-apparmor-profiles|restrict-seccomp|restrict-sysctls)$
+ pod-security_restricted:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^pod-security$/^restricted$/^(disallow-capabilities-strict|disallow-privilege-escalation|require-run-as-non-root-user|require-run-as-nonroot|restrict-seccomp-strict|restrict-volume-types)$
+ pod-security_subrule_restricted:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^pod-security$/^subrule$/^restricted$/^(restricted-exclude-capabilities|restricted-exclude-seccomp|restricted-latest)$
+ psa:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^psa$/^(add-privileged-existing-namespaces|add-psa-labels|add-psa-namespace-reporting|deny-privileged-profile)$
+ psp-migration:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^psp-migration$/^(add-apparmor|add-capabilities|add-runtimeClassName|check-supplemental-groups|restrict-adding-capabilities|restrict-runtimeClassName)$
+ tekton:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^tekton$/^(block-tekton-task-runs|require-tekton-bundle|require-tekton-namespace-pipelinerun)$
+ traefik:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^traefik$/^(disallow-default-tlsoptions)$
+ velero:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^velero$/^(backup-all-volumes|block-velero-restore|validate-cron-schedule)$
+ windows-security:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: ${{ matrix.k8s-version }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ^windows-security$/^(require-run-as-containeruser)$
+ e2e-required-success:
+ name: e2e-required
+ needs:
+ - argo
+ - aws
+ - best-practices
+ - best-practices-12
+ - castai
+ - cert-manager
+ - cleanup
+ - consul
+ - external-secret-operator
+ - flux
+ - istio
+ - karpenter
+ - kasten
+ - kubecost
+ - kubeops
+ - kubevirt
+ - linkerd
+ - nginx-ingress
+ - openshift
+ - other
+ - other-12
+ - other-24
+ - other-36
+ - other-48
+ - other-60
+ - other-72
+ - other-84
+ - other-96
+ - other-108
+ - other-120
+ - other-132
+ - other-144
+ - other-156
+ - other-168
+ - pod-security_baseline
+ - pod-security_restricted
+ - pod-security_subrule_restricted
+ - psa
+ - psp-migration
+ - tekton
+ - traefik
+ - velero
+ - windows-security
+ runs-on: ubuntu-latest
+ if: ${{ success() }}
+ steps:
+ - run: ${{ true }}
+ e2e-required-failure:
+ name: e2e-required
+ needs:
+ - argo
+ - aws
+ - best-practices
+ - best-practices-12
+ - castai
+ - cert-manager
+ - cleanup
+ - consul
+ - external-secret-operator
+ - flux
+ - istio
+ - karpenter
+ - kasten
+ - kubecost
+ - kubeops
+ - kubevirt
+ - linkerd
+ - nginx-ingress
+ - openshift
+ - other
+ - other-12
+ - other-24
+ - other-36
+ - other-48
+ - other-60
+ - other-72
+ - other-84
+ - other-96
+ - other-108
+ - other-120
+ - other-132
+ - other-144
+ - other-156
+ - other-168
+ - pod-security_baseline
+ - pod-security_restricted
+ - pod-security_subrule_restricted
+ - psa
+ - psp-migration
+ - tekton
+ - traefik
+ - velero
+ - windows-security
+ runs-on: ubuntu-latest
+ if: ${{ failure() || cancelled() }}
+ steps:
+ - run: ${{ false }}
diff --git a/.gitignore b/.gitignore
index 5da35b529..f01417fc7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ settings.json
.idea
.DS_Store
kubeconfig
+.hack/chainsaw-matrix/chainsaw-matrix
diff --git a/.hack/chainsaw-matrix/go.mod b/.hack/chainsaw-matrix/go.mod
new file mode 100644
index 000000000..10ae32083
--- /dev/null
+++ b/.hack/chainsaw-matrix/go.mod
@@ -0,0 +1,100 @@
+module github.com/kyverno/policies/hack/chainsaw-matrix
+
+go 1.23.0
+
+require github.com/kyverno/chainsaw v0.2.8
+
+require (
+ github.com/NYTimes/gziphandler v1.1.1 // indirect
+ github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
+ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+ github.com/beorn7/perks v1.0.1 // indirect
+ github.com/blang/semver/v4 v4.0.0 // indirect
+ github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+ github.com/cespare/xxhash/v2 v2.3.0 // indirect
+ github.com/coreos/go-semver v0.3.1 // indirect
+ github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+ github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+ github.com/evanphx/json-patch v5.9.0+incompatible // indirect
+ github.com/felixge/httpsnoop v1.0.4 // indirect
+ github.com/fsnotify/fsnotify v1.7.0 // indirect
+ github.com/go-logr/logr v1.4.2 // indirect
+ github.com/go-logr/stdr v1.2.2 // indirect
+ github.com/go-openapi/jsonpointer v0.21.0 // indirect
+ github.com/go-openapi/jsonreference v0.21.0 // indirect
+ github.com/go-openapi/swag v0.23.0 // indirect
+ github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+ github.com/golang/protobuf v1.5.4 // indirect
+ github.com/google/cel-go v0.17.8 // indirect
+ github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
+ github.com/google/go-cmp v0.6.0 // indirect
+ github.com/google/gofuzz v1.2.0 // indirect
+ github.com/google/uuid v1.6.0 // indirect
+ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 // indirect
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.21.0 // indirect
+ github.com/imdario/mergo v0.3.16 // indirect
+ github.com/inconshreveable/mousetrap v1.1.0 // indirect
+ github.com/jinzhu/copier v0.4.0 // indirect
+ github.com/josharian/intern v1.0.0 // indirect
+ github.com/json-iterator/go v1.1.12 // indirect
+ github.com/kyverno/kyverno-json v0.0.4-0.20240730143747-aade3d42fc0e // indirect
+ github.com/kyverno/pkg/ext v0.0.0-20240418121121-df8add26c55c // indirect
+ github.com/mailru/easyjson v0.7.7 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
+ github.com/prometheus/client_golang v1.18.0 // indirect
+ github.com/prometheus/client_model v0.6.0 // indirect
+ github.com/prometheus/common v0.47.0 // indirect
+ github.com/prometheus/procfs v0.12.0 // indirect
+ github.com/spf13/cobra v1.8.1 // indirect
+ github.com/spf13/pflag v1.0.5 // indirect
+ github.com/stoewer/go-strcase v1.3.0 // indirect
+ go.etcd.io/etcd/api/v3 v3.5.15 // indirect
+ go.etcd.io/etcd/client/pkg/v3 v3.5.15 // indirect
+ go.etcd.io/etcd/client/v3 v3.5.15 // indirect
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
+ go.opentelemetry.io/otel v1.28.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect
+ go.opentelemetry.io/otel/metric v1.28.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+ go.opentelemetry.io/otel/trace v1.28.0 // indirect
+ go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+ go.uber.org/multierr v1.11.0 // indirect
+ go.uber.org/zap v1.27.0 // indirect
+ golang.org/x/crypto v0.25.0 // indirect
+ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+ golang.org/x/net v0.27.0 // indirect
+ golang.org/x/oauth2 v0.21.0 // indirect
+ golang.org/x/sync v0.7.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
+ golang.org/x/term v0.22.0 // indirect
+ golang.org/x/text v0.16.0 // indirect
+ golang.org/x/time v0.5.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240725223205-93522f1f2a9f // indirect
+ google.golang.org/grpc v1.65.0 // indirect
+ google.golang.org/protobuf v1.34.2 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+ k8s.io/api v0.30.3 // indirect
+ k8s.io/apiextensions-apiserver v0.30.3 // indirect
+ k8s.io/apimachinery v0.30.3 // indirect
+ k8s.io/apiserver v0.30.3 // indirect
+ k8s.io/client-go v0.30.3 // indirect
+ k8s.io/component-base v0.30.3 // indirect
+ k8s.io/klog/v2 v2.130.1 // indirect
+ k8s.io/kube-openapi v0.0.0-20240726031636-6f6746feab9c // indirect
+ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
+ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
+ sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+ sigs.k8s.io/kubectl-validate v0.0.4 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+ sigs.k8s.io/yaml v1.4.0 // indirect
+)
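Review bot: Nothing visible in this commit keeps the dependencies pinned by this new go.mod up to date. The `require` blocks fix `github.com/kyverno/chainsaw v0.2.8` and about ninety indirect modules, including `golang.org/x/crypto v0.25.0`, `golang.org/x/net v0.27.0` and `google.golang.org/grpc v1.65.0`, while the `.github/dependabot.yml` hunk earlier in the diff appears to list only `package-ecosystem: github-actions`. I would add a second update entry there with `package-ecosystem: gomod` and `directory: /.hack/chainsaw-matrix`, so that advisories against this helper's dependency graph surface as pull requests instead of going unnoticed. Separately, the module path on the first line (`github.com/kyverno/policies/hack/chainsaw-matrix`) does not match the directory `.hack/chainsaw-matrix`. That is harmless for a tool built only in-tree, but a comment above the `module` line such as `// local CI helper, not meant to be imported` would record that it is deliberate.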
diff --git a/.hack/chainsaw-matrix/go.sum b/.hack/chainsaw-matrix/go.sum
new file mode 100644
index 000000000..d8dd6dbca
--- /dev/null
+++ b/.hack/chainsaw-matrix/go.sum
@@ -0,0 +1,325 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
+github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU=
+github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
+github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
+github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/cel-go v0.17.8 h1:j9m730pMZt1Fc4oKhCLUHfjj6527LuhYcYw0Rl8gqto=
+github.com/google/cel-go v0.17.8/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
+github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 h1:JYghRBlGCZyCF2wNUJ8W0cwaQdtpcssJ4CgC406g+WU=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99/go.mod h1:3bDW6wMZJB7tiONtC/1Xpicra6Wp5GgbTbQWCbI5fkc=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.21.0 h1:CWyXh/jylQWp2dtiV33mY4iSSp6yf4lmn+c7/tN+ObI=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.21.0/go.mod h1:nCLIt0w3Ept2NwF8ThLmrppXsfT07oC8k0XNDxd8sVU=
+github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
+github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
+github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
+github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
+github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kyverno/chainsaw v0.2.8 h1:E+zUQ8SuOxUBeQC5i/0RYUPOXIeOKi69gOqFN5w256c=
+github.com/kyverno/chainsaw v0.2.8/go.mod h1:ttTQJepYvp8Uy+aATNZ4EpEgh39A3HjIphSdCCyppkI=
+github.com/kyverno/kyverno-json v0.0.4-0.20240730143747-aade3d42fc0e h1:gh9iMuJS8yloxo3JIzvgLWZWwy5iRjEkA8/U7rK3iu8=
+github.com/kyverno/kyverno-json v0.0.4-0.20240730143747-aade3d42fc0e/go.mod h1:3LgZogzltja+Sx0o5CIa7d7+991v8sWXHskU0fWSOsQ=
+github.com/kyverno/pkg/ext v0.0.0-20240418121121-df8add26c55c h1:lAolpR9H8BwM5lRRvgCQ8JowswyxZRH+fgtIQzHFVCk=
+github.com/kyverno/pkg/ext v0.0.0-20240418121121-df8add26c55c/go.mod h1:02vxM0GNXz9+B/i6+rMfWAIwibUuAH+qFsd73IFskgQ=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
+github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
+github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
+github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
+github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
+github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
+github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
+github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.47.0 h1:p5Cz0FNHo7SnWOmWmoRozVcjEp0bIVU8cV7OShpjL1k=
+github.com/prometheus/common v0.47.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
+github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
+github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
+github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
+go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+go.etcd.io/etcd/api/v3 v3.5.15 h1:3KpLJir1ZEBrYuV2v+Twaa/e2MdDCEZ/70H+lzEiwsk=
+go.etcd.io/etcd/api/v3 v3.5.15/go.mod h1:N9EhGzXq58WuMllgH9ZvnEr7SI9pS0k0+DHZezGp7jM=
+go.etcd.io/etcd/client/pkg/v3 v3.5.15 h1:fo0HpWz/KlHGMCC+YejpiCmyWDEuIpnTDzpJLB5fWlA=
+go.etcd.io/etcd/client/pkg/v3 v3.5.15/go.mod h1:mXDI4NAOwEiszrHCb0aqfAYNCrZP4e9hRca3d1YK8EU=
+go.etcd.io/etcd/client/v2 v2.305.10 h1:MrmRktzv/XF8CvtQt+P6wLUlURaNpSDJHFZhe//2QE4=
+go.etcd.io/etcd/client/v2 v2.305.10/go.mod h1:m3CKZi69HzilhVqtPDcjhSGp+kA1OmbNn0qamH80xjA=
+go.etcd.io/etcd/client/v3 v3.5.15 h1:23M0eY4Fd/inNv1ZfU3AxrbbOdW79r9V9Rl62Nm6ip4=
+go.etcd.io/etcd/client/v3 v3.5.15/go.mod h1:CLSJxrYjvLtHsrPKsy7LmZEE+DK2ktfd2bN4RhBMwlU=
+go.etcd.io/etcd/pkg/v3 v3.5.10 h1:WPR8K0e9kWl1gAhB5A7gEa5ZBTNkT9NdNWrR8Qpo1CM=
+go.etcd.io/etcd/pkg/v3 v3.5.10/go.mod h1:TKTuCKKcF1zxmfKWDkfz5qqYaE3JncKKZPFf8c1nFUs=
+go.etcd.io/etcd/raft/v3 v3.5.10 h1:cgNAYe7xrsrn/5kXMSaH8kM/Ky8mAdMqGOxyYwpP0LA=
+go.etcd.io/etcd/raft/v3 v3.5.10/go.mod h1:odD6kr8XQXTy9oQnyMPBOr0TVe+gT0neQhElQ6jbGRc=
+go.etcd.io/etcd/server/v3 v3.5.10 h1:4NOGyOwD5sUZ22PiWYKmfxqoeh72z6EhYjNosKGLmZg=
+go.etcd.io/etcd/server/v3 v3.5.10/go.mod h1:gBplPHfs6YI0L+RpGkTQO7buDbHv5HJGG/Bst0/zIPo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
+go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
+go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
+go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
+go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
+go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
+go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
+go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
+go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
+golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20240725223205-93522f1f2a9f h1:htT2I9bZvGm+110zq8bIErMX+WgBWxCzV3ChwbvnKnc=
+google.golang.org/genproto v0.0.0-20240725223205-93522f1f2a9f/go.mod h1:Sk3mLpoDFTAp6R4OvlcUgaG4ISTspKeFsIAXMn9Bm4Y=
+google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f h1:b1Ln/PG8orm0SsBbHZWke8dDp2lrCD4jSmfglFpTZbk=
+google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f/go.mod h1:AHT0dDg3SoMOgZGnZk29b5xTbPHMoEC8qthmBLJCpys=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240725223205-93522f1f2a9f h1:RARaIm8pxYuxyNPbBQf5igT7XdOyCNtat1qAT2ZxjU4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240725223205-93522f1f2a9f/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
+google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
+google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ=
+k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04=
+k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U=
+k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4=
+k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc=
+k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g=
+k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg=
+k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
+k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
+k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s=
+k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kms v0.30.3 h1:NLg+oN45S2Y3U0WiLRzbS61AY/XrS5JBMZp531Z+Pho=
+k8s.io/kms v0.30.3/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
+k8s.io/kube-openapi v0.0.0-20240726031636-6f6746feab9c h1:CHL3IcTrTI3csK36iwYJy36uQRic+IpSoRMNH+0I8SE=
+k8s.io/kube-openapi v0.0.0-20240726031636-6f6746feab9c/go.mod h1:0CVn9SVo8PeW5/JgsBZZIFmmTk5noOM8WXf2e1tCihE=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/kubectl-validate v0.0.4 h1:tGKuv0awYHn11Cb6KPsZKxUmHgavF46K3NvVH0Nse9U=
+sigs.k8s.io/kubectl-validate v0.0.4/go.mod h1:JTm3G+JZLPISqABh73uV7s/sW28q2zZqnTghOzahEKA=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/.hack/chainsaw-matrix/main.go b/.hack/chainsaw-matrix/main.go
new file mode 100644
index 000000000..5f62d1ab3
--- /dev/null
+++ b/.hack/chainsaw-matrix/main.go
@@ -0,0 +1,97 @@
+package main
+
+import (
+ "fmt"
+ "maps"
+ "os"
+ "path/filepath"
+ "slices"
+ "strings"
+ "text/template"
+
+ "github.com/kyverno/chainsaw/pkg/discovery"
+)
+
+const chunkSize = 12
+
+type testSuite struct {
+ Name string
+ Pattern string
+ Folder string
+ Required bool
+}
+
+type values struct {
+ TestSuites []testSuite
+}
+
+type payload struct {
+ Values values
+}
+
+func main() {
+ tests, err := discovery.DiscoverTests("chainsaw-test.yaml", nil, false, "../..")
+ if err != nil {
+ panic(err)
+ }
+ var paths []string
+ for _, test := range tests {
+ path, err := filepath.Rel("../..", test.BasePath)
+ if err != nil {
+ panic(err)
+ }
+ parts := strings.Split(path, "/")
+ if len(parts) < 3 {
+ panic("not enough folder parts: " + path)
+ }
+ if strings.HasSuffix(parts[0], "-cel") {
+ continue
+ }
+ parts = parts[:len(parts)-1]
+ paths = append(paths, strings.Join(parts, "/"))
+ }
+ suites := map[string][]string{}
+ for _, path := range paths {
+ parts := strings.Split(path, "/")
+ root := strings.Join(parts[:len(parts)-1], "/")
+ suites[root] = append(suites[root], parts[len(parts)-1])
+ }
+ var ts []testSuite
+ for _, key := range slices.Sorted(maps.Keys(suites)) {
+ root := ""
+ for _, part := range strings.Split(key, "/") {
+ root += "^" + part + "$" + "/"
+ }
+ slices.Sort(suites[key])
+ for i := 0; i < len(suites[key]); i += chunkSize {
+ end := i + chunkSize
+ if end > len(suites[key]) {
+ end = len(suites[key])
+ }
+ pattern := root + "^" + "(" + strings.Join(suites[key][i:end], "|") + ")" + "$"
+ name := strings.ReplaceAll(key, "/", "_")
+ if i >= chunkSize {
+ name = fmt.Sprintf("%s-%d", name, i)
+ }
+ ts = append(ts, testSuite{
+ Required: true,
+ Name: name,
+ Folder: key,
+ Pattern: pattern,
+ })
+ }
+ }
+ var tmplFile = "workflow.yaml"
+ tmpl, err := template.New(tmplFile).ParseFiles(tmplFile)
+ if err != nil {
+ panic(err)
+ }
+ err = tmpl.Execute(os.Stdout, payload{
+ Values: values{
+ TestSuites: ts,
+ },
+ })
+ if err != nil {
+ panic(err)
+ }
+}
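Review bot: Folder names are concatenated unescaped into what looks like a regular expression, both in `root += "^" + part + "$" + "/"` and in the `strings.Join(suites[key][i:end], "|")` alternation. A directory name containing a metacharacter such as `.` or `+` would therefore select tests other than the intended ones. Passing each component through `regexp.QuoteMeta` (and adding `regexp` to the imports) keeps the generated pattern literal, e.g. `root += "^" + regexp.QuoteMeta(part) + "$" + "/"`, with the same applied to each name before the join. Separately, `filepath.Rel` returns OS-specific separators while the code splits on `"/"`, so `path = filepath.ToSlash(path)` before the split would make the generator portable.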
diff --git a/.hack/chainsaw-matrix/workflow.yaml b/.hack/chainsaw-matrix/workflow.yaml
new file mode 100644
index 000000000..c9b84ac9d
--- /dev/null
+++ b/.hack/chainsaw-matrix/workflow.yaml
@@ -0,0 +1,59 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+# to update the workflow jobs, run the script below from the repository root:
+# `(cd .hack/chainsaw-matrix && go run . > ../../.github/workflows/test.yml)`
+
+name: E2E Tests
+
+permissions: {}
+
+on:
+ pull_request:
+ branches:
+ - main
+ - release-*
+
+concurrency:
+ group: {{ print "${{ github.workflow }}-${{ github.ref }}" }}
+ cancel-in-progress: true
+
+jobs:
+ {{- range .Values.TestSuites }}
+ {{ .Name }}:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup Environment
+ uses: ./.github/actions/setup-env
+ with:
+ k8s-version: {{ print "${{ matrix.k8s-version }}" }}
+ - name: Run Tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: {{ .Pattern }}
+ {{- end }}
+ e2e-required-success:
+ name: e2e-required
+ needs:
+ {{- range .Values.TestSuites }}
+ - {{ .Name }}
+ {{- end }}
+ runs-on: ubuntu-latest
+ if: {{ print "${{ success() }}" }}
+ steps:
+ - run: {{ print "${{ true }}" }}
+ e2e-required-failure:
+ name: e2e-required
+ needs:
+ {{- range .Values.TestSuites }}
+ - {{ .Name }}
+ {{- end }}
+ runs-on: ubuntu-latest
+ if: {{ print "${{ failure() || cancelled() }}" }}
+ steps:
+ - run: {{ print "${{ false }}" }}
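Review bot: `tests: {{ .Pattern }}` and the job key `{{ .Name }}:` are rendered as bare YAML scalars derived from directory names, and `text/template` does no YAML escaping. A value that ever contains `: `, ` #` or a leading indicator would silently change the generated document. Quoting the value, `tests: '{{ .Pattern }}'`, keeps the regex characters (`^`, `$`, `|`, `(`) literal for the YAML parser. How `run-tests` consumes the `tests` input is not visible in this hunk; if it interpolates the input straight into its bash `run:` script, passing it through `env:` would keep those characters from being shell-interpreted. The checkout step could also set `persist-credentials: false`, as the later steps do not appear to need the token.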
diff --git a/README.md b/README.md
index 7e5ab011f..941d42653 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ metadata:
policies.kyverno.io/description: >-
Adding capabilities beyond those listed in the policy must be disallowed.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: my-rule-name
diff --git a/argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml b/argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml
index 4f0ddbf67..6dc354021 100755
--- a/argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml
+++ b/argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: application-field-validation
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml b/argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml
index 0edbc929b..cbef78483 100755
--- a/argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml
+++ b/argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: application-prevent-default-project
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo-cel/application-prevent-updates-project/.chainsaw-test/policy-ready.yaml b/argo-cel/application-prevent-updates-project/.chainsaw-test/policy-ready.yaml
index 820069362..24cddb73a 100755
--- a/argo-cel/application-prevent-updates-project/.chainsaw-test/policy-ready.yaml
+++ b/argo-cel/application-prevent-updates-project/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: application-prevent-updates-project
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo-cel/applicationset-name-matches-project/.chainsaw-test/policy-ready.yaml b/argo-cel/applicationset-name-matches-project/.chainsaw-test/policy-ready.yaml
index 5e891f2a0..9630ddada 100755
--- a/argo-cel/applicationset-name-matches-project/.chainsaw-test/policy-ready.yaml
+++ b/argo-cel/applicationset-name-matches-project/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: applicationset-name-matches-project
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/policy-ready.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/policy-ready.yaml
index 745e7b98b..8c0d37ede 100755
--- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/policy-ready.yaml
+++ b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: appproject-clusterresourceblacklist
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index 4f0ddbf67..6dc354021 100755
--- a/argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: application-field-validation
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo/application-field-validation/application-field-validation.yaml b/argo/application-field-validation/application-field-validation.yaml
index 0277f7737..d71905b2b 100644
--- a/argo/application-field-validation/application-field-validation.yaml
+++ b/argo/application-field-validation/application-field-validation.yaml
@@ -15,7 +15,7 @@ metadata:
Path or chart must be specified but never both. And destination.name or
destination.server must be specified but never both.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: source-path-chart
diff --git a/argo/application-field-validation/artifacthub-pkg.yml b/argo/application-field-validation/artifacthub-pkg.yml
index e97a0a7af..e37eb3830 100644
--- a/argo/application-field-validation/artifacthub-pkg.yml
+++ b/argo/application-field-validation/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Argo"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Application"
-digest: d3fb7174f682520a3ab0f62c4430014fc3228b51b989d770f5546099f342f416
+digest: 9f6e56fb8532ee2f043a3a623b4dabde1c419ec4858a4b50261cc392069a4b6d
diff --git a/argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index 0edbc929b..cbef78483 100755
--- a/argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: application-prevent-default-project
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo/application-prevent-default-project/application-prevent-default-project.yaml b/argo/application-prevent-default-project/application-prevent-default-project.yaml
index 6a6373cb1..766871740 100644
--- a/argo/application-prevent-default-project/application-prevent-default-project.yaml
+++ b/argo/application-prevent-default-project/application-prevent-default-project.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
This policy prevents the use of the default project in an Application.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: default-project
diff --git a/argo/application-prevent-default-project/artifacthub-pkg.yml b/argo/application-prevent-default-project/artifacthub-pkg.yml
index 91010fb5b..aabcbb895 100644
--- a/argo/application-prevent-default-project/artifacthub-pkg.yml
+++ b/argo/application-prevent-default-project/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Argo"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Application"
-digest: cd52206b53b7fd1fc1d73ed2b127d70cead0eecf19f43e8b9b4192bb0b418c25
+digest: 90789fabae88fe5b601404793bf67e28fe06f19d2ec33a351e6a4b1199de4b45
diff --git a/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index 820069362..24cddb73a 100755
--- a/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: application-prevent-updates-project
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo/application-prevent-updates-project/application-prevent-updates-project.yaml b/argo/application-prevent-updates-project/application-prevent-updates-project.yaml
index 62bf3c036..f4eac4f05 100644
--- a/argo/application-prevent-updates-project/application-prevent-updates-project.yaml
+++ b/argo/application-prevent-updates-project/application-prevent-updates-project.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
This policy prevents updates to the project field after an Application is created.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: project-updates
diff --git a/argo/application-prevent-updates-project/artifacthub-pkg.yml b/argo/application-prevent-updates-project/artifacthub-pkg.yml
index 9026c5c3f..5f28adcea 100644
--- a/argo/application-prevent-updates-project/artifacthub-pkg.yml
+++ b/argo/application-prevent-updates-project/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Argo"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Application"
-digest: be410b40b2df93914851faffdefb7a02d036367ba89ffcd600ddc57f15efc21f
+digest: 604c05775c80ab521492bb326139a635cab9acfae7d8eac06b8f22fc51b831b9
diff --git a/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index 5e891f2a0..9630ddada 100755
--- a/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: applicationset-name-matches-project
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml b/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml
index d2ff71bca..38529a89e 100644
--- a/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml
+++ b/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml
@@ -14,7 +14,7 @@ metadata:
This policy ensures that the name of the ApplicationSet is the
same value provided in the project.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: match-name
diff --git a/argo/applicationset-name-matches-project/artifacthub-pkg.yml b/argo/applicationset-name-matches-project/artifacthub-pkg.yml
index 9e2e7fbc8..6922ea295 100644
--- a/argo/applicationset-name-matches-project/artifacthub-pkg.yml
+++ b/argo/applicationset-name-matches-project/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Argo"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "ApplicationSet"
-digest: 7eabf25e8af8b90e044164d4ff2acb12503332f2c40360edebd4e1a908c773c3
+digest: 2b60af2ba640e7cc5edf7fada97d92c3a4fd72354e25f613a83c0287cc43f519
diff --git a/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index 745e7b98b..8c0d37ede 100755
--- a/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: appproject-clusterresourceblacklist
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml b/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
index c5a0aed03..52dc4d289 100644
--- a/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
+++ b/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
@@ -17,7 +17,7 @@ metadata:
enforce that all AppProjects specify clusterResourceBlacklist and that their group
and kind have wildcards as values.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: has-wildcard
diff --git a/argo/appproject-clusterresourceblacklist/artifacthub-pkg.yml b/argo/appproject-clusterresourceblacklist/artifacthub-pkg.yml
index cca1ca18a..0687ba404 100644
--- a/argo/appproject-clusterresourceblacklist/artifacthub-pkg.yml
+++ b/argo/appproject-clusterresourceblacklist/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Argo"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "AppProject"
-digest: d4842e3c136e9e581cf090d5843cf0eb54cfb1e9638f80e85f7dfbfda7e01b97
+digest: 7468b37dca594f3dad0d2b0909a89bdab9eafa1aaf1d680bf5faf5f57981ccba
diff --git a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml
index e1c518a70..24b9d4502 100644
--- a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml
+++ b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: argo-cluster-generation-from-rancher-capi
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/policy-ready.yaml b/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/policy-ready.yaml
index 7806e1591..169f02e73 100755
--- a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/policy-ready.yaml
+++ b/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-encryption-aws-loadbalancers
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/aws/require-aws-node-irsa/artifacthub-pkg.yml b/aws/require-aws-node-irsa/artifacthub-pkg.yml
index 2c9c7169f..142cf90fa 100644
--- a/aws/require-aws-node-irsa/artifacthub-pkg.yml
+++ b/aws/require-aws-node-irsa/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "AWS, EKS Best Practices"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "DaemonSet"
-digest: 87f310a81a0f34889ac3664f0a5ff0aa5553cbb2b3223bc0ef6dae0d10bf0e92
+digest: a39c0908e2bdff2fa166dd9491d604324f06dbd8872070d9a59effc6bbdec898
diff --git a/aws/require-aws-node-irsa/require-aws-node-irsa.yaml b/aws/require-aws-node-irsa/require-aws-node-irsa.yaml
index 4c42d9998..48670fa02 100644
--- a/aws/require-aws-node-irsa/require-aws-node-irsa.yaml
+++ b/aws/require-aws-node-irsa/require-aws-node-irsa.yaml
@@ -19,7 +19,7 @@ metadata:
the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet
running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-node-daemonset-irsa
diff --git a/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 7806e1591..169f02e73 100755
--- a/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-encryption-aws-loadbalancers
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/aws/require-encryption-aws-loadbalancers/artifacthub-pkg.yml b/aws/require-encryption-aws-loadbalancers/artifacthub-pkg.yml
index 0978b271a..0e0cc2d37 100644
--- a/aws/require-encryption-aws-loadbalancers/artifacthub-pkg.yml
+++ b/aws/require-encryption-aws-loadbalancers/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "AWS, EKS Best Practices"
kyverno/kubernetesVersion: "1.23-1.24"
kyverno/subject: "Service"
-digest: 6e54a5bb0c445d0f619c75369e8e47a3d0ccebef9ebc44bc7567f3b850c40d27
+digest: 2d174428edf213e9f4f2368e5fbe430ff07ad2cf11628e2401021f1a6994d9cc
diff --git a/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml b/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
index cdc79ee74..a2b0c4558 100644
--- a/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
+++ b/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
@@ -16,7 +16,7 @@ metadata:
that Services of type LoadBalancer contain the annotation
service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: aws-loadbalancer-has-ssl-cert
diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml
index d9fc1691f..533ddd8d5 100644
--- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml
+++ b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- sleep
- "3600"
diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml
index 2609b3d82..4096734b0 100644
--- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml
+++ b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml
@@ -6,7 +6,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- sleep
- "3600"
diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml
index 24674e4c7..0e6bde6b2 100755
--- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-container-sock-mounts
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/deploy-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/deploy-default.yaml
index 2d193c349..06d961397 100644
--- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/deploy-default.yaml
+++ b/best-practices-cel/disallow-default-namespace/.chainsaw-test/deploy-default.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ds-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/ds-default.yaml
index 98be9a803..6dc05dc9f 100644
--- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ds-default.yaml
+++ b/best-practices-cel/disallow-default-namespace/.chainsaw-test/ds-default.yaml
@@ -13,7 +13,7 @@ spec:
name: good-daemonset
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/good-resources.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/good-resources.yaml
index 9d3b757a7..3ad7b9b85 100644
--- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/good-resources.yaml
+++ b/best-practices-cel/disallow-default-namespace/.chainsaw-test/good-resources.yaml
@@ -29,7 +29,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
@@ -50,7 +50,7 @@ spec:
name: good-daemonset
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
@@ -65,7 +65,7 @@ spec:
template:
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
@@ -90,7 +90,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/job-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/job-default.yaml
index 6507f7b52..fca60baab 100644
--- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/job-default.yaml
+++ b/best-practices-cel/disallow-default-namespace/.chainsaw-test/job-default.yaml
@@ -7,7 +7,7 @@ spec:
template:
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/policy-ready.yaml
index 1ce933d92..077564486 100755
--- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/disallow-default-namespace/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-default-namespace
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ss-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/ss-default.yaml
index aacb55f86..a055a4dec 100644
--- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ss-default.yaml
+++ b/best-practices-cel/disallow-default-namespace/.chainsaw-test/ss-default.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml
index 9a61e3f0d..957e645c5 100644
--- a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-empty-ingress-host
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
index bf734c173..d8be1168b 100644
--- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
+++ b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
@@ -15,7 +15,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox
+ - image: ghcr.io/kyverno/test-busybox
name: busybox
- image: docker.io/tiller:latest
name: helm-tiller
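Review bot: The replacement image for the `busybox` container carries no tag, so it resolves to `latest`, while the sibling fixtures in this directory use `ghcr.io/kyverno/test-busybox:1.35`. This fixture exercises the tiller image rather than tags, so a floating reference adds nothing to the test and makes it depend on whatever `latest` points to in the mirror (if that tag is published there at all). Suggest `- image: ghcr.io/kyverno/test-busybox:1.35` for consistency with `good-deploy.yaml`.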
diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
index 8bb9976d8..b52f86301 100644
--- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
+++ b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
@@ -7,5 +7,5 @@ spec:
- name: helm-tiller
image: docker.io/tiller:latest
- name: somebox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
index 0080cc324..1d5374d5c 100644
--- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
+++ b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: somebox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: helm-tiller
image: docker.io/tiller:latest
diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
index 3e280723c..a06416819 100644
--- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
+++ b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
@@ -15,7 +15,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep", "3600"]
diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
index a4dba0e32..d05317000 100644
--- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
+++ b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: nothelmbox
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml
index ee708ab7e..e97801af1 100755
--- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-helm-tiller
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
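Review bot: The new Ready assertion matches `conditions` as a plain one-element array and also pins `reason: Succeeded`, which is stricter than the `ready: true` check it replaces. As far as I know, Chainsaw compares a plain array element by element and requires equal length, so the test would fail if the ClusterPolicy ever reported a second condition; this is worth confirming against the Chainsaw version installed in CI. Selecting the condition by type is more robust: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The same pattern is repeated in the policy-ready.yaml hunks for disallow-latest-tag, require-drop-all, require-drop-cap-net-raw, require-labels and require-pod-requests-limits.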
diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
index 8c0b1647f..6c85b62e3 100644
--- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
+++ b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: nginx
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
index a0d5d9557..906af4a7f 100644
--- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
+++ b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: nginx
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
- name: busybox
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
index 8645ee32e..a4410ed4a 100644
--- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
+++ b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: nginx
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
---
apiVersion: v1
kind: Pod
@@ -16,9 +16,9 @@ metadata:
spec:
containers:
- name: nginx
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
---
apiVersion: v1
kind: Pod
@@ -27,7 +27,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: nginx
- image: nginx:latest
+ image: ghcr.io/kyverno/test-nginx:latest
diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml
index 588b2187c..1863965ef 100644
--- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml
+++ b/best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml
index 86e057994..19f475312 100755
--- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-latest-tag
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-containers.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-containers.yaml
index 0584b0c55..8ce6c3584 100644
--- a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-containers.yaml
+++ b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-containers.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -20,14 +20,14 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -36,14 +36,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -51,9 +51,9 @@ spec:
- ALL
containers:
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-corner.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-corner.yaml
index bad0b495a..acd742fde 100644
--- a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-corner.yaml
+++ b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-corner.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -26,12 +26,12 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -45,11 +45,11 @@ metadata:
spec:
containers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml
index de67854b4..cdb6ec865 100644
--- a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml
+++ b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml
@@ -5,17 +5,17 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,9 +29,9 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -39,7 +39,7 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml
index 254904bfb..6b5811341 100644
--- a/best-practices-cel/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices-cel/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,14 +29,14 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -54,24 +54,24 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -91,24 +91,24 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -128,14 +128,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -143,12 +143,12 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/good-pod.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/good-pod.yaml
index c8dc9dc3a..52d96bbea 100644
--- a/best-practices-cel/require-drop-all/.chainsaw-test/good-pod.yaml
+++ b/best-practices-cel/require-drop-all/.chainsaw-test/good-pod.yaml
@@ -5,21 +5,21 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/good-podcontrollers.yaml
index ddbf2e531..9224abaf0 100644
--- a/best-practices-cel/require-drop-all/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices-cel/require-drop-all/.chainsaw-test/good-podcontrollers.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,14 +29,14 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -56,14 +56,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -71,14 +71,14 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml
index 8a4a66d15..bfb8f0860 100755
--- a/best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: drop-all-capabilities
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
index c539b4c54..52603dfff 100644
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -20,14 +20,14 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -36,14 +36,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -51,9 +51,9 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
index a055093a4..db8aba8e8 100644
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
@@ -5,13 +5,13 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -24,12 +24,12 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -42,11 +42,11 @@ metadata:
spec:
containers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- CAP_NET_RAW
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
index a4eb4653f..0be20ff85 100644
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
@@ -5,17 +5,17 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,9 +29,9 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -39,7 +39,7 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
index 5bfc7255b..4f1b188ef 100644
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,14 +29,14 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -54,24 +54,24 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -91,24 +91,24 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -128,14 +128,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -143,12 +143,12 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
index 39741ccf6..ee9c97a56 100644
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
@@ -5,20 +5,20 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
index 364041d70..68ffcadd9 100644
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,14 +29,14 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -56,14 +56,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -71,14 +71,14 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
index d82e1d543..ce4466741 100755
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: drop-cap-net-raw
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml b/best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
index 7fbad4d90..03b941537 100644
--- a/best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
+++ b/best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-labels/.chainsaw-test/bad-pod-somelabel.yaml b/best-practices-cel/require-labels/.chainsaw-test/bad-pod-somelabel.yaml
index a59c30368..cdc4a24b7 100644
--- a/best-practices-cel/require-labels/.chainsaw-test/bad-pod-somelabel.yaml
+++ b/best-practices-cel/require-labels/.chainsaw-test/bad-pod-somelabel.yaml
@@ -7,5 +7,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-labels/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-labels/.chainsaw-test/bad-podcontrollers.yaml
index 28ac33460..8ed5205aa 100644
--- a/best-practices-cel/require-labels/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices-cel/require-labels/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -32,5 +32,5 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-labels/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-labels/.chainsaw-test/good-podcontrollers.yaml
index 189506972..942a80f75 100644
--- a/best-practices-cel/require-labels/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices-cel/require-labels/.chainsaw-test/good-podcontrollers.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,5 +35,5 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-labels/.chainsaw-test/good-pods.yaml b/best-practices-cel/require-labels/.chainsaw-test/good-pods.yaml
index a9d4d01d1..c8603ede8 100644
--- a/best-practices-cel/require-labels/.chainsaw-test/good-pods.yaml
+++ b/best-practices-cel/require-labels/.chainsaw-test/good-pods.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,5 +19,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-labels/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-labels/.chainsaw-test/policy-ready.yaml
index 90301b18d..b0bd73c54 100755
--- a/best-practices-cel/require-labels/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/require-labels/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-labels
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
index 3ec91afb5..96298e35e 100644
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
+++ b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "256Mi"
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
index 15789fbda..c44ecdabd 100644
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
+++ b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
@@ -7,9 +7,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "256Mi"
@@ -26,7 +26,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "256Mi"
@@ -34,5 +34,5 @@ spec:
limits:
memory: "256Mi"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
index 795085c5b..a411df45b 100644
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
+++ b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
@@ -8,5 +8,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
index 69c12e6dd..13d8c4af1 100644
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -37,9 +37,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml
index 9dc42294a..e6f246f66 100644
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
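Review bot: The replacement image in this fixture is still untagged (`image: ghcr.io/kyverno/test-busybox`), so it resolves to the mutable `latest` tag, while most other fixtures in this commit use `ghcr.io/kyverno/test-busybox:1.35`. These are the passing resources, so their pods are presumably admitted and the image actually pulled in the CI cluster, which makes the run depend on whatever `latest` points to at that moment. I would write `image: ghcr.io/kyverno/test-busybox:1.35` here, in the other three hunks of this file, and in the three hunks of require-pod-requests-limits/.chainsaw-test/good-pods.yaml. The Deployment and CronJob specs start and end outside the hunk.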
@@ -22,7 +22,7 @@ spec:
limits:
memory: "100Mi"
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -43,7 +43,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -51,7 +51,7 @@ spec:
limits:
memory: "100Mi"
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-pods.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
index 55a53791e..7129d56dc 100644
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
+++ b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -24,7 +24,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -32,7 +32,7 @@ spec:
limits:
memory: "100Mi"
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
index b874ffaeb..f6710ff99 100755
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-requests-limits
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/require-probes/.chainsaw-test/bad-pod-notall.yaml b/best-practices-cel/require-probes/.chainsaw-test/bad-pod-notall.yaml
index ef8c7b298..16db057b5 100644
--- a/best-practices-cel/require-probes/.chainsaw-test/bad-pod-notall.yaml
+++ b/best-practices-cel/require-probes/.chainsaw-test/bad-pod-notall.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
readinessProbe:
@@ -15,7 +15,7 @@ spec:
port: 8080
periodSeconds: 10
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -26,9 +26,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
readinessProbe:
diff --git a/best-practices-cel/require-probes/.chainsaw-test/bad-pod-nothing.yaml b/best-practices-cel/require-probes/.chainsaw-test/bad-pod-nothing.yaml
index 6e820cce1..3bd091b3d 100644
--- a/best-practices-cel/require-probes/.chainsaw-test/bad-pod-nothing.yaml
+++ b/best-practices-cel/require-probes/.chainsaw-test/bad-pod-nothing.yaml
@@ -7,5 +7,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-probes/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-probes/.chainsaw-test/bad-podcontrollers.yaml
index 8735991ba..c01e7dd10 100644
--- a/best-practices-cel/require-probes/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices-cel/require-probes/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,11 +14,11 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
livenessProbe:
tcpSocket:
port: 7070
periodSeconds: 20
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-probes/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-probes/.chainsaw-test/good-podcontrollers.yaml
index dc19a7f29..1d456fd8c 100644
--- a/best-practices-cel/require-probes/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices-cel/require-probes/.chainsaw-test/good-podcontrollers.yaml
@@ -14,13 +14,13 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
livenessProbe:
tcpSocket:
port: 7070
periodSeconds: 20
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
readinessProbe:
tcpSocket:
port: 8080
diff --git a/best-practices-cel/require-probes/.chainsaw-test/good-pods.yaml b/best-practices-cel/require-probes/.chainsaw-test/good-pods.yaml
index 128a793af..ed297dab1 100644
--- a/best-practices-cel/require-probes/.chainsaw-test/good-pods.yaml
+++ b/best-practices-cel/require-probes/.chainsaw-test/good-pods.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
livenessProbe:
tcpSocket:
port: 7070
@@ -22,13 +22,13 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
livenessProbe:
tcpSocket:
port: 7070
periodSeconds: 20
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
readinessProbe:
tcpSocket:
port: 8080
@@ -43,7 +43,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
startupProbe:
grpc:
port: 8888
diff --git a/best-practices-cel/require-probes/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-probes/.chainsaw-test/policy-ready.yaml
index 7087bf19f..c93bde46e 100755
--- a/best-practices-cel/require-probes/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/require-probes/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-pod-probes
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml
index 2893d42cb..f6a698dcc 100644
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml
+++ b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: false
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml
index ae5f1e2b3..137ed694b 100644
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml
+++ b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
---
@@ -18,9 +18,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml
index d37b2c900..8bf520fc5 100644
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml
+++ b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml
index 6fb05b66e..3ee6cb481 100644
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
---
@@ -33,9 +33,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml
index 4362709c5..17d8fbfab 100644
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml
@@ -14,11 +14,11 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
---
@@ -35,11 +35,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-pods.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-pods.yaml
index f5d4e8831..e85753a35 100644
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-pods.yaml
+++ b/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-pods.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
---
@@ -16,11 +16,11 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/policy-ready.yaml
index c1fea112c..0e1123025 100755
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/require-ro-rootfs/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-ro-rootfs
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml
index b4b56ebd3..d99cb3c8c 100644
--- a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml
@@ -16,10 +16,10 @@ spec:
- name: k8s-nginx-init
image: bar.io/nginx
- name: busybox-init
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: k8s-nginx
image: bar.io/nginx
---
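Review bot: Rewriting `busybox` and `busybox:1.35` to the ghcr.io mirror removes every bare image name from this hunk, so the negative fixture no longer covers a reference with no registry host, which is a separate case for a registry allowlist. The policy itself is not visible here, so this is inferred from the fixture name; if these resources are rejected at admission they are never pulled, and one container could keep `image: busybox:1.35` without touching Docker Hub. The fixture also now relies on ghcr.io staying outside the allowed registries, which deserves a comment such as `# ghcr.io is intentionally not an allowed registry for this policy`. The other hunks in this file make the same substitution.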
@@ -46,7 +46,7 @@ spec:
- name: k8s-nginx
image: bar.io/nginx
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -66,7 +66,7 @@ spec:
- name: k8s-nginx-init
image: bar.io/nginx
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: k8s-nginx
image: bar.io/nginx
@@ -88,10 +88,10 @@ spec:
- name: k8s-nginx-init
image: bar.io/nginx
- name: busybox-init
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: k8s-nginx
image: bar.io/nginx
---
@@ -115,7 +115,7 @@ spec:
- name: k8s-nginx
image: bar.io/nginx
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -132,7 +132,7 @@ spec:
- name: k8s-nginx-init
image: bar.io/nginx
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: k8s-nginx
image: bar.io/nginx
diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/policy-ready.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/policy-ready.yaml
index 5924c7b49..5bb42adbe 100755
--- a/best-practices-cel/restrict-image-registries/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/restrict-image-registries/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-image-registries
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/restrict-node-port/.chainsaw-test/policy-ready.yaml b/best-practices-cel/restrict-node-port/.chainsaw-test/policy-ready.yaml
index 71a3f4715..d6c481fb7 100755
--- a/best-practices-cel/restrict-node-port/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/restrict-node-port/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-nodeport
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml b/best-practices-cel/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml
index 24f285eed..164fecbff 100755
--- a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml
+++ b/best-practices-cel/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-external-ips
status:
- ready: true
-
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml b/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml
index cf7a8d910..0cda6e225 100644
--- a/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-networkpolicy
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml b/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml
index caeb4c6cc..9e5775610 100644
--- a/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-networkpolicy-dns
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml b/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml
index 4b51cee90..b4aa53546 100644
--- a/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-ns-quota
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/add-rolebinding/.chainsaw-test/chainsaw-step-00-apply-1.yaml b/best-practices/add-rolebinding/.chainsaw-test/chainsaw-step-00-apply-1.yaml
index fcf6df6b7..00d533e11 100755
--- a/best-practices/add-rolebinding/.chainsaw-test/chainsaw-step-00-apply-1.yaml
+++ b/best-practices/add-rolebinding/.chainsaw-test/chainsaw-step-00-apply-1.yaml
@@ -5,6 +5,7 @@ metadata:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
name: kyverno:background-controller:addrolebinding
rules:
- apiGroups:
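Review bot: The added label `rbac.kyverno.io/aggregate-to-admission-controller: "true"` sits on a ClusterRole whose name and `app.kubernetes.io/component` label both say background-controller, and nothing in the file explains why the admission controller should receive the same rules. If the label works as its name suggests, the rules below are folded into the admission controller's permissions, which widens what that component may do; the rule list starts at the last line of the hunk and continues outside it, so the exact grant cannot be checked here. A comment above the label, for example `# admission controller needs these verbs to validate the generate rule at policy creation`, would record the reason, assuming that is the reason. It is also worth confirming the rules are limited to the verbs and resources the test needs.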
diff --git a/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml b/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml
index 50f7cff4e..4c84112c8 100644
--- a/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-rolebinding
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml b/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml
index 07388b1b3..d3497a788 100644
--- a/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-safe-to-evict
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/add-safe-to-evict/.chainsaw-test/resource-others.yaml b/best-practices/add-safe-to-evict/.chainsaw-test/resource-others.yaml
index 0b11299ff..1f7263ed5 100644
--- a/best-practices/add-safe-to-evict/.chainsaw-test/resource-others.yaml
+++ b/best-practices/add-safe-to-evict/.chainsaw-test/resource-others.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/local/aaa
name: myfile
@@ -34,7 +34,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/local/aaa
name: myfile
diff --git a/best-practices/check-deprecated-apis/artifacthub-pkg.yml b/best-practices/check-deprecated-apis/artifacthub-pkg.yml
index a3eb252f5..9867bc3e1 100644
--- a/best-practices/check-deprecated-apis/artifacthub-pkg.yml
+++ b/best-practices/check-deprecated-apis/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Kubernetes APIs"
-digest: 9dedc3fa982568993975fdc213018f1eca5e0a6bea9bab2111bcfb5b86cdbb7a
+digest: 09653e37ea3310586e5df7cec4acff0324adb3fe9320b678603a17aba3a533f6
diff --git a/best-practices/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
index 2b49b4421..53cddac2c 100644
--- a/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
+++ b/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
@@ -21,7 +21,7 @@ metadata:
so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
This policy requires Kyverno v1.7.4+ to function properly.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-v1-25-removals
diff --git a/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml b/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml
index 9d277ba40..f06eb8761 100644
--- a/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml
+++ b/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- sleep
- "3600"
diff --git a/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml b/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml
index 38ed58659..aad47b636 100644
--- a/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml
+++ b/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml
@@ -6,7 +6,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- sleep
- "3600"
\ No newline at end of file
diff --git a/best-practices/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml
index dff1a66ea..0e6bde6b2 100755
--- a/best-practices/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-container-sock-mounts
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml b/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml
index 74eca9731..9faedfd9c 100644
--- a/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml
+++ b/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Best Practices, EKS Best Practices"
kyverno/subject: "Pod"
-digest: 1e927de12a6f539378e0710992be05671bbb0dc0fee04a74e2f6602645b4158c
+digest: b7aacfae0ed85dc7afb57577522918326e09091e249c0a92a8d95dbab4043430
diff --git a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
index 8d9beb5f9..b23b555e0 100644
--- a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
+++ b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
@@ -16,7 +16,7 @@ metadata:
to or replacement of this policy, preventing users from mounting the parent directories
(/var/run and /var) may be necessary to completely prevent socket bind mounts.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-docker-sock-mount
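Review bot: `validationFailureAction: Audit` has no comment saying that the policy only reports socket mounts and does not reject them, which a reader copying this policy for the protection described in the annotation above could miss. A line such as `# Audit reports violations only; set to Enforce to block these mounts at admission` above the field would make that explicit. If the `digest` in artifacthub-pkg.yml is computed over this file, it would need regenerating after the comment is added. The same holds for the disallow-helm-tiller policy hunk; the rule body continues outside the hunk.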
diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/deploy-default.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/deploy-default.yaml
index 04bbabfd3..9f6a91e16 100644
--- a/best-practices/disallow-default-namespace/.chainsaw-test/deploy-default.yaml
+++ b/best-practices/disallow-default-namespace/.chainsaw-test/deploy-default.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/ds-default.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/ds-default.yaml
index a0750b55b..27dd35dcf 100644
--- a/best-practices/disallow-default-namespace/.chainsaw-test/ds-default.yaml
+++ b/best-practices/disallow-default-namespace/.chainsaw-test/ds-default.yaml
@@ -13,7 +13,7 @@ spec:
name: good-daemonset
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/good-resources.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/good-resources.yaml
index 972e5f5f8..909ea1956 100644
--- a/best-practices/disallow-default-namespace/.chainsaw-test/good-resources.yaml
+++ b/best-practices/disallow-default-namespace/.chainsaw-test/good-resources.yaml
@@ -29,7 +29,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
@@ -50,7 +50,7 @@ spec:
name: good-daemonset
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
@@ -65,7 +65,7 @@ spec:
template:
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
@@ -90,7 +90,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/job-default.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/job-default.yaml
index da19ac9c9..a32cc5859 100644
--- a/best-practices/disallow-default-namespace/.chainsaw-test/job-default.yaml
+++ b/best-practices/disallow-default-namespace/.chainsaw-test/job-default.yaml
@@ -7,7 +7,7 @@ spec:
template:
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/policy-ready.yaml
index 1251ec4c8..077564486 100755
--- a/best-practices/disallow-default-namespace/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/disallow-default-namespace/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-default-namespace
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/ss-default.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/ss-default.yaml
index be2fca2fb..6c14a6d06 100644
--- a/best-practices/disallow-default-namespace/.chainsaw-test/ss-default.yaml
+++ b/best-practices/disallow-default-namespace/.chainsaw-test/ss-default.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command:
- "sleep"
diff --git a/best-practices/disallow-default-namespace/artifacthub-pkg.yml b/best-practices/disallow-default-namespace/artifacthub-pkg.yml
index 974742f52..d348b763a 100644
--- a/best-practices/disallow-default-namespace/artifacthub-pkg.yml
+++ b/best-practices/disallow-default-namespace/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Multi-Tenancy"
kyverno/subject: "Pod"
-digest: 6b0d2126956d201e29d7303a09d913a4708a24ab011973c7d3b16e23f254cdd5
+digest: 955cfe7ba81e4c1d8f8aeea55a675138a8aea710342a7691a12feeb13b316bc4
diff --git a/best-practices/disallow-default-namespace/disallow-default-namespace.yaml b/best-practices/disallow-default-namespace/disallow-default-namespace.yaml
index a1afe3a84..10aa9a6d5 100644
--- a/best-practices/disallow-default-namespace/disallow-default-namespace.yaml
+++ b/best-practices/disallow-default-namespace/disallow-default-namespace.yaml
@@ -18,7 +18,7 @@ metadata:
due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
object and not at the Pod template level.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-namespace
diff --git a/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml
index 36ff57cd3..957e645c5 100644
--- a/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-empty-ingress-host
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
index 37c6850cd..ba78801ea 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
@@ -15,12 +15,12 @@ spec:
app: busybox
spec:
containers:
- - image: busybox
+ - image: ghcr.io/kyverno/test-busybox
name: busybox
- image: docker.io/tiller:latest
name: helm-tiller
initContainers:
- - image: busybox
+ - image: ghcr.io/kyverno/test-busybox
name: busyboxinit
- image: docker.io/tiller:latest
name: helm-tillerinit
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
index 3c6000019..5d43c5e2f 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
@@ -7,9 +7,9 @@ spec:
- name: helm-tiller
image: docker.io/tiller:latest
- name: somebox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
initContainers:
- name: helm-tillerinit
image: docker.io/tiller:latest
- name: someboxinit
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
index 9b09e550d..6a90dc9e0 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
@@ -5,11 +5,11 @@ metadata:
spec:
containers:
- name: somebox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: helm-tiller
image: docker.io/tiller:latest
initContainers:
- name: someboxinit
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: helm-tillerinit
image: docker.io/tiller:latest
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
index 687ebc84c..7026f8506 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
@@ -15,10 +15,10 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep", "3600"]
initContainers:
- - image: busybox:v1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busyboxinit
command: ["sleep", "3600"]
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
index f0c0a6913..8db8c9b8a 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
@@ -5,11 +5,11 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: nothelmbox
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
initContainers:
- name: busyboxinit
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: nothelmboxinit
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml
index 60a2fd6e4..e97801af1 100755
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-helm-tiller
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml
index 1d47fd83a..7ec212d25 100644
--- a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml
+++ b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 3d92f3a2949283ad6d9baa99565e407c5cd78d015e0220750de522ac40ce1de2
+digest: 805b3c00f0620c83eea3c1e0acb2c39aa3dfd8b4414e05a369083565ab4c6652
diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
index ef1bb41fa..1ab0c4f4b 100644
--- a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
+++ b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
@@ -15,7 +15,7 @@ metadata:
Tiller for these reasons. This policy validates that there is not an image
containing the name `tiller`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-helm-tiller
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
index 44ba9c0fb..df5287644 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
@@ -5,11 +5,11 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: nginx
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
initContainers:
- name: busyboxinit
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: nginxinit
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
index f565170f5..5d2719a63 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
@@ -5,11 +5,11 @@ metadata:
spec:
containers:
- name: nginx
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
- name: busybox
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
initContainers:
- name: nginxinit
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
- name: busyboxinit
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
index 3418076ae..8f3d04168 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: nginx
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
initContainers:
- name: busyboxinit
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: nginxinit
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
---
apiVersion: v1
kind: Pod
@@ -21,14 +21,14 @@ metadata:
spec:
containers:
- name: nginx
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
initContainers:
- name: nginxinit
- image: nginx:1.35
+ image: ghcr.io/kyverno/test-nginx:1.35
- name: busyboxinit
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
---
apiVersion: v1
kind: Pod
@@ -37,11 +37,11 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: nginx
- image: nginx:latest
+ image: ghcr.io/kyverno/test-nginx:latest
initContainers:
- name: busyboxinit
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: nginxinit
- image: nginx:latest
+ image: ghcr.io/kyverno/test-nginx:latest
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
index 505688d3d..16cb4772a 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
initContainers:
- name: busyboxinit
- image: busybox:v1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/policy-ready.yaml
index 4431d2055..19f475312 100755
--- a/best-practices/disallow-latest-tag/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-latest-tag
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml
index 24d3bf026..6cdd02e58 100644
--- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml
+++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Pod"
-digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a
+digest: 6c79240f39687bf4d743144db4a08082c3871b3e68f0944c3bdbeeaa937b54a4
diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
index 2f40ef15c..2f64e7a3c 100644
--- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
+++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
@@ -14,7 +14,7 @@ metadata:
a specific version of an application Pod. This policy validates that the image
specifies a tag and that it is not called `latest`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: require-image-tag
diff --git a/best-practices/require-drop-all/.chainsaw-test/bad-pod-containers.yaml b/best-practices/require-drop-all/.chainsaw-test/bad-pod-containers.yaml
index 8843ab227..c3d2e36ef 100644
--- a/best-practices/require-drop-all/.chainsaw-test/bad-pod-containers.yaml
+++ b/best-practices/require-drop-all/.chainsaw-test/bad-pod-containers.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
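Review bot: The fixtures in this hunk now pull `ghcr.io/kyverno/test-busybox:1.35` by tag, which is mutable, so the bytes behind the tag can change without any diff in this repository. The actions in the same commit are pinned by commit SHA; if these Pods are ever scheduled in the test cluster, a digest pin would give the images the same guarantee, e.g. `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-placeholder>`. This applies to the other `.chainsaw-test` fixtures in this diff that use the `:1.35` tag. The `:latest` and untagged images under disallow-latest-tag are deliberate test inputs and should stay as they are.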
@@ -20,14 +20,14 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -36,14 +36,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -51,9 +51,9 @@ spec:
- ALL
containers:
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices/require-drop-all/.chainsaw-test/bad-pod-corner.yaml b/best-practices/require-drop-all/.chainsaw-test/bad-pod-corner.yaml
index 94bf1acf0..e7fed78cb 100644
--- a/best-practices/require-drop-all/.chainsaw-test/bad-pod-corner.yaml
+++ b/best-practices/require-drop-all/.chainsaw-test/bad-pod-corner.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -26,12 +26,12 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -45,10 +45,10 @@ metadata:
spec:
containers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: init-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
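Review bot: The rewritten last line of bad-pod-corner.yaml still ends without a newline, as the `\ No newline at end of file` marker after the `+` line shows. Since the line is being touched anyway, end the file with a single newline so later appends do not produce a spurious change on this line. The same holds for require-drop-all/bad-podcontrollers.yaml, for bad-pod-corner.yaml and bad-podcontrollers.yaml under require-drop-cap-net-raw, for the four require-labels fixtures, and for bad-pod-nores.yaml and bad-pod-nothing.yaml under require-pod-requests-limits.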
diff --git a/best-practices/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml b/best-practices/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml
index c6a0e3ecb..7d7051fb8 100644
--- a/best-practices/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml
+++ b/best-practices/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml
@@ -5,17 +5,17 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,9 +29,9 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -39,7 +39,7 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml
index 246e34915..47a1e8a31 100644
--- a/best-practices/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,14 +29,14 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -54,24 +54,24 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -91,24 +91,24 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -128,14 +128,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -143,11 +143,11 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-drop-all/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-all/.chainsaw-test/good-pod.yaml
index f7b1fd0e8..1df2853c8 100644
--- a/best-practices/require-drop-all/.chainsaw-test/good-pod.yaml
+++ b/best-practices/require-drop-all/.chainsaw-test/good-pod.yaml
@@ -5,21 +5,21 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices/require-drop-all/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-drop-all/.chainsaw-test/good-podcontrollers.yaml
index b1e546b0d..004c50473 100644
--- a/best-practices/require-drop-all/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices/require-drop-all/.chainsaw-test/good-podcontrollers.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,14 +29,14 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -56,14 +56,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -71,14 +71,14 @@ spec:
- ALL
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- ALL
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices/require-drop-all/.chainsaw-test/policy-ready.yaml b/best-practices/require-drop-all/.chainsaw-test/policy-ready.yaml
index 4339ae7c7..bfb8f0860 100755
--- a/best-practices/require-drop-all/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/require-drop-all/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: drop-all-capabilities
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/require-drop-all/artifacthub-pkg.yml b/best-practices/require-drop-all/artifacthub-pkg.yml
index de0bdd417..7bbf226f9 100644
--- a/best-practices/require-drop-all/artifacthub-pkg.yml
+++ b/best-practices/require-drop-all/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Pod"
-digest: 739a18805e557ddf99ff76b5cda7e60e15ff4598491a8100407408a526b80674
+digest: e7010854d187b66c99779c08de8587f481ed82d7d72092a1eedc5f38bd85cdd6
diff --git a/best-practices/require-drop-all/require-drop-all.yaml b/best-practices/require-drop-all/require-drop-all.yaml
index 3482ea858..1a8750ee5 100644
--- a/best-practices/require-drop-all/require-drop-all.yaml
+++ b/best-practices/require-drop-all/require-drop-all.yaml
@@ -15,7 +15,7 @@ metadata:
ability. Note that this policy also illustrates how to cover drop entries in any
case although this may not strictly conform to the Pod Security Standards.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: require-drop-all
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
index 980550826..bc5d08148 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -20,14 +20,14 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -36,14 +36,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -51,9 +51,9 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
index a4702dbce..379fa07a8 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
@@ -5,13 +5,13 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -24,12 +24,12 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -42,10 +42,10 @@ metadata:
spec:
containers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- CAP_NET_RAW
- name: init-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
index 961ae740e..ae20fb8e5 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
@@ -5,17 +5,17 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,9 +29,9 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -39,7 +39,7 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
index 35a918b7e..f54e57fb4 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,14 +29,14 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -54,24 +54,24 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -91,24 +91,24 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -128,14 +128,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -143,11 +143,11 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
index effc2d403..45be727bd 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
@@ -5,20 +5,20 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
index 8c0462d4f..e006f6734 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -29,14 +29,14 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -56,14 +56,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: init2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
@@ -71,14 +71,14 @@ spec:
- CAP_NET_RAW
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_TIME"]
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
index 03b0391c4..ce4466741 100755
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: drop-cap-net-raw
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
index 6c8c1695f..3057417f0 100644
--- a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
+++ b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Pod"
-digest: d7463ea035958a2bcf718a8a8120eae3053fdce67cd09135b3859a6ba5230106
+digest: 97e963f073e6324fa514015bc8fd8564b93fb7da6f8564fcf8a8fefc4c9da784
diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
index 0f1827211..68e92d525 100644
--- a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+++ b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
@@ -16,7 +16,7 @@ metadata:
ability. Note that this policy also illustrates how to cover drop entries in any
case although this may not strictly conform to the Pod Security Standards.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: require-drop-cap-net-raw
diff --git a/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml b/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
index b4c5a0097..868448919 100644
--- a/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
+++ b/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
@@ -5,4 +5,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml b/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml
index 215d515a2..646280fd6 100644
--- a/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml
+++ b/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml
@@ -7,4 +7,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-labels/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-labels/.chainsaw-test/bad-podcontrollers.yaml
index 71a7e6e1b..9795d2fe0 100644
--- a/best-practices/require-labels/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices/require-labels/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -32,4 +32,4 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-labels/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-labels/.chainsaw-test/good-podcontrollers.yaml
index c341a2c38..0456d97fc 100644
--- a/best-practices/require-labels/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices/require-labels/.chainsaw-test/good-podcontrollers.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,4 +35,4 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-labels/.chainsaw-test/good-pods.yaml b/best-practices/require-labels/.chainsaw-test/good-pods.yaml
index 0df55f783..5dd3b49be 100644
--- a/best-practices/require-labels/.chainsaw-test/good-pods.yaml
+++ b/best-practices/require-labels/.chainsaw-test/good-pods.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,4 +19,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/best-practices/require-labels/.chainsaw-test/policy-ready.yaml b/best-practices/require-labels/.chainsaw-test/policy-ready.yaml
index fa7e963f6..b0bd73c54 100755
--- a/best-practices/require-labels/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/require-labels/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-labels
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/require-labels/artifacthub-pkg.yml b/best-practices/require-labels/artifacthub-pkg.yml
index d6797dc30..5009eef6c 100644
--- a/best-practices/require-labels/artifacthub-pkg.yml
+++ b/best-practices/require-labels/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Pod, Label"
-digest: 79836f1230681e6c6738f1067bec25d5d3723058e9dda83d7d619283cba442c0
+digest: f5dde85236dc3b3361c5ca9ee753dfc02b07e67e3e224cebf42f4b0f7a0b81d4
diff --git a/best-practices/require-labels/require-labels.yaml b/best-practices/require-labels/require-labels.yaml
index f5108615f..11b03c038 100644
--- a/best-practices/require-labels/require-labels.yaml
+++ b/best-practices/require-labels/require-labels.yaml
@@ -14,7 +14,7 @@ metadata:
all tools can understand. The recommended labels describe applications in a way that can be
queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-for-labels
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
index 14c25b95f..fadcd22c9 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "256Mi"
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
index ba5b0176b..3023d227a 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
@@ -7,9 +7,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "256Mi"
@@ -26,7 +26,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "256Mi"
@@ -34,4 +34,4 @@ spec:
limits:
memory: "256Mi"
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
index d77973a49..99f09b303 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
@@ -8,4 +8,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:v1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
index 9ca37c8aa..f440451d2 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
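Review bot: Both `image: ghcr.io/kyverno/test-busybox` lines in this hunk carry no tag, so they resolve to `latest` and the fixture's content can change whenever the mirror is re-pushed. Other fixtures in this change pin the same mirror to `:1.35`; writing `image: ghcr.io/kyverno/test-busybox:1.35` here keeps test runs reproducible and makes it clear which image is pulled. The same applies to the second hunk of this file and to the untagged references in good-podcontrollers.yaml and good-pods.yaml of this policy. The container specs continue outside the hunk.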
@@ -37,9 +37,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml
index 3afe5ff2d..015b89d27 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -22,7 +22,7 @@ spec:
limits:
memory: "100Mi"
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -43,7 +43,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -51,7 +51,7 @@ spec:
limits:
memory: "100Mi"
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/good-pods.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
index 109162bdd..e1e2b4aad 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -24,7 +24,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
@@ -32,7 +32,7 @@ spec:
limits:
memory: "100Mi"
- name: busybox-again
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
requests:
memory: "50Mi"
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
index b009150b5..f6710ff99 100755
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-requests-limits
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/require-probes/.chainsaw-test/bad-pod-notall.yaml b/best-practices/require-probes/.chainsaw-test/bad-pod-notall.yaml
index e13d87ed4..c09016963 100644
--- a/best-practices/require-probes/.chainsaw-test/bad-pod-notall.yaml
+++ b/best-practices/require-probes/.chainsaw-test/bad-pod-notall.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
readinessProbe:
@@ -15,7 +15,7 @@ spec:
port: 8080
periodSeconds: 10
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -26,9 +26,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
readinessProbe:
diff --git a/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml b/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml
index d55f6705c..37bbc995c 100644
--- a/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml
+++ b/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml
@@ -7,4 +7,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-probes/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-probes/.chainsaw-test/bad-podcontrollers.yaml
index cae8ec656..508a55026 100644
--- a/best-practices/require-probes/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices/require-probes/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,10 +14,10 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
livenessProbe:
tcpSocket:
port: 7070
periodSeconds: 20
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-probes/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-probes/.chainsaw-test/good-podcontrollers.yaml
index 04fca84f9..58ba591d2 100644
--- a/best-practices/require-probes/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices/require-probes/.chainsaw-test/good-podcontrollers.yaml
@@ -14,13 +14,13 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
livenessProbe:
tcpSocket:
port: 7070
periodSeconds: 20
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
readinessProbe:
tcpSocket:
port: 8080
diff --git a/best-practices/require-probes/.chainsaw-test/good-pods.yaml b/best-practices/require-probes/.chainsaw-test/good-pods.yaml
index c49a7839a..3dc949bce 100644
--- a/best-practices/require-probes/.chainsaw-test/good-pods.yaml
+++ b/best-practices/require-probes/.chainsaw-test/good-pods.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
livenessProbe:
tcpSocket:
port: 7070
@@ -22,13 +22,13 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
livenessProbe:
tcpSocket:
port: 7070
periodSeconds: 20
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
readinessProbe:
tcpSocket:
port: 8080
@@ -43,7 +43,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
startupProbe:
grpc:
port: 8888
\ No newline at end of file
diff --git a/best-practices/require-probes/.chainsaw-test/policy-ready.yaml b/best-practices/require-probes/.chainsaw-test/policy-ready.yaml
index a6dc7d083..c93bde46e 100755
--- a/best-practices/require-probes/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/require-probes/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-pod-probes
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/require-probes/artifacthub-pkg.yml b/best-practices/require-probes/artifacthub-pkg.yml
index c3b224d6d..7bb2982d4 100644
--- a/best-practices/require-probes/artifacthub-pkg.yml
+++ b/best-practices/require-probes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Best Practices, EKS Best Practices"
kyverno/subject: "Pod"
-digest: 8160370e07d5daa9a9ff342cc1c923015cadd3101e837f47af6fe2361e69993a
+digest: d05fc4fc2ae4a7827c91eff5b55076ee4d4f7cd92bb19fd5d6e579f55b4e2ea5
diff --git a/best-practices/require-probes/require-probes.yaml b/best-practices/require-probes/require-probes.yaml
index ac3036c25..b79b64003 100644
--- a/best-practices/require-probes/require-probes.yaml
+++ b/best-practices/require-probes/require-probes.yaml
@@ -17,7 +17,7 @@ metadata:
This policy validates that all containers have one of livenessProbe, readinessProbe,
or startupProbe defined.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-probes
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml
index 993ccd1f3..0c76d4e3f 100644
--- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml
+++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml
@@ -5,6 +5,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: false
\ No newline at end of file
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml
index df4910577..eef1dbb8e 100644
--- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml
+++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
---
@@ -18,8 +18,8 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml
index faff7f3d0..8373d44b6 100644
--- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml
+++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml
@@ -5,4 +5,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml
index 29a800931..4f6b3cbcc 100644
--- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
---
@@ -33,8 +33,8 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
\ No newline at end of file
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml
index 70a8355c4..9568d71ec 100644
--- a/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml
+++ b/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml
@@ -14,11 +14,11 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
---
@@ -35,10 +35,10 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
\ No newline at end of file
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml
index 7374c2e9d..2e472fd4c 100644
--- a/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml
+++ b/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
---
@@ -16,10 +16,10 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
readOnlyRootFilesystem: true
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/policy-ready.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/policy-ready.yaml
index 072aa7a74..0e1123025 100755
--- a/best-practices/require-ro-rootfs/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/require-ro-rootfs/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-ro-rootfs
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/require-ro-rootfs/artifacthub-pkg.yml b/best-practices/require-ro-rootfs/artifacthub-pkg.yml
index 753894818..6281a4204 100644
--- a/best-practices/require-ro-rootfs/artifacthub-pkg.yml
+++ b/best-practices/require-ro-rootfs/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Best Practices, EKS Best Practices"
kyverno/subject: "Pod"
-digest: 27b193124b332e64884209f20617f5b5d2c3fc41b9a33265e971ec807b14ae14
+digest: a255760512816ecfdf5f50ef3381990dc9bd9b604bbf360ef8fcdb3c68f0d9df
diff --git a/best-practices/require-ro-rootfs/require-ro-rootfs.yaml b/best-practices/require-ro-rootfs/require-ro-rootfs.yaml
index 4ababccd8..099ee450f 100644
--- a/best-practices/require-ro-rootfs/require-ro-rootfs.yaml
+++ b/best-practices/require-ro-rootfs/require-ro-rootfs.yaml
@@ -15,7 +15,7 @@ metadata:
host system. This policy validates that containers define a securityContext
with `readOnlyRootFilesystem: true`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-readOnlyRootFilesystem
diff --git a/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml b/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml
index 8a09ffeaf..e7ffb49b4 100644
--- a/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml
+++ b/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml
@@ -5,4 +5,4 @@ metadata:
spec:
containers:
- name: k8s-nginx
- image: nginx
\ No newline at end of file
+ image: ghcr.io/kyverno/test-nginx
\ No newline at end of file
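Review bot: With `image: ghcr.io/kyverno/test-nginx` this fixture no longer contains an image reference without a registry, which is the case its file name (`bad-pod-noregistry.yaml`) says it covers. The pod presumably still violates the policy, since ghcr.io is not one of the registries the policy description names (`eu.foo.io`, `bar.io`), but the bare-name path, where the runtime applies its default registry, is no longer exercised. Consider keeping `image: nginx` here, or adding a second bad pod with a bare image name; the `busybox-init` entries changed from `busybox` in bad-podcontrollers.yaml of this policy lose the same case. If these resources are expected to be rejected at admission, no image is pulled for them, which is worth confirming against the test steps that are not visible here.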
diff --git a/best-practices/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml
index 1a0180e09..fde75f33a 100644
--- a/best-practices/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml
@@ -16,10 +16,10 @@ spec:
- name: k8s-nginx-init
image: bar.io/nginx
- name: busybox-init
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: k8s-nginx
image: bar.io/nginx
---
@@ -46,7 +46,7 @@ spec:
- name: k8s-nginx
image: bar.io/nginx
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -66,7 +66,7 @@ spec:
- name: k8s-nginx-init
image: bar.io/nginx
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: k8s-nginx
image: bar.io/nginx
@@ -88,10 +88,10 @@ spec:
- name: k8s-nginx-init
image: bar.io/nginx
- name: busybox-init
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: k8s-nginx
image: bar.io/nginx
---
@@ -115,7 +115,7 @@ spec:
- name: k8s-nginx
image: bar.io/nginx
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -132,7 +132,7 @@ spec:
- name: k8s-nginx-init
image: bar.io/nginx
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: k8s-nginx
image: bar.io/nginx
diff --git a/best-practices/restrict-image-registries/.chainsaw-test/policy-ready.yaml b/best-practices/restrict-image-registries/.chainsaw-test/policy-ready.yaml
index 579108a78..5bb42adbe 100755
--- a/best-practices/restrict-image-registries/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/restrict-image-registries/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-image-registries
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/restrict-image-registries/artifacthub-pkg.yml b/best-practices/restrict-image-registries/artifacthub-pkg.yml
index d1b0117fe..6b91bf19b 100644
--- a/best-practices/restrict-image-registries/artifacthub-pkg.yml
+++ b/best-practices/restrict-image-registries/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Best Practices, EKS Best Practices"
kyverno/subject: "Pod"
-digest: 59d0b33549e706cca0bf26d1da1e190cf8d9d7f93d310f3f8bd3d70475e53a59
+digest: 09f0bae36973d59c6f234bdddd0e66bf4dc83ea2cf3c72a69f925dee7c20e036
diff --git a/best-practices/restrict-image-registries/restrict-image-registries.yaml b/best-practices/restrict-image-registries/restrict-image-registries.yaml
index aaf442815..db32beb68 100644
--- a/best-practices/restrict-image-registries/restrict-image-registries.yaml
+++ b/best-practices/restrict-image-registries/restrict-image-registries.yaml
@@ -16,7 +16,7 @@ metadata:
policy validates that container images only originate from the registry `eu.foo.io` or
`bar.io`. Use of this policy requires customization to define your allowable registries.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-registries
diff --git a/best-practices/restrict-node-port/.chainsaw-test/policy-ready.yaml b/best-practices/restrict-node-port/.chainsaw-test/policy-ready.yaml
index 4dd4e0f7f..d6c481fb7 100755
--- a/best-practices/restrict-node-port/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/restrict-node-port/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-nodeport
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/restrict-node-port/artifacthub-pkg.yml b/best-practices/restrict-node-port/artifacthub-pkg.yml
index 4d8c3b06c..edf0d7536 100644
--- a/best-practices/restrict-node-port/artifacthub-pkg.yml
+++ b/best-practices/restrict-node-port/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Service"
-digest: 4fdce61d73a7f5d09a4075fa6ea9e3ae6398bd61bff57e89cd8b40e0129a7375
+digest: fb96c73e7ddc6d9001b01945c3d94f8e7a9ac30c03b64e10603bc31579f92e81
diff --git a/best-practices/restrict-node-port/restrict-node-port.yaml b/best-practices/restrict-node-port/restrict-node-port.yaml
index 5c5cfdb21..7fad2977b 100644
--- a/best-practices/restrict-node-port/restrict-node-port.yaml
+++ b/best-practices/restrict-node-port/restrict-node-port.yaml
@@ -15,7 +15,7 @@ metadata:
with additional upstream security checks. This policy validates that any new Services
do not use the `NodePort` type.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-nodeport
diff --git a/best-practices/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml b/best-practices/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml
index b6103cad3..164fecbff 100755
--- a/best-practices/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml
+++ b/best-practices/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-external-ips
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/best-practices/restrict-service-external-ips/artifacthub-pkg.yml b/best-practices/restrict-service-external-ips/artifacthub-pkg.yml
index 309794138..9868e9812 100644
--- a/best-practices/restrict-service-external-ips/artifacthub-pkg.yml
+++ b/best-practices/restrict-service-external-ips/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Service"
-digest: 0c57e3d085fa8dff2afba042c8e7f9055b76b92eab31d37b1cc299ee83201d14
+digest: 8d219b29ab7540eea32218db186c550c975eda307bf4cebd48246c07ffaef79f
diff --git a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml
index 4d5fdaa95..78fd6bd89 100644
--- a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml
+++ b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml
@@ -14,7 +14,7 @@ metadata:
See: https://github.com/kyverno/kyverno/issues/1367. This policy validates
that the `externalIPs` field is not set on a Service.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-ips
diff --git a/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml b/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml
index d28d8cede..a80dac8d0 100644
--- a/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml
+++ b/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-castai-removal-disabled
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index e274fbacf..fcf8c1a7b 100755
--- a/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: cert-manager-limit-dnsnames
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/cert-manager/limit-dnsnames/artifacthub-pkg.yml b/cert-manager/limit-dnsnames/artifacthub-pkg.yml
index 706d001af..a3cee17ae 100644
--- a/cert-manager/limit-dnsnames/artifacthub-pkg.yml
+++ b/cert-manager/limit-dnsnames/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Cert-Manager"
kyverno/subject: "Certificate"
-digest: 495d98b2a3568a1123822832d34200d6c0bcec3c99572ef744135d965da905c1
+digest: ec8a0e1f53ebceb71584f40cab8d3812bb744d2020594178eb6c5afcd4756df4
diff --git a/cert-manager/limit-dnsnames/limit-dnsnames.yaml b/cert-manager/limit-dnsnames/limit-dnsnames.yaml
index 93f62430e..40c50708b 100644
--- a/cert-manager/limit-dnsnames/limit-dnsnames.yaml
+++ b/cert-manager/limit-dnsnames/limit-dnsnames.yaml
@@ -13,7 +13,7 @@ metadata:
This policy ensures that each certificate request contains
only one DNS name entry.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: limit-dnsnames
diff --git a/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 96c5357e0..dd325c6ac 100755
--- a/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: cert-manager-limit-duration
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/cert-manager/limit-duration/artifacthub-pkg.yml b/cert-manager/limit-duration/artifacthub-pkg.yml
index 17df82d4e..d08004ded 100644
--- a/cert-manager/limit-duration/artifacthub-pkg.yml
+++ b/cert-manager/limit-duration/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Cert-Manager"
kyverno/subject: "Certificate"
-digest: b205b4f94a9d5b68f571d8c6daa734d257af73a1ec958c283053d5831280cfd6
+digest: b3f3f27337f433e5dcc9e857fd10d66a41e8fa96b16f95559c22437b24d91262
diff --git a/cert-manager/limit-duration/limit-duration.yaml b/cert-manager/limit-duration/limit-duration.yaml
index 48c47bebc..c7fadc905 100644
--- a/cert-manager/limit-duration/limit-duration.yaml
+++ b/cert-manager/limit-duration/limit-duration.yaml
@@ -11,7 +11,7 @@ metadata:
policies.kyverno.io/description: >-
Kubernetes managed non-letsencrypt certificates have to be renewed in every 100 days.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: certificate-duration-max-100days
diff --git a/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 954ef628c..d63370368 100755
--- a/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: cert-manager-restrict-issuer
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/cert-manager/restrict-issuer/artifacthub-pkg.yml b/cert-manager/restrict-issuer/artifacthub-pkg.yml
index 1757d8c76..f59691e1f 100644
--- a/cert-manager/restrict-issuer/artifacthub-pkg.yml
+++ b/cert-manager/restrict-issuer/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Cert-Manager"
kyverno/subject: "Certificate"
-digest: 2a7b90409b62e51572452487e28b762e6f52c67965a429b5f9981a98906be760
+digest: 9c8afac5d46856c8a40fd438f7bf00b4cf4ef11503f8536cf284613089dccd57
diff --git a/cert-manager/restrict-issuer/restrict-issuer.yaml b/cert-manager/restrict-issuer/restrict-issuer.yaml
index 8e731a9c6..877737107 100644
--- a/cert-manager/restrict-issuer/restrict-issuer.yaml
+++ b/cert-manager/restrict-issuer/restrict-issuer.yaml
@@ -13,7 +13,7 @@ metadata:
able to create their own issuers and sign certificates for other domains. This policy
ensures that a certificate request for a specific domain uses a designated ClusterIssuer.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: restrict-corp-cert-issuer
diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml
index 966df958a..fc66231b2 100644
--- a/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml
+++ b/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml
@@ -5,4 +5,4 @@ metadata:
spec:
containers:
- name: nginx
- image: nginx:1.14.1
+ image: ghcr.io/kyverno/test-nginx:1.14.1
diff --git a/consul-cel/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml b/consul-cel/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml
index be7a47e8e..96fdaebc2 100644
--- a/consul-cel/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml
+++ b/consul-cel/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enforce-min-tls-version
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml b/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml
index be7a47e8e..96fdaebc2 100644
--- a/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml
+++ b/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enforce-min-tls-version
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/consul/enforce-min-tls-version/artifacthub-pkg.yml b/consul/enforce-min-tls-version/artifacthub-pkg.yml
index 4469e84a3..1c4e03a56 100644
--- a/consul/enforce-min-tls-version/artifacthub-pkg.yml
+++ b/consul/enforce-min-tls-version/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Consul"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Mesh"
-digest: 26212a00629d858ebf10f2f73e8c7a0f2aafb8c21f95977d6b1688cafafac83a
+digest: ca396c060240139dd41b54743adfd655c5631d8a2e3d12f6043057828d92fab0
diff --git a/consul/enforce-min-tls-version/enforce-min-tls-version.yaml b/consul/enforce-min-tls-version/enforce-min-tls-version.yaml
index c77bec745..33028e27f 100644
--- a/consul/enforce-min-tls-version/enforce-min-tls-version.yaml
+++ b/consul/enforce-min-tls-version/enforce-min-tls-version.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: check-for-tls-version
diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/policy-ready.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/policy-ready.yaml
index 30e325f84..262f00af3 100755
--- a/flux-cel/verify-flux-sources/.chainsaw-test/policy-ready.yaml
+++ b/flux-cel/verify-flux-sources/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: verify-flux-sources
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml
index 7cf04ed5a..5155b9eeb 100644
--- a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml
+++ b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: verify-git-repositories
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/flux/generate-flux-multi-tenant-resources/.chainsaw-test/policy-ready.yaml b/flux/generate-flux-multi-tenant-resources/.chainsaw-test/policy-ready.yaml
index 89c55d909..24d376cbf 100644
--- a/flux/generate-flux-multi-tenant-resources/.chainsaw-test/policy-ready.yaml
+++ b/flux/generate-flux-multi-tenant-resources/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: generate-flux-multi-tenant-resources
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/flux/verify-flux-images/.chainsaw-test/policy-ready.yaml b/flux/verify-flux-images/.chainsaw-test/policy-ready.yaml
index a865af19a..da74467e6 100644
--- a/flux/verify-flux-images/.chainsaw-test/policy-ready.yaml
+++ b/flux/verify-flux-images/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: verify-flux-images
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 30e325f84..262f00af3 100755
--- a/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: verify-flux-sources
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/flux/verify-flux-sources/artifacthub-pkg.yml b/flux/verify-flux-sources/artifacthub-pkg.yml
index 76a55c33c..e595d546b 100644
--- a/flux/verify-flux-sources/artifacthub-pkg.yml
+++ b/flux/verify-flux-sources/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Flux"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "GitRepository, Bucket, HelmRepository, ImageRepository"
-digest: 7bd73534dccd558c7114c3c3cf09d03d9ca98a13096dca0a7f44b5b11b55ae84
+digest: 36729a3f5f13572a543a7326be1dbd83323b17b24c78777ea86e318065d58f7b
diff --git a/flux/verify-flux-sources/verify-flux-sources.yaml b/flux/verify-flux-sources/verify-flux-sources.yaml
index f21f782ad..fd512ea49 100644
--- a/flux/verify-flux-sources/verify-flux-sources.yaml
+++ b/flux/verify-flux-sources/verify-flux-sources.yaml
@@ -18,7 +18,7 @@ metadata:
accessing outside sources. This policy verifies that each of the Flux
sources comes from a trusted location.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: flux-github-repositories
match:
diff --git a/flux/verify-git-repositories/.chainsaw-test/policy-ready.yaml b/flux/verify-git-repositories/.chainsaw-test/policy-ready.yaml
index 7cf04ed5a..5155b9eeb 100644
--- a/flux/verify-git-repositories/.chainsaw-test/policy-ready.yaml
+++ b/flux/verify-git-repositories/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: verify-git-repositories
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml
index acc3f29fb..d536a3082 100755
--- a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml
+++ b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enforce-sidecar-injection-namespace
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml
index c5f7637cb..5b830e062 100755
--- a/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml
+++ b/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enforce-strict-mtls
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml
index 3f2e6b492..21e4241b3 100644
--- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml
+++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml
@@ -10,7 +10,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
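Review bot: The replacement image on the `busybox` container is still referenced only by the mutable tag `1.35`, so what a test run pulls depends on whatever `ghcr.io/kyverno/test-busybox` serves for that tag at the time. Appending a digest, `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-of-mirrored-image>`, would make the fixtures reproducible and make a changed mirror image visible in review. This is only suitable if none of the policies under test reject or rewrite digest references, which these hunks do not show. The same tag-only reference appears in every other `busybox:1.35` replacement in this diff (pod-good.yaml, podcontroller-bad.yaml, podcontroller-good.yaml, and the service-mesh and karpenter fixtures).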
@@ -24,4 +24,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml
index de1e03c32..2a86675ca 100644
--- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml
+++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml
@@ -10,7 +10,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -23,4 +23,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml
index 90c90ffc0..62bcc2d70 100644
--- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml
+++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -42,7 +42,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -60,7 +60,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- sleep
- "3600"
@@ -82,7 +82,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- sleep
- "3600"
diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml
index 59d1afa1b..8954aa77e 100644
--- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml
+++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -41,7 +41,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -58,7 +58,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -80,7 +80,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml
index 4c6866bd0..2e032de89 100755
--- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml
+++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: prevent-disabling-injection-pods
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml
index 12870b244..b589170fd 100644
--- a/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-ambient-mode-namespace
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml b/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml
index 350145f08..9b37e7c50 100644
--- a/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml
+++ b/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-sidecar-injection-namespace
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml b/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml
index dae62e0d2..6e8841185 100644
--- a/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml
+++ b/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: create-authorizationpolicy
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 5e9e5da0c..8c6d4630d 100644
--- a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enforce-ambient-mode-namespace
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml b/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml
index a01e95c16..e63c70900 100644
--- a/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml
+++ b/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Istio"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Namespace"
-digest: 1d0f6644ba09afd6fe0dcb431b434c509b995580a5fef2f795df2fc979c6a931
+digest: a098ef222829beed7f5f33a4ea85690c3eac2dde8d7fb96f8ecb2cccf7d64f0c
diff --git a/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml b/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
index 0428f52c5..c5c0b0efa 100644
--- a/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
+++ b/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
@@ -15,7 +15,7 @@ metadata:
`istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces
set `istio.io/dataplane-mode` to `ambient`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-amblient-mode-enabled
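Review bot: The description in this hunk says the policy "ensures that all new Namespaces" set `istio.io/dataplane-mode` to `ambient`, but with `validationFailureAction: Audit` a violating Namespace is, as I understand Kyverno's audit mode, admitted and only reported. Adding a sentence to the description such as `In Audit mode violations are reported, not blocked; switch to Enforce to reject them.` would keep readers from treating the shipped policy as a blocking control. The description starts above the hunk, so it may already say this outside the visible lines. The same wording gap appears in the enforce-sidecar-injection-namespace, enforce-strict-mtls, enforce-tls-hosts-host-subnets and prevent-disabling-injection-pods hunks.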
diff --git a/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index acc3f29fb..d536a3082 100755
--- a/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enforce-sidecar-injection-namespace
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/enforce-sidecar-injection-namespace/artifacthub-pkg.yml b/istio/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
index ba5c3901c..b929f1aad 100644
--- a/istio/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
+++ b/istio/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Istio"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Namespace"
-digest: bef6a662a8eabeb1e615f5b1bc46200d9212d0f47e62e5705a31242082ccc2ef
+digest: 4d6f6b0757d0d1467aa84bddbdeae3faa9a14acbf2453a03e8f91194e5e4d739
diff --git a/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml b/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
index 77c10fc68..509911062 100644
--- a/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
+++ b/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
@@ -15,7 +15,7 @@ metadata:
`istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces
set `istio-inject` to `enabled`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-istio-injection-enabled
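Review bot: The description names the Namespace label two ways, `istio-injection` on the first visible line and `istio-inject` on the second. Assuming the first spelling is the intended label, which the rule name `check-istio-injection-enabled` also suggests, the second line should name `istio-injection` as well. The description starts above the hunk and the rule body continues below it, so the label the rule actually matches cannot be confirmed from here.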
diff --git a/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index c5f7637cb..5b830e062 100755
--- a/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enforce-strict-mtls
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/enforce-strict-mtls/artifacthub-pkg.yml b/istio/enforce-strict-mtls/artifacthub-pkg.yml
index 8206d79c9..c3f2482dc 100644
--- a/istio/enforce-strict-mtls/artifacthub-pkg.yml
+++ b/istio/enforce-strict-mtls/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Istio"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "PeerAuthentication"
-digest: 1e7fbe8c0819be0142c61113b26cbcfe19ec3ca65a9b336165cbe0b1dc1b22b7
+digest: 9febcaf60d14baf9d3ced147ed586aa3bde99d8f1296ff318355c708b39748a1
diff --git a/istio/enforce-strict-mtls/enforce-strict-mtls.yaml b/istio/enforce-strict-mtls/enforce-strict-mtls.yaml
index 2d3dfe81d..91167b572 100644
--- a/istio/enforce-strict-mtls/enforce-strict-mtls.yaml
+++ b/istio/enforce-strict-mtls/enforce-strict-mtls.yaml
@@ -18,7 +18,7 @@ metadata:
This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring
the `mode` be set to either `UNSET` or `STRICT`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-mtls
diff --git a/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a79bc18f7..fd57ad415 100755
--- a/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enforce-tls-hosts-host-subnets
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml b/istio/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml
index a29067dea..84efd2692 100644
--- a/istio/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml
+++ b/istio/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Istio"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "DestinationRule"
-digest: 4825f2ffc9b90a1ddfc2055dd5afff807725961d52416b3be4276c384f05fc95
+digest: bc582eafa610d8f2c8cc0e0514b069e632da4ef5742ebf30926435fb382c965f
diff --git a/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml b/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml
index 1e7971bcb..7dde78fc2 100644
--- a/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml
+++ b/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml
@@ -16,7 +16,7 @@ metadata:
to the destination host. This policy enforces that the TLS mode cannot be set to a value
of `DISABLE`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: destrule
diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 4c6866bd0..2e032de89 100755
--- a/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: prevent-disabling-injection-pods
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml
index 3f2e6b492..21e4241b3 100644
--- a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml
+++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml
@@ -10,7 +10,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -24,4 +24,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml
index de1e03c32..2a86675ca 100644
--- a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml
+++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml
@@ -10,7 +10,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -23,4 +23,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml
index 90c90ffc0..62bcc2d70 100644
--- a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml
+++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -42,7 +42,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -60,7 +60,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- sleep
- "3600"
@@ -82,7 +82,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- sleep
- "3600"
diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml
index 59d1afa1b..8954aa77e 100644
--- a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml
+++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -41,7 +41,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -58,7 +58,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -80,7 +80,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/istio/prevent-disabling-injection-pods/artifacthub-pkg.yml b/istio/prevent-disabling-injection-pods/artifacthub-pkg.yml
index c9b718b3c..cda4c10a2 100644
--- a/istio/prevent-disabling-injection-pods/artifacthub-pkg.yml
+++ b/istio/prevent-disabling-injection-pods/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Istio"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: d9555f2aed790d8fabc6fc8c0ed603f6ee99dce599c4e0114b4a23d0b184fd75
+digest: 3694d6b6206d2a7e7a0d2cf91e696dc92469a64c66732e325f4824a46bb7c1dc
diff --git a/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml b/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml
index 20e71a2b0..d8e89e3d6 100644
--- a/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml
+++ b/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml
@@ -16,7 +16,7 @@ metadata:
thereby reducing visibility. This policy ensures that Pods cannot set the annotation
`sidecar.istio.io/inject` to a value of `false`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: prohibit-inject-annotation
diff --git a/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml b/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml
index ee13fec52..531869ffd 100644
--- a/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml
+++ b/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-authorizationpolicies
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/require-authorizationpolicy/artifacthub-pkg.yml b/istio/require-authorizationpolicy/artifacthub-pkg.yml
index a7b09404d..48ec3dc74 100644
--- a/istio/require-authorizationpolicy/artifacthub-pkg.yml
+++ b/istio/require-authorizationpolicy/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Istio"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "AuthorizationPolicy"
-digest: 6beea1fe2425e1ae6401738ffdedc3012109e67493b6cebdbb7c84eb79e490b0
+digest: d9ff9f3b2f3fbbbecb52cc92b14b02717fa497dc8ff3a9df9285b92ebc3c32a1
diff --git a/istio/require-authorizationpolicy/require-authorizationpolicy.yaml b/istio/require-authorizationpolicy/require-authorizationpolicy.yaml
index 1f6a47564..6429055f4 100644
--- a/istio/require-authorizationpolicy/require-authorizationpolicy.yaml
+++ b/istio/require-authorizationpolicy/require-authorizationpolicy.yaml
@@ -16,7 +16,7 @@ metadata:
at least one AuthorizationPolicy. This policy, designed to run in background mode for reporting
purposes, ensures every Namespace has at least one AuthorizationPolicy.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-authz-pol
diff --git a/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index e823cc767..b1adfb176 100755
--- a/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-virtual-service-wildcard
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/restrict-virtual-service-wildcard/artifacthub-pkg.yml b/istio/restrict-virtual-service-wildcard/artifacthub-pkg.yml
index aa08fe72b..393023a6c 100644
--- a/istio/restrict-virtual-service-wildcard/artifacthub-pkg.yml
+++ b/istio/restrict-virtual-service-wildcard/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Istio"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "VirtualService"
-digest: 34ccfc30dd8bb8dd88099456cf3dff05d48ca160d844a897278e18b389f1b394
+digest: 99689de2d291550cb8ade3458bc15c5e860b1453a09cc13348429ab3fd4de90b
diff --git a/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml b/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml
index 40ebae537..a0da5276b 100644
--- a/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml
+++ b/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml
@@ -18,7 +18,7 @@ metadata:
character and allows for more governance when a single mesh deployment
model is used.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: block-virtual-service-wildcard
diff --git a/istio/service-mesh-disallow-capabilities/.chainsaw-test/bad.yaml b/istio/service-mesh-disallow-capabilities/.chainsaw-test/bad.yaml
index 968942cd7..30ff5e7df 100644
--- a/istio/service-mesh-disallow-capabilities/.chainsaw-test/bad.yaml
+++ b/istio/service-mesh-disallow-capabilities/.chainsaw-test/bad.yaml
@@ -41,7 +41,7 @@ spec:
runAsUser: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
args:
- sleep
- infinity
@@ -94,7 +94,7 @@ spec:
runAsUser: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
args:
- sleep
- infinity
@@ -188,7 +188,7 @@ spec:
runAsUser: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
args:
- sleep
- infinity
diff --git a/istio/service-mesh-disallow-capabilities/.chainsaw-test/good.yaml b/istio/service-mesh-disallow-capabilities/.chainsaw-test/good.yaml
index 08f6360eb..db18be3cc 100644
--- a/istio/service-mesh-disallow-capabilities/.chainsaw-test/good.yaml
+++ b/istio/service-mesh-disallow-capabilities/.chainsaw-test/good.yaml
@@ -41,7 +41,7 @@ spec:
runAsUser: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
args:
- sleep
- infinity
@@ -89,7 +89,7 @@ spec:
- args:
- sleep
- infinity
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
# securityContext:
# runAsNonRoot: true
diff --git a/istio/service-mesh-disallow-capabilities/.chainsaw-test/policy-ready.yaml b/istio/service-mesh-disallow-capabilities/.chainsaw-test/policy-ready.yaml
index 0238b4abb..3506239bf 100644
--- a/istio/service-mesh-disallow-capabilities/.chainsaw-test/policy-ready.yaml
+++ b/istio/service-mesh-disallow-capabilities/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: service-mesh-disallow-capabilities
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/bad.yaml b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/bad.yaml
index bb67612b9..c665359f8 100644
--- a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/bad.yaml
+++ b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/bad.yaml
@@ -40,7 +40,7 @@ spec:
runAsUser: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
args:
- sleep
- infinity
@@ -54,7 +54,7 @@ metadata:
spec:
initContainers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
args:
- sleep
- "2"
diff --git a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/good.yaml b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/good.yaml
index 3033f520c..b43fabe72 100644
--- a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/good.yaml
+++ b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/good.yaml
@@ -40,7 +40,7 @@ spec:
runAsUser: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
args:
- sleep
- infinity
diff --git a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/policy-ready.yaml b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
index a5dc1eb82..84f1f8fca 100644
--- a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
+++ b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: service-mesh-require-run-as-nonroot
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/patched-resource.yaml b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/patched-resource.yaml
index a31e7ca64..072f906ea 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/patched-resource.yaml
+++ b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/patched-resource.yaml
@@ -13,7 +13,7 @@ spec:
spec:
containers:
- name: test
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: system-node-critical
---
apiVersion: apps/v1
@@ -31,5 +31,5 @@ spec:
spec:
containers:
- name: test
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: system-node-critical
diff --git a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/policy-ready.yaml b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/policy-ready.yaml
index ec47d15a5..4e45c009d 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/policy-ready.yaml
+++ b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-karpenter-daemonset-priority-class
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/resource.yaml b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/resource.yaml
index ff19bbf31..aa7d5b191 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/resource.yaml
+++ b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/resource.yaml
@@ -13,7 +13,7 @@ spec:
spec:
containers:
- name: test
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: DaemonSet
@@ -30,5 +30,5 @@ spec:
spec:
containers:
- name: test
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: system-node-not-critical
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml
index 3908e040c..88afce3e3 100644
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml
@@ -11,7 +11,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
backoffLimit: 4
\ No newline at end of file
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml
index 7b48a46b4..e8bcbcc96 100644
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml
@@ -14,6 +14,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml
index 7329ff5d9..c5ce7564c 100644
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-karpenter-donot-evict
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml
index 46f622c67..d97e2d52e 100644
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml
@@ -11,7 +11,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
backoffLimit: 4
@@ -32,6 +32,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg-bad.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg-bad.yaml
index 14dfa4af3..b66cf0724 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg-bad.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg-bad.yaml
@@ -9,4 +9,4 @@ spec:
karpenter.sh/capacity-type: spot
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg.yaml
index f9b63851c..8ec12b731 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg.yaml
@@ -9,7 +9,7 @@ spec:
karpenter.sh/capacity-type: on-demand
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -22,4 +22,4 @@ spec:
karpenter.sh/capacity-type: on-demand
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med-bad.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med-bad.yaml
index 97f92406d..0e0daaa68 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med-bad.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med-bad.yaml
@@ -9,4 +9,4 @@ spec:
karpenter.sh/capacity-type: on-demand
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med.yaml
index 052f8d02c..b3d654d9a 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med.yaml
@@ -9,7 +9,7 @@ spec:
karpenter.sh/capacity-type: spot
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -22,4 +22,4 @@ spec:
karpenter.sh/capacity-type: spot
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-sm-bad.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-sm-bad.yaml
index 3574a6c39..d12a1d0f3 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-sm-bad.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-sm-bad.yaml
@@ -9,7 +9,7 @@ spec:
karpenter.sh/capacity-type: spot
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -22,4 +22,4 @@ spec:
karpenter.sh/capacity-type: on-demand
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml
index 0e5bb13b2..eb3cc093d 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-karpenter-nodeselector
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/resource.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/resource.yaml
index 6665a981e..9151701d9 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/resource.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/resource.yaml
@@ -27,7 +27,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -37,7 +37,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -50,7 +50,7 @@ spec:
karpenter.sh/capacity-type: on-demand
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -60,7 +60,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -73,4 +73,4 @@ spec:
karpenter.sh/capacity-type: spot
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others-patched.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others-patched.yaml
index efbb43ebc..d0f81a65a 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others-patched.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others-patched.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: test5-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
@@ -17,7 +17,7 @@ spec:
memory: "1Gi"
ephemeral-storage: "1Gi"
- name: test5-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others.yaml
index 23a04613f..4ae42012e 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: test5-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
@@ -17,7 +17,7 @@ spec:
memory: "500Mi"
ephemeral-storage: "500Mi"
- name: test5-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-patched.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-patched.yaml
index 7dcbc3abd..f166db55c 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-patched.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-patched.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
@@ -28,7 +28,7 @@ spec:
memory: "1Gi"
ephemeral-storage: "1Gi"
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
@@ -51,7 +51,7 @@ spec:
spec:
containers:
- name: hello-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
@@ -66,7 +66,7 @@ spec:
memory: "1Gi"
ephemeral-storage: "1Gi"
- name: hello-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-resources.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-resources.yaml
index 66323381b..3e4557bd5 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-resources.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-resources.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
@@ -28,7 +28,7 @@ spec:
memory: "500Mi"
ephemeral-storage: "500Mi"
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
@@ -51,7 +51,7 @@ spec:
spec:
containers:
- name: hello-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
@@ -66,7 +66,7 @@ spec:
memory: "500Mi"
ephemeral-storage: "500Mi"
- name: hello-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml
index 3c3b4feac..87aecac73 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: set-karpenter-non-cpu-limits
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
index 040ccdb48..36bd362a8 100644
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
+++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
index c34fd4785..b73ff7aaf 100644
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
+++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml
index dcf3c489e..a11bdbc31 100644
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml
+++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -45,7 +45,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -69,7 +69,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
index 566318b81..58b3482d5 100644
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
+++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
@@ -26,6 +26,6 @@ spec:
spec:
containers:
- name: nginx
- image: nginx:1.14.2
+ image: ghcr.io/kyverno/test-nginx:1.14.2
ports:
- containerPort: 80
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml
index 4e8dfe8c2..54fa59bf8 100755
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml
+++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: k10-data-protection-by-label
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
index cf1a15841..902760bcf 100644
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
+++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
@@ -20,4 +20,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
index 397a81231..a710806fe 100644
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
+++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
@@ -19,4 +19,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml
index bc6216c38..4b55fb60b 100644
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml
+++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: StatefulSet
@@ -39,7 +39,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: StatefulSet
@@ -62,4 +62,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml
index 3fa1c7221..41d795a32 100755
--- a/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml
+++ b/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: k10-policy-hourly-rpo
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml
index 27e86f51b..744ccb78e 100755
--- a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml
+++ b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: k10-validate-ns-by-preset-label
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 5f75f24ec..e553bb9cd 100755
--- a/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: kasten-3-2-1-backup-policy
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index e9f379862..c77a33a63 100755
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: kasten-data-protection-by-label
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
index 040ccdb48..36bd362a8 100644
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
+++ b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
index c34fd4785..b73ff7aaf 100644
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
+++ b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-good.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-good.yaml
index f197557ee..371bd292d 100644
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-good.yaml
+++ b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -45,7 +45,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -69,7 +69,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
index 566318b81..58b3482d5 100644
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
+++ b/kasten/kasten-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
@@ -26,6 +26,6 @@ spec:
spec:
containers:
- name: nginx
- image: nginx:1.14.2
+ image: ghcr.io/kyverno/test-nginx:1.14.2
ports:
- containerPort: 80
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
index cf1a15841..902760bcf 100644
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
+++ b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
@@ -20,4 +20,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
index 397a81231..a710806fe 100644
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
+++ b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
@@ -19,4 +19,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-good.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-good.yaml
index 848d14d3a..4359ca760 100644
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-good.yaml
+++ b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: StatefulSet
@@ -39,7 +39,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: StatefulSet
@@ -62,4 +62,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml
index 5273b5370..319a8fa1d 100644
--- a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml
+++ b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: kasten-generate-policy-by-preset-label
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index c1bc4202f..d210f50d4 100755
--- a/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: kasten-hourly-rpo
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index d65a30c42..03a661f34 100755
--- a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: kasten-validate-ns-by-preset-label
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml
index 68e1fe0a1..cb03ac87a 100644
--- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml
+++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,7 +19,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -34,4 +34,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml
index 50ec73c0a..88be8ab2f 100644
--- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml
+++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml
@@ -12,4 +12,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
index 44277f3ba..a328233b8 100644
--- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
+++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -53,7 +53,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -75,7 +75,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml
index 4e85726df..20f3f43c5 100644
--- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml
+++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml
@@ -20,7 +20,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -45,7 +45,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -66,7 +66,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -92,7 +92,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml
index ed44c7cf3..59d82a83b 100755
--- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml
+++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-kubecost-labels
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/not-patched-deploy.yaml b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/not-patched-deploy.yaml
index 8bb4eed17..60c8c9d59 100644
--- a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/not-patched-deploy.yaml
+++ b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/not-patched-deploy.yaml
@@ -18,7 +18,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep", "9999"]
resources:
diff --git a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/policy-ready.yaml b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/policy-ready.yaml
index 067df0230..2de9a7249 100644
--- a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/policy-ready.yaml
+++ b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: enable-kubecost-continuous-rightsizing
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index ed44c7cf3..59d82a83b 100755
--- a/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-kubecost-labels
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/pod-bad.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/pod-bad.yaml
index 68e1fe0a1..cb03ac87a 100644
--- a/kubecost/require-kubecost-labels/.chainsaw-test/pod-bad.yaml
+++ b/kubecost/require-kubecost-labels/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,7 +19,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -34,4 +34,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/pod-good.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/pod-good.yaml
index 50ec73c0a..88be8ab2f 100644
--- a/kubecost/require-kubecost-labels/.chainsaw-test/pod-good.yaml
+++ b/kubecost/require-kubecost-labels/.chainsaw-test/pod-good.yaml
@@ -12,4 +12,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
index 44277f3ba..a328233b8 100644
--- a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
+++ b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -53,7 +53,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -75,7 +75,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml
index 4e85726df..20f3f43c5 100644
--- a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml
+++ b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml
@@ -20,7 +20,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -45,7 +45,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -66,7 +66,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -92,7 +92,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml
index 08c867372..407fa4ff4 100644
--- a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml
+++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: config-syncer-secret-generation-from-rancher-capi
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
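Review bot: The new expectation under `status.conditions` lists exactly one item. As far as I know, Chainsaw compares a plain array element by element and requires matching length, so this assertion presumably fails if the policy status ever carries a second condition or a different `reason` string. Selecting the entry by type would be more robust: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The same block is repeated in the other `policy-ready.yaml` and `chainsaw-step-01-assert-1.yaml` files in this diff.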
diff --git a/kubevirt/add-services/.chainsaw-test/policy-ready.yaml b/kubevirt/add-services/.chainsaw-test/policy-ready.yaml
index 230b1b098..b181997d3 100644
--- a/kubevirt/add-services/.chainsaw-test/policy-ready.yaml
+++ b/kubevirt/add-services/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: k6t-add-services
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml b/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml
index 575119eb7..b6d6478a9 100644
--- a/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml
+++ b/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: k6t-enforce-instancetype
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/kubevirt/enforce-instancetype/.chainsaw-test/vm-bad.yaml b/kubevirt/enforce-instancetype/.chainsaw-test/vm-bad.yaml
index 78917c4a9..496a0e63a 100644
--- a/kubevirt/enforce-instancetype/.chainsaw-test/vm-bad.yaml
+++ b/kubevirt/enforce-instancetype/.chainsaw-test/vm-bad.yaml
@@ -26,7 +26,7 @@ spec:
terminationGracePeriodSeconds: 0
volumes:
- containerDisk:
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
name: containerdisk
- cloudInitNoCloud:
userData: |
diff --git a/kubevirt/enforce-instancetype/.chainsaw-test/vm-good.yaml b/kubevirt/enforce-instancetype/.chainsaw-test/vm-good.yaml
index 788d6f3fb..89a470679 100644
--- a/kubevirt/enforce-instancetype/.chainsaw-test/vm-good.yaml
+++ b/kubevirt/enforce-instancetype/.chainsaw-test/vm-good.yaml
@@ -20,7 +20,7 @@ spec:
terminationGracePeriodSeconds: 0
volumes:
- containerDisk:
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
name: containerdisk
- cloudInitNoCloud:
userData: |
diff --git a/kubevirt/enforce-instancetype/artifacthub-pkg.yml b/kubevirt/enforce-instancetype/artifacthub-pkg.yml
index 73d5da7bf..4e19a07b0 100644
--- a/kubevirt/enforce-instancetype/artifacthub-pkg.yml
+++ b/kubevirt/enforce-instancetype/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "KubeVirt"
kyverno/kubernetesVersion: "1.24-1.25"
kyverno/subject: "VirtualMachine"
-digest: b0d3d34707cb815c644f2ed54060f6d546655cfb58600618f61575ac355f3439
+digest: 1cd35bac61b4a5945c825e7dc41443e8bd67d32bda052843d040b8d482d80cb8
diff --git a/kubevirt/enforce-instancetype/enforce-instancetype.yaml b/kubevirt/enforce-instancetype/enforce-instancetype.yaml
index 7148f7f2e..ef772390e 100644
--- a/kubevirt/enforce-instancetype/enforce-instancetype.yaml
+++ b/kubevirt/enforce-instancetype/enforce-instancetype.yaml
@@ -11,7 +11,7 @@ metadata:
kyverno.io/kyverno-version: "1.8.0-rc2"
kyverno.io/kubernetes-version: "1.24-1.25"
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
rules:
- name: k6t-ensure-instance-type-and-preference
match:
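Review bot: The annotations shown as context here, `kyverno.io/kyverno-version: "1.8.0-rc2"` and `kyverno.io/kubernetes-version: "1.24-1.25"`, are left unchanged although the policy file and its digest are updated and the cel-test matrix in this same commit now starts at v1.28. If the policy is still exercised on current versions the annotations should say so. Otherwise a comment such as `# last verified with Kyverno 1.8.0-rc2 on Kubernetes 1.24-1.25` above `validationFailureAction: Enforce` would tell operators what the blocking mode was tested against. The rule body continues outside the hunk.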
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
index 2ffa3ce71..b2e676ae4 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
@@ -6,5 +6,5 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
index 0ef55981b..03ef199b1 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
index 826bd837a..26a5d37d8 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
@@ -6,7 +6,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -15,6 +15,6 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
index 876c42be2..ad64e4171 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -38,7 +38,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -55,7 +55,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -76,7 +76,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml
index 2d21edf25..dc4acb236 100755
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: prevent-linkerd-pod-injection-override
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
index 1d3b1cbc3..89f2c4e1b 100644
--- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
@@ -7,7 +7,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -19,7 +19,7 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -32,5 +32,5 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
index 3d4093257..c0ca58e47 100644
--- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -42,7 +42,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -66,7 +66,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -84,7 +84,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -106,7 +106,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -129,7 +129,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
index feddec893..6df9f3bcc 100644
--- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -15,6 +15,6 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
index e8c4c6706..9d7fe6099 100644
--- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -38,7 +38,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -55,7 +55,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -76,7 +76,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml
index 538df5440..5e3757418 100755
--- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml
+++ b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: prevent-linkerd-port-skipping
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml
index 0a6966bd9..8b24c872b 100755
--- a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml
+++ b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-linkerd-mesh-injection
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml b/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml
index c9a189f5a..6edadda16 100644
--- a/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml
+++ b/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-linkerd-mesh-injection
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml b/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml
index b32f7e4c9..3db33b823 100644
--- a/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml
+++ b/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-linkerd-policy-annotation
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index ad356330a..516c9263a 100755
--- a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: check-linkerd-authorizationpolicy
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd/check-linkerd-authorizationpolicy/artifacthub-pkg.yml b/linkerd/check-linkerd-authorizationpolicy/artifacthub-pkg.yml
index 1b1883f8c..881b2ea0a 100644
--- a/linkerd/check-linkerd-authorizationpolicy/artifacthub-pkg.yml
+++ b/linkerd/check-linkerd-authorizationpolicy/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Linkerd"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "AuthorizationPolicy"
-digest: e3f12288bb9f57e51764435a709284d7b3935ae8850eded4d998e35e9568cd19
+digest: a8aa490b9226b245c51bc84f7a01f3a64bf176a40aa24743da3628188cdf50a3
diff --git a/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml b/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml
index e126e1a27..784c361a3 100644
--- a/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml
+++ b/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml
@@ -17,7 +17,7 @@ metadata:
AuthorizationPolicy resources to ensure that either a matching Server or HTTPRoute exists
first.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-server-exists
diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
index 2ffa3ce71..b2e676ae4 100644
--- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
+++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml
@@ -6,5 +6,5 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
index 0ef55981b..03ef199b1 100644
--- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
+++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 2d21edf25..dc4acb236 100755
--- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: prevent-linkerd-pod-injection-override
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
index 826bd837a..26a5d37d8 100644
--- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
+++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml
@@ -6,7 +6,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -15,6 +15,6 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
index 876c42be2..ad64e4171 100644
--- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
+++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -38,7 +38,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -55,7 +55,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -76,7 +76,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/linkerd/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml b/linkerd/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
index 05cdd4338..b21287453 100644
--- a/linkerd/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
+++ b/linkerd/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Linkerd"
kyverno/subject: "Pod"
-digest: f53f4954cf983e1ffd47faf03c76fa07ca01cc2a3d3ac2118c5f77f12e6abbf7
+digest: 054fa2bf433cf978fc7cbc5e846f4f4851a9fc1293a57aa5064d3a6af7e65c0d
diff --git a/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml b/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
index 8b608b408..fadc62b8a 100644
--- a/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
+++ b/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
@@ -13,7 +13,7 @@ metadata:
security and visibility. This policy prevents setting the annotation `linkerd.io/inject`
to `disabled` for Pods.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: pod-injection-override
diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
index 1d3b1cbc3..89f2c4e1b 100644
--- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
+++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml
@@ -7,7 +7,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -19,7 +19,7 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -32,5 +32,5 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
index 3d4093257..c0ca58e47 100644
--- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
+++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -42,7 +42,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -66,7 +66,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -84,7 +84,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -106,7 +106,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -129,7 +129,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 538df5440..5e3757418 100755
--- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: prevent-linkerd-port-skipping
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
index feddec893..6df9f3bcc 100644
--- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
+++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -15,6 +15,6 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
index e8c4c6706..9d7fe6099 100644
--- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
+++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -38,7 +38,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -55,7 +55,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
@@ -76,7 +76,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command:
- "sleep"
- "3600"
diff --git a/linkerd/prevent-linkerd-port-skipping/artifacthub-pkg.yml b/linkerd/prevent-linkerd-port-skipping/artifacthub-pkg.yml
index 5fffbddde..a44ee21be 100644
--- a/linkerd/prevent-linkerd-port-skipping/artifacthub-pkg.yml
+++ b/linkerd/prevent-linkerd-port-skipping/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Linkerd"
kyverno/subject: "Pod"
-digest: eb06dd1a5965de97c84c7ca4f46d77a3d231600340a6f6f6f3369331d5fc0edc
+digest: 2afea901b654630b7006cfad1b1f90304418bb111d468576be735129d93a5778
diff --git a/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml b/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
index 7505e1f52..ec56544e8 100644
--- a/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
+++ b/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
@@ -13,7 +13,7 @@ metadata:
generally should be avoided. This policy prevents Pods from setting
the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: pod-prevent-port-skipping
diff --git a/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 0a6966bd9..8b24c872b 100755
--- a/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-linkerd-mesh-injection
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd/require-linkerd-mesh-injection/artifacthub-pkg.yml b/linkerd/require-linkerd-mesh-injection/artifacthub-pkg.yml
index 3a4b5a7c3..7eb59ea60 100644
--- a/linkerd/require-linkerd-mesh-injection/artifacthub-pkg.yml
+++ b/linkerd/require-linkerd-mesh-injection/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Linkerd"
kyverno/subject: "Namespace, Annotation"
-digest: 284e774c36aae48ee175b4388c792d073897fd6e5df3645ce65682d441a35877
+digest: 122ef3bc84488331c83eb1217f64e9371023914f3a249a380539a9857c625048
diff --git a/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml b/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
index 9026c2f11..822a0b307 100644
--- a/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
+++ b/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
@@ -12,7 +12,7 @@ metadata:
setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that
all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: require-mesh-annotation
diff --git a/linkerd/require-linkerd-server/.chainsaw-test/bad-deploy.yaml b/linkerd/require-linkerd-server/.chainsaw-test/bad-deploy.yaml
index 33990a027..f134b5900 100644
--- a/linkerd/require-linkerd-server/.chainsaw-test/bad-deploy.yaml
+++ b/linkerd/require-linkerd-server/.chainsaw-test/bad-deploy.yaml
@@ -16,9 +16,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
---
@@ -40,8 +40,8 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- name: busybox02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f23d8af71..d064a4759 100755
--- a/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: require-linkerd-server
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/linkerd/require-linkerd-server/.chainsaw-test/good-deploy.yaml b/linkerd/require-linkerd-server/.chainsaw-test/good-deploy.yaml
index f4a6365b5..cb96cc7d9 100644
--- a/linkerd/require-linkerd-server/.chainsaw-test/good-deploy.yaml
+++ b/linkerd/require-linkerd-server/.chainsaw-test/good-deploy.yaml
@@ -16,9 +16,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
---
@@ -40,11 +40,11 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -64,6 +64,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/linkerd/require-linkerd-server/artifacthub-pkg.yml b/linkerd/require-linkerd-server/artifacthub-pkg.yml
index f6cfb2140..248d6b4f3 100644
--- a/linkerd/require-linkerd-server/artifacthub-pkg.yml
+++ b/linkerd/require-linkerd-server/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Linkerd"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Deployment, Server"
-digest: 48fc0973e425cb8e28ef82dc9c1be59f49b80850be42ba62189bcb5235e90278
+digest: bd855cb303add805e796aa91569f7f8708ba6ed901c1ff61766113fe4850596f
diff --git a/linkerd/require-linkerd-server/require-linkerd-server.yaml b/linkerd/require-linkerd-server/require-linkerd-server.yaml
index 87234a391..770000c51 100644
--- a/linkerd/require-linkerd-server/require-linkerd-server.yaml
+++ b/linkerd/require-linkerd-server/require-linkerd-server.yaml
@@ -17,7 +17,7 @@ metadata:
Deployments (exposing ports) and Services to ensure a corresponding Server resource
exists first.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-deployment-has-server
diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
index 8419e2c67..22580bde4 100644
--- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-ingress-nginx-custom-snippets
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
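Review bot: The new assertion lists `conditions` as a plain sequence with one item, which may tie the check to the exact length of the list rather than to the Ready condition itself. As far as I know, Chainsaw compares a literal list element by element and requires equal lengths; if so, the assert would stop matching as soon as the controller reports a second condition on the ClusterPolicy. Selecting the condition by type avoids that: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The same pattern is repeated in every `policy-ready.yaml` hunk of this change.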
diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml
index 3e2289190..6f095d506 100644
--- a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-annotations
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
index d172b2aef..9d92cb157 100644
--- a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-paths
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
index 8419e2c67..22580bde4 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-ingress-nginx-custom-snippets
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
index e6fb8f915..7c6e08872 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Security, NGINX Ingress"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "ConfigMap, Ingress"
-digest: f82c858055d25ed42fa4ec3104c73e59eb17411d06ee65eb78f6063497785e57
+digest: 96d31faa4e116027b69e70a654f0d7847d7ea2724ea439d8318550466db86921
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
index 84f3d0dd3..e0b40d881 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
@@ -16,7 +16,7 @@ metadata:
blocks *-snippet annotations on an Ingress.
See: https://github.com/kubernetes/ingress-nginx/issues/7837
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
rules:
- name: check-config-map
match:
diff --git a/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml b/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml
index 3e2289190..6f095d506 100644
--- a/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-annotations
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/nginx-ingress/restrict-annotations/artifacthub-pkg.yml b/nginx-ingress/restrict-annotations/artifacthub-pkg.yml
index f5d3f217b..8c325748e 100644
--- a/nginx-ingress/restrict-annotations/artifacthub-pkg.yml
+++ b/nginx-ingress/restrict-annotations/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Security, NGINX Ingress"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Ingress"
-digest: 6618fb9e85f16298c93bea7acde1bd85f18457056733a861d73e555f8b935a1d
+digest: 9bac2f494b4566ef2c9422e7486e3331123e70ba1f7b246442f08078994f6bf0
diff --git a/nginx-ingress/restrict-annotations/restrict-annotations.yaml b/nginx-ingress/restrict-annotations/restrict-annotations.yaml
index 091737f32..f7f9bd09d 100644
--- a/nginx-ingress/restrict-annotations/restrict-annotations.yaml
+++ b/nginx-ingress/restrict-annotations/restrict-annotations.yaml
@@ -17,7 +17,7 @@ metadata:
"annotation-value-word-blocklist" configuration setting is also recommended.
Please refer to the CVE for details.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
rules:
- name: check-ingress
match:
diff --git a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
index d172b2aef..9d92cb157 100644
--- a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-paths
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/nginx-ingress/restrict-ingress-paths/artifacthub-pkg.yml b/nginx-ingress/restrict-ingress-paths/artifacthub-pkg.yml
index ce23817b0..1de37b67f 100644
--- a/nginx-ingress/restrict-ingress-paths/artifacthub-pkg.yml
+++ b/nginx-ingress/restrict-ingress-paths/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Security, NGINX Ingress"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Ingress"
-digest: ab86ab56e2f637eb204896effe8bde24dc297efa7dd7557bbb497f01b364518e
+digest: 79b9bb86e578c074e99337e99a4f3615c16b131eb67a8e1171aa709c80d4ea46
diff --git a/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml b/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml
index c4d9d5353..d086a9dfd 100644
--- a/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml
+++ b/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml
@@ -15,7 +15,7 @@ metadata:
Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0.
Please refer to the CVE for details.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
rules:
- name: check-paths
match:
diff --git a/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml b/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml
index 7620a92af..195282bec 100644
--- a/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml
+++ b/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: check-routes
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml
index ed6d92cb9..3a862d24f 100644
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml
+++ b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-security-context-constraint-anyuid
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/openshift/check-routes/.chainsaw-test/policy-ready.yaml b/openshift/check-routes/.chainsaw-test/policy-ready.yaml
index 7620a92af..195282bec 100644
--- a/openshift/check-routes/.chainsaw-test/policy-ready.yaml
+++ b/openshift/check-routes/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: check-routes
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/openshift/check-routes/artifacthub-pkg.yml b/openshift/check-routes/artifacthub-pkg.yml
index 4667c9650..b865bb722 100644
--- a/openshift/check-routes/artifacthub-pkg.yml
+++ b/openshift/check-routes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "Route"
-digest: a06ecd563e1cff566a0e9913e8f06275b802a190ed3d5d86f7cdf28b73ad4589
+digest: 709e81e4c987c6d59650910334ef2a2ab98ac267e690b6d99ac8e6004b3e3e00
diff --git a/openshift/check-routes/check-routes.yaml b/openshift/check-routes/check-routes.yaml
index 7b2291fd3..8ef5020f0 100644
--- a/openshift/check-routes/check-routes.yaml
+++ b/openshift/check-routes/check-routes.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: |-
HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: require-tls-routes
diff --git a/openshift/disallow-deprecated-apis/artifacthub-pkg.yml b/openshift/disallow-deprecated-apis/artifacthub-pkg.yml
index 361b1c27a..26592afec 100644
--- a/openshift/disallow-deprecated-apis/artifacthub-pkg.yml
+++ b/openshift/disallow-deprecated-apis/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC"
-digest: 4632053b784cb8ea4e0959679a3418c429e6a97875c8acea31c62bda9e8c9f8e
+digest: fcfa3505149601c824da0ed5507a65f31b879ddffc646aec57e702796353833a
diff --git a/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml b/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml
index 8ad9a7876..e6320cb93 100644
--- a/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml
+++ b/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml
@@ -17,7 +17,7 @@ metadata:
Note that checking for some of these resources may require modifying the Kyverno
ConfigMap to remove filters.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: check-deprecated-apis
diff --git a/openshift/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml b/openshift/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml
index 427d0f45a..12b6733d0 100644
--- a/openshift/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml
+++ b/openshift/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "BuildConfig"
-digest: 54d8b6ca2d8a3bb07ef0e84375717f230aa1bbee36d2df8fda5563d8b828da64
+digest: b6c956c992d6427a0caa6d7527d0bc1f69c16b328ecfcde91f2560561927539f
diff --git a/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml b/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml
index e4b6396d4..f34271945 100644
--- a/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml
+++ b/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: check-build-strategy
diff --git a/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml b/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml
index ed6d92cb9..3a862d24f 100644
--- a/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml
+++ b/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-security-context-constraint-anyuid
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/openshift/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml b/openshift/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml
index 57032ac9b..c951ddc9f 100644
--- a/openshift/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml
+++ b/openshift/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Security"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "Role,ClusterRole,RBAC"
-digest: 91f366a8916454b5922e91d99af42db7be144d64bfcab98a6223843fa4e2d9b5
+digest: aba34bc8844523568b27a380fc30dd2dba1492cb762d114bf2da851a48033c63
diff --git a/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml b/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
index c444ed66f..e0f8ea9ee 100644
--- a/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
+++ b/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: check-security-context-constraint
diff --git a/openshift/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml b/openshift/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml
index d6f5a4f24..17cd2ac21 100644
--- a/openshift/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml
+++ b/openshift/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disallow-self-provisioner-binding
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/openshift/disallow-self-provisioner-binding/artifacthub-pkg.yml b/openshift/disallow-self-provisioner-binding/artifacthub-pkg.yml
index e973625d7..04b329c03 100644
--- a/openshift/disallow-self-provisioner-binding/artifacthub-pkg.yml
+++ b/openshift/disallow-self-provisioner-binding/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "ClusterRoleBinding, RBAC"
-digest: 1a105716e9a5d2653a6fc6eea9f46c2fa384c00586b9c4148027370e687edfc5
+digest: a808a91eed3c1a1c44840bd490cec834627a5364c93553850acc335f2ad29613
diff --git a/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml b/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
index d8c7a968b..8c1fb149f 100644
--- a/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
+++ b/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: check-self-provisioner-binding-no-subject
diff --git a/openshift/enforce-etcd-encryption/artifacthub-pkg.yml b/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
index 25e08a873..205b0733a 100644
--- a/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
+++ b/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "APIServer"
-digest: 52b34f10d90e6c15782ef1b861c42f0f16618ee7093fc7763fa24758e78c64b3
+digest: a25476bbe38e4bac0519d3e0f8320bf32bdd7ebbd115bc016b1b5d927bf2ce56
diff --git a/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml b/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml
index e80628525..1c21f36fb 100644
--- a/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml
+++ b/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: check-etcd-encryption
diff --git a/openshift/team-validate-ns-name/artifacthub-pkg.yml b/openshift/team-validate-ns-name/artifacthub-pkg.yml
index 087dcf5f3..843c3c912 100644
--- a/openshift/team-validate-ns-name/artifacthub-pkg.yml
+++ b/openshift/team-validate-ns-name/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Namespace"
-digest: 2228cf663cbf371704be6b1ad20e3e293148dbf2d607889f68be80c3154c316b
+digest: 5bf6adc38d0e2a985bcfbd51a1281de127ef37fa05bbe8b48332337657992d68
diff --git a/openshift/team-validate-ns-name/team-validate-ns-name.yaml b/openshift/team-validate-ns-name/team-validate-ns-name.yaml
index 3ade0eae9..325825ee9 100644
--- a/openshift/team-validate-ns-name/team-validate-ns-name.yaml
+++ b/openshift/team-validate-ns-name/team-validate-ns-name.yaml
@@ -17,7 +17,7 @@ metadata:
This policy denies the creation of a Namespace if the name of the Namespace does
not follow a specific naming defined by the cluster admins.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: team-validate-ns-name
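Review bot: The description in the context lines above says the policy "denies the creation of a Namespace", but the action set here is `Audit`, which only records a violation and lets the request through. A reader installing this policy as shipped would expect blocking behaviour that it does not provide. Either reword the description, e.g. `This policy reports a Namespace whose name does not follow the naming defined by the cluster admins; set the action to Enforce to deny creation.`, or state the intended mode explicitly in the annotation text. The description block starts outside the hunk.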
diff --git a/openshift/unique-routes/artifacthub-pkg.yml b/openshift/unique-routes/artifacthub-pkg.yml
index 5aa5b8e0d..74edd9612 100644
--- a/openshift/unique-routes/artifacthub-pkg.yml
+++ b/openshift/unique-routes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "Route"
-digest: faa4a7daf6ce438affd93e7807482980eb1eb64098a8224205da1d54758440cc
+digest: 9760b98f6bf58e3f1ae5b0c06dd2f47e8b49a47aab992e6c906795877c59fb93
diff --git a/openshift/unique-routes/unique-routes.yaml b/openshift/unique-routes/unique-routes.yaml
index 0070178ae..e5307919f 100644
--- a/openshift/unique-routes/unique-routes.yaml
+++ b/openshift/unique-routes/unique-routes.yaml
@@ -16,7 +16,7 @@ metadata:
these hosts should be unique across the cluster to ensure no routing conflicts occur.
This policy checks an incoming Route resource to ensure its hosts are unique to the cluster.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: require-unique-routes
diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml
index 647879b83..d0ccba896 100644
--- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
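Review bot: Moving the image of `busybox01` to `ghcr.io/kyverno/test-busybox:1.35` may turn this "bad" fixture into a compliant one for a registry-restriction policy. The next hunk makes the same change to `busybox01-init`, whose sibling `busybox02-init` already uses `ghcr.io/busybox:1.35`; that suggests `ghcr.io` is the permitted registry in this test and the Docker Hub reference was the violating one, though the allow-list itself is not visible here. If the test expects admission to reject these pods, the image is never pulled, so the original `image: busybox:1.35` can stay in both places without touching Docker Hub. Please confirm against the policy's allowed registries that each pod in `pod-bad.yaml` still has at least one container outside them.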
@@ -15,7 +15,7 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
image: ghcr.io/busybox:1.35
containers:
diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml
index 817091e5a..b0fc37d37 100755
--- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: advanced-restrict-image-registries
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml b/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml
index 942e56ff7..57aa954ae 100644
--- a/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,7 +19,7 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -31,7 +31,7 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -43,5 +43,5 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml b/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml
index a71a48fcb..64143a246 100644
--- a/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml
+++ b/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -29,7 +29,7 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -41,5 +41,5 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml
index 56f826e9a..cc5e4b773 100644
--- a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml
@@ -20,7 +20,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -44,7 +44,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -62,7 +62,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
diff --git a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml
index 41f409f6c..6b9e18273 100644
--- a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -43,7 +43,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -64,7 +64,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -81,7 +81,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
@@ -104,7 +104,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
@@ -123,7 +123,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
diff --git a/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml b/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml
index e86a1d14c..b0aa428dc 100755
--- a/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: allowed-annotations
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml
index a74a0559a..38437c267 100644
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: foo
---
apiVersion: v1
@@ -17,6 +17,6 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: low
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml
index cd959257d..311bf32b6 100644
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml
+++ b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: high
---
apiVersion: v1
@@ -17,7 +17,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: low
---
apiVersion: v1
@@ -27,7 +27,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -37,7 +37,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: foo
---
apiVersion: v1
@@ -47,6 +47,6 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: low
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml
index df4200b22..e8fd9d140 100644
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
priorityClassName: foo
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -42,7 +42,7 @@ spec:
priorityClassName: foo
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml
index 7bbd8cba6..05f3c81a4 100644
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
priorityClassName: high
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -42,7 +42,7 @@ spec:
priorityClassName: foo
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml
index 668c9f4fc..e6e0cca79 100755
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: allowed-podpriorities
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml
index 0125550fd..7723e89bc 100644
--- a/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml
+++ b/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
---
apiVersion: v1
@@ -17,10 +17,10 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
---
apiVersion: v1
@@ -31,16 +31,16 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
index 6efc61a3f..645027785 100644
--- a/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
+++ b/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
@@ -18,9 +18,9 @@ spec:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml
index 612f342f3..76128fcfc 100755
--- a/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: block-ephemeral-containers
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml
index d45f5e825..d3d1504e8 100644
--- a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,14 +17,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: DISABLE_OPA
value: "true"
- name: foo
value: bar
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
@@ -43,14 +43,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: DISABLE_OPA
value: "true"
- name: foo
value: bar
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
diff --git a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml
index a5bb12fe4..9459e38bc 100644
--- a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml
@@ -17,14 +17,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: DISABLE_OPA
value: "false"
- name: foo
value: bar
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
@@ -43,14 +43,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: DISABLE_OPA
value: "false"
- name: foo
value: bar
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
diff --git a/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml b/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml
index 0e73ec3d5..078ddbcb6 100644
--- a/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml
@@ -6,7 +6,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: DISABLE_OPA
@@ -20,14 +20,14 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: foo
value: bar
- name: DISABLE_OPA
value: "true"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: DISABLE_OPA
@@ -43,12 +43,12 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: foo
value: bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: foo
@@ -64,9 +64,9 @@ metadata:
name: badpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: DISABLE_OPA
@@ -80,12 +80,12 @@ metadata:
name: badpod05
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: DISABLE_OPA
value: "false"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: DISABLE_OPA
diff --git a/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml b/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml
index 5ed8c10f5..1ed0f140f 100644
--- a/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml
+++ b/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml
@@ -6,7 +6,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: DISABLE_OPA
@@ -20,14 +20,14 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: foo
value: bar
- name: DISABLE_OPA
value: "false"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: foo
@@ -41,8 +41,8 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
diff --git a/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml b/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml
index 85d6f8e34..5775be301 100755
--- a/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: check-env-vars
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml
index f0246f6f7..4e8480426 100644
--- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: check-serviceaccount-secrets
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml
index 1526c45a0..da23da6e9 100644
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,14 +16,14 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
command:
- ls
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -42,7 +42,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -50,7 +50,7 @@ spec:
- echo
- foo
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml
index e6ee813e1..ef63becbe 100644
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -24,7 +24,7 @@ spec:
- echo
- meow
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -43,7 +43,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -51,7 +51,7 @@ spec:
- echo
- meow
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml
index 1b58ef909..7e212b343 100644
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml
@@ -4,14 +4,14 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
command:
- ls
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -25,7 +25,7 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -40,9 +40,9 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -56,9 +56,9 @@ metadata:
name: badpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -75,9 +75,9 @@ metadata:
name: badpod05
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -93,9 +93,9 @@ metadata:
name: badpod06
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml
index dc0c71226..73e835829 100644
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml
+++ b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -12,7 +12,7 @@ spec:
- echo
- meow
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -26,7 +26,7 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -40,9 +40,9 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -51,7 +51,7 @@ metadata:
name: goodpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
grpc:
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml
index a95d54494..d6eca0d4d 100755
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: deny-commands-in-exec-probe
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml
index 7a079f736..5501ce375 100644
--- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: deny-secret-service-account-token-type
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml
index 214c97602..a5e772ea5 100644
--- a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
env:
- name: SECRET_BAD
@@ -24,13 +24,13 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -38,7 +38,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -59,20 +59,20 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- secretRef:
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -93,9 +93,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
@@ -113,7 +113,7 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
env:
- name: SECRET_BAD
@@ -121,13 +121,13 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -135,7 +135,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -150,20 +150,20 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- secretRef:
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -178,9 +178,9 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml
index 62db85c4b..cdcb87c24 100644
--- a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml
@@ -16,22 +16,22 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -52,20 +52,20 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- configMapRef:
name: foo-bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -86,9 +86,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
@@ -106,22 +106,22 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -136,20 +136,20 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- configMapRef:
name: foo-bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -164,9 +164,9 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml
index 124a1c3d7..1fc669eff 100644
--- a/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml
@@ -4,7 +4,7 @@ metadata:
name: badpod01
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
env:
- name: SECRET_BAD
@@ -12,13 +12,13 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -26,7 +26,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -35,20 +35,20 @@ metadata:
name: badpod02
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- secretRef:
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -57,9 +57,9 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
@@ -72,9 +72,9 @@ metadata:
name: badpod04
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: SECRET_BAD
@@ -83,12 +83,12 @@ spec:
name: foo
key: pass
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml
index 3dbc1f932..4587d5e66 100644
--- a/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml
+++ b/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml
@@ -4,22 +4,22 @@ metadata:
name: goodpod01
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -28,9 +28,9 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
---
apiVersion: v1
@@ -39,20 +39,20 @@ metadata:
name: goodpod03
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- configMapRef:
name: foo-bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -61,9 +61,9 @@ metadata:
name: goodpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml
index a6c46920f..f9fb06bf8 100755
--- a/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: no-secrets
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml
index 34d9089d2..29d03237f 100755
--- a/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: no-localhost-service
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml
index f2d6ff74a..1cb757615 100644
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -24,7 +24,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: foo
@@ -48,12 +48,12 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: batch/v1
@@ -67,7 +67,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -75,7 +75,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: foo
@@ -93,12 +93,12 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml
index d5b7d27aa..b125b872e 100644
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml
@@ -16,14 +16,14 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -44,12 +44,12 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: batch/v1
@@ -63,14 +63,14 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -85,12 +85,12 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml
index 26f0cbf6e..0e69e9d95 100644
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml
@@ -4,7 +4,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -12,7 +12,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -21,9 +21,9 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
envFrom:
- secretRef:
@@ -35,12 +35,12 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: SECRET_BAD
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml
index 6a02634ee..fae78c24e 100644
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml
+++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml
@@ -4,14 +4,14 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -20,9 +20,9 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
---
apiVersion: v1
@@ -31,11 +31,11 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml
index 5ee01d320..63270e950 100755
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: secrets-not-from-env-vars
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml
index 61e78696a..621006ce2 100644
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -42,7 +42,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -64,7 +64,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -86,7 +86,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml
index 381f46442..e6ec259aa 100644
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -43,7 +43,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
@@ -65,7 +65,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -88,7 +88,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml
index a6a3bf162..9188bb978 100644
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml
@@ -4,7 +4,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -20,7 +20,7 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml
index 79e584641..29d235285 100644
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml
+++ b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -16,7 +16,7 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -28,7 +28,7 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
@@ -44,7 +44,7 @@ metadata:
name: goodpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml
index 8698d373a..acaba3125 100755
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: docker-socket-check
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
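Review bot: The new `conditions` assertion lists exactly one element, so if Chainsaw matches lists element for element (as its assertion trees appear to), the test also pins `status.conditions` to a single entry and would fail once a ClusterPolicy reports any additional condition. A filter keeps the check on the Ready condition only: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The trailing empty `+` line also adds a blank line, apparently at the end of the file, which could be dropped. The same applies to the other policy-ready.yaml hunks in this diff (enforce-pod-duration, ensure-probes-different, ensure-readonly-hostpath, exclude-namespaces-dynamically, forbid-cpu-limits, imagepullpolicy-always, ingress-host-match-tls, limit-containers-per-pod, limit-hostpath-type-pv, limit-hostpath-vols).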
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
index 7668856fd..8d543bd44 100644
--- a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
@@ -18,7 +18,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: batch/v1
@@ -37,7 +37,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
index 8cf26dc07..296a10557 100644
--- a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -39,7 +39,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: batch/v1
@@ -56,7 +56,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
---
@@ -76,7 +76,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
index bca56ed61..57a16654b 100644
--- a/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
@@ -7,7 +7,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -19,6 +19,6 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml
index 8e5741b96..d9dd8c07b 100644
--- a/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -15,7 +15,7 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -27,7 +27,7 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -39,6 +39,6 @@ metadata:
name: goodpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml
index 2530f09c7..ccfce366c 100755
--- a/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: pod-lifetime
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
index 4042ab8a8..78d0115dd 100644
--- a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -28,7 +28,7 @@ spec:
readinessProbe:
tcpSocket:
port: 8080
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
@@ -59,7 +59,7 @@ spec:
name: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep","300"]
livenessProbe:
@@ -70,7 +70,7 @@ spec:
tcpSocket:
port: 8080
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -100,7 +100,7 @@ spec:
spec:
terminationGracePeriodSeconds: 5
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
index b82e3c264..f5c2d6b5b 100644
--- a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep","300"]
readinessProbe:
@@ -26,7 +26,7 @@ spec:
- cat
- /tmp/healthy
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
@@ -55,7 +55,7 @@ spec:
name: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep","300"]
readinessProbe:
@@ -64,7 +64,7 @@ spec:
- cat
- /tmp/healthy
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
@@ -92,13 +92,13 @@ spec:
spec:
terminationGracePeriodSeconds: 5
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
tcpSocket:
port: 8080
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml b/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml
index 1a741c0b9..93e19afb3 100755
--- a/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: validate-probes
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
index 3ecab0318..e96566074 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -27,7 +27,7 @@ spec:
readOnly: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -52,7 +52,7 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -62,7 +62,7 @@ spec:
readOnly: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
index d7d6eaac7..2e5588e44 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
@@ -17,7 +17,7 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -27,7 +27,7 @@ spec:
readOnly: true
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -52,7 +52,7 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -62,7 +62,7 @@ spec:
readOnly: true
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
index b11e3fc29..2642c194c 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -15,7 +15,7 @@ spec:
readOnly: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
index 15a373855..bdb942869 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -15,7 +15,7 @@ spec:
readOnly: true
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
index b9b225ce6..35c07ba78 100755
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: ensure-readonly-hostpath
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml
index 78823c79e..66aef86b3 100644
--- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -15,7 +15,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -26,4 +26,4 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
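Review bot: The rewritten last line still ends without a newline, since `\ No newline at end of file` appears on both the old and the new side. yamllint's `new-line-at-end-of-file` rule would flag this, and as the line is being touched anyway it is a good moment to end the file with a single newline. The same applies to the final hunks of exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml and limit-hostpath-vols/.chainsaw-test/pod-good.yaml.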
diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml
index 9f2d32670..00afae229 100644
--- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml
+++ b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -28,7 +28,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -40,4 +40,4 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml
index 931d85e11..a81ce69fb 100644
--- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml
index 1360dedfa..90f518ddc 100644
--- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -40,7 +40,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml
index 451f8163f..d5c98b767 100755
--- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: exclude-namespaces-example
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
index 30cd26d52..81604049b 100644
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
@@ -41,12 +41,12 @@ spec:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: 10m
- name: webserver2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: 10m
@@ -65,7 +65,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
@@ -87,12 +87,12 @@ spec:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: 10m
- name: webserver2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: 10m
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
index 03c668ef2..f73c8eb25 100644
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -37,7 +37,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
@@ -57,7 +57,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
---
@@ -75,7 +75,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
index f24adfe86..80ae12300 100644
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: 10m
@@ -17,12 +17,12 @@ metadata:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: 10m
- name: webserver2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: 10m
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
index 97629fef4..44c8c9ae3 100644
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: 10m
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
index 2babcc6e6..e3475173b 100755
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: forbid-cpu-limits
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
index 6949ea364..39daa206c 100644
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Never
---
apiVersion: v1
@@ -15,7 +15,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
imagePullPolicy: IfNotPresent
---
apiVersion: v1
@@ -25,10 +25,10 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Always
- name: pod02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: IfNotPresent
---
apiVersion: v1
@@ -38,8 +38,8 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Never
- name: pod02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
index e95c6524f..c8a62a5f0 100644
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox # by default, imagePullPolicy: Always
+ image: ghcr.io/kyverno/test-busybox # by default, imagePullPolicy: Always
---
apiVersion: v1
kind: Pod
@@ -23,7 +23,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest # by default, imagePullPolicy: Always
+ image: ghcr.io/kyverno/test-busybox:latest # by default, imagePullPolicy: Always
---
apiVersion: v1
kind: Pod
@@ -32,7 +32,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Always
---
apiVersion: v1
@@ -42,10 +42,10 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Always
- name: pod02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -54,9 +54,9 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
- name: pod02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Always
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
index aa3f6ecf1..3e5f3952b 100644
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
@@ -17,12 +17,12 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Never
- name: bb03
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
imagePullPolicy: IfNotPresent
---
apiVersion: batch/v1
@@ -37,12 +37,12 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Never
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
imagePullPolicy: IfNotPresent
restartPolicy: OnFailure
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
index 2e93055ba..3d2304f54 100644
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
@@ -17,11 +17,11 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: bb03
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
---
apiVersion: batch/v1
kind: CronJob
@@ -35,10 +35,10 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: bb03
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
restartPolicy: OnFailure
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
index 843ff7ef8..b103315ed 100755
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: imagepullpolicy-always
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
index e9271befe..3ed69ae88 100755
--- a/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: ingress-host-match-tls
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
index 96992623a..6ff94d1e4 100644
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
@@ -5,13 +5,13 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod05
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
index c1f96536b..3d2e6cdf1 100644
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
@@ -5,13 +5,13 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,7 +20,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
index 718cf5d4d..511d40c8a 100644
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
@@ -17,15 +17,15 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb05
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,14 +39,14 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb05
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
index 1a380e941..d24d66705 100644
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
@@ -17,13 +17,13 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -37,12 +37,12 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
index 5623d2644..667e425d2 100755
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: limit-containers-per-pod
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml
index 4282df611..b72728c58 100755
--- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: limit-hostpath-type-pv
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml
index 2dfc11c6c..b1f06d7b3 100644
--- a/other-cel/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/pod-good.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/pod-good.yaml
index 92ed9c3a4..5dc8241d3 100644
--- a/other-cel/limit-hostpath-vols/.chainsaw-test/pod-good.yaml
+++ b/other-cel/limit-hostpath-vols/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -48,7 +48,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -68,4 +68,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml
index 0379980ec..86152ffc0 100644
--- a/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -42,7 +42,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml
index acb202523..0eb07257d 100644
--- a/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -45,7 +45,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml
index b5a967f65..95cce276c 100755
--- a/other-cel/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: limit-hostpath-vols
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
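Review bot: The new assertion writes `status.conditions` as a single literal entry and also pins `reason: Succeeded`. If Chainsaw compares lists element by element (to be confirmed for the installed version), any extra condition on the ClusterPolicy would fail the readiness check even though the policy is Ready. Selecting the entry by type is less brittle: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The same block is added to the other `policy-ready.yaml` files in this diff, and the extra blank `+` line at the end of each can be dropped.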
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml
index b5e8f35f5..506be4759 100644
--- a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -19,14 +19,14 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "10Mi"
limits:
memory: "140Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -40,14 +40,14 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "120Mi"
limits:
memory: "120Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -61,14 +61,14 @@ metadata:
spec:
containers:
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
memory: "200Mi"
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml
index 2b67af375..e191b9f1d 100644
--- a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml
+++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -28,16 +28,16 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
memory: "100Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml
index 85b8c5456..4d41660e1 100644
--- a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml
@@ -17,14 +17,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "10Mi"
limits:
memory: "140Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -43,14 +43,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "10Mi"
limits:
memory: "140Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml
index d54369b17..f3aa1b901 100644
--- a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml
@@ -17,16 +17,16 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
memory: "100Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
@@ -45,16 +45,16 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
memory: "100Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml
index b0e2885d6..bcf716ae5 100755
--- a/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: memory-requests-equal-limits
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml
index e16e81cd7..acc9d41d9 100644
--- a/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -29,7 +29,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -38,5 +38,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml
index 9c3f19d3e..14f14b832 100644
--- a/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml
+++ b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,5 +18,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml
index e1824fb48..4671dd5f7 100644
--- a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,6 +35,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml
index 164d85d51..70978c9b6 100644
--- a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,6 +35,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml b/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml
index aa0042784..07a3b80e9 100755
--- a/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: metadata-match-regex
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml
index 235426002..7f289a15c 100755
--- a/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: pdb-maxunavailable
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml
index c79a4845a..3f28c812b 100644
--- a/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml
@@ -18,6 +18,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "30"]
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml
index cf952a0ce..b62882c08 100644
--- a/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml
index 7bd6e6c77..5ca95f5ac 100644
--- a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml
@@ -10,5 +10,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml
index c88574c2e..5663c2f0e 100755
--- a/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: prevent-bare-pods
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml
index 26556887a..3cae71084 100644
--- a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml
@@ -23,7 +23,7 @@ spec:
value: "foo=bar"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -43,6 +43,6 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml
index 487b91d99..6a6d20803 100644
--- a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml
@@ -23,7 +23,7 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -43,6 +43,6 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml
index 05825db5a..cc9742c5b 100644
--- a/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml
@@ -11,7 +11,7 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -26,5 +26,5 @@ spec:
value: "foo=bar"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml
index ed0f0c5fa..2281fcfca 100644
--- a/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml
+++ b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml
@@ -11,18 +11,18 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
metadata:
name: goodpod02
spec:
- securityContext:
- allowPrivilegeEscalation: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
+ securityContext:
+ allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
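Review bot: Nothing in the fixture says what `goodpod02` is meant to exercise, and after this hunk its `securityContext` follows the container's `image` line instead of sitting directly under `spec`. Indentation is not preserved on this page, so the container-level placement is inferred. If that reading is right, a comment above the pod such as `# goodpod02: container securityContext set, no sysctls` would keep the intent clear for the next edit. `allowPrivilegeEscalation` is a container-level field in the Pod API, which is presumably why the block moved.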
@@ -31,5 +31,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
-
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/require-annotations/.chainsaw-test/pod-bad.yaml b/other-cel/require-annotations/.chainsaw-test/pod-bad.yaml
index feba52874..6356af7aa 100644
--- a/other-cel/require-annotations/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/require-annotations/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,5 +16,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-annotations/.chainsaw-test/pod-good.yaml b/other-cel/require-annotations/.chainsaw-test/pod-good.yaml
index 2b0268b45..398771fcc 100644
--- a/other-cel/require-annotations/.chainsaw-test/pod-good.yaml
+++ b/other-cel/require-annotations/.chainsaw-test/pod-good.yaml
@@ -7,5 +7,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-annotations/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-annotations/.chainsaw-test/podcontroller-bad.yaml
index 0b0e44020..0afbc09dc 100644
--- a/other-cel/require-annotations/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/require-annotations/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -34,6 +34,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/require-annotations/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-annotations/.chainsaw-test/podcontroller-good.yaml
index c3b2c08ab..2d00b207b 100644
--- a/other-cel/require-annotations/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/require-annotations/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,6 +36,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/require-annotations/.chainsaw-test/policy-ready.yaml b/other-cel/require-annotations/.chainsaw-test/policy-ready.yaml
index d01618467..184f4f886 100755
--- a/other-cel/require-annotations/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-annotations/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: require-annotations
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/require-container-port-names/.chainsaw-test/pod-bad.yaml b/other-cel/require-container-port-names/.chainsaw-test/pod-bad.yaml
index f55f602a1..a9be85d99 100644
--- a/other-cel/require-container-port-names/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/require-container-port-names/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
---
@@ -16,12 +16,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- containerPort: 443
@@ -34,11 +34,11 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
name: http-port
diff --git a/other-cel/require-container-port-names/.chainsaw-test/pod-good.yaml b/other-cel/require-container-port-names/.chainsaw-test/pod-good.yaml
index 0825ba43a..1bbaa60e6 100644
--- a/other-cel/require-container-port-names/.chainsaw-test/pod-good.yaml
+++ b/other-cel/require-container-port-names/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
@@ -17,12 +17,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
diff --git a/other-cel/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml
index dd9ac3feb..fd12ecd36 100644
--- a/other-cel/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml
@@ -17,12 +17,12 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- containerPort: 443
@@ -41,12 +41,12 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- containerPort: 443
diff --git a/other-cel/require-container-port-names/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-container-port-names/.chainsaw-test/podcontroller-good.yaml
index f491d3aab..9f5f94e13 100644
--- a/other-cel/require-container-port-names/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/require-container-port-names/.chainsaw-test/podcontroller-good.yaml
@@ -17,12 +17,12 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
@@ -42,12 +42,12 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
diff --git a/other-cel/require-container-port-names/.chainsaw-test/policy-ready.yaml b/other-cel/require-container-port-names/.chainsaw-test/policy-ready.yaml
index f8c44c430..ad3202354 100755
--- a/other-cel/require-container-port-names/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-container-port-names/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-container-port-names
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml
index fe9b249f6..cf0c3471c 100644
--- a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml
+++ b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -40,9 +40,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -62,7 +62,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml
index 40e56f064..d677a36af 100644
--- a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml
+++ b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -40,7 +40,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml
index c9b84bffe..22681ce73 100755
--- a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: deployment-has-multiple-replicas
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml
index da2b7cd1a..8dea0db19 100644
--- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml
+++ b/other-cel/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml
@@ -6,7 +6,7 @@ metadata:
name: badpod01
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/foo
@@ -16,18 +16,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/vol
name: vol
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo-host
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml
index b515750a6..be38730f2 100644
--- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml
@@ -4,12 +4,12 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -26,7 +26,7 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /cache/data
@@ -41,12 +41,12 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/vol
name: vol
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumeMounts:
- mountPath: /mnt/foo
@@ -64,7 +64,7 @@ metadata:
name: badpod04
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/foo
@@ -74,18 +74,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/vol
name: vol
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/vol
name: vol
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -108,7 +108,7 @@ metadata:
name: badpod05
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
@@ -126,7 +126,7 @@ metadata:
name: badpod06
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
@@ -144,7 +144,7 @@ metadata:
name: badpod07
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml
index 2af525da3..c99ae5a9b 100644
--- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml
+++ b/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
@@ -24,7 +24,7 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -33,7 +33,7 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /cache/data
@@ -49,7 +49,7 @@ metadata:
name: goodpod04
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/vol
@@ -59,18 +59,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/foo
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -93,20 +93,20 @@ metadata:
name: goodpod05
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/foo
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: vol
@@ -121,7 +121,7 @@ metadata:
name: goodpod06
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
@@ -131,7 +131,7 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo
@@ -143,12 +143,12 @@ metadata:
name: goodpod07
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo
@@ -162,7 +162,7 @@ metadata:
spec:
initContainers:
- name: certificates
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
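Review bot: The `+` line here has no tag, so `ghcr.io/kyverno/test-busybox` resolves to `latest`, while the other fixtures in this diff use `:1.35`. A floating reference makes the test depend on whatever that tag points to at pull time, and the pull fails if the mirror publishes no `latest` tag (not verifiable from this page). Suggest `image: ghcr.io/kyverno/test-busybox:1.35` here and in the next two hunks of this file (the `configure` and `my-app` containers). The old side was untagged too, so this predates the commit, but the registry switch is a natural place to fix it.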
@@ -172,7 +172,7 @@ spec:
requests:
ephemeral-storage: 256Mi
- name: configure
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
@@ -185,7 +185,7 @@ spec:
ephemeral-storage: 256Mi
containers:
- name: my-app
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
limits:
cpu: "2"
diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml
index d32c2c22d..7983cee46 100644
--- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml
@@ -16,23 +16,23 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/vol
name: vol
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo-host
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -63,7 +63,7 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/foo
@@ -73,18 +73,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/vol
name: vol
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo-host
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml
index 70b656486..bbea194f0 100644
--- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/vol
@@ -26,18 +26,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/foo
name: foo-host
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -68,7 +68,7 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/vol
@@ -78,18 +78,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/foo
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml
index 9aa39646d..7ce8296f7 100755
--- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-emptydir-requests-and-limits
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
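Review bot: The readiness assert now pins `reason: Succeeded` alongside `type: Ready` and `status: "True"`, and nothing in the file says why the reason string is part of the contract. If only readiness matters, dropping `reason` and adding a comment such as `# Kyverno reports policy readiness through status.conditions` above `conditions:` would make the intent clearer; whether the reason has to match is not visible from this hunk. The empty line added at the end of the hunk is stray whitespace. The policy-ready.yaml hunks for require-image-checksum and require-ingress-https have the same shape.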
diff --git a/other-cel/require-image-checksum/.chainsaw-test/pod-bad.yaml b/other-cel/require-image-checksum/.chainsaw-test/pod-bad.yaml
index 40f2785ec..fee9dd4df 100644
--- a/other-cel/require-image-checksum/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/require-image-checksum/.chainsaw-test/pod-bad.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
---
apiVersion: v1
kind: Pod
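Review bot: The new digest on `busybox02` is an opaque value, and nothing in the file ties it to a tag or records how it was obtained, so a later reader cannot tell whether it is current or re-verify it. A trailing comment such as `# digest of ghcr.io/kyverno/test-busybox:<TAG> as mirrored` would record that; the tag is a placeholder because the page does not state which tag this digest resolves to. The same digest is repeated in pod-good.yaml, podcontroller-bad.yaml and podcontroller-good.yaml, next to a `test-nginx` digest that needs the same comment. These fixtures presumably only go through admission, in which case a stale or mistyped digest would not fail the test and the comment is the only record to check against.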
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: bb
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
diff --git a/other-cel/require-image-checksum/.chainsaw-test/pod-good.yaml b/other-cel/require-image-checksum/.chainsaw-test/pod-good.yaml
index 926cef9f4..72b1aeb11 100644
--- a/other-cel/require-image-checksum/.chainsaw-test/pod-good.yaml
+++ b/other-cel/require-image-checksum/.chainsaw-test/pod-good.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: busybox02
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
---
apiVersion: v1
kind: Pod
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
diff --git a/other-cel/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml
index eac23fb1b..a8dc4cf66 100644
--- a/other-cel/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
---
apiVersion: batch/v1
kind: CronJob
@@ -33,8 +33,8 @@ spec:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: bb
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
restartPolicy: OnFailure
diff --git a/other-cel/require-image-checksum/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-image-checksum/.chainsaw-test/podcontroller-good.yaml
index 05e49a52c..3e5ca997d 100644
--- a/other-cel/require-image-checksum/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/require-image-checksum/.chainsaw-test/podcontroller-good.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
---
apiVersion: batch/v1
kind: CronJob
@@ -33,8 +33,8 @@ spec:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
restartPolicy: OnFailure
diff --git a/other-cel/require-image-checksum/.chainsaw-test/policy-ready.yaml b/other-cel/require-image-checksum/.chainsaw-test/policy-ready.yaml
index af8d87a62..33b603041 100755
--- a/other-cel/require-image-checksum/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-image-checksum/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: require-image-checksum
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/require-ingress-https/.chainsaw-test/ingress-good.yaml b/other-cel/require-ingress-https/.chainsaw-test/ingress-good.yaml
index 151a757ec..acd7a9317 100644
--- a/other-cel/require-ingress-https/.chainsaw-test/ingress-good.yaml
+++ b/other-cel/require-ingress-https/.chainsaw-test/ingress-good.yaml
@@ -9,7 +9,7 @@ spec:
ingressClassName: someingress
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
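Review bot: The key `http:` in a fixture named ingress-good for a require-https policy reads like a regression unless it is explained, and the hunk adds no comment. As far as I know `http` is the only rule type the Kubernetes Ingress API defines, and TLS is configured separately under `spec.tls` (visible in the last hunk of this file). That would make the old `https:` key an unknown field, likely dropped or rejected depending on field validation. A comment above the first rule, `# 'http' is the Ingress API's only rule type; TLS is set under spec.tls`, would stop it from being changed back. The same applies to the other hunks in this file and to `.kyverno-test/resource.yaml`, and the last hunk here also removes the file's final newline.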
@@ -33,7 +33,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -43,7 +43,7 @@ spec:
port:
number: 80
- host: endpoint02
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -55,5 +55,4 @@ spec:
tls:
- hosts:
- endpoint01
- - endpoint02
-
+ - endpoint02
\ No newline at end of file
diff --git a/other-cel/require-ingress-https/.chainsaw-test/policy-ready.yaml b/other-cel/require-ingress-https/.chainsaw-test/policy-ready.yaml
index 77b55948d..9437be689 100755
--- a/other-cel/require-ingress-https/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-ingress-https/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: require-ingress-https
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/require-ingress-https/.kyverno-test/resource.yaml b/other-cel/require-ingress-https/.kyverno-test/resource.yaml
index a97cba4e7..e1a3fa535 100644
--- a/other-cel/require-ingress-https/.kyverno-test/resource.yaml
+++ b/other-cel/require-ingress-https/.kyverno-test/resource.yaml
@@ -32,7 +32,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -64,7 +64,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -99,7 +99,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -130,7 +130,7 @@ spec:
ingressClassName: someingress
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -154,7 +154,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -164,7 +164,7 @@ spec:
port:
number: 80
- host: endpoint02
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other-cel/require-non-root-groups/.chainsaw-test/pod-bad.yaml b/other-cel/require-non-root-groups/.chainsaw-test/pod-bad.yaml
index af72489a1..64313b235 100644
--- a/other-cel/require-non-root-groups/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/require-non-root-groups/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -36,7 +36,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -49,9 +49,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -60,9 +60,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -73,9 +73,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -86,9 +86,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -101,11 +101,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -118,12 +118,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -134,10 +134,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -150,12 +150,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -168,12 +168,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -184,14 +184,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -202,12 +202,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -218,7 +218,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [0]
---
@@ -229,7 +229,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [14,0]
---
@@ -240,7 +240,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
fsGroup: 0
---
diff --git a/other-cel/require-non-root-groups/.chainsaw-test/pod-good.yaml b/other-cel/require-non-root-groups/.chainsaw-test/pod-good.yaml
index 712cd7520..5a1a5a4f7 100644
--- a/other-cel/require-non-root-groups/.chainsaw-test/pod-good.yaml
+++ b/other-cel/require-non-root-groups/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -27,7 +27,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -40,9 +40,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -53,9 +53,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -68,10 +68,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -82,12 +82,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -98,12 +98,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -114,14 +114,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -132,16 +132,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -152,7 +152,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32]
@@ -164,7 +164,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32,94]
@@ -176,7 +176,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
fsGroup: 32
\ No newline at end of file
diff --git a/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml
index 5f56fe9c0..b6ab78f8e 100644
--- a/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -52,7 +52,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -72,7 +72,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -94,9 +94,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -114,9 +114,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -136,9 +136,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -158,9 +158,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -182,11 +182,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -208,12 +208,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -233,10 +233,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -258,12 +258,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -285,12 +285,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -310,14 +310,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -337,12 +337,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -359,7 +359,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -374,7 +374,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -391,7 +391,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -408,7 +408,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -427,9 +427,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -444,9 +444,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -463,9 +463,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -482,9 +482,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -503,11 +503,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -526,12 +526,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -548,10 +548,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -570,12 +570,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -594,12 +594,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -616,14 +616,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -640,12 +640,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -665,7 +665,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [0]
---
@@ -685,7 +685,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [14,0]
---
@@ -702,7 +702,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [0]
---
@@ -719,7 +719,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [14,0]
---
@@ -739,7 +739,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
fsGroup: 0
---
@@ -756,6 +756,6 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
fsGroup: 0
\ No newline at end of file
diff --git a/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml
index 221eae1a4..c8edb5d19 100644
--- a/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -54,7 +54,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -76,9 +76,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -98,9 +98,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -122,10 +122,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -145,12 +145,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -170,12 +170,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -195,14 +195,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -222,16 +222,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -249,7 +249,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -266,7 +266,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -283,7 +283,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -302,9 +302,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -321,9 +321,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -342,10 +342,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -362,12 +362,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -384,12 +384,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -406,14 +406,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -430,16 +430,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -459,7 +459,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32]
@@ -480,7 +480,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32,94]
@@ -498,7 +498,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32]
@@ -516,7 +516,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32,94]
@@ -537,7 +537,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
fsGroup: 32
@@ -555,7 +555,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
fsGroup: 32
diff --git a/other-cel/require-non-root-groups/.chainsaw-test/policy-ready.yaml b/other-cel/require-non-root-groups/.chainsaw-test/policy-ready.yaml
index b51263787..637e72bac 100755
--- a/other-cel/require-non-root-groups/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-non-root-groups/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-non-root-groups
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
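Review bot: The new `status.conditions` assertion is written as a one-element list, which ties the check to how the assertion engine compares lists. If it compares them positionally or by length (worth confirming for the Chainsaw version in use), the check would stop matching once the ClusterPolicy reports an additional condition. Keying the match on the condition type avoids that, e.g. `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The hunk also adds an empty line at the end of the file, which can be dropped. The same pattern repeats in the other `policy-ready.yaml` hunks of this diff (require-qos-burstable, require-qos-guaranteed, require-storageclass, restrict-annotations and the ones after them).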
diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
index 87f71c387..52e3037fa 100644
--- a/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: ""
---
apiVersion: v1
@@ -15,5 +15,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
index e2d653623..2f03d56a3 100644
--- a/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
+++ b/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
@@ -5,6 +5,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: high
diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
index 84125da65..cd47e10ba 100644
--- a/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -29,5 +29,5 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
index 006d70fb8..d4f456b3b 100644
--- a/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: high
---
apiVersion: batch/v1
@@ -30,6 +30,6 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: high
diff --git a/other-cel/require-qos-burstable/.chainsaw-test/pod-bad.yaml b/other-cel/require-qos-burstable/.chainsaw-test/pod-bad.yaml
index 022973982..ebc6846b9 100644
--- a/other-cel/require-qos-burstable/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/require-qos-burstable/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-qos-burstable/.chainsaw-test/pod-good.yaml b/other-cel/require-qos-burstable/.chainsaw-test/pod-good.yaml
index dffe62ec2..83ad74104 100644
--- a/other-cel/require-qos-burstable/.chainsaw-test/pod-good.yaml
+++ b/other-cel/require-qos-burstable/.chainsaw-test/pod-good.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
@@ -24,9 +24,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
memory: "100Mi"
@@ -40,12 +40,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -56,9 +56,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: "1"
@@ -72,10 +72,10 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
index 2f64b134f..201859261 100644
--- a/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -31,7 +31,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
index 02687caa1..342fcb1e6 100644
--- a/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
memory: "100Mi"
@@ -34,10 +34,10 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: "1"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/require-qos-burstable/.chainsaw-test/policy-ready.yaml b/other-cel/require-qos-burstable/.chainsaw-test/policy-ready.yaml
index 100b07c2d..4eba1ec3f 100755
--- a/other-cel/require-qos-burstable/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-qos-burstable/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: require-qos-burstable
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
index 9cd0cbc6a..73a785cf5 100644
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -24,13 +24,13 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
cpu: "2"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
memory: "100Mi"
@@ -45,12 +45,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -61,6 +61,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/pod-good.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
index f9ae97536..0b9826f4d 100644
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
+++ b/other-cel/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
@@ -34,7 +34,7 @@ spec:
memory: "50Mi"
cpu: "2"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
index 7a363df17..37882316a 100644
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
@@ -14,14 +14,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
cpu: "1"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,9 +36,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
index b9d919b36..514a21f0e 100644
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "200Mi"
@@ -23,7 +23,7 @@ spec:
memory: "200Mi"
cpu: "2"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -45,7 +45,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -54,7 +54,7 @@ spec:
memory: "100Mi"
cpu: "1"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml
index 7d014a1b1..08c5d44e0 100755
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-qos-guaranteed
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/require-storageclass/.chainsaw-test/policy-ready.yaml b/other-cel/require-storageclass/.chainsaw-test/policy-ready.yaml
index 512228993..d6a378049 100755
--- a/other-cel/require-storageclass/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/require-storageclass/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: require-storageclass
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/require-storageclass/.chainsaw-test/ss-bad.yaml b/other-cel/require-storageclass/.chainsaw-test/ss-bad.yaml
index 74251b466..8699ccbea 100644
--- a/other-cel/require-storageclass/.chainsaw-test/ss-bad.yaml
+++ b/other-cel/require-storageclass/.chainsaw-test/ss-bad.yaml
@@ -16,7 +16,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
name: web
diff --git a/other-cel/require-storageclass/.chainsaw-test/ss-good.yaml b/other-cel/require-storageclass/.chainsaw-test/ss-good.yaml
index 45a6b7429..76ab2ae2d 100644
--- a/other-cel/require-storageclass/.chainsaw-test/ss-good.yaml
+++ b/other-cel/require-storageclass/.chainsaw-test/ss-good.yaml
@@ -15,7 +15,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeClaimTemplates:
- metadata:
name: www
@@ -43,5 +43,5 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-annotations/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-annotations/.chainsaw-test/pod-bad.yaml
index e273f217b..db8491b76 100644
--- a/other-cel/restrict-annotations/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/restrict-annotations/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,7 +20,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -33,5 +33,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-annotations/.chainsaw-test/pod-good.yaml b/other-cel/restrict-annotations/.chainsaw-test/pod-good.yaml
index 9cb7d4668..a51527584 100644
--- a/other-cel/restrict-annotations/.chainsaw-test/pod-good.yaml
+++ b/other-cel/restrict-annotations/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,5 +18,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml
index abd918f2f..3f61c09d4 100644
--- a/other-cel/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -37,6 +37,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/restrict-annotations/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-annotations/.chainsaw-test/podcontroller-good.yaml
index 8995b0c41..a4679aa23 100644
--- a/other-cel/restrict-annotations/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/restrict-annotations/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,6 +35,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml
index 9643a7fce..06e578ab4 100755
--- a/other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-annotations
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml
index ef3124247..899bf3663 100755
--- a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-binding-clusteradmin
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml
index badf5a0e7..4a404d804 100755
--- a/other-cel/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-binding-system-groups
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml
index 70e535108..5915caeff 100755
--- a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-clusterrole-nodesproxy
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
index 48a871abc..901316bbf 100644
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
@@ -14,7 +14,7 @@ spec:
effect: "NoSchedule"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -33,5 +33,5 @@ spec:
effect: "NoExecute"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
index 55da85360..7c8c3631e 100644
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
+++ b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
@@ -11,7 +11,7 @@ spec:
effect: "NoSchedule"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -30,5 +30,5 @@ spec:
effect: "NoExecute"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
index 5d00d7481..1f0031330 100644
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
@@ -21,7 +21,7 @@ spec:
effect: "NoSchedule"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -43,5 +43,5 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
index 28a6a0f7a..3cadca17c 100644
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
@@ -22,7 +22,7 @@ spec:
effect: "NoExecute"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -45,5 +45,5 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml
index 0bf44690a..06a62838f 100755
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-controlplane-scheduling
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml
index a42e6c4de..e4bf60b12 100644
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml
@@ -19,7 +19,7 @@ spec:
image: foo.gcr.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
---
@@ -30,7 +30,7 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-init-again
image: foo.gcr.io/busybox:1.35
containers:
@@ -48,7 +48,7 @@ spec:
- name: busybox-init
image: docker.io/busybox:1.35
- name: busybox-init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
image: registry.k8s.io/busybox:1.35
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml
index dc600ad10..65b1e4ffb 100644
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml
+++ b/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -21,7 +21,7 @@ spec:
image: registry.k8s.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
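Review bot: Replacing `busybox:1.35` on the `busybox` container removes the unqualified (no registry host) image reference from this good-case fixture, and the other hunks in this file and in pod-bad.yaml and podcontroller-*.yaml of the same test do the same. For a policy that decides on the registry part of the image string (the policy itself is not visible here, so this is an assumption), a bare name is a distinct input that the visible fixtures no longer exercise. `busybox02` in the same pod still uses `docker.io/busybox:1.35`, so the swap does not remove Docker Hub from this fixture anyway. Consider leaving one container as `image: busybox:1.35  # unqualified on purpose: covers the implicit-registry case`.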
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml
index 70bf2881d..3e31a9c90 100644
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml
@@ -43,7 +43,7 @@ spec:
image: registry.k8s.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml
index 5116f3047..578157020 100644
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml
@@ -20,7 +20,7 @@ spec:
image: registry.k8s.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
---
@@ -43,7 +43,7 @@ spec:
image: registry.k8s.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
index 8c4f59439..83406554a 100644
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-deprecated-registry
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml
index a0f2c0f6a..f0dabb37a 100755
--- a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-escalation-verbs-roles
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml b/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml
index bbacc6aa1..a0472832c 100644
--- a/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml
+++ b/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -27,7 +27,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml b/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml
index 997bb6f42..7e1eda7a6 100644
--- a/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml
+++ b/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml
@@ -8,7 +8,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -28,7 +28,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other-cel/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml
index bec453ba0..63621d2a2 100755
--- a/other-cel/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-classes
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml b/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml
index e35151a01..039aa593b 100644
--- a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml
+++ b/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml
index 0767076fa..a55f67374 100755
--- a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-defaultbackend
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml b/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml
index f54f1e3bf..c69567878 100644
--- a/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml
+++ b/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: "*.foo.bar"
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: foo-bar
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -32,7 +32,7 @@ spec:
port:
number: 80
- host: "*.example.com"
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -49,7 +49,7 @@ metadata:
spec:
rules:
- host: "*.bar"
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -59,7 +59,7 @@ spec:
port:
number: 80
- host: foo-bar
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml b/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml
index aa30b1149..e9a9e1222 100644
--- a/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml
+++ b/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: endpoint02
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -32,7 +32,7 @@ spec:
port:
number: 80
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other-cel/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml
index df65e8004..128b1e40c 100755
--- a/other-cel/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-wildcard
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-jobs/.chainsaw-test/cronjobs-good.yaml b/other-cel/restrict-jobs/.chainsaw-test/cronjobs-good.yaml
index cc0f70f29..8118a2876 100644
--- a/other-cel/restrict-jobs/.chainsaw-test/cronjobs-good.yaml
+++ b/other-cel/restrict-jobs/.chainsaw-test/cronjobs-good.yaml
@@ -10,6 +10,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: OnFailure
\ No newline at end of file
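Review bot: The replacement image `ghcr.io/kyverno/test-busybox:1.35` is still referenced by a mutable tag, so the test cluster runs whatever the registry serves for that tag at pull time. Pinning the digest next to the tag makes the fixture reproducible and shows any change to the mirrored image as a diff: `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-of-mirrored-image>` (placeholder, to be filled in from the registry). This matters most for the "good" fixtures, which are presumably admitted and scheduled rather than rejected at admission. The same reference is introduced in every other fixture this commit moves off `busybox:1.35`; the manifest itself starts outside this hunk.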
diff --git a/other-cel/restrict-jobs/.chainsaw-test/jobs-bad.yaml b/other-cel/restrict-jobs/.chainsaw-test/jobs-bad.yaml
index 700346ed5..ef62a007b 100644
--- a/other-cel/restrict-jobs/.chainsaw-test/jobs-bad.yaml
+++ b/other-cel/restrict-jobs/.chainsaw-test/jobs-bad.yaml
@@ -7,6 +7,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
\ No newline at end of file
diff --git a/other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml
index 65c013180..aec687efe 100755
--- a/other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: no-loadbalancer-service
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml
index 156ee3c49..f6750f8da 100755
--- a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-networkpolicy-empty-podselector
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/pod-bad.yaml
index 6b604e991..2327e73a0 100644
--- a/other-cel/restrict-node-affinity/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/restrict-node-affinity/.chainsaw-test/pod-bad.yaml
@@ -15,7 +15,7 @@ spec:
- bar
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -43,5 +43,5 @@ spec:
topologyKey: topology.kubernetes.io/zone
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/pod-good.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/pod-good.yaml
index f30a43957..1d308f3ec 100644
--- a/other-cel/restrict-node-affinity/.chainsaw-test/pod-good.yaml
+++ b/other-cel/restrict-node-affinity/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,14 +14,16 @@ metadata:
spec:
affinity:
podAffinity:
- prefferedDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: bar
- operator: In
- values:
- - bar
- topologyKey: topology.kubernetes.io/zone
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: bar
+ operator: In
+ values:
+ - bar
+ topologyKey: topology.kubernetes.io/zone
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
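Review bot: The `podAffinity` stanza in this passing fixture has no comment saying why it is there, and the old misspelled key `prefferedDuringSchedulingIgnoredDuringExecution` went unnoticed, which suggests the case was not exercising what it was meant to. A one-line comment above `podAffinity:` would record the intent, for example `# pod (anti-)affinity must be admitted; only nodeAffinity is restricted`. That reading is inferred from the policy name, so confirm it against the policy. The Pod manifest starts outside the hunk, and `podcontroller-good.yaml` receives the same correction and would benefit from the same comment.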
@@ -35,5 +37,4 @@ spec:
topologyKey: topology.kubernetes.io/zone
containers:
- name: busybox
- image: busybox:1.35
-
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml
index 9e4569861..6740a7267 100644
--- a/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml
@@ -27,7 +27,7 @@ spec:
- bar
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -51,6 +51,5 @@ spec:
- bar
containers:
- name: busybox
- image: busybox:1.35
- restartPolicy: OnFailure
-
+ image: ghcr.io/kyverno/test-busybox:1.35
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml
index 1e7996a78..bd3d0113a 100644
--- a/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml
@@ -17,17 +17,19 @@ spec:
spec:
affinity:
podAffinity:
- prefferedDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: bar
- operator: In
- values:
- - bar
- topologyKey: topology.kubernetes.io/zone
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: bar
+ operator: In
+ values:
+ - bar
+ topologyKey: topology.kubernetes.io/zone
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -41,6 +43,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
- restartPolicy: OnFailure
-
+ image: ghcr.io/kyverno/test-busybox:1.35
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/policy-ready.yaml
index 323503563..37bea35c1 100755
--- a/other-cel/restrict-node-affinity/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-node-affinity/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-node-affinity
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-node-affinity/.kyverno-test/resource.yaml b/other-cel/restrict-node-affinity/.kyverno-test/resource.yaml
index d3f7d1d9f..3ff3f7add 100644
--- a/other-cel/restrict-node-affinity/.kyverno-test/resource.yaml
+++ b/other-cel/restrict-node-affinity/.kyverno-test/resource.yaml
@@ -88,5 +88,4 @@ spec:
cpu: "500m"
limits:
memory: "256Mi"
- cpu: "500m"
-
+ cpu: "500m"
\ No newline at end of file
diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml
index 035cb6a3c..80a45123c 100644
--- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml
+++ b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml
@@ -11,5 +11,5 @@ spec:
serviceAccountName: serviceaccount02
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob.yaml
index 5e04c53ee..2a3a3a751 100755
--- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob.yaml
+++ b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob.yaml
@@ -8,7 +8,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
serviceAccountName: serviceaccount01
diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml
index 8788cebd3..14a0fe7a6 100644
--- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml
+++ b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml
@@ -18,4 +18,4 @@ spec:
serviceAccountName: serviceaccount02
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deployment.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deployment.yaml
index b8f88a8ad..18bd07022 100755
--- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deployment.yaml
+++ b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deployment.yaml
@@ -16,6 +16,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
serviceAccountName: serviceaccount01
diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml
index 92b7018c8..9f02c6ee0 100755
--- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-pod-controller-serviceaccount-updates
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml
index 246854703..9216f115f 100644
--- a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-sa-automount-sa-token
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml
index 67a19e521..31cc263e5 100755
--- a/other-cel/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-secret-role-verbs
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml
index 1860c7f8a..4d7d44e79 100644
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -22,9 +22,9 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -35,9 +35,9 @@ spec:
key: foo
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -52,20 +52,20 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: top-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -80,9 +80,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: not-secret-volume
secret:
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml
index 27a1a5908..41dd30666 100644
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml
+++ b/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -22,9 +22,9 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -35,9 +35,9 @@ spec:
key: foo
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -52,20 +52,20 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -80,9 +80,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty-volume
emptyDir: {}
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml
index a7a8666b5..abba08fa6 100644
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml
@@ -17,17 +17,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -56,9 +56,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: secret-volume
secret:
@@ -76,17 +76,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: top-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -109,9 +109,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty-volume
emptyDir: {}
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml
index cc2fde919..c420fd89b 100644
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml
@@ -17,17 +17,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -56,9 +56,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: secret-volume
secret:
@@ -76,17 +76,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -109,9 +109,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty-volume
emptyDir: {}
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml
index 2b34811d6..212ceb7d6 100755
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-secrets-by-name
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-service-port-range/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-service-port-range/.chainsaw-test/policy-ready.yaml
index 079120fd4..2c94a352f 100755
--- a/other-cel/restrict-service-port-range/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-service-port-range/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-service-port-range
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-storageclass/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-storageclass/.chainsaw-test/policy-ready.yaml
index 1d3572a1d..16e3af214 100755
--- a/other-cel/restrict-storageclass/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-storageclass/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-storageclass
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml
index c8a79df26..d830022bd 100644
--- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml
@@ -9,9 +9,9 @@ spec:
fsGroup: 3000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -22,9 +22,9 @@ spec:
fsGroup: 2000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -35,9 +35,9 @@ spec:
runAsUser: 1000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -48,9 +48,9 @@ spec:
runAsGroup: 4000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -59,6 +59,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml
index 1e87aba91..df7922daa 100644
--- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml
+++ b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml
@@ -9,7 +9,7 @@ spec:
fsGroup: 2000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml
index 54e8b38a0..f6a55e57d 100644
--- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml
@@ -21,9 +21,9 @@ spec:
fsGroup: 3000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -44,9 +44,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -64,9 +64,9 @@ spec:
fsGroup: 3000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
---
apiVersion: batch/v1
@@ -81,8 +81,8 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml
index 499298727..356b0fef8 100644
--- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml
@@ -21,9 +21,9 @@ spec:
fsGroup: 2000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -41,8 +41,8 @@ spec:
fsGroup: 2000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml
index 1e451f6c3..f8a123fe9 100755
--- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: validate-userid-groupid-fsgroup
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml
index 8c8bc69c9..c5c916747 100755
--- a/other-cel/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-wildcard-resources
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml
index a831c631b..c30a6e387 100755
--- a/other-cel/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml
@@ -3,5 +3,9 @@ kind: ClusterPolicy
metadata:
name: restrict-wildcard-verbs
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml
index c704109f2..040170cce 100644
--- a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
topologySpreadConstraints:
- maxSkew: 1
topologyKey: foo.bar/test
@@ -49,7 +49,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
topologySpreadConstraints:
- maxSkew: 1
topologyKey: foo.bar/test
@@ -82,4 +82,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml
index 9f9c9ad53..712dc9937 100644
--- a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
topologySpreadConstraints:
- maxSkew: 1
topologyKey: foo.bar/test
@@ -55,7 +55,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
topologySpreadConstraints:
- maxSkew: 1
topologyKey: foo.bar/test
@@ -88,4 +88,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
index 080e44efe..42ae17e55 100755
--- a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: topologyspreadconstraints-policy
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/add-certificates-volume/.chainsaw-test/pod-not-patched.yaml b/other/add-certificates-volume/.chainsaw-test/pod-not-patched.yaml
index 46f9e0e22..a69236e93 100644
--- a/other/add-certificates-volume/.chainsaw-test/pod-not-patched.yaml
+++ b/other/add-certificates-volume/.chainsaw-test/pod-not-patched.yaml
@@ -8,12 +8,12 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -31,12 +31,12 @@ spec:
automountServiceAccountToken: false
containers:
- name: pod03-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
- name: pod03-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -56,12 +56,12 @@ spec:
automountServiceAccountToken: false
containers:
- name: pod04-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
- name: pod04-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
diff --git a/other/add-certificates-volume/.chainsaw-test/pod-resources-patched.yaml b/other/add-certificates-volume/.chainsaw-test/pod-resources-patched.yaml
index c6aa28284..ceb5a23ac 100644
--- a/other/add-certificates-volume/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-certificates-volume/.chainsaw-test/pod-resources-patched.yaml
@@ -8,12 +8,12 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
diff --git a/other/add-certificates-volume/.chainsaw-test/pod-resources.yaml b/other/add-certificates-volume/.chainsaw-test/pod-resources.yaml
index 7ec78b001..aa823debf 100644
--- a/other/add-certificates-volume/.chainsaw-test/pod-resources.yaml
+++ b/other/add-certificates-volume/.chainsaw-test/pod-resources.yaml
@@ -9,9 +9,9 @@ spec:
automountServiceAccountToken: false
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -24,9 +24,9 @@ spec:
automountServiceAccountToken: false
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -37,9 +37,9 @@ spec:
automountServiceAccountToken: false
containers:
- name: pod03-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -52,6 +52,6 @@ spec:
automountServiceAccountToken: false
containers:
- name: pod04-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04-02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-certificates-volume/.chainsaw-test/podcontroller-not-patched.yaml b/other/add-certificates-volume/.chainsaw-test/podcontroller-not-patched.yaml
index 526b2f086..78905d2fe 100644
--- a/other/add-certificates-volume/.chainsaw-test/podcontroller-not-patched.yaml
+++ b/other/add-certificates-volume/.chainsaw-test/podcontroller-not-patched.yaml
@@ -20,12 +20,12 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -57,12 +57,12 @@ spec:
automountServiceAccountToken: false
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
diff --git a/other/add-certificates-volume/.chainsaw-test/podcontroller-patched.yaml b/other/add-certificates-volume/.chainsaw-test/podcontroller-patched.yaml
index fa9a421d4..45e0837e4 100644
--- a/other/add-certificates-volume/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-certificates-volume/.chainsaw-test/podcontroller-patched.yaml
@@ -20,12 +20,12 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
diff --git a/other/add-certificates-volume/.chainsaw-test/podcontroller-resources.yaml b/other/add-certificates-volume/.chainsaw-test/podcontroller-resources.yaml
index ea92aa267..d5740571f 100644
--- a/other/add-certificates-volume/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-certificates-volume/.chainsaw-test/podcontroller-resources.yaml
@@ -21,9 +21,9 @@ spec:
automountServiceAccountToken: false
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -48,9 +48,9 @@ spec:
automountServiceAccountToken: false
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -75,6 +75,6 @@ spec:
automountServiceAccountToken: false
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb-02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml b/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml
index a65c4f352..be0c14872 100644
--- a/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml
+++ b/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-certificates-volume
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
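Review bot: The new `conditions` assertion lists exactly one element and also pins `reason: Succeeded`, which makes it stricter than the `ready: true` check it replaces. If Chainsaw compares lists element-for-element (worth confirming), a ClusterPolicy that reports any additional condition would fail this assert even when it is Ready. A filtered form such as `(conditions[?type == 'Ready']):` with `- status: "True"` would check only the Ready condition. The same pattern is repeated in the other `policy-ready.yaml` hunks in this diff (add-default-resources, add-default-securitycontext, add-env-vars-from-cm, add-imagepullsecrets-for-containers-and-initcontainers, add-imagepullsecrets).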
diff --git a/other/add-default-resources/.chainsaw-test/pod-resources-patched.yaml b/other/add-default-resources/.chainsaw-test/pod-resources-patched.yaml
index 29b66b141..4f277b474 100644
--- a/other/add-default-resources/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-default-resources/.chainsaw-test/pod-resources-patched.yaml
@@ -5,13 +5,13 @@ metadata:
spec:
containers:
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
cpu: "100m"
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "500Mi"
@@ -24,13 +24,13 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
cpu: "100m"
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
diff --git a/other/add-default-resources/.chainsaw-test/pod-resources.yaml b/other/add-default-resources/.chainsaw-test/pod-resources.yaml
index 01994cef1..67436ddcd 100644
--- a/other/add-default-resources/.chainsaw-test/pod-resources.yaml
+++ b/other/add-default-resources/.chainsaw-test/pod-resources.yaml
@@ -5,13 +5,13 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "500Mi"
cpu: "500m"
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,9 +20,9 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: "500m"
\ No newline at end of file
diff --git a/other/add-default-resources/.chainsaw-test/podcontroller-patched.yaml b/other/add-default-resources/.chainsaw-test/podcontroller-patched.yaml
index 70fb20b9f..62e72e025 100644
--- a/other/add-default-resources/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-default-resources/.chainsaw-test/podcontroller-patched.yaml
@@ -17,13 +17,13 @@ spec:
spec:
containers:
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
cpu: "100m"
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "500Mi"
@@ -48,13 +48,13 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
cpu: "100m"
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -72,13 +72,13 @@ spec:
spec:
containers:
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
cpu: "100m"
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "500Mi"
@@ -97,13 +97,13 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
cpu: "100m"
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
diff --git a/other/add-default-resources/.chainsaw-test/podcontroller-resources.yaml b/other/add-default-resources/.chainsaw-test/podcontroller-resources.yaml
index 3fb503e7a..f17ab36f1 100644
--- a/other/add-default-resources/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-default-resources/.chainsaw-test/podcontroller-resources.yaml
@@ -17,13 +17,13 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "500Mi"
cpu: "500m"
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -44,9 +44,9 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: "500m"
@@ -63,13 +63,13 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "500Mi"
cpu: "500m"
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
---
apiVersion: batch/v1
@@ -84,9 +84,9 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: "500m"
diff --git a/other/add-default-resources/.chainsaw-test/policy-ready.yaml b/other/add-default-resources/.chainsaw-test/policy-ready.yaml
index 6b339310e..c50571612 100644
--- a/other/add-default-resources/.chainsaw-test/policy-ready.yaml
+++ b/other/add-default-resources/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-default-resources
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-default-securitycontext/.chainsaw-test/pod-resources-patched.yaml b/other/add-default-securitycontext/.chainsaw-test/pod-resources-patched.yaml
index 42d44876d..7cc10d6d2 100644
--- a/other/add-default-securitycontext/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-default-securitycontext/.chainsaw-test/pod-resources-patched.yaml
@@ -10,7 +10,7 @@ spec:
fsGroup: 2000
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -24,4 +24,4 @@ spec:
fsGroup: 2000
containers:
- name: pod02-01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-default-securitycontext/.chainsaw-test/pod-resources.yaml b/other/add-default-securitycontext/.chainsaw-test/pod-resources.yaml
index cbacca5b3..64d69c149 100644
--- a/other/add-default-securitycontext/.chainsaw-test/pod-resources.yaml
+++ b/other/add-default-securitycontext/.chainsaw-test/pod-resources.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,4 +16,4 @@ spec:
runAsNonRoot: false
containers:
- name: pod02-01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-default-securitycontext/.chainsaw-test/podcontroller-patched.yaml b/other/add-default-securitycontext/.chainsaw-test/podcontroller-patched.yaml
index 5b4d38770..17bac1cad 100644
--- a/other/add-default-securitycontext/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-default-securitycontext/.chainsaw-test/podcontroller-patched.yaml
@@ -22,7 +22,7 @@ spec:
runAsGroup: 3000
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -41,5 +41,5 @@ spec:
fsGroup: 2000
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-default-securitycontext/.chainsaw-test/podcontroller-resources.yaml b/other/add-default-securitycontext/.chainsaw-test/podcontroller-resources.yaml
index c2f5d2803..9a0fd1453 100644
--- a/other/add-default-securitycontext/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-default-securitycontext/.chainsaw-test/podcontroller-resources.yaml
@@ -19,7 +19,7 @@ spec:
fsGroup: 1000
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,5 +35,5 @@ spec:
runAsGroup: 2000
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml b/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml
index f594dc691..3e89df4d1 100644
--- a/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml
+++ b/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-default-securitycontext
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-env-vars-from-cm/.chainsaw-test/pod-resources-patched.yaml b/other/add-env-vars-from-cm/.chainsaw-test/pod-resources-patched.yaml
index 45cb5b925..0a72148ba 100644
--- a/other/add-env-vars-from-cm/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-env-vars-from-cm/.chainsaw-test/pod-resources-patched.yaml
@@ -5,23 +5,23 @@ metadata:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
- name: pod01-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
@@ -33,23 +33,23 @@ metadata:
spec:
initContainers:
- name: pod02-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
- name: pod02-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
\ No newline at end of file
diff --git a/other/add-env-vars-from-cm/.chainsaw-test/pod-resources.yaml b/other/add-env-vars-from-cm/.chainsaw-test/pod-resources.yaml
index b413dcd51..8b43d2273 100644
--- a/other/add-env-vars-from-cm/.chainsaw-test/pod-resources.yaml
+++ b/other/add-env-vars-from-cm/.chainsaw-test/pod-resources.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -21,17 +21,17 @@ metadata:
spec:
initContainers:
- name: pod02-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: somenvars
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: somenvars
- name: pod02-02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-patched.yaml b/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-patched.yaml
index 4be76e7a5..a92a49354 100644
--- a/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-patched.yaml
@@ -17,23 +17,23 @@ spec:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
- name: pod01-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
@@ -50,23 +50,23 @@ spec:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
- name: pod01-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: nsenvvars
diff --git a/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-resources.yaml b/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-resources.yaml
index 73006dd7e..1f1b58257 100644
--- a/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-resources.yaml
@@ -17,20 +17,20 @@ spec:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: somenvars
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: somenvars
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -44,18 +44,18 @@ spec:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: somenvars
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- configMapRef:
name: somenvars
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml b/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml
index f7a674d66..f405b3afc 100644
--- a/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml
+++ b/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-env-vars-from-cm
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-not-patched.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-not-patched.yaml
index 06a84293d..9bb9e0a3f 100644
--- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-not-patched.yaml
+++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-not-patched.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: pod05-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod05-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: pod05-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod05-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
---
@@ -23,8 +23,8 @@ metadata:
spec:
containers:
- name: pod06-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod06-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
\ No newline at end of file
diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources-patched.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources-patched.yaml
index b2accd0f9..4980087ab 100644
--- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources-patched.yaml
@@ -7,7 +7,7 @@ spec:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
---
@@ -20,12 +20,12 @@ spec:
- name: pod02-01-init
image: corp.reg.com/busybox:1.35
- name: pod02-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
---
@@ -36,14 +36,14 @@ metadata:
spec:
initContainers:
- name: pod03-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: pod03-01
image: corp.reg.com/busybox:1.35
- name: pod03-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
- name: foo-bar
@@ -55,13 +55,13 @@ metadata:
spec:
initContainers:
- name: pod04-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04-02-init
image: corp.reg.com/busybox:1.35
containers:
- name: pod04-01
image: corp.reg.com/busybox:1.35
- name: pod04-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
\ No newline at end of file
diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources.yaml
index a10b115ef..b8705826b 100644
--- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources.yaml
+++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources.yaml
@@ -7,7 +7,7 @@ spec:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,12 +18,12 @@ spec:
- name: pod02-01-init
image: corp.reg.com/busybox:1.35
- name: pod02-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -32,14 +32,14 @@ metadata:
spec:
initContainers:
- name: pod03-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: pod03-01
image: corp.reg.com/busybox:1.35
- name: pod03-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: foo-bar
---
@@ -50,14 +50,14 @@ metadata:
spec:
initContainers:
- name: pod04-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04-02-init
image: corp.reg.com/busybox:1.35
containers:
- name: pod04-01
image: corp.reg.com/busybox:1.35
- name: pod04-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
---
@@ -68,14 +68,14 @@ metadata:
spec:
initContainers:
- name: pod05-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod05-02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: pod05-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod05-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -84,6 +84,6 @@ metadata:
spec:
containers:
- name: pod06-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod06-02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-patched.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-patched.yaml
index d775e2a4d..2f90e7068 100644
--- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-patched.yaml
@@ -17,14 +17,14 @@ spec:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02-init
image: corp.reg.com/busybox:1.35
containers:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
- name: foo-bar
@@ -41,14 +41,14 @@ spec:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02-init
image: corp.reg.com/busybox:1.35
containers:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
- name: foo-bar
diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-resources.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-resources.yaml
index f0e8dc08f..d4b3abc50 100644
--- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-resources.yaml
@@ -17,14 +17,14 @@ spec:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02-init
image: corp.reg.com/busybox:1.35
containers:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: foo-bar
---
@@ -40,14 +40,14 @@ spec:
spec:
initContainers:
- name: pod01-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02-init
image: corp.reg.com/busybox:1.35
containers:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: foo-bar
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/policy-ready.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/policy-ready.yaml
index 5d9b0ed15..3f891b23a 100644
--- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/policy-ready.yaml
+++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-imagepullsecrets-for-containers-and-initcontainers
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-imagepullsecrets/.chainsaw-test/pod-not-patched.yaml b/other/add-imagepullsecrets/.chainsaw-test/pod-not-patched.yaml
index b7f43ee27..300a7330d 100644
--- a/other/add-imagepullsecrets/.chainsaw-test/pod-not-patched.yaml
+++ b/other/add-imagepullsecrets/.chainsaw-test/pod-not-patched.yaml
@@ -6,8 +6,8 @@ metadata:
spec:
containers:
- name: pod04-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
\ No newline at end of file
diff --git a/other/add-imagepullsecrets/.chainsaw-test/pod-resources-patched.yaml b/other/add-imagepullsecrets/.chainsaw-test/pod-resources-patched.yaml
index 2e1cc12bc..b37c9a1dc 100644
--- a/other/add-imagepullsecrets/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-imagepullsecrets/.chainsaw-test/pod-resources-patched.yaml
@@ -7,7 +7,7 @@ spec:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
---
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02-02
image: corp.reg.com/busybox:1.35
imagePullSecrets:
@@ -32,7 +32,7 @@ metadata:
spec:
containers:
- name: pod03-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03-02
image: corp.reg.com/busybox:1.35
imagePullSecrets:
diff --git a/other/add-imagepullsecrets/.chainsaw-test/pod-resources.yaml b/other/add-imagepullsecrets/.chainsaw-test/pod-resources.yaml
index 4470c7f77..05d8c5dcf 100644
--- a/other/add-imagepullsecrets/.chainsaw-test/pod-resources.yaml
+++ b/other/add-imagepullsecrets/.chainsaw-test/pod-resources.yaml
@@ -7,7 +7,7 @@ spec:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02-02
image: corp.reg.com/busybox:1.35
imagePullSecrets:
@@ -29,7 +29,7 @@ metadata:
spec:
containers:
- name: pod03-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03-02
image: corp.reg.com/busybox:1.35
imagePullSecrets:
@@ -42,6 +42,6 @@ metadata:
spec:
containers:
- name: pod04-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04-02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-imagepullsecrets/.chainsaw-test/podcontroller-patched.yaml b/other/add-imagepullsecrets/.chainsaw-test/podcontroller-patched.yaml
index 3c6b5787c..2fa7591f0 100644
--- a/other/add-imagepullsecrets/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-imagepullsecrets/.chainsaw-test/podcontroller-patched.yaml
@@ -19,7 +19,7 @@ spec:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
- name: foo-bar
@@ -38,7 +38,7 @@ spec:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: my-secret
- name: foo-bar
diff --git a/other/add-imagepullsecrets/.chainsaw-test/podcontroller-resources.yaml b/other/add-imagepullsecrets/.chainsaw-test/podcontroller-resources.yaml
index ccc39cfe5..14eb62a3a 100644
--- a/other/add-imagepullsecrets/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-imagepullsecrets/.chainsaw-test/podcontroller-resources.yaml
@@ -19,7 +19,7 @@ spec:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: foo-bar
---
@@ -37,7 +37,7 @@ spec:
- name: pod01-01
image: corp.reg.com/busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: foo-bar
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml b/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml
index d0855e8ab..912de8e6d 100644
--- a/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml
+++ b/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-imagepullsecrets
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
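Review bot: The new assertion writes `conditions` as a one-element list, and as far as I know Chainsaw compares a plain list against the whole array, so it would stop matching if the controller ever reports a second condition on the ClusterPolicy. Selecting the entry by type is more robust: `(conditions[?type == 'Ready']):` followed by `- status: "True"`, plus `reason: Succeeded` if the reason matters to the test. The same block is added in the other policy-ready.yaml and chainsaw-step-01-assert-1.yaml files in this commit.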
diff --git a/other/add-labels/.chainsaw-test/pod-resources-patched.yaml b/other/add-labels/.chainsaw-test/pod-resources-patched.yaml
index f328a3db8..6b5b3c6e2 100644
--- a/other/add-labels/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-labels/.chainsaw-test/pod-resources-patched.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,4 +19,4 @@ metadata:
spec:
containers:
- name: bb
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-labels/.chainsaw-test/pod-resources.yaml b/other/add-labels/.chainsaw-test/pod-resources.yaml
index 3d0269253..34e771812 100644
--- a/other/add-labels/.chainsaw-test/pod-resources.yaml
+++ b/other/add-labels/.chainsaw-test/pod-resources.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,4 +16,4 @@ metadata:
spec:
containers:
- name: bb
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-labels/.chainsaw-test/policy-ready.yaml b/other/add-labels/.chainsaw-test/policy-ready.yaml
index 7f1d7387c..7e9f14965 100644
--- a/other/add-labels/.chainsaw-test/policy-ready.yaml
+++ b/other/add-labels/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-labels
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-ndots/.chainsaw-test/pod-resources-patched.yaml b/other/add-ndots/.chainsaw-test/pod-resources-patched.yaml
index dec79ccb9..cbb19c3f4 100644
--- a/other/add-ndots/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-ndots/.chainsaw-test/pod-resources-patched.yaml
@@ -9,7 +9,7 @@ spec:
value: "1"
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -22,4 +22,4 @@ spec:
value: "1"
containers:
- name: bb
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-ndots/.chainsaw-test/pod-resources.yaml b/other/add-ndots/.chainsaw-test/pod-resources.yaml
index 25cdbe673..7a71b7c1b 100644
--- a/other/add-ndots/.chainsaw-test/pod-resources.yaml
+++ b/other/add-ndots/.chainsaw-test/pod-resources.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,4 +18,4 @@ spec:
value: "4"
containers:
- name: bb
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-ndots/.chainsaw-test/podcontroller-patched.yaml b/other/add-ndots/.chainsaw-test/podcontroller-patched.yaml
index 85ab92e24..25b9d8e89 100644
--- a/other/add-ndots/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-ndots/.chainsaw-test/podcontroller-patched.yaml
@@ -21,7 +21,7 @@ spec:
value: "1"
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,5 +39,5 @@ spec:
value: "1"
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-ndots/.chainsaw-test/podcontroller-resources.yaml b/other/add-ndots/.chainsaw-test/podcontroller-resources.yaml
index 854a38c54..3f5184f8a 100644
--- a/other/add-ndots/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-ndots/.chainsaw-test/podcontroller-resources.yaml
@@ -21,7 +21,7 @@ spec:
value: "4"
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,5 +39,5 @@ spec:
value: "4"
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-ndots/.chainsaw-test/policy-ready.yaml b/other/add-ndots/.chainsaw-test/policy-ready.yaml
index d3a5e5e0a..7b66e88d1 100644
--- a/other/add-ndots/.chainsaw-test/policy-ready.yaml
+++ b/other/add-ndots/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-ndots
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml b/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml
index 836a04ea5..599367523 100755
--- a/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml
+++ b/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml
@@ -8,6 +8,8 @@ spec:
steps:
- name: step-01
try:
+ - apply:
+ file: permissions.yaml
- apply:
file: clusterroles.yaml
- script:
diff --git a/other/add-node-labels-pod/.chainsaw-test/permissions.yaml b/other/add-node-labels-pod/.chainsaw-test/permissions.yaml
new file mode 100644
index 000000000..28ded9e57
--- /dev/null
+++ b/other/add-node-labels-pod/.chainsaw-test/permissions.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:csr
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
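Review bot: The ClusterRole is named `kyverno:csr`, but its only rule grants `get`/`list`/`watch` on `nodes`, so the name does not say what it allows; a name along the lines of `kyverno:nodes-read` (example name) would. It is also aggregated into the background, reports and admission controllers at once, while the add-node-labels-pod test presumably needs node reads only in the controller that evaluates the policy, so I would keep just that aggregation label unless the others are shown to be required. A comment above `rules:` saying why the test needs node access would help, e.g. `# lets Kyverno read Node objects for the add-node-labels-pod lookup` (confirm against the policy).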
diff --git a/other/add-node-labels-pod/.chainsaw-test/pod-patched01.yaml b/other/add-node-labels-pod/.chainsaw-test/pod-patched01.yaml
index 0dc834950..bf514fcb6 100644
--- a/other/add-node-labels-pod/.chainsaw-test/pod-patched01.yaml
+++ b/other/add-node-labels-pod/.chainsaw-test/pod-patched01.yaml
@@ -8,4 +8,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-node-labels-pod/.chainsaw-test/pod-patched02.yaml b/other/add-node-labels-pod/.chainsaw-test/pod-patched02.yaml
index 1aedd17ec..65317e2b1 100644
--- a/other/add-node-labels-pod/.chainsaw-test/pod-patched02.yaml
+++ b/other/add-node-labels-pod/.chainsaw-test/pod-patched02.yaml
@@ -10,4 +10,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-node-labels-pod/.chainsaw-test/pod.yaml b/other/add-node-labels-pod/.chainsaw-test/pod.yaml
index c0c348b22..ac14625d7 100644
--- a/other/add-node-labels-pod/.chainsaw-test/pod.yaml
+++ b/other/add-node-labels-pod/.chainsaw-test/pod.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,4 +20,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-nodeSelector/.chainsaw-test/pod-resources-patched.yaml b/other/add-nodeSelector/.chainsaw-test/pod-resources-patched.yaml
index 76a3eb9fd..1cfb8880c 100644
--- a/other/add-nodeSelector/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-nodeSelector/.chainsaw-test/pod-resources-patched.yaml
@@ -8,7 +8,7 @@ spec:
color: orange
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -21,4 +21,4 @@ spec:
color: orange
containers:
- name: bb
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-nodeSelector/.chainsaw-test/pod-resources.yaml b/other/add-nodeSelector/.chainsaw-test/pod-resources.yaml
index ccea4c204..ea08d739f 100644
--- a/other/add-nodeSelector/.chainsaw-test/pod-resources.yaml
+++ b/other/add-nodeSelector/.chainsaw-test/pod-resources.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,4 +18,4 @@ spec:
color: blue
containers:
- name: bb
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/add-nodeSelector/.chainsaw-test/podcontroller-patched.yaml b/other/add-nodeSelector/.chainsaw-test/podcontroller-patched.yaml
index fbb0b6285..6c5951aa4 100644
--- a/other/add-nodeSelector/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-nodeSelector/.chainsaw-test/podcontroller-patched.yaml
@@ -21,7 +21,7 @@ spec:
color: orange
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,5 +39,5 @@ spec:
color: orange
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-nodeSelector/.chainsaw-test/podcontroller-resources.yaml b/other/add-nodeSelector/.chainsaw-test/podcontroller-resources.yaml
index a8ad91284..1ad3e86c4 100644
--- a/other/add-nodeSelector/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-nodeSelector/.chainsaw-test/podcontroller-resources.yaml
@@ -21,7 +21,7 @@ spec:
color: blue
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,5 +39,5 @@ spec:
color: blue
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml b/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml
index ae9a861dc..b09e0db06 100644
--- a/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml
+++ b/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-nodeselector
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-pod-proxies/.chainsaw-test/pod-resources-patched.yaml b/other/add-pod-proxies/.chainsaw-test/pod-resources-patched.yaml
index 5943dced0..15cc18c3b 100644
--- a/other/add-pod-proxies/.chainsaw-test/pod-resources-patched.yaml
+++ b/other/add-pod-proxies/.chainsaw-test/pod-resources-patched.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
@@ -14,7 +14,7 @@ spec:
- name: NO_PROXY
value: localhost,*.example.com
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
@@ -30,7 +30,7 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
@@ -39,7 +39,7 @@ spec:
- name: NO_PROXY
value: localhost,*.example.com
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
diff --git a/other/add-pod-proxies/.chainsaw-test/pod-resources.yaml b/other/add-pod-proxies/.chainsaw-test/pod-resources.yaml
index cefcefe6d..a1c193a9b 100644
--- a/other/add-pod-proxies/.chainsaw-test/pod-resources.yaml
+++ b/other/add-pod-proxies/.chainsaw-test/pod-resources.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod01-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.kyverno.domain:8080
@@ -25,7 +25,7 @@ spec:
- name: NO_PROXY
value: localhost,*.example.com
- name: pod02-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.kyverno.org:8080
diff --git a/other/add-pod-proxies/.chainsaw-test/podcontroller-patched.yaml b/other/add-pod-proxies/.chainsaw-test/podcontroller-patched.yaml
index f95b070a9..02b7368b4 100644
--- a/other/add-pod-proxies/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/add-pod-proxies/.chainsaw-test/podcontroller-patched.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
@@ -26,7 +26,7 @@ spec:
- name: NO_PROXY
value: localhost,*.example.com
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
@@ -37,7 +37,7 @@ spec:
- name: FOO
value: bar
- name: bb-03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
@@ -58,7 +58,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
@@ -67,7 +67,7 @@ spec:
- name: NO_PROXY
value: localhost,*.example.com
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
@@ -78,7 +78,7 @@ spec:
- name: FOO
value: bar
- name: bb-03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.corp.domain:8080
diff --git a/other/add-pod-proxies/.chainsaw-test/podcontroller-resources.yaml b/other/add-pod-proxies/.chainsaw-test/podcontroller-resources.yaml
index 69dfa0633..3da033baf 100644
--- a/other/add-pod-proxies/.chainsaw-test/podcontroller-resources.yaml
+++ b/other/add-pod-proxies/.chainsaw-test/podcontroller-resources.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.kyverno.domain:8080
@@ -26,14 +26,14 @@ spec:
- name: NO_PROXY
value: kyverno.org
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.kyverno.org:8080
- name: FOO
value: bar
- name: bb-03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -47,7 +47,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.kyverno.domain:8080
@@ -56,12 +56,12 @@ spec:
- name: NO_PROXY
value: kyverno.org
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: HTTP_PROXY
value: http://proxy.kyverno.org:8080
- name: FOO
value: bar
- name: bb-03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml b/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml
index b41ad9e5f..5dadd830a 100644
--- a/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml
+++ b/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-pod-proxies
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-ttl-jobs/.chainsaw-test/job-not-patched.yaml b/other/add-ttl-jobs/.chainsaw-test/job-not-patched.yaml
index 73c047f45..428c98d95 100644
--- a/other/add-ttl-jobs/.chainsaw-test/job-not-patched.yaml
+++ b/other/add-ttl-jobs/.chainsaw-test/job-not-patched.yaml
@@ -11,7 +11,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
backoffLimit: 4
@@ -26,7 +26,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
backoffLimit: 4
\ No newline at end of file
diff --git a/other/add-ttl-jobs/.chainsaw-test/job-patched.yaml b/other/add-ttl-jobs/.chainsaw-test/job-patched.yaml
index e04aac641..05b55c04a 100644
--- a/other/add-ttl-jobs/.chainsaw-test/job-patched.yaml
+++ b/other/add-ttl-jobs/.chainsaw-test/job-patched.yaml
@@ -8,7 +8,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
backoffLimit: 4
diff --git a/other/add-ttl-jobs/.chainsaw-test/job.yaml b/other/add-ttl-jobs/.chainsaw-test/job.yaml
index 26b3dea6f..456158970 100644
--- a/other/add-ttl-jobs/.chainsaw-test/job.yaml
+++ b/other/add-ttl-jobs/.chainsaw-test/job.yaml
@@ -7,7 +7,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
backoffLimit: 4
@@ -22,7 +22,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
backoffLimit: 4
@@ -41,7 +41,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
backoffLimit: 4
\ No newline at end of file
diff --git a/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml b/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml
index c9d745ae9..1169d2363 100644
--- a/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml
+++ b/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-ttl-jobs
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/add-volume-deployment/.chainsaw-test/chainsaw-test.yaml b/other/add-volume-deployment/.chainsaw-test/chainsaw-test.yaml
index 84b4a64a8..1c63dcd9f 100755
--- a/other/add-volume-deployment/.chainsaw-test/chainsaw-test.yaml
+++ b/other/add-volume-deployment/.chainsaw-test/chainsaw-test.yaml
@@ -21,4 +21,4 @@ spec:
- name: step-03
try:
- sleep:
- duration: 10s
+ duration: 5s
diff --git a/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 817091e5a..7ec4765db 100755
--- a/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: advanced-restrict-image-registries
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml b/other/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml
index 647879b83..d0ccba896 100644
--- a/other/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml
+++ b/other/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
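Review bot: The `busybox01` image here, and `busybox01-init` in the next hunk, now come from `ghcr.io`, the same registry as the `ghcr.io/busybox:1.35` init container that the next hunk keeps beside them and that I take to be the approved one in this fixture. If the test's ConfigMap or Namespace annotation approves `ghcr.io/*` (not visible here), these containers no longer violate the policy and the bad-Pod cases stop exercising the deny path. Either keep one image from a registry that is certainly outside the approved list, or confirm that the approved pattern does not cover `ghcr.io/kyverno/`. The pod-bad fixtures for allowed-base-images and allowed-image-repos get the same swap and are worth the same check.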
@@ -15,7 +15,7 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
image: ghcr.io/busybox:1.35
containers:
diff --git a/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml b/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
index dd8d68cab..66fcac0df 100644
--- a/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
+++ b/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
@@ -18,7 +18,7 @@ metadata:
policy which gets a global approved registry from a ConfigMap and, based upon an
annotation at the Namespace level, gets the registry approved for that Namespace.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: validate-corp-registries
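Review bot: With `validationFailureAction: Audit`, a Pod from an unapproved registry is still admitted and only shows up in policy reports, which is easy to miss for a policy whose name says "restrict". A comment on that line would make the behaviour explicit: `# Audit only reports violations; switch to Enforce to reject non-compliant Pods`. The same applies to allowed-annotations.yaml, allowed-base-images.yaml and allowed-image-repos.yaml later in this commit. The policy spec continues below the hunk.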
diff --git a/other/advanced-restrict-image-registries/artifacthub-pkg.yml b/other/advanced-restrict-image-registries/artifacthub-pkg.yml
index fb7c76feb..5a3b8e24d 100644
--- a/other/advanced-restrict-image-registries/artifacthub-pkg.yml
+++ b/other/advanced-restrict-image-registries/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 097d77b169e92cf516517b46d4be2600f04ea39b3d58650fbaecee13eb201058
+digest: c582453b374fec43c59725d5f29e195ff29c3489b1c0dc82056b1d5f34e0323b
diff --git a/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 089b2140f..58bfac67e 100755
--- a/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: allowed-annotations
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/allowed-annotations/.chainsaw-test/pod-bad.yaml b/other/allowed-annotations/.chainsaw-test/pod-bad.yaml
index 0b5d757e4..1e16d26d9 100644
--- a/other/allowed-annotations/.chainsaw-test/pod-bad.yaml
+++ b/other/allowed-annotations/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,7 +19,7 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -31,7 +31,7 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -43,4 +43,4 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/allowed-annotations/.chainsaw-test/pod-good.yaml b/other/allowed-annotations/.chainsaw-test/pod-good.yaml
index 562703bde..cba4a832e 100644
--- a/other/allowed-annotations/.chainsaw-test/pod-good.yaml
+++ b/other/allowed-annotations/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: pod02-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -29,7 +29,7 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -41,4 +41,4 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml b/other/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml
index 5fc6b883c..95561c9b2 100644
--- a/other/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml
@@ -20,7 +20,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -44,7 +44,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -62,7 +62,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
diff --git a/other/allowed-annotations/.chainsaw-test/podcontroller-good.yaml b/other/allowed-annotations/.chainsaw-test/podcontroller-good.yaml
index 0fb2af431..ea04d0443 100644
--- a/other/allowed-annotations/.chainsaw-test/podcontroller-good.yaml
+++ b/other/allowed-annotations/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -43,7 +43,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -64,7 +64,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -81,7 +81,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
@@ -104,7 +104,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
@@ -123,7 +123,7 @@ spec:
spec:
containers:
- name: hello
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
command:
- "sleep"
diff --git a/other/allowed-annotations/allowed-annotations.yaml b/other/allowed-annotations/allowed-annotations.yaml
index f41c976fa..8015b1985 100644
--- a/other/allowed-annotations/allowed-annotations.yaml
+++ b/other/allowed-annotations/allowed-annotations.yaml
@@ -16,7 +16,7 @@ metadata:
This policy demonstrates how to allow two annotations with a specific key
name of fluxcd.io/ while denying others that do not meet the pattern.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: allowed-fluxcd-annotations
diff --git a/other/allowed-annotations/artifacthub-pkg.yml b/other/allowed-annotations/artifacthub-pkg.yml
index 5d9eff405..8f54a75a6 100644
--- a/other/allowed-annotations/artifacthub-pkg.yml
+++ b/other/allowed-annotations/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod, Annotation"
-digest: b210e6f51fdf0e8bf5e3c463cf60d5cf890bdfa8b27d899d6947a5bef3709e62
+digest: 2ad5a50371741705bc0ad146f2da4a2f3f15d5b518f2e88b511b871cdf90b638
diff --git a/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8ea7309d1..857a74d89 100755
--- a/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: allowed-base-images
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/allowed-base-images/.chainsaw-test/pod-bad.yaml b/other/allowed-base-images/.chainsaw-test/pod-bad.yaml
index e8a16cebc..454b6549a 100644
--- a/other/allowed-base-images/.chainsaw-test/pod-bad.yaml
+++ b/other/allowed-base-images/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: ko
image: ghcr.io/dlorenc/hello-ko:latest
---
@@ -18,7 +18,7 @@ spec:
- name: ko
image: ghcr.io/dlorenc/hello-ko:latest
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -27,4 +27,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml b/other/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml
index 7937bbad5..8d3413ad3 100644
--- a/other/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: kv-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: kv-02
image: ghcr.io/dlorenc/hello-ko:latest
---
@@ -39,6 +39,6 @@ spec:
image: ghcr.io/dlorenc/hello-ko:latest
imagePullPolicy: IfNotPresent
- name: hello02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/allowed-base-images/allowed-base-images.yaml b/other/allowed-base-images/allowed-base-images.yaml
index edfc5cb82..63defe1ec 100644
--- a/other/allowed-base-images/allowed-base-images.yaml
+++ b/other/allowed-base-images/allowed-base-images.yaml
@@ -18,7 +18,7 @@ metadata:
that a container's base, found in an OCI annotation, is in a cluster-wide
allow list.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: allowed-base-images
match:
diff --git a/other/allowed-base-images/artifacthub-pkg.yml b/other/allowed-base-images/artifacthub-pkg.yml
index 3f4a16eff..d49dff8a2 100644
--- a/other/allowed-base-images/artifacthub-pkg.yml
+++ b/other/allowed-base-images/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: be54e5cb7e03c6e7d786da1836612a228299b22d60443f8288420d6089372232
+digest: 1daa6379745925bb2029c676fa2c2ad09cba438d06fd3a7da89220ff213af337
diff --git a/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index d61a55ec9..9e0786950 100755
--- a/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: allowed-image-repos
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/allowed-image-repos/.chainsaw-test/pod-bad.yaml b/other/allowed-image-repos/.chainsaw-test/pod-bad.yaml
index e23ebf763..b537acc36 100644
--- a/other/allowed-image-repos/.chainsaw-test/pod-bad.yaml
+++ b/other/allowed-image-repos/.chainsaw-test/pod-bad.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: pod-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,7 +18,7 @@ spec:
- name: pod-01
image: myknownimage
- name: pod-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -28,7 +28,7 @@ metadata:
spec:
initContainers:
- name: pod-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod-02-init
image: myknownimage
containers:
diff --git a/other/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml b/other/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml
index bcbdf2c4a..7909ba6f8 100644
--- a/other/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml
@@ -18,10 +18,10 @@ spec:
spec:
initContainers:
- name: bb-01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -43,12 +43,12 @@ spec:
spec:
initContainers:
- name: bb01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: bb-01
image: myknownimage
- name: bb-02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -66,7 +66,7 @@ spec:
image: kyverno
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
---
apiVersion: batch/v1
@@ -82,7 +82,7 @@ spec:
spec:
initContainers:
- name: bb01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: bb-01
image: kyverno
diff --git a/other/allowed-image-repos/allowed-image-repos.yaml b/other/allowed-image-repos/allowed-image-repos.yaml
index 88cfe4dfa..825734aa3 100644
--- a/other/allowed-image-repos/allowed-image-repos.yaml
+++ b/other/allowed-image-repos/allowed-image-repos.yaml
@@ -16,7 +16,7 @@ metadata:
image repositories present in a given Pod, across any container type, come from the
designated list.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: good-repos
diff --git a/other/allowed-image-repos/artifacthub-pkg.yml b/other/allowed-image-repos/artifacthub-pkg.yml
index 27a932971..d30bcbe2a 100644
--- a/other/allowed-image-repos/artifacthub-pkg.yml
+++ b/other/allowed-image-repos/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: 50a89455445fbfe6a6e0b04ff5c491daa7d9b15470ebbf527e10e9387369cf9d
+digest: 3d84132172c9fc5fb1e6ec6e595f9001003790dd6d680d055016953cc0ea607d
diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-1.yaml
index 26fd44350..ce8abe788 100755
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-1.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-1.yaml
@@ -7,5 +7,5 @@ metadata:
name: pod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
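Review bot: The replacement image is referenced only by the mutable tag `:1.35`, so what the test cluster pulls and runs depends on whatever that tag points to in the `ghcr.io/kyverno` namespace at test time. Pinning the content would make the fixtures reproducible: `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-of-mirrored-image>` (placeholder; take the value from the published mirror). If pinning is adopted, the expected and patched assertion files, such as `patched-pod01.yaml`, must carry the identical string, otherwise the comparisons fail. The same tag-only reference is repeated in every fixture this commit touches.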
diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml
index 69c177c97..fded2be92 100755
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml
@@ -4,5 +4,5 @@ metadata:
name: pod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml
index 9a28e7765..0d3608036 100755
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml
@@ -6,5 +6,5 @@ metadata:
name: pod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-4.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-4.yaml
index 1b591255f..b42efe886 100755
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-4.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-4.yaml
@@ -17,5 +17,5 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-5.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-5.yaml
index 21982088b..000255478 100755
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-5.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-5.yaml
@@ -17,5 +17,5 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-6.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-6.yaml
index f04f9a06f..fd98e77e2 100755
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-6.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-6.yaml
@@ -16,5 +16,5 @@ spec:
name: ds01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: ds01
diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-7.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-7.yaml
index fc51365cf..6fa390441 100755
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-7.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-7.yaml
@@ -13,6 +13,6 @@ spec:
- command:
- sleep
- "3600"
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: Never
diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-8.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-8.yaml
index ef3f8c3e7..896f17970 100755
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-8.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-8.yaml
@@ -14,7 +14,7 @@ spec:
- command:
- sleep
- "3600"
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
name: bb
restartPolicy: OnFailure
diff --git a/other/allowed-label-changes/.chainsaw-test/policy-ready.yaml b/other/allowed-label-changes/.chainsaw-test/policy-ready.yaml
index 0032cb311..9712e5443 100644
--- a/other/allowed-label-changes/.chainsaw-test/policy-ready.yaml
+++ b/other/allowed-label-changes/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: allowed-label-changes
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/allowed-label-changes/allowed-label-changes.yaml b/other/allowed-label-changes/allowed-label-changes.yaml
index 54ecb4c98..ab2d9d7cd 100644
--- a/other/allowed-label-changes/allowed-label-changes.yaml
+++ b/other/allowed-label-changes/allowed-label-changes.yaml
@@ -18,7 +18,7 @@ metadata:
except one with the key `breakglass`. Changing, adding, or deleting
any other labels is denied.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: safe-label
diff --git a/other/allowed-label-changes/artifacthub-pkg.yml b/other/allowed-label-changes/artifacthub-pkg.yml
index cc0e07050..6e6ff6cac 100644
--- a/other/allowed-label-changes/artifacthub-pkg.yml
+++ b/other/allowed-label-changes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod,Label"
-digest: 0f5a355dfc386b660a4f015b640bba3528691cdb95799ec5721ab06dbbd5afe0
+digest: bfe02517c6edc6600d21644020d63aeaa2e762a46ef10ef4b1178b98d9602e73
diff --git a/other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 5bf922bad..6fd661a10 100755
--- a/other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: allowed-podpriorities
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml b/other/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml
index c94fdd994..546535346 100644
--- a/other/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml
+++ b/other/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: foo
---
apiVersion: v1
@@ -17,5 +17,5 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: low
\ No newline at end of file
diff --git a/other/allowed-pod-priorities/.chainsaw-test/pod-good.yaml b/other/allowed-pod-priorities/.chainsaw-test/pod-good.yaml
index 962082c47..1f400b745 100644
--- a/other/allowed-pod-priorities/.chainsaw-test/pod-good.yaml
+++ b/other/allowed-pod-priorities/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: high
---
apiVersion: v1
@@ -17,7 +17,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: low
---
apiVersion: v1
@@ -27,7 +27,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -37,7 +37,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: foo
---
apiVersion: v1
@@ -47,5 +47,5 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: low
\ No newline at end of file
diff --git a/other/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml b/other/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml
index 4c0ae45ee..621eab03e 100644
--- a/other/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
priorityClassName: foo
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -42,7 +42,7 @@ spec:
priorityClassName: foo
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
diff --git a/other/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml b/other/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml
index 2c3d6c0c0..358d87979 100644
--- a/other/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml
+++ b/other/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
priorityClassName: high
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -42,7 +42,7 @@ spec:
priorityClassName: foo
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
diff --git a/other/allowed-pod-priorities/allowed-pod-priorities.yaml b/other/allowed-pod-priorities/allowed-pod-priorities.yaml
index 2d3ff6fdb..a27cb9f32 100644
--- a/other/allowed-pod-priorities/allowed-pod-priorities.yaml
+++ b/other/allowed-pod-priorities/allowed-pod-priorities.yaml
@@ -15,7 +15,7 @@ metadata:
PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not
among them, the Pod is blocked.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-pod-priority
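Review bot: The description just above this field says the Pod "is blocked", but with `validationFailureAction: Audit` a violating Pod is admitted and only reported. Someone who installs the policy as shipped may assume enforcement that is not in effect. A short comment above the field would make this explicit: `# Audit only reports violations; set to Enforce to reject non-compliant Pods`. The same wording mismatch appears in `block-ephemeral-containers.yaml` ("This policy blocks the use of ephemeral containers") and `block-images-with-volumes.yaml` ("then blocks if found"), both also set to `Audit`. The policy body continues outside the hunk.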
diff --git a/other/allowed-pod-priorities/artifacthub-pkg.yml b/other/allowed-pod-priorities/artifacthub-pkg.yml
index 8e4de7306..a0ba43e4b 100644
--- a/other/allowed-pod-priorities/artifacthub-pkg.yml
+++ b/other/allowed-pod-priorities/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 23857e576e4bdd7558082cd538b771f6714dd5d9ba39e32b064517dd701b9be7
+digest: 6a99faf88ebc4e5c6f4cddf0cea870a97313b98be402e56dc4b4fb8c3f4401ca
diff --git a/other/always-pull-images/.chainsaw-test/patched-pod01.yaml b/other/always-pull-images/.chainsaw-test/patched-pod01.yaml
index de5ba4d2a..4e454673d 100644
--- a/other/always-pull-images/.chainsaw-test/patched-pod01.yaml
+++ b/other/always-pull-images/.chainsaw-test/patched-pod01.yaml
@@ -4,6 +4,6 @@ metadata:
name: pod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
imagePullPolicy: Always
\ No newline at end of file
diff --git a/other/always-pull-images/.chainsaw-test/patched-pod02.yaml b/other/always-pull-images/.chainsaw-test/patched-pod02.yaml
index f06003aa2..b22f7528b 100644
--- a/other/always-pull-images/.chainsaw-test/patched-pod02.yaml
+++ b/other/always-pull-images/.chainsaw-test/patched-pod02.yaml
@@ -4,6 +4,6 @@ metadata:
name: pod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
imagePullPolicy: Always
\ No newline at end of file
diff --git a/other/always-pull-images/.chainsaw-test/patched-pod03.yaml b/other/always-pull-images/.chainsaw-test/patched-pod03.yaml
index f2c0fffae..e7c715062 100644
--- a/other/always-pull-images/.chainsaw-test/patched-pod03.yaml
+++ b/other/always-pull-images/.chainsaw-test/patched-pod03.yaml
@@ -4,9 +4,9 @@ metadata:
name: pod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox01
imagePullPolicy: Always
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
imagePullPolicy: Always
\ No newline at end of file
diff --git a/other/always-pull-images/.chainsaw-test/podcontrollers-patched.yaml b/other/always-pull-images/.chainsaw-test/podcontrollers-patched.yaml
index b2fbb9b19..45e705d07 100644
--- a/other/always-pull-images/.chainsaw-test/podcontrollers-patched.yaml
+++ b/other/always-pull-images/.chainsaw-test/podcontrollers-patched.yaml
@@ -17,10 +17,10 @@ spec:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: Always
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: Always
---
apiVersion: batch/v1
@@ -35,9 +35,9 @@ spec:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: Always
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: Always
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/always-pull-images/.chainsaw-test/podcontrollers.yaml b/other/always-pull-images/.chainsaw-test/podcontrollers.yaml
index a1592a737..dfc0cd399 100644
--- a/other/always-pull-images/.chainsaw-test/podcontrollers.yaml
+++ b/other/always-pull-images/.chainsaw-test/podcontrollers.yaml
@@ -17,10 +17,10 @@ spec:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -34,8 +34,8 @@ spec:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/always-pull-images/.chainsaw-test/pods.yaml b/other/always-pull-images/.chainsaw-test/pods.yaml
index d96ee4555..9acf1c838 100644
--- a/other/always-pull-images/.chainsaw-test/pods.yaml
+++ b/other/always-pull-images/.chainsaw-test/pods.yaml
@@ -4,7 +4,7 @@ metadata:
name: pod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -13,7 +13,7 @@ metadata:
name: pod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
imagePullPolicy: IfNotPresent
---
@@ -23,8 +23,8 @@ metadata:
name: pod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox01
imagePullPolicy: IfNotPresent
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
\ No newline at end of file
diff --git a/other/always-pull-images/.chainsaw-test/policy-ready.yaml b/other/always-pull-images/.chainsaw-test/policy-ready.yaml
index b0054d5ad..38b6d437c 100644
--- a/other/always-pull-images/.chainsaw-test/policy-ready.yaml
+++ b/other/always-pull-images/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: always-pull-images
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers-patched.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers-patched.yaml
index 87ed4e4c1..b55e1e92d 100644
--- a/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers-patched.yaml
+++ b/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers-patched.yaml
@@ -24,7 +24,7 @@ spec:
fsGroup: 2000
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
capabilities:
@@ -32,7 +32,7 @@ spec:
- ALL
allowPrivilegeEscalation: false
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
capabilities:
@@ -59,7 +59,7 @@ spec:
fsGroup: 2000
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
capabilities:
@@ -67,7 +67,7 @@ spec:
- ALL
allowPrivilegeEscalation: false
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
capabilities:
diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers.yaml
index 8ef1efac9..127a029e3 100644
--- a/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers.yaml
+++ b/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers.yaml
@@ -19,11 +19,11 @@ spec:
fsGroup: 1000
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,9 +39,9 @@ spec:
runAsNonRoot: false
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/pods-patched.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/pods-patched.yaml
index 9e1b74f07..10f5fddc6 100644
--- a/other/apply-pss-restricted-profile/.chainsaw-test/pods-patched.yaml
+++ b/other/apply-pss-restricted-profile/.chainsaw-test/pods-patched.yaml
@@ -11,7 +11,7 @@ spec:
runAsGroup: 3000
fsGroup: 2000
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
securityContext:
privileged: false
@@ -33,7 +33,7 @@ spec:
runAsGroup: 3000
fsGroup: 2000
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
securityContext:
privileged: false
@@ -41,7 +41,7 @@ spec:
drop:
- ALL
allowPrivilegeEscalation: false
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox2
securityContext:
privileged: false
@@ -63,7 +63,7 @@ spec:
runAsGroup: 3000
fsGroup: 2000
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
securityContext:
privileged: false
@@ -71,7 +71,7 @@ spec:
drop:
- ALL
allowPrivilegeEscalation: false
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox2
securityContext:
privileged: false
diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/pods.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/pods.yaml
index c53ccae77..f6eb068f0 100644
--- a/other/apply-pss-restricted-profile/.chainsaw-test/pods.yaml
+++ b/other/apply-pss-restricted-profile/.chainsaw-test/pods.yaml
@@ -4,7 +4,7 @@ metadata:
name: pod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -13,9 +13,9 @@ metadata:
name: pod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox2
---
apiVersion: v1
@@ -29,9 +29,9 @@ spec:
runAsGroup: 1000
fsGroup: 3000
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox2
securityContext:
privileged: true
diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml
index 14fcc0f77..83db65cca 100644
--- a/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml
+++ b/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: apply-pss-restricted-profile
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml b/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml
index ac60501ba..79597ad99 100644
--- a/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml
+++ b/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: audit-event-on-delete
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/audit-event-on-exec/.chainsaw-test/chainsaw-test.yaml b/other/audit-event-on-exec/.chainsaw-test/chainsaw-test.yaml
index 4630f1939..8854bd09e 100755
--- a/other/audit-event-on-exec/.chainsaw-test/chainsaw-test.yaml
+++ b/other/audit-event-on-exec/.chainsaw-test/chainsaw-test.yaml
@@ -22,6 +22,16 @@ spec:
file: ns.yaml
- apply:
file: pod.yaml
+ - wait:
+ apiVersion: v1
+ kind: Pod
+ name: execevent-pod
+ namespace: exec-event-ns
+ timeout: 1m
+ for:
+ condition:
+ name: Ready
+ value: 'true'
- name: step-03
try:
- sleep:
diff --git a/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml b/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml
index 820c0db60..966237f55 100644
--- a/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml
+++ b/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: audit-event-on-exec
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml
index f308d56aa..a93ee9bf9 100644
--- a/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml
+++ b/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml
@@ -6,4 +6,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml
index 6425c063a..9046e73b0 100644
--- a/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml
+++ b/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml
@@ -6,4 +6,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml
index 88a6148a7..1db6a8b46 100644
--- a/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml
+++ b/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml
@@ -5,4 +5,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml
index c481e85a1..ef1a58464 100644
--- a/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml
+++ b/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: block-cluster-admin-from-ns
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1a9877928..013c407f3 100755
--- a/other/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: block-ephemeral-containers
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/block-ephemeral-containers/.chainsaw-test/pod.yaml b/other/block-ephemeral-containers/.chainsaw-test/pod.yaml
index df553857f..4a2489bfb 100644
--- a/other/block-ephemeral-containers/.chainsaw-test/pod.yaml
+++ b/other/block-ephemeral-containers/.chainsaw-test/pod.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
---
apiVersion: v1
@@ -17,10 +17,10 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
---
apiVersion: v1
@@ -31,15 +31,15 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
\ No newline at end of file
diff --git a/other/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml b/other/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
index 5213371c9..002b0030b 100644
--- a/other/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
+++ b/other/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
@@ -18,8 +18,8 @@ spec:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
- name: bb2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "300"]
\ No newline at end of file
diff --git a/other/block-ephemeral-containers/artifacthub-pkg.yml b/other/block-ephemeral-containers/artifacthub-pkg.yml
index cc77acc0c..7b4cbd14c 100644
--- a/other/block-ephemeral-containers/artifacthub-pkg.yml
+++ b/other/block-ephemeral-containers/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: a49007b59da49fb5d9551a5d9874a091036d3413dfe263924645c64d2aa9d415
+digest: 52c16c4c34d51abea0bda3335e50c7ce5a20aefed83d702aa415c461f6f25ded
diff --git a/other/block-ephemeral-containers/block-ephemeral-containers.yaml b/other/block-ephemeral-containers/block-ephemeral-containers.yaml
index ee7ae46dd..52d657bb8 100644
--- a/other/block-ephemeral-containers/block-ephemeral-containers.yaml
+++ b/other/block-ephemeral-containers/block-ephemeral-containers.yaml
@@ -16,7 +16,7 @@ metadata:
This may potentially be used to gain access to unauthorized information executing inside
one or more containers in that Pod. This policy blocks the use of ephemeral containers.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: block-ephemeral-containers
diff --git a/other/block-images-with-volumes/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/block-images-with-volumes/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 31f374298..59a7f8589 100755
--- a/other/block-images-with-volumes/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/block-images-with-volumes/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: block-images-with-volumes
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml b/other/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml
index 86e5fe870..07c3ab95c 100644
--- a/other/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml
@@ -35,5 +35,5 @@ spec:
- name: busybox
image: clover/volume:passbolt
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/block-images-with-volumes/.chainsaw-test/pods-bad.yaml b/other/block-images-with-volumes/.chainsaw-test/pods-bad.yaml
index 8b3d1eab3..9f85e6b60 100644
--- a/other/block-images-with-volumes/.chainsaw-test/pods-bad.yaml
+++ b/other/block-images-with-volumes/.chainsaw-test/pods-bad.yaml
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: image-vol
image: clover/volume:passbolt
---
@@ -27,4 +27,4 @@ spec:
- name: image-vol
image: clover/volume:passbolt
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/block-images-with-volumes/.chainsaw-test/pods-good.yaml b/other/block-images-with-volumes/.chainsaw-test/pods-good.yaml
index 89c17cf42..6b3f55eb7 100644
--- a/other/block-images-with-volumes/.chainsaw-test/pods-good.yaml
+++ b/other/block-images-with-volumes/.chainsaw-test/pods-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
---
apiVersion: v1
kind: Pod
@@ -14,6 +14,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
- name: busybox02
- image: busybox:1.28
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.28
\ No newline at end of file
diff --git a/other/block-images-with-volumes/artifacthub-pkg.yml b/other/block-images-with-volumes/artifacthub-pkg.yml
index 622735973..d09e94783 100644
--- a/other/block-images-with-volumes/artifacthub-pkg.yml
+++ b/other/block-images-with-volumes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 84345ccd7ae57215dd11b5248f811119d38dcb4648c749146c887ec6c7389940
+digest: 1ef943234b2934a4286b5c988112a33c2ebae784ee67a4cff6464b373e13dbb7
diff --git a/other/block-images-with-volumes/block-images-with-volumes.yaml b/other/block-images-with-volumes/block-images-with-volumes.yaml
index 6f536acd7..601624fe3 100644
--- a/other/block-images-with-volumes/block-images-with-volumes.yaml
+++ b/other/block-images-with-volumes/block-images-with-volumes.yaml
@@ -16,7 +16,7 @@ metadata:
This may be unexpected and undesirable. This policy checks the contents of every
container image and inspects them for such VOLUME statements, then blocks if found.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: block-images-with-vols
match:
diff --git a/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index c23b57020..632e42d5c 100755
--- a/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: block-large-images
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/block-large-images/.chainsaw-test/podcontrollers-bad.yaml b/other/block-large-images/.chainsaw-test/podcontrollers-bad.yaml
index 8931d8cf9..638897f79 100644
--- a/other/block-large-images/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/block-large-images/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: nvidia/cuda:12.2.0-devel-ubi8
---
@@ -35,5 +35,5 @@ spec:
- name: busybox
image: nvidia/cuda:12.2.0-devel-ubi8
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/block-large-images/.chainsaw-test/podcontrollers-good.yaml b/other/block-large-images/.chainsaw-test/podcontrollers-good.yaml
index b1c48e35e..9b951e23e 100644
--- a/other/block-large-images/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/block-large-images/.chainsaw-test/podcontrollers-good.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/block-large-images/.chainsaw-test/pods-bad.yaml b/other/block-large-images/.chainsaw-test/pods-bad.yaml
index c1d8e8a66..67de571ea 100644
--- a/other/block-large-images/.chainsaw-test/pods-bad.yaml
+++ b/other/block-large-images/.chainsaw-test/pods-bad.yaml
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: image-vol
image: nvidia/cuda:12.2.0-devel-ubi8
---
@@ -27,4 +27,4 @@ spec:
- name: image-vol
image: nvidia/cuda:12.2.0-devel-ubi8
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/block-large-images/.chainsaw-test/pods-good.yaml b/other/block-large-images/.chainsaw-test/pods-good.yaml
index 89c17cf42..6b3f55eb7 100644
--- a/other/block-large-images/.chainsaw-test/pods-good.yaml
+++ b/other/block-large-images/.chainsaw-test/pods-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
---
apiVersion: v1
kind: Pod
@@ -14,6 +14,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
- name: busybox02
- image: busybox:1.28
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.28
\ No newline at end of file
diff --git a/other/block-large-images/artifacthub-pkg.yml b/other/block-large-images/artifacthub-pkg.yml
index 5f5744e98..90ab6ed3f 100644
--- a/other/block-large-images/artifacthub-pkg.yml
+++ b/other/block-large-images/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 3137003b33b29c736e18da96eba3c14b707a825053684304fe8a1f68c3fb7b03
+digest: 5f8b58b4ceb1c07f957c865ae462be2f008d32cd230e196ba82cf8de048ffacd
diff --git a/other/block-large-images/block-large-images.yaml b/other/block-large-images/block-large-images.yaml
index b98c6e055..1356b10a7 100644
--- a/other/block-large-images/block-large-images.yaml
+++ b/other/block-large-images/block-large-images.yaml
@@ -16,7 +16,7 @@ metadata:
name an image which is unusually large to disrupt operations. This policy
checks the size of every container image and blocks if it is over 2 Gibibytes.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: block-over-twogi
match:
diff --git a/other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml
index f94b296f1..d959413be 100644
--- a/other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml
+++ b/other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: deny-exec-by-namespace-label
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/block-pod-exec-by-namespace-label/artifacthub-pkg.yml b/other/block-pod-exec-by-namespace-label/artifacthub-pkg.yml
index 0fcb94939..38d2d9e55 100644
--- a/other/block-pod-exec-by-namespace-label/artifacthub-pkg.yml
+++ b/other/block-pod-exec-by-namespace-label/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 4a0a8217b5a4923004c7eb8f38dfddc34e0a8afaaf58620dd71c3ef6816ef6d4
+digest: 42e3e71f24b9acd8ea08921b9ff1fc3514c34152d0c004366a1ad057e2aa0c45
diff --git a/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml b/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml
index 817b8fafe..7ed82191a 100644
--- a/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml
+++ b/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml
@@ -12,7 +12,7 @@ metadata:
be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
This policy blocks Pod exec commands based upon a Namespace label `exec=false`.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: deny-exec-by-ns-label
diff --git a/other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml
index 43a9ab178..60cf18c47 100644
--- a/other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml
+++ b/other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: deny-exec-by-namespace-name
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/block-pod-exec-by-namespace/artifacthub-pkg.yml b/other/block-pod-exec-by-namespace/artifacthub-pkg.yml
index c59bcab16..1619977ff 100644
--- a/other/block-pod-exec-by-namespace/artifacthub-pkg.yml
+++ b/other/block-pod-exec-by-namespace/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: e5bc1f4228898b0f0c176d2e8a612a2782033db79f2a617c5a9cc0884fcfbd0b
+digest: d8fe4385e39be140e0e0f6824f81ce932b1539446773919882b46b8ee1f0fab2
diff --git a/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml b/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml
index 80c84ff81..cdf57012f 100644
--- a/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml
+++ b/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml
@@ -12,7 +12,7 @@ metadata:
be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
This policy blocks Pod exec commands to Pods in a Namespace called `pci`.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: deny-exec-ns-pci
diff --git a/other/block-pod-exec-by-pod-and-container/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-pod-and-container/.chainsaw-test/policy-ready.yaml
index 700808252..37ff8f0dd 100644
--- a/other/block-pod-exec-by-pod-and-container/.chainsaw-test/policy-ready.yaml
+++ b/other/block-pod-exec-by-pod-and-container/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: deny-exec-by-pod-and-container
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/block-pod-exec-by-pod-and-container/artifacthub-pkg.yml b/other/block-pod-exec-by-pod-and-container/artifacthub-pkg.yml
index 413a8cf44..e0331afbd 100644
--- a/other/block-pod-exec-by-pod-and-container/artifacthub-pkg.yml
+++ b/other/block-pod-exec-by-pod-and-container/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 1048fd82ed830de348ac051163b8fba03d10fd25fe7f9987118b7cdbc0facd54
+digest: 9e8a4ce92d97bddbbc34c10c2a49c880d4e9b937ad56ecfac4f08cd4f3ea1ade
diff --git a/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml b/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml
index 6738b254d..e70bb0ce1 100644
--- a/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml
+++ b/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml
@@ -13,7 +13,7 @@ metadata:
This policy blocks Pod exec commands to containers named `nginx` in Pods starting
with name `myapp-maintenance`.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: deny-nginx-exec-in-myapp-maintenance
diff --git a/other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml
index 2f10f9132..29794ca53 100644
--- a/other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml
+++ b/other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: deny-exec-by-pod-label
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/block-pod-exec-by-pod-label/artifacthub-pkg.yml b/other/block-pod-exec-by-pod-label/artifacthub-pkg.yml
index 6443dce89..574c28a9b 100644
--- a/other/block-pod-exec-by-pod-label/artifacthub-pkg.yml
+++ b/other/block-pod-exec-by-pod-label/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 10965102115219f1940c22476ac3e4cba1f0dd5b5f20deafd1b052357260345c
+digest: 6e9f45cd3984e3cfc7a1853b123a61126590113026683a2494c27e0fe0ae8b64
diff --git a/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml b/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml
index 26b50faad..d4902899c 100644
--- a/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml
+++ b/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml
@@ -12,7 +12,7 @@ metadata:
be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
This policy blocks Pod exec commands to Pods having the label `exec=false`.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: deny-exec-by-label
diff --git a/other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml
index c3e624930..6553e1348 100644
--- a/other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml
+++ b/other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: deny-exec-by-pod-name
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/block-pod-exec-by-pod-name/artifacthub-pkg.yml b/other/block-pod-exec-by-pod-name/artifacthub-pkg.yml
index 8e409455f..f03dfc086 100644
--- a/other/block-pod-exec-by-pod-name/artifacthub-pkg.yml
+++ b/other/block-pod-exec-by-pod-name/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 16a9d3492e57968705fed46c1c67b401921aa8f5257c223ad0b94fe566f47939
+digest: 8827b6bd6cfd2a17c73ca53607abfcb82d380c26e16ce2a820ec8bbe68571894
diff --git a/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml b/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
index b3e47e811..94cd787d7 100644
--- a/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
+++ b/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
@@ -13,7 +13,7 @@ metadata:
This policy blocks Pod exec commands to Pods beginning with the name
`myapp-maintenance-`.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: deny-exec-myapp-maintenance
diff --git a/other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a94cb88bd..d7383e71d 100755
--- a/other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: block-stale-images
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/block-stale-images/.chainsaw-test/chainsaw-test.yaml b/other/block-stale-images/.chainsaw-test/chainsaw-test.yaml
index 045c8b809..1e64a891e 100755
--- a/other/block-stale-images/.chainsaw-test/chainsaw-test.yaml
+++ b/other/block-stale-images/.chainsaw-test/chainsaw-test.yaml
@@ -45,8 +45,8 @@ spec:
- script:
content: kubectl delete cpol block-stale-images
- sleep:
- duration: 10s
+ duration: 5s
- script:
content: kubectl delete all --all --force --grace-period=0 -n block-staleimg-ns
- sleep:
- duration: 10s
\ No newline at end of file
+ duration: 5s
\ No newline at end of file
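Review bot: The fixed `sleep` after `kubectl delete all --all --force --grace-period=0 -n block-staleimg-ns` is a timing guess, and halving it to `5s` makes the cleanup more likely to race with objects that are still terminating on a slow runner. A forced delete returns before the objects are gone, so an explicit wait is more dependable than a delay, for example `kubectl wait --for=delete pod --all -n block-staleimg-ns --timeout=60s` in the script step. The same applies to the sleep after `kubectl delete cpol block-stale-images` earlier in this hunk. The enclosing step list starts outside the hunk, so other steps may already cover this.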
diff --git a/other/block-stale-images/.chainsaw-test/podcontrollers-bad.yaml b/other/block-stale-images/.chainsaw-test/podcontrollers-bad.yaml
index f18af6e2d..11cce09b2 100644
--- a/other/block-stale-images/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/block-stale-images/.chainsaw-test/podcontrollers-bad.yaml
@@ -18,9 +18,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: busybox02
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
---
apiVersion: batch/v1
kind: CronJob
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
- name: busybox02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/block-stale-images/.chainsaw-test/pods-bad.yaml b/other/block-stale-images/.chainsaw-test/pods-bad.yaml
index 849b0e427..58046dc18 100644
--- a/other/block-stale-images/.chainsaw-test/pods-bad.yaml
+++ b/other/block-stale-images/.chainsaw-test/pods-bad.yaml
@@ -6,9 +6,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: busybox02
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
---
apiVersion: v1
kind: Pod
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
---
apiVersion: v1
kind: Pod
@@ -28,6 +28,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
- name: busybox02
- image: busybox:latest
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:latest
\ No newline at end of file
diff --git a/other/block-stale-images/artifacthub-pkg.yml b/other/block-stale-images/artifacthub-pkg.yml
index 396c28038..bb0b53084 100644
--- a/other/block-stale-images/artifacthub-pkg.yml
+++ b/other/block-stale-images/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 8e0fab0441480492ab506e9401eda165e86156c63b8768953386dffe7a0efc6b
+digest: 4c840db89d0d4d8d79c3ef120d319a93d62638f3e6c82ccbdf863b4f3d60b7aa
diff --git a/other/block-stale-images/block-stale-images.yaml b/other/block-stale-images/block-stale-images.yaml
index 6aea5cebd..2ab83948a 100644
--- a/other/block-stale-images/block-stale-images.yaml
+++ b/other/block-stale-images/block-stale-images.yaml
@@ -15,7 +15,7 @@ metadata:
This policy checks the contents of every container image and inspects them for the create time.
If it finds any image which was built more than 6 months ago this policy blocks the deployment.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: block-stale-images
match:
diff --git a/other/block-updates-deletes/.chainsaw-test/policy-ready.yaml b/other/block-updates-deletes/.chainsaw-test/policy-ready.yaml
index ae138f061..9baf158d7 100644
--- a/other/block-updates-deletes/.chainsaw-test/policy-ready.yaml
+++ b/other/block-updates-deletes/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: block-updates-deletes
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/block-updates-deletes/artifacthub-pkg.yml b/other/block-updates-deletes/artifacthub-pkg.yml
index aba9a6e45..4e14a401b 100644
--- a/other/block-updates-deletes/artifacthub-pkg.yml
+++ b/other/block-updates-deletes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "null"
kyverno/subject: "RBAC"
-digest: d53b77cab7e2dfe835323faa1124221ab793a2b7f39941c4302a545bafd2f0aa
+digest: 35f27980f157cbc9575162c934a0af1a5957f982d9a9996dd6031582a269c244
diff --git a/other/block-updates-deletes/block-updates-deletes.yaml b/other/block-updates-deletes/block-updates-deletes.yaml
index 6c2819bb5..1b63055c8 100644
--- a/other/block-updates-deletes/block-updates-deletes.yaml
+++ b/other/block-updates-deletes/block-updates-deletes.yaml
@@ -13,7 +13,7 @@ metadata:
Service resource that contains the label `protected=true` unless by
a cluster-admin.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: block-updates-deletes
diff --git a/other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a1a66e266..51af7f041 100755
--- a/other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: check-env-vars
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml
index 6b1056a69..9f5f213d8 100644
--- a/other/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,14 +17,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: DISABLE_OPA
value: "true"
- name: foo
value: bar
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
@@ -43,14 +43,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: DISABLE_OPA
value: "true"
- name: foo
value: bar
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
diff --git a/other/check-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other/check-env-vars/.chainsaw-test/podcontrollers-good.yaml
index 91e7d8b6e..e95250b7c 100644
--- a/other/check-env-vars/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/check-env-vars/.chainsaw-test/podcontrollers-good.yaml
@@ -17,14 +17,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: DISABLE_OPA
value: "false"
- name: foo
value: bar
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
@@ -43,14 +43,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: DISABLE_OPA
value: "false"
- name: foo
value: bar
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
diff --git a/other/check-env-vars/.chainsaw-test/pods-bad.yaml b/other/check-env-vars/.chainsaw-test/pods-bad.yaml
index 6712da27d..e66310e39 100644
--- a/other/check-env-vars/.chainsaw-test/pods-bad.yaml
+++ b/other/check-env-vars/.chainsaw-test/pods-bad.yaml
@@ -6,7 +6,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: DISABLE_OPA
@@ -20,14 +20,14 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: foo
value: bar
- name: DISABLE_OPA
value: "true"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: DISABLE_OPA
@@ -43,12 +43,12 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: foo
value: bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: foo
@@ -64,9 +64,9 @@ metadata:
name: badpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: DISABLE_OPA
@@ -80,12 +80,12 @@ metadata:
name: badpod05
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: DISABLE_OPA
value: "false"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: DISABLE_OPA
diff --git a/other/check-env-vars/.chainsaw-test/pods-good.yaml b/other/check-env-vars/.chainsaw-test/pods-good.yaml
index 0fe74a3b0..cad997a5f 100644
--- a/other/check-env-vars/.chainsaw-test/pods-good.yaml
+++ b/other/check-env-vars/.chainsaw-test/pods-good.yaml
@@ -6,7 +6,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: DISABLE_OPA
@@ -20,14 +20,14 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: foo
value: bar
- name: DISABLE_OPA
value: "false"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: foo
@@ -41,7 +41,7 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
\ No newline at end of file
diff --git a/other/check-env-vars/artifacthub-pkg.yml b/other/check-env-vars/artifacthub-pkg.yml
index 39e1edba3..2f20ce57d 100644
--- a/other/check-env-vars/artifacthub-pkg.yml
+++ b/other/check-env-vars/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: a3bb61fb5b7cc8a92a9c8522432cb2ca580e0ee9dd5fcf58bfb50da0577691de
+digest: a7841d0a5e766115e334aac9a90116bb228a7bcdc34ae12b56ac48cfbe833830
diff --git a/other/check-env-vars/check-env-vars.yaml b/other/check-env-vars/check-env-vars.yaml
index 773e78d8b..ab34491a2 100644
--- a/other/check-env-vars/check-env-vars.yaml
+++ b/other/check-env-vars/check-env-vars.yaml
@@ -17,7 +17,7 @@ metadata:
`DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`.
spec:
background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: check-disable-opa
match:
diff --git a/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index c7e2ac55c..f54312fbc 100755
--- a/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: check-hpa-exists
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml b/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml
index a9ef9299d..776d8a4c9 100644
--- a/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml
+++ b/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: nginx-container
- image: nginx:latest
+ image: ghcr.io/kyverno/test-nginx:latest
ports:
- containerPort: 80
resources:
diff --git a/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/bad-resource.yaml b/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/bad-resource.yaml
new file mode 100644
index 000000000..ff83224b2
--- /dev/null
+++ b/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/bad-resource.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: demo
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ add_header X-Safe-Header "Safe Content";
+ add_header X-Vuln-Header "Benign\r
+ HTTP/1.1 200 OK
+ Content-Type: text/html
+
+ --------";
+ return 200 "Original Content";
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: test.example.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: test-service
+ port:
+ number: 80
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: ingress-nginx-controller
+spec:
+ containers:
+ - name: controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.0
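Review bot: The Pod document at the end of this fixture uses `registry.k8s.io/ingress-nginx/controller:v1.11.0`, which satisfies the `v1.11.*` image pattern in the `ensure-ingress-nginx-controller-version-pattern` rule added by the same commit, so it does not look like a negative case for that rule. Going by the rules I can see, only the Ingress carrying the `nginx.ingress.kubernetes.io/server-snippet` annotation is rejected. The policy file is cut off in my view, so a later rule may be what rejects v1.11.0; if so, a comment on the Pod such as `# expected to be rejected by rule <rule-name>` would make that explicit. Otherwise, use a tag outside the allowed pattern or move the Pod into its own fixture, so that each document fails for one known reason.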
diff --git a/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 000000000..0c0b87b6d
--- /dev/null
+++ b/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ingress-nginx-controller-version-and-annotation-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/chainsaw-test.yaml b/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..9953106e4
--- /dev/null
+++ b/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: check-ingress-nginx-controller-version-and-annotation-policy
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../check-ingress-nginx-controller-version-and-annotation-policy.yaml
+ - name: step-02
+ try:
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: check-ingress-nginx-controller-version-and-annotation-policy
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
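Review bot: The `bad-resource.yaml` apply checks only `($error != null): true`, so any apply failure satisfies it, and because that file bundles an Ingress and a Pod the test cannot show which rule denied which object. Splitting the fixtures into one file per rule, each applied in its own `apply` with its own `expect`, would make every denial attributable. Coverage is also missing for an Ingress with a disallowed `auth-tls-verify-client` value, an Ingress without that annotation, and a Pod unrelated to ingress-nginx. The last case matters because the Pod rule matches kind `Pod` with no name or label filter in the lines I can see, and step-02 switches the policy to `Enforce`.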
diff --git a/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/good-resource.yaml b/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/good-resource.yaml
new file mode 100644
index 000000000..07b4c4526
--- /dev/null
+++ b/other/check-ingress-nginx-controller-version-and-annotation-policy/.chainsaw-test/good-resource.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: demo
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: test.example.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: test-service
+ port:
+ number: 80
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: ingress-nginx-controller-6bbf7f5879-bvh6l
+spec:
+ containers:
+ - name: controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.2
diff --git a/other/check-ingress-nginx-controller-version-and-annotation-policy/artifacthub-pkg.yml b/other/check-ingress-nginx-controller-version-and-annotation-policy/artifacthub-pkg.yml
new file mode 100644
index 000000000..eb9f68634
--- /dev/null
+++ b/other/check-ingress-nginx-controller-version-and-annotation-policy/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
+name: check-ingress-nginx-controller-version-and-annotation-policy
+version: 1.0.0
+displayName: Ensure Valid Ingress NGINX Controller and Annotations
+createdAt: "2024-08-26T13:14:30Z"
+description: >-
+ This policy ensures that Ingress resources do not have certain disallowed annotations and that the ingress-nginx controller pod is running an appropriate version of the image. It checks for the presence of the `nginx.ingress.kubernetes.io/server-snippet` annotation and disallows its usage, enforces specific values for `auth-tls-verify-client`, and ensures that the ingress-nginx controller image is of the required version.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-ingress-nginx-controller-version-and-annotation-policy/check-ingress-nginx-controller-version-and-annotation-policy.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ This policy ensures that Ingress resources do not have certain disallowed annotations and that the ingress-nginx controller pod is running an appropriate version of the image. It checks for the presence of the `nginx.ingress.kubernetes.io/server-snippet` annotation and disallows its usage, enforces specific values for `auth-tls-verify-client`, and ensures that the ingress-nginx controller image is of the required version.
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.28"
+ kyverno/subject: "Deployment,ReplicaSet,StatefulSet,DaemonSet,Ingress"
+digest: d4bd973c6d8628e8e8944b3bb1df68997cd39c50f18bdbe98c7df6d3942d96da
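Review bot: The package metadata disagrees with the policy it describes: `kyverno/subject` lists `Deployment,ReplicaSet,StatefulSet,DaemonSet,Ingress`, while the policy's `policies.kyverno.io/subject` is `Ingress, Pod` and its visible rules match only `Ingress` and `Pod`. Likewise `kyverno/category` is `"Other"` where the policy declares `Ingress, Security`. Aligning them, e.g. `kyverno/subject: "Ingress,Pod"`, keeps catalogue searches and the policy annotations consistent. The description also says the policy "disallows" and "enforces", but the policy ships with `validationFailureAction: Audit`, so a sentence stating that it only reports violations until switched to `Enforce` would avoid a false sense of protection.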
diff --git a/other/check-ingress-nginx-controller-version-and-annotation-policy/check-ingress-nginx-controller-version-and-annotation-policy.yaml b/other/check-ingress-nginx-controller-version-and-annotation-policy/check-ingress-nginx-controller-version-and-annotation-policy.yaml
new file mode 100644
index 000000000..9dba90b99
--- /dev/null
+++ b/other/check-ingress-nginx-controller-version-and-annotation-policy/check-ingress-nginx-controller-version-and-annotation-policy.yaml
@@ -0,0 +1,87 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ingress-nginx-controller-version-and-annotation-policy
+ annotations:
+ policies.kyverno.io/title: Ensure Valid Ingress NGINX Controller and Annotations
+ policies.kyverno.io/category: Ingress, Security
+ policies.kyverno.io/severity: high
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.28"
+ policies.kyverno.io/subject: Ingress, Pod
+ policies.kyverno.io/description: >-
+ This policy ensures that Ingress resources do not have certain disallowed annotations and that the ingress-nginx
+ controller Pod is running an appropriate version of the image. It checks for the presence of the
+ `nginx.ingress.kubernetes.io/server-snippet` annotation and disallows its usage, enforces specific values
+ for `auth-tls-verify-client`, and ensures that the ingress-nginx controller image is of the required version.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-ingress-annotations
+ match:
+ resources:
+ kinds:
+ - Ingress
+ validate:
+ message: "The annotation nginx.ingress.kubernetes.io/server-snippet is not allowed."
+ pattern:
+ metadata:
+ annotations:
+ X(nginx.ingress.kubernetes.io/server-snippet): ""
+ - name: validate-auth-tls-verify-client
+ match:
+ resources:
+ kinds:
+ - Ingress
+ validate:
+ message: "auth-tls-verify-client annotation must be 'on', 'off', 'optional', or 'optional_no_ca'."
+ deny:
+ conditions:
+ any:
+ - key: "{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/auth-tls-verify-client\"}}"
+ operator: AnyNotIn
+ value:
+ - "on"
+ - "off"
+ - "optional"
+ - "optional_no_ca"
+ - name: ensure-ingress-nginx-controller-version-pattern
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "The ingress-nginx controller image version must start with v1.11."
+ pattern:
+ spec:
+ containers:
+ - name: controller
+ image: "registry.k8s.io/ingress-nginx/controller:v1.11.*"
+
+ - name: deny-lower-ingress-nginx-controller-versions
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "The ingress-nginx controller image version must be v1.11.2 or greater."
+ deny:
+ conditions:
+ - key: "{{ request.object.spec.containers[?(@.name=='controller')].image }}"
+ operator: AnyIn
+ value:
+ - "registry.k8s.io/ingress-nginx/controller:v1.11.0"
+ - "registry.k8s.io/ingress-nginx/controller:v1.11.1"
+ - "registry.k8s.io/ingress-nginx/controller:v1.10.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.9.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.8.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.7.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.6.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.5.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.4.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.3.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.2.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.1.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.0.*"
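Review bot: In `ensure-ingress-nginx-controller-version-pattern` the rule matches every Pod, and the pattern entry `- name: controller` carries no conditional anchor. As I read Kyverno's list matching, every container of every Pod in the cluster is then required to be named `controller` and to run the v1.11 image. Writing the entry as `- (name): controller` and narrowing `match` to the ingress-nginx namespace or labels would limit the check to the controller Pod. In `validate-auth-tls-verify-client` the deny key reads the annotation with no default, so an Ingress that does not set `auth-tls-verify-client` probably ends in a variable-resolution error rather than a pass; a precondition that skips Ingresses without the annotation would avoid that. In `deny-lower-ingress-nginx-controller-versions` the `v1.11.0` and `v1.11.1` entries are exact strings, so a digest-pinned reference such as `controller:v1.11.1@sha256:<digest>` would not match them, and extra entries ending in `v1.11.0@*` and `v1.11.1@*` would cover that form.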
diff --git a/other/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other/check-node-for-cve-2022-0185/artifacthub-pkg.yml
index 7d4297f14..722db3d46 100644
--- a/other/check-node-for-cve-2022-0185/artifacthub-pkg.yml
+++ b/other/check-node-for-cve-2022-0185/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Node"
-digest: ff64c6f2754226a75b84e88862af65ecc49ebad50cabd601687fd5770003f36a
+digest: bbf47fbd4304d3778e87368f925a15eb4d76caf2b29b0223236b05a55f2be57c
diff --git a/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
index a0a287a5e..64107d290 100644
--- a/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+++ b/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
@@ -17,7 +17,7 @@ metadata:
This policy runs in background mode and flags an entry in the ClusterPolicyReport
if any Node is reporting one of the affected kernel versions.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: kernel-validate
diff --git a/other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1373f8e29..45328ac8c 100755
--- a/other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: check-nvidia-gpus
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-bad.yaml b/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-bad.yaml
index c0ac499fe..e2930b584 100644
--- a/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
@@ -50,7 +50,7 @@ spec:
limits:
cpu: "0.5"
nvidia.com/gpu: 1
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
diff --git a/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-good.yaml b/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-good.yaml
index ccf376b91..1d65a3048 100644
--- a/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-good.yaml
@@ -24,7 +24,7 @@ spec:
limits:
cpu: "0.5"
nvidia.com/gpu: 1
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: batch/v1
@@ -39,7 +39,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- name: cuda
image: nvidia/cuda:12.2.0-devel-ubi8
diff --git a/other/check-nvidia-gpu/.chainsaw-test/pods-bad.yaml b/other/check-nvidia-gpu/.chainsaw-test/pods-bad.yaml
index 64b83fad3..86862cb2d 100644
--- a/other/check-nvidia-gpu/.chainsaw-test/pods-bad.yaml
+++ b/other/check-nvidia-gpu/.chainsaw-test/pods-bad.yaml
@@ -7,7 +7,7 @@ metadata:
namespace: nvidia-gpu-ns
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
@@ -23,7 +23,7 @@ metadata:
namespace: nvidia-gpu-ns
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
diff --git a/other/check-nvidia-gpu/.chainsaw-test/pods-good.yaml b/other/check-nvidia-gpu/.chainsaw-test/pods-good.yaml
index 84b2e027a..b20bbc4aa 100644
--- a/other/check-nvidia-gpu/.chainsaw-test/pods-good.yaml
+++ b/other/check-nvidia-gpu/.chainsaw-test/pods-good.yaml
@@ -20,7 +20,7 @@ metadata:
namespace: nvidia-gpu-ns
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
@@ -42,5 +42,5 @@ spec:
resources:
limits:
nvidia.com/gpu: 0
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
\ No newline at end of file
diff --git a/other/check-nvidia-gpu/artifacthub-pkg.yml b/other/check-nvidia-gpu/artifacthub-pkg.yml
index 810b6637c..d1102c4f7 100644
--- a/other/check-nvidia-gpu/artifacthub-pkg.yml
+++ b/other/check-nvidia-gpu/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: e5286892d05b3b220ed0b9d8cad3ae4c50e2d394678758e3137661ab8c8b5648
+digest: bb7ad48deb4c3ed80a5e249a0406ab063fa1e01f181ecf67c6255212887bc541
diff --git a/other/check-nvidia-gpu/check-nvidia-gpu.yaml b/other/check-nvidia-gpu/check-nvidia-gpu.yaml
index c44194f96..be91959cd 100644
--- a/other/check-nvidia-gpu/check-nvidia-gpu.yaml
+++ b/other/check-nvidia-gpu/check-nvidia-gpu.yaml
@@ -17,7 +17,7 @@ metadata:
request a GPU to ensure they have been authored with this environment
variable.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: check-nvidia-gpus
match:
diff --git a/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 3ff132b35..42d9fcf36 100644
--- a/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: check-serviceaccount-secrets
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 44e651654..814fe5ce5 100755
--- a/other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: check-sa
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/check-serviceaccount/.chainsaw-test/pod-bad.yaml b/other/check-serviceaccount/.chainsaw-test/pod-bad.yaml
index ee6965680..414ce2cc7 100644
--- a/other/check-serviceaccount/.chainsaw-test/pod-bad.yaml
+++ b/other/check-serviceaccount/.chainsaw-test/pod-bad.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
serviceAccountName: restricted
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
args:
- sleep
diff --git a/other/check-serviceaccount/.chainsaw-test/pod-good.yaml b/other/check-serviceaccount/.chainsaw-test/pod-good.yaml
index 84a2d8954..dea1f3a34 100644
--- a/other/check-serviceaccount/.chainsaw-test/pod-good.yaml
+++ b/other/check-serviceaccount/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
serviceAccountName: safe
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
args:
- sleep
diff --git a/other/check-serviceaccount/.chainsaw-test/podcontroller-bad.yaml b/other/check-serviceaccount/.chainsaw-test/podcontroller-bad.yaml
index e9873be81..bfabbcfb9 100644
--- a/other/check-serviceaccount/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/check-serviceaccount/.chainsaw-test/podcontroller-bad.yaml
@@ -18,7 +18,7 @@ spec:
spec:
serviceAccountName: restricted
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
args:
- sleep
@@ -37,7 +37,7 @@ spec:
spec:
serviceAccountName: restricted
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
args:
- sleep
diff --git a/other/check-serviceaccount/.chainsaw-test/podcontroller-good.yaml b/other/check-serviceaccount/.chainsaw-test/podcontroller-good.yaml
index 85220548a..109c8445b 100644
--- a/other/check-serviceaccount/.chainsaw-test/podcontroller-good.yaml
+++ b/other/check-serviceaccount/.chainsaw-test/podcontroller-good.yaml
@@ -18,7 +18,7 @@ spec:
spec:
serviceAccountName: safe
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
args:
- sleep
@@ -37,7 +37,7 @@ spec:
spec:
serviceAccountName: safe
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
args:
- sleep
diff --git a/other/check-serviceaccount/artifacthub-pkg.yml b/other/check-serviceaccount/artifacthub-pkg.yml
index 3a1eb30af..8fa3fe2be 100644
--- a/other/check-serviceaccount/artifacthub-pkg.yml
+++ b/other/check-serviceaccount/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.21"
kyverno/subject: "Pod,ServiceAccount"
-digest: c01a1820fe70be2bec253ce6299f9af3dd82f3e1186e4d3f29894e538c47dc56
+digest: bce4d3d38e46648c836c946b740b2317851e75af24799027cbe0ba3d29488c51
diff --git a/other/check-serviceaccount/check-serviceaccount.yaml b/other/check-serviceaccount/check-serviceaccount.yaml
index 414cda066..4fb9b86c4 100644
--- a/other/check-serviceaccount/check-serviceaccount.yaml
+++ b/other/check-serviceaccount/check-serviceaccount.yaml
@@ -15,7 +15,7 @@ metadata:
Pod, if created by a ServiceAccount, and ensures the `serviceAccountName` field
matches the actual ServiceAccount.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: check-sa
diff --git a/other/check-subjectaccessreview/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-subjectaccessreview/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8531d7103..2d4e46eca 100755
--- a/other/check-subjectaccessreview/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/check-subjectaccessreview/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: check-subjectaccessreview
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/check-vpa-configuration/.chainsaw-test/bad.yaml b/other/check-vpa-configuration/.chainsaw-test/bad.yaml
index d34acb6f8..16c652fbf 100644
--- a/other/check-vpa-configuration/.chainsaw-test/bad.yaml
+++ b/other/check-vpa-configuration/.chainsaw-test/bad.yaml
@@ -15,7 +15,7 @@ spec:
app: bad-busybox
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: bad-busybox
command:
- "sleep"
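Review bot: The fixture image is still referenced by the mutable `latest` tag (`ghcr.io/kyverno/test-busybox:latest`), here, in the two later hunks of this file and in the three hunks of `good.yaml`, so test runs can pull different image contents over time. The other fixtures in this change use `ghcr.io/kyverno/test-busybox:1.35`; the same tag, or a digest, would keep these tests reproducible. The workload spec continues outside the hunk.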
@@ -35,7 +35,7 @@ spec:
name: bad-daemonset
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: busybox
command:
- "sleep"
@@ -58,7 +58,7 @@ spec:
app: bad-busybox
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: busybox
command:
- "sleep"
diff --git a/other/check-vpa-configuration/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-vpa-configuration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 27c9bad2f..06acb8836 100644
--- a/other/check-vpa-configuration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/check-vpa-configuration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: check-vpa-configuration
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/check-vpa-configuration/.chainsaw-test/good.yaml b/other/check-vpa-configuration/.chainsaw-test/good.yaml
index 97a943ce6..6d6e46c1d 100644
--- a/other/check-vpa-configuration/.chainsaw-test/good.yaml
+++ b/other/check-vpa-configuration/.chainsaw-test/good.yaml
@@ -15,7 +15,7 @@ spec:
app: good-busybox
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: good-busybox
command:
- "sleep"
@@ -35,7 +35,7 @@ spec:
name: daemonset
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: busybox
command:
- "sleep"
@@ -58,7 +58,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: busybox
command:
- "sleep"
diff --git a/other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml b/other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml
index b8ad10271..62f983ca9 100644
--- a/other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml
+++ b/other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: concatenate-configmaps
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/copy-namespace-labels/.chainsaw-test/patchresource.yaml b/other/copy-namespace-labels/.chainsaw-test/patchresource.yaml
index a2f8ea14b..626d93810 100644
--- a/other/copy-namespace-labels/.chainsaw-test/patchresource.yaml
+++ b/other/copy-namespace-labels/.chainsaw-test/patchresource.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: good-app-deploy
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -41,7 +41,7 @@ spec:
spec:
containers:
- name: my-app03-deploy
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -63,4 +63,4 @@ spec:
spec:
containers:
- name: my-app04-deploy
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/copy-namespace-labels/.chainsaw-test/policy-ready.yaml b/other/copy-namespace-labels/.chainsaw-test/policy-ready.yaml
index 1fed6971c..f66a1375d 100644
--- a/other/copy-namespace-labels/.chainsaw-test/policy-ready.yaml
+++ b/other/copy-namespace-labels/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: copy-namespace-labels
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/copy-namespace-labels/.chainsaw-test/resource.yaml b/other/copy-namespace-labels/.chainsaw-test/resource.yaml
index b1b58993e..5fa6fe3a2 100644
--- a/other/copy-namespace-labels/.chainsaw-test/resource.yaml
+++ b/other/copy-namespace-labels/.chainsaw-test/resource.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: good-app-deploy
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -38,7 +38,7 @@ spec:
spec:
containers:
- name: my-app03-deploy
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -57,4 +57,4 @@ spec:
spec:
containers:
- name: my-app04-deploy
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other/create-default-pdb/.chainsaw-test/deployment.yaml b/other/create-default-pdb/.chainsaw-test/deployment.yaml
index 2f3b38cca..d6872046d 100644
--- a/other/create-default-pdb/.chainsaw-test/deployment.yaml
+++ b/other/create-default-pdb/.chainsaw-test/deployment.yaml
@@ -17,6 +17,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/other/create-default-pdb/.chainsaw-test/policy-ready.yaml b/other/create-default-pdb/.chainsaw-test/policy-ready.yaml
index 55434454f..0a9d8507c 100644
--- a/other/create-default-pdb/.chainsaw-test/policy-ready.yaml
+++ b/other/create-default-pdb/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: create-default-pdb
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/create-pod-antiaffinity/.chainsaw-test/deployments.yaml b/other/create-pod-antiaffinity/.chainsaw-test/deployments.yaml
index dd9607645..f593e7326 100644
--- a/other/create-pod-antiaffinity/.chainsaw-test/deployments.yaml
+++ b/other/create-pod-antiaffinity/.chainsaw-test/deployments.yaml
@@ -15,7 +15,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
---
@@ -36,7 +36,7 @@ spec:
foo: bar
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
---
@@ -63,6 +63,6 @@ spec:
podAffinityTerm:
topologyKey: "kubernetes.io/something"
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy02.yaml b/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy02.yaml
index 035e63caf..a2adcfe73 100644
--- a/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy02.yaml
+++ b/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy02.yaml
@@ -27,6 +27,6 @@ spec:
values:
- busybox
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy03.yaml b/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy03.yaml
index 7081b4478..25bcea0ad 100644
--- a/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy03.yaml
+++ b/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy03.yaml
@@ -27,6 +27,6 @@ spec:
values:
- busybox
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/other/create-pod-antiaffinity/.chainsaw-test/patched-deploy01.yaml b/other/create-pod-antiaffinity/.chainsaw-test/patched-deploy01.yaml
index e058d5ea5..53ea39d66 100644
--- a/other/create-pod-antiaffinity/.chainsaw-test/patched-deploy01.yaml
+++ b/other/create-pod-antiaffinity/.chainsaw-test/patched-deploy01.yaml
@@ -27,6 +27,6 @@ spec:
values:
- busybox
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources: {}
\ No newline at end of file
diff --git a/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml b/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml
index 0d09b5584..68c82d8fe 100644
--- a/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml
+++ b/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: insert-pod-antiaffinity
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a95d54494..d6eca0d4d 100755
--- a/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: deny-commands-in-exec-probe
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml
index 1526c45a0..da23da6e9 100644
--- a/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,14 +16,14 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
command:
- ls
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -42,7 +42,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -50,7 +50,7 @@ spec:
- echo
- foo
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml
index e6ee813e1..ef63becbe 100644
--- a/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -24,7 +24,7 @@ spec:
- echo
- meow
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -43,7 +43,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -51,7 +51,7 @@ spec:
- echo
- meow
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml
index 1b58ef909..7e212b343 100644
--- a/other/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml
+++ b/other/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml
@@ -4,14 +4,14 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
command:
- ls
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -25,7 +25,7 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -40,9 +40,9 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -56,9 +56,9 @@ metadata:
name: badpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -75,9 +75,9 @@ metadata:
name: badpod05
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -93,9 +93,9 @@ metadata:
name: badpod06
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml
index dc0c71226..73e835829 100644
--- a/other/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml
+++ b/other/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -12,7 +12,7 @@ spec:
- echo
- meow
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -26,7 +26,7 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -40,9 +40,9 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -51,7 +51,7 @@ metadata:
name: goodpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
grpc:
diff --git a/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 20cbb81b1..b1d0e5bda 100644
--- a/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: deny-secret-service-account-token-type
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/existing-deployments.yaml b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/existing-deployments.yaml
index af012f338..ffde14cf0 100644
--- a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/existing-deployments.yaml
+++ b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/existing-deployments.yaml
@@ -15,7 +15,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.36
+ - image: ghcr.io/kyverno/test-busybox:1.36
name: busybox
command: ["sleep", "infinity"]
---
@@ -36,6 +36,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.36
+ - image: ghcr.io/kyverno/test-busybox:1.36
name: busybox
command: ["sleep", "infinity"]
diff --git a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/good-pdb.yaml b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/good-pdb.yaml
index 754e39916..2f7825777 100644
--- a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/good-pdb.yaml
+++ b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/good-pdb.yaml
@@ -33,7 +33,7 @@ kind: PodDisruptionBudget
metadata:
name: good-pdb04
spec:
- maxUnAvailable: 3
+ maxUnavailable: 3
selector:
matchLabels:
app: busybox
diff --git a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/policy-ready.yaml b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/policy-ready.yaml
index e89ba5d6f..a0ebe4fa9 100644
--- a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/policy-ready.yaml
+++ b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: deployment-replicas-higher-than-pdb
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml b/other/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml
index 0363819a2..4c6a057ee 100644
--- a/other/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml
+++ b/other/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disable-automountserviceaccounttoken
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/disable-service-discovery/.chainsaw-test/podcontrollers-patched.yaml b/other/disable-service-discovery/.chainsaw-test/podcontrollers-patched.yaml
index a92ae1287..ce9332411 100644
--- a/other/disable-service-discovery/.chainsaw-test/podcontrollers-patched.yaml
+++ b/other/disable-service-discovery/.chainsaw-test/podcontrollers-patched.yaml
@@ -18,7 +18,7 @@ spec:
dnsPolicy: Default
enableServiceLinks: false
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: batch/v1
@@ -34,6 +34,6 @@ spec:
dnsPolicy: Default
enableServiceLinks: false
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/disable-service-discovery/.chainsaw-test/podcontrollers.yaml b/other/disable-service-discovery/.chainsaw-test/podcontrollers.yaml
index 9878c3076..ff5a77142 100644
--- a/other/disable-service-discovery/.chainsaw-test/podcontrollers.yaml
+++ b/other/disable-service-discovery/.chainsaw-test/podcontrollers.yaml
@@ -18,7 +18,7 @@ spec:
dnsPolicy: None
enableServiceLinks: true
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: batch/v1
@@ -32,6 +32,6 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/disable-service-discovery/.chainsaw-test/pods-patched.yaml b/other/disable-service-discovery/.chainsaw-test/pods-patched.yaml
index ffe23041f..cb71fcb4a 100644
--- a/other/disable-service-discovery/.chainsaw-test/pods-patched.yaml
+++ b/other/disable-service-discovery/.chainsaw-test/pods-patched.yaml
@@ -6,7 +6,7 @@ spec:
dnsPolicy: Default
enableServiceLinks: false
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -17,5 +17,5 @@ spec:
dnsPolicy: Default
enableServiceLinks: false
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/disable-service-discovery/.chainsaw-test/pods.yaml b/other/disable-service-discovery/.chainsaw-test/pods.yaml
index 084cb1eff..3115caa25 100644
--- a/other/disable-service-discovery/.chainsaw-test/pods.yaml
+++ b/other/disable-service-discovery/.chainsaw-test/pods.yaml
@@ -4,7 +4,7 @@ metadata:
name: pod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -15,5 +15,5 @@ spec:
dnsPolicy: None
enableServiceLinks: true
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml b/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml
index 33cc29f72..7638bb1cd 100644
--- a/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml
+++ b/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: disable-service-discovery
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1f88265d6..9806aed9b 100755
--- a/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: no-secrets
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
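Review bot: The hunk ends by adding an empty line after `type: Ready`, so the file now finishes with a blank line, which yamllint's `empty-lines` rule reports with its default settings. The `policy-ready.yaml` files changed in the same commit end directly after `type: Ready`. Dropping the trailing `+` line here and in the other `chainsaw-step-01-assert-1.yaml` hunks would keep the assertion files consistent.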
diff --git a/other/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml b/other/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml
index eacd6b86e..c882c0d28 100644
--- a/other/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
env:
- name: SECRET_BAD
@@ -24,13 +24,13 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -38,7 +38,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -59,20 +59,20 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- secretRef:
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -93,9 +93,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
@@ -113,7 +113,7 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
env:
- name: SECRET_BAD
@@ -121,13 +121,13 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -135,7 +135,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -150,20 +150,20 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- secretRef:
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -178,9 +178,9 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
diff --git a/other/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml b/other/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml
index 093487967..47e2b1c11 100644
--- a/other/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml
@@ -16,22 +16,22 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -52,20 +52,20 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- configMapRef:
name: foo-bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -86,9 +86,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
@@ -106,22 +106,22 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -136,20 +136,20 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- configMapRef:
name: foo-bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -164,9 +164,9 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
diff --git a/other/disallow-all-secrets/.chainsaw-test/pods-bad.yaml b/other/disallow-all-secrets/.chainsaw-test/pods-bad.yaml
index a82e4e342..b87746e69 100644
--- a/other/disallow-all-secrets/.chainsaw-test/pods-bad.yaml
+++ b/other/disallow-all-secrets/.chainsaw-test/pods-bad.yaml
@@ -4,7 +4,7 @@ metadata:
name: badpod01
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
env:
- name: SECRET_BAD
@@ -12,13 +12,13 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -26,7 +26,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -35,20 +35,20 @@ metadata:
name: badpod02
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- secretRef:
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -57,9 +57,9 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
@@ -72,9 +72,9 @@ metadata:
name: badpod04
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: SECRET_BAD
@@ -83,12 +83,12 @@ spec:
name: foo
key: pass
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
diff --git a/other/disallow-all-secrets/.chainsaw-test/pods-good.yaml b/other/disallow-all-secrets/.chainsaw-test/pods-good.yaml
index cb3bb22ee..2209cb7ef 100644
--- a/other/disallow-all-secrets/.chainsaw-test/pods-good.yaml
+++ b/other/disallow-all-secrets/.chainsaw-test/pods-good.yaml
@@ -4,22 +4,22 @@ metadata:
name: goodpod01
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
env:
- name: foo
value: bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -28,9 +28,9 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
---
apiVersion: v1
@@ -39,20 +39,20 @@ metadata:
name: goodpod03
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
envFrom:
- configMapRef:
name: foo-bar
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -61,9 +61,9 @@ metadata:
name: goodpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo-vol
diff --git a/other/disallow-all-secrets/artifacthub-pkg.yml b/other/disallow-all-secrets/artifacthub-pkg.yml
index 92ff32dd3..9b1d73952 100644
--- a/other/disallow-all-secrets/artifacthub-pkg.yml
+++ b/other/disallow-all-secrets/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.21"
kyverno/subject: "Pod, Secret"
-digest: db6b8711b4b551144ef86db8345468058c21b7355f3acd3116981a87a1d8827b
+digest: 35c5d565e47b3d1b10670b2fea89b7918918317f63e83e8cff8abf4b500631ea
diff --git a/other/disallow-all-secrets/disallow-all-secrets.yaml b/other/disallow-all-secrets/disallow-all-secrets.yaml
index a7a7bfd43..b97719384 100644
--- a/other/disallow-all-secrets/disallow-all-secrets.yaml
+++ b/other/disallow-all-secrets/disallow-all-secrets.yaml
@@ -16,7 +16,7 @@ metadata:
this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false`
at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: secrets-not-from-env
match:
diff --git a/other/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 730a95d13..675fb79d1 100755
--- a/other/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: no-localhost-service
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/disallow-localhost-services/artifacthub-pkg.yml b/other/disallow-localhost-services/artifacthub-pkg.yml
index 8ea37925d..84223473d 100644
--- a/other/disallow-localhost-services/artifacthub-pkg.yml
+++ b/other/disallow-localhost-services/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Service"
-digest: f1cec7ef44c6b12a7cac8c077c2ddcbc4ef6bb2dd0945444de21052e00521d59
+digest: 73309c6f3693203f750b1404b69c7961304108ca7897c5ffacd1b38fb5229a78
diff --git a/other/disallow-localhost-services/disallow-localhost-services.yaml b/other/disallow-localhost-services/disallow-localhost-services.yaml
index 0c5123980..6fb9d84ca 100644
--- a/other/disallow-localhost-services/disallow-localhost-services.yaml
+++ b/other/disallow-localhost-services/disallow-localhost-services.yaml
@@ -13,7 +13,7 @@ metadata:
vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName
if the externalName field refers to localhost.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: no-localhost-service
diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f8d45db5d..899cbe9e3 100755
--- a/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: secrets-not-from-env-vars
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml
index b624674c3..2cd73ad4d 100644
--- a/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -24,7 +24,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: foo
@@ -48,12 +48,12 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: batch/v1
@@ -67,7 +67,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -75,7 +75,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: foo
@@ -93,11 +93,11 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailures
\ No newline at end of file
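Review bot: The context line `restartPolicy: OnFailures` at the end of this hunk is not a valid Kubernetes restart policy; the sibling `podcontrollers-good.yaml` uses `OnFailure`. If the API server rejects this manifest on schema validation, the "bad" fixture fails for a reason unrelated to the `secrets-not-from-env-vars` policy, and the test could pass without exercising the rule. How the Chainsaw step checks the error is not visible here, so this is worth confirming. Since the commit already edits this document, change the line to `restartPolicy: OnFailure`; the manifest itself starts outside the hunk.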
diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml
index 4c20ae23e..193b1cc61 100644
--- a/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml
@@ -16,14 +16,14 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: apps/v1
@@ -44,12 +44,12 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: batch/v1
@@ -63,14 +63,14 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
---
@@ -85,11 +85,11 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml
index f4c4db620..88c89d23f 100644
--- a/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml
+++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml
@@ -4,7 +4,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: SECRET_BAD
@@ -12,7 +12,7 @@ spec:
secretKeyRef:
name: foo
key: pass
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -21,9 +21,9 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
envFrom:
- secretRef:
@@ -35,12 +35,12 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- secretRef:
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
env:
- name: SECRET_BAD
diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml
index c6573bf3f..699fe1113 100644
--- a/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml
+++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml
@@ -4,14 +4,14 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -20,9 +20,9 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
---
apiVersion: v1
@@ -31,10 +31,10 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
envFrom:
- configMapRef:
name: foo-bar
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
\ No newline at end of file
diff --git a/other/disallow-secrets-from-env-vars/artifacthub-pkg.yml b/other/disallow-secrets-from-env-vars/artifacthub-pkg.yml
index 2e3ea7a57..0c45e0efb 100644
--- a/other/disallow-secrets-from-env-vars/artifacthub-pkg.yml
+++ b/other/disallow-secrets-from-env-vars/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Sample, EKS Best Practices"
kyverno/kubernetesVersion: "null"
kyverno/subject: "Pod, Secret"
-digest: 79f059e745a1bd214bb91455e985bbb474f4b40590e871b6babaf60a9672b3c9
+digest: c8f741860d0bd62d7cccd5dd02d176dfaa40a82105b73bf4c6e5cf453de7cc2a
diff --git a/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml b/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml
index afc2c6b95..305ae54eb 100644
--- a/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml
+++ b/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml
@@ -13,7 +13,7 @@ metadata:
be printed in log output which could be visible to unauthorized people and captured in forwarding
applications. This policy disallows using Secrets as environment variables.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: secrets-not-from-env-vars
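Review bot: With `validationFailureAction: Audit` the policy only records violations and does not reject the Pod, yet the description in the context lines says it "disallows using Secrets as environment variables". Someone installing the policy as shipped could assume it enforces. Consider adding a sentence to the description such as `As shipped this policy runs in Audit mode; set the action to Enforce to block violating Pods.` The description annotation starts outside the hunk, and the `digest` in `artifacthub-pkg.yml` presumably has to be regenerated after such an edit. `other/docker-socket-requires-label/docker-socket-requires-label.yaml` words its description the same way ("requires that ...") while also being set to `Audit`.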
diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers-patched.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers-patched.yaml
index 2b0a5cddd..ef754c6e0 100644
--- a/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers-patched.yaml
+++ b/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers-patched.yaml
@@ -31,7 +31,7 @@ spec:
- svc.kind
- dns-polconfig-ns.svc.kind
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: batch/v1
@@ -60,6 +60,6 @@ spec:
- svc.kind
- dns-polconfig-ns.svc.kind
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers.yaml
index ce683c4be..61f804130 100644
--- a/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers.yaml
+++ b/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers.yaml
@@ -18,7 +18,7 @@ spec:
spec:
dnsPolicy: ClusterFirstWithHostNet
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: batch/v1
@@ -34,6 +34,6 @@ spec:
spec:
dnsPolicy: ClusterFirst
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/pods-not-patched.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/pods-not-patched.yaml
index ce9eb01e9..269408283 100644
--- a/other/dns-policy-and-dns-config/.chainsaw-test/pods-not-patched.yaml
+++ b/other/dns-policy-and-dns-config/.chainsaw-test/pods-not-patched.yaml
@@ -19,5 +19,5 @@ spec:
- svc.kind
- dns-polconfig-ns.svc.kind
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/pods-patched.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/pods-patched.yaml
index da21e2839..889a6e02c 100644
--- a/other/dns-policy-and-dns-config/.chainsaw-test/pods-patched.yaml
+++ b/other/dns-policy-and-dns-config/.chainsaw-test/pods-patched.yaml
@@ -19,7 +19,7 @@ spec:
- svc.kind
- dns-polconfig-ns.svc.kind
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -43,7 +43,7 @@ spec:
- svc.kind
- dns-polconfig-ns.svc.kind
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -67,7 +67,7 @@ spec:
- svc.kind
- dns-polconfig-ns.svc.kind
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -91,5 +91,5 @@ spec:
- svc.kind
- dns-polconfig-ns.svc.kind
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/pods.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/pods.yaml
index bb83def9a..ea18c5bc9 100644
--- a/other/dns-policy-and-dns-config/.chainsaw-test/pods.yaml
+++ b/other/dns-policy-and-dns-config/.chainsaw-test/pods.yaml
@@ -5,7 +5,7 @@ metadata:
namespace: dns-polconfig-ns
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -15,7 +15,7 @@ metadata:
namespace: dns-polconfig-ns
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
dnsPolicy: None
dnsConfig:
@@ -29,7 +29,7 @@ metadata:
namespace: dns-polconfig-ns
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
dnsPolicy: ClusterFirst
---
@@ -40,7 +40,7 @@ metadata:
namespace: dns-polconfig-ns
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
dnsPolicy: ClusterFirstWithHostNet
---
@@ -51,6 +51,6 @@ metadata:
namespace: dns-polconfig-ns
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
dnsPolicy: Default
\ No newline at end of file
diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml
index 8f8760ec9..1e00f064d 100644
--- a/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml
+++ b/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: change-dns-config-policy
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index e73d54241..0fcc00e65 100755
--- a/other/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: docker-socket-check
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml b/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml
index 43d50e08b..f0033745a 100644
--- a/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -42,7 +42,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -64,7 +64,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -86,7 +86,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
diff --git a/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml b/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml
index a0275658f..359d9528d 100644
--- a/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -43,7 +43,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
@@ -65,7 +65,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -88,7 +88,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
diff --git a/other/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml b/other/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml
index c44eeaa2a..1d78f08b6 100644
--- a/other/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml
+++ b/other/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml
@@ -4,7 +4,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: docker-vol
@@ -20,7 +20,7 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
diff --git a/other/docker-socket-requires-label/.chainsaw-test/pods-good.yaml b/other/docker-socket-requires-label/.chainsaw-test/pods-good.yaml
index 1860c831f..2f095abe4 100644
--- a/other/docker-socket-requires-label/.chainsaw-test/pods-good.yaml
+++ b/other/docker-socket-requires-label/.chainsaw-test/pods-good.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -16,7 +16,7 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -28,7 +28,7 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
@@ -44,7 +44,7 @@ metadata:
name: goodpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumes:
- name: foo-vol
diff --git a/other/docker-socket-requires-label/artifacthub-pkg.yml b/other/docker-socket-requires-label/artifacthub-pkg.yml
index d31b5d4c3..aaf075e44 100644
--- a/other/docker-socket-requires-label/artifacthub-pkg.yml
+++ b/other/docker-socket-requires-label/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 58e37e4980fab8a47f937fffe55803136c1c5f8083ea33dd4915a6fc4c1d69de
+digest: e40e1d10d01009280c7fd2d9aa5164470b57f9513ae3fe33d56d0d814dc8e35b
diff --git a/other/docker-socket-requires-label/docker-socket-requires-label.yaml b/other/docker-socket-requires-label/docker-socket-requires-label.yaml
index 8760b1138..70396b5ee 100644
--- a/other/docker-socket-requires-label/docker-socket-requires-label.yaml
+++ b/other/docker-socket-requires-label/docker-socket-requires-label.yaml
@@ -15,7 +15,7 @@ metadata:
requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set
to `true`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: conditional-anchor-dockersock
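Review bot: With `validationFailureAction: Audit`, a Pod that mounts the Docker socket without the `allow-docker` label is still admitted and only appears as a reported violation, while the description just above says the policy "requires" the label. A comment on that line would make this explicit for anyone copying the sample: `# Audit only reports violations; switch to Enforce to reject non-compliant Pods`. The same comment fits the `Audit` line in `ensure-readonly-hostpath.yaml`, which also guards host access. The rule body continues outside this hunk.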
diff --git a/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b53713baf..6ec2cfb1f 100755
--- a/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: pod-lifetime
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
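Review bot: The new `conditions:` assertion lists exactly one element, and as far as I know Chainsaw matches a plain list element by element, so the check would start failing if the policy status ever carried a second condition. Selecting the entry by type keeps the assertion tied to readiness only: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The same pattern repeats in the other `chainsaw-step-01-assert-1.yaml` files and in `policy-ready.yaml` in this commit. The hunk also adds a blank line at the end of the file, which can be dropped.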
diff --git a/other/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml b/other/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
index 2456f925f..e0cd0b51d 100644
--- a/other/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
@@ -18,7 +18,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: batch/v1
@@ -37,6 +37,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml b/other/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
index 49f7d105c..b21d3b1c7 100644
--- a/other/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -39,7 +39,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: batch/v1
@@ -56,7 +56,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
---
@@ -76,6 +76,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/enforce-pod-duration/.chainsaw-test/pods-bad.yaml b/other/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
index e12fe5b2f..74dfc404a 100644
--- a/other/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
+++ b/other/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
@@ -7,7 +7,7 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -19,5 +19,5 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/enforce-pod-duration/.chainsaw-test/pods-good.yaml b/other/enforce-pod-duration/.chainsaw-test/pods-good.yaml
index 72af42c34..add0bfc94 100644
--- a/other/enforce-pod-duration/.chainsaw-test/pods-good.yaml
+++ b/other/enforce-pod-duration/.chainsaw-test/pods-good.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -15,7 +15,7 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -27,7 +27,7 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -39,5 +39,5 @@ metadata:
name: goodpod04
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/enforce-pod-duration/artifacthub-pkg.yml b/other/enforce-pod-duration/artifacthub-pkg.yml
index 38454c1d0..52811d040 100644
--- a/other/enforce-pod-duration/artifacthub-pkg.yml
+++ b/other/enforce-pod-duration/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 3ded11cc52869141f7db7d402e6ead5965aa36fb1a16aedb0f71e4b7204adb72
+digest: 4e35f745fe654bc488191a537f1c15a226b3cc940baf8b2e29b925d70e4a1bea
diff --git a/other/enforce-pod-duration/enforce-pod-duration.yaml b/other/enforce-pod-duration/enforce-pod-duration.yaml
index 4ebb7e859..b417a57d5 100644
--- a/other/enforce-pod-duration/enforce-pod-duration.yaml
+++ b/other/enforce-pod-duration/enforce-pod-duration.yaml
@@ -12,7 +12,7 @@ metadata:
such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold.
Pod lifetime annotation can be no greater than 8 hours.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: pods-lifetime
diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 47804a262..dab21a517 100755
--- a/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: enforce-resources-as-ratio
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-bad.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-bad.yaml
index fa4a20153..e2f36d145 100644
--- a/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,9 +16,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -40,9 +40,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-good.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-good.yaml
index 4193f1be2..0ed516b55 100644
--- a/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-good.yaml
@@ -16,9 +16,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -44,14 +44,14 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
memory: "100Mi"
limits:
memory: "250Mi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: batch/v1
@@ -68,9 +68,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -93,13 +93,13 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
memory: "100Mi"
limits:
memory: "250Mi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/pods-bad.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/pods-bad.yaml
index 0ca256fe3..447f3e0c7 100644
--- a/other/enforce-resources-as-ratio/.chainsaw-test/pods-bad.yaml
+++ b/other/enforce-resources-as-ratio/.chainsaw-test/pods-bad.yaml
@@ -4,9 +4,9 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -20,12 +20,12 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
memory: "100Mi"
limits:
memory: "300Mi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
\ No newline at end of file
diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/pods-good.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/pods-good.yaml
index f5b190b7e..c3c675aa1 100644
--- a/other/enforce-resources-as-ratio/.chainsaw-test/pods-good.yaml
+++ b/other/enforce-resources-as-ratio/.chainsaw-test/pods-good.yaml
@@ -4,9 +4,9 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -20,14 +20,14 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
memory: "100Mi"
limits:
memory: "250Mi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
---
apiVersion: v1
@@ -36,7 +36,7 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
\ No newline at end of file
diff --git a/other/enforce-resources-as-ratio/artifacthub-pkg.yml b/other/enforce-resources-as-ratio/artifacthub-pkg.yml
index d39c3251f..1c7b334ed 100644
--- a/other/enforce-resources-as-ratio/artifacthub-pkg.yml
+++ b/other/enforce-resources-as-ratio/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: cf12c44542d243f69c182ef98ea13d14cf1761268193410cfbac79408c3c060e
+digest: ef6e514b17ab853cb0d2b135aad3cef1619abd08d5bd52def17fa55252e3d91e
diff --git a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
index 5acc54620..2ff7f4b33 100644
--- a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
+++ b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
@@ -16,7 +16,7 @@ metadata:
or limits may not work and a ratio may be better suited instead. This policy checks every
container in a Pod and ensures that memory limits are no more than 2.5x its requests.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: check-memory-requests-limits
match:
diff --git a/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1f660a84a..9013e5de2 100755
--- a/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: validate-probes
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml b/other/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
index b050a0094..b6b6e6d0d 100644
--- a/other/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
exec:
@@ -28,7 +28,7 @@ spec:
readinessProbe:
tcpSocket:
port: 8080
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
@@ -59,7 +59,7 @@ spec:
name: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep","300"]
livenessProbe:
@@ -70,7 +70,7 @@ spec:
tcpSocket:
port: 8080
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
livenessProbe:
exec:
@@ -100,7 +100,7 @@ spec:
spec:
terminationGracePeriodSeconds: 5
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
diff --git a/other/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml b/other/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
index c3f04c511..0479b2c10 100644
--- a/other/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
@@ -17,7 +17,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep","300"]
readinessProbe:
@@ -26,7 +26,7 @@ spec:
- cat
- /tmp/healthy
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
@@ -55,7 +55,7 @@ spec:
name: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep","300"]
readinessProbe:
@@ -64,7 +64,7 @@ spec:
- cat
- /tmp/healthy
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
@@ -92,13 +92,13 @@ spec:
spec:
terminationGracePeriodSeconds: 5
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
livenessProbe:
tcpSocket:
port: 8080
periodSeconds: 10
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","300"]
livenessProbe:
diff --git a/other/ensure-probes-different/artifacthub-pkg.yml b/other/ensure-probes-different/artifacthub-pkg.yml
index 933c9aafb..669661d7a 100644
--- a/other/ensure-probes-different/artifacthub-pkg.yml
+++ b/other/ensure-probes-different/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 66d9c3579b90c7f462e4f87f848527f3b2860c29b4572aa81dffaa01817814aa
+digest: bc56d80f1a162d2f11decd05fa8dd1d1ef5f2b3b353b7673ea58d59ef46d95ab
diff --git a/other/ensure-probes-different/ensure-probes-different.yaml b/other/ensure-probes-different/ensure-probes-different.yaml
index a1e31fce8..920106c43 100644
--- a/other/ensure-probes-different/ensure-probes-different.yaml
+++ b/other/ensure-probes-different/ensure-probes-different.yaml
@@ -15,7 +15,7 @@ metadata:
checks that liveness and readiness probes are not equal. Keep in mind that if both the
probes are not set, they are considered to be equal and hence fails the check.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: validate-probes
diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-image.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-image.yaml
index d034c7356..b5448a7f8 100644
--- a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-image.yaml
+++ b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-image.yaml
@@ -17,9 +17,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox
command: ["sleep","3600"]
- - image: nginx:1.28
+ - image: ghcr.io/kyverno/test-nginx:1.28
name: busybox02
command: ["sleep","3600"]
\ No newline at end of file
diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-imversion.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-imversion.yaml
index 03404b435..726e4beff 100644
--- a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-imversion.yaml
+++ b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-imversion.yaml
@@ -17,9 +17,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox
command: ["sleep","3600"]
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
command: ["sleep","3600"]
\ No newline at end of file
diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-name.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-name.yaml
index 8c34d76eb..090cdb2dd 100644
--- a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-name.yaml
+++ b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-name.yaml
@@ -17,9 +17,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox
command: ["sleep","3600"]
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox02
command: ["sleep","3600"]
\ No newline at end of file
diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deploy-good.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deploy-good.yaml
index 1b302fa25..c0fd922f2 100644
--- a/other/ensure-production-matches-staging/.chainsaw-test/deploy-good.yaml
+++ b/other/ensure-production-matches-staging/.chainsaw-test/deploy-good.yaml
@@ -17,10 +17,10 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox
command: ["sleep","3600"]
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox02
command: ["sleep","3600"]
---
@@ -42,9 +42,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox
command: ["sleep","3600"]
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox02
command: ["sleep","3600"]
\ No newline at end of file
diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deployments.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deployments.yaml
index 72df29d52..750c57d1f 100644
--- a/other/ensure-production-matches-staging/.chainsaw-test/deployments.yaml
+++ b/other/ensure-production-matches-staging/.chainsaw-test/deployments.yaml
@@ -17,9 +17,9 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
command: ["sleep","3600"]
- - image: busybox:1.28
+ - image: ghcr.io/kyverno/test-busybox:1.28
name: busybox02
command: ["sleep","3600"]
\ No newline at end of file
diff --git a/other/ensure-production-matches-staging/.chainsaw-test/policy-ready.yaml b/other/ensure-production-matches-staging/.chainsaw-test/policy-ready.yaml
index 8a8fceb5d..5f960e0dd 100644
--- a/other/ensure-production-matches-staging/.chainsaw-test/policy-ready.yaml
+++ b/other/ensure-production-matches-staging/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: ensure-production-matches-staging
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/ensure-production-matches-staging/artifacthub-pkg.yml b/other/ensure-production-matches-staging/artifacthub-pkg.yml
index 80669b81d..a48970acf 100644
--- a/other/ensure-production-matches-staging/artifacthub-pkg.yml
+++ b/other/ensure-production-matches-staging/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Deployment"
-digest: 4cb78d7f4e637e0222481cf1cfe6f0d165bf2ed836f30dd778400716953332e0
+digest: c1423e28522dc4bc67269ed0021a6012066e66c779fd6ec850663edc06175106
diff --git a/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml b/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml
index af70ce4da..57b4549a7 100644
--- a/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml
+++ b/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml
@@ -19,7 +19,7 @@ metadata:
that a production Deployment uses same image name as its staging counterpart. Third, that
a production Deployment uses an older or equal image version as its staging counterpart.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
#######################
diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 9668eb938..fdc2f51a7 100755
--- a/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: ensure-readonly-hostpath
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
index be0eb2e1f..dcdc4db2f 100644
--- a/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -27,7 +27,7 @@ spec:
readOnly: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -52,7 +52,7 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -62,7 +62,7 @@ spec:
readOnly: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
index ca7f558d4..6dd0a61a9 100644
--- a/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
@@ -17,7 +17,7 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -27,7 +27,7 @@ spec:
readOnly: true
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -52,7 +52,7 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -62,7 +62,7 @@ spec:
readOnly: true
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
index 9430edd30..098219015 100644
--- a/other/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
+++ b/other/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -15,7 +15,7 @@ spec:
readOnly: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
index 584c6ce57..ca5ccf2da 100644
--- a/other/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
+++ b/other/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
@@ -15,7 +15,7 @@ spec:
readOnly: true
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /some/dir
name: foo
diff --git a/other/ensure-readonly-hostpath/artifacthub-pkg.yml b/other/ensure-readonly-hostpath/artifacthub-pkg.yml
index c4f72ff42..afedd2a09 100644
--- a/other/ensure-readonly-hostpath/artifacthub-pkg.yml
+++ b/other/ensure-readonly-hostpath/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: f0e22c25527bc05172373d719f5ffd924c155c68edf62a6ff2650633e1ce2f2b
+digest: 52ca1a643fa89897e705f538f3596746bec87e87944029462efc04f82b8c4d3c
diff --git a/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml b/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml
index cc1e68891..d98a13a5e 100644
--- a/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml
+++ b/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml
@@ -19,7 +19,7 @@ metadata:
explicitly mounted in readOnly mode.
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: ensure-hostpaths-readonly
match:
diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 451f8163f..d5c98b767 100755
--- a/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: exclude-namespaces-example
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml
index 78823c79e..66aef86b3 100644
--- a/other/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml
+++ b/other/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -15,7 +15,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -26,4 +26,4 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml
index e546e8044..c178e57d9 100644
--- a/other/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml
+++ b/other/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -28,7 +28,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -40,4 +40,4 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml
index 931d85e11..a81ce69fb 100644
--- a/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml
index 82e0c8a36..51a980cef 100644
--- a/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml
+++ b/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -40,7 +40,7 @@ spec:
spec:
containers:
- name: bb-01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
diff --git a/other/exclude-namespaces-dynamically/artifacthub-pkg.yml b/other/exclude-namespaces-dynamically/artifacthub-pkg.yml
index c4f9e347b..b665ce838 100644
--- a/other/exclude-namespaces-dynamically/artifacthub-pkg.yml
+++ b/other/exclude-namespaces-dynamically/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Namespace, Pod"
-digest: 17334323ddbfbe02d198f36d3d68f7fbd04285583750b1a171e4e461142a8e72
+digest: 12d7c34e85b599c26ee72d4fb193ee5cf13b27aa2a89eb74c5cd96538129e384
diff --git a/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml b/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml
index fc92fa013..f1cc90120 100644
--- a/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml
+++ b/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml
@@ -17,7 +17,7 @@ metadata:
where the ConfigMap stores an array of strings. This policy validates that any Pods created
outside of the list of Namespaces have the label `foo` applied.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: exclude-namespaces-dynamically
diff --git a/other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b96d2cb6d..6db4eed04 100755
--- a/other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: forbid-cpu-limits
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml b/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
index 1dad16455..06dd9181c 100644
--- a/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
@@ -41,12 +41,12 @@ spec:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: 10m
- name: webserver2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: 10m
@@ -65,7 +65,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
@@ -87,12 +87,12 @@ spec:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: 10m
- name: webserver2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: 10m
diff --git a/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml b/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
index 86af67ba5..e0838c14b 100644
--- a/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -37,7 +37,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
@@ -57,7 +57,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
---
@@ -75,7 +75,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
diff --git a/other/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml b/other/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
index 84a73e9da..62296d928 100644
--- a/other/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
+++ b/other/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: 10m
@@ -17,12 +17,12 @@ metadata:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: 10m
- name: webserver2
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: 10m
\ No newline at end of file
diff --git a/other/forbid-cpu-limits/.chainsaw-test/pods-good.yaml b/other/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
index b0aba2e9b..1159a3cb1 100644
--- a/other/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
+++ b/other/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: webserver1
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: 10m
\ No newline at end of file
diff --git a/other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml b/other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml
index 841a8d9c6..ffd14ee7d 100644
--- a/other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml
+++ b/other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: generate-networkpolicy-existing
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml b/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml
index 8e1a47d6b..e3ff69fc8 100644
--- a/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml
+++ b/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml
@@ -15,7 +15,7 @@ spec:
spec:
containers:
- name: nginx-container
- image: nginx:latest
+ image: ghcr.io/kyverno/test-nginx:latest
ports:
- containerPort: 80
securityContext:
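Review bot: The replacement image on the `nginx-container` line still uses the mutable `latest` tag, so the image this Deployment runs changes whenever the mirror is re-pushed, and a test failure cannot be tied to a specific image. The `inject-env-var-from-image-label` fixtures in this same commit reference the mirrored nginx image by digest. Unless the policy under test depends on the `latest` tag, the same form would fit here: `image: ghcr.io/kyverno/test-nginx@sha256:<digest-of-mirrored-image>` (a placeholder, since the digest to use is not shown in this hunk). The Deployment spec starts and ends outside the hunk.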
diff --git a/other/get-debug-information/.chainsaw-test/policy-ready.yaml b/other/get-debug-information/.chainsaw-test/policy-ready.yaml
index 0754ffe2f..ca82aaca0 100644
--- a/other/get-debug-information/.chainsaw-test/policy-ready.yaml
+++ b/other/get-debug-information/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: get-debug-data-policy
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index adbe3c664..c1acbab53 100755
--- a/other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: imagepullpolicy-always
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml b/other/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
index eb6883232..c7d92a9ac 100644
--- a/other/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
+++ b/other/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Never
---
apiVersion: v1
@@ -15,7 +15,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
imagePullPolicy: IfNotPresent
---
apiVersion: v1
@@ -25,10 +25,10 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Always
- name: pod02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: IfNotPresent
---
apiVersion: v1
@@ -38,7 +38,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Never
- name: pod02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/imagepullpolicy-always/.chainsaw-test/pod-good.yaml b/other/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
index 65f5d474f..9972b1147 100644
--- a/other/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
+++ b/other/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox # by default, imagePullPolicy: Always
+ image: ghcr.io/kyverno/test-busybox # by default, imagePullPolicy: Always
---
apiVersion: v1
kind: Pod
@@ -23,7 +23,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest # by default, imagePullPolicy: Always
+ image: ghcr.io/kyverno/test-busybox:latest # by default, imagePullPolicy: Always
---
apiVersion: v1
kind: Pod
@@ -32,7 +32,7 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Always
---
apiVersion: v1
@@ -42,10 +42,10 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Always
- name: pod02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -54,8 +54,8 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullPolicy: IfNotPresent
- name: pod02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Always
\ No newline at end of file
diff --git a/other/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml b/other/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
index 770e5393e..564bb7694 100644
--- a/other/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
@@ -17,12 +17,12 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Never
- name: bb03
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
imagePullPolicy: IfNotPresent
---
apiVersion: batch/v1
@@ -37,11 +37,11 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
imagePullPolicy: Never
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
imagePullPolicy: IfNotPresent
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml b/other/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
index 4499d5b17..ceb81f45d 100644
--- a/other/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
+++ b/other/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
@@ -17,11 +17,11 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: bb03
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
---
apiVersion: batch/v1
kind: CronJob
@@ -35,9 +35,9 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
- name: bb03
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/imagepullpolicy-always/artifacthub-pkg.yml b/other/imagepullpolicy-always/artifacthub-pkg.yml
index a88ed1308..24d2808fe 100644
--- a/other/imagepullpolicy-always/artifacthub-pkg.yml
+++ b/other/imagepullpolicy-always/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 6c540bf67eeab51987b0021acffd73333d5eff22f14e10204b8c2c543222758d
+digest: fec07496bb0b042077300e6235dfcc21ef12fc1a7c6b79f1babba998003e7300
diff --git a/other/imagepullpolicy-always/imagepullpolicy-always.yaml b/other/imagepullpolicy-always/imagepullpolicy-always.yaml
index 874c8ce01..52db3842c 100644
--- a/other/imagepullpolicy-always/imagepullpolicy-always.yaml
+++ b/other/imagepullpolicy-always/imagepullpolicy-always.yaml
@@ -14,7 +14,7 @@ metadata:
pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always`
when the `latest` tag is specified explicitly or where a tag is not defined at all.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: imagepullpolicy-always
diff --git a/other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1bd8a2c79..b738b5dbb 100755
--- a/other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: ingress-host-match-tls
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/ingress-host-match-tls/artifacthub-pkg.yml b/other/ingress-host-match-tls/artifacthub-pkg.yml
index a13df750e..1fdf77798 100644
--- a/other/ingress-host-match-tls/artifacthub-pkg.yml
+++ b/other/ingress-host-match-tls/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.20, 1.21"
kyverno/subject: "Ingress"
-digest: 3f3af746f48800ebfdb337b428125c1421f29d91161ab34a0fd8e2225913dbb3
+digest: fbb6f531a3606b90ebea9d245a23c1b0a47e8d1be91f31493e9047edb3fb608b
diff --git a/other/ingress-host-match-tls/ingress-host-match-tls.yaml b/other/ingress-host-match-tls/ingress-host-match-tls.yaml
index bf65c827b..0c7718224 100644
--- a/other/ingress-host-match-tls/ingress-host-match-tls.yaml
+++ b/other/ingress-host-match-tls/ingress-host-match-tls.yaml
@@ -18,7 +18,7 @@ metadata:
in the list of TLS hosts.
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: host-match-tls
match:
diff --git a/other/inject-env-var-from-image-label/.chainsaw-test/kuttlresource.yaml b/other/inject-env-var-from-image-label/.chainsaw-test/kuttlresource.yaml
index 5fa437cba..8a841029b 100644
--- a/other/inject-env-var-from-image-label/.chainsaw-test/kuttlresource.yaml
+++ b/other/inject-env-var-from-image-label/.chainsaw-test/kuttlresource.yaml
@@ -6,4 +6,4 @@ metadata:
spec:
containers:
- name: nginx
- image: docker.io/nginx@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
diff --git a/other/inject-env-var-from-image-label/.chainsaw-test/resource-mutated.yaml b/other/inject-env-var-from-image-label/.chainsaw-test/resource-mutated.yaml
index 20e440496..0264b848c 100644
--- a/other/inject-env-var-from-image-label/.chainsaw-test/resource-mutated.yaml
+++ b/other/inject-env-var-from-image-label/.chainsaw-test/resource-mutated.yaml
@@ -8,5 +8,5 @@ spec:
- env:
- name: MAINTAINER
value: NGINX Docker Maintainers
- image: docker.io/nginx@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
name: nginx
\ No newline at end of file
diff --git a/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched01.yaml b/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched01.yaml
index 33bfae1b8..4ff38b2a0 100644
--- a/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched01.yaml
+++ b/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched01.yaml
@@ -21,7 +21,7 @@ spec:
volumeMounts:
- mountPath: /vault/secrets
name: vault-secret
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
initContainers:
- image: vault:1.5.4
diff --git a/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched02.yaml b/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched02.yaml
index 4cd10f8fd..1765d4960 100644
--- a/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched02.yaml
+++ b/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched02.yaml
@@ -21,7 +21,7 @@ spec:
volumeMounts:
- mountPath: /vault/secrets
name: vault-secret
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
initContainers:
- image: vault:1.5.4
@@ -30,7 +30,7 @@ spec:
volumeMounts:
- mountPath: /vault/secrets
name: vault-secret
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumes:
- emptyDir:
diff --git a/other/inject-sidecar-deployment/.chainsaw-test/deploy.yaml b/other/inject-sidecar-deployment/.chainsaw-test/deploy.yaml
index f9d12fcf4..f49094cae 100644
--- a/other/inject-sidecar-deployment/.chainsaw-test/deploy.yaml
+++ b/other/inject-sidecar-deployment/.chainsaw-test/deploy.yaml
@@ -15,7 +15,7 @@ spec:
vault.hashicorp.com/agent-inject: "true"
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -35,7 +35,7 @@ spec:
vault.hashicorp.com/agent-inject: "false"
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -53,7 +53,7 @@ spec:
app: myapp
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -73,8 +73,8 @@ spec:
vault.hashicorp.com/agent-inject: "true"
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched02.yaml b/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched02.yaml
index 0f17b48d4..5e8e7684f 100644
--- a/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched02.yaml
+++ b/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched02.yaml
@@ -21,7 +21,7 @@ spec:
volumeMounts:
- mountPath: /vault/secrets
name: vault-secret
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
initContainers:
- image: vault:1.5.4
diff --git a/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched03.yaml b/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched03.yaml
index f4561dc34..421b47a5b 100644
--- a/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched03.yaml
+++ b/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched03.yaml
@@ -21,7 +21,7 @@ spec:
volumeMounts:
- mountPath: /vault/secrets
name: vault-secret
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
initContainers:
- image: vault:1.5.4
diff --git a/other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml b/other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml
index e533267bc..e0e72cd24 100644
--- a/other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml
+++ b/other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: inject-sidecar
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/inspect-csr/.chainsaw-test/policy-ready.yaml b/other/inspect-csr/.chainsaw-test/policy-ready.yaml
index d465abbb4..28e607dfc 100644
--- a/other/inspect-csr/.chainsaw-test/policy-ready.yaml
+++ b/other/inspect-csr/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: inspect-csr
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/label-nodes-cri/.chainsaw-test/chainsaw-step-00-apply-1.yaml b/other/label-nodes-cri/.chainsaw-test/chainsaw-step-00-apply-1.yaml
index 45ffe8d62..489bbea7b 100755
--- a/other/label-nodes-cri/.chainsaw-test/chainsaw-step-00-apply-1.yaml
+++ b/other/label-nodes-cri/.chainsaw-test/chainsaw-step-00-apply-1.yaml
@@ -12,4 +12,7 @@ rules:
resources:
- nodes
verbs:
+ - get
+ - list
+ - watch
- update
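Review bot: The `verbs` list for `nodes` now grants `get`, `list` and `watch` on top of `update`, and nothing in the file records which component needs the read verbs. No `resourceNames` restriction is visible in the hunk, so the rule appears to cover every Node. A one-line comment above `verbs:` would keep the grant reviewable, for example `# get/list/watch: read access needed by <component> before it updates Nodes` (placeholder for the component name, which this hunk does not show). The role's metadata and any binding are outside the hunk, so who receives these permissions cannot be confirmed from here.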
diff --git a/other/label-nodes-cri/.chainsaw-test/chainsaw-test.yaml b/other/label-nodes-cri/.chainsaw-test/chainsaw-test.yaml
index 92ad03d96..832c2217e 100755
--- a/other/label-nodes-cri/.chainsaw-test/chainsaw-test.yaml
+++ b/other/label-nodes-cri/.chainsaw-test/chainsaw-test.yaml
@@ -14,7 +14,7 @@ spec:
try:
- script:
content: |
- kubectl get configmap kyverno -n kyverno -o yaml | sed 's/\[Node\/\*,\*,\*\]//g' - | sed 's/\[Node,\*,\*\]//g' - | kubectl apply -f -
+ kubectl get configmap kyverno -n kyverno -o yaml | sed 's/\[Node\/\*,\*,\*\]//g' | sed 's/\[Node,\*,\*\]//g' | kubectl apply -f -
- sleep:
duration: 5s
- name: step-02
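Review bot: The step-01 script removes the `[Node,*,*]` and `[Node/*,*,*]` entries from the shared `kyverno` ConfigMap, but the command that restores them sits in step-04's `try` (next hunk). A failure in step-02 or step-03 would therefore presumably leave the resource filters stripped for whatever runs next on the same cluster. Moving the restore pipeline into a `cleanup:` block on this step (which, as I understand Chainsaw, runs when the test ends whether or not it passed) would put the ConfigMap back on both paths. The pipeline itself can stay as written, and the remainder of step-02 is outside the hunk.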
@@ -26,14 +26,14 @@ spec:
- name: step-03
try:
- sleep:
- duration: 10s
+ duration: 5s
- script:
content: ./label-check.sh
- name: step-04
try:
- script:
content: |
- kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' - | kubectl apply -f -
+ kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' | kubectl apply -f -
- script:
content: |
node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1);
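Review bot: The wait before `./label-check.sh` in step-03 is a fixed `sleep`, now shortened from `10s` to `5s`, so the check races whatever applies the Node label and can fail on a slow runner without any policy regression. A bounded retry would be steadier than a timer: either poll inside `label-check.sh` until the label appears or a timeout expires, or replace the `sleep` with an `assert` on the Node so Chainsaw's assert timeout governs the wait. The contents of `label-check.sh` are not visible here, so it may already retry; if it does, the `sleep` could be dropped altogether. The step-04 script that begins at `node=$(kubectl get nodes ...` continues past the end of the hunk.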
diff --git a/other/limit-configmap-for-sa/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/limit-configmap-for-sa/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a8bab8010..3e921ad78 100755
--- a/other/limit-configmap-for-sa/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/limit-configmap-for-sa/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: limit-configmap-for-sa
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/limit-configmap-for-sa/artifacthub-pkg.yml b/other/limit-configmap-for-sa/artifacthub-pkg.yml
index 6e537128d..8b7328069 100644
--- a/other/limit-configmap-for-sa/artifacthub-pkg.yml
+++ b/other/limit-configmap-for-sa/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.20-1.23"
kyverno/subject: "ConfigMap, ServiceAccount"
-digest: 2cdbadb9f955d03dc445b0b04405d9c8483d437c863d0fda1d9e4876fd8242de
+digest: d05b789387da92170215cd0a37a17b95b071c9012fe9f4104bb94fc6da36a63e
diff --git a/other/limit-configmap-for-sa/limit-configmap-for-sa.yaml b/other/limit-configmap-for-sa/limit-configmap-for-sa.yaml
index 66fb81cd6..1c5a48140 100644
--- a/other/limit-configmap-for-sa/limit-configmap-for-sa.yaml
+++ b/other/limit-configmap-for-sa/limit-configmap-for-sa.yaml
@@ -12,7 +12,7 @@ metadata:
policies.kyverno.io/description: This policy shows how to restrict certain operations on specific ConfigMaps by ServiceAccounts.
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: limit-configmap-for-sa-developer
match:
diff --git a/other/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 33f4a1654..b089e733d 100755
--- a/other/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: limit-containers-per-pod
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml b/other/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
index fe98f797b..009f67e0a 100644
--- a/other/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
+++ b/other/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
@@ -5,12 +5,12 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod05
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/limit-containers-per-pod/.chainsaw-test/pod-good.yaml b/other/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
index 6e09c3e46..870ace2eb 100644
--- a/other/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
+++ b/other/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
@@ -5,13 +5,13 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,6 +20,6 @@ metadata:
spec:
containers:
- name: pod01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: pod02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml b/other/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
index 114495014..c85df9f2d 100644
--- a/other/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
@@ -17,15 +17,15 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb05
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,13 +39,13 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb05
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml b/other/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
index 44639a82d..3114e9a1c 100644
--- a/other/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
+++ b/other/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
@@ -17,13 +17,13 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -37,11 +37,11 @@ spec:
spec:
containers:
- name: bb01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: bb04
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/limit-containers-per-pod/artifacthub-pkg.yml b/other/limit-containers-per-pod/artifacthub-pkg.yml
index 52beb9890..bff4c6af1 100644
--- a/other/limit-containers-per-pod/artifacthub-pkg.yml
+++ b/other/limit-containers-per-pod/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 375b0ea0b5a26365b69af559cbbda54c352e8a13c838fdbbdcb9d3f01b4941e9
+digest: a19afd0477cc6fed8ab76b57996f33d2d4cc7fb879a9af0053a9f38ea61ae8ca
diff --git a/other/limit-containers-per-pod/limit-containers-per-pod.yaml b/other/limit-containers-per-pod/limit-containers-per-pod.yaml
index c5fc9bd72..3c564f840 100644
--- a/other/limit-containers-per-pod/limit-containers-per-pod.yaml
+++ b/other/limit-containers-per-pod/limit-containers-per-pod.yaml
@@ -14,7 +14,7 @@ metadata:
be applied consistently. This policy checks all Pods to ensure they have
no more than four containers.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: limit-containers-per-pod
diff --git a/other/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 3f396191b..2c957e6e7 100755
--- a/other/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: limit-hostpath-type-pv
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/limit-hostpath-type-pv/artifacthub-pkg.yml b/other/limit-hostpath-type-pv/artifacthub-pkg.yml
index 7dac0b038..e3e4dafd5 100644
--- a/other/limit-hostpath-type-pv/artifacthub-pkg.yml
+++ b/other/limit-hostpath-type-pv/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Other"
kyverno/subject: "PersistentVolume"
-digest: 1c17b81f546a6aef28cbd0d514baa157df7a955a5587db9dd148a0f35f6aa7ee
+digest: e30937d2f138d9f3933b578a6fc85b50248c1990d45685ecf1e20977f9e514d6
diff --git a/other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml b/other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml
index 5aa7ec51d..fb8a6408e 100644
--- a/other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml
+++ b/other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml
@@ -15,7 +15,7 @@ metadata:
the only directory that can be mounted as a hostPath volume is /data.
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: limit-hostpath-type-pv-to-slash-data
match:
diff --git a/other/limit-hostpath-vols/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/limit-hostpath-vols/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b5a967f65..95cce276c 100755
--- a/other/limit-hostpath-vols/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/limit-hostpath-vols/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: limit-hostpath-vols
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml b/other/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml
index 2dfc11c6c..b1f06d7b3 100644
--- a/other/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml
+++ b/other/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
diff --git a/other/limit-hostpath-vols/.chainsaw-test/pod-good.yaml b/other/limit-hostpath-vols/.chainsaw-test/pod-good.yaml
index 92ed9c3a4..5dc8241d3 100644
--- a/other/limit-hostpath-vols/.chainsaw-test/pod-good.yaml
+++ b/other/limit-hostpath-vols/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -48,7 +48,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -68,4 +68,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml b/other/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml
index 0379980ec..86152ffc0 100644
--- a/other/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -42,7 +42,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
diff --git a/other/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml b/other/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml
index acb202523..0eb07257d 100644
--- a/other/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml
+++ b/other/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -45,7 +45,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
diff --git a/other/limit-hostpath-vols/artifacthub-pkg.yml b/other/limit-hostpath-vols/artifacthub-pkg.yml
index 79bce138c..c43928962 100644
--- a/other/limit-hostpath-vols/artifacthub-pkg.yml
+++ b/other/limit-hostpath-vols/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 2208bdd4687e4543523335641bdcd452d4bf3788af7af15feea49a8d603aeea3
+digest: 28b447d20112d6101365d546637703469c876788462a79675ce2142f52b7799f
diff --git a/other/limit-hostpath-vols/limit-hostpath-vols.yaml b/other/limit-hostpath-vols/limit-hostpath-vols.yaml
index 814074fef..ee03338f6 100644
--- a/other/limit-hostpath-vols/limit-hostpath-vols.yaml
+++ b/other/limit-hostpath-vols/limit-hostpath-vols.yaml
@@ -19,7 +19,7 @@ metadata:
access is enforced preventing directory escape.
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: limit-hostpath-to-slash-data
match:
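Review bot: `validationFailureAction: Audit` only records violations in policy reports and still admits the resource, which is easy to miss when the description reads as if the policy stops the request. A one-line comment above the field would make the shipped behaviour explicit: `# Audit reports violations without rejecting the request; set Enforce to block`. The same case-only change appears in `memory-requests-equal-limits.yaml`, `metadata-match-regex.yaml`, `nfs-subdir-external-provisioner-storage-path.yaml`, `only-trustworthy-registries-set-root.yaml` (its description says "blocks") and `pdb-maxunavailable.yaml` (its description says "enforces"). The rest of `spec` lies outside the hunk.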
diff --git a/other/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b380064bd..077a20e1d 100755
--- a/other/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: memory-requests-equal-limits
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml b/other/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml
index ceb85fe42..6b7202dd0 100644
--- a/other/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml
+++ b/other/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -19,14 +19,14 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "10Mi"
limits:
memory: "140Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -40,14 +40,14 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "120Mi"
limits:
memory: "120Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -61,14 +61,14 @@ metadata:
spec:
containers:
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
memory: "200Mi"
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
diff --git a/other/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml b/other/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml
index ca209878d..a0376fff4 100644
--- a/other/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml
+++ b/other/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -28,16 +28,16 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
memory: "100Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
diff --git a/other/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml b/other/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml
index 7c1a62010..fe31ffddc 100644
--- a/other/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml
@@ -17,14 +17,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "10Mi"
limits:
memory: "140Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -43,14 +43,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "10Mi"
limits:
memory: "140Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
diff --git a/other/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml b/other/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml
index 1a18a0717..c50090466 100644
--- a/other/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml
+++ b/other/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml
@@ -17,16 +17,16 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
memory: "100Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
@@ -45,16 +45,16 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
memory: "100Mi"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
diff --git a/other/memory-requests-equal-limits/artifacthub-pkg.yml b/other/memory-requests-equal-limits/artifacthub-pkg.yml
index 0eab5d3b2..5838d445e 100644
--- a/other/memory-requests-equal-limits/artifacthub-pkg.yml
+++ b/other/memory-requests-equal-limits/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 634be7d8371928ed519a4576f84751fd423ae3d3e6e9146bb2280910dc8954c5
+digest: cb2f04d97c0c90630bda35a345a0252b2aa0042f07057ed3f0903997c573a349
diff --git a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
index 9afeb8f06..e040e9b1d 100644
--- a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
+++ b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
@@ -13,7 +13,7 @@ metadata:
they also set CPU limits equal to requests. Guaranteed is the highest schedulable class.
This policy checks that all containers in a given Pod have memory requests equal to limits.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: memory-requests-equal-limits
diff --git a/other/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 440d4828f..8381a07c8 100755
--- a/other/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: metadata-match-regex
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/metadata-match-regex/.chainsaw-test/pod-bad.yaml b/other/metadata-match-regex/.chainsaw-test/pod-bad.yaml
index 50accd487..12d65ae28 100644
--- a/other/metadata-match-regex/.chainsaw-test/pod-bad.yaml
+++ b/other/metadata-match-regex/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -29,7 +29,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -38,4 +38,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/metadata-match-regex/.chainsaw-test/pod-good.yaml b/other/metadata-match-regex/.chainsaw-test/pod-good.yaml
index 1247325fc..5eec4c9fe 100644
--- a/other/metadata-match-regex/.chainsaw-test/pod-good.yaml
+++ b/other/metadata-match-regex/.chainsaw-test/pod-good.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,4 +18,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml b/other/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml
index 495f99078..a844ba8d4 100644
--- a/other/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,5 +35,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml b/other/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml
index ad399aa8b..bb15ee531 100644
--- a/other/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml
+++ b/other/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,5 +35,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/metadata-match-regex/artifacthub-pkg.yml b/other/metadata-match-regex/artifacthub-pkg.yml
index 56a6a64b6..ba8c06083 100644
--- a/other/metadata-match-regex/artifacthub-pkg.yml
+++ b/other/metadata-match-regex/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Other"
kyverno/subject: "Pod, Label"
-digest: 229910cb3f12ff2146bd1f463d21dc6397757da1485dad3e00c71cd815752c52
+digest: 441b2cca24a1742f532f07a90d9998f26e8ee416848f4060c8a5d33ffd99bf7d
diff --git a/other/metadata-match-regex/metadata-match-regex.yaml b/other/metadata-match-regex/metadata-match-regex.yaml
index 57194d227..98da37886 100644
--- a/other/metadata-match-regex/metadata-match-regex.yaml
+++ b/other/metadata-match-regex/metadata-match-regex.yaml
@@ -13,7 +13,7 @@ metadata:
policy illustrates how to ensure a label with key `corp.org/version` is both present and matches
a given regex, in this case ensuring semver is met.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: check-for-regex
diff --git a/other/mitigate-log4shell/.chainsaw-test/cronjob-patched.yaml b/other/mitigate-log4shell/.chainsaw-test/cronjob-patched.yaml
index b48f23b80..41b4fda4b 100644
--- a/other/mitigate-log4shell/.chainsaw-test/cronjob-patched.yaml
+++ b/other/mitigate-log4shell/.chainsaw-test/cronjob-patched.yaml
@@ -10,23 +10,23 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
diff --git a/other/mitigate-log4shell/.chainsaw-test/deploy-patched.yaml b/other/mitigate-log4shell/.chainsaw-test/deploy-patched.yaml
index c68b84d50..2c0d76998 100644
--- a/other/mitigate-log4shell/.chainsaw-test/deploy-patched.yaml
+++ b/other/mitigate-log4shell/.chainsaw-test/deploy-patched.yaml
@@ -17,23 +17,23 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
diff --git a/other/mitigate-log4shell/.chainsaw-test/pod-patched01.yaml b/other/mitigate-log4shell/.chainsaw-test/pod-patched01.yaml
index 93a17c1b8..a06db0ae5 100644
--- a/other/mitigate-log4shell/.chainsaw-test/pod-patched01.yaml
+++ b/other/mitigate-log4shell/.chainsaw-test/pod-patched01.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
\ No newline at end of file
diff --git a/other/mitigate-log4shell/.chainsaw-test/pod-patched02.yaml b/other/mitigate-log4shell/.chainsaw-test/pod-patched02.yaml
index 4dbaf3d72..80074573d 100644
--- a/other/mitigate-log4shell/.chainsaw-test/pod-patched02.yaml
+++ b/other/mitigate-log4shell/.chainsaw-test/pod-patched02.yaml
@@ -5,12 +5,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
diff --git a/other/mitigate-log4shell/.chainsaw-test/pod-patched03.yaml b/other/mitigate-log4shell/.chainsaw-test/pod-patched03.yaml
index 5042319fa..6d5afaee6 100644
--- a/other/mitigate-log4shell/.chainsaw-test/pod-patched03.yaml
+++ b/other/mitigate-log4shell/.chainsaw-test/pod-patched03.yaml
@@ -5,23 +5,23 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "true"
diff --git a/other/mitigate-log4shell/.chainsaw-test/pod.yaml b/other/mitigate-log4shell/.chainsaw-test/pod.yaml
index 2f6b7409b..a38dc06d7 100644
--- a/other/mitigate-log4shell/.chainsaw-test/pod.yaml
+++ b/other/mitigate-log4shell/.chainsaw-test/pod.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,9 +14,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
@@ -30,17 +30,17 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "false"
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
diff --git a/other/mitigate-log4shell/.chainsaw-test/podcontroller.yaml b/other/mitigate-log4shell/.chainsaw-test/podcontroller.yaml
index 3014766e4..3bee10f48 100644
--- a/other/mitigate-log4shell/.chainsaw-test/podcontroller.yaml
+++ b/other/mitigate-log4shell/.chainsaw-test/podcontroller.yaml
@@ -17,17 +17,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "false"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: foo
value: bar
@@ -44,18 +44,18 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "false"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: LOG4J_FORMAT_MSG_NO_LOOKUPS
value: "false"
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/mutate-large-termination-gps/.chainsaw-test/cronjob-patched.yaml b/other/mutate-large-termination-gps/.chainsaw-test/cronjob-patched.yaml
index 12998b9fe..8bf2b3188 100644
--- a/other/mutate-large-termination-gps/.chainsaw-test/cronjob-patched.yaml
+++ b/other/mutate-large-termination-gps/.chainsaw-test/cronjob-patched.yaml
@@ -11,6 +11,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 50
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/mutate-large-termination-gps/.chainsaw-test/deploy-patched.yaml b/other/mutate-large-termination-gps/.chainsaw-test/deploy-patched.yaml
index 827bc9e9a..8819f8766 100644
--- a/other/mutate-large-termination-gps/.chainsaw-test/deploy-patched.yaml
+++ b/other/mutate-large-termination-gps/.chainsaw-test/deploy-patched.yaml
@@ -17,5 +17,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 50
\ No newline at end of file
diff --git a/other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched01.yaml b/other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched01.yaml
index 502949cda..f82be8d23 100644
--- a/other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched01.yaml
+++ b/other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched01.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 50
\ No newline at end of file
diff --git a/other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched02.yaml b/other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched02.yaml
index 1be2f4b89..fd9a53f11 100644
--- a/other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched02.yaml
+++ b/other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched02.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 50
\ No newline at end of file
diff --git a/other/mutate-large-termination-gps/.chainsaw-test/pod-patched01.yaml b/other/mutate-large-termination-gps/.chainsaw-test/pod-patched01.yaml
index c1efbfe8e..6a3aec0ac 100644
--- a/other/mutate-large-termination-gps/.chainsaw-test/pod-patched01.yaml
+++ b/other/mutate-large-termination-gps/.chainsaw-test/pod-patched01.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 50
\ No newline at end of file
diff --git a/other/mutate-large-termination-gps/.chainsaw-test/pod.yaml b/other/mutate-large-termination-gps/.chainsaw-test/pod.yaml
index b903b2b04..8e90f5236 100644
--- a/other/mutate-large-termination-gps/.chainsaw-test/pod.yaml
+++ b/other/mutate-large-termination-gps/.chainsaw-test/pod.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 51
---
apiVersion: v1
@@ -15,7 +15,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 20
---
apiVersion: v1
@@ -25,4 +25,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/mutate-large-termination-gps/.chainsaw-test/podcontroller.yaml b/other/mutate-large-termination-gps/.chainsaw-test/podcontroller.yaml
index 920e69bac..ecf268630 100644
--- a/other/mutate-large-termination-gps/.chainsaw-test/podcontroller.yaml
+++ b/other/mutate-large-termination-gps/.chainsaw-test/podcontroller.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 51
---
apiVersion: batch/v1
@@ -32,6 +32,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
terminationGracePeriodSeconds: 100
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/mutate-pod-binding/.chainsaw-test/pod-patched01.yaml b/other/mutate-pod-binding/.chainsaw-test/pod-patched01.yaml
index ab4d4e72d..23fdcc503 100644
--- a/other/mutate-pod-binding/.chainsaw-test/pod-patched01.yaml
+++ b/other/mutate-pod-binding/.chainsaw-test/pod-patched01.yaml
@@ -9,4 +9,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/mutate-pod-binding/.chainsaw-test/pod-patched02.yaml b/other/mutate-pod-binding/.chainsaw-test/pod-patched02.yaml
index e0152ae1a..59ec3df51 100644
--- a/other/mutate-pod-binding/.chainsaw-test/pod-patched02.yaml
+++ b/other/mutate-pod-binding/.chainsaw-test/pod-patched02.yaml
@@ -9,4 +9,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/mutate-pod-binding/.chainsaw-test/pod.yaml b/other/mutate-pod-binding/.chainsaw-test/pod.yaml
index c0c348b22..ac14625d7 100644
--- a/other/mutate-pod-binding/.chainsaw-test/pod.yaml
+++ b/other/mutate-pod-binding/.chainsaw-test/pod.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,4 +20,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/mutate-pod-binding/.chainsaw-test/testpod.yaml b/other/mutate-pod-binding/.chainsaw-test/testpod.yaml
index 02ca579a5..aa8d94925 100644
--- a/other/mutate-pod-binding/.chainsaw-test/testpod.yaml
+++ b/other/mutate-pod-binding/.chainsaw-test/testpod.yaml
@@ -8,7 +8,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
args:
- sleep
- 1d
diff --git a/other/nfs-subdir-external-provisioner-storage-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/nfs-subdir-external-provisioner-storage-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 642ae896e..9184d79d3 100755
--- a/other/nfs-subdir-external-provisioner-storage-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/nfs-subdir-external-provisioner-storage-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: nfs-subdir-external-provisioner-storage-path
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/nfs-subdir-external-provisioner-storage-path/artifacthub-pkg.yml b/other/nfs-subdir-external-provisioner-storage-path/artifacthub-pkg.yml
index 813c4d5be..fc2e8ce5e 100644
--- a/other/nfs-subdir-external-provisioner-storage-path/artifacthub-pkg.yml
+++ b/other/nfs-subdir-external-provisioner-storage-path/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "PersistentVolumeClaim"
-digest: 425b9eb3c309af4cee2f6e4a02e1208a917299356d93b9bcdb92e8c4a5559838
+digest: 4ce2e43657c7e062c9cf5b613d108c564a4dbb6ad31ac6a180935b897871671d
diff --git a/other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path.yaml b/other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path.yaml
index 3bd64419d..091713cba 100644
--- a/other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path.yaml
+++ b/other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path.yaml
@@ -18,7 +18,7 @@ metadata:
annotation that it cannot be empty, which may otherwise result in it consuming the root of the designated path.
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: enforce-storage-path
match:
diff --git a/other/only-trustworthy-registries-set-root/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/only-trustworthy-registries-set-root/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 54e6fce1e..7b6cbe4a9 100755
--- a/other/only-trustworthy-registries-set-root/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/only-trustworthy-registries-set-root/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: only-trustworthy-registries-set-root
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/only-trustworthy-registries-set-root/.chainsaw-test/pod-bad.yaml b/other/only-trustworthy-registries-set-root/.chainsaw-test/pod-bad.yaml
index 5b1051c80..09294bd5c 100644
--- a/other/only-trustworthy-registries-set-root/.chainsaw-test/pod-bad.yaml
+++ b/other/only-trustworthy-registries-set-root/.chainsaw-test/pod-bad.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
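Review bot: Switching this negative fixture to `ghcr.io/kyverno/test-busybox:1.35` puts every container image shown in `pod-bad.yaml` on `ghcr.io`, which the policy description in this same commit names as the trustworthy registry. The old `busybox:1.35` came from a different registry and appears to have been what made these Pods violate the rule, so the "bad" cases may now pass the policy and the test would stop proving that anything is rejected. The same substitution is made in the two later hunks of this file and in both hunks of `podcontroller-bad.yaml`. For this policy's bad fixtures I would keep `image: busybox:1.35`, or host the test image on a registry the policy does not trust. The rule body is outside these hunks, so confirm against its registry condition.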
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: kyverno02
image: ghcr.io/nginx-proxy/nginx-proxy:latest
---
@@ -30,4 +30,4 @@ spec:
- name: kyverno01
image: ghcr.io/nginx-proxy/nginx-proxy:latest
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/only-trustworthy-registries-set-root/.chainsaw-test/podcontroller-bad.yaml b/other/only-trustworthy-registries-set-root/.chainsaw-test/podcontroller-bad.yaml
index b89c47855..2d5e9e555 100644
--- a/other/only-trustworthy-registries-set-root/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/only-trustworthy-registries-set-root/.chainsaw-test/podcontroller-bad.yaml
@@ -20,7 +20,7 @@ spec:
- name: kyverno01
image: ghcr.io/kyverno/kyverno:latest
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: kyverno02
image: ghcr.io/kyverno/kyverno:latest
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/only-trustworthy-registries-set-root/artifacthub-pkg.yml b/other/only-trustworthy-registries-set-root/artifacthub-pkg.yml
index 3ac90f4d1..0109f8f9e 100644
--- a/other/only-trustworthy-registries-set-root/artifacthub-pkg.yml
+++ b/other/only-trustworthy-registries-set-root/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Other, EKS Best Practices"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 4543cc84b584a3a39e4e279cb032ce21e6dde1271bde7a55c0c3351ab4db722c
+digest: e4b63d3c3c3264611b5501d76184e2ec5856a320aaa5a8355f27309ba2dc87cc
diff --git a/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml b/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
index 03d0a8c3b..f0b23e442 100644
--- a/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
+++ b/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
@@ -16,7 +16,7 @@ metadata:
This policy blocks any image that runs as root if it does not come from a trustworthy
registry, `ghcr.io` in this case.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: only-allow-trusted-images
match:
diff --git a/other/pdb-maxunavailable-with-deployments/.chainsaw-test/existing-deployments.yaml b/other/pdb-maxunavailable-with-deployments/.chainsaw-test/existing-deployments.yaml
index 60a06f7bd..b7c8c9d71 100644
--- a/other/pdb-maxunavailable-with-deployments/.chainsaw-test/existing-deployments.yaml
+++ b/other/pdb-maxunavailable-with-deployments/.chainsaw-test/existing-deployments.yaml
@@ -15,7 +15,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.36
+ - image: ghcr.io/kyverno/test-busybox:1.36
name: busybox
command: ["sleep", "infinity"]
---
@@ -36,6 +36,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.36
+ - image: ghcr.io/kyverno/test-busybox:1.36
name: busybox
command: ["sleep", "infinity"]
diff --git a/other/pdb-maxunavailable-with-deployments/.chainsaw-test/policy-ready.yaml b/other/pdb-maxunavailable-with-deployments/.chainsaw-test/policy-ready.yaml
index ad66bfea4..cb0a3ddb4 100644
--- a/other/pdb-maxunavailable-with-deployments/.chainsaw-test/policy-ready.yaml
+++ b/other/pdb-maxunavailable-with-deployments/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: pdb-maxunavailable-with-deployments
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 5cdc2b1cc..293c82b88 100755
--- a/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: pdb-maxunavailable
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/pdb-maxunavailable/artifacthub-pkg.yml b/other/pdb-maxunavailable/artifacthub-pkg.yml
index 6c0ffacd2..4ccb6065b 100644
--- a/other/pdb-maxunavailable/artifacthub-pkg.yml
+++ b/other/pdb-maxunavailable/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "PodDisruptionBudget"
-digest: d7acf0213b5530e922ca29674342a359b09e0b34afded7c321363e4c6f45a84c
+digest: 5d77f56fc16217f79de484881ef63e5dd61b8e4e9befce9d57c9269d508f01eb
diff --git a/other/pdb-maxunavailable/pdb-maxunavailable.yaml b/other/pdb-maxunavailable/pdb-maxunavailable.yaml
index b26a8c354..74aea2068 100644
--- a/other/pdb-maxunavailable/pdb-maxunavailable.yaml
+++ b/other/pdb-maxunavailable/pdb-maxunavailable.yaml
@@ -14,7 +14,7 @@ metadata:
This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field
it must be greater than zero.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: pdb-maxunavailable
diff --git a/other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f781cbce7..bbf99fddc 100755
--- a/other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: pdb-minavailable-check
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/pdb-minavailable/.chainsaw-test/ss-bad.yaml b/other/pdb-minavailable/.chainsaw-test/ss-bad.yaml
index fa348fd11..1f09ebbf0 100644
--- a/other/pdb-minavailable/.chainsaw-test/ss-bad.yaml
+++ b/other/pdb-minavailable/.chainsaw-test/ss-bad.yaml
@@ -16,4 +16,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other/pdb-minavailable/.chainsaw-test/ss-good.yaml b/other/pdb-minavailable/.chainsaw-test/ss-good.yaml
index c294a8a93..17a21a459 100644
--- a/other/pdb-minavailable/.chainsaw-test/ss-good.yaml
+++ b/other/pdb-minavailable/.chainsaw-test/ss-good.yaml
@@ -16,7 +16,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
# Workload is not in PDB namespace.
apiVersion: apps/v1
@@ -36,7 +36,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
# Workload does not match PDB selector.
apiVersion: apps/v1
@@ -57,7 +57,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
# Workload has 0 replicas and is not in PDB namespace.
apiVersion: apps/v1
@@ -77,4 +77,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other/pdb-minavailable/artifacthub-pkg.yml b/other/pdb-minavailable/artifacthub-pkg.yml
index bb8be578f..9e6e3fed9 100644
--- a/other/pdb-minavailable/artifacthub-pkg.yml
+++ b/other/pdb-minavailable/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "PodDisruptionBudget, Deployment, StatefulSet"
-digest: f6f12d2b34642666ce110807b85756d86012a840a15f236c53e2a4866347b628
+digest: c1a7a9d5dfb23c4b6bcfc6bc3d0add8811e7d7967c4d5856c6ff692b16f3ef31
diff --git a/other/pdb-minavailable/pdb-minavailable.yaml b/other/pdb-minavailable/pdb-minavailable.yaml
index ef8c1d896..8c2c09737 100644
--- a/other/pdb-minavailable/pdb-minavailable.yaml
+++ b/other/pdb-minavailable/pdb-minavailable.yaml
@@ -15,7 +15,7 @@ metadata:
tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets which have
a matching PodDisruptionBudget to ensure these two values do not match.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: pdb-minavailable
diff --git a/other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b86d64eb2..97b3403b7 100755
--- a/other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: policy-for-exceptions
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 34cc2d581..4b2a40e77 100755
--- a/other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: prevent-bare-pods
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/prevent-bare-pods/.chainsaw-test/deployment.yaml b/other/prevent-bare-pods/.chainsaw-test/deployment.yaml
index 8ddcca3cc..69f5ff774 100644
--- a/other/prevent-bare-pods/.chainsaw-test/deployment.yaml
+++ b/other/prevent-bare-pods/.chainsaw-test/deployment.yaml
@@ -18,5 +18,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "30"]
\ No newline at end of file
diff --git a/other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml b/other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml
index be458efe5..94d7c7119 100644
--- a/other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml
+++ b/other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml
@@ -5,4 +5,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml
index f7e01fe38..95edb3b2c 100644
--- a/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml
+++ b/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml
@@ -10,4 +10,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/prevent-bare-pods/artifacthub-pkg.yml b/other/prevent-bare-pods/artifacthub-pkg.yml
index 8eb457c4c..c6c3aadc4 100644
--- a/other/prevent-bare-pods/artifacthub-pkg.yml
+++ b/other/prevent-bare-pods/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Other, EKS Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 3dcbd8d5c7a049035f8eb9c927348db667a6a5fd11a1ddd80e36b0588c6152ea
+digest: 533a2a23fe80fcd7b5337c209848b1bc4dfb325c28e315a53ec1cd925a087c22
diff --git a/other/prevent-bare-pods/prevent-bare-pods.yaml b/other/prevent-bare-pods/prevent-bare-pods.yaml
index ec9c7d4a3..52ff27a31 100644
--- a/other/prevent-bare-pods/prevent-bare-pods.yaml
+++ b/other/prevent-bare-pods/prevent-bare-pods.yaml
@@ -17,7 +17,7 @@ metadata:
This policy prevents such "bare" Pods from being created unless they originate
from a higher-level workload controller of some sort.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: bare-pods
diff --git a/other/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml b/other/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml
index 28649c6d3..61ca05d85 100644
--- a/other/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml
@@ -23,7 +23,7 @@ spec:
value: "foo=bar"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -43,5 +43,5 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml b/other/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml
index f919b1592..0286eded7 100644
--- a/other/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml
+++ b/other/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml
@@ -23,7 +23,7 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -43,5 +43,5 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/prevent-cr8escape/.chainsaw-test/pods-bad.yaml b/other/prevent-cr8escape/.chainsaw-test/pods-bad.yaml
index 6ef434f4a..d85d45d09 100644
--- a/other/prevent-cr8escape/.chainsaw-test/pods-bad.yaml
+++ b/other/prevent-cr8escape/.chainsaw-test/pods-bad.yaml
@@ -11,7 +11,7 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -26,4 +26,4 @@ spec:
value: "foo=bar"
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/prevent-cr8escape/.chainsaw-test/pods-good.yaml b/other/prevent-cr8escape/.chainsaw-test/pods-good.yaml
index c7519c65f..2281fcfca 100644
--- a/other/prevent-cr8escape/.chainsaw-test/pods-good.yaml
+++ b/other/prevent-cr8escape/.chainsaw-test/pods-good.yaml
@@ -11,18 +11,18 @@ spec:
value: "foo"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
metadata:
name: goodpod02
spec:
- securityContext:
- allowPrivilegeEscalation: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
+ securityContext:
+ allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
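Review bot: Moving `securityContext` under the container in `goodpod02` leaves this fixture with no pod-level `securityContext`, so it seems to stop covering the case the policy's `=(securityContext)` / `=(sysctls)` anchors are conditional on: a pod `securityContext` that is present but carries no `sysctls`. The move itself is correct, since `allowPrivilegeEscalation` is a container-level field, but the policy in this commit matches `spec.securityContext.sysctls`, and the following Pod in the file appears to cover the no-securityContext case already. I would keep a valid pod-level field as well, for example `securityContext:` with `fsGroup: 2000` directly under `spec:`, so that a regression in the anchor handling still fails this test. The remaining Pods of the file are outside the hunk, so confirm none of them already does this.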
@@ -31,4 +31,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/prevent-cr8escape/artifacthub-pkg.yml b/other/prevent-cr8escape/artifacthub-pkg.yml
index 078babb4f..203aee69d 100644
--- a/other/prevent-cr8escape/artifacthub-pkg.yml
+++ b/other/prevent-cr8escape/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 67a50e864bbb6fae4b125140c3c19fd42f87a6b2b95f0ce269e6ee6128e81932
+digest: dee90f00f10e3d43caca49f65b30c3977a0350e6fc9a4cdc103dc35d64dcc32d
diff --git a/other/prevent-cr8escape/prevent-cr8escape.yaml b/other/prevent-cr8escape/prevent-cr8escape.yaml
index 2b49dd16d..c911bb9ec 100644
--- a/other/prevent-cr8escape/prevent-cr8escape.yaml
+++ b/other/prevent-cr8escape/prevent-cr8escape.yaml
@@ -16,7 +16,7 @@ metadata:
and gain root access to the host. The recommended remediation is to disallow
sysctl settings with + or = in their value.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: restrict-sysctls-cr8escape
@@ -26,9 +26,9 @@ spec:
kinds:
- Pod
validate:
- message: "characters '+' or '=' are not allowed in sysctls values"
+ message: "characters '+' or '=' are not allowed in sysctls values"
pattern:
spec:
=(securityContext):
=(sysctls):
- - =(value): "!*+* & !*=*"
\ No newline at end of file
+ - =(value): "!*+* & !*=*"
diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml
index dc9963c0d..a5dd0d042 100644
--- a/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml
+++ b/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: prevent-duplicate-hpa
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml
index 58f0031ac..3cda7d5f4 100644
--- a/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml
+++ b/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: prevent-duplicate-vpa
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/protect-node-taints/artifacthub-pkg.yml b/other/protect-node-taints/artifacthub-pkg.yml
index 533658df9..94b87d72e 100644
--- a/other/protect-node-taints/artifacthub-pkg.yml
+++ b/other/protect-node-taints/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Other"
kyverno/subject: "Node"
-digest: e7d59f8d6cda75ac07409a3a3db6799c9025cab95fc3e5967d155d589a2a43a9
+digest: cb8d6a738f2314bb4bb6816669699a6409387aff0712b91225366d014210ba57
diff --git a/other/protect-node-taints/protect-node-taints.yaml b/other/protect-node-taints/protect-node-taints.yaml
index efc995a7a..de0ca0e12 100644
--- a/other/protect-node-taints/protect-node-taints.yaml
+++ b/other/protect-node-taints/protect-node-taints.yaml
@@ -17,7 +17,7 @@ metadata:
requires, at minimum, one of the following versions of Kubernetes:
v1.18.18, v1.19.10, v1.20.6, or v1.21.0.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: protect-node-taints
diff --git a/other/record-creation-details/.chainsaw-test/pod-patch01.yaml b/other/record-creation-details/.chainsaw-test/pod-patch01.yaml
index c5ffb9d57..810e1d95f 100644
--- a/other/record-creation-details/.chainsaw-test/pod-patch01.yaml
+++ b/other/record-creation-details/.chainsaw-test/pod-patch01.yaml
@@ -7,4 +7,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/record-creation-details/.chainsaw-test/pod-patch02.yaml b/other/record-creation-details/.chainsaw-test/pod-patch02.yaml
index 0333b019f..8b8d1d8a2 100644
--- a/other/record-creation-details/.chainsaw-test/pod-patch02.yaml
+++ b/other/record-creation-details/.chainsaw-test/pod-patch02.yaml
@@ -7,4 +7,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/record-creation-details/.chainsaw-test/pod-patched.yaml b/other/record-creation-details/.chainsaw-test/pod-patched.yaml
index 7600a51a0..a8c7f5b58 100644
--- a/other/record-creation-details/.chainsaw-test/pod-patched.yaml
+++ b/other/record-creation-details/.chainsaw-test/pod-patched.yaml
@@ -12,4 +12,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/record-creation-details/.chainsaw-test/pod.yaml b/other/record-creation-details/.chainsaw-test/pod.yaml
index 4c2e703e9..1cd38e3ec 100644
--- a/other/record-creation-details/.chainsaw-test/pod.yaml
+++ b/other/record-creation-details/.chainsaw-test/pod.yaml
@@ -5,4 +5,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/record-creation-details/artifacthub-pkg.yml b/other/record-creation-details/artifacthub-pkg.yml
index 98f223764..051a414d6 100644
--- a/other/record-creation-details/artifacthub-pkg.yml
+++ b/other/record-creation-details/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Annotation"
-digest: 95a8dfcaaeb98c59c2ac31afcca749c7b01ee0cb0a1d4b0294f3b3bfb3573357
+digest: c2bf90639f2306db073513d79b29d842614423d651dad2c376bd773c83b346f2
diff --git a/other/record-creation-details/record-creation-details.yaml b/other/record-creation-details/record-creation-details.yaml
index 2c5a551bf..38b9c7cad 100644
--- a/other/record-creation-details/record-creation-details.yaml
+++ b/other/record-creation-details/record-creation-details.yaml
@@ -22,7 +22,7 @@ metadata:
all kinds ("*") it is highly recommend to more narrowly scope it to only
the resources which should be labeled.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: add-userinfo
diff --git a/other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-test.yaml b/other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-test.yaml
index a1179a8a9..7a1c2c053 100755
--- a/other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-test.yaml
+++ b/other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-test.yaml
@@ -24,10 +24,15 @@ spec:
try:
- apply:
file: deployment.yaml
- - name: step-03
- try:
- - sleep:
- duration: 5s
+ - wait:
+ apiVersion: v1
+ kind: Pod
+ namespace: refresh-env-var-ns
+ timeout: 1m
+ for:
+ condition:
+ name: Ready
+ value: 'true'
- script:
content: |
kubectl get pod -n refresh-env-var-ns --no-headers | awk '{print $1}' > deploy-names.txt
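Review bot: The new `wait` in this hunk names no Pod and no `selector`, so it applies to every Pod in `refresh-env-var-ns`, and if it starts before the Deployment controller has created any Pod it may fail straight away on an empty match instead of waiting (Chainsaw's `wait` appears to follow `kubectl wait` here; worth confirming). Scoping it makes the step deterministic: add `selector: <label of the Deployment's pod template>` under `wait:` (the label is not visible in this hunk). The same applies to the `wait` added in `other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml`, where the following script reads `pod01`, so `name: pod01` would fit. The hunk also drops `- name: step-03`, folding the wait and the script into the preceding step; the script continues outside the hunk.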
diff --git a/other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml b/other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml
index 8c6fcc342..50337a3de 100755
--- a/other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml
+++ b/other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml
@@ -38,8 +38,15 @@ spec:
file: chainsaw-step-03-apply-2.yaml
- name: step-04
try:
- - sleep:
- duration: 5s
+ - wait:
+ apiVersion: v1
+ kind: Pod
+ namespace: refresh-vols-ns
+ timeout: 1m
+ for:
+ condition:
+ name: Ready
+ value: 'true'
- script:
content: |
annotation=$(kubectl get pod pod01 -n refresh-vols-ns -o json | kyverno jp query "metadata.annotations.\"corp.org/random\" || '' " | tail -n 1 | cut -d '"' -f 2)
diff --git a/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml b/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml
index a8989f2ab..e18da3573 100644
--- a/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml
+++ b/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml
@@ -7,17 +7,17 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: config-vol
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: foo
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
diff --git a/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml b/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml
index 8c9d75a51..e182bbc32 100644
--- a/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml
+++ b/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml
@@ -7,14 +7,14 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: foo
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml
index dd850344b..0831ab7ee 100644
--- a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml
+++ b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml
@@ -7,17 +7,17 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml
index 5823e1a99..2d69f1266 100644
--- a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml
+++ b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml
@@ -7,12 +7,12 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: config-vol
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml
index 7e8c842bd..8a48b8687 100644
--- a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml
+++ b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml
@@ -7,7 +7,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml
index 62a4ea1c3..b520b7761 100644
--- a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml
+++ b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml
@@ -7,14 +7,14 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: config-vol
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pods.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pods.yaml
index 597250679..b8a610b58 100644
--- a/other/remove-hostpath-volumes/.chainsaw-test/pods.yaml
+++ b/other/remove-hostpath-volumes/.chainsaw-test/pods.yaml
@@ -7,21 +7,21 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /test-pd
name: foo
- mountPath: /foo
name: empty
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
- mountPath: /test-pd
name: bar
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
@@ -46,12 +46,12 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: config-vol
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
@@ -79,7 +79,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -101,17 +101,17 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: config-vol
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: foo
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
@@ -139,14 +139,14 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: foo
- name: busybox03
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched01.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched01.yaml
index 7fe897c39..ba3fc9c5f 100644
--- a/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched01.yaml
+++ b/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched01.yaml
@@ -6,12 +6,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
readOnly: true
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
readOnly: true
diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched02.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched02.yaml
index c5ff1df27..b7c2e0e08 100644
--- a/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched02.yaml
+++ b/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched02.yaml
@@ -8,9 +8,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pod-patched.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pod-patched.yaml
index 1a9d41e47..ca17e41b1 100644
--- a/other/remove-serviceaccount-token/.chainsaw-test/pod-patched.yaml
+++ b/other/remove-serviceaccount-token/.chainsaw-test/pod-patched.yaml
@@ -6,9 +6,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pod-patched02.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pod-patched02.yaml
index c26aa7af7..1963fae18 100644
--- a/other/remove-serviceaccount-token/.chainsaw-test/pod-patched02.yaml
+++ b/other/remove-serviceaccount-token/.chainsaw-test/pod-patched02.yaml
@@ -7,7 +7,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: config-vol
diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pods.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pods.yaml
index f79271c58..20573908e 100644
--- a/other/remove-serviceaccount-token/.chainsaw-test/pods.yaml
+++ b/other/remove-serviceaccount-token/.chainsaw-test/pods.yaml
@@ -6,9 +6,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,9 +18,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
@@ -39,7 +39,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: config-vol
@@ -65,9 +65,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /foo
name: empty
diff --git a/other/replace-image-registry-with-harbor/.chainsaw-test/policy-ready.yaml b/other/replace-image-registry-with-harbor/.chainsaw-test/policy-ready.yaml
index f8afe83e1..bb75ef485 100644
--- a/other/replace-image-registry-with-harbor/.chainsaw-test/policy-ready.yaml
+++ b/other/replace-image-registry-with-harbor/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: replace-image-registry-with-harbor
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/replace-image-registry/.chainsaw-test/pods.yaml b/other/replace-image-registry/.chainsaw-test/pods.yaml
index 34c9f6f41..431e2298a 100644
--- a/other/replace-image-registry/.chainsaw-test/pods.yaml
+++ b/other/replace-image-registry/.chainsaw-test/pods.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
---
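Review bot: The first container's image changes from the unqualified `busybox:1.35` to `ghcr.io/busybox:1.35`, which removes the only visible input without an explicit registry from this fixture. For a registry-rewrite policy the unqualified reference is the case most likely to slip past the rewrite, because the registry is implied rather than written, so it is worth keeping one container with it, e.g. an extra `- name: busybox03` with `image: busybox:1.35`. `ghcr.io/busybox` also has no owner segment, unlike the `ghcr.io/kyverno/test-busybox` used elsewhere in this commit, so it is presumably not pullable if the test ever needs the Pod to start; a comment such as `# registry-qualified input, never pulled` would make that intent explicit. The expected patched output and the rest of the file are outside this hunk.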
diff --git a/other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index fd8ed662a..263c5c382 100755
--- a/other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-annotations
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-annotations/.chainsaw-test/pod-bad.yaml b/other/require-annotations/.chainsaw-test/pod-bad.yaml
index 9b0858baf..67847efb5 100644
--- a/other/require-annotations/.chainsaw-test/pod-bad.yaml
+++ b/other/require-annotations/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,4 +16,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-annotations/.chainsaw-test/pod-good.yaml b/other/require-annotations/.chainsaw-test/pod-good.yaml
index 921c8ccbc..595021867 100644
--- a/other/require-annotations/.chainsaw-test/pod-good.yaml
+++ b/other/require-annotations/.chainsaw-test/pod-good.yaml
@@ -7,4 +7,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-annotations/.chainsaw-test/podcontroller-bad.yaml b/other/require-annotations/.chainsaw-test/podcontroller-bad.yaml
index a5b33062f..1c921aa36 100644
--- a/other/require-annotations/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-annotations/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -34,5 +34,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/require-annotations/.chainsaw-test/podcontroller-good.yaml b/other/require-annotations/.chainsaw-test/podcontroller-good.yaml
index 3141ba5a2..be29b46ab 100644
--- a/other/require-annotations/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-annotations/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,5 +36,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/require-annotations/artifacthub-pkg.yml b/other/require-annotations/artifacthub-pkg.yml
index 0e0b55a67..05bd74b20 100644
--- a/other/require-annotations/artifacthub-pkg.yml
+++ b/other/require-annotations/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Other"
kyverno/subject: "Pod, Annotation"
-digest: fafe53fa9a2931eba4755bff2e2a8dfeced08c3fa02593c966d9a07fdd4ae604
+digest: 8a834315ded9e0c9db8c138cc02ff5d8bf0791428f01379aafcfe2158d06d4a4
diff --git a/other/require-annotations/require-annotations.yaml b/other/require-annotations/require-annotations.yaml
index 25cbec47e..8a8b95c16 100644
--- a/other/require-annotations/require-annotations.yaml
+++ b/other/require-annotations/require-annotations.yaml
@@ -13,7 +13,7 @@ metadata:
all tools can understand. The recommended annotations describe applications in a way that can be
queried. This policy validates that the annotation `corp.org/department` is specified with some value.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-for-annotation
diff --git a/other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 9b92524c0..40047293c 100755
--- a/other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-base-image
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
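Review bot: The new assertion on `status.conditions` pins the whole list to a single entry, so the step may fail if the policy ever reports a second condition while Ready is still True. This assumes Chainsaw compares arrays element by element with matching length, which is worth confirming for the version pinned in CI. Selecting the condition by type keeps the check on the one thing the test means, for example `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The empty `+` line after `type: Ready` also leaves a stray blank line at the end of the file. The same block is added in the step-01 asserts for require-container-port-names, require-cpu-limits, require-deployments-have-multiple-replicas and require-emptydir-requests-limits.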
diff --git a/other/require-base-image/.chainsaw-test/pod-bad.yaml b/other/require-base-image/.chainsaw-test/pod-bad.yaml
index 7223403a6..1cbc08a5f 100644
--- a/other/require-base-image/.chainsaw-test/pod-bad.yaml
+++ b/other/require-base-image/.chainsaw-test/pod-bad.yaml
@@ -8,7 +8,7 @@ spec:
- name: cowrie
image: docker.io/trithemius/cowrie:latest
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: kyverno
image: ghcr.io/kyverno/kyverno:latest
---
@@ -30,4 +30,4 @@ metadata:
spec:
containers:
- name: bb
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-base-image/.chainsaw-test/podcontroller-bad.yaml b/other/require-base-image/.chainsaw-test/podcontroller-bad.yaml
index abedca421..20a9e94fd 100644
--- a/other/require-base-image/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-base-image/.chainsaw-test/podcontroller-bad.yaml
@@ -20,7 +20,7 @@ spec:
- name: cowrie
image: docker.io/trithemius/cowrie:latest
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: bb
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: kyverno
image: ghcr.io/kyverno/kyverno:latest
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/require-base-image/artifacthub-pkg.yml b/other/require-base-image/artifacthub-pkg.yml
index db651d988..b9ef5f1f6 100644
--- a/other/require-base-image/artifacthub-pkg.yml
+++ b/other/require-base-image/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other, EKS Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 23dcc8f9a56d36ceb6f45b8c7e76b450472e5c22a4a701bea37c25c8df68984e
+digest: 6142ec32c660c1699f435d90d7d8cabf3125a2bc73ab1e910d518fe05c04385d
diff --git a/other/require-base-image/require-base-image.yaml b/other/require-base-image/require-base-image.yaml
index 99f77be7c..fe944e9c2 100644
--- a/other/require-base-image/require-base-image.yaml
+++ b/other/require-base-image/require-base-image.yaml
@@ -21,7 +21,7 @@ metadata:
to specify it using metadata or build directives of some sort (ex., Dockerfile FROM
statements do not automatically expose this information).
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: require-base-image
match:
diff --git a/other/require-container-port-names/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-container-port-names/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f8c44c430..ad3202354 100755
--- a/other/require-container-port-names/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-container-port-names/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-container-port-names
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-container-port-names/.chainsaw-test/pod-bad.yaml b/other/require-container-port-names/.chainsaw-test/pod-bad.yaml
index f55f602a1..a9be85d99 100644
--- a/other/require-container-port-names/.chainsaw-test/pod-bad.yaml
+++ b/other/require-container-port-names/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
---
@@ -16,12 +16,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- containerPort: 443
@@ -34,11 +34,11 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
name: http-port
diff --git a/other/require-container-port-names/.chainsaw-test/pod-good.yaml b/other/require-container-port-names/.chainsaw-test/pod-good.yaml
index 0825ba43a..1bbaa60e6 100644
--- a/other/require-container-port-names/.chainsaw-test/pod-good.yaml
+++ b/other/require-container-port-names/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
@@ -17,12 +17,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
diff --git a/other/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml b/other/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml
index dd9ac3feb..fd12ecd36 100644
--- a/other/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml
@@ -17,12 +17,12 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- containerPort: 443
@@ -41,12 +41,12 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
- containerPort: 443
diff --git a/other/require-container-port-names/.chainsaw-test/podcontroller-good.yaml b/other/require-container-port-names/.chainsaw-test/podcontroller-good.yaml
index f491d3aab..9f5f94e13 100644
--- a/other/require-container-port-names/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-container-port-names/.chainsaw-test/podcontroller-good.yaml
@@ -17,12 +17,12 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
@@ -42,12 +42,12 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: http-port
containerPort: 80
diff --git a/other/require-container-port-names/artifacthub-pkg.yml b/other/require-container-port-names/artifacthub-pkg.yml
index 6f6c29a31..8ecf33e21 100644
--- a/other/require-container-port-names/artifacthub-pkg.yml
+++ b/other/require-container-port-names/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 9be3e553fa8984998988824ca5700f9348d21fa777a1efefa78d82267cdcf140
+digest: ac5fa3fa26805f370d12458b3a71aa6ae305de03ed06b474e5825d58bd70e9a1
diff --git a/other/require-container-port-names/require-container-port-names.yaml b/other/require-container-port-names/require-container-port-names.yaml
index 2eed86e9f..c390ac15b 100644
--- a/other/require-container-port-names/require-container-port-names.yaml
+++ b/other/require-container-port-names/require-container-port-names.yaml
@@ -16,7 +16,7 @@ metadata:
the port number to change. This policy requires that for every containerPort defined
there is also a name specified.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: port-name
diff --git a/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b4edddc1d..c9d3557aa 100644
--- a/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-cpu-limits
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml b/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml
index 9a135528d..3bd362c8d 100644
--- a/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml
+++ b/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,9 +14,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -25,10 +25,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -37,15 +37,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -54,14 +54,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "50m"
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other/require-cpu-limits/.chainsaw-test/pod-good.yaml b/other/require-cpu-limits/.chainsaw-test/pod-good.yaml
index cadee0f49..ef95698f5 100644
--- a/other/require-cpu-limits/.chainsaw-test/pod-good.yaml
+++ b/other/require-cpu-limits/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
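Review bot: The `@sha256:5b6e7aed…` digest on the new `ghcr.io/kyverno/test-busybox:1.35` reference is carried over unchanged from the Docker Hub `busybox:1.35` line, and nothing in the diff shows that this digest exists in the new repository. When a reference carries both a tag and a digest, the digest is what is resolved, so a mirror that was re-pushed or built for a different platform set would leave these good-pod fixtures unpullable. Resolving the full reference against ghcr.io once before merge (a `docker pull` of it is enough) settles this. A fixture comment such as `# digest must match the ghcr.io mirror; re-check after any re-mirror` would record the dependency. The same applies to every other hunk in this file and to podcontroller-good.yaml in the same directory.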
@@ -17,12 +17,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: container02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -34,13 +34,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -52,18 +52,18 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: initcontainer02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -75,23 +75,23 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: initcontainer02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: container02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
diff --git a/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml b/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml
index ac56be204..fca1f7504 100644
--- a/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,9 +32,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -52,10 +52,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -73,15 +73,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -96,7 +96,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -111,9 +111,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -128,10 +128,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -146,13 +146,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
diff --git a/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml b/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml
index 330e0e9cb..ba862204f 100644
--- a/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -35,12 +35,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: container02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -61,13 +61,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -88,18 +88,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: initcontainer02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -120,23 +120,23 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: initcontainer02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: container02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -155,7 +155,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -173,12 +173,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: container02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -196,13 +196,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -220,18 +220,18 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: initcontainer02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
@@ -249,23 +249,23 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: initcontainer02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
containers:
- name: container01
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
- name: container02
- image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
+ image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d
resources:
limits:
cpu: "50m"
diff --git a/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b272d0794..64c9b55e6 100755
--- a/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: deployment-has-multiple-replicas
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml b/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml
index 4ec336991..a6afc9c8c 100644
--- a/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml
+++ b/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -40,9 +40,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -62,6 +62,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml b/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml
index a962c8e73..9eb0ce03a 100644
--- a/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml
+++ b/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -40,6 +40,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-deployments-have-multiple-replicas/artifacthub-pkg.yml b/other/require-deployments-have-multiple-replicas/artifacthub-pkg.yml
index 3a4843fb4..e6646d6e5 100644
--- a/other/require-deployments-have-multiple-replicas/artifacthub-pkg.yml
+++ b/other/require-deployments-have-multiple-replicas/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Deployment"
-digest: c51f69dfe47a743104560fa0dadb1c7dcf60d98ed66eb1d142e5891ac7213f1a
+digest: c3af9217dcb041aef987c0018fe2e2b405964f03d5f37481fe75c2e434abb4cc
diff --git a/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml b/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
index bb1c38b39..f65200876 100644
--- a/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
+++ b/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
@@ -13,7 +13,7 @@ metadata:
may suffer downtime if that one replica goes down. This policy validates that Deployments
have more than one replica.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: deployment-has-multiple-replicas
diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml
index da2b7cd1a..8dea0db19 100644
--- a/other/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml
+++ b/other/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml
@@ -6,7 +6,7 @@ metadata:
name: badpod01
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/foo
@@ -16,18 +16,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/vol
name: vol
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo-host
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 9aa39646d..7ce8296f7 100755
--- a/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-emptydir-requests-and-limits
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml
index b515750a6..be38730f2 100644
--- a/other/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml
+++ b/other/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml
@@ -4,12 +4,12 @@ metadata:
name: badpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -26,7 +26,7 @@ metadata:
name: badpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /cache/data
@@ -41,12 +41,12 @@ metadata:
name: badpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/vol
name: vol
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumeMounts:
- mountPath: /mnt/foo
@@ -64,7 +64,7 @@ metadata:
name: badpod04
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/foo
@@ -74,18 +74,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/vol
name: vol
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/vol
name: vol
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -108,7 +108,7 @@ metadata:
name: badpod05
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
@@ -126,7 +126,7 @@ metadata:
name: badpod06
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
@@ -144,7 +144,7 @@ metadata:
name: badpod07
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
limits:
diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml
index 2af525da3..c99ae5a9b 100644
--- a/other/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml
+++ b/other/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml
@@ -4,7 +4,7 @@ metadata:
name: goodpod01
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
resources:
requests:
@@ -24,7 +24,7 @@ metadata:
name: goodpod02
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: v1
@@ -33,7 +33,7 @@ metadata:
name: goodpod03
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /cache/data
@@ -49,7 +49,7 @@ metadata:
name: goodpod04
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/vol
@@ -59,18 +59,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/foo
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -93,20 +93,20 @@ metadata:
name: goodpod05
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/foo
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: vol
@@ -121,7 +121,7 @@ metadata:
name: goodpod06
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
@@ -131,7 +131,7 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo
@@ -143,12 +143,12 @@ metadata:
name: goodpod07
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
volumes:
- name: foo
@@ -162,7 +162,7 @@ metadata:
spec:
initContainers:
- name: certificates
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
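Review bot: The `certificates` init container here, and `configure` and `my-app` in the next two hunks of this file, reference `ghcr.io/kyverno/test-busybox` with no tag or digest, so the runtime resolves the reference to `latest`. These sit in pod-good.yaml, whose pods are presumably admitted and pulled, so a floating tag makes the test depend on whatever the mirror currently serves. Pinning them like the other pods in this file, `image: ghcr.io/kyverno/test-busybox:1.35`, keeps the fixture reproducible. The pod definition starts above the hunk, so this is judged from the visible lines only.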
@@ -172,7 +172,7 @@ spec:
requests:
ephemeral-storage: 256Mi
- name: configure
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
@@ -185,7 +185,7 @@ spec:
ephemeral-storage: 256Mi
containers:
- name: my-app
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
resources:
limits:
cpu: "2"
diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml
index d32c2c22d..7983cee46 100644
--- a/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml
@@ -16,23 +16,23 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/vol
name: vol
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo-host
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -63,7 +63,7 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/foo
@@ -73,18 +73,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/vol
name: vol
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo-host
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml
index 70b656486..bbea194f0 100644
--- a/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/vol
@@ -26,18 +26,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/foo
name: foo-host
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
@@ -68,7 +68,7 @@ spec:
template:
spec:
initContainers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox-init
volumeMounts:
- mountPath: /mnt/vol
@@ -78,18 +78,18 @@ spec:
ephemeral-storage: "2Gi"
limits:
ephemeral-storage: "2Gi"
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02-init
volumeMounts:
- mountPath: /mnt/foo
name: foo
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
volumeMounts:
- mountPath: /mnt/foo
name: foo
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox02
resources:
requests:
diff --git a/other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index c0c44a2a1..e004556f1 100755
--- a/other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-image-checksum
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
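Review bot: The `conditions` assertion added under `status:` matches the whole list literally, so it holds only while the policy reports exactly one condition and the reason string stays `Succeeded`. If I read Chainsaw's list matching correctly, a second condition on the ClusterPolicy would fail this step even though the policy is ready; a filtered form such as `(conditions[?type == 'Ready']):` with `- status: "True"` checks only the condition that matters. The hunk also adds an empty line at the end of the file, which can be dropped. The same assertion is added in the step-01 assert files for require-image-source, require-imagepullsecrets, require-ingress-https, require-netpol and require-non-root-groups.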
diff --git a/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml b/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml
index cfdacda24..0b6a5d300 100644
--- a/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml
+++ b/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml
@@ -5,6 +5,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
command: ["sleep", "1d"]
diff --git a/other/require-image-checksum/.chainsaw-test/pod-bad.yaml b/other/require-image-checksum/.chainsaw-test/pod-bad.yaml
index 325985fc1..369a602ab 100644
--- a/other/require-image-checksum/.chainsaw-test/pod-bad.yaml
+++ b/other/require-image-checksum/.chainsaw-test/pod-bad.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
---
apiVersion: v1
kind: Pod
@@ -16,9 +16,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox
+ image: ghcr.io/kyverno/test-busybox
- name: bb
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
---
apiVersion: v1
kind: Pod
@@ -27,14 +27,14 @@ metadata:
spec:
initContainers:
- name: init-busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ['sh', '-c', 'echo Init container 1 completed']
- name: init-alpine
image: alpine:3.16
command: ['sh', '-c', 'echo Init container 2 completed']
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
---
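Review bot: `init-alpine` keeps `image: alpine:3.16` while every other image in this file moves to the `ghcr.io/kyverno/` test mirror, so this pod is the one fixture here still pointing at Docker Hub. If the move is meant to remove the Docker Hub dependency from the tests, this line was missed; if it stays on purpose, a comment such as `# intentionally left on Docker Hub` above it would say so. The pod is in pod-bad.yaml and is presumably rejected before any pull, so the effect is on consistency rather than on the test run.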
diff --git a/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml b/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml
index 4e2a4bea4..461519b56 100644
--- a/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml
+++ b/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
command: ["sleep", "1d"]
diff --git a/other/require-image-checksum/.chainsaw-test/pod-good.yaml b/other/require-image-checksum/.chainsaw-test/pod-good.yaml
index 99d09cc75..5e29724b6 100644
--- a/other/require-image-checksum/.chainsaw-test/pod-good.yaml
+++ b/other/require-image-checksum/.chainsaw-test/pod-good.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: busybox02
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
---
apiVersion: v1
kind: Pod
@@ -16,9 +16,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
---
apiVersion: v1
kind: Pod
@@ -27,14 +27,14 @@ metadata:
spec:
initContainers:
- name: init-busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
command: ['sh', '-c', 'echo Init container 1 completed']
- name: init-nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
command: ['sh', '-c', 'echo Init container 2 completed']
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
---
diff --git a/other/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml b/other/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml
index 94553ecae..94b3efb8a 100644
--- a/other/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
---
apiVersion: batch/v1
kind: CronJob
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: bb
- image: busybox:latest
+ image: ghcr.io/kyverno/test-busybox:latest
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/require-image-checksum/.chainsaw-test/podcontroller-good.yaml b/other/require-image-checksum/.chainsaw-test/podcontroller-good.yaml
index adbbf001b..2e1dcb3dd 100644
--- a/other/require-image-checksum/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-image-checksum/.chainsaw-test/podcontroller-good.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
---
apiVersion: batch/v1
kind: CronJob
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+ image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d
- name: nginx
- image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+ image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index dac18803b..f364f02c5 100755
--- a/other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-image-source
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-image-source/artifacthub-pkg.yml b/other/require-image-source/artifacthub-pkg.yml
index b6e7f081d..02ca86dd7 100644
--- a/other/require-image-source/artifacthub-pkg.yml
+++ b/other/require-image-source/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 439869ce881c7a4eea43180435dad9eb03c5c9c2cfae470822de7b988b2da514
+digest: f3c463c88038c56cc9f24daec7120fe2c99871d023b03908d2936e2a183c7488
diff --git a/other/require-image-source/require-image-source.yaml b/other/require-image-source/require-image-source.yaml
index 3f475a19b..de17213e4 100644
--- a/other/require-image-source/require-image-source.yaml
+++ b/other/require-image-source/require-image-source.yaml
@@ -18,7 +18,7 @@ metadata:
either a label `org.opencontainers.image.source` or a newer annotation in the
manifest of the same name.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: check-source
match:
diff --git a/other/require-imagepullsecrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-imagepullsecrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 2dea3c73c..cd574d50d 100755
--- a/other/require-imagepullsecrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-imagepullsecrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-imagepullsecrets
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-imagepullsecrets/.chainsaw-test/pod-bad.yaml b/other/require-imagepullsecrets/.chainsaw-test/pod-bad.yaml
index 7752ff1f1..90485653d 100644
--- a/other/require-imagepullsecrets/.chainsaw-test/pod-bad.yaml
+++ b/other/require-imagepullsecrets/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: busybox
---
apiVersion: v1
kind: Pod
@@ -13,10 +13,10 @@ metadata:
name: badpod02
spec:
containers:
- - name: nginx
+ - name: test
image: ghcr.io/kyverno/test-verify-image:unsigned
- name: busybox
- image: busybox:1.35
+ image: docker.io/library/busybox:latest
---
apiVersion: v1
kind: Pod
@@ -25,9 +25,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: docker.io/library/busybox:latest
- name: nginx
- image: ghcr.io/kyverno/test-verify-image:unsigned
+ image: test
---
apiVersion: v1
kind: Pod
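Review bot: The `nginx` container now has `image: test`, a bare short name with no registry and no tag, and in the previous hunk a container was renamed to `test` while keeping its ghcr.io image, so the two edits read as if name and image values were mixed up. If the short name is deliberate, to cover the case where the registry has to be defaulted, a comment such as `# short name: no registry given, must still require a pull secret` above the line would make that clear. Otherwise an explicit reference like the `docker.io/library/busybox:latest` used on the container above keeps the negative case unambiguous.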
@@ -38,4 +38,4 @@ spec:
- name: busybox
image: quay.io/quay/busybox:1.35
- name: busybox02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
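Review bot: After this change both containers visible in the last pod pull from quay.io and ghcr.io, the two registries that the policy description in this commit exempts from needing an `imagePullSecret`. Unless a container outside the hunk uses another registry, the pod no longer violates the policy, so a step that expects it to be rejected would fail, or the case would silently stop being covered. Keeping `busybox02` on a non-exempt registry, for example `image: docker.io/library/busybox:1.35`, preserves it as a negative fixture. The pod's metadata and the start of `containers:` are above the hunk.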
diff --git a/other/require-imagepullsecrets/.chainsaw-test/pod-good.yaml b/other/require-imagepullsecrets/.chainsaw-test/pod-good.yaml
index ec771040e..cf44ccd83 100644
--- a/other/require-imagepullsecrets/.chainsaw-test/pod-good.yaml
+++ b/other/require-imagepullsecrets/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: myregistrykey
---
@@ -27,7 +27,7 @@ spec:
- name: nginx
image: ghcr.io/kyverno/test-verify-image:unsigned
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: myregistrykey
---
@@ -38,7 +38,7 @@ metadata:
spec:
containers:
- name: nginx
- image: nginx:1.12
+ image: ghcr.io/kyverno/test-nginx:1.12
- name: busybox
image: quay.io/quay/busybox
imagePullSecrets:
diff --git a/other/require-imagepullsecrets/.chainsaw-test/podcontroller-bad.yaml b/other/require-imagepullsecrets/.chainsaw-test/podcontroller-bad.yaml
index b045809ce..6d54ff516 100644
--- a/other/require-imagepullsecrets/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-imagepullsecrets/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: docker.io/library/busybox:latest
- name: nginx
image: ghcr.io/kyverno/test-verify-image:unsigned
---
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: nginx
- image: ghcr.io/kyverno/test-verify-image:unsigned
+ image: docker.io/library/busybox:latest
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/require-imagepullsecrets/.chainsaw-test/podcontroller-good.yaml b/other/require-imagepullsecrets/.chainsaw-test/podcontroller-good.yaml
index 42e09323a..145420ad8 100644
--- a/other/require-imagepullsecrets/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-imagepullsecrets/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
- name: nginx
image: ghcr.io/kyverno/test-verify-image:unsigned
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: myregistrykey
---
@@ -37,7 +37,7 @@ spec:
- name: nginx
image: ghcr.io/kyverno/test-verify-image:unsigned
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
imagePullSecrets:
- name: myregistrykey
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/require-imagepullsecrets/artifacthub-pkg.yml b/other/require-imagepullsecrets/artifacthub-pkg.yml
index a4f1a2be1..01f0b55fc 100644
--- a/other/require-imagepullsecrets/artifacthub-pkg.yml
+++ b/other/require-imagepullsecrets/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: f3c4d38ad9226792773c837a5d87c53785a7b5e81cd32c9d6904afed09f05658
+digest: d8d0e0f4e0c34ddb01bcce40e04b12250f31258dd65e86cf3d6698e943bd4f39
diff --git a/other/require-imagepullsecrets/require-imagepullsecrets.yaml b/other/require-imagepullsecrets/require-imagepullsecrets.yaml
index ba65bf9b9..bbae63228 100644
--- a/other/require-imagepullsecrets/require-imagepullsecrets.yaml
+++ b/other/require-imagepullsecrets/require-imagepullsecrets.yaml
@@ -12,7 +12,7 @@ metadata:
from them. This policy checks those images and if they come from a registry
other than ghcr.io or quay.io an `imagePullSecret` is required.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-for-image-pull-secrets
diff --git a/other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 4fa797722..ba4f64d57 100755
--- a/other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-ingress-https
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-ingress-https/.chainsaw-test/ingress-bad.yaml b/other/require-ingress-https/.chainsaw-test/ingress-bad.yaml
index ae1d49976..c3d232f9b 100644
--- a/other/require-ingress-https/.chainsaw-test/ingress-bad.yaml
+++ b/other/require-ingress-https/.chainsaw-test/ingress-bad.yaml
@@ -32,7 +32,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -64,7 +64,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -99,7 +99,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/require-ingress-https/.chainsaw-test/ingress-good.yaml b/other/require-ingress-https/.chainsaw-test/ingress-good.yaml
index 2a168ed5f..acd7a9317 100644
--- a/other/require-ingress-https/.chainsaw-test/ingress-good.yaml
+++ b/other/require-ingress-https/.chainsaw-test/ingress-good.yaml
@@ -9,7 +9,7 @@ spec:
ingressClassName: someingress
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -33,7 +33,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -43,7 +43,7 @@ spec:
port:
number: 80
- host: endpoint02
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/require-ingress-https/.kyverno-test/resource.yaml b/other/require-ingress-https/.kyverno-test/resource.yaml
index a97cba4e7..e1a3fa535 100644
--- a/other/require-ingress-https/.kyverno-test/resource.yaml
+++ b/other/require-ingress-https/.kyverno-test/resource.yaml
@@ -32,7 +32,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -64,7 +64,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -99,7 +99,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -130,7 +130,7 @@ spec:
ingressClassName: someingress
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -154,7 +154,7 @@ spec:
ingressClassName: nginx-int
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -164,7 +164,7 @@ spec:
port:
number: 80
- host: endpoint02
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/require-ingress-https/artifacthub-pkg.yml b/other/require-ingress-https/artifacthub-pkg.yml
index 74f1bbfd3..1c33821f8 100644
--- a/other/require-ingress-https/artifacthub-pkg.yml
+++ b/other/require-ingress-https/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Ingress"
-digest: 982d69a4f52345017974fd7bb4d7de95223a9ab3570caae9796c5f99374d5e02
+digest: cdb852e2d5ddb156f5e85f1762d96019ea169f10cac73cace3b0cc5a50383e0e
diff --git a/other/require-ingress-https/require-ingress-https.yaml b/other/require-ingress-https/require-ingress-https.yaml
index 245c2e963..446c18638 100644
--- a/other/require-ingress-https/require-ingress-https.yaml
+++ b/other/require-ingress-https/require-ingress-https.yaml
@@ -16,7 +16,7 @@ metadata:
`"false"` and specify TLS in the spec.
spec:
background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: has-annotation
match:
diff --git a/other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 4c125b9cf..8f601d225 100755
--- a/other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-network-policy
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-netpol/.chainsaw-test/deploy-bad.yaml b/other/require-netpol/.chainsaw-test/deploy-bad.yaml
index b519536ec..182791010 100644
--- a/other/require-netpol/.chainsaw-test/deploy-bad.yaml
+++ b/other/require-netpol/.chainsaw-test/deploy-bad.yaml
@@ -15,7 +15,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
---
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
---
@@ -57,7 +57,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -78,4 +78,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-netpol/.chainsaw-test/deploy-good.yaml b/other/require-netpol/.chainsaw-test/deploy-good.yaml
index 5ae682bba..434f62123 100644
--- a/other/require-netpol/.chainsaw-test/deploy-good.yaml
+++ b/other/require-netpol/.chainsaw-test/deploy-good.yaml
@@ -15,7 +15,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
---
@@ -38,7 +38,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -60,4 +60,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-netpol/artifacthub-pkg.yml b/other/require-netpol/artifacthub-pkg.yml
index 4f08f4b1d..924016008 100644
--- a/other/require-netpol/artifacthub-pkg.yml
+++ b/other/require-netpol/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Deployment, NetworkPolicy"
-digest: d686b188180446c5c25e5bcfa3964da763bffa1a81bda457563c6f965fe2b9b7
+digest: 29a64b1f99f0a4219f4f077557f0774f61ce728e6bb77b082e6e22c5c02ca9ae
diff --git a/other/require-netpol/require-netpol.yaml b/other/require-netpol/require-netpol.yaml
index 87da7eb3d..f8a4d848a 100644
--- a/other/require-netpol/require-netpol.yaml
+++ b/other/require-netpol/require-netpol.yaml
@@ -15,7 +15,7 @@ metadata:
traffic. This policy checks incoming Deployments to ensure
they have a matching, preexisting NetworkPolicy.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: require-network-policy
diff --git a/other/require-non-root-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-non-root-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b51263787..637e72bac 100755
--- a/other/require-non-root-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-non-root-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-non-root-groups
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-non-root-groups/.chainsaw-test/pod-bad.yaml b/other/require-non-root-groups/.chainsaw-test/pod-bad.yaml
index af72489a1..64313b235 100644
--- a/other/require-non-root-groups/.chainsaw-test/pod-bad.yaml
+++ b/other/require-non-root-groups/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -36,7 +36,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -49,9 +49,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -60,9 +60,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -73,9 +73,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -86,9 +86,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -101,11 +101,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -118,12 +118,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -134,10 +134,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -150,12 +150,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -168,12 +168,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -184,14 +184,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -202,12 +202,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -218,7 +218,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [0]
---
@@ -229,7 +229,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [14,0]
---
@@ -240,7 +240,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
fsGroup: 0
---
diff --git a/other/require-non-root-groups/.chainsaw-test/pod-good.yaml b/other/require-non-root-groups/.chainsaw-test/pod-good.yaml
index 712cd7520..5a1a5a4f7 100644
--- a/other/require-non-root-groups/.chainsaw-test/pod-good.yaml
+++ b/other/require-non-root-groups/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
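Review bot: The replacement `image:` line still references the image by the mutable tag `1.35`, so what these fixtures pull depends on whatever the registry serves for that tag at run time. If the pods are actually scheduled during the Chainsaw run (not visible in this hunk), appending the digest would make the tests reproducible and any change to the mirrored image visible in review: `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-of-mirrored-image>`. The same applies to the other `image:` replacements in this file and in the neighbouring pod-bad, podcontroller-bad/-good, require-pdb, require-pod-priorityclassname and require-qos-burstable fixtures. The Pod manifest begins above the hunk.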
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -27,7 +27,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -40,9 +40,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -53,9 +53,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -68,10 +68,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -82,12 +82,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -98,12 +98,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -114,14 +114,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -132,16 +132,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -152,7 +152,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32]
@@ -164,7 +164,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32,94]
@@ -176,7 +176,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
fsGroup: 32
\ No newline at end of file
diff --git a/other/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml b/other/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml
index 5f56fe9c0..b6ab78f8e 100644
--- a/other/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -52,7 +52,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -72,7 +72,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -94,9 +94,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -114,9 +114,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -136,9 +136,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -158,9 +158,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -182,11 +182,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -208,12 +208,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -233,10 +233,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -258,12 +258,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -285,12 +285,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -310,14 +310,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -337,12 +337,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -359,7 +359,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -374,7 +374,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -391,7 +391,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -408,7 +408,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -427,9 +427,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -444,9 +444,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -463,9 +463,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -482,9 +482,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -503,11 +503,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
securityContext:
@@ -526,12 +526,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -548,10 +548,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -570,12 +570,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -594,12 +594,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -616,14 +616,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -640,12 +640,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 0
---
@@ -665,7 +665,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [0]
---
@@ -685,7 +685,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [14,0]
---
@@ -702,7 +702,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [0]
---
@@ -719,7 +719,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
supplementalGroups: [14,0]
---
@@ -739,7 +739,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
fsGroup: 0
---
@@ -756,6 +756,6 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
fsGroup: 0
\ No newline at end of file
diff --git a/other/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml b/other/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml
index 221eae1a4..c8edb5d19 100644
--- a/other/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -54,7 +54,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -76,9 +76,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -98,9 +98,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -122,10 +122,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -145,12 +145,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -170,12 +170,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -195,14 +195,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -222,16 +222,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -249,7 +249,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -266,7 +266,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -283,7 +283,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -302,9 +302,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -321,9 +321,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
securityContext:
@@ -342,10 +342,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -362,12 +362,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -384,12 +384,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -406,14 +406,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -430,16 +430,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
---
@@ -459,7 +459,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32]
@@ -480,7 +480,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32,94]
@@ -498,7 +498,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32]
@@ -516,7 +516,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
supplementalGroups: [32,94]
@@ -537,7 +537,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
fsGroup: 32
@@ -555,7 +555,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsGroup: 1
fsGroup: 32
diff --git a/other/require-non-root-groups/artifacthub-pkg.yml b/other/require-non-root-groups/artifacthub-pkg.yml
index dd9b5a84c..0d4fc388b 100644
--- a/other/require-non-root-groups/artifacthub-pkg.yml
+++ b/other/require-non-root-groups/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Sample, EKS Best Practices"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: bacd5ec5a02c3be4fb7be44e3ecc9f4adef25539e3c363fd295494e9702843c4
+digest: 541ab5a775533b779bf097c3690b94eccee05dfd9938714950ae21ccebdac1cd
diff --git a/other/require-non-root-groups/require-non-root-groups.yaml b/other/require-non-root-groups/require-non-root-groups.yaml
index 450ec1c64..1e855ca33 100644
--- a/other/require-non-root-groups/require-non-root-groups.yaml
+++ b/other/require-non-root-groups/require-non-root-groups.yaml
@@ -16,7 +16,7 @@ metadata:
greater than zero (i.e., non root). A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-runasgroup
diff --git a/other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index e82f379c7..8c2b4707b 100755
--- a/other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-pdb
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-pdb/.chainsaw-test/deploy-bad.yaml b/other/require-pdb/.chainsaw-test/deploy-bad.yaml
index b86c8bfbb..7886dee79 100644
--- a/other/require-pdb/.chainsaw-test/deploy-bad.yaml
+++ b/other/require-pdb/.chainsaw-test/deploy-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -39,4 +39,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-pdb/.chainsaw-test/deploy-good.yaml b/other/require-pdb/.chainsaw-test/deploy-good.yaml
index 2512d20a3..6a4f7f2e1 100644
--- a/other/require-pdb/.chainsaw-test/deploy-good.yaml
+++ b/other/require-pdb/.chainsaw-test/deploy-good.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -39,4 +39,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-pdb/.chainsaw-test/ss-bad.yaml b/other/require-pdb/.chainsaw-test/ss-bad.yaml
index d27b52eb1..02d9a3b2a 100644
--- a/other/require-pdb/.chainsaw-test/ss-bad.yaml
+++ b/other/require-pdb/.chainsaw-test/ss-bad.yaml
@@ -15,7 +15,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: StatefulSet
@@ -35,4 +35,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-pdb/.chainsaw-test/ss-good.yaml b/other/require-pdb/.chainsaw-test/ss-good.yaml
index 2b962e004..b61262bd5 100644
--- a/other/require-pdb/.chainsaw-test/ss-good.yaml
+++ b/other/require-pdb/.chainsaw-test/ss-good.yaml
@@ -17,7 +17,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: StatefulSet
@@ -36,4 +36,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busbyox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other/require-pdb/artifacthub-pkg.yml b/other/require-pdb/artifacthub-pkg.yml
index 35bfe5bd0..6890900b2 100644
--- a/other/require-pdb/artifacthub-pkg.yml
+++ b/other/require-pdb/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Sample, EKS Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Deployment, PodDisruptionBudget"
-digest: fd512d593d6284ba1b90523d4c93368e193499dc30cf5a406b53d8d6ca75dc30
+digest: 13a247c0635beb4f7b605795a996fe6842bd742539b4df06d05ca7dc99a73354
diff --git a/other/require-pdb/require-pdb.yaml b/other/require-pdb/require-pdb.yaml
index 64d8a2acf..8033df82f 100644
--- a/other/require-pdb/require-pdb.yaml
+++ b/other/require-pdb/require-pdb.yaml
@@ -15,7 +15,7 @@ metadata:
to ensure they have a matching, preexisting PodDisruptionBudget.
Note: This policy must be run in `enforce` mode to ensure accuracy.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: require-pdb
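Review bot: The description line kept as context just above `spec:` says the policy must be run in `enforce` mode to ensure accuracy, yet the value set here is `Audit`, so as shipped a violation would presumably only be reported rather than rejected. The commit normalises the casing of the field but leaves both that mismatch and the lowercase spelling in the note. I would either change the default to `validationFailureAction: Enforce` or reword the note to match the canonical value, e.g. `Note: This policy must be set to Enforce to ensure accuracy.` The metadata block and the rule body continue outside the hunk.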
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml b/other/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
index 8ca6bd275..25c58c50b 100644
--- a/other/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: ""
---
apiVersion: v1
@@ -15,4 +15,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml b/other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
index 77c66a524..469a0f33a 100644
--- a/other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: high
\ No newline at end of file
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml b/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
index cbb574a94..c761d14a1 100644
--- a/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -29,4 +29,4 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml b/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
index c90891887..5396df2b8 100644
--- a/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: high
---
apiVersion: batch/v1
@@ -30,5 +30,5 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
priorityClassName: high
\ No newline at end of file
diff --git a/other/require-pod-priorityclassname/artifacthub-pkg.yml b/other/require-pod-priorityclassname/artifacthub-pkg.yml
index ad7219941..85d2fe331 100644
--- a/other/require-pod-priorityclassname/artifacthub-pkg.yml
+++ b/other/require-pod-priorityclassname/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Multi-Tenancy, EKS Best Practices"
kyverno/subject: "Pod"
-digest: cd90184711eef81fd5a640c90d12517c05360ba1f22eed6fb00a3d6585451549
+digest: 80346b515ceeb68cc07c7e605423063389772475dc8d14fbf316f6be329991ab
diff --git a/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml b/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml
index 746652bba..23d11fe71 100644
--- a/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml
+++ b/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml
@@ -15,7 +15,7 @@ metadata:
scheduling guarantees. This policy requires that a Pod defines the priorityClassName field
with some value.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: true
rules:
- name: check-priorityclassname
diff --git a/other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a8e1ef52a..1f02c7af6 100755
--- a/other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-qos-burstable
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-qos-burstable/.chainsaw-test/pod-bad.yaml b/other/require-qos-burstable/.chainsaw-test/pod-bad.yaml
index 94c229340..b16ba3020 100644
--- a/other/require-qos-burstable/.chainsaw-test/pod-bad.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,6 +18,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-burstable/.chainsaw-test/pod-good.yaml b/other/require-qos-burstable/.chainsaw-test/pod-good.yaml
index 9fd1bcce1..2ec7cf140 100644
--- a/other/require-qos-burstable/.chainsaw-test/pod-good.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/pod-good.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
@@ -24,9 +24,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
memory: "100Mi"
@@ -40,12 +40,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -56,9 +56,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: "1"
@@ -72,9 +72,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
cpu: "1"
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml b/other/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
index 88f2c188b..e91d8ed23 100644
--- a/other/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -31,6 +31,6 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml b/other/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
index a57f80ec2..dd1b477ff 100644
--- a/other/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
memory: "100Mi"
@@ -34,9 +34,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
cpu: "1"
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-burstable/artifacthub-pkg.yml b/other/require-qos-burstable/artifacthub-pkg.yml
index 99ef9e693..dd93ce0fc 100644
--- a/other/require-qos-burstable/artifacthub-pkg.yml
+++ b/other/require-qos-burstable/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Other, Multi-Tenancy"
kyverno/subject: "Pod"
-digest: 306ca9dddcba820b33b51b41e32884d7f21cdbfd3d244bfb481688ba44d34b5c
+digest: 0373fe0fb9acfb4ce9d2c70de1ed87e94fb223e8fdca74785ec1130a66f7859a
diff --git a/other/require-qos-burstable/require-qos-burstable.yaml b/other/require-qos-burstable/require-qos-burstable.yaml
index bbb5810e5..5f1ec55b8 100644
--- a/other/require-qos-burstable/require-qos-burstable.yaml
+++ b/other/require-qos-burstable/require-qos-burstable.yaml
@@ -16,7 +16,7 @@ metadata:
This policy is provided with the intention that users will need to control its scope by using
exclusions, preconditions, and other policy language mechanisms.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: burstable
diff --git a/other/require-qos-guaranteed/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-qos-guaranteed/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 7d014a1b1..08c5d44e0 100755
--- a/other/require-qos-guaranteed/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-qos-guaranteed
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml b/other/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
index 9cd0cbc6a..73a785cf5 100644
--- a/other/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -24,13 +24,13 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
cpu: "2"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
limits:
memory: "100Mi"
@@ -45,12 +45,12 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -61,6 +61,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-guaranteed/.chainsaw-test/pod-good.yaml b/other/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
index f9ae97536..0b9826f4d 100644
--- a/other/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
@@ -34,7 +34,7 @@ spec:
memory: "50Mi"
cpu: "2"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
diff --git a/other/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml b/other/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
index 7a363df17..37882316a 100644
--- a/other/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
@@ -14,14 +14,14 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
limits:
cpu: "1"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,9 +36,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
diff --git a/other/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml b/other/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
index b9d919b36..514a21f0e 100644
--- a/other/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "200Mi"
@@ -23,7 +23,7 @@ spec:
memory: "200Mi"
cpu: "2"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -45,7 +45,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "100Mi"
@@ -54,7 +54,7 @@ spec:
memory: "100Mi"
cpu: "1"
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
resources:
requests:
memory: "50Mi"
diff --git a/other/require-qos-guaranteed/artifacthub-pkg.yml b/other/require-qos-guaranteed/artifacthub-pkg.yml
index 5a67ea056..b98b980ef 100644
--- a/other/require-qos-guaranteed/artifacthub-pkg.yml
+++ b/other/require-qos-guaranteed/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Other, Multi-Tenancy"
kyverno/subject: "Pod"
-digest: 3ecceebb826c81f7b5519068a0148af2d3d45055ceff3ad31fd9b21551c1a904
+digest: 9e79f00aeb00fc07f1b30cb8db0aa6e43b578a4668bce76c14e1094e06e59c6d
diff --git a/other/require-qos-guaranteed/require-qos-guaranteed.yaml b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
index 8f1f0f3ac..1e30cf89f 100644
--- a/other/require-qos-guaranteed/require-qos-guaranteed.yaml
+++ b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
@@ -17,7 +17,7 @@ metadata:
intention that users will need to control its scope by using
exclusions, preconditions, and other policy language mechanisms.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: guaranteed
diff --git a/other/require-reasonable-pdbs/.chainsaw-test/policy-ready.yaml b/other/require-reasonable-pdbs/.chainsaw-test/policy-ready.yaml
index f4e8838e4..3b8e14c81 100755
--- a/other/require-reasonable-pdbs/.chainsaw-test/policy-ready.yaml
+++ b/other/require-reasonable-pdbs/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-reasonable-pdbs
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-replicas-allow-disruption/.chainsaw-test/bad-deploy.yaml b/other/require-replicas-allow-disruption/.chainsaw-test/bad-deploy.yaml
index 46bdc9fe5..5362da4b2 100644
--- a/other/require-replicas-allow-disruption/.chainsaw-test/bad-deploy.yaml
+++ b/other/require-replicas-allow-disruption/.chainsaw-test/bad-deploy.yaml
@@ -15,6 +15,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.36
+ - image: ghcr.io/kyverno/test-busybox:1.36
name: busybox
command: ["sleep", "infinity"]
diff --git a/other/require-replicas-allow-disruption/.chainsaw-test/good-deploy.yaml b/other/require-replicas-allow-disruption/.chainsaw-test/good-deploy.yaml
index 04275685e..49a14ed3f 100644
--- a/other/require-replicas-allow-disruption/.chainsaw-test/good-deploy.yaml
+++ b/other/require-replicas-allow-disruption/.chainsaw-test/good-deploy.yaml
@@ -15,6 +15,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.36
+ - image: ghcr.io/kyverno/test-busybox:1.36
name: busybox
command: ["sleep", "infinity"]
diff --git a/other/require-replicas-allow-disruption/.chainsaw-test/policy-ready.yaml b/other/require-replicas-allow-disruption/.chainsaw-test/policy-ready.yaml
index 192e86b9e..d690d761f 100644
--- a/other/require-replicas-allow-disruption/.chainsaw-test/policy-ready.yaml
+++ b/other/require-replicas-allow-disruption/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-replicas-allow-disruption
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 4b3bb52d1..741ae585b 100755
--- a/other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-storageclass
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-storageclass/.chainsaw-test/ss-bad.yaml b/other/require-storageclass/.chainsaw-test/ss-bad.yaml
index 024c50372..a930f7a6c 100644
--- a/other/require-storageclass/.chainsaw-test/ss-bad.yaml
+++ b/other/require-storageclass/.chainsaw-test/ss-bad.yaml
@@ -16,7 +16,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 80
name: web
diff --git a/other/require-storageclass/.chainsaw-test/ss-good.yaml b/other/require-storageclass/.chainsaw-test/ss-good.yaml
index 6078a1b32..4962ec721 100644
--- a/other/require-storageclass/.chainsaw-test/ss-good.yaml
+++ b/other/require-storageclass/.chainsaw-test/ss-good.yaml
@@ -15,7 +15,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeClaimTemplates:
- metadata:
name: www
@@ -43,4 +43,4 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-storageclass/artifacthub-pkg.yml b/other/require-storageclass/artifacthub-pkg.yml
index 6df82ceba..7328fe938 100644
--- a/other/require-storageclass/artifacthub-pkg.yml
+++ b/other/require-storageclass/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Other, Multi-Tenancy"
kyverno/subject: "PersistentVolumeClaim, StatefulSet"
-digest: e99e3f27171a721aa76970de2f591c33104b08886120a17baaa0679e7e09c76a
+digest: 4406764cb5789780214b436f63b473b52ad60a71d7ff04f7a535810b83b882e7
diff --git a/other/require-storageclass/require-storageclass.yaml b/other/require-storageclass/require-storageclass.yaml
index 9946e705b..235a7d4cc 100644
--- a/other/require-storageclass/require-storageclass.yaml
+++ b/other/require-storageclass/require-storageclass.yaml
@@ -14,7 +14,7 @@ metadata:
StorageClasses. This policy requires that PVCs and StatefulSets containing
volumeClaimTemplates define the storageClassName field with some value.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: pvc-storageclass
diff --git a/other/require-unique-external-dns/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-unique-external-dns/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index d7d9c6219..aca3243c3 100755
--- a/other/require-unique-external-dns/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-unique-external-dns/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: unique-external-dns
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-unique-external-dns/artifacthub-pkg.yml b/other/require-unique-external-dns/artifacthub-pkg.yml
index e2b1e9106..6905f4a3f 100644
--- a/other/require-unique-external-dns/artifacthub-pkg.yml
+++ b/other/require-unique-external-dns/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.21"
kyverno/subject: "Service"
-digest: 262bd249cf33c9559be9371778d998b9f76cc429bb883bbc086fea5899c511f9
+digest: b3ce771e03d3b5519be378a040633219fea076f0987e7b9e6324e4dd6ff748bc
diff --git a/other/require-unique-external-dns/require-unique-external-dns.yaml b/other/require-unique-external-dns/require-unique-external-dns.yaml
index 2529cf1c9..c5279428e 100644
--- a/other/require-unique-external-dns/require-unique-external-dns.yaml
+++ b/other/require-unique-external-dns/require-unique-external-dns.yaml
@@ -16,7 +16,7 @@ metadata:
internal DNS, duplicates must be avoided. This policy requires every such Service have a cluster-unique
hostname present in the value of the annotation.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: ensure-valid-externaldns-annotation
diff --git a/other/require-unique-service-selector/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-unique-service-selector/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 9ef98f47d..03c5e82b1 100755
--- a/other/require-unique-service-selector/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-unique-service-selector/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-unique-service-selector
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-unique-service-selector/artifacthub-pkg.yml b/other/require-unique-service-selector/artifacthub-pkg.yml
index 9749c0d5d..2e6bc7bd1 100644
--- a/other/require-unique-service-selector/artifacthub-pkg.yml
+++ b/other/require-unique-service-selector/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Service"
-digest: 5e6dd5321e79e2317b3d48f72404ec38fe5ab197e588b41af0e12697b4d02e82
+digest: 5eab14f82192be84034e365e64a6af4b6be246f0037fe3cd4e774ee8cb5503f2
diff --git a/other/require-unique-service-selector/require-unique-service-selector.yaml b/other/require-unique-service-selector/require-unique-service-selector.yaml
index a5572c18f..5d64b9a88 100644
--- a/other/require-unique-service-selector/require-unique-service-selector.yaml
+++ b/other/require-unique-service-selector/require-unique-service-selector.yaml
@@ -14,7 +14,7 @@ metadata:
consequences. This policy ensures that within the same Namespace a Service has
a unique set of labels as a selector.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: check-service-selector
diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 440fe2a4c..2ad06cf41 100755
--- a/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-unique-uid-per-workload
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/pod-bad.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/pod-bad.yaml
index bad20ef1a..d0dd4d169 100644
--- a/other/require-unique-uid-per-workload/.chainsaw-test/pod-bad.yaml
+++ b/other/require-unique-uid-per-workload/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 144
---
@@ -16,11 +16,11 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1234
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 122
---
@@ -31,10 +31,10 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 122
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 144
\ No newline at end of file
diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/pod-good.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/pod-good.yaml
index 86867dfbe..8ec3174c7 100644
--- a/other/require-unique-uid-per-workload/.chainsaw-test/pod-good.yaml
+++ b/other/require-unique-uid-per-workload/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2234
---
@@ -16,8 +16,8 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 3232
- name: busybox02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/pods.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/pods.yaml
index 2932c9b42..e5361c89e 100644
--- a/other/require-unique-uid-per-workload/.chainsaw-test/pods.yaml
+++ b/other/require-unique-uid-per-workload/.chainsaw-test/pods.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1234
---
@@ -16,10 +16,10 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 144
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 111
\ No newline at end of file
diff --git a/other/require-unique-uid-per-workload/artifacthub-pkg.yml b/other/require-unique-uid-per-workload/artifacthub-pkg.yml
index e07b2f984..e2528dd38 100644
--- a/other/require-unique-uid-per-workload/artifacthub-pkg.yml
+++ b/other/require-unique-uid-per-workload/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "Pod"
-digest: 5673faa10e2ca3fe1f6bc9d45f69e7deb22342fe9b4a4981a02b139f52773ef6
+digest: 9ab36010faaa527346b15d2a923949d0aa8578179a59af9dfdd4e13c782e4149
diff --git a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
index 653b8edcb..713ee8434 100644
--- a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
+++ b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
@@ -18,7 +18,7 @@ metadata:
kyverno.io/kubernetes-version: "1.20"
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: require-unique-uid
match:
diff --git a/other/require-vulnerability-scan/artifacthub-pkg.yml b/other/require-vulnerability-scan/artifacthub-pkg.yml
index efa9ce1a0..45d6b28ae 100644
--- a/other/require-vulnerability-scan/artifacthub-pkg.yml
+++ b/other/require-vulnerability-scan/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Software Supply Chain Security"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: e0ee103ddd3d4dde09b63bc2295791747231ba0f3fef843c0f543cf7ac456e82
+digest: b17dd860ebad820becd3996eb69887e58f508cfc1167fa1d33137d1844915013
diff --git a/other/require-vulnerability-scan/require-vulnerability-scan.yaml b/other/require-vulnerability-scan/require-vulnerability-scan.yaml
index 7d2fdebcb..c6f71e297 100644
--- a/other/require-vulnerability-scan/require-vulnerability-scan.yaml
+++ b/other/require-vulnerability-scan/require-vulnerability-scan.yaml
@@ -19,7 +19,7 @@ metadata:
policy is expected to be customized based upon your signing strategy and applicable to
the images you designate.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
webhookTimeoutSeconds: 10
failurePolicy: Fail
rules:
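Review bot: `validationFailureAction: Audit` on this supply-chain policy means a violating Pod is reported rather than rejected, while `failurePolicy: Fail` with `webhookTimeoutSeconds: 10` makes admission fail when the webhook errors or does not answer in time. The two settings cover different cases and are easy to conflate. The description above already says the policy is expected to be customized, so I would add a comment on the changed line such as `# Audit only reports violations; switch to Enforce once the signing strategy and image list are customized`, so adopters do not assume unscanned images are blocked. The rules themselves are outside the hunk, so how they behave under Audit is not visible here.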
diff --git a/other/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml b/other/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml
index 30cd5da24..beb41ff21 100644
--- a/other/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml
+++ b/other/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
+ image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3
- name: busybox02
- image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
+ image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3
---
apiVersion: batch/v1
kind: CronJob
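Review bot: The expected image on the `busybox` and `busybox02` lines is a hard-coded `@sha256:` digest, so this assertion passes only while the `1.28` tag of `ghcr.io/kyverno/test-busybox` (the input in podcontroller.yaml and pods.yaml) keeps resolving to exactly that manifest. A re-push of the tag on the mirror would fail the test without any policy change, and such a mismatch is worth treating as a signal that the mirrored tag moved rather than as a flaky test. I would record the coupling above the first image line, e.g. `# digest that ghcr.io/kyverno/test-busybox:1.28 resolves to; update together with podcontroller.yaml`. The same applies to the CronJob hunk that follows and to both hunks of pods-patched.yaml. The enclosing spec starts outside the hunk.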
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: busybox
- image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
+ image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3
- name: busybox02
- image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
+ image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml b/other/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml
index 73738614d..535f4e9ee 100644
--- a/other/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml
+++ b/other/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml
@@ -17,9 +17,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
- name: busybox02
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
---
apiVersion: batch/v1
kind: CronJob
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
- name: busybox02
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml b/other/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml
index 1d4567cdf..e9ddd787f 100644
--- a/other/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml
+++ b/other/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
+ image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3
---
apiVersion: v1
kind: Pod
@@ -14,6 +14,6 @@ metadata:
spec:
containers:
- name: busybox
- image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
+ image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3
- name: busybox02
- image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
+ image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3
diff --git a/other/resolve-image-to-digest/.chainsaw-test/pods.yaml b/other/resolve-image-to-digest/.chainsaw-test/pods.yaml
index 7e4cd58e4..de8c9dae3 100644
--- a/other/resolve-image-to-digest/.chainsaw-test/pods.yaml
+++ b/other/resolve-image-to-digest/.chainsaw-test/pods.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
---
apiVersion: v1
kind: Pod
@@ -14,6 +14,6 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.28
+ image: ghcr.io/kyverno/test-busybox:1.28
- name: busybox02
- image: busybox:1.28
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.28
\ No newline at end of file
diff --git a/other/restart-deployment-on-secret-change/.chainsaw-test/deploy.yaml b/other/restart-deployment-on-secret-change/.chainsaw-test/deploy.yaml
index 5ac15d5ee..cb101349a 100644
--- a/other/restart-deployment-on-secret-change/.chainsaw-test/deploy.yaml
+++ b/other/restart-deployment-on-secret-change/.chainsaw-test/deploy.yaml
@@ -14,5 +14,5 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: bb-pod
\ No newline at end of file
diff --git a/other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index d064f3fca..feec6ff3b 100755
--- a/other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-annotations
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-annotations/.chainsaw-test/pod-bad.yaml b/other/restrict-annotations/.chainsaw-test/pod-bad.yaml
index 87a6bad2d..ff2b86396 100644
--- a/other/restrict-annotations/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-annotations/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,7 +20,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -33,4 +33,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-annotations/.chainsaw-test/pod-good.yaml b/other/restrict-annotations/.chainsaw-test/pod-good.yaml
index 3d976de3a..315490046 100644
--- a/other/restrict-annotations/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-annotations/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,4 +18,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml
index ec75284c5..cc35545ab 100644
--- a/other/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -37,5 +37,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-annotations/.chainsaw-test/podcontroller-good.yaml b/other/restrict-annotations/.chainsaw-test/podcontroller-good.yaml
index c4e5270ad..e867704be 100644
--- a/other/restrict-annotations/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-annotations/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -35,5 +35,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-annotations/artifacthub-pkg.yml b/other/restrict-annotations/artifacthub-pkg.yml
index 2b85c2e0c..49170ccf2 100644
--- a/other/restrict-annotations/artifacthub-pkg.yml
+++ b/other/restrict-annotations/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod, Annotation"
-digest: a685e92213d17c1848c0374cc959633ce189df2efdfd3d775427d4769ce09efc
+digest: a5f5b1e2ad8917290af81b3213e67067b0f94a16c4dcb61b80c0da9fc513d896
diff --git a/other/restrict-annotations/restrict-annotations.yaml b/other/restrict-annotations/restrict-annotations.yaml
index abd3b374d..b300c9997 100644
--- a/other/restrict-annotations/restrict-annotations.yaml
+++ b/other/restrict-annotations/restrict-annotations.yaml
@@ -14,7 +14,7 @@ metadata:
don't set reserved annotations or to force them to use a newer version of an annotation.
pod-policies.kyverno.io/autogen-controllers: none
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: block-flux-v1
diff --git a/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 6a59fdfc0..25aa46f5b 100755
--- a/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-automount-sa-token
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-automount-sa-token/.chainsaw-test/pod-bad.yaml b/other/restrict-automount-sa-token/.chainsaw-test/pod-bad.yaml
index 3c8653366..a874b157c 100644
--- a/other/restrict-automount-sa-token/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-automount-sa-token/.chainsaw-test/pod-bad.yaml
@@ -6,7 +6,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -17,7 +17,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -26,4 +26,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-automount-sa-token/.chainsaw-test/pod-good.yaml b/other/restrict-automount-sa-token/.chainsaw-test/pod-good.yaml
index 205b71c38..3a0f5678d 100644
--- a/other/restrict-automount-sa-token/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-automount-sa-token/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -16,7 +16,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -27,4 +27,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-bad.yaml
index f734c0042..2df7835ea 100644
--- a/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-bad.yaml
@@ -18,7 +18,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -34,5 +34,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-good.yaml b/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-good.yaml
index 871b09919..442ba319d 100644
--- a/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-good.yaml
@@ -18,7 +18,7 @@ spec:
automountServiceAccountToken: false
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -34,5 +34,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-automount-sa-token/artifacthub-pkg.yml b/other/restrict-automount-sa-token/artifacthub-pkg.yml
index 55b4ff029..c5e3f864a 100644
--- a/other/restrict-automount-sa-token/artifacthub-pkg.yml
+++ b/other/restrict-automount-sa-token/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Sample, EKS Best Practices"
kyverno/subject: "Pod,ServiceAccount"
-digest: b87206e937c2e059e0d47e27d1d5ac1857be4f7ec5310a0fc6cc714ee3cfa396
+digest: 0ffc85f3f6118bbf7d6f4e8d9aa592c7872f0c496f1ba745767f4baf539bb927
diff --git a/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml b/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml
index f1c735bea..299c61084 100644
--- a/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml
+++ b/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml
@@ -15,7 +15,7 @@ metadata:
be followed if Pods do not need to speak to the API server to function.
This policy ensures that mounting of these ServiceAccount tokens is blocked.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-automountServiceAccountToken
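Review bot: The description in the context lines says mounting of ServiceAccount tokens "is blocked", but the policy ships with `validationFailureAction: Audit`, under which Kyverno admits the violating resource and only records the result. This hunk only normalises the casing, so anyone deploying the policy as-is still gets reporting rather than enforcement. I would state that in the description, for example by appending `Set validationFailureAction to Enforce to block violating resources; Audit only reports them.` The same gap between "prevents"/"prohibits" and `Audit` shows in the restrict-binding-clusteradmin, restrict-binding-system-groups, restrict-clusterrole-nodesproxy, restrict-escalation-verbs-roles and restrict-ingress-defaultbackend hunks. The rules list continues below the hunk.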
diff --git a/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 708cbe548..77ed2b43c 100755
--- a/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-binding-clusteradmin
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-binding-clusteradmin/artifacthub-pkg.yml b/other/restrict-binding-clusteradmin/artifacthub-pkg.yml
index a17b5c86a..69db52032 100644
--- a/other/restrict-binding-clusteradmin/artifacthub-pkg.yml
+++ b/other/restrict-binding-clusteradmin/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Security"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
-digest: ae00ae65ccb6684e3899708865190608815348e30b7d5fd76814b87fd1eb1901
+digest: 8c59127d811aa4da08a14410048d982903c89ca60675357b94bd5ff80bc404d0
diff --git a/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml b/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml
index 52dbf1d5c..35c1efeb6 100644
--- a/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml
+++ b/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml
@@ -16,7 +16,7 @@ metadata:
policy prevents binding to the cluster-admin ClusterRole in
RoleBinding or ClusterRoleBinding resources.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: clusteradmin-bindings
diff --git a/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a49f3c16e..3fe7b760e 100755
--- a/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-binding-system-groups
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-binding-system-groups/artifacthub-pkg.yml b/other/restrict-binding-system-groups/artifacthub-pkg.yml
index 1e7e5eacb..31213c762 100644
--- a/other/restrict-binding-system-groups/artifacthub-pkg.yml
+++ b/other/restrict-binding-system-groups/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Security, EKS Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
-digest: d0336a6276727ee78903d87ca14097913d5983b35566d3f47efbf72aa59f2f4d
+digest: 68386af8e018f4f0bd0fe986378651e3ea4c142b426b39c010e038df85fb7ef2
diff --git a/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml
index 6c81a334b..c4de8e94f 100644
--- a/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml
+++ b/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml
@@ -16,7 +16,7 @@ metadata:
for other users. This policy prevents creating bindings to some of these
groups including system:anonymous, system:unauthenticated, and system:masters.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: restrict-anonymous
diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 2e1ce717b..a65f0b176 100644
--- a/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-clusterrole-csr
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 5f5432cb0..a156276bd 100644
--- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-clusterrole-mutating-validating-admission-webhooks
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index fc59b9caa..fc7cb1b91 100755
--- a/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-clusterrole-nodesproxy
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml b/other/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml
index ec96f02e9..aae076899 100644
--- a/other/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml
+++ b/other/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.27"
kyverno/subject: "ClusterRole, RBAC"
-digest: 0d9a0433d58ccb0d102ef757fed015a7bc8fdf128dd3fa4f8526c9608571d92e
+digest: 18ba0b2ea2556ca0042bcb0c2f32061d95e81792e07ae86e81dd39bd810a920e
diff --git a/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml b/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
index b0ab6ae74..2a2e5dd85 100644
--- a/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
+++ b/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
@@ -18,7 +18,7 @@ metadata:
for more info. This policy prevents the creation
of a ClusterRole if it contains the nodes/proxy resource.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: clusterrole-nodesproxy
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 422e25cb6..01387a8b1 100755
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-controlplane-scheduling
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
index 40f952470..fe996274c 100644
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
@@ -14,7 +14,7 @@ spec:
effect: "NoSchedule"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -33,4 +33,4 @@ spec:
effect: "NoExecute"
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
index 7b29cfe71..977e70b40 100644
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
@@ -11,7 +11,7 @@ spec:
effect: "NoSchedule"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -30,4 +30,4 @@ spec:
effect: "NoExecute"
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
index 1409e1aa5..e574038a2 100644
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
@@ -21,7 +21,7 @@ spec:
effect: "NoSchedule"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -43,4 +43,4 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
index e0baf251c..070b38777 100644
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
@@ -22,7 +22,7 @@ spec:
effect: "NoExecute"
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -45,4 +45,4 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-controlplane-scheduling/artifacthub-pkg.yml b/other/restrict-controlplane-scheduling/artifacthub-pkg.yml
index 187e8817b..9dc6dfb4e 100644
--- a/other/restrict-controlplane-scheduling/artifacthub-pkg.yml
+++ b/other/restrict-controlplane-scheduling/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 85670ece069aa1b3296a294a7137ca87d1cc0636f9f78611c79a2b84d8c4aaeb
+digest: b3561eaa50e32c43a6609d87e43d4a04e44184461a4b6868783cfa8d08191893
diff --git a/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml b/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml
index 210710e9b..438d48709 100644
--- a/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml
+++ b/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml
@@ -14,7 +14,7 @@ metadata:
in a Pod spec which allows running on control plane nodes
with the taint key `node-role.kubernetes.io/master`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: restrict-controlplane-scheduling-master
diff --git a/other/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml b/other/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml
index 7b53955c7..1a09f7d33 100644
--- a/other/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml
@@ -19,7 +19,7 @@ spec:
image: foo.gcr.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
---
@@ -30,7 +30,7 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-init-again
image: foo.gcr.io/busybox:1.35
containers:
@@ -48,7 +48,7 @@ spec:
- name: busybox-init
image: docker.io/busybox:1.35
- name: busybox-init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
image: registry.k8s.io/busybox:1.35
diff --git a/other/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml b/other/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml
index 947410f82..228080b72 100644
--- a/other/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -21,6 +21,6 @@ spec:
image: registry.k8s.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
\ No newline at end of file
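Review bot: Only the unqualified `busybox:1.35` reference moves to `ghcr.io/kyverno/test-busybox:1.35`; the sibling container `busybox02` in the same Pod keeps `image: docker.io/busybox:1.35`, the registry an unqualified name resolves to by default on most runtimes. If the swap is meant to stop the tests depending on Docker Hub (inferred, the hunk does not say), this Pod and the matching hunks in podcontroller-good.yaml still pull from it once admitted. If `docker.io/` is kept on purpose as an explicit-registry case the policy must allow, a comment above it would make that clear, e.g. `# docker.io kept deliberately: explicit registry the policy must allow`. The Pod spec starts above the hunk.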
diff --git a/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml
index 0df6e26f9..7eb4f05fa 100644
--- a/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml
@@ -43,6 +43,6 @@ spec:
image: registry.k8s.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml b/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml
index c837017b9..9a5842267 100644
--- a/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml
@@ -20,7 +20,7 @@ spec:
image: registry.k8s.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
---
@@ -43,6 +43,6 @@ spec:
image: registry.k8s.io/busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
image: docker.io/busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml b/other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
index 9481b23f2..5293df1eb 100644
--- a/other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
+++ b/other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: restrict-deprecated-registry
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/restrict-edit-for-endpoints/artifacthub-pkg.yml b/other/restrict-edit-for-endpoints/artifacthub-pkg.yml
index f8d8ad381..653f40cad 100644
--- a/other/restrict-edit-for-endpoints/artifacthub-pkg.yml
+++ b/other/restrict-edit-for-endpoints/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Security"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "ClusterRole"
-digest: dbcccf542d23629de3cd4b51ebf14220caa3150a30371c8fba2b7f18bc64b83e
+digest: 577d69ec993881fbd86f972fa53db4b0e6c2e67e63d844468305a840f6aaf3c2
diff --git a/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml b/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml
index 16ccbacb1..20c171212 100644
--- a/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml
+++ b/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml
@@ -18,7 +18,7 @@ metadata:
to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have
the edit permission of Endpoints.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: system-aggregate-to-edit-check
diff --git a/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a79fd3397..0d89a1527 100755
--- a/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-escalation-verbs-roles
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-escalation-verbs-roles/artifacthub-pkg.yml b/other/restrict-escalation-verbs-roles/artifacthub-pkg.yml
index 9c3ce8480..2df0119be 100644
--- a/other/restrict-escalation-verbs-roles/artifacthub-pkg.yml
+++ b/other/restrict-escalation-verbs-roles/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Security"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Role, ClusterRole, RBAC"
-digest: b4e370bcf146a9d1052f80bd63f03f87147216ffd601cfeaf17106db883a9095
+digest: bdcf97fcc1ed01e6c49548591ed6b9035da04d20ec8decf4735fdca01f47b04a
diff --git a/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml b/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
index 61870d1e7..cf8c12364 100644
--- a/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
+++ b/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
@@ -15,7 +15,7 @@ metadata:
privilege escalation and should be tightly controlled. This policy prevents
use of these verbs in Role or ClusterRole resources.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: escalate
diff --git a/other/restrict-ingress-classes/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-ingress-classes/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b15ee6b98..6a1a8d9b8 100755
--- a/other/restrict-ingress-classes/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-ingress-classes/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-classes
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml b/other/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml
index 35c7dd6d1..2a1cfd92e 100644
--- a/other/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml
+++ b/other/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -27,7 +27,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -35,4 +35,4 @@ spec:
service:
name: test
port:
- number: 80
\ No newline at end of file
+ number: 80
diff --git a/other/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml b/other/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml
index 243a785be..b12449d19 100644
--- a/other/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml
+++ b/other/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml
@@ -8,7 +8,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -28,7 +28,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/restrict-ingress-classes/artifacthub-pkg.yml b/other/restrict-ingress-classes/artifacthub-pkg.yml
index 0e03a09f9..b57417fed 100644
--- a/other/restrict-ingress-classes/artifacthub-pkg.yml
+++ b/other/restrict-ingress-classes/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Ingress"
-digest: e6c966c4fd384ec46ee4f9c51101839d2b2d889a17ad232409e6c13bc9321bf4
+digest: d999fe6b4a48cd622280388cda32bdf3ec60ca4badc4ae1d2e858446d5cecf58
diff --git a/other/restrict-ingress-classes/restrict-ingress-classes.yaml b/other/restrict-ingress-classes/restrict-ingress-classes.yaml
index 994eb64ee..a152f1f35 100644
--- a/other/restrict-ingress-classes/restrict-ingress-classes.yaml
+++ b/other/restrict-ingress-classes/restrict-ingress-classes.yaml
@@ -16,7 +16,7 @@ metadata:
annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass
resource.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-ingress
diff --git a/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 85c3af1c1..649bb41f9 100755
--- a/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-defaultbackend
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml b/other/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml
index 09e9a251f..bf3c9b599 100644
--- a/other/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml
+++ b/other/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/restrict-ingress-defaultbackend/artifacthub-pkg.yml b/other/restrict-ingress-defaultbackend/artifacthub-pkg.yml
index eda2c16c7..abbe59806 100644
--- a/other/restrict-ingress-defaultbackend/artifacthub-pkg.yml
+++ b/other/restrict-ingress-defaultbackend/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Ingress"
-digest: 9e88f8cef640608f92540545a086285ac1a2944e6cf41f84f2d8ffb6f2e5c315
+digest: c73c675aaf385c335de92d0002abbc06be0249ebd22fe855b19c8c03e5457402
diff --git a/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml b/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml
index f40091701..2ef0136b8 100644
--- a/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml
+++ b/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml
@@ -18,7 +18,7 @@ metadata:
want users to use explicit hosts, they should not be able to overwrite the global default backend
service. This policy prohibits the use of the defaultBackend field.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: restrict-ingress-defaultbackend
diff --git a/other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 2b9230dd4..0daa114c0 100755
--- a/other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: unique-ingress-host
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress-bad.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress-bad.yaml
index d0c74aa1d..88422f2fe 100644
--- a/other/restrict-ingress-host/.chainsaw-test/ingress-bad.yaml
+++ b/other/restrict-ingress-host/.chainsaw-test/ingress-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: foo
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: foo-bar
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -32,7 +32,7 @@ spec:
port:
number: 80
- host: bar-bar
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress-good.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress-good.yaml
index 25c458053..d9927cb4c 100644
--- a/other/restrict-ingress-host/.chainsaw-test/ingress-good.yaml
+++ b/other/restrict-ingress-host/.chainsaw-test/ingress-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: endpoint02
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress-updates-bad.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress-updates-bad.yaml
index b723a2f7e..84d7d6232 100644
--- a/other/restrict-ingress-host/.chainsaw-test/ingress-updates-bad.yaml
+++ b/other/restrict-ingress-host/.chainsaw-test/ingress-updates-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: endpoint02
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -32,7 +32,7 @@ spec:
path: /
pathType: Prefix
- host: endpoint02
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress-updates-good.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress-updates-good.yaml
index 08a001059..5394f16ed 100644
--- a/other/restrict-ingress-host/.chainsaw-test/ingress-updates-good.yaml
+++ b/other/restrict-ingress-host/.chainsaw-test/ingress-updates-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: endpoint03
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress.yaml
index d9fe68573..cea1f16d4 100644
--- a/other/restrict-ingress-host/.chainsaw-test/ingress.yaml
+++ b/other/restrict-ingress-host/.chainsaw-test/ingress.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: foo
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: bar
- https:
+ http:
paths:
- backend:
service:
diff --git a/other/restrict-ingress-host/artifacthub-pkg.yml b/other/restrict-ingress-host/artifacthub-pkg.yml
index 137283b00..cfc0adaa2 100644
--- a/other/restrict-ingress-host/artifacthub-pkg.yml
+++ b/other/restrict-ingress-host/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Ingress"
-digest: 626994bf34517beb56b95c46ae5055dabd3173ab94b391c2806a76015b1f46fd
+digest: ad7c3575de345ee12631b16d79ec0db8798b2260a81a01180322f99201940dc7
diff --git a/other/restrict-ingress-host/restrict-ingress-host.yaml b/other/restrict-ingress-host/restrict-ingress-host.yaml
index 48836b6f6..f931887aa 100644
--- a/other/restrict-ingress-host/restrict-ingress-host.yaml
+++ b/other/restrict-ingress-host/restrict-ingress-host.yaml
@@ -14,7 +14,7 @@ metadata:
This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
It also ensures that only a single host may be specified in a given manifest.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: check-single-host-create
diff --git a/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f85e022ab..c831fd9a5 100755
--- a/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-ingress-wildcard
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml b/other/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml
index b6bce89c8..6fcfc2e11 100644
--- a/other/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml
+++ b/other/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: "*.foo.bar"
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: foo-bar
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -32,7 +32,7 @@ spec:
port:
number: 80
- host: "*.example.com"
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -49,7 +49,7 @@ metadata:
spec:
rules:
- host: "*.bar"
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -59,7 +59,7 @@ spec:
port:
number: 80
- host: foo-bar
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml b/other/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml
index f67cf1494..ed761a800 100644
--- a/other/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml
+++ b/other/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
rules:
- host: endpoint01
- https:
+ http:
paths:
- backend:
service:
@@ -22,7 +22,7 @@ metadata:
spec:
rules:
- host: endpoint02
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
@@ -32,7 +32,7 @@ spec:
port:
number: 80
- host: endpoint01
- https:
+ http:
paths:
- path: /testpath
pathType: Prefix
diff --git a/other/restrict-ingress-wildcard/artifacthub-pkg.yml b/other/restrict-ingress-wildcard/artifacthub-pkg.yml
index 9998c48fb..f569184b0 100644
--- a/other/restrict-ingress-wildcard/artifacthub-pkg.yml
+++ b/other/restrict-ingress-wildcard/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Ingress"
-digest: d47ca7c1ce633eef4936ded9deb782cae7b9d7646e3435122826061976aee4ee
+digest: 25278c05b7c2e54ab33d137d83540d5d4dac23b1a85083d88609c3b1c3197992
diff --git a/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml b/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml
index d046029bc..bcc76c67a 100644
--- a/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml
+++ b/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml
@@ -17,7 +17,7 @@ metadata:
policy enforces that any Ingress host does not contain a wildcard
character.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: block-ingress-wildcard
diff --git a/other/restrict-jobs/.chainsaw-test/cronjobs-good.yaml b/other/restrict-jobs/.chainsaw-test/cronjobs-good.yaml
index cc0f70f29..8118a2876 100644
--- a/other/restrict-jobs/.chainsaw-test/cronjobs-good.yaml
+++ b/other/restrict-jobs/.chainsaw-test/cronjobs-good.yaml
@@ -10,6 +10,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: OnFailure
\ No newline at end of file
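Review bot: The new fixture image on the `image:` line is still referenced by a mutable tag, so what the test cluster actually pulls depends on whatever the registry serves for `1.35` at run time. Pinning by digest, `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-placeholder>`, would make the e2e runs reproducible and match the SHA pinning this commit already uses for its GitHub Actions. The same applies to every other `busybox` fixture hunk in this diff (jobs-bad.yaml, the restrict-node-affinity, restrict-node-selection, restrict-pod-controller-serviceaccount-updates and restrict-secrets-by-label test files).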
diff --git a/other/restrict-jobs/.chainsaw-test/jobs-bad.yaml b/other/restrict-jobs/.chainsaw-test/jobs-bad.yaml
index 700346ed5..ef62a007b 100644
--- a/other/restrict-jobs/.chainsaw-test/jobs-bad.yaml
+++ b/other/restrict-jobs/.chainsaw-test/jobs-bad.yaml
@@ -7,6 +7,6 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
command: ["sleep", "3600"]
restartPolicy: Never
\ No newline at end of file
diff --git a/other/restrict-loadbalancer/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-loadbalancer/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a487741b5..e88dc49d3 100755
--- a/other/restrict-loadbalancer/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-loadbalancer/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: no-loadbalancer-service
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-loadbalancer/artifacthub-pkg.yml b/other/restrict-loadbalancer/artifacthub-pkg.yml
index e2559fce9..5bc4ad5db 100644
--- a/other/restrict-loadbalancer/artifacthub-pkg.yml
+++ b/other/restrict-loadbalancer/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Service"
-digest: dfa26ce07b5ab3a4f5d0106b450a92c866f572478a91491b8c6f18cd523184e0
+digest: 68ddfd3d14a9764d7cc6b8aedfed75b1911b1cfe922ba45e3bbd4cd1efcf37b6
diff --git a/other/restrict-loadbalancer/restrict-loadbalancer.yaml b/other/restrict-loadbalancer/restrict-loadbalancer.yaml
index 313c774c6..08786542c 100644
--- a/other/restrict-loadbalancer/restrict-loadbalancer.yaml
+++ b/other/restrict-loadbalancer/restrict-loadbalancer.yaml
@@ -15,7 +15,7 @@ metadata:
overrun established budgets and security practices set by the organization. This policy restricts
use of the Service type LoadBalancer.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: no-LoadBalancer
diff --git a/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 08739c249..e11e07dd3 100755
--- a/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-networkpolicy-empty-podselector
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml b/other/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml
index c473a8d9d..6bbd9179b 100644
--- a/other/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml
+++ b/other/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Other, Multi-Tenancy"
kyverno/subject: "NetworkPolicy"
-digest: d0ba9667eb86aaf3c808d6db56254a4556aaa19e2eb3824886a97a216a5e53b8
+digest: 38fcf833843a204155ecd0cba6cf7118a44a168d0269fe24e3faff349fbe8a11
diff --git a/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml b/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml
index 5b02ab52b..e3b7e3d5d 100644
--- a/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml
+++ b/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml
@@ -13,7 +13,7 @@ metadata:
more closely control the necessary traffic flows. This policy requires that all NetworkPolicies
other than that of `default-deny` not use an empty podSelector.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: empty-podselector
diff --git a/other/restrict-node-affinity/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-node-affinity/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8aac3db00..0108affce 100755
--- a/other/restrict-node-affinity/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-node-affinity/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-node-affinity
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-node-affinity/.chainsaw-test/pod-bad.yaml b/other/restrict-node-affinity/.chainsaw-test/pod-bad.yaml
index d2622ecd3..aa7d1512d 100644
--- a/other/restrict-node-affinity/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-node-affinity/.chainsaw-test/pod-bad.yaml
@@ -15,7 +15,7 @@ spec:
- bar
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -43,4 +43,4 @@ spec:
topologyKey: topology.kubernetes.io/zone
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-node-affinity/.chainsaw-test/pod-good.yaml b/other/restrict-node-affinity/.chainsaw-test/pod-good.yaml
index 3df39edbf..1d308f3ec 100644
--- a/other/restrict-node-affinity/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-node-affinity/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,14 +14,16 @@ metadata:
spec:
affinity:
podAffinity:
- prefferedDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: bar
- operator: In
- values:
- - bar
- topologyKey: topology.kubernetes.io/zone
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: bar
+ operator: In
+ values:
+ - bar
+ topologyKey: topology.kubernetes.io/zone
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
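Review bot: Nothing in this fixture records why a Pod carrying `podAffinity` belongs in the "good" set, and with the earlier misspelled key this case was presumably never exercised at all. A comment above `affinity:` such as `# podAffinity and podAntiAffinity are allowed; only nodeAffinity should be rejected` would make the intent explicit (worded from the policy name, so confirm it against the rule). The same comment fits the matching hunk in podcontroller-good.yaml. The Pod manifest starts outside this hunk.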
@@ -35,4 +37,4 @@ spec:
topologyKey: topology.kubernetes.io/zone
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml
index 101b7dce3..6740a7267 100644
--- a/other/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml
@@ -27,7 +27,7 @@ spec:
- bar
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -51,5 +51,5 @@ spec:
- bar
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml b/other/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml
index 91a6a6330..bd3d0113a 100644
--- a/other/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml
@@ -17,17 +17,19 @@ spec:
spec:
affinity:
podAffinity:
- prefferedDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: bar
- operator: In
- values:
- - bar
- topologyKey: topology.kubernetes.io/zone
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: bar
+ operator: In
+ values:
+ - bar
+ topologyKey: topology.kubernetes.io/zone
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -41,5 +43,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-node-affinity/artifacthub-pkg.yml b/other/restrict-node-affinity/artifacthub-pkg.yml
index f5e03f2f6..c52eb901b 100644
--- a/other/restrict-node-affinity/artifacthub-pkg.yml
+++ b/other/restrict-node-affinity/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: 1bc527f2c286a2ec07141d43e26857ccb4ce6996b291b3bb1903469b113fcfde
+digest: f501d3f3b0391ae2dc698b28eacd8e46dbdf5af9278a688127bfb18678f0532c
diff --git a/other/restrict-node-affinity/restrict-node-affinity.yaml b/other/restrict-node-affinity/restrict-node-affinity.yaml
index b6b7a0fa7..18c2e0f03 100644
--- a/other/restrict-node-affinity/restrict-node-affinity.yaml
+++ b/other/restrict-node-affinity/restrict-node-affinity.yaml
@@ -17,7 +17,7 @@ metadata:
is not used in a Pod spec.
spec:
background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: check-nodeaffinity
match:
diff --git a/other/restrict-node-label-changes/.chainsaw-test/chainsaw-test.yaml b/other/restrict-node-label-changes/.chainsaw-test/chainsaw-test.yaml
index e0ebd7aac..b0c9f434e 100755
--- a/other/restrict-node-label-changes/.chainsaw-test/chainsaw-test.yaml
+++ b/other/restrict-node-label-changes/.chainsaw-test/chainsaw-test.yaml
@@ -25,6 +25,8 @@ spec:
file: ../restrict-node-label-changes.yaml
- assert:
file: policy-ready.yaml
+ - sleep:
+ duration: 5s
- name: step-03
try:
- script:
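Review bot: The fixed `duration: 5s` sleep after the `policy-ready.yaml` assert is a timing guess with no stated reason. On a slow runner it can still be too short, and the later script steps would then run before the policy is enforced. At minimum add a comment above `- sleep:` naming what is being waited for, for example `# Ready is reported before admission requests for Nodes are enforced; wait for the webhook` (presumably the cause, so confirm it). Where possible, assert on the state being waited for instead of sleeping. The step this belongs to starts outside the hunk.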
diff --git a/other/restrict-node-label-changes/artifacthub-pkg.yml b/other/restrict-node-label-changes/artifacthub-pkg.yml
index 56618f392..76b6cdb5d 100644
--- a/other/restrict-node-label-changes/artifacthub-pkg.yml
+++ b/other/restrict-node-label-changes/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Node, Label"
-digest: 5f85ca279377a987568daa4353191e8e843ed6e708ffc9a4163e0fd95ec27894
+digest: 50b9b20c822339142265cda589f17f9f6383f451b58f26e833eaacad76476c26
diff --git a/other/restrict-node-label-changes/restrict-node-label-changes.yaml b/other/restrict-node-label-changes/restrict-node-label-changes.yaml
index f0f2b2655..c395ddef8 100644
--- a/other/restrict-node-label-changes/restrict-node-label-changes.yaml
+++ b/other/restrict-node-label-changes/restrict-node-label-changes.yaml
@@ -16,7 +16,7 @@ metadata:
requires, at minimum, one of the following versions of Kubernetes:
v1.18.18, v1.19.10, v1.20.6, or v1.21.0.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: prevent-label-value-changes
@@ -26,6 +26,7 @@ spec:
kinds:
- Node
validate:
+ allowExistingViolations: false
message: "Modifying the `foo` label on a Node is not allowed."
deny:
conditions:
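Review bot: The added `allowExistingViolations: false` is set without any explanation, here and again in the `validate:` block of the next hunk, so a later cleanup could drop it as redundant. Presumably it is needed because these rules must evaluate every UPDATE, including on Nodes that already fail the rule. A comment such as `# keep false: label changes must be checked even on Nodes that already violate this rule` would record that. The field exists only in newer Kyverno releases, so any minimum-version annotation in the policy metadata (outside this hunk) should match the release that introduced it.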
@@ -51,8 +52,9 @@ spec:
operator: Equals
value: "?*"
validate:
+ allowExistingViolations: false
message: "Removing the `foo` label on a Node is not allowed."
pattern:
metadata:
labels:
- foo: "*"
\ No newline at end of file
+ foo: "*"
diff --git a/other/restrict-node-label-creation/artifacthub-pkg.yml b/other/restrict-node-label-creation/artifacthub-pkg.yml
index ed5cc29b6..1e328653a 100644
--- a/other/restrict-node-label-creation/artifacthub-pkg.yml
+++ b/other/restrict-node-label-creation/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Node, Label"
-digest: ce639e3a55535dabae7b3db6afcdbab9937bdded689547396ea64a52157b026c
+digest: 18bb96511f438e7d5267490f448768be97012a7b4943d51b190e538692cac76b
diff --git a/other/restrict-node-label-creation/restrict-node-label-creation.yaml b/other/restrict-node-label-creation/restrict-node-label-creation.yaml
index e89c7dda8..c1490f602 100644
--- a/other/restrict-node-label-creation/restrict-node-label-creation.yaml
+++ b/other/restrict-node-label-creation/restrict-node-label-creation.yaml
@@ -17,7 +17,7 @@ metadata:
requires, at minimum, one of the following versions of Kubernetes:
v1.18.18, v1.19.10, v1.20.6, or v1.21.0.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: prevent-label-set
diff --git a/other/restrict-node-selection/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-node-selection/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index b8c04eaa7..fdf0703cc 100755
--- a/other/restrict-node-selection/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-node-selection/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-node-selection
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-node-selection/.chainsaw-test/pod-bad.yaml b/other/restrict-node-selection/.chainsaw-test/pod-bad.yaml
index dbaf54c33..a06a33408 100644
--- a/other/restrict-node-selection/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-node-selection/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ spec:
foo: bar
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -17,4 +17,4 @@ spec:
nodeName: kind-control-plane
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/other/restrict-node-selection/.chainsaw-test/pod-good.yaml b/other/restrict-node-selection/.chainsaw-test/pod-good.yaml
index 88a6148a7..1db6a8b46 100644
--- a/other/restrict-node-selection/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-node-selection/.chainsaw-test/pod-good.yaml
@@ -5,4 +5,4 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-node-selection/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-node-selection/.chainsaw-test/podcontroller-bad.yaml
index 985c6f597..273229789 100644
--- a/other/restrict-node-selection/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-node-selection/.chainsaw-test/podcontroller-bad.yaml
@@ -19,7 +19,7 @@ spec:
foo: bar
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -34,5 +34,5 @@ spec:
nodeName: kind-control-plane
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
diff --git a/other/restrict-node-selection/.chainsaw-test/podcontroller-good.yaml b/other/restrict-node-selection/.chainsaw-test/podcontroller-good.yaml
index f5d682100..ba28ba4d3 100644
--- a/other/restrict-node-selection/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-node-selection/.chainsaw-test/podcontroller-good.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -31,5 +31,5 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-node-selection/artifacthub-pkg.yml b/other/restrict-node-selection/artifacthub-pkg.yml
index 0e9f3f1c4..1fe39ffa0 100644
--- a/other/restrict-node-selection/artifacthub-pkg.yml
+++ b/other/restrict-node-selection/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 5de29662e13080d414e0381c82da17f65dc8818a835d66aa353c51b604b7c478
+digest: 87d5b2c54ff483fca02c5605bcb9be7416ca45762035324b9bfc62d20c7bcbb1
diff --git a/other/restrict-node-selection/restrict-node-selection.yaml b/other/restrict-node-selection/restrict-node-selection.yaml
index 95ad1c945..543e26579 100644
--- a/other/restrict-node-selection/restrict-node-selection.yaml
+++ b/other/restrict-node-selection/restrict-node-selection.yaml
@@ -16,7 +16,7 @@ metadata:
this policy is only designed to work on initial creation and not in background
mode.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: restrict-nodeselector
diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 92b7018c8..9f02c6ee0 100755
--- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-pod-controller-serviceaccount-updates
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-4.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-4.yaml
index b8f88a8ad..18bd07022 100755
--- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-4.yaml
+++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-4.yaml
@@ -16,6 +16,6 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
serviceAccountName: serviceaccount01
diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-5.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-5.yaml
index 5e04c53ee..2a3a3a751 100755
--- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-5.yaml
+++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-5.yaml
@@ -8,7 +8,7 @@ spec:
template:
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
restartPolicy: OnFailure
serviceAccountName: serviceaccount01
diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml
index 035cb6a3c..80a45123c 100644
--- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml
+++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml
@@ -11,5 +11,5 @@ spec:
serviceAccountName: serviceaccount02
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml
index 8788cebd3..14a0fe7a6 100644
--- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml
+++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml
@@ -18,4 +18,4 @@ spec:
serviceAccountName: serviceaccount02
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml b/other/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml
index 5dd332082..0ff3f5cf7 100644
--- a/other/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml
+++ b/other/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: e1653e8ecec5c0cb8c9ef44b431fdf0b1231605d8d8406a11a165561a763dfca
+digest: 7339d1663d9447d7e8ece53460ab38514dc6828ca60844279ce84fed61c53540
diff --git a/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml b/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml
index dd588c2f3..b9f82dce6 100644
--- a/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml
+++ b/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml
@@ -16,7 +16,7 @@ metadata:
to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods
directly for this field are not possible as it is immutable once set.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: block-serviceaccount-updates
diff --git a/other/restrict-pod-count-per-node/artifacthub-pkg.yml b/other/restrict-pod-count-per-node/artifacthub-pkg.yml
index cb6f7ed78..6b526329e 100644
--- a/other/restrict-pod-count-per-node/artifacthub-pkg.yml
+++ b/other/restrict-pod-count-per-node/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 6213a01793e7c3de54e755c786b08ea7d1335a6c826137885be32182173f6c44
+digest: f2da36f1444861ff2de4385a814d6720a13ee89e794d1c12aa2af7aba3aa5129
diff --git a/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml b/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml
index d88f60997..25142d6c0 100644
--- a/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml
+++ b/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml
@@ -14,7 +14,7 @@ metadata:
development cases. This policy restricts Pod count on a Node named `minikube` to be no more than 10.
# pod-policies.kyverno.io/autogen-controllers: none
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: restrict-pod-count
diff --git a/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f6f90dfa1..5008f0284 100644
--- a/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-sa-automount-sa-token
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-scale/artifacthub-pkg.yml b/other/restrict-scale/artifacthub-pkg.yml
index 6a6db795e..7b2c98bb5 100644
--- a/other/restrict-scale/artifacthub-pkg.yml
+++ b/other/restrict-scale/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Deployment"
-digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2
+digest: c2617db73bd8805c8e4ac8eb6a0a86ca203a97092d4e9f2d61229405e63a3a82
diff --git a/other/restrict-scale/restrict-scale.yaml b/other/restrict-scale/restrict-scale.yaml
index e3ebfaeeb..93f791819 100644
--- a/other/restrict-scale/restrict-scale.yaml
+++ b/other/restrict-scale/restrict-scale.yaml
@@ -18,7 +18,7 @@ metadata:
of rules which can be used to limit the replica count both upon creation of a Deployment and
when a scale operation is performed.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
# This rule can be used to limit scale operations based upon Deployment labels assuming the given label
diff --git a/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f09ecb57a..acb40c325 100755
--- a/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-secret-role-verbs
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-secret-role-verbs/artifacthub-pkg.yml b/other/restrict-secret-role-verbs/artifacthub-pkg.yml
index 57cd87034..71616b822 100644
--- a/other/restrict-secret-role-verbs/artifacthub-pkg.yml
+++ b/other/restrict-secret-role-verbs/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Security"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Role, ClusterRole, RBAC"
-digest: 3c71693c6eb0ac3af7bf871d7c6b0e66518709a16c98d56a8f4a6b30f25c2106
+digest: 521df259b97560b55cc1b96a55aa5aadeae44496644e770e48ccf732a67454b8
diff --git a/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml b/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml
index 78c48a111..847631de6 100644
--- a/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml
+++ b/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml
@@ -18,7 +18,7 @@ metadata:
also prevents use of the wildcard ('*') in the verbs list either when explicitly naming Secrets
or when also using a wildcard in the base API group.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: secret-verbs
diff --git a/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8afc2f280..885f95c16 100755
--- a/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-secrets-by-label
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-secrets-by-label/.chainsaw-test/pod-bad.yaml b/other/restrict-secrets-by-label/.chainsaw-test/pod-bad.yaml
index ac106eaed..4c57dbdab 100644
--- a/other/restrict-secrets-by-label/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-secrets-by-label/.chainsaw-test/pod-bad.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -22,9 +22,9 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -35,9 +35,9 @@ spec:
key: foo
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -52,20 +52,20 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: bottom-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: top-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -80,20 +80,20 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: not-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: top-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -108,9 +108,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: not-secret-volume
secret:
diff --git a/other/restrict-secrets-by-label/.chainsaw-test/pod-good.yaml b/other/restrict-secrets-by-label/.chainsaw-test/pod-good.yaml
index 4aaa0d338..07f7e709b 100644
--- a/other/restrict-secrets-by-label/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-secrets-by-label/.chainsaw-test/pod-good.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -22,9 +22,9 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -35,9 +35,9 @@ spec:
key: foo
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -52,20 +52,20 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: bottom-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: bottom-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -80,9 +80,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: secret-volume
secret:
@@ -95,20 +95,20 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: not-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: not-so-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
diff --git a/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-bad.yaml
index 6578bbd3d..2d7eaa2d4 100644
--- a/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-bad.yaml
@@ -17,17 +17,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: bottom-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -56,9 +56,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: secret-volume
secret:
@@ -76,17 +76,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: top-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -109,9 +109,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty-volume
emptyDir: {}
diff --git a/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-good.yaml b/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-good.yaml
index 3a8701e60..fec1aa792 100644
--- a/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-good.yaml
@@ -17,20 +17,20 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: not-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: not-so-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -57,9 +57,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: secret-volume
secret:
@@ -77,20 +77,20 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: not-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: not-so-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -111,9 +111,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty-volume
emptyDir: {}
diff --git a/other/restrict-secrets-by-label/artifacthub-pkg.yml b/other/restrict-secrets-by-label/artifacthub-pkg.yml
index c9d9d0fe9..e9892292d 100644
--- a/other/restrict-secrets-by-label/artifacthub-pkg.yml
+++ b/other/restrict-secrets-by-label/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod, Secret"
-digest: ed7a9afd18b3a9679c24da6d8715c0a678cf89010d5f78d266b57db38313dd55
+digest: cac5d5e5de6d58442abd4e904d5d0f8e5b3f6173db4b0e5a2403a2cc85e84371
diff --git a/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml b/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml
index 6a9cc2838..6990dcc72 100644
--- a/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml
+++ b/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml
@@ -17,7 +17,7 @@ metadata:
that only Secrets not labeled with `status=protected` can be consumed by Pods.
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: secrets-lookup-from-env
match:
diff --git a/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1dfdeb90d..3e186f629 100755
--- a/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-secrets-by-name
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml b/other/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml
index e1dd9b7ef..ccee7d259 100644
--- a/other/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -22,9 +22,9 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -35,9 +35,9 @@ spec:
key: foo
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -52,20 +52,20 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: top-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -80,9 +80,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: not-secret-volume
secret:
diff --git a/other/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml b/other/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml
index a184066bd..bff4c6b38 100644
--- a/other/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -22,9 +22,9 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -35,9 +35,9 @@ spec:
key: foo
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -52,20 +52,20 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_SECRET
valueFrom:
@@ -80,9 +80,9 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty-volume
emptyDir: {}
diff --git a/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml
index 03aa8e484..eb30243ac 100644
--- a/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml
@@ -17,17 +17,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -56,9 +56,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: secret-volume
secret:
@@ -76,17 +76,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: top-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -109,9 +109,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty-volume
emptyDir: {}
diff --git a/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml b/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml
index 18dabc169..cfbd62478 100644
--- a/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml
@@ -17,17 +17,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -56,9 +56,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: secret-volume
secret:
@@ -76,17 +76,17 @@ spec:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
envFrom:
- secretRef:
name: safe-secret
- name: busybox02-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
env:
- name: ENV_FOO
value: "bar"
@@ -109,9 +109,9 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty-volume
emptyDir: {}
diff --git a/other/restrict-secrets-by-name/artifacthub-pkg.yml b/other/restrict-secrets-by-name/artifacthub-pkg.yml
index ef4305ff1..e9d1cfcde 100644
--- a/other/restrict-secrets-by-name/artifacthub-pkg.yml
+++ b/other/restrict-secrets-by-name/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.21"
kyverno/subject: "Pod, Secret"
-digest: b7e99348eb0fad19369fadce638e4494f39819c020ca5acaa1ca8ad3fa72d35f
+digest: f7f69fc8b018d902fdc489a7de1edf2d38d19f35be677ef607a49666e9f04149
diff --git a/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml b/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml
index d7989a36e..a0f324da4 100644
--- a/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml
+++ b/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml
@@ -18,7 +18,7 @@ metadata:
result in a Secret being mounted.
spec:
background: false
- validationFailureAction: enforce
+ validationFailureAction: Enforce
rules:
- name: safe-secrets-from-env
match:
diff --git a/other/restrict-service-account/artifacthub-pkg.yml b/other/restrict-service-account/artifacthub-pkg.yml
index e07cd6af0..138cbf43a 100644
--- a/other/restrict-service-account/artifacthub-pkg.yml
+++ b/other/restrict-service-account/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod,ServiceAccount"
-digest: 2e6f8d9217bc2296083d793d71409c60b9c20cfed55592d31c7a2d460c3b6ae9
+digest: 119b2007c7a6ca4706240ad186bff0f3583c2b6b9b9d9b244c8a21d082cbf0e7
diff --git a/other/restrict-service-account/restrict-service-account.yaml b/other/restrict-service-account/restrict-service-account.yaml
index 63788548e..0a53836e2 100644
--- a/other/restrict-service-account/restrict-service-account.yaml
+++ b/other/restrict-service-account/restrict-service-account.yaml
@@ -18,7 +18,7 @@ metadata:
specified is matched based on the image and name of the container. For example:
'sa-name: ["registry/image-name"]'
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-service-account
diff --git a/other/restrict-service-port-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-service-port-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8f2584462..07257ae91 100755
--- a/other/restrict-service-port-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-service-port-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-service-port-range
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-service-port-range/artifacthub-pkg.yml b/other/restrict-service-port-range/artifacthub-pkg.yml
index 9a5add890..820c3e958 100644
--- a/other/restrict-service-port-range/artifacthub-pkg.yml
+++ b/other/restrict-service-port-range/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Service"
-digest: fdd0c49e20e23a9aa4fb79712a0850b474421a33358c110ac586d1c169f66afd
+digest: d6e7a0b8d467dc8f00d06e509209cd3dd90e97b42ffab8ef560b5ef7fbe1f531
diff --git a/other/restrict-service-port-range/restrict-service-port-range.yaml b/other/restrict-service-port-range/restrict-service-port-range.yaml
index feaacd485..5113f7db0 100644
--- a/other/restrict-service-port-range/restrict-service-port-range.yaml
+++ b/other/restrict-service-port-range/restrict-service-port-range.yaml
@@ -17,7 +17,7 @@ metadata:
This policy enforces that only the port range 32000 to 33000 may
be used for Service resources.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: restrict-port-range
match:
diff --git a/other/restrict-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 671726afd..8dd985a78 100755
--- a/other/restrict-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-storageclass
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-storageclass/artifacthub-pkg.yml b/other/restrict-storageclass/artifacthub-pkg.yml
index b291ad7ba..bbd67b17c 100644
--- a/other/restrict-storageclass/artifacthub-pkg.yml
+++ b/other/restrict-storageclass/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Other, Multi-Tenancy"
kyverno/subject: "StorageClass"
-digest: 45f76a11eb13298cb775e980d8327414de5b7496e2f8c9c5b5f93c9c960a409d
+digest: 757dc74948bb948eb799a7cd02506980c6c4c79e2574c1ef5e3f79dbcf4cd2e7
diff --git a/other/restrict-storageclass/restrict-storageclass.yaml b/other/restrict-storageclass/restrict-storageclass.yaml
index 77a222a9e..e3fb73413 100644
--- a/other/restrict-storageclass/restrict-storageclass.yaml
+++ b/other/restrict-storageclass/restrict-storageclass.yaml
@@ -15,7 +15,7 @@ metadata:
a PersistentVolume cannot be reused across Namespaces. This policy requires
StorageClasses set a reclaimPolicy of `Delete`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: storageclass-delete
diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index ec8e34add..f0db745d7 100755
--- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: validate-userid-groupid-fsgroup
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml
index 39f787f33..6f5e811f9 100644
--- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml
@@ -9,9 +9,9 @@ spec:
fsGroup: 3000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -22,9 +22,9 @@ spec:
fsGroup: 2000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -35,9 +35,9 @@ spec:
runAsUser: 1000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -48,6 +48,6 @@ spec:
runAsGroup: 4000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml
index 2c478309e..8f55ad883 100644
--- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml
@@ -9,6 +9,6 @@ spec:
fsGroup: 2000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml
index 4647f8bc8..4c55cd19d 100644
--- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml
@@ -21,9 +21,9 @@ spec:
fsGroup: 3000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -41,7 +41,7 @@ spec:
fsGroup: 3000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml
index b636710ad..83bd236e3 100644
--- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml
@@ -21,9 +21,9 @@ spec:
fsGroup: 2000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -41,7 +41,7 @@ spec:
fsGroup: 2000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml b/other/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml
index f9cc87dc4..4e3971dd4 100644
--- a/other/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml
+++ b/other/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
-digest: 6d9326c04e9bb93aac3b2a7d44c922d02032fc35cf9e06cb8174babd16916189
+digest: 5d0262e16c46c10cb3eb0e211b33f363d12a8222780951b32a7b91e8b718b480
diff --git a/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml b/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml
index 37f8b2878..776dc75c3 100644
--- a/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml
+++ b/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml
@@ -14,7 +14,7 @@ metadata:
to make sure any file created in the volume will have the specified groupID.
This policy validates that these fields are set to the defined values.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: validate-userid
diff --git a/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f8b1749c0..f00b31b9c 100755
--- a/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-wildcard-resources
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-wildcard-resources/artifacthub-pkg.yml b/other/restrict-wildcard-resources/artifacthub-pkg.yml
index 83e9d11bb..e615875f1 100644
--- a/other/restrict-wildcard-resources/artifacthub-pkg.yml
+++ b/other/restrict-wildcard-resources/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Security, EKS Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "ClusterRole, Role, RBAC"
-digest: 7a7dbb2922a03060c6eddd2b0a1f55aca4bc2651b271e036acac8aec45251f99
+digest: 311d2cd912524e95dd356dba1366967200954540388500e00a3772ff89f9e7ee
diff --git a/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml b/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml
index 003404417..316f552c7 100644
--- a/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml
+++ b/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml
@@ -17,7 +17,7 @@ metadata:
This policy blocks any Role or ClusterRole that contains a wildcard entry in
the resources list found in any rule.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: wildcard-resources
diff --git a/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index fe34e2e7e..68363af9d 100755
--- a/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-wildcard-verbs
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/restrict-wildcard-verbs/artifacthub-pkg.yml b/other/restrict-wildcard-verbs/artifacthub-pkg.yml
index 362adcc55..4fd401fa9 100644
--- a/other/restrict-wildcard-verbs/artifacthub-pkg.yml
+++ b/other/restrict-wildcard-verbs/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Security, EKS Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Role, ClusterRole, RBAC"
-digest: 6c66139e22ed82c0b6d4756b7653136347fdb9575976e13292fbc33e516fe475
+digest: fc70320b1c882684a48f67314bf2631e11b8ac040aa2c1a45b4d5c88e2e81e76
diff --git a/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml b/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
index 4d35bb57b..ac0943c58 100644
--- a/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
+++ b/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
@@ -17,7 +17,7 @@ metadata:
This policy blocks any Role or ClusterRole that contains a wildcard entry in
the verbs list found in any rule.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: wildcard-verbs
diff --git a/other/scale-deployment-zero/.chainsaw-test/chainsaw-test.yaml b/other/scale-deployment-zero/.chainsaw-test/chainsaw-test.yaml
index f1c63457a..8b0249a92 100755
--- a/other/scale-deployment-zero/.chainsaw-test/chainsaw-test.yaml
+++ b/other/scale-deployment-zero/.chainsaw-test/chainsaw-test.yaml
@@ -14,7 +14,7 @@ spec:
try:
- script:
content: |
- kubectl get configmap -n kyverno kyverno -o yaml | sed 's/system\:nodes/system\:thisisjunk/g' - | kubectl apply -f -
+ kubectl get configmap -n kyverno kyverno -o yaml | sed 's/system\:nodes/system\:thisisjunk/g' | kubectl apply -f -
- sleep:
duration: 5s
- name: step-02
@@ -39,6 +39,6 @@ spec:
try:
- script:
content: |
- kubectl get configmap -n kyverno kyverno -o yaml | sed 's/system\:thisisjunk/system\:nodes/g' - | kubectl apply -f -
+ kubectl get configmap -n kyverno kyverno -o yaml | sed 's/system\:thisisjunk/system\:nodes/g' | kubectl apply -f -
- sleep:
duration: 5s
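Review bot: The restore command in this hunk sits in the `try` block of what appears to be a later step, so a failure in any step after the first `sed` edit would presumably skip it. That would leave the `kyverno` ConfigMap carrying `system:thisisjunk` instead of `system:nodes`, and the altered Kyverno configuration would then affect any tests that run afterwards on the same cluster. Registering the restore as a `cleanup` operation on the step that makes the edit, if the Chainsaw version in use supports it, would run it at the end of the test regardless of outcome. Both step definitions extend outside the hunks, so the surrounding structure should be confirmed first.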
diff --git a/other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml b/other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml
index 07da4412e..a5890b2af 100644
--- a/other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml
+++ b/other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: scale-deployment-zero
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/spread-pods-across-topology/.chainsaw-test/deploy.yaml b/other/spread-pods-across-topology/.chainsaw-test/deploy.yaml
index bf7b29028..4483c6711 100644
--- a/other/spread-pods-across-topology/.chainsaw-test/deploy.yaml
+++ b/other/spread-pods-across-topology/.chainsaw-test/deploy.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
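Review bot: The new `image: ghcr.io/kyverno/test-busybox:1.35` line still selects the image by tag, and a tag in any registry can be repointed, so what these test pods run is decided at pull time. If the tests do not depend on the bare tag form, appending the digest keeps the tag readable and fixes the content: `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-of-mirrored-image>` (placeholder; take the value from the mirror). The same applies to the other `test-busybox` replacements in this commit, including the remaining hunks of this file and the `.chainsaw-test` fixtures under `other/` and `pod-security-cel/`. The Deployment body continues outside the hunk.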
@@ -36,7 +36,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -57,7 +57,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
topologySpreadConstraints:
- maxSkew: 2
diff --git a/other/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml b/other/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml
index 363c819bf..35d1d441c 100644
--- a/other/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml
+++ b/other/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
topologySpreadConstraints:
- maxSkew: 1
diff --git a/other/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml b/other/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml
index ecc414a6d..ccc57744e 100644
--- a/other/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml
+++ b/other/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml
@@ -15,7 +15,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
topologySpreadConstraints:
- maxSkew: 1
diff --git a/other/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml b/other/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml
index e459cc5da..7526987d0 100644
--- a/other/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml
+++ b/other/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml
@@ -16,7 +16,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
topologySpreadConstraints:
- maxSkew: 1
diff --git a/other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml b/other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml
index 351e8f691..e2ac9e7c7 100644
--- a/other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml
+++ b/other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: spread-pods
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/sync-secrets/.chainsaw-test/policy-ready.yaml b/other/sync-secrets/.chainsaw-test/policy-ready.yaml
index ba880653c..d284cd3e0 100644
--- a/other/sync-secrets/.chainsaw-test/policy-ready.yaml
+++ b/other/sync-secrets/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: sync-secrets
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 080e44efe..42ae17e55 100755
--- a/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: topologyspreadconstraints-policy
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml b/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml
index c704109f2..040170cce 100644
--- a/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
topologySpreadConstraints:
- maxSkew: 1
topologyKey: foo.bar/test
@@ -49,7 +49,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
topologySpreadConstraints:
- maxSkew: 1
topologyKey: foo.bar/test
@@ -82,4 +82,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml b/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml
index 9f9c9ad53..712dc9937 100644
--- a/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml
+++ b/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
topologySpreadConstraints:
- maxSkew: 1
topologyKey: foo.bar/test
@@ -55,7 +55,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
topologySpreadConstraints:
- maxSkew: 1
topologyKey: foo.bar/test
@@ -88,4 +88,4 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other/topologyspreadconstraints-policy/artifacthub-pkg.yml b/other/topologyspreadconstraints-policy/artifacthub-pkg.yml
index aea39aa02..ecd64026c 100644
--- a/other/topologyspreadconstraints-policy/artifacthub-pkg.yml
+++ b/other/topologyspreadconstraints-policy/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Deployment, StatefulSet"
-digest: 041afd3ce5efff6a08d60eed81a6922a1877a229a64c94a801cfa5fbc082c32c
+digest: 1c1b582664e27ee557fb109b537101f2f262fb73d1d2fe882c0eb5a3dc3dd4ba
diff --git a/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml b/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
index 657d791eb..5d5f5ffc7 100644
--- a/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
+++ b/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
@@ -20,7 +20,7 @@ metadata:
spec:
background: true
failurePolicy: Ignore
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: spread-pods
match:
diff --git a/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a42b5ae27..dbf46af8a 100755
--- a/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: unique-ingress-host-and-path
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/unique-ingress-host-and-path/artifacthub-pkg.yml b/other/unique-ingress-host-and-path/artifacthub-pkg.yml
index 5bf072d02..9a6d32d92 100644
--- a/other/unique-ingress-host-and-path/artifacthub-pkg.yml
+++ b/other/unique-ingress-host-and-path/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Ingress"
-digest: 14c42f5e4f27f6ab33c50d7efc900f289b326ef96137464f4431d1a6ffdd7a4f
+digest: 830c9b4883a2a64f2da0ea693fd30c3a352d592e9971b7627e166c66e17d5c40
diff --git a/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml b/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml
index c95021467..63b800890 100644
--- a/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml
+++ b/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml
@@ -16,7 +16,7 @@ metadata:
This policy ensures that no Ingress can be created or updated unless it is
globally unique with respect to host plus path combination.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: check-host-path-combo
diff --git a/other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index c2b93df17..faa8b2142 100755
--- a/other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: unique-ingress-path
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/other/unique-ingress-paths/artifacthub-pkg.yml b/other/unique-ingress-paths/artifacthub-pkg.yml
index 8b2515b0e..674e1ed86 100644
--- a/other/unique-ingress-paths/artifacthub-pkg.yml
+++ b/other/unique-ingress-paths/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Ingress"
-digest: b7d6475c0f1a2e885ffeec1b6840bfca32b8d690dbefe6646d3dca6b78fdc7b2
+digest: a785d7bf1c1f02d9db27ca15873b81a3f93ca68ac2ad311415ecdc00b8d75810
diff --git a/other/unique-ingress-paths/unique-ingress-paths.yaml b/other/unique-ingress-paths/unique-ingress-paths.yaml
index 8493df3ab..c710ba6d6 100644
--- a/other/unique-ingress-paths/unique-ingress-paths.yaml
+++ b/other/unique-ingress-paths/unique-ingress-paths.yaml
@@ -16,7 +16,7 @@ metadata:
existing Ingress rule (ex., when blocking /foo/bar /foo must exist by itself and not part of
/foo/baz).
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: check-path
diff --git a/other/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml b/other/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml
index 160b7ebbd..dcfb7646c 100755
--- a/other/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml
+++ b/other/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml
@@ -19,7 +19,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- image: vault:1.2.3
name: vault-agent
diff --git a/other/update-image-tag/.chainsaw-test/deploy.yaml b/other/update-image-tag/.chainsaw-test/deploy.yaml
index f24157785..f952b61a5 100644
--- a/other/update-image-tag/.chainsaw-test/deploy.yaml
+++ b/other/update-image-tag/.chainsaw-test/deploy.yaml
@@ -19,7 +19,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
- name: vault-agent
image: vault:1.2.3
@@ -46,8 +46,8 @@ spec:
spec:
containers:
- name: vault-agent
- image: busybox:1.3.5
- - image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.3.5
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
---
apiVersion: apps/v1
@@ -71,7 +71,7 @@ spec:
spec:
containers:
- name: vault-agent
- image: busybox:1.3.5
+ image: ghcr.io/kyverno/test-busybox:1.3.5
---
apiVersion: apps/v1
kind: Deployment
@@ -92,4 +92,4 @@ spec:
spec:
containers:
- name: vault-agent
- image: busybox:1.3.5
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.3.5
\ No newline at end of file
diff --git a/other/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml b/other/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml
index e526fa97e..43e94aab8 100644
--- a/other/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml
+++ b/other/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml
@@ -21,5 +21,5 @@ spec:
containers:
- name: vault-agent
image: vault:1.6.0
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/update-image-tag/.chainsaw-test/deploy00-patched.yaml b/other/update-image-tag/.chainsaw-test/deploy00-patched.yaml
index 1beaf0827..124682ee4 100644
--- a/other/update-image-tag/.chainsaw-test/deploy00-patched.yaml
+++ b/other/update-image-tag/.chainsaw-test/deploy00-patched.yaml
@@ -21,5 +21,5 @@ spec:
containers:
- name: vault-agent
image: vault:1.5.4
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml b/other/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml
index 9bc1b1754..f1ba65bd5 100644
--- a/other/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml
+++ b/other/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml
@@ -21,5 +21,5 @@ spec:
containers:
- name: vault-agent
image: vault:1.6.0
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/update-image-tag/.chainsaw-test/deploy01-patched.yaml b/other/update-image-tag/.chainsaw-test/deploy01-patched.yaml
index 075665308..cfa7142f9 100644
--- a/other/update-image-tag/.chainsaw-test/deploy01-patched.yaml
+++ b/other/update-image-tag/.chainsaw-test/deploy01-patched.yaml
@@ -21,5 +21,5 @@ spec:
containers:
- name: vault-agent
image: vault:1.5.4
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml b/other/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml
index b4554a24f..627ff5fe4 100644
--- a/other/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml
+++ b/other/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml
@@ -21,5 +21,5 @@ spec:
containers:
- name: vault-agent
image: vault:1.6.0
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/update-image-tag/.chainsaw-test/deploy02-patched.yaml b/other/update-image-tag/.chainsaw-test/deploy02-patched.yaml
index 4c3d98b38..51a01f15d 100644
--- a/other/update-image-tag/.chainsaw-test/deploy02-patched.yaml
+++ b/other/update-image-tag/.chainsaw-test/deploy02-patched.yaml
@@ -21,5 +21,5 @@ spec:
containers:
- name: vault-agent
image: vault:1.5.4
- - image: busybox:1.35
+ - image: ghcr.io/kyverno/test-busybox:1.35
name: busybox
\ No newline at end of file
diff --git a/other/update-image-tag/.chainsaw-test/policy-ready.yaml b/other/update-image-tag/.chainsaw-test/policy-ready.yaml
index c1e1c3f8d..9f7da58fa 100644
--- a/other/update-image-tag/.chainsaw-test/policy-ready.yaml
+++ b/other/update-image-tag/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: update-image-tag
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/verify-image-cve-2022-42889/artifacthub-pkg.yml b/other/verify-image-cve-2022-42889/artifacthub-pkg.yml
index 1cbeaf83b..f7b2f1955 100644
--- a/other/verify-image-cve-2022-42889/artifacthub-pkg.yml
+++ b/other/verify-image-cve-2022-42889/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Software Supply Chain Security"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: 2c0122c8dcdabb0170d567011389e734e1c26295e09a032f55682440b8fd0620
+digest: 2760f77b5695c74d2a6a02f0a5be1ad32dcf89bb76007ef7ef22e3fce350a669
diff --git a/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml b/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml
index a5322b573..01a357bf7 100644
--- a/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml
+++ b/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml
@@ -19,7 +19,7 @@ metadata:
package. Using this for your own purposes will require customizing the `imageReferences`,
`subject`, and `issuer` fields based on your image signatures and attestations.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
webhookTimeoutSeconds: 10
rules:
- name: cve-2022-42889
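Review bot: `validationFailureAction: Audit` means a Pod whose image fails this attestation check is still admitted and only reported, which the description above the `spec:` line does not mention. A comment on the line would make that explicit for anyone copying the policy: `# Audit reports failures without blocking; set Enforce to reject Pods that fail verification`. The same applies to the `Audit` lines in `verify-image-gcpkms`, `verify-image-slsa` and `verify-sbom-cyclonedx` later in this commit. The metadata block starts outside the hunk.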
diff --git a/other/verify-image-gcpkms/artifacthub-pkg.yml b/other/verify-image-gcpkms/artifacthub-pkg.yml
index 2457c1b3e..8230589d8 100644
--- a/other/verify-image-gcpkms/artifacthub-pkg.yml
+++ b/other/verify-image-gcpkms/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Software Supply Chain Security"
kyverno/subject: "Pod"
-digest: fa0df7562cf397dc3115deeabb85bb80d2d5aeb6dead376122628d4c97dc739c
+digest: c57410fff68cc13d077c230c5e275472c71879173577d7dfe129a4a61e37caa6
diff --git a/other/verify-image-gcpkms/verify-image-gcpkms.yaml b/other/verify-image-gcpkms/verify-image-gcpkms.yaml
index 8ffab7532..7ee8e2701 100644
--- a/other/verify-image-gcpkms/verify-image-gcpkms.yaml
+++ b/other/verify-image-gcpkms/verify-image-gcpkms.yaml
@@ -16,7 +16,7 @@ metadata:
its signature against the provided public key. This policy serves as an illustration for
how to configure a similar rule and will require replacing with your image(s) and keys.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: verify-image
diff --git a/other/verify-image-slsa/artifacthub-pkg.yml b/other/verify-image-slsa/artifacthub-pkg.yml
index f59d4fa08..e7dd5fa00 100644
--- a/other/verify-image-slsa/artifacthub-pkg.yml
+++ b/other/verify-image-slsa/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Software Supply Chain Security"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: 74a49f461828bb48c6557309059077c5b7cfb801b85af44280ad0f489c27ac3e
+digest: 71468d92deb1f7a812ea584f2ce92002279fb67237d414a55911860497317349
diff --git a/other/verify-image-slsa/verify-image-slsa.yaml b/other/verify-image-slsa/verify-image-slsa.yaml
index 8a45095e3..1b25025bf 100644
--- a/other/verify-image-slsa/verify-image-slsa.yaml
+++ b/other/verify-image-slsa/verify-image-slsa.yaml
@@ -18,7 +18,7 @@ metadata:
when produced through GitHub Actions. It requires configuration based upon
your own values.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
webhookTimeoutSeconds: 30
rules:
- name: check-slsa-keyless
diff --git a/other/verify-image-with-multi-keys/artifacthub-pkg.yml b/other/verify-image-with-multi-keys/artifacthub-pkg.yml
index 630316e2e..f75f759ff 100644
--- a/other/verify-image-with-multi-keys/artifacthub-pkg.yml
+++ b/other/verify-image-with-multi-keys/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Software Supply Chain Security"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 512b32c2d9e2bcf48907258ca01ff675efb4ed0d1967351ad161e50b20512d56
+digest: bdc70bf5d50bcf20a110d0d0af6992f5d0f2d426e8edab84a8436c7d1ec97af8
diff --git a/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml b/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml
index 4c77e2ce9..1d4f2bd1c 100644
--- a/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml
+++ b/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml
@@ -18,7 +18,7 @@ metadata:
key in a ConfigMap called `keys` in the `default` Namespace
and also a Namespace key in the same ConfigMap.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: check-image-with-two-keys
diff --git a/other/verify-image/artifacthub-pkg.yml b/other/verify-image/artifacthub-pkg.yml
index f1b8a5397..6d7751d2e 100644
--- a/other/verify-image/artifacthub-pkg.yml
+++ b/other/verify-image/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Software Supply Chain Security, EKS Best Practices"
kyverno/subject: "Pod"
-digest: a8736ddddb89acaa42ad54420b84992be6d27d39ea0f404f93cbd82a916d6043
+digest: 40063592a49e22a2f9b96a09c8e5202feb31818d0b6c1787d80ce3416d3e6898
diff --git a/other/verify-image/verify-image.yaml b/other/verify-image/verify-image.yaml
index 08357fe20..02f0db0e7 100644
--- a/other/verify-image/verify-image.yaml
+++ b/other/verify-image/verify-image.yaml
@@ -16,7 +16,7 @@ metadata:
its signature against the provided public key. This policy serves as an illustration for
how to configure a similar rule and will require replacing with your image(s) and keys.
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
background: false
rules:
- name: verify-image
diff --git a/other/verify-manifest-integrity/artifacthub-pkg.yml b/other/verify-manifest-integrity/artifacthub-pkg.yml
index 765697fc0..e56837352 100644
--- a/other/verify-manifest-integrity/artifacthub-pkg.yml
+++ b/other/verify-manifest-integrity/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Deployment"
-digest: 69902d8be3696a25da697f19dce03c9d5e7b8505e1b9ffacab282c5a09004cec
+digest: 0a6c2164a5d6aefdbd14b48d0698ab886a687fe456c73e1bac7f72a7e975c24e
diff --git a/other/verify-manifest-integrity/verify-manifest-integrity.yaml b/other/verify-manifest-integrity/verify-manifest-integrity.yaml
index 33fbfb05d..31eb490c7 100644
--- a/other/verify-manifest-integrity/verify-manifest-integrity.yaml
+++ b/other/verify-manifest-integrity/verify-manifest-integrity.yaml
@@ -19,7 +19,7 @@ metadata:
the expected key but ignores the `spec.replicas` field allowing other teams to change just
this value.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: verify-deployment-allow-replicas
diff --git a/other/verify-sbom-cyclonedx/artifacthub-pkg.yml b/other/verify-sbom-cyclonedx/artifacthub-pkg.yml
index 5b23662b1..0e70c328b 100644
--- a/other/verify-sbom-cyclonedx/artifacthub-pkg.yml
+++ b/other/verify-sbom-cyclonedx/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Software Supply Chain Security"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: c96b68cc7e56de0f391ef9fd673bb0f9c372370f4a9f07b7ca3aedba2b2f6628
+digest: 330ef8f4b5e7dda5105cd384d12da2e091c62c8c1b553897f2d66edebea17b55
diff --git a/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml b/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml
index 934d11b52..0242e4ad3 100644
--- a/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml
+++ b/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml
@@ -18,7 +18,7 @@ metadata:
and was signed by the expected subject and issuer when produced through GitHub Actions
and using Cosign's keyless signing. It requires configuration based upon your own values.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
webhookTimeoutSeconds: 30
rules:
- name: check-sbom
diff --git a/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml b/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml
index acbf54602..dff10bd82 100644
--- a/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml
+++ b/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: verify-vpa-target
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/verify-vpa-target/.chainsaw-test/prereq.yaml b/other/verify-vpa-target/.chainsaw-test/prereq.yaml
index 57e5b4482..b265f78da 100644
--- a/other/verify-vpa-target/.chainsaw-test/prereq.yaml
+++ b/other/verify-vpa-target/.chainsaw-test/prereq.yaml
@@ -15,7 +15,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: busybox
command:
- "sleep"
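Review bot: `image: ghcr.io/kyverno/test-busybox:latest` keeps the floating `latest` tag, so the prerequisite workloads can change between runs without any change in this repository. The rest of the commit uses `ghcr.io/kyverno/test-busybox:1.35`; using that here (`- image: ghcr.io/kyverno/test-busybox:1.35`) would make the fixture reproducible, assuming nothing in the test relies on `latest`. The same line appears in the hunks at `@@ -35,7 +35,7 @@` and `@@ -58,7 +58,7 @@` of this file.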
@@ -35,7 +35,7 @@ spec:
name: good-daemonset
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: busybox
command:
- "sleep"
@@ -58,7 +58,7 @@ spec:
app: busybox
spec:
containers:
- - image: busybox:latest
+ - image: ghcr.io/kyverno/test-busybox:latest
name: busybox
command:
- "sleep"
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
index 5c7bd5f6b..bbaf3bdc0 100644
--- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -14,12 +14,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -33,7 +33,7 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -41,7 +41,7 @@ spec:
- CHOWN
- MKNOD
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
@@ -49,7 +49,7 @@ spec:
- "ALL"
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "CAP_NET_RAW", "FOWNER"]
@@ -61,7 +61,7 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "CAP_SETPCAP", "SETFCAP", "FOWNER"]
@@ -73,7 +73,7 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["CAP_NET_RAW", "CAP_SYS_ADMIN", "NET_ADMIN"]
@@ -85,7 +85,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -98,7 +98,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -112,13 +112,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -131,14 +131,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -151,16 +151,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -173,14 +173,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
index a0806e7c0..d7dec96bc 100644
--- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -14,12 +14,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -33,7 +33,7 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -41,7 +41,7 @@ spec:
- CHOWN
- MKNOD
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
@@ -49,7 +49,7 @@ spec:
- "ALL"
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -61,7 +61,7 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -73,9 +73,9 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -84,7 +84,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -93,7 +93,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -106,13 +106,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -125,10 +125,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -137,14 +137,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -153,14 +153,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
index fb3fca4d4..9307c1c14 100644
--- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -23,12 +23,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "CAP_NET_RAW", "SETFCAP", "FOWNER"]
@@ -48,7 +48,7 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -57,12 +57,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "CAP_SYS_ADMIN", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -107,7 +107,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -130,13 +130,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -158,14 +158,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -187,16 +187,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -218,14 +218,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -244,7 +244,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -263,7 +263,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -283,13 +283,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -308,14 +308,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -334,16 +334,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -362,14 +362,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
index 431dbcfcb..eb8386d5d 100644
--- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -23,12 +23,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -48,7 +48,7 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -57,12 +57,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -103,7 +103,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -125,13 +125,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -153,10 +153,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -174,14 +174,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -199,14 +199,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -225,7 +225,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -240,7 +240,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -259,13 +259,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -284,10 +284,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -302,14 +302,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -324,14 +324,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml
index 5c1ca4056..ab17d56d2 100755
--- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-capabilities
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
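Review bot: The new `status.conditions` assertion lists a single entry, and as far as I understand Chainsaw's assertion trees a plain list is compared element by element and by length. If the ClusterPolicy status ever carries a second condition, this check would then fail even though the policy is Ready. Filtering on the type is more robust, for example `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The hunk also adds an empty line at the end of the file, which can be dropped. The policy-ready.yaml hunks for disallow-host-namespaces and disallow-host-path have the same two points.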
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
index 7fba934b0..76850d7f6 100644
--- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
@@ -8,7 +8,7 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,9 +18,9 @@ spec:
hostIPC: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -30,9 +30,9 @@ spec:
hostNetwork: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -44,9 +44,9 @@ spec:
hostNetwork: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -56,7 +56,7 @@ spec:
hostPID: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -66,7 +66,7 @@ spec:
hostIPC: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -76,7 +76,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -88,5 +88,5 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
index e2cf4a39b..c6471fc77 100644
--- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -17,7 +17,7 @@ spec:
hostPID: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -27,9 +27,9 @@ spec:
hostIPC: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -39,9 +39,9 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -53,9 +53,9 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -64,7 +64,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -74,7 +74,7 @@ spec:
hostPID: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -84,7 +84,7 @@ spec:
hostIPC: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -94,7 +94,7 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -106,5 +106,5 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
index 803e15585..61fd6af18 100644
--- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
@@ -17,9 +17,9 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,9 +36,9 @@ spec:
hostIPC: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -57,7 +57,7 @@ spec:
hostPID: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -76,7 +76,7 @@ spec:
hostIPC: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -95,7 +95,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -116,7 +116,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -132,7 +132,7 @@ spec:
hostPID: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -148,7 +148,7 @@ spec:
hostIPC: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -164,7 +164,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -182,5 +182,5 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
index a6bd5b852..07581653c 100644
--- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
@@ -17,9 +17,9 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,9 +36,9 @@ spec:
hostIPC: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -56,7 +56,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -75,7 +75,7 @@ spec:
hostPID: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -94,7 +94,7 @@ spec:
hostIPC: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -113,7 +113,7 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -134,7 +134,7 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -149,7 +149,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -165,7 +165,7 @@ spec:
hostPID: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -181,7 +181,7 @@ spec:
hostIPC: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -197,7 +197,7 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -215,4 +215,4 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml
index 728930b26..8e1525f8e 100755
--- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-namespaces
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
index 4259a9f1a..ada442cc5 100644
--- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -39,7 +39,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -52,7 +52,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -68,7 +68,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
index 5194f478f..76c5baa0c 100644
--- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -21,7 +21,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -41,7 +41,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -50,7 +50,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -59,7 +59,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: temp
mountPath: /scratch
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
index c7962a93e..ab34a002a 100644
--- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -39,7 +39,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: bar
hostPath:
@@ -66,7 +66,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -91,7 +91,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -117,7 +117,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -139,7 +139,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
index 3e464bbbd..e57aa7df5 100644
--- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -42,7 +42,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -72,7 +72,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -90,7 +90,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: temp
mountPath: /scratch
@@ -111,7 +111,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -126,7 +126,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: temp
mountPath: /scratch
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml
index 5bc41e9b1..2093a5bc4 100755
--- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-path
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
index 7103ed4af..ab8ca032b 100644
--- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
@@ -5,15 +5,15 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 1234
hostPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8099
- hostPort: 8090
@@ -26,16 +26,16 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
hostPort: 8090
@@ -48,7 +48,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
hostPort: 8090
@@ -60,7 +60,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -73,7 +73,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -90,9 +90,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -109,13 +109,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -129,13 +129,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -149,10 +149,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -165,14 +165,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -185,16 +185,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -207,20 +207,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -233,12 +233,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
hostPort: 53
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml
index 7b1dc0f58..00ce9cfd7 100644
--- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -23,17 +23,17 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 5431
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- containerPort: 8088
@@ -46,7 +46,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -55,7 +55,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 5000
@@ -67,7 +67,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -76,7 +76,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -90,7 +90,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -106,9 +106,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -117,9 +117,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -133,12 +133,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -152,10 +152,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -164,14 +164,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -180,14 +180,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -199,16 +199,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -220,7 +220,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml
index a8fbc8500..762a7bffc 100644
--- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml
@@ -14,15 +14,15 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
hostPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -39,14 +39,14 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 8080
@@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -89,7 +89,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -115,9 +115,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -143,13 +143,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -172,13 +172,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -201,10 +201,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -226,14 +226,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -255,16 +255,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -286,20 +286,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -321,14 +321,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -343,7 +343,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -362,7 +362,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -385,9 +385,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -410,13 +410,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -436,13 +436,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -462,10 +462,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -484,14 +484,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -510,16 +510,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -538,20 +538,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -570,12 +570,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
hostPort: 53
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
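Review bot: The file still ends with a bare `---` and no final newline, as the `\ No newline at end of file` marker after the last context line shows, which leaves an empty trailing document. Dropping the trailing separator and ending the file with a single newline would be cleaner, although how the test runner treats an empty document is not visible here. The pod-bad.yaml fixture under disallow-host-ports ends the same way. The manifest this hunk belongs to starts outside the hunk.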
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml
index eeceb5d4c..78e52435e 100644
--- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 5432
@@ -39,15 +39,15 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 9808
hostPort: 6000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -108,7 +108,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -133,9 +133,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -153,9 +153,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -178,13 +178,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -206,10 +206,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -227,14 +227,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -252,14 +252,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -280,16 +280,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -310,7 +310,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -330,7 +330,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -345,7 +345,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -365,7 +365,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -387,9 +387,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -404,9 +404,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -426,13 +426,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -451,10 +451,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -469,14 +469,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -491,14 +491,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -516,16 +516,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/policy-ready.yaml
index f4e6012b3..68c1e2e62 100755
--- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-ports-range
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
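Review bot: The new `conditions` assertion lists a single entry, so it may only hold while the ClusterPolicy reports exactly one condition, assuming Chainsaw compares list entries positionally. Selecting the entry by type would keep the readiness check stable if further conditions are reported, for example `(conditions[?type == 'Ready']):` followed by `- status: "True"`. Matching on `reason: Succeeded` also ties the test to one reason string, so a short comment should say whether that is intended. The empty line added at the end of the file can be dropped.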
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml
index d5c83c72c..e37b39072 100644
--- a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
-digest: 22f1d93a44d6e62c3329f6609e46b92729549be08cb157b7c1f11581527c4d48
+digest: 98649f33f27275eee56ff1e6366816e81f7adc044f36ffa72a371d2ab8d488ad
createdAt: "2024-08-21T00:22:34Z"
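Review bot: The `kyverno/kubernetesVersion: "1.26-1.27"` annotation just above the changed `digest` is left untouched, while the CEL workflow matrix in this same commit now runs v1.28 through v1.31 only. If the policy is no longer exercised on 1.26 and 1.27, the annotation should be updated to the range that is actually tested. The new `digest` is presumably the SHA-256 of the edited policy file, so it is worth regenerating it from the final committed file to keep the catalogue entry and the policy from drifting apart. The package file continues above the hunk.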
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
index b67269271..211fc502a 100644
--- a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
@@ -28,7 +28,6 @@ spec:
- CREATE
- UPDATE
validate:
- cel:
cel:
variables:
- name: allContainers
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
index 482abd63e..d954d8705 100644
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- hostPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8099
- hostPort: 8090
@@ -25,16 +25,16 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
hostPort: 8090
@@ -48,7 +48,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
hostPort: 8090
@@ -60,7 +60,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -73,7 +73,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -90,9 +90,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -109,13 +109,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -129,13 +129,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -149,10 +149,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -165,14 +165,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -185,16 +185,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -207,20 +207,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -233,12 +233,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
hostPort: 53
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml
index 49c331fd9..bd28f17d9 100644
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -23,17 +23,17 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- containerPort: 8088
@@ -46,7 +46,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -55,7 +55,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 0
@@ -67,7 +67,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -76,7 +76,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -89,7 +89,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -104,9 +104,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -115,9 +115,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -130,12 +130,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -148,10 +148,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -160,13 +160,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -175,13 +175,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -193,15 +193,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml
index 087ef9bc5..eca7e8b75 100644
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml
@@ -14,15 +14,15 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
hostPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -39,14 +39,14 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 8080
@@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -89,7 +89,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -115,9 +115,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -143,13 +143,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -172,13 +172,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -201,10 +201,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -226,14 +226,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -255,16 +255,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -286,20 +286,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -321,14 +321,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -343,7 +343,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -362,7 +362,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -385,9 +385,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -410,13 +410,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -436,13 +436,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -462,10 +462,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -484,14 +484,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -510,16 +510,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -538,20 +538,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -570,12 +570,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
hostPort: 53
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
index b8cd1dda4..97c5643aa 100644
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 0
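Review bot: `ghcr.io/kyverno/test-busybox:1.35` is referenced by a mutable tag in the three `image:` lines of this hunk, so what the admitted workloads from this "good" fixture pull on the CI cluster depends on whatever the tag points to at run time. Pinning by digest, for example `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-of-mirrored-image>`, would make the fixtures reproducible and stop a re-pushed tag from changing them silently. The same applies to the other fixture hunks in this commit that switch to the mirror. The manifests around this hunk continue outside it.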
@@ -39,15 +39,15 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 9808
hostPort: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -107,7 +107,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -131,9 +131,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -151,9 +151,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -175,12 +175,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -202,10 +202,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -223,13 +223,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -247,13 +247,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -274,15 +274,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -300,7 +300,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -315,7 +315,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -334,7 +334,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -355,9 +355,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -372,9 +372,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -393,12 +393,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -417,10 +417,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -435,13 +435,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -456,13 +456,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -480,15 +480,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml
index 7630931c6..46cf00260 100755
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-ports
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
index d6e00d2ed..e5ebd1526 100644
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
@@ -5,18 +5,18 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -37,12 +37,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -52,7 +52,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -65,12 +65,12 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -83,13 +83,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -102,18 +102,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -126,18 +126,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml
index 8f225cfd5..9a14517e9 100644
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml
@@ -5,18 +5,18 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -37,12 +37,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -51,7 +51,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -61,7 +61,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -71,7 +71,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -84,9 +84,9 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -99,10 +99,10 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -112,13 +112,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -128,15 +128,15 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml
index fd8c0d6f6..2b9838389 100644
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml
@@ -14,18 +14,18 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -40,15 +40,15 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -70,7 +70,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -92,12 +92,12 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -119,13 +119,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -147,18 +147,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -180,18 +180,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -210,7 +210,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -229,12 +229,12 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -253,13 +253,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -278,18 +278,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -308,18 +308,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml
index be6c2f1d3..24add416f 100644
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml
@@ -14,18 +14,18 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -40,15 +40,15 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -70,7 +70,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -89,7 +89,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -111,9 +111,9 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -135,10 +135,10 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -157,13 +157,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -182,15 +182,15 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -209,7 +209,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -225,7 +225,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -244,9 +244,9 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -265,10 +265,10 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -284,13 +284,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -306,15 +306,15 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml
index ddce453da..24ff7dd20 100755
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-process
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml
index 5c34fd693..e8d224546 100644
--- a/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
-digest: 338a31daa29f6303a1b67e727631a4ea60abcc3bef1c6f322f8835fc8c6ddc17
-createdAt: "2023-12-03T00:22:34Z"
+digest: 37386d4c35fe393c0957f0e52ddf818b38d31cb5440e3bcc155161b1f79e47c4
+createdAt: "2024-08-27T00:22:34Z"
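Review bot: The `kyverno/kubernetesVersion: "1.26-1.27"` annotation in the context above the new digest is left unchanged, although the policy this digest covers now uses CEL optional syntax (`.?` and `orValue`) in this same commit. As far as I know that syntax is not available in the API server's CEL environment on those releases, so the advertised range is probably stale for anyone installing from Artifact Hub. Update the annotation to the versions the policy is actually tested on, and keep the matching annotation in the policy manifest in step. If the manifest changes, the digest here would presumably need regenerating.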
diff --git a/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml b/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml
index 2d7269f15..da74ffd67 100644
--- a/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml
@@ -35,10 +35,7 @@ spec:
expressions:
- expression: >-
variables.allContainers.all(container,
- !has(container.securityContext) ||
- !has(container.securityContext.windowsOptions) ||
- !has(container.securityContext.windowsOptions.hostProcess) ||
- container.securityContext.windowsOptions.hostProcess == false)
+ container.?securityContext.?windowsOptions.?hostProcess.orValue(false) == false)
message: >-
HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess,
spec.initContainers[*].securityContext.windowsOptions.hostProcess, and
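Review bot: The rewritten expression still inspects only the per-container field, so a Pod that sets `spec.securityContext.windowsOptions.hostProcess: true` at pod level and leaves the container fields unset would, as far as this hunk shows, pass the check. The Pod Security Standards baseline profile lists the pod-level field alongside the container ones. Consider adding a second clause such as `object.spec.?securityContext.?windowsOptions.?hostProcess.orValue(false) == false`, joined with `&&`, and a matching pod-level case in the chainsaw fixtures. `variables.allContainers` is defined above the hunk and the message text continues below it, so confirm the pod-level field is not already handled elsewhere in the rule.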
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml
index f1d439769..91bb7660f 100644
--- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml
@@ -5,16 +5,16 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -23,7 +23,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -34,11 +34,11 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -49,11 +49,11 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -64,7 +64,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -75,9 +75,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -88,12 +88,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -102,14 +102,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -118,14 +118,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml
index 5000dcc54..85d1e5a64 100644
--- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml
@@ -5,16 +5,16 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -23,7 +23,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -34,11 +34,11 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -49,7 +49,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -58,7 +58,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -67,7 +67,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -78,9 +78,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -91,10 +91,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -103,12 +103,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -117,14 +117,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
index e7d597df7..c53985938 100644
--- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
@@ -14,16 +14,16 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -38,14 +38,14 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -65,7 +65,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -85,9 +85,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -107,12 +107,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -130,14 +130,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -155,14 +155,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -179,7 +179,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -196,9 +196,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -215,12 +215,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -235,14 +235,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -257,14 +257,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
index b02400703..eb3103ad1 100644
--- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
@@ -14,16 +14,16 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -38,14 +38,14 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -65,7 +65,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -83,7 +83,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -103,9 +103,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -125,10 +125,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -146,12 +146,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -169,14 +169,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -193,7 +193,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -208,7 +208,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -225,9 +225,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -244,10 +244,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -262,12 +262,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -282,13 +282,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml
index cc13a32d2..deead22e1 100755
--- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-privileged-containers
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
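Review bot: The readiness assertion is now a positional list entry under `conditions` that pins `reason: Succeeded` together with `type: Ready` and `status: "True"`. Whether it still matches if the policy status gains a second condition or a different reason string depends on how Chainsaw compares list entries, which is not visible here. A filtered key would select the Ready condition explicitly and keep the check to the field that matters: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The identical hunk in `pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml` has the same shape, and the trailing blank `+` line in both can be dropped.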
diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
index 87ef3bbcb..9fafc59be 100755
--- a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-proc-mount
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
index 9126416e3..fd37b5981 100644
--- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
@@ -5,18 +5,18 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -32,12 +32,12 @@ spec:
role: "foo"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -52,7 +52,7 @@ spec:
type: container_engine_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -61,12 +61,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -78,14 +78,14 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: "1000"
role: "foo"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -97,12 +97,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: "1000"
@@ -116,7 +116,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -128,7 +128,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -140,9 +140,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -154,12 +154,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -171,13 +171,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -186,15 +186,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -203,18 +203,18 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -223,7 +223,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -235,7 +235,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -247,7 +247,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -260,7 +260,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -272,7 +272,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -284,7 +284,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -297,9 +297,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -311,9 +311,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -325,9 +325,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -340,12 +340,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: unconfined_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -357,13 +357,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -372,13 +372,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -387,14 +387,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -403,15 +403,15 @@ metadata:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -420,15 +420,15 @@ metadata:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -437,16 +437,16 @@ metadata:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -455,16 +455,16 @@ metadata:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
index f372cfc59..286d078b7 100644
--- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
@@ -5,18 +5,18 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -28,12 +28,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -48,7 +48,7 @@ spec:
type: container_init_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -57,7 +57,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -66,7 +66,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -75,7 +75,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -87,7 +87,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -99,7 +99,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -111,7 +111,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -123,7 +123,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -135,7 +135,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -147,9 +147,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -161,12 +161,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -178,13 +178,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -193,13 +193,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -208,13 +208,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -223,15 +223,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -240,18 +240,18 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -260,7 +260,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -269,7 +269,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -281,7 +281,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -293,7 +293,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -306,9 +306,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -320,12 +320,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -337,10 +337,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -349,13 +349,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -364,14 +364,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -380,15 +380,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -397,16 +397,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
index 897ffc294..37ef091a3 100644
--- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
@@ -14,18 +14,18 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -46,20 +46,20 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: "1000"
role: "foo"
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -77,18 +77,18 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -106,18 +106,18 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: "1000"
@@ -140,7 +140,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -161,7 +161,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -182,9 +182,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -205,12 +205,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -231,13 +231,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -255,15 +255,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -281,18 +281,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -307,7 +307,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -325,7 +325,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -343,9 +343,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -363,12 +363,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -386,13 +386,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -407,15 +407,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -430,18 +430,18 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -459,7 +459,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -480,7 +480,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -501,7 +501,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -523,7 +523,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -544,7 +544,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -565,7 +565,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -587,9 +587,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -610,9 +610,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -633,9 +633,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -657,12 +657,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: unconfined_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -683,13 +683,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -707,13 +707,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -731,14 +731,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -756,15 +756,15 @@ spec:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -782,15 +782,15 @@ spec:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -808,16 +808,16 @@ spec:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -835,18 +835,18 @@ spec:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -861,7 +861,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -879,7 +879,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -897,7 +897,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -916,7 +916,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -934,7 +934,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -952,7 +952,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -971,9 +971,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -991,9 +991,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -1011,9 +1011,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -1032,12 +1032,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: unconfined_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -1055,13 +1055,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1076,13 +1076,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1097,14 +1097,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1119,15 +1119,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1142,15 +1142,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1165,16 +1165,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1189,16 +1189,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
index 630331acb..b3b964adb 100644
--- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
@@ -14,18 +14,18 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -43,18 +43,18 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -75,7 +75,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -93,7 +93,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -114,7 +114,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -135,7 +135,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -156,7 +156,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -177,7 +177,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -198,7 +198,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -219,9 +219,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -242,12 +242,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -268,13 +268,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -292,13 +292,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -316,13 +316,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -340,15 +340,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -366,18 +366,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -395,7 +395,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -413,7 +413,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -434,7 +434,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -455,7 +455,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -477,9 +477,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -500,12 +500,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -526,10 +526,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -547,13 +547,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -571,14 +571,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -596,15 +596,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -622,18 +622,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -648,7 +648,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -663,7 +663,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -681,7 +681,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -699,7 +699,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -718,9 +718,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -738,12 +738,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -761,10 +761,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -779,13 +779,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -800,14 +800,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -822,15 +822,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -845,18 +845,18 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -871,7 +871,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -886,7 +886,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -904,7 +904,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -922,7 +922,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -940,7 +940,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -958,7 +958,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -976,7 +976,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -994,9 +994,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -1014,12 +1014,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -1037,13 +1037,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1058,13 +1058,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1079,13 +1079,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1100,15 +1100,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1123,16 +1123,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml
index 1971822e2..a4b562256 100755
--- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-selinux
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
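Review bot: The new `status.conditions` assertion lists a single element, so it appears to depend on the ClusterPolicy reporting exactly one condition, in that position. If Chainsaw compares arrays element by element with matching length (worth confirming against the Chainsaw version in use), a second condition added later would fail every test that waits on this file, even though the policy is ready. A filter keyed on the condition type, `(conditions[?type == 'Ready']):` with `- status: "True"` beneath it, would state the intent without depending on list length or order. The blank line added at the end of the hunk can be dropped.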
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
index ed1acc81d..14d48792f 100644
--- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
@@ -5,19 +5,19 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -29,12 +29,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -49,7 +49,7 @@ spec:
type: Unconfined
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -58,7 +58,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -70,7 +70,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -82,9 +82,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -96,12 +96,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -113,13 +113,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -128,15 +128,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -145,16 +145,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
index c7c153eb2..e97ff3768 100644
--- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
@@ -5,19 +5,19 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -29,12 +29,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -51,7 +51,7 @@ spec:
localhostProfile: profiles/audit.json
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -60,7 +60,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -69,7 +69,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -78,7 +78,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -90,7 +90,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -103,7 +103,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -115,7 +115,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -128,9 +128,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -142,12 +142,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -160,13 +160,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -175,14 +175,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -191,15 +191,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -208,17 +208,17 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
index 433a45dac..92d9b91db 100644
--- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
@@ -14,19 +14,19 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -44,19 +44,19 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -77,7 +77,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -98,7 +98,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -119,9 +119,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -142,12 +142,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -168,13 +168,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -192,15 +192,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -218,18 +218,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -244,7 +244,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -262,7 +262,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -280,9 +280,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -300,12 +300,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -323,13 +323,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -344,15 +344,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -367,16 +367,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
index 49df1fbcf..72cafb0a1 100644
--- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
@@ -14,19 +14,19 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -44,19 +44,19 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -77,7 +77,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -95,7 +95,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -116,7 +116,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -138,7 +138,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -159,7 +159,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -181,9 +181,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -204,13 +204,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -231,13 +231,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -255,14 +255,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -280,15 +280,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -306,19 +306,19 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -333,7 +333,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -348,7 +348,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -366,7 +366,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -385,7 +385,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -403,7 +403,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -422,9 +422,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -442,13 +442,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -466,13 +466,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -487,14 +487,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -509,15 +509,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -532,17 +532,17 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml
index 92459aedf..03da26034 100755
--- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-seccomp
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
index 4e3793ff4..e850d943b 100644
--- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
@@ -13,7 +13,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -26,7 +26,7 @@ spec:
value: "1000-2000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -41,7 +41,7 @@ spec:
value: "0"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -56,7 +56,7 @@ spec:
value: "5000-6000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -65,7 +65,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_next_id
@@ -78,7 +78,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
index 1811c89d4..389f1f79a 100644
--- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
@@ -13,7 +13,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -35,7 +35,7 @@ spec:
value: "1000-2000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -44,7 +44,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -53,7 +53,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
@@ -66,7 +66,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
@@ -79,7 +79,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
@@ -92,7 +92,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.tcp_syncookies
@@ -105,7 +105,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
@@ -118,7 +118,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
index 3d1973b78..587c2affb 100644
--- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
@@ -22,7 +22,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -45,7 +45,7 @@ spec:
value: "5000-6000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -63,7 +63,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_next_id
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
@@ -106,7 +106,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_next_id
@@ -125,7 +125,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
index 8446a6028..5280d7259 100644
--- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
@@ -22,7 +22,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -45,7 +45,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -63,7 +63,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -81,7 +81,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
@@ -103,7 +103,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
@@ -125,7 +125,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
@@ -147,7 +147,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.tcp_syncookies
@@ -169,7 +169,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
@@ -191,7 +191,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
@@ -212,7 +212,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -227,7 +227,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
@@ -246,7 +246,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
@@ -265,7 +265,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
@@ -284,7 +284,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.tcp_syncookies
@@ -303,7 +303,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
@@ -322,7 +322,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml
index a7afea7ef..cc9ad507f 100755
--- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-sysctls
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
index 64949f3ca..a52dfab66 100644
--- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -27,9 +27,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -38,9 +38,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -53,13 +53,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -72,10 +72,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -88,14 +88,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -108,12 +108,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -126,16 +126,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -148,20 +148,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -174,7 +174,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -189,7 +189,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -205,13 +205,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -226,7 +226,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -234,7 +234,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -249,7 +249,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -257,7 +257,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -273,7 +273,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -282,7 +282,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -295,7 +295,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -305,7 +305,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -318,13 +318,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -333,7 +333,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -346,7 +346,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -354,7 +354,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -363,7 +363,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -376,7 +376,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -384,7 +384,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -394,7 +394,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
index 4475cfe63..70eb6daf5 100644
--- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -32,13 +32,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -51,14 +51,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -71,7 +71,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -79,7 +79,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -92,20 +92,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -118,7 +118,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -133,13 +133,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -154,7 +154,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -162,7 +162,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -177,14 +177,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -197,7 +197,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -206,7 +206,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -219,20 +219,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -245,13 +245,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -260,7 +260,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -273,7 +273,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -281,7 +281,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -290,7 +290,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
index afca656f9..f3d52b08b 100644
--- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -54,9 +54,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -74,9 +74,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -98,13 +98,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -126,10 +126,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -151,14 +151,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -180,12 +180,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -207,16 +207,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -238,20 +238,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -270,7 +270,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -285,7 +285,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -304,9 +304,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -321,9 +321,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -342,13 +342,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -367,10 +367,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -389,14 +389,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -415,12 +415,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -439,16 +439,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -467,20 +467,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -502,7 +502,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -526,7 +526,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -551,13 +551,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -581,7 +581,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -589,7 +589,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -613,7 +613,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -621,7 +621,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -646,7 +646,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -655,7 +655,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -677,7 +677,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -687,7 +687,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -709,13 +709,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -724,7 +724,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -746,7 +746,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -754,7 +754,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -763,7 +763,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -785,7 +785,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -793,7 +793,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -803,7 +803,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -822,7 +822,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -843,7 +843,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -865,13 +865,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -892,7 +892,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -900,7 +900,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -921,7 +921,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -929,7 +929,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -951,7 +951,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -960,7 +960,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -979,7 +979,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -989,7 +989,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1008,13 +1008,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1023,7 +1023,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1042,7 +1042,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1050,7 +1050,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1059,7 +1059,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1078,7 +1078,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1086,7 +1086,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1096,7 +1096,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
index 89131915e..1968566d9 100644
--- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -59,13 +59,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -87,14 +87,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -116,7 +116,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -124,7 +124,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -146,20 +146,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -178,7 +178,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -197,7 +197,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -217,13 +217,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -242,14 +242,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -268,7 +268,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -276,7 +276,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -295,20 +295,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -330,7 +330,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -354,13 +354,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -384,7 +384,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -392,7 +392,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -416,14 +416,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -445,7 +445,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -454,7 +454,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -476,20 +476,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -511,13 +511,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -526,7 +526,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -548,7 +548,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -556,7 +556,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -565,7 +565,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -584,7 +584,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -603,7 +603,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -624,13 +624,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -651,7 +651,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -659,7 +659,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -680,7 +680,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -689,7 +689,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -708,20 +708,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -740,13 +740,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -755,7 +755,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -774,7 +774,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -782,7 +782,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -791,7 +791,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml
index a7bd6b8fa..02a811690 100755
--- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-capabilities-strict
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
index 28ce245f0..e3c44d598 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
---
@@ -25,9 +25,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -38,11 +38,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -53,10 +53,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -67,14 +67,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
index 7f7a8fe64..e184edd4f 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -16,11 +16,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -31,12 +31,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -47,16 +47,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -67,20 +67,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
index 34577c35b..d6bd83a50 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
---
@@ -52,9 +52,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -74,11 +74,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -98,10 +98,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -121,14 +121,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -145,7 +145,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -160,7 +160,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
---
@@ -177,9 +177,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -196,11 +196,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -217,10 +217,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -237,14 +237,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
index b1a20f561..1e3709b54 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -34,11 +34,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -58,12 +58,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -83,16 +83,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -112,20 +112,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -142,7 +142,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -159,11 +159,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -180,12 +180,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -202,16 +202,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -228,19 +228,19 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml
index 30a5747c2..b8dc40c39 100755
--- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-privilege-escalation
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
index 2985acbe3..f7446b3cf 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
-digest: 6c249b689ee08cc1edcbacf7a00a35cab98d5b1b2bf3fc7ebd8a0dd1e27bb2c1
-createdAt: "2023-12-04T09:04:49Z"
+digest: 3d361694af595b4070d5ad6ef8e65f893069209a29b7b23d026ea685393e96b5
+createdAt: "2024-08-30T09:04:49Z"
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
index 5fc1229ae..db6c6ffce 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -28,30 +28,16 @@ spec:
- UPDATE
validate:
cel:
+ variables:
+ - name: allContainers
+ expression: >-
+ object.spec.containers +
+ object.spec.?initContainers.orValue([]) +
+ object.spec.?ephemeralContainers.orValue([])
expressions:
- expression: >-
- object.spec.containers.all(container, has(container.securityContext) &&
- has(container.securityContext.allowPrivilegeEscalation) &&
- container.securityContext.allowPrivilegeEscalation == false)
+ variables.allContainers.all(container,
+ container.?securityContext.?allowPrivilegeEscalation.orValue(false) == false)
message: >-
- Privilege escalation is disallowed. The field
- spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
-
- - expression: >-
- !has(object.spec.initContainers) ||
- object.spec.initContainers.all(container, has(container.securityContext) &&
- has(container.securityContext.allowPrivilegeEscalation) &&
- container.securityContext.allowPrivilegeEscalation == false)
- message: >-
- Privilege escalation is disallowed. The field
- spec.initContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
-
- - expression: >-
- !has(object.spec.ephemeralContainers) ||
- object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
- has(container.securityContext.allowPrivilegeEscalation) &&
- container.securityContext.allowPrivilegeEscalation == false)
- message: >-
- Privilege escalation is disallowed. The field
- spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
-
\ No newline at end of file
+ Privilege escalation is disallowed.
+ All containers must set the securityContext.allowPrivilegeEscalation field to `false`.
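Review bot: The `.orValue(false)` default in the new expression lets a container that omits `securityContext` or `allowPrivilegeEscalation` pass the check, whereas the removed expressions required the field to be present and `false` through their `has(...)` guards. That contradicts the new message, which says all containers must set the field to `false`. It also appears to admit the first Pod in this suite's pod-bad.yaml, whose container01 has no securityContext. Defaulting the missing value to the failing side keeps the old fail-closed behaviour: `container.?securityContext.?allowPrivilegeEscalation.orValue(true) == false`. The rule's match section and the start of `validate` lie outside the hunk, so this rests on the visible lines only.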
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml
index 91b114870..4cdcafbbd 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -27,9 +27,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -40,10 +40,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -54,12 +54,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -68,12 +68,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml
index 3a3336909..66421b648 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -36,9 +36,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -49,11 +49,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
---
@@ -64,11 +64,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
securityContext:
@@ -81,10 +81,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -93,12 +93,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -107,10 +107,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -121,12 +121,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml
index 441a23f49..75459b442 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -54,9 +54,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -76,10 +76,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -99,12 +99,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -122,14 +122,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -144,7 +144,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -161,7 +161,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -178,9 +178,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -197,10 +197,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -217,12 +217,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -237,12 +237,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml
index d8115b64b..083e569d7 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -52,7 +52,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -72,9 +72,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -94,11 +94,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
---
@@ -118,11 +118,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
securityContext:
@@ -144,10 +144,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -165,12 +165,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -188,10 +188,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -211,14 +211,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -233,7 +233,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -248,7 +248,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -265,7 +265,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -282,9 +282,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -301,11 +301,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
---
@@ -322,11 +322,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
securityContext:
@@ -345,10 +345,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -363,12 +363,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -383,10 +383,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -403,11 +403,11 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml
index 3a15a8755..6a5138508 100755
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-run-as-non-root-user
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
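Review bot: The added `conditions:` block asserts the list as written and also pins `reason: Succeeded`. If the assertion engine compares plain lists element by element (Chainsaw's behaviour as far as I can tell; worth confirming), any extra condition on the ClusterPolicy status would fail this check even though the policy is Ready. Consider selecting the condition by type instead, `(conditions[?type == 'Ready']):` with a single `- status: "True"` entry, and dropping `reason` unless the test is meant to pin it. The trailing empty `+` line at the end of the file can also go. The same applies to the `require-run-as-nonroot` policy-ready.yaml hunk later in this commit.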
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml
index 8af6f9567..dc7e2e6d4 100644
--- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -36,7 +36,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -49,9 +49,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -60,9 +60,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -73,9 +73,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -86,9 +86,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -101,11 +101,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -118,12 +118,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -134,10 +134,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -150,12 +150,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -168,12 +168,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -184,14 +184,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -202,12 +202,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -218,7 +218,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml
index 6a08ba318..20d08d820 100644
--- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -27,7 +27,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -40,9 +40,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -53,9 +53,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -68,10 +68,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -82,12 +82,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -98,12 +98,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -114,14 +114,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -132,16 +132,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml
index 50368df71..64dcc37c2 100644
--- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -52,7 +52,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -72,7 +72,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -94,9 +94,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -114,9 +114,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -136,9 +136,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -158,9 +158,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -182,11 +182,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -208,12 +208,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -233,10 +233,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -258,12 +258,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -285,12 +285,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -310,14 +310,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -337,12 +337,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -359,7 +359,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -374,7 +374,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -391,7 +391,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -408,7 +408,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -427,9 +427,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -444,9 +444,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -463,9 +463,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -482,9 +482,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -503,11 +503,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -526,12 +526,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -548,10 +548,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -570,12 +570,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -594,12 +594,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -616,14 +616,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -640,12 +640,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml
index 3216a4fed..2320e7563 100644
--- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -54,7 +54,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -76,9 +76,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -98,9 +98,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -122,10 +122,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -145,12 +145,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -170,12 +170,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -195,14 +195,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -222,16 +222,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -248,7 +248,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -265,7 +265,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -282,7 +282,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -301,9 +301,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -320,9 +320,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -341,10 +341,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -361,12 +361,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -383,12 +383,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -405,14 +405,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -429,15 +429,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
index d97abc312..ce7c2fd4e 100755
--- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-run-as-nonroot
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml
index 8f541571f..f9a801b7c 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -17,7 +17,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -29,9 +29,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -43,12 +43,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -60,13 +60,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -75,15 +75,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -92,16 +92,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml
index 0a9275016..d35109aeb 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -17,7 +17,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
localhostProfile: operator/default/profile1.json
@@ -30,7 +30,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -42,7 +42,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -55,9 +55,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -73,12 +73,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -91,13 +91,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -109,14 +109,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -128,15 +128,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -148,19 +148,19 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml
index b7f7162c8..e11928730 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -56,9 +56,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -79,12 +79,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -105,13 +105,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -129,15 +129,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -155,18 +155,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -181,7 +181,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -199,7 +199,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -217,9 +217,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -237,12 +237,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -260,13 +260,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -281,15 +281,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -304,16 +304,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml
index 555c0abca..cfac47fb3 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
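Review bot: The new `image: ghcr.io/kyverno/test-busybox:1.35` on container01 still names the image by a mutable tag, and the same substitution is repeated in every fixture hunk of this commit. These good-path workloads are presumably admitted and scheduled, so the test cluster would pull whatever that tag resolves to at run time. Pinning the digest, e.g. `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest of the mirrored image>`, would keep the fixture reproducible and make a changed mirror image visible in review. The Deployment this hunk belongs to starts and ends outside the hunk.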
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -57,7 +57,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -78,7 +78,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -100,9 +100,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -127,12 +127,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -154,13 +154,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -181,14 +181,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -209,15 +209,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -238,19 +238,19 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -268,7 +268,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -286,7 +286,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -305,7 +305,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -323,7 +323,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -342,9 +342,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -366,12 +366,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -390,13 +390,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -414,14 +414,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -439,15 +439,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -465,19 +465,19 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml
index db4a4dc3a..cdb6f45bc 100755
--- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-seccomp-strict
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
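Review bot: The added `conditions:` list is written as a literal one-element array, which may tie this readiness assertion to the exact number of conditions the policy reports. The same pattern appears in the restrict-volume-types policy-ready.yaml and disallow-capabilities chainsaw-step-01-assert-1.yaml hunks. If Chainsaw compares lists element by element, as I believe its assertion trees do, a policy that later reports a second condition would fail this gate even though it is Ready. Selecting the entry by type avoids that: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The trailing empty `+` line at the end of the hunk can also be dropped.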
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
index c8b3f40fa..a7a90ba35 100644
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -39,7 +39,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -55,7 +55,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -72,7 +72,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -90,7 +90,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -107,7 +107,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -125,7 +125,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -141,7 +141,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -157,7 +157,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -174,7 +174,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -190,7 +190,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -207,7 +207,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -224,7 +224,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -240,7 +240,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -257,7 +257,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -275,7 +275,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -291,7 +291,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -312,7 +312,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -328,7 +328,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
index 4ea15fd1d..7446083e8 100644
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -29,7 +29,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: mysettings
mountPath: /settings
@@ -45,7 +45,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: warehouse
mountPath: /warehouse
@@ -65,7 +65,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: labels
mountPath: /labels
@@ -84,7 +84,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: ephem
mountPath: /ephem
@@ -109,7 +109,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: foo
mountPath: /foo
@@ -126,7 +126,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: vault-token
@@ -146,7 +146,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /mysecret
name: mysecret
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
index bbbe09c60..e4468a88b 100644
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
@@ -11,7 +11,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -34,7 +34,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -57,7 +57,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -79,7 +79,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -102,7 +102,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -126,7 +126,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -149,7 +149,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -173,7 +173,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -195,7 +195,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -217,7 +217,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -240,7 +240,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -262,7 +262,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -285,7 +285,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -308,7 +308,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -330,7 +330,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -353,7 +353,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -377,7 +377,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -399,7 +399,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -426,7 +426,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -448,7 +448,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
index 26c344b15..a49214521 100644
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -57,7 +57,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: labels
mountPath: /labels
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: ephem
mountPath: /ephem
@@ -119,7 +119,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: foo
mountPath: /foo
@@ -145,7 +145,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: vault-token
@@ -171,7 +171,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -186,7 +186,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -207,7 +207,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: mysettings
mountPath: /settings
@@ -229,7 +229,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: warehouse
mountPath: /warehouse
@@ -256,7 +256,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: labels
mountPath: /labels
@@ -281,7 +281,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: ephem
mountPath: /ephem
@@ -312,7 +312,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: foo
mountPath: /foo
@@ -335,7 +335,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: vault-token
@@ -361,7 +361,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /mysecret
name: mysecret
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml
index 417239b4b..9ced74a13 100755
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-volume-types
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 5c1ca4056..ab17d56d2 100755
--- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-capabilities
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
index 5c7bd5f6b..bbaf3bdc0 100644
--- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -14,12 +14,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -33,7 +33,7 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -41,7 +41,7 @@ spec:
- CHOWN
- MKNOD
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
@@ -49,7 +49,7 @@ spec:
- "ALL"
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "CAP_NET_RAW", "FOWNER"]
@@ -61,7 +61,7 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "CAP_SETPCAP", "SETFCAP", "FOWNER"]
@@ -73,7 +73,7 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["CAP_NET_RAW", "CAP_SYS_ADMIN", "NET_ADMIN"]
@@ -85,7 +85,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -98,7 +98,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -112,13 +112,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -131,14 +131,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -151,16 +151,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -173,14 +173,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
index a0806e7c0..d7dec96bc 100644
--- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -14,12 +14,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -33,7 +33,7 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -41,7 +41,7 @@ spec:
- CHOWN
- MKNOD
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
@@ -49,7 +49,7 @@ spec:
- "ALL"
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -61,7 +61,7 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -73,9 +73,9 @@ metadata:
spec:
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -84,7 +84,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -93,7 +93,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -106,13 +106,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -125,10 +125,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -137,14 +137,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -153,14 +153,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
index fb3fca4d4..9307c1c14 100644
--- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -23,12 +23,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "CAP_NET_RAW", "SETFCAP", "FOWNER"]
@@ -48,7 +48,7 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -57,12 +57,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "CAP_SYS_ADMIN", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -107,7 +107,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -130,13 +130,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -158,14 +158,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -187,16 +187,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -218,14 +218,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -244,7 +244,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -263,7 +263,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -283,13 +283,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -308,14 +308,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -334,16 +334,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -362,14 +362,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
index 431dbcfcb..eb8386d5d 100644
--- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -23,12 +23,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -48,7 +48,7 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -57,12 +57,12 @@ spec:
- MKNOD
containers:
- name: add-capabilities
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"]
- name: add-capabilities-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"]
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -103,7 +103,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -125,13 +125,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -153,10 +153,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -174,14 +174,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -199,14 +199,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -225,7 +225,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -240,7 +240,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -259,13 +259,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -284,10 +284,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -302,14 +302,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -324,14 +324,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- DAC_OVERRIDE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
index 29a7671e8..2641a75d4 100644
--- a/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 424f0a6b33686600c40b6658dd67ebd4eb596e0975b01120ea994168a2e065c8
+digest: a5e328cbdcad170fc3ddbda39c98da9f916642bba25a058f91fe56fb98dc6457
diff --git a/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml b/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
index 857a4db84..3dd486ef4 100644
--- a/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
+++ b/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
Adding capabilities beyond those listed in the policy must be disallowed.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: adding-capabilities
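Review bot: `validationFailureAction: Audit` carries no comment saying that in this mode a Pod adding capabilities outside the allowed list is still admitted and only reported, which is easy to miss on a policy named disallow-*. I would add a comment above the line, `# Audit reports violations without blocking; set to Enforce to reject non-compliant Pods`. The same applies to the identical line in disallow-host-namespaces.yaml and disallow-host-path.yaml later in this change. The spec block continues outside the hunk.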
diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 728930b26..8e1525f8e 100755
--- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-namespaces
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
index 7fba934b0..76850d7f6 100644
--- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
@@ -8,7 +8,7 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -18,9 +18,9 @@ spec:
hostIPC: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -30,9 +30,9 @@ spec:
hostNetwork: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -44,9 +44,9 @@ spec:
hostNetwork: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -56,7 +56,7 @@ spec:
hostPID: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -66,7 +66,7 @@ spec:
hostIPC: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -76,7 +76,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -88,5 +88,5 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
index e2cf4a39b..c6471fc77 100644
--- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
@@ -5,9 +5,9 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -17,7 +17,7 @@ spec:
hostPID: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -27,9 +27,9 @@ spec:
hostIPC: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -39,9 +39,9 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -53,9 +53,9 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -64,7 +64,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -74,7 +74,7 @@ spec:
hostPID: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -84,7 +84,7 @@ spec:
hostIPC: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -94,7 +94,7 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -106,5 +106,5 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
index 803e15585..61fd6af18 100644
--- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
@@ -17,9 +17,9 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,9 +36,9 @@ spec:
hostIPC: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -57,7 +57,7 @@ spec:
hostPID: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -76,7 +76,7 @@ spec:
hostIPC: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -95,7 +95,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -116,7 +116,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -132,7 +132,7 @@ spec:
hostPID: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -148,7 +148,7 @@ spec:
hostIPC: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -164,7 +164,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -182,5 +182,5 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
index a6bd5b852..07581653c 100644
--- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
@@ -17,9 +17,9 @@ spec:
hostNetwork: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,9 +36,9 @@ spec:
hostIPC: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -56,7 +56,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -75,7 +75,7 @@ spec:
hostPID: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -94,7 +94,7 @@ spec:
hostIPC: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -113,7 +113,7 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -134,7 +134,7 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -149,7 +149,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -165,7 +165,7 @@ spec:
hostPID: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -181,7 +181,7 @@ spec:
hostIPC: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -197,7 +197,7 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -215,4 +215,4 @@ spec:
hostNetwork: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/pod-security/baseline/disallow-host-namespaces/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-namespaces/artifacthub-pkg.yml
index 1d4ad81fb..e905e9823 100644
--- a/pod-security/baseline/disallow-host-namespaces/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-host-namespaces/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 1d351ee3d7246a2802529dab37854d12c82c5da2f925c0938316a5c1de576fec
+digest: 59eba864baeede16f51173a304f052af1aaa6f7e2c87c53c36b4235b58aebd99
diff --git a/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
index 27eae3a63..cd501d769 100644
--- a/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
@@ -15,7 +15,7 @@ metadata:
privileges. Pods should not be allowed access to host namespaces. This policy ensures
fields which make use of these host namespaces are unset or set to `false`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: host-namespaces
diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 5bc41e9b1..2093a5bc4 100755
--- a/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-path
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
index 4259a9f1a..ada442cc5 100644
--- a/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -39,7 +39,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: foo
hostPath:
@@ -52,7 +52,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -68,7 +68,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
index 5194f478f..76c5baa0c 100644
--- a/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -21,7 +21,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -41,7 +41,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -50,7 +50,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -59,7 +59,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: temp
mountPath: /scratch
diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
index c7962a93e..ab34a002a 100644
--- a/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -39,7 +39,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: bar
hostPath:
@@ -66,7 +66,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -91,7 +91,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -117,7 +117,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -139,7 +139,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
index 3e464bbbd..e57aa7df5 100644
--- a/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -42,7 +42,7 @@ spec:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumes:
- name: empty
emptyDir:
@@ -72,7 +72,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -90,7 +90,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: temp
mountPath: /scratch
@@ -111,7 +111,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -126,7 +126,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: temp
mountPath: /scratch
diff --git a/pod-security/baseline/disallow-host-path/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-path/artifacthub-pkg.yml
index 3ce9e79a5..742e8bcff 100644
--- a/pod-security/baseline/disallow-host-path/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-host-path/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod,Volume"
-digest: 1f463bdd7f64c70aa68071db30a6cb1b4843b62c46acf55df6ef47c5edbc9257
+digest: f062fed727b0eb8f3a829d1f22e5a7d288cedc7ea7ed69c7d3b69c935b4f3318
diff --git a/pod-security/baseline/disallow-host-path/disallow-host-path.yaml b/pod-security/baseline/disallow-host-path/disallow-host-path.yaml
index 90181aab3..5e4591c8a 100644
--- a/pod-security/baseline/disallow-host-path/disallow-host-path.yaml
+++ b/pod-security/baseline/disallow-host-path/disallow-host-path.yaml
@@ -14,7 +14,7 @@ metadata:
Using host resources can be used to access shared data or escalate privileges
and should not be allowed. This policy ensures no hostPath volumes are in use.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: host-path
diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f4e6012b3..68c1e2e62 100755
--- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-ports-range
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
index 7103ed4af..ab8ca032b 100644
--- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
@@ -5,15 +5,15 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 1234
hostPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8099
- hostPort: 8090
@@ -26,16 +26,16 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
hostPort: 8090
@@ -48,7 +48,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
hostPort: 8090
@@ -60,7 +60,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -73,7 +73,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -90,9 +90,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -109,13 +109,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -129,13 +129,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -149,10 +149,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -165,14 +165,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -185,16 +185,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -207,20 +207,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -233,12 +233,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
hostPort: 53
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml
index 7b1dc0f58..00ce9cfd7 100644
--- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -23,17 +23,17 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 5431
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- containerPort: 8088
@@ -46,7 +46,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -55,7 +55,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 5000
@@ -67,7 +67,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -76,7 +76,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -90,7 +90,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -106,9 +106,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -117,9 +117,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -133,12 +133,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -152,10 +152,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -164,14 +164,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -180,14 +180,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -199,16 +199,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -220,7 +220,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml
index a8fbc8500..762a7bffc 100644
--- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml
@@ -14,15 +14,15 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
hostPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -39,14 +39,14 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 8080
@@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -89,7 +89,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -115,9 +115,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -143,13 +143,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -172,13 +172,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -201,10 +201,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -226,14 +226,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -255,16 +255,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -286,20 +286,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -321,14 +321,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -343,7 +343,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -362,7 +362,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -385,9 +385,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -410,13 +410,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -436,13 +436,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -462,10 +462,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -484,14 +484,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -510,16 +510,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -538,20 +538,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -570,12 +570,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
hostPort: 53
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml
index eeceb5d4c..78e52435e 100644
--- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 5432
@@ -39,15 +39,15 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 9808
hostPort: 6000
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -108,7 +108,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -133,9 +133,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -153,9 +153,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -178,13 +178,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -206,10 +206,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -227,14 +227,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -252,14 +252,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -280,16 +280,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -310,7 +310,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -330,7 +330,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -345,7 +345,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -365,7 +365,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -387,9 +387,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -404,9 +404,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -426,13 +426,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -451,10 +451,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -469,14 +469,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -491,14 +491,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -516,16 +516,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
hostPort: 5555
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
diff --git a/pod-security/baseline/disallow-host-ports-range/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-ports-range/artifacthub-pkg.yml
index 27b112f41..3835a04dd 100644
--- a/pod-security/baseline/disallow-host-ports-range/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-host-ports-range/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: e590b0680f5a8484fb8c775f51c817d77103716e6740476eb620d34431c3bea4
+digest: 288fc86ed4f1a254c7ad3cc01dd9ab2302fd34015acf543a052cbbc306370aea
diff --git a/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
index b8711bcce..ce117117d 100644
--- a/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
+++ b/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml
@@ -17,7 +17,7 @@ metadata:
or to a value of zero. This policy is mutually exclusive of the disallow-host-ports policy.
Note that Kubernetes Pod Security Admission does not support the host port range rule.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: host-port-range
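Review bot: `validationFailureAction: Audit` keeps this policy in report-only mode, and the visible description text does not say so: Pods using host ports outside the allowed range are still admitted and only appear in policy reports. A comment above the field, `# Audit only reports violations; set to Enforce to reject non-compliant Pods`, would make that explicit for anyone installing the policy as shipped. The casing change itself looks like normalisation of the enum value. The `host-port-range` rule body continues outside the hunk.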
diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 7630931c6..46cf00260 100755
--- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-ports
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
index 482abd63e..d954d8705 100644
--- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- hostPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8099
- hostPort: 8090
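Review bot: The violating port entries in this Pod (`- hostPort: 8090` under `init` and the second entry under `busybox-again`) set no `containerPort`, so the negative test may not exercise the policy. These are context lines the commit leaves untouched. Because `containerPort` is a required field, the API server's own validation is likely to reject the Pod whether or not the policy matches, so the case could pass even if the rule stopped working. Writing the entries as `- containerPort: 8090` followed by `hostPort: 8090` would make the policy the only reason for rejection. The first hunk of `disallow-host-ports-range/.chainsaw-test/pod-bad.yaml` has the same pattern under `busybox-again`. The Pod definition starts outside the hunk.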
@@ -25,16 +25,16 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
hostPort: 8090
@@ -48,7 +48,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
hostPort: 8090
@@ -60,7 +60,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -73,7 +73,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -90,9 +90,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -109,13 +109,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -129,13 +129,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -149,10 +149,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -165,14 +165,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -185,16 +185,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -207,20 +207,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -233,12 +233,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
hostPort: 53
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml
index 49c331fd9..bd28f17d9 100644
--- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml
@@ -5,14 +5,14 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -23,17 +23,17 @@ metadata:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- name: init-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
- containerPort: 8088
@@ -46,7 +46,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -55,7 +55,7 @@ metadata:
spec:
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 0
@@ -67,7 +67,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -76,7 +76,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -89,7 +89,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -104,9 +104,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -115,9 +115,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -130,12 +130,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -148,10 +148,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -160,13 +160,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -175,13 +175,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -193,15 +193,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml
index 087ef9bc5..eca7e8b75 100644
--- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml
@@ -14,15 +14,15 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
hostPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -39,14 +39,14 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 8080
@@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -89,7 +89,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -115,9 +115,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -143,13 +143,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -172,13 +172,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -201,10 +201,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -226,14 +226,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -255,16 +255,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -286,20 +286,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -321,14 +321,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -343,7 +343,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -362,7 +362,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -385,9 +385,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -410,13 +410,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -436,13 +436,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-secure
containerPort: 4443
hostPort: 443
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -462,10 +462,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -484,14 +484,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -510,16 +510,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -538,20 +538,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web
containerPort: 4443
hostPort: 443
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
protocol: TCP
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
@@ -570,12 +570,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: dns
containerPort: 5553
hostPort: 53
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
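Review bot: The file still ends on a bare `---` separator with no final newline, even though this hunk rewrites the lines directly above it. The trailing separator opens an empty document that some YAML consumers load as a null entry, and yamllint's `new-line-at-end-of-file` rule flags the missing newline. Dropping the last `---` and ending the file with a newline after the final `image: ghcr.io/kyverno/test-busybox:1.35` would tidy this up while the lines are being edited anyway.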
diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
index b8cd1dda4..97c5643aa 100644
--- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
@@ -14,14 +14,14 @@ spec:
spec:
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8090
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8088
hostPort: 0
@@ -39,15 +39,15 @@ spec:
restartPolicy: Never
initContainers:
- name: init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 9808
hostPort: 0
containers:
- name: busybox
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-again
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- containerPort: 8080
---
@@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -107,7 +107,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -131,9 +131,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -151,9 +151,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -175,12 +175,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -202,10 +202,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -223,13 +223,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -247,13 +247,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -274,15 +274,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -300,7 +300,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -315,7 +315,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -334,7 +334,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -355,9 +355,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -372,9 +372,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -393,12 +393,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: admin
containerPort: 8000
@@ -417,10 +417,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -435,13 +435,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -456,13 +456,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -480,15 +480,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
diff --git a/pod-security/baseline/disallow-host-ports/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-ports/artifacthub-pkg.yml
index b7e2500be..7e7b74969 100644
--- a/pod-security/baseline/disallow-host-ports/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-host-ports/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: f1f94bb74ca482b363777c421c196f325ef4db85b608d3df7f37ec6a29acb8f2
+digest: dafa02270c9b3d557fe234ccdd2cbb9368615fc7d086bc0bfb4ce70f55239aa4
diff --git a/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml
index 7bc0e8aea..c7c4ce292 100644
--- a/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml
+++ b/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml
@@ -14,7 +14,7 @@ metadata:
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
field is unset or set to `0`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: host-ports-none
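Review bot: `validationFailureAction: Audit` leaves this baseline policy report-only, so a Pod with a non-zero `hostPort` is still admitted, and nothing next to the field says so. A comment above it would help anyone copying the policy, for example `# Audit only records violations in policy reports; set to Enforce to reject Pods that set hostPort`. Newer Kyverno releases appear to move this setting to the rule level as `validate.failureAction`, so it is worth confirming which form the supported versions expect. The same applies to the identical change in disallow-host-process.yaml. The `rules` list continues below the hunk.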
diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index ddce453da..24ff7dd20 100755
--- a/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-host-process
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
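Review bot: The added block ends with an empty `+` line, so the file now finishes on a blank line after `type: Ready`. yamllint's default `empty-lines` setting flags this, and the line can simply be dropped. Separately, the assertion pins `reason: Succeeded` as well as the type and status. If the step only needs to know that the policy is ready before the pod fixtures are applied, `type: Ready` with `status: "True"` would be less tied to the controller's wording, though that is worth confirming against how the other steps use it. Both points also apply to the matching hunk in disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml.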
diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
index d6e00d2ed..e5ebd1526 100644
--- a/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
@@ -5,18 +5,18 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -37,12 +37,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -52,7 +52,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -65,12 +65,12 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -83,13 +83,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -102,18 +102,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -126,18 +126,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml
index 8f225cfd5..9a14517e9 100644
--- a/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml
@@ -5,18 +5,18 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -37,12 +37,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -51,7 +51,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -61,7 +61,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -71,7 +71,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -84,9 +84,9 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -99,10 +99,10 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -112,13 +112,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -128,15 +128,15 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml
index fd8c0d6f6..2b9838389 100644
--- a/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml
@@ -14,18 +14,18 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -40,15 +40,15 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -70,7 +70,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -92,12 +92,12 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -119,13 +119,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -147,18 +147,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -180,18 +180,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -210,7 +210,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -229,12 +229,12 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -253,13 +253,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -278,18 +278,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -308,18 +308,18 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml
index be6c2f1d3..24add416f 100644
--- a/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml
@@ -14,18 +14,18 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -40,15 +40,15 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -70,7 +70,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -89,7 +89,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -111,9 +111,9 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -135,10 +135,10 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -157,13 +157,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -182,15 +182,15 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -209,7 +209,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -225,7 +225,7 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -244,9 +244,9 @@ spec:
hostNetwork: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
@@ -265,10 +265,10 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -284,13 +284,13 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -306,15 +306,15 @@ spec:
hostNetwork: true
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: false
diff --git a/pod-security/baseline/disallow-host-process/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-process/artifacthub-pkg.yml
index 1012702bd..dae9448df 100644
--- a/pod-security/baseline/disallow-host-process/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-host-process/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: a3a0e51e3919e03dcbeb5235aa59b5b9649519765de17a3087a29e302626fac9
+digest: d2a564ae812b3416bdcac56fccbc9ccb9159eb575067593073ad9843b5cc9c55
diff --git a/pod-security/baseline/disallow-host-process/disallow-host-process.yaml b/pod-security/baseline/disallow-host-process/disallow-host-process.yaml
index 2c79a6282..c43b8fdc2 100644
--- a/pod-security/baseline/disallow-host-process/disallow-host-process.yaml
+++ b/pod-security/baseline/disallow-host-process/disallow-host-process.yaml
@@ -15,7 +15,7 @@ metadata:
policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
the `hostProcess` field, if present, is set to `false`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: host-process-containers
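Review bot: The `validationFailureAction: Audit` line has no comment saying that the policy only reports violations, while the description just above it says the policy "ensures" `hostProcess` is `false`. In Audit mode a non-compliant Pod is still admitted and only recorded in a policy report, so someone applying the manifest unchanged gets no blocking. I would add a comment above the field, `# Audit only reports violations; set to Enforce to reject non-compliant Pods`. The same applies to the matching hunks in disallow-privileged-containers.yaml, whose description says privileged mode "must not be allowed", and in disallow-proc-mount.yaml. The `rules:` list continues outside this hunk.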
diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index cc13a32d2..deead22e1 100755
--- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-privileged-containers
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
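Review bot: The new `conditions:` assertion matches the whole `status.conditions` list rather than the Ready entry, so it presumably holds only while the ClusterPolicy reports exactly one condition. As far as I know Chainsaw compares lists element by element, so this is worth confirming; a second condition added by a later Kyverno release would then fail this step for a reason unrelated to readiness. Selecting the entry by type is sturdier: use `(conditions[?type == 'Ready']):` as the key and keep `reason: Succeeded` and `status: "True"` beneath it. The same applies to policy-ready.yaml for disallow-proc-mount and chainsaw-step-01-assert-1.yaml for disallow-selinux.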
diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml
index f1d439769..91bb7660f 100644
--- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml
@@ -5,16 +5,16 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -23,7 +23,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -34,11 +34,11 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -49,11 +49,11 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -64,7 +64,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -75,9 +75,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -88,12 +88,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -102,14 +102,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -118,14 +118,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml
index 5000dcc54..85d1e5a64 100644
--- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml
@@ -5,16 +5,16 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -23,7 +23,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -34,11 +34,11 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -49,7 +49,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -58,7 +58,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -67,7 +67,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -78,9 +78,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -91,10 +91,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -103,12 +103,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -117,14 +117,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
index e7d597df7..c53985938 100644
--- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
@@ -14,16 +14,16 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -38,14 +38,14 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -65,7 +65,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -85,9 +85,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -107,12 +107,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -130,14 +130,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -155,14 +155,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -179,7 +179,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -196,9 +196,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
@@ -215,12 +215,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -235,14 +235,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -257,14 +257,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
index b02400703..eb3103ad1 100644
--- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
@@ -14,16 +14,16 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -38,14 +38,14 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -65,7 +65,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -83,7 +83,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -103,9 +103,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -125,10 +125,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -146,12 +146,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -169,14 +169,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -193,7 +193,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -208,7 +208,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -225,9 +225,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
---
@@ -244,10 +244,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -262,12 +262,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -282,13 +282,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
diff --git a/pod-security/baseline/disallow-privileged-containers/artifacthub-pkg.yml b/pod-security/baseline/disallow-privileged-containers/artifacthub-pkg.yml
index e6725cb78..e8b320d85 100644
--- a/pod-security/baseline/disallow-privileged-containers/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-privileged-containers/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 3bfa868c53de9913fa1798a4685a7df0b1715718f60c92bb822bfcca1dc17e02
+digest: 31d595cab8979474bfbb853fb0f1c67a98bbfff08dda6ec0ef71158cea09ba8d
diff --git a/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
index a121a45a3..1f8534e76 100644
--- a/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
+++ b/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
@@ -13,7 +13,7 @@ metadata:
Privileged mode disables most security mechanisms and must not be allowed. This policy
ensures Pods do not call for privileged mode.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: privileged-containers
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
index 87ef3bbcb..9fafc59be 100755
--- a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-proc-mount
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/disallow-proc-mount/artifacthub-pkg.yml b/pod-security/baseline/disallow-proc-mount/artifacthub-pkg.yml
index 3c1f68f2f..7263f7285 100644
--- a/pod-security/baseline/disallow-proc-mount/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-proc-mount/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: ce3647a9f835eb5da49ae65ccc4976010b8f7fd3cba7b0ac66b05a6cf8fac3fb
+digest: 554523e9edb577257fb875d958ebbf3c4d6ede3e85306350173d593d1300bcb4
diff --git a/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml
index aeb74f072..443513ce7 100644
--- a/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml
+++ b/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml
@@ -15,7 +15,7 @@ metadata:
to deviate from the `Default` procMount requires setting a feature gate at the API
server.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-proc-mount
diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1971822e2..a4b562256 100755
--- a/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-selinux
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
index 9126416e3..fd37b5981 100644
--- a/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
@@ -5,18 +5,18 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -32,12 +32,12 @@ spec:
role: "foo"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -52,7 +52,7 @@ spec:
type: container_engine_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -61,12 +61,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -78,14 +78,14 @@ metadata:
spec:
initContainers:
- name: busybox-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: "1000"
role: "foo"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -97,12 +97,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: "1000"
@@ -116,7 +116,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -128,7 +128,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -140,9 +140,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -154,12 +154,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -171,13 +171,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -186,15 +186,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -203,18 +203,18 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -223,7 +223,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -235,7 +235,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -247,7 +247,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -260,7 +260,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -272,7 +272,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -284,7 +284,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -297,9 +297,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -311,9 +311,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -325,9 +325,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -340,12 +340,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: unconfined_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -357,13 +357,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -372,13 +372,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -387,14 +387,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -403,15 +403,15 @@ metadata:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -420,15 +420,15 @@ metadata:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -437,16 +437,16 @@ metadata:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -455,16 +455,16 @@ metadata:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
index f372cfc59..286d078b7 100644
--- a/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
@@ -5,18 +5,18 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -28,12 +28,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -48,7 +48,7 @@ spec:
type: container_init_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -57,7 +57,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -66,7 +66,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -75,7 +75,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -87,7 +87,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -99,7 +99,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -111,7 +111,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -123,7 +123,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -135,7 +135,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -147,9 +147,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -161,12 +161,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -178,13 +178,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -193,13 +193,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -208,13 +208,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -223,15 +223,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -240,18 +240,18 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -260,7 +260,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -269,7 +269,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -281,7 +281,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -293,7 +293,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -306,9 +306,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -320,12 +320,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -337,10 +337,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -349,13 +349,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -364,14 +364,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -380,15 +380,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -397,16 +397,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
index 897ffc294..37ef091a3 100644
--- a/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
@@ -14,18 +14,18 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -46,20 +46,20 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: "1000"
role: "foo"
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -77,18 +77,18 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -106,18 +106,18 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: "1000"
@@ -140,7 +140,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -161,7 +161,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -182,9 +182,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -205,12 +205,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -231,13 +231,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -255,15 +255,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -281,18 +281,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -307,7 +307,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -325,7 +325,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -343,9 +343,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -363,12 +363,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
@@ -386,13 +386,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -407,15 +407,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -430,18 +430,18 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: spc_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -459,7 +459,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -480,7 +480,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -501,7 +501,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -523,7 +523,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -544,7 +544,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -565,7 +565,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -587,9 +587,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -610,9 +610,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -633,9 +633,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -657,12 +657,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: unconfined_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -683,13 +683,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -707,13 +707,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -731,14 +731,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -756,15 +756,15 @@ spec:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -782,15 +782,15 @@ spec:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -808,16 +808,16 @@ spec:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -835,18 +835,18 @@ spec:
spec:
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -861,7 +861,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -879,7 +879,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -897,7 +897,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -916,7 +916,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -934,7 +934,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -952,7 +952,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -971,9 +971,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -991,9 +991,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
@@ -1011,9 +1011,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -1032,12 +1032,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: unconfined_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -1055,13 +1055,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1076,13 +1076,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1097,14 +1097,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1119,15 +1119,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1142,15 +1142,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1165,16 +1165,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
role: sysadm_r
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1189,16 +1189,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
index 630331acb..b3b964adb 100644
--- a/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
@@ -14,18 +14,18 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -43,18 +43,18 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -75,7 +75,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -93,7 +93,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -114,7 +114,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -135,7 +135,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -156,7 +156,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -177,7 +177,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -198,7 +198,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -219,9 +219,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -242,12 +242,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -268,13 +268,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -292,13 +292,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -316,13 +316,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -340,15 +340,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -366,18 +366,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -395,7 +395,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -413,7 +413,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -434,7 +434,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -455,7 +455,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -477,9 +477,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -500,12 +500,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -526,10 +526,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -547,13 +547,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -571,14 +571,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -596,15 +596,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -622,18 +622,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -648,7 +648,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -663,7 +663,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -681,7 +681,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -699,7 +699,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -718,9 +718,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -738,12 +738,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -761,10 +761,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -779,13 +779,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -800,14 +800,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -822,15 +822,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -845,18 +845,18 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -871,7 +871,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -886,7 +886,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -904,7 +904,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -922,7 +922,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -940,7 +940,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
@@ -958,7 +958,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
@@ -976,7 +976,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -994,9 +994,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -1014,12 +1014,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
@@ -1037,13 +1037,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1058,13 +1058,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1079,13 +1079,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_kvm_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1100,15 +1100,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -1123,16 +1123,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_init_t
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_t
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-selinux/artifacthub-pkg.yml b/pod-security/baseline/disallow-selinux/artifacthub-pkg.yml
index bfccd620f..dc12fd55b 100644
--- a/pod-security/baseline/disallow-selinux/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-selinux/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 4d028ef08da7f6dffc6ecfe22eff55e643d57ddc14498142958fb572bf31dfe0
+digest: 1e6920c08280c459e1c16fa0eb1d75304ffbda279b16798a8e68973d47e2cd5e
diff --git a/pod-security/baseline/disallow-selinux/disallow-selinux.yaml b/pod-security/baseline/disallow-selinux/disallow-selinux.yaml
index fa3f19d8d..b43a6f8ef 100644
--- a/pod-security/baseline/disallow-selinux/disallow-selinux.yaml
+++ b/pod-security/baseline/disallow-selinux/disallow-selinux.yaml
@@ -13,7 +13,7 @@ metadata:
SELinux options can be used to escalate privileges and should not be allowed. This policy
ensures that the `seLinuxOptions` field is undefined.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: selinux-type
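Review bot: `validationFailureAction: Audit` carries no comment, although the description just above it says SELinux options "should not be allowed". In Audit mode Kyverno only records violations in policy reports and still admits the Pod. I would add a comment above the field such as `# Audit only reports violations; set to Enforce to reject Pods that set seLinuxOptions`. The same applies to the `validationFailureAction: Audit` line in restrict-apparmor-profiles.yaml further down. The spec continues outside this hunk, so any per-rule override is not visible here.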
diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 7c5650ac0..f4778fa79 100755
--- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-apparmor-profiles
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
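Review bot: The new `conditions:` assertion lists a single element, and as far as I know Chainsaw compares arrays by length and index, so it would start failing if the ClusterPolicy status ever reports a second condition. Selecting the entry by type keeps the check tied to readiness only: `(conditions[?type == 'Ready']):` followed by `- reason: Succeeded` and `  status: "True"`. The trailing `+` blank line at the end of the hunk adds an empty last line to the file and can be dropped. The same pattern appears in restrict-seccomp's chainsaw-step-01-assert-1.yaml below.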
diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml
index d11890f9d..407d69967 100644
--- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml
@@ -8,7 +8,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,7 +20,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -31,4 +31,4 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml
index d8f331b95..ce0e9f149 100644
--- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml
@@ -8,7 +8,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -20,7 +20,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -29,7 +29,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -38,7 +38,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -49,7 +49,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -60,4 +60,4 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml
index 33a282868..58d1c54e4 100644
--- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,7 +36,7 @@ spec:
restartPolicy: Never
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -56,7 +56,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -74,5 +74,5 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml
index aaaa17340..efaa3240c 100644
--- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -36,7 +36,7 @@ spec:
restartPolicy: Never
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -54,7 +54,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -74,7 +74,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -94,7 +94,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -109,7 +109,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -127,7 +127,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -145,4 +145,4 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/pod-security/baseline/restrict-apparmor-profiles/artifacthub-pkg.yml b/pod-security/baseline/restrict-apparmor-profiles/artifacthub-pkg.yml
index 2a1d7f38b..0a4d55281 100644
--- a/pod-security/baseline/restrict-apparmor-profiles/artifacthub-pkg.yml
+++ b/pod-security/baseline/restrict-apparmor-profiles/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod, Annotation"
-digest: b826e93fa173d610354a528e16823d018ccf90e890f63339029724b3ac75a185
+digest: 365cb097730bd86fe20b203539015172b6f348bc6e012beb3cbce3f013fe665d
diff --git a/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml b/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
index 84194c67b..ef093df69 100644
--- a/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
+++ b/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml
@@ -16,7 +16,7 @@ metadata:
overrides to an allowed set of profiles. This policy ensures Pods do not
specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: app-armor
diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 92459aedf..03da26034 100755
--- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-seccomp
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
index ed1acc81d..14d48792f 100644
--- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
@@ -5,19 +5,19 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -29,12 +29,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -49,7 +49,7 @@ spec:
type: Unconfined
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -58,7 +58,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -70,7 +70,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -82,9 +82,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -96,12 +96,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -113,13 +113,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -128,15 +128,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -145,16 +145,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
index c7c153eb2..e97ff3768 100644
--- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
@@ -5,19 +5,19 @@ metadata:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -29,12 +29,12 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -51,7 +51,7 @@ spec:
localhostProfile: profiles/audit.json
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -60,7 +60,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -69,7 +69,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -78,7 +78,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -90,7 +90,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -103,7 +103,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -115,7 +115,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -128,9 +128,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -142,12 +142,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -160,13 +160,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -175,14 +175,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -191,15 +191,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -208,17 +208,17 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
index 433a45dac..92d9b91db 100644
--- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
@@ -14,19 +14,19 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -44,19 +44,19 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -77,7 +77,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -98,7 +98,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -119,9 +119,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -142,12 +142,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -168,13 +168,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -192,15 +192,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -218,18 +218,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -244,7 +244,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -262,7 +262,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -280,9 +280,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -300,12 +300,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -323,13 +323,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -344,15 +344,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -367,16 +367,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
index 49df1fbcf..72cafb0a1 100644
--- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
@@ -14,19 +14,19 @@ spec:
spec:
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -44,19 +44,19 @@ spec:
restartPolicy: Never
initContainers:
- name: busybox01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
- name: busybox02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -77,7 +77,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -95,7 +95,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -116,7 +116,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -138,7 +138,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -159,7 +159,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -181,9 +181,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -204,13 +204,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -231,13 +231,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -255,14 +255,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -280,15 +280,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -306,19 +306,19 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -333,7 +333,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -348,7 +348,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -366,7 +366,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -385,7 +385,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -403,7 +403,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -422,9 +422,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -442,13 +442,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -466,13 +466,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -487,14 +487,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -509,15 +509,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -532,17 +532,17 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
diff --git a/pod-security/baseline/restrict-seccomp/artifacthub-pkg.yml b/pod-security/baseline/restrict-seccomp/artifacthub-pkg.yml
index 13712bd99..a8fcf383b 100644
--- a/pod-security/baseline/restrict-seccomp/artifacthub-pkg.yml
+++ b/pod-security/baseline/restrict-seccomp/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 300e7c36b0fd01c8f70e9ad772b85ef2b4ed6593e6ff1224859bb06b675bfdc2
+digest: c2469f9eada153312c69490065cc32046f7615b0d88c9177d65ebec45b3ea01f
diff --git a/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml b/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml
index 2fd176dc4..b1161e77d 100644
--- a/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml
+++ b/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml
@@ -15,7 +15,7 @@ metadata:
set to `RuntimeDefault` or `Localhost`.
spec:
background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: check-seccomp
match:
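Review bot: `validationFailureAction: Audit` keeps this baseline policy in report-only mode and nothing on the line says so: a Pod that violates the seccomp rule is still admitted and only appears in policy reports. I would add a comment above the field, for example `# Audit records violations without blocking; switch to Enforce to reject non-compliant Pods`. The identical change in restrict-sysctls.yaml deserves the same comment. Newer Kyverno releases also appear to prefer a per-rule `failureAction` under `validate` over this spec-level field, so confirm which form the targeted version expects; the rule body lies outside the hunk.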
diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a7afea7ef..cc9ad507f 100755
--- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-sysctls
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
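Review bot: The new `conditions:` assertion is written as a plain one-element list, which, as far as I know, Chainsaw compares against the whole `status.conditions` list rather than as a subset. It passes only while the ClusterPolicy reports exactly one condition and would break if the controller ever adds a second one. Selecting the entry by type is more robust: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The same pattern is added in disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml.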
diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
index 4e3793ff4..e850d943b 100644
--- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
@@ -13,7 +13,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
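Review bot: The replacement image `ghcr.io/kyverno/test-busybox:1.35` is still referenced by a mutable tag, so what the e2e cluster pulls depends on whatever the registry serves for that tag at run time. Since every fixture line is being touched anyway, pinning by digest would make the test inputs reproducible, e.g. `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-of-published-image>` (placeholder; take the value from the registry). This applies to all the image hunks in the pod and podcontroller fixtures of this commit, not only this one. If these resources are only submitted for admission checks and never scheduled the exposure is smaller, but the pin is cheap and matches the SHA-pinned actions elsewhere in the change.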
@@ -26,7 +26,7 @@ spec:
value: "1000-2000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -41,7 +41,7 @@ spec:
value: "0"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -56,7 +56,7 @@ spec:
value: "5000-6000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -65,7 +65,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_next_id
@@ -78,7 +78,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
index 1811c89d4..389f1f79a 100644
--- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
+++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
@@ -13,7 +13,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -35,7 +35,7 @@ spec:
value: "1000-2000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -44,7 +44,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -53,7 +53,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
@@ -66,7 +66,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
@@ -79,7 +79,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
@@ -92,7 +92,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.tcp_syncookies
@@ -105,7 +105,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
@@ -118,7 +118,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
index 3d1973b78..587c2affb 100644
--- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
@@ -22,7 +22,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -45,7 +45,7 @@ spec:
value: "5000-6000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -63,7 +63,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_next_id
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
@@ -106,7 +106,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_next_id
@@ -125,7 +125,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
index 8446a6028..5280d7259 100644
--- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
@@ -22,7 +22,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -45,7 +45,7 @@ spec:
value: "60000"
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -63,7 +63,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -81,7 +81,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
@@ -103,7 +103,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
@@ -125,7 +125,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
@@ -147,7 +147,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.tcp_syncookies
@@ -169,7 +169,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
@@ -191,7 +191,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
@@ -212,7 +212,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -227,7 +227,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
@@ -246,7 +246,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
@@ -265,7 +265,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
@@ -284,7 +284,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.tcp_syncookies
@@ -303,7 +303,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
@@ -322,7 +322,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
diff --git a/pod-security/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security/baseline/restrict-sysctls/artifacthub-pkg.yml
index 1835085a6..1e62c8a19 100644
--- a/pod-security/baseline/restrict-sysctls/artifacthub-pkg.yml
+++ b/pod-security/baseline/restrict-sysctls/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 29b9c1bda8c60f61aff4fa1df4a19d9f18eec7376ca9aea202bacc4ab6ab8a11
+digest: ad4c1dcbc7f5e811797fa2df1de2d52c2180526f9b89e5cd3ee7ff637d9ab1c7
diff --git a/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml
index 6b309beb9..2f2832bff 100644
--- a/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml
+++ b/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml
@@ -17,7 +17,7 @@ metadata:
This policy ensures that only those "safe" subsets can be specified in
a Pod.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-sysctls
diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a7bd6b8fa..02a811690 100755
--- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-capabilities-strict
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
index 64949f3ca..a52dfab66 100644
--- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -27,9 +27,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -38,9 +38,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -53,13 +53,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -72,10 +72,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -88,14 +88,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -108,12 +108,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -126,16 +126,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -148,20 +148,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -174,7 +174,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -189,7 +189,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -205,13 +205,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -226,7 +226,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -234,7 +234,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -249,7 +249,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -257,7 +257,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -273,7 +273,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -282,7 +282,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -295,7 +295,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -305,7 +305,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -318,13 +318,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -333,7 +333,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -346,7 +346,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -354,7 +354,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -363,7 +363,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -376,7 +376,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -384,7 +384,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -394,7 +394,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
index 4475cfe63..70eb6daf5 100644
--- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -32,13 +32,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -51,14 +51,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -71,7 +71,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -79,7 +79,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -92,20 +92,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -118,7 +118,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -133,13 +133,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -154,7 +154,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -162,7 +162,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -177,14 +177,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -197,7 +197,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -206,7 +206,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -219,20 +219,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -245,13 +245,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -260,7 +260,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -273,7 +273,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -281,7 +281,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -290,7 +290,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
index afca656f9..f3d52b08b 100644
--- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -54,9 +54,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -74,9 +74,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -98,13 +98,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -126,10 +126,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -151,14 +151,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -180,12 +180,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -207,16 +207,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -238,20 +238,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -270,7 +270,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -285,7 +285,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -304,9 +304,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -321,9 +321,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -342,13 +342,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -367,10 +367,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -389,14 +389,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -415,12 +415,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -439,16 +439,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -467,20 +467,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- NET_RAW
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -502,7 +502,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -526,7 +526,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -551,13 +551,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -581,7 +581,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -589,7 +589,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -613,7 +613,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -621,7 +621,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -646,7 +646,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -655,7 +655,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -677,7 +677,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -687,7 +687,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -709,13 +709,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -724,7 +724,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -746,7 +746,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -754,7 +754,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -763,7 +763,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -785,7 +785,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -793,7 +793,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -803,7 +803,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -822,7 +822,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -843,7 +843,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -865,13 +865,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -892,7 +892,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -900,7 +900,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -921,7 +921,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -929,7 +929,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -951,7 +951,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -960,7 +960,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -979,7 +979,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -989,7 +989,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1008,13 +1008,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1023,7 +1023,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1042,7 +1042,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1050,7 +1050,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1059,7 +1059,7 @@ spec:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1078,7 +1078,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1086,7 +1086,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -1096,7 +1096,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
index 89131915e..1968566d9 100644
--- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -59,13 +59,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -87,14 +87,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -116,7 +116,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -124,7 +124,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -146,20 +146,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -178,7 +178,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -197,7 +197,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -217,13 +217,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -242,14 +242,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -268,7 +268,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -276,7 +276,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -295,20 +295,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -330,7 +330,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -354,13 +354,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -384,7 +384,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -392,7 +392,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -416,14 +416,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -445,7 +445,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -454,7 +454,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -476,20 +476,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -511,13 +511,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -526,7 +526,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -548,7 +548,7 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -556,7 +556,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -565,7 +565,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -584,7 +584,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -603,7 +603,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -624,13 +624,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -651,7 +651,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -659,7 +659,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -680,7 +680,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -689,7 +689,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -708,20 +708,20 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -740,13 +740,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
- ALL
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -755,7 +755,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -774,7 +774,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -782,7 +782,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
@@ -791,7 +791,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
drop:
diff --git a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
index 02febf504..38230c9b1 100644
--- a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
+++ b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: c9ad4e28dafebe6064adfd1a8256a88ca610b8d0d8aea1b23aa772f06b5d793a
+digest: 6000c5c6e0a0b0f87d67dd9a382a871f301dc2daa02d649abfe9fa14d0bff253
diff --git a/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
index dbc478783..1c4681879 100644
--- a/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
@@ -14,7 +14,7 @@ metadata:
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
all containers must explicitly drop `ALL` capabilities.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: require-drop-all
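Review bot: With `validationFailureAction: Audit` this restricted-profile policy only reports violations; Pods that keep or add capabilities are still admitted. The description lines above the changed line do not mention that, so a reader installing the policy as-is may assume it blocks. I would add a comment on the changed line, `# Audit only reports violations; set to Enforce to reject non-compliant Pods`. The `rules` list continues outside the hunk.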
diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 30a5747c2..b8dc40c39 100755
--- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-privilege-escalation
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
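Review bot: The new `conditions` assertion is written as a plain list, which, as far as I can tell, Chainsaw compares against the whole `status.conditions` array, so it may stop matching if the controller ever reports a second condition. Selecting the entry by type is more robust: `(conditions[?type == 'Ready']):` followed by `- status: "True"`, keeping `reason: Succeeded` only if the reason string is meant to be part of the contract. The hunk also adds a trailing blank line at the end of the file that can be dropped.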
diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
index 28ce245f0..e3c44d598 100644
--- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
---
@@ -25,9 +25,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -38,11 +38,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -53,10 +53,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -67,14 +67,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
index 7f7a8fe64..e184edd4f 100644
--- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -16,11 +16,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -31,12 +31,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -47,16 +47,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -67,20 +67,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
index 34577c35b..d6bd83a50 100644
--- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
---
@@ -52,9 +52,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -74,11 +74,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -98,10 +98,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -121,14 +121,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -145,7 +145,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -160,7 +160,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
---
@@ -177,9 +177,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -196,11 +196,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -217,10 +217,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -237,14 +237,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
index b1a20f561..1e3709b54 100644
--- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -34,11 +34,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -58,12 +58,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -83,16 +83,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -112,20 +112,20 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -142,7 +142,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -159,11 +159,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -180,12 +180,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -202,16 +202,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -228,19 +228,19 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
diff --git a/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
index 134cae44e..9b91be6b0 100644
--- a/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
+++ b/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: e8ce822cc387d097b86c462e1ed2ccc0136395e0c42e0731b722ed31cef9042d
+digest: 896f413ddf85259b6b61515bc6327ea9f6d9b4b76db43dec745cbd16dfcc9974
diff --git a/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
index b06d960a5..cfa501bb9 100644
--- a/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -13,7 +13,7 @@ metadata:
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: privilege-escalation
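Review bot: The description just above `spec:` says the policy "ensures" `allowPrivilegeEscalation` is `false`, but with `validationFailureAction: Audit` a violating Pod is still admitted and only reported. A short comment on the field would make that explicit for anyone installing the policy as-is, for example `# Audit only records violations; switch to Enforce to reject non-compliant Pods`. The same applies to the `require-run-as-non-root-user.yaml` hunk later in this diff, whose description also says "ensures". If the `digest` in `artifacthub-pkg.yml` is computed over this file, as it appears to be, it would need regenerating after the comment is added. The rule body continues outside the hunk.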
diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 3a15a8755..6a5138508 100755
--- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-run-as-non-root-user
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
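Review bot: The new assertion spells out `status.conditions` as a one-element list and also matches `reason: Succeeded`, which ties the step to the exact shape of the status rather than to readiness. If Chainsaw compares lists element by element (worth confirming for the version installed in CI), any further condition added to the ClusterPolicy status would fail this step even though the policy is Ready. Selecting the entry by type would be more tolerant: `(conditions[?type == 'Ready']):` followed by `- status: "True"`. The hunk also adds a trailing blank line at the end of the file, which can be dropped. The identical hunk for `require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml` has the same two points.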
diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml
index 91b114870..4cdcafbbd 100644
--- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -27,9 +27,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -40,10 +40,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -54,12 +54,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -68,12 +68,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml
index 3a3336909..66421b648 100644
--- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -36,9 +36,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -49,11 +49,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
---
@@ -64,11 +64,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
securityContext:
@@ -81,10 +81,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -93,12 +93,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -107,10 +107,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -121,12 +121,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml
index 441a23f49..75459b442 100644
--- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -54,9 +54,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -76,10 +76,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -99,12 +99,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -122,14 +122,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -144,7 +144,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -161,7 +161,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -178,9 +178,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -197,10 +197,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
---
@@ -217,12 +217,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -237,12 +237,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 0
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml
index d8115b64b..083e569d7 100644
--- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -52,7 +52,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -72,9 +72,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -94,11 +94,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
---
@@ -118,11 +118,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
securityContext:
@@ -144,10 +144,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -165,12 +165,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -188,10 +188,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -211,14 +211,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -233,7 +233,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -248,7 +248,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -265,7 +265,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -282,9 +282,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -301,11 +301,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
---
@@ -322,11 +322,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 2
securityContext:
@@ -345,10 +345,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -363,12 +363,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -383,10 +383,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
---
@@ -403,11 +403,11 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
index e3fb66644..e12508c16 100644
--- a/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
+++ b/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: ba2f062dce7055a18dba8f45007cb89575be9e027bbd7c3d4a43115333dfea5d
+digest: 51d4e6bf94bdf4139e904740b241f59d0c6ad82db5d41e34c8384183f60d97ad
diff --git a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
index 5be4515ce..ea9db6f16 100644
--- a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -13,7 +13,7 @@ metadata:
Containers must be required to run as non-root users. This policy ensures
`runAsUser` is either unset or set to a number greater than zero.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: run-as-non-root-user
diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index d97abc312..ce7c2fd4e 100755
--- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-run-as-nonroot
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml
index 8af6f9567..dc7e2e6d4 100644
--- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -25,7 +25,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -36,7 +36,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -49,9 +49,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -60,9 +60,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -73,9 +73,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -86,9 +86,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -101,11 +101,11 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -118,12 +118,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -134,10 +134,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -150,12 +150,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -168,12 +168,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -184,14 +184,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -202,12 +202,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -218,7 +218,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml
index 6a08ba318..20d08d820 100644
--- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -16,7 +16,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -27,7 +27,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -40,9 +40,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -53,9 +53,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -68,10 +68,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -82,12 +82,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -98,12 +98,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -114,14 +114,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -132,16 +132,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml
index 50368df71..64dcc37c2 100644
--- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -52,7 +52,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -72,7 +72,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -94,9 +94,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -114,9 +114,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -136,9 +136,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -158,9 +158,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -182,11 +182,11 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -208,12 +208,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -233,10 +233,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -258,12 +258,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -285,12 +285,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -310,14 +310,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -337,12 +337,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -359,7 +359,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -374,7 +374,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -391,7 +391,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -408,7 +408,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -427,9 +427,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -444,9 +444,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -463,9 +463,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
@@ -482,9 +482,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -503,11 +503,11 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
securityContext:
@@ -526,12 +526,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -548,10 +548,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -570,12 +570,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -594,12 +594,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -616,14 +616,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -640,12 +640,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: false
---
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml
index 3216a4fed..2320e7563 100644
--- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -54,7 +54,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -76,9 +76,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -98,9 +98,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -122,10 +122,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -145,12 +145,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -170,12 +170,12 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -195,14 +195,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -222,16 +222,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -248,7 +248,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -265,7 +265,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -282,7 +282,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -301,9 +301,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -320,9 +320,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
securityContext:
@@ -341,10 +341,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -361,12 +361,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -383,12 +383,12 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -405,14 +405,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
---
@@ -429,15 +429,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
runAsNonRoot: true
diff --git a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
index c90f47f8d..3adda05ec 100644
--- a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
+++ b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 6b662e81d2e326be2844f05a81ba92a938006514b0d7dd0c15aa2ab526c7077b
+digest: 41b892b201760036c88b6f6763db2e330aa1f5d03064e77ec38d6c6bbc5ff587
diff --git a/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
index cad5c18e8..c20f86e3d 100644
--- a/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
@@ -14,7 +14,7 @@ metadata:
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: run-as-non-root
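Review bot: `validationFailureAction: Audit` has no comment telling a reader that in this mode the policy only reports violations and still admits a Pod that does not set `runAsNonRoot`. For a policy published in the "Pod Security Standards (Restricted)" category, that is easy to mistake for enforcement. I would add a comment above the line such as `# Audit only reports violations; set to Enforce to reject non-compliant Pods`. The same line in restrict-seccomp-strict.yaml would benefit from the same comment. The `spec` block continues past the end of this hunk.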
diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index db4a4dc3a..cdb6f45bc 100755
--- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-seccomp-strict
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
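Review bot: The new `status.conditions` assertion lists a single item, which ties the test to `Ready` being the condition at that position if Chainsaw compares plain lists element by element (worth confirming against the Chainsaw version in use). Selecting the condition by type, `(conditions[?type == 'Ready']):` with `- status: "True"` beneath it, would keep the check valid if the policy status later carries more than one condition. The trailing empty `+` line only adds a blank line at the end of the file and can be dropped. The identical hunk in restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml has both points.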
diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml
index 8f541571f..f9a801b7c 100644
--- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -17,7 +17,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -29,9 +29,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -43,12 +43,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -60,13 +60,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -75,15 +75,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -92,16 +92,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml
index 0a9275016..d35109aeb 100644
--- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -17,7 +17,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
localhostProfile: operator/default/profile1.json
@@ -30,7 +30,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -42,7 +42,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -55,9 +55,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -73,12 +73,12 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -91,13 +91,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -109,14 +109,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -128,15 +128,15 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -148,19 +148,19 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml
index b7f7162c8..e11928730 100644
--- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -56,9 +56,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -79,12 +79,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -105,13 +105,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -129,15 +129,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -155,18 +155,18 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -181,7 +181,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -199,7 +199,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -217,9 +217,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -237,12 +237,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
@@ -260,13 +260,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -281,15 +281,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -304,16 +304,16 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml
index 555c0abca..cfac47fb3 100644
--- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -35,7 +35,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -57,7 +57,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -78,7 +78,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -100,9 +100,9 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -127,12 +127,12 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -154,13 +154,13 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -181,14 +181,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -209,15 +209,15 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -238,19 +238,19 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -268,7 +268,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -286,7 +286,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -305,7 +305,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -323,7 +323,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -342,9 +342,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -366,12 +366,12 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
@@ -390,13 +390,13 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -414,14 +414,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -439,15 +439,15 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
@@ -465,19 +465,19 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seccompProfile:
type: RuntimeDefault
diff --git a/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
index e3d7b7795..ccee16dbe 100644
--- a/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
+++ b/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 303a7f45eadad3b128126f5ae05dd2e9c3a24279034d6b89051127e4f7c39322
+digest: ccde04c25c74488da3ef02e15a4185c8b34218e817b8976d0536cdfb05b912f4
diff --git a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
index 4c9a83d20..10b593082 100644
--- a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -17,7 +17,7 @@ metadata:
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: check-seccomp-strict
match:
diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 417239b4b..9ced74a13 100755
--- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: restrict-volume-types
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
index c8b3f40fa..a7a90ba35 100644
--- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
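Review bot: The new image reference `ghcr.io/kyverno/test-busybox:1.35` is a mutable tag, so whatever the mirror serves under `1.35` at run time is what CI executes for any fixture Pod that is admitted. Pinning by digest, `image: ghcr.io/kyverno/test-busybox:1.35@sha256:<digest-of-mirrored-image>` (placeholder), would make the test input reproducible and would surface a changed mirror image as a diff. This applies to every `test-busybox` hunk in the restrict-volume-types and restricted-exclude-capabilities fixtures. The `test-nginx:dontpull` references look like they are never meant to be pulled, so they matter less. The Pod spec continues outside the hunk.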
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -39,7 +39,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -55,7 +55,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -72,7 +72,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -90,7 +90,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -107,7 +107,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -125,7 +125,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -141,7 +141,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -157,7 +157,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -174,7 +174,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -190,7 +190,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -207,7 +207,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -224,7 +224,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -240,7 +240,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -257,7 +257,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -275,7 +275,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -291,7 +291,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -312,7 +312,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -328,7 +328,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
index 4ea15fd1d..7446083e8 100644
--- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
+++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -29,7 +29,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: mysettings
mountPath: /settings
@@ -45,7 +45,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: warehouse
mountPath: /warehouse
@@ -65,7 +65,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: labels
mountPath: /labels
@@ -84,7 +84,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: ephem
mountPath: /ephem
@@ -109,7 +109,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: foo
mountPath: /foo
@@ -126,7 +126,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: vault-token
@@ -146,7 +146,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /mysecret
name: mysecret
diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
index bbbe09c60..e4468a88b 100644
--- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
@@ -11,7 +11,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -34,7 +34,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -57,7 +57,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -79,7 +79,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -102,7 +102,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -126,7 +126,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -149,7 +149,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -173,7 +173,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -195,7 +195,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -217,7 +217,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -240,7 +240,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -262,7 +262,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -285,7 +285,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -308,7 +308,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -330,7 +330,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -353,7 +353,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -377,7 +377,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -399,7 +399,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -426,7 +426,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -448,7 +448,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
index 26c344b15..a49214521 100644
--- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -57,7 +57,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: labels
mountPath: /labels
@@ -85,7 +85,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: ephem
mountPath: /ephem
@@ -119,7 +119,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: foo
mountPath: /foo
@@ -145,7 +145,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: vault-token
@@ -171,7 +171,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -186,7 +186,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: udev
mountPath: /data
@@ -207,7 +207,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: mysettings
mountPath: /settings
@@ -229,7 +229,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: warehouse
mountPath: /warehouse
@@ -256,7 +256,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: labels
mountPath: /labels
@@ -281,7 +281,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: ephem
mountPath: /ephem
@@ -312,7 +312,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- name: foo
mountPath: /foo
@@ -335,7 +335,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: vault-token
@@ -361,7 +361,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: /mysecret
name: mysecret
diff --git a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
index d7b90f513..549fa020c 100644
--- a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
+++ b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod,Volume"
-digest: f050ec83c6176c4124cb678418bba7326d9885bd23ee9669e19761d8ec8a0cf2
+digest: 66179d39a81d5c556ff011609a38509aa579a8cb7f63fbf241579f327052ee05
diff --git a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
index fb8fd35d9..21f3b719a 100644
--- a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
+++ b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
@@ -15,7 +15,7 @@ metadata:
limits usage of non-core volume types to those defined through PersistentVolumes.
This policy blocks any other type of volume other than those in the allow list.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: restricted-volumes
diff --git a/pod-security/subrule/podsecurity-subrule-baseline/artifacthub-pkg.yml b/pod-security/subrule/podsecurity-subrule-baseline/artifacthub-pkg.yml
index f48794180..96c5863e6 100644
--- a/pod-security/subrule/podsecurity-subrule-baseline/artifacthub-pkg.yml
+++ b/pod-security/subrule/podsecurity-subrule-baseline/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Pod Security, EKS Best Practices"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: cf5baa226ad6dddf0a93a2a2196c47671fa0abef9e109dbac6f03e03f992d38e
+digest: d132cf882bdaeb17e768973fbe9b8958449a72e3da8af849c856ca1b8e4b750a
diff --git a/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml b/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml
index f1d120976..5e2e52e17 100644
--- a/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml
+++ b/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml
@@ -18,7 +18,7 @@ metadata:
version of the Pod Security Standards cluster wide.
spec:
background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: baseline
match:
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml
index 3aa63a46f..28ce8ce01 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -39,7 +39,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -56,7 +56,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -70,7 +70,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -92,7 +92,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -104,7 +104,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -115,7 +115,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -142,7 +142,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -164,7 +164,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
ports:
- name: web-insecure
containerPort: 8080
@@ -190,7 +190,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
windowsOptions:
hostProcess: true
@@ -214,7 +214,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -236,7 +236,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -261,7 +261,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -284,7 +284,7 @@ spec:
value: "4"
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -301,7 +301,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -324,7 +324,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -350,7 +350,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
seLinuxOptions:
user: sysadm_u
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml
index 0446b5e49..f22282014 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -27,7 +27,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -40,7 +40,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -51,7 +51,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -78,7 +78,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -100,7 +100,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -125,7 +125,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -152,7 +152,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -174,7 +174,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -200,7 +200,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -224,7 +224,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -250,7 +250,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -267,7 +267,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -290,7 +290,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -307,7 +307,7 @@ metadata:
spec:
initContainers:
- name: container01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -328,7 +328,7 @@ spec:
- SYS_ADMIN
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml
index 82e49f127..e09c584ba 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
@@ -40,7 +40,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -66,7 +66,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -92,7 +92,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -115,7 +115,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -146,7 +146,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -158,7 +158,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -169,7 +169,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -205,7 +205,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -236,7 +236,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
ports:
- name: web-insecure
containerPort: 8080
@@ -271,7 +271,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
windowsOptions:
hostProcess: true
@@ -304,7 +304,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -335,7 +335,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -369,7 +369,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -401,7 +401,7 @@ spec:
value: "4"
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -427,7 +427,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -459,7 +459,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -494,7 +494,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -523,7 +523,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
@@ -549,7 +549,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -575,7 +575,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -601,7 +601,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -624,7 +624,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -655,7 +655,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -667,7 +667,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -678,7 +678,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -714,7 +714,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -745,7 +745,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
ports:
- name: web-insecure
containerPort: 8080
@@ -780,7 +780,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
windowsOptions:
hostProcess: true
@@ -813,7 +813,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -844,7 +844,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -876,7 +876,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -908,7 +908,7 @@ spec:
value: "4"
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -934,7 +934,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -966,7 +966,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -1001,7 +1001,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
seLinuxOptions:
user: sysadm_u
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml
index 418c21476..139df42da 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -45,7 +45,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -58,7 +58,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -69,7 +69,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -105,7 +105,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -136,7 +136,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -170,7 +170,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -206,7 +206,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -237,7 +237,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -272,7 +272,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -303,7 +303,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -336,7 +336,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -362,7 +362,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -394,7 +394,7 @@ spec:
spec:
initContainers:
- name: container01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -415,7 +415,7 @@ spec:
- SYS_ADMIN
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -439,7 +439,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -462,7 +462,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -490,7 +490,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -503,7 +503,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -514,7 +514,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -547,7 +547,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -575,7 +575,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -606,7 +606,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -639,7 +639,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -667,7 +667,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -700,7 +700,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -731,7 +731,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -764,7 +764,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -789,7 +789,7 @@ spec:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -818,7 +818,7 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: container01-init
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -839,7 +839,7 @@ spec:
- SYS_ADMIN
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml
index ec91895a4..6fb06a0ef 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: podsecurity-subrule-restricted-capabilities
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
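Review bot: The new assertion writes `status.conditions` as a plain one-element list, which would stop matching if the ClusterPolicy ever reports a second condition; this assumes Chainsaw compares plain lists element by element, lengths included, which is how I understand its assertion trees. Selecting the entry by type is sturdier: `(conditions[?type == 'Ready']):` followed by `- status: "True"`, which also removes the dependence on the `reason` string. The same pattern appears in the policy-ready.yaml hunk for restricted-exclude-seccomp and in restricted-latest's chainsaw-step-01-assert-1.yaml.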
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.kyverno-test/resource.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.kyverno-test/resource.yaml
index a1ee0bcff..51cbeae27 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.kyverno-test/resource.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.kyverno-test/resource.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:latest
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
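Review bot: The image line changes the tag from the pinned `1.1.9` to the floating `latest` as well as the registry, while the other fixtures in this commit keep their tags (`:dontpull`, `:1.1.9`, `busybox:1.35`). Nothing visible in the hunk needs `latest`, and a fixture on a mutable tag gives results that depend on what the tag points to if the manifest is ever applied or checked against a tag rule. `image: ghcr.io/kyverno/test-nginx:1.1.9` would change only the registry. The Pod manifest starts above the hunk and continues below it.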
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml b/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
index 8f6f5ceb5..3ef9995ca 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: e917468019277ed45ac963bb9c8623fda646a33eb49320716a565a3191c6cfb9
+digest: 4a35f7759f06a4a8881df10978d5c87f5a24994c10209512f8a81a05f7f2b0c0
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml
index 8f466a1d7..6ff865a3c 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml
@@ -20,7 +20,7 @@ metadata:
exempting `nginx` and `redis` container images from the Capabilities control check.
spec:
background: true
- validationFailureAction: enforce
+ validationFailureAction: Enforce
rules:
- name: restricted-exempt-capabilities
match:
@@ -35,5 +35,5 @@ spec:
exclude:
- controlName: Capabilities
images:
- - nginx*
+ - ghcr.io/kyverno/test-nginx*
- redis*
\ No newline at end of file
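Review bot: The `images` exemption is now `ghcr.io/kyverno/test-nginx*`, but the policy description in the first hunk of this file still says it exempts `nginx` and `redis` images, so the published sample no longer does what its text says for a plain `nginx` image. Either update the description to name the test image, or keep `- nginx*` in the list next to the new entry. The trailing `*` is also broader than the fixtures need: assuming the pattern is matched against the whole image reference, it covers any repository whose name begins with `test-nginx`, whereas `- ghcr.io/kyverno/test-nginx:*` would limit the exemption to tags of that one repository. The `exclude` entry begins above the hunk.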
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml
index 7fe0e0bb5..9388cc1e2 100644
--- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -39,7 +39,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -56,7 +56,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -70,7 +70,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -92,7 +92,7 @@ spec:
type: Unconfined
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -104,7 +104,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -115,7 +115,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -142,7 +142,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -164,7 +164,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -190,7 +190,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -214,7 +214,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -236,7 +236,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -261,7 +261,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -284,7 +284,7 @@ spec:
value: "4"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -301,7 +301,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -324,7 +324,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -350,7 +350,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml
index 4713c8eda..daf2ff3c7 100644
--- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -25,7 +25,7 @@ spec:
type: Unconfined
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -38,7 +38,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -47,7 +47,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -72,7 +72,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -94,7 +94,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -117,7 +117,7 @@ spec:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -144,7 +144,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -164,7 +164,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -188,7 +188,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -212,7 +212,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -238,7 +238,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -253,7 +253,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml
index fb1c69140..9e5f97ec7 100644
--- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
@@ -40,7 +40,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -64,7 +64,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -88,7 +88,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -111,7 +111,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -142,7 +142,7 @@ spec:
type: Unconfined
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -154,7 +154,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -165,7 +165,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -201,7 +201,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -232,7 +232,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -267,7 +267,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -298,7 +298,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -327,7 +327,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -359,7 +359,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -389,7 +389,7 @@ spec:
value: "4"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -413,7 +413,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -445,7 +445,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -480,7 +480,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -509,7 +509,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
@@ -535,7 +535,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -561,7 +561,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -587,7 +587,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -610,7 +610,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -641,7 +641,7 @@ spec:
type: Unconfined
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -653,7 +653,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -664,7 +664,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -700,7 +700,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -729,7 +729,7 @@ spec:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -762,7 +762,7 @@ spec:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -793,7 +793,7 @@ spec:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -822,7 +822,7 @@ spec:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -852,7 +852,7 @@ spec:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -884,7 +884,7 @@ spec:
value: "4"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -910,7 +910,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -942,7 +942,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -977,7 +977,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml
index 5ff0bae32..714a50fc9 100644
--- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -43,7 +43,7 @@ spec:
type: Unconfined
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -56,7 +56,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -65,7 +65,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -99,7 +99,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -128,7 +128,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -160,7 +160,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -196,7 +196,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -225,7 +225,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -258,7 +258,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -287,7 +287,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -318,7 +318,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -342,7 +342,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -369,7 +369,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -392,7 +392,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:dontpull
+ image: ghcr.io/kyverno/test-nginx:dontpull
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -420,7 +420,7 @@ spec:
type: Unconfined
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -433,7 +433,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -444,7 +444,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -477,7 +477,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -505,7 +505,7 @@ spec:
type: Unconfined
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -534,7 +534,7 @@ spec:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -565,7 +565,7 @@ spec:
runAsUser: 1
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -591,7 +591,7 @@ spec:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -622,7 +622,7 @@ spec:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -653,7 +653,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -686,7 +686,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -709,7 +709,7 @@ spec:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml
index 875efe127..876cd8bb0 100644
--- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: podsecurity-subrule-restricted-seccomp
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/artifacthub-pkg.yml b/pod-security/subrule/restricted/restricted-exclude-seccomp/artifacthub-pkg.yml
index 82ac9a273..649d512d8 100644
--- a/pod-security/subrule/restricted/restricted-exclude-seccomp/artifacthub-pkg.yml
+++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: c5b83d86fd4a976412f4bbb1bd732f487d7c0ce37958f1fa41cf33cd12dd71d1
+digest: 1b88f3c697aa61054f3a4b890e83c63258da6e1267d450844f3e8c87c374f91d
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml
index 886eca9e6..ad7bf8b68 100644
--- a/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml
+++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml
@@ -20,7 +20,7 @@ metadata:
completely exempting Seccomp control check.
spec:
background: true
- validationFailureAction: enforce
+ validationFailureAction: Enforce
rules:
- name: restricted-exempt-seccomp
match:
diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 03e743584..aad179a5b 100755
--- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: podsecurity-subrule-restricted
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml
index 911207ea4..721b624de 100644
--- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml
+++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
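Review bot: The replacement image `ghcr.io/kyverno/test-nginx:1.1.9` is still referenced by a mutable tag, so the content a test cluster pulls can change without any change in this repository. The commit already moves the fixtures to a project-controlled registry, and pinning by digest would finish that step, for example `image: ghcr.io/kyverno/test-nginx:1.1.9@sha256:<digest>` (placeholder; take the value from the registry). The same applies to the `ghcr.io/kyverno/test-busybox:1.35` lines in the remaining fixture hunks. The pod spec continues outside this hunk.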
@@ -22,7 +22,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -39,7 +39,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -56,7 +56,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -70,7 +70,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -92,7 +92,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -104,7 +104,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -115,7 +115,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -142,7 +142,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -164,7 +164,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -190,7 +190,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -214,7 +214,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -236,7 +236,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -261,7 +261,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -284,7 +284,7 @@ spec:
value: "4"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -301,7 +301,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -324,7 +324,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -350,7 +350,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml
index 89679f823..0ebfab8a2 100644
--- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml
+++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -27,7 +27,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -40,7 +40,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -51,7 +51,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -78,7 +78,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -100,7 +100,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -125,7 +125,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -152,7 +152,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -174,7 +174,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -200,7 +200,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -224,7 +224,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -250,7 +250,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -267,7 +267,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml
index 5f75cf3ee..9a35e7f8d 100644
--- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml
+++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
@@ -40,7 +40,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -66,7 +66,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -92,7 +92,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -115,7 +115,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -146,7 +146,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -158,7 +158,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -169,7 +169,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -205,7 +205,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -236,7 +236,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -271,7 +271,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -304,7 +304,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -335,7 +335,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -369,7 +369,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -401,7 +401,7 @@ spec:
value: "4"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -427,7 +427,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -459,7 +459,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -494,7 +494,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
@@ -523,7 +523,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: true
@@ -549,7 +549,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
@@ -575,7 +575,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -601,7 +601,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -624,7 +624,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
@@ -655,7 +655,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -667,7 +667,7 @@ spec:
add:
- SYS_NET_ADMIN
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -678,7 +678,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -714,7 +714,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -745,7 +745,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -780,7 +780,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
windowsOptions:
hostProcess: true
@@ -813,7 +813,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: true
allowPrivilegeEscalation: false
@@ -844,7 +844,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
type: container_engine_t
@@ -876,7 +876,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -908,7 +908,7 @@ spec:
value: "4"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -934,7 +934,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -966,7 +966,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -1001,7 +1001,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
user: sysadm_u
diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml
index e0f0d3f8a..c1d89e95e 100644
--- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -45,7 +45,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -58,7 +58,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -69,7 +69,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -105,7 +105,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -136,7 +136,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -170,7 +170,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -206,7 +206,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -237,7 +237,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -272,7 +272,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -303,7 +303,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -336,7 +336,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -362,7 +362,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -392,7 +392,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -415,7 +415,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: nginx:1.1.9
+ image: ghcr.io/kyverno/test-nginx:1.1.9
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -443,7 +443,7 @@ spec:
type: RuntimeDefault
initContainers:
- name: init-container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -456,7 +456,7 @@ spec:
add:
- NET_BIND_SERVICE
- name: init-container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -467,7 +467,7 @@ spec:
- ALL
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -500,7 +500,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -528,7 +528,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -559,7 +559,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
ports:
- name: web-insecure
containerPort: 8080
@@ -592,7 +592,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
privileged: false
allowPrivilegeEscalation: false
@@ -620,7 +620,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
seLinuxOptions:
level: "s0:c123,c456"
@@ -653,7 +653,7 @@ spec:
type: RuntimeDefault
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -684,7 +684,7 @@ spec:
localhostProfile: operator/default/profile1.json
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -717,7 +717,7 @@ spec:
value: "1 0"
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
@@ -742,7 +742,7 @@ spec:
runAsNonRoot: true
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
diff --git a/pod-security/subrule/restricted/restricted-latest/artifacthub-pkg.yml b/pod-security/subrule/restricted/restricted-latest/artifacthub-pkg.yml
index 6b0d6a395..0e95f38cc 100644
--- a/pod-security/subrule/restricted/restricted-latest/artifacthub-pkg.yml
+++ b/pod-security/subrule/restricted/restricted-latest/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Pod Security, EKS Best Practices"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: 80554d63be98bc08dafdc5373c2763db38fead447b83ac4d9b1ac3209d98279b
+digest: 7fea2befa6f0012dd9c61407974aba41d582e75160a18f8639b5a861e03b28f7
diff --git a/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml b/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml
index e66589439..8cf8d6b96 100644
--- a/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml
+++ b/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml
@@ -18,7 +18,7 @@ metadata:
restricted profile through the latest version of the Pod Security Standards cluster wide.
spec:
background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: restricted
match:
diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
index cfb6ab67a..b9a1d6b21 100644
--- a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
+++ b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,11 @@ kind: ClusterPolicy
metadata:
name: add-psa-namespace-reporting
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml
index 93dfa2f2d..3ea142941 100755
--- a/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml
+++ b/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: deny-privileged-profile
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml
index 01867dc1a..46908e117 100644
--- a/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml
+++ b/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,7 @@ kind: ClusterPolicy
metadata:
name: add-privileged-existing-namespaces
status:
- ready: true
\ No newline at end of file
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml b/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml
index 622a18a59..2cf0d32e9 100644
--- a/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml
+++ b/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: add-psa-labels
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
index cfb6ab67a..b9a1d6b21 100644
--- a/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,11 @@ kind: ClusterPolicy
metadata:
name: add-psa-namespace-reporting
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
index 15b830f10..aa2652863 100644
--- a/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
+++ b/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
@@ -22,7 +22,7 @@ metadata:
organization's security practices and take appropriate action to rectify the
situation.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-namespace-labels
diff --git a/psa/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
index 00f936a11..a630d7f76 100644
--- a/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
+++ b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Pod Security Admission, EKS Best Practices"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Namespace"
-digest: 9f900e576158a5cff2e07404794add182859bfc6d881682af3490381abe6b434
+digest: bef9af61af8383e43369256e922ca3405b2b1170f6e79ef215cefd4f49aed6f5
diff --git a/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 93dfa2f2d..3ea142941 100755
--- a/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: deny-privileged-profile
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psa/deny-privileged-profile/artifacthub-pkg.yml b/psa/deny-privileged-profile/artifacthub-pkg.yml
index f9742ec5f..94fd84b99 100644
--- a/psa/deny-privileged-profile/artifacthub-pkg.yml
+++ b/psa/deny-privileged-profile/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Admission"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Namespace"
-digest: e417c381e1aa9fd3778b37c09cfdccb87b0de20ee16ac4034496283f4fa859ac
+digest: d203db4076926737e39f08bb5f4e4b41e665e89e88352fe5b2ae4685b59a5ef3
diff --git a/psa/deny-privileged-profile/deny-privileged-profile.yaml b/psa/deny-privileged-profile/deny-privileged-profile.yaml
index a7f108555..a3e0dc64c 100644
--- a/psa/deny-privileged-profile/deny-privileged-profile.yaml
+++ b/psa/deny-privileged-profile/deny-privileged-profile.yaml
@@ -20,7 +20,7 @@ metadata:
the cluster-admin ClusterRole may create Namespaces which assign the label
`pod-security.kubernetes.io/enforce=privileged`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: check-privileged
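Review bot: `validationFailureAction: Audit` on a policy named `deny-privileged-profile` means a Namespace that assigns `pod-security.kubernetes.io/enforce=privileged` is reported but still admitted, which a reader of the name and description may not expect. With `background: false` the violation is also only recorded at admission time. A comment above the field would make the shipped default explicit, for example `# Audit only reports violations; set to Enforce to block the request.` The rule list continues outside this hunk, so this covers only the spec-level setting shown here.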
diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
index 295f13ed2..cb9c8bee7 100644
--- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
+++ b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
@@ -10,7 +10,7 @@ spec:
- 550
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -23,7 +23,7 @@ spec:
- 120
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -37,7 +37,7 @@ spec:
- 0
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -52,4 +52,4 @@ spec:
runAsGroup: 0
containers:
- name: busybox01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml
index ccdb66190..79894baf2 100644
--- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml
+++ b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,7 +19,7 @@ spec:
- 500
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -33,7 +33,7 @@ spec:
- 120
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -44,7 +44,7 @@ spec:
runAsGroup: 0
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -57,4 +57,4 @@ spec:
runAsGroup: 0
containers:
- name: busybox01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
index da4768b78..0e0934d3b 100644
--- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
+++ b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
@@ -20,7 +20,7 @@ spec:
runAsGroup: 0
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,4 +39,4 @@ spec:
- 120
containers:
- name: busybox01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
index cbb26cae5..1e05f2afc 100644
--- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
+++ b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
- 500
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,4 +39,4 @@ spec:
- 120
containers:
- name: busybox01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml
index d68e9bb1c..7d430ec06 100755
--- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml
+++ b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: psp-check-supplemental-groups
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml
index 9d97c06bf..a9fecbc5d 100644
--- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml
+++ b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -32,9 +32,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -47,13 +47,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -66,13 +66,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -86,14 +86,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -102,7 +102,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -110,7 +110,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -119,16 +119,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -137,20 +137,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -159,13 +159,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -173,5 +173,5 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml
index 8b77e2a79..e1cea6c10 100644
--- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml
+++ b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -27,9 +27,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -38,9 +38,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -53,13 +53,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -72,10 +72,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -84,14 +84,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -100,12 +100,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -114,16 +114,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -132,17 +132,17 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml
index 4037cb574..a598ea012 100644
--- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml
+++ b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -59,13 +59,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -87,14 +87,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -116,16 +116,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -147,14 +147,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -173,7 +173,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -192,7 +192,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -212,13 +212,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -237,14 +237,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -264,9 +264,9 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -274,7 +274,7 @@ spec:
- CAP_CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -293,14 +293,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml
index 8daee6250..5c5c8c0fc 100644
--- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml
+++ b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -54,13 +54,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CAP_CHOWN
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -82,10 +82,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -103,14 +103,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CAP_CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -128,14 +128,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -154,7 +154,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -169,7 +169,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -188,13 +188,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -213,10 +213,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -231,14 +231,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -253,14 +253,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/policy-ready.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/policy-ready.yaml
index e870f077e..98bd55441 100755
--- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/policy-ready.yaml
+++ b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: psp-restrict-adding-capabilities
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index d68e9bb1c..7d430ec06 100755
--- a/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: psp-check-supplemental-groups
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
index 295f13ed2..cb9c8bee7 100644
--- a/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
+++ b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
@@ -10,7 +10,7 @@ spec:
- 550
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -23,7 +23,7 @@ spec:
- 120
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -37,7 +37,7 @@ spec:
- 0
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -52,4 +52,4 @@ spec:
runAsGroup: 0
containers:
- name: busybox01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml
index ccdb66190..79894baf2 100644
--- a/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml
+++ b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -19,7 +19,7 @@ spec:
- 500
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -33,7 +33,7 @@ spec:
- 120
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -44,7 +44,7 @@ spec:
runAsGroup: 0
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -57,4 +57,4 @@ spec:
runAsGroup: 0
containers:
- name: busybox01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
index da4768b78..0e0934d3b 100644
--- a/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
+++ b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
@@ -20,7 +20,7 @@ spec:
runAsGroup: 0
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,4 +39,4 @@ spec:
- 120
containers:
- name: busybox01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
index cbb26cae5..1e05f2afc 100644
--- a/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
+++ b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
@@ -19,7 +19,7 @@ spec:
- 500
containers:
- name: busybox01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -39,4 +39,4 @@ spec:
- 120
containers:
- name: busybox01
- image: busybox:1.35
\ No newline at end of file
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/psp-migration/check-supplemental-groups/artifacthub-pkg.yml b/psp-migration/check-supplemental-groups/artifacthub-pkg.yml
index 0a3710df8..fb9f9a670 100644
--- a/psp-migration/check-supplemental-groups/artifacthub-pkg.yml
+++ b/psp-migration/check-supplemental-groups/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "PSP Migration"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: f5ab7722d2b21ceee41c2069834148c0822d542ff21212d5def3c2b0b19265d1
+digest: 0df6e6333f415231f233f4824d5c72cb89c81bc5617c4b721f26bc20060b9b77
diff --git a/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml b/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml
index 24c05a1fb..8115a8e46 100644
--- a/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml
+++ b/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml
@@ -17,7 +17,7 @@ metadata:
may only specify supplementalGroup IDs between 100-200 or 500-600.
spec:
background: false
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: supplementalgroup-ranges
match:
diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index e870f077e..98bd55441 100755
--- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: psp-restrict-adding-capabilities
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml
index 9d97c06bf..a9fecbc5d 100644
--- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -18,7 +18,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -32,9 +32,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -47,13 +47,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -66,13 +66,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -86,14 +86,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -102,7 +102,7 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -110,7 +110,7 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -119,16 +119,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -137,20 +137,20 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -159,13 +159,13 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -173,5 +173,5 @@ spec:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
\ No newline at end of file
diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml
index 8b77e2a79..e1cea6c10 100644
--- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml
@@ -5,7 +5,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -14,7 +14,7 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -27,9 +27,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -38,9 +38,9 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -53,13 +53,13 @@ metadata:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -72,10 +72,10 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -84,14 +84,14 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -100,12 +100,12 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -114,16 +114,16 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: v1
kind: Pod
@@ -132,17 +132,17 @@ metadata:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml
index 4037cb574..a598ea012 100644
--- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -59,13 +59,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -87,14 +87,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -116,16 +116,16 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -147,14 +147,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -173,7 +173,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -192,7 +192,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -212,13 +212,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -237,14 +237,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -264,9 +264,9 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
- name: initcontainer02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -274,7 +274,7 @@ spec:
- CAP_CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -293,14 +293,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_RAW
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml
index 8daee6250..5c5c8c0fc 100644
--- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -32,7 +32,7 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -54,13 +54,13 @@ spec:
spec:
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CAP_CHOWN
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -82,10 +82,10 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -103,14 +103,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- CAP_CHOWN
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: apps/v1
kind: Deployment
@@ -128,14 +128,14 @@ spec:
spec:
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -154,7 +154,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -169,7 +169,7 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -188,13 +188,13 @@ spec:
restartPolicy: OnFailure
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- name: container02
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
@@ -213,10 +213,10 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -231,14 +231,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
---
apiVersion: batch/v1
kind: CronJob
@@ -253,14 +253,14 @@ spec:
restartPolicy: OnFailure
initContainers:
- name: initcontainer01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
securityContext:
capabilities:
add:
diff --git a/psp-migration/restrict-adding-capabilities/artifacthub-pkg.yml b/psp-migration/restrict-adding-capabilities/artifacthub-pkg.yml
index 2d1918052..f4e20a86e 100644
--- a/psp-migration/restrict-adding-capabilities/artifacthub-pkg.yml
+++ b/psp-migration/restrict-adding-capabilities/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "PSP Migration"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 0b02be286162b2cd028b4fe9f3e261b1c948dd04404c783c51dc02ab69eb79ca
+digest: e57e9f84a3d4819cd640fb97e4c6189447e2c1e730f6114821a1da3381fc42ac
diff --git a/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml b/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml
index 27cc6ed3e..9fc9618b4 100644
--- a/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml
+++ b/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml
@@ -18,7 +18,7 @@ metadata:
ephemeralContainers, initContainers, and containers to ensure the only
capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: allowed-capabilities
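Review bot: The description above `spec:` names the allowed capabilities as `NET_BIND_SERVICE` and `CAP_CHOWN`, mixing two spellings; Kubernetes manifests list capabilities without the `CAP_` prefix, so a Pod adding `CHOWN` would presumably not match an allow-list entry spelled `CAP_CHOWN`. The `podcontroller-good.yaml` fixtures in this diff also use `CAP_CHOWN` as the passing value, which suggests the rule compares literal strings. The body of `allowed-capabilities` is outside this hunk, so this needs checking there; if it does match literally, consider accepting `CHOWN` and updating the description to match. With `validationFailureAction: Audit` a violating Pod is reported, not rejected, which the description could also state.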
diff --git a/tekton-cel/block-tekton-task-runs/.chainsaw-test/policy-ready.yaml b/tekton-cel/block-tekton-task-runs/.chainsaw-test/policy-ready.yaml
index ca24ce66c..156082c75 100755
--- a/tekton-cel/block-tekton-task-runs/.chainsaw-test/policy-ready.yaml
+++ b/tekton-cel/block-tekton-task-runs/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: block-tekton-task-runs
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/policy-ready.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/policy-ready.yaml
index fe3d051fb..7def58fad 100755
--- a/tekton-cel/require-tekton-bundle/.chainsaw-test/policy-ready.yaml
+++ b/tekton-cel/require-tekton-bundle/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-tekton-bundle
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml b/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml
index 2c83e3067..1b267a35e 100644
--- a/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml
+++ b/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
kyverno/category: "Tekton in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "TaskRun, PipelineRun"
-digest: d1031e87d2d3e9496022593cac502bd8382863247803e4bd06a1badbe782ae48
+digest: 040ff6442dff95a14000ef7ac2a4f953659997d19654a8a959c0b59427ac4ee9
createdAt: "2024-05-24T04:26:34Z"
diff --git a/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml b/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml
index 585c00efb..5be99b3c4 100644
--- a/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml
+++ b/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml
@@ -36,6 +36,9 @@ spec:
- resources:
kinds:
- TaskRun
+ operations:
+ - CREATE
+ - UPDATE
validate:
cel:
expressions:
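Review bot: The added `operations` list (`CREATE`, `UPDATE`) is visible only on the match block for `TaskRun`, while the package metadata in this diff gives the policy's subject as "TaskRun, PipelineRun". If the policy has a separate PipelineRun rule, it should carry the same `operations:` block so both rules evaluate the same request types; that rule is outside this hunk, so this is something to confirm rather than a known gap. A short comment above the list, such as `# validate only requests that carry a new object`, would record why only these two operations are matched.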
diff --git a/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index ca24ce66c..156082c75 100755
--- a/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: block-tekton-task-runs
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/tekton/block-tekton-task-runs/artifacthub-pkg.yml b/tekton/block-tekton-task-runs/artifacthub-pkg.yml
index c0f341deb..2a2c6aa3a 100644
--- a/tekton/block-tekton-task-runs/artifacthub-pkg.yml
+++ b/tekton/block-tekton-task-runs/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Tekton"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "TaskRun"
-digest: 08b6fe5c9990d02fb809bb5145c58a85c071ed1ae4ad1485dec7344290784390
+digest: b81f44a6c23cb10349cf4064d04442ce0309521544b77730a0527251832d0b7d
diff --git a/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml b/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml
index 4471a5f54..e4ca35903 100644
--- a/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml
+++ b/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
Restrict creation of TaskRun resources to the Tekton pipelines controller.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: check-taskrun-user
diff --git a/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index fe3d051fb..7def58fad 100755
--- a/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-tekton-bundle
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/tekton/require-tekton-bundle/artifacthub-pkg.yml b/tekton/require-tekton-bundle/artifacthub-pkg.yml
index d7b4a9a21..67a0cb150 100644
--- a/tekton/require-tekton-bundle/artifacthub-pkg.yml
+++ b/tekton/require-tekton-bundle/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Tekton"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "TaskRun, PipelineRun"
-digest: 2e136747af729cc2bb5d1c88ff51a2a0d5ec2209e64aa3a79920e52f9c6ab0da
+digest: c400aeb9b0b39a27adac5e00b70aeff9f499ac307247a55d15e93ba81d69108d
diff --git a/tekton/require-tekton-bundle/require-tekton-bundle.yaml b/tekton/require-tekton-bundle/require-tekton-bundle.yaml
index cd7d2bcd8..b032593f1 100644
--- a/tekton/require-tekton-bundle/require-tekton-bundle.yaml
+++ b/tekton/require-tekton-bundle/require-tekton-bundle.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
PipelineRun and TaskRun resources must be executed from a bundle
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-bundle-pipelinerun
diff --git a/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 42c3f3219..84a9f9ace 100755
--- a/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-tekton-namespace-pipelinerun
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/tekton/require-tekton-namespace-pipelinerun/artifacthub-pkg.yml b/tekton/require-tekton-namespace-pipelinerun/artifacthub-pkg.yml
index 30a45fae7..7d34a53ca 100644
--- a/tekton/require-tekton-namespace-pipelinerun/artifacthub-pkg.yml
+++ b/tekton/require-tekton-namespace-pipelinerun/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Tekton"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "PipelineRun"
-digest: e7c2137806f319b9be984090216e7f5bc7a0ea94180799ecdf46f13d0774c5bf
+digest: 68f1df141b035ffba5e5affa37a526a9cd1a3ddc6b3d356a9cac3b589d871672
diff --git a/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml b/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml
index 5ff282ecb..71ac3231b 100644
--- a/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml
+++ b/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
A Namespace is required for a PipelineRun and may not be set to `default`.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-pipelinerun-namespace
diff --git a/tekton/require-tekton-securitycontext/artifacthub-pkg.yml b/tekton/require-tekton-securitycontext/artifacthub-pkg.yml
index b4249f464..ebab9bec5 100644
--- a/tekton/require-tekton-securitycontext/artifacthub-pkg.yml
+++ b/tekton/require-tekton-securitycontext/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Tekton"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "TaskRun"
-digest: 829fa20172f49fa1cb37a3207517b328751ca06744c073f55863e154f5cccbc1
+digest: 37aa2c05b969ca2398bc4c52888560c4013a2f545809883b70be3baba0124e41
diff --git a/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml b/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml
index c36a71f68..22321547b 100644
--- a/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml
+++ b/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
A securityContext is required for each TaskRun step.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: check-step-securitycontext
diff --git a/tekton/verify-tekton-pipeline-bundle-signatures/artifacthub-pkg.yml b/tekton/verify-tekton-pipeline-bundle-signatures/artifacthub-pkg.yml
index e3f5cde55..3c5033be6 100644
--- a/tekton/verify-tekton-pipeline-bundle-signatures/artifacthub-pkg.yml
+++ b/tekton/verify-tekton-pipeline-bundle-signatures/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Tekton"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "PipelineRun"
-digest: acba55acc1c2d5d52296ae0d7ee592ffd76760a98c140fa83c02139b104f4901
+digest: 21c240bef27349acb75f7c2cec962e82af3d0fa83697fe016de91cabab6510c3
diff --git a/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml b/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml
index 95c4d68c4..2804ae881 100644
--- a/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml
+++ b/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
A signed bundle is required
spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
webhookTimeoutSeconds: 30
rules:
- name: check-signature
diff --git a/tekton/verify-tekton-taskrun-signatures/artifacthub-pkg.yml b/tekton/verify-tekton-taskrun-signatures/artifacthub-pkg.yml
index 2fa607cb8..38faf3ed7 100644
--- a/tekton/verify-tekton-taskrun-signatures/artifacthub-pkg.yml
+++ b/tekton/verify-tekton-taskrun-signatures/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Tekton"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "TaskRun"
-digest: 61be170b85f21ddea8032bf685ad6da38b0b119108f6a628a6b3eb9136e411ae
+digest: 51735b052443aac5d798fa4368c3b60542bf39e43ab324e2868e023303df2c7a
diff --git a/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml b/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml
index 3defd9119..323f407d4 100644
--- a/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml
+++ b/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml
@@ -13,7 +13,7 @@ metadata:
policies.kyverno.io/description: >-
A signed bundle is required.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
webhookTimeoutSeconds: 30
rules:
- name: check-signature
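Review bot: The description says "A signed bundle is required.", but the policy ships with `validationFailureAction: Audit`, so a TaskRun that fails the check is presumably reported rather than rejected. The sibling `verify-tekton-pipeline-bundle-signatures` policy in this diff ships as `Enforce`. I would extend the description with a sentence such as `Shipped in Audit mode: failures are reported, not blocked; set Enforce to reject unsigned TaskRuns.` so the policy is not mistaken for an admission gate. The same wording would suit `verify-tekton-taskrun-vuln-scan`, which is also `Audit`. The `check-signature` rule continues outside the hunk.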
diff --git a/tekton/verify-tekton-taskrun-vuln-scan/artifacthub-pkg.yml b/tekton/verify-tekton-taskrun-vuln-scan/artifacthub-pkg.yml
index 25ca986d3..367f268ab 100644
--- a/tekton/verify-tekton-taskrun-vuln-scan/artifacthub-pkg.yml
+++ b/tekton/verify-tekton-taskrun-vuln-scan/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Tekton"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "TaskRun"
-digest: 542d74bd9fa89a22f22d4fdd4ac9b36b4b8f0fcfe46f98638d1a1be775a0dc1f
+digest: 81c27e22b753182ea158fbb2361e60c18ebcf2347d779b2d4a3027c3024f9d3e
diff --git a/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml b/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml
index c1ee4b1ef..ac6d7a263 100644
--- a/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml
+++ b/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml
@@ -14,7 +14,7 @@ metadata:
A signed bundle is required and a vulnerability scan made by Grype must
return no vulnerabilities greater than 8.0.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
webhookTimeoutSeconds: 30
rules:
- name: check-signature
diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml
index f3e37c449..b0025f795 100755
--- a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml
+++ b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-default-tlsoptions
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f3e37c449..b0025f795 100755
--- a/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: disallow-default-tlsoptions
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/traefik/disallow-default-tlsoptions/artifacthub-pkg.yml b/traefik/disallow-default-tlsoptions/artifacthub-pkg.yml
index b517b015d..8f499ff9f 100644
--- a/traefik/disallow-default-tlsoptions/artifacthub-pkg.yml
+++ b/traefik/disallow-default-tlsoptions/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Traefik"
kyverno/kubernetesVersion: "1.21"
kyverno/subject: "TLSOption"
-digest: 59fb6372a65f74a9857938fa4bd798b7a09f4ccc0514449c17ef61c735d24121
+digest: 000ee9b234050f94e9ba8352b94146f8a6bcf65b128b66858e3eb8c01ccc2661
diff --git a/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml b/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml
index b3bccd254..a1166804f 100644
--- a/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml
+++ b/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml
@@ -15,7 +15,7 @@ metadata:
creating the `default` TLSOption is a restricted operation. This policy ensures that
only a cluster-admin can create the `default` TLSOption resource.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: disallow-default-tlsoptions
diff --git a/velero-cel/block-velero-restore/.chainsaw-test/policy-ready.yaml b/velero-cel/block-velero-restore/.chainsaw-test/policy-ready.yaml
index df978e12d..2cdf18026 100755
--- a/velero-cel/block-velero-restore/.chainsaw-test/policy-ready.yaml
+++ b/velero-cel/block-velero-restore/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: block-velero-restore
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/velero-cel/validate-cron-schedule/.chainsaw-test/policy-ready.yaml b/velero-cel/validate-cron-schedule/.chainsaw-test/policy-ready.yaml
index 11afe59c1..26087f9ce 100755
--- a/velero-cel/validate-cron-schedule/.chainsaw-test/policy-ready.yaml
+++ b/velero-cel/validate-cron-schedule/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: validate-cron-schedule
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/velero/backup-all-volumes/.chainsaw-test/cronjob-patched.yaml b/velero/backup-all-volumes/.chainsaw-test/cronjob-patched.yaml
index 697870a71..07b85e3a4 100644
--- a/velero/backup-all-volumes/.chainsaw-test/cronjob-patched.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/cronjob-patched.yaml
@@ -21,7 +21,7 @@ spec:
claimName: mypvc
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
\ No newline at end of file
diff --git a/velero/backup-all-volumes/.chainsaw-test/deploy-patched.yaml b/velero/backup-all-volumes/.chainsaw-test/deploy-patched.yaml
index 6f887de82..88cc7db57 100644
--- a/velero/backup-all-volumes/.chainsaw-test/deploy-patched.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/deploy-patched.yaml
@@ -23,7 +23,7 @@ spec:
claimName: mypvc
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
\ No newline at end of file
diff --git a/velero/backup-all-volumes/.chainsaw-test/pod-not-patched02.yaml b/velero/backup-all-volumes/.chainsaw-test/pod-not-patched02.yaml
index c9df04160..c6f54c11d 100644
--- a/velero/backup-all-volumes/.chainsaw-test/pod-not-patched02.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/pod-not-patched02.yaml
@@ -12,7 +12,7 @@ spec:
claimName: mypvc
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
\ No newline at end of file
diff --git a/velero/backup-all-volumes/.chainsaw-test/pod-patched01.yaml b/velero/backup-all-volumes/.chainsaw-test/pod-patched01.yaml
index cca70b10d..08c546bdf 100644
--- a/velero/backup-all-volumes/.chainsaw-test/pod-patched01.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/pod-patched01.yaml
@@ -14,7 +14,7 @@ spec:
claimName: mypvc
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
\ No newline at end of file
diff --git a/velero/backup-all-volumes/.chainsaw-test/pod-patched03.yaml b/velero/backup-all-volumes/.chainsaw-test/pod-patched03.yaml
index 2ebbc8a62..2273f38b4 100644
--- a/velero/backup-all-volumes/.chainsaw-test/pod-patched03.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/pod-patched03.yaml
@@ -17,7 +17,7 @@ spec:
claimName: external
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
diff --git a/velero/backup-all-volumes/.chainsaw-test/pod-patched04.yaml b/velero/backup-all-volumes/.chainsaw-test/pod-patched04.yaml
index e5e9b742a..f8e79378f 100644
--- a/velero/backup-all-volumes/.chainsaw-test/pod-patched04.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/pod-patched04.yaml
@@ -17,7 +17,7 @@ spec:
emptyDir: {}
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
diff --git a/velero/backup-all-volumes/.chainsaw-test/podcontroller.yaml b/velero/backup-all-volumes/.chainsaw-test/podcontroller.yaml
index 6a8db11a6..ecb8da406 100644
--- a/velero/backup-all-volumes/.chainsaw-test/podcontroller.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/podcontroller.yaml
@@ -22,7 +22,7 @@ spec:
claimName: mypvc
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
@@ -49,7 +49,7 @@ spec:
claimName: mypvc
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
\ No newline at end of file
diff --git a/velero/backup-all-volumes/.chainsaw-test/pods.yaml b/velero/backup-all-volumes/.chainsaw-test/pods.yaml
index eb6b906ca..2ce6a580a 100644
--- a/velero/backup-all-volumes/.chainsaw-test/pods.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/pods.yaml
@@ -13,7 +13,7 @@ spec:
claimName: mypvc
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
@@ -31,7 +31,7 @@ spec:
claimName: mypvc
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
@@ -54,7 +54,7 @@ spec:
claimName: external
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
@@ -79,7 +79,7 @@ spec:
emptyDir: {}
containers:
- name: container01
- image: busybox:1.35
+ image: ghcr.io/kyverno/test-busybox:1.35
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: task-pv-storage
diff --git a/velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml b/velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml
index b8ce12303..00b968680 100644
--- a/velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml
+++ b/velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: backup-all-volumes
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/velero/block-velero-restore/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/velero/block-velero-restore/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index df978e12d..2cdf18026 100755
--- a/velero/block-velero-restore/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/velero/block-velero-restore/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: block-velero-restore
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/velero/block-velero-restore/artifacthub-pkg.yml b/velero/block-velero-restore/artifacthub-pkg.yml
index f4b815f13..94151db98 100644
--- a/velero/block-velero-restore/artifacthub-pkg.yml
+++ b/velero/block-velero-restore/artifacthub-pkg.yml
@@ -28,4 +28,4 @@ annotations:
kyverno/category: "Velero"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Restore"
-digest: 8dc53eeed16dfae126f70003803e7f14a7373f202e01398a785b8f2747b3d2f9
+digest: a65832197cee441d134ff4ce6379639d8e4f4ae2ddb0ce3b4d91d57f1fb5960f
diff --git a/velero/block-velero-restore/block-velero-restore.yaml b/velero/block-velero-restore/block-velero-restore.yaml
index 25e516871..12a679e9c 100644
--- a/velero/block-velero-restore/block-velero-restore.yaml
+++ b/velero/block-velero-restore/block-velero-restore.yaml
@@ -13,7 +13,7 @@ metadata:
It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace
then operation fails and warning message is throw.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: false
rules:
- name: block-velero-restore-to-protected-namespace
diff --git a/velero/validate-cron-schedule/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/velero/validate-cron-schedule/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 11afe59c1..26087f9ce 100755
--- a/velero/validate-cron-schedule/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/velero/validate-cron-schedule/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: validate-cron-schedule
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/velero/validate-cron-schedule/artifacthub-pkg.yml b/velero/validate-cron-schedule/artifacthub-pkg.yml
index 077c12914..0dc049d09 100644
--- a/velero/validate-cron-schedule/artifacthub-pkg.yml
+++ b/velero/validate-cron-schedule/artifacthub-pkg.yml
@@ -22,4 +22,4 @@ annotations:
kyverno/category: "Velero"
kyverno/kubernetesVersion: "1.25"
kyverno/subject: "Schedule"
-digest: 68d90c2a50f1f633d184a82ffb9f8713f64100b2d95ae79e11969cba88cf46ae
+digest: d8c1924e3db7b25ae27aa8c2bd6b78b5b56d68653ef9bcdf28aaea308319667a
diff --git a/velero/validate-cron-schedule/validate-cron-schedule.yaml b/velero/validate-cron-schedule/validate-cron-schedule.yaml
index ed8098cc1..08fbf3ae3 100644
--- a/velero/validate-cron-schedule/validate-cron-schedule.yaml
+++ b/velero/validate-cron-schedule/validate-cron-schedule.yaml
@@ -11,7 +11,7 @@ metadata:
operation. This policy validates that the schedule is a valid Cron format.
spec:
background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
rules:
- name: validate-cron
match:
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 9fb95c569..9815bd06a 100755
--- a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,8 @@ kind: ClusterPolicy
metadata:
name: require-run-as-containeruser
status:
- ready: true
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
diff --git a/windows-security/require-run-as-containeruser/artifacthub-pkg.yml b/windows-security/require-run-as-containeruser/artifacthub-pkg.yml
index d11205de7..9d6107379 100644
--- a/windows-security/require-run-as-containeruser/artifacthub-pkg.yml
+++ b/windows-security/require-run-as-containeruser/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
kyverno/category: "Windows Security"
kyverno/kubernetesVersion: "1.22-1.28"
kyverno/subject: "Pod"
-digest: e51c72783f9c92d0ba3337d8e41bb5383b7ce15f583d7e1732ef75d7c1acd811
+digest: 78c7a47122dd89c1289514d16fe3d1a55be44e649ed04fbb9106de02633fa51e
diff --git a/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml b/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
index 547bb2a34..2e26f9a00 100644
--- a/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
+++ b/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
@@ -16,7 +16,7 @@ metadata:
spec.initContainers[*].securityContext.windowsOptions.runAsUserName,
and is either unset or set to ContainerUser.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: require-run-as-containeruser