diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
index d08ffc212..b8ac370d4 100644
--- a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
 digest: 60ad5b4ff51fd28a3411cb5bf421eefd20c8e429b20b7230a7f3540798992a98
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
index 2162df5d0..2958d7d7c 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
 digest: 5cd9385a1a04963b0d35bb97bf96df95c339ddcf50a463a6aa00aab45a1a4a9d
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
index 984a8f285..6124685f3 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
 digest: 00cbb639cdee5eadda13bd1716a853e4f499123790a42da00750c2b180986e5f
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
index 72e568880..59b54b03d 100644
--- a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
 digest: eb0261435598813cea36c9084504a3e06bfe5b467a8b981289d3032bddee83ac
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
index c2cb3bbe6..5eb936de2 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
 digest: f3e7aeef4cf853925df877b30910c5b1d6efc43a0b5d666b87f7f8e56b1fe358
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
index 3153372d3..5191e51a3 100644
--- a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -20,3 +20,4 @@ annotations:
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod,Volume"
 digest: 69616bcd897f10ee6a6ee56e3cafa41157dec57051cfc8173636928537721677
+createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security/restricted/disallow-capabilities-strict/01-enforce.yaml b/pod-security/restricted/disallow-capabilities-strict/01-enforce.yaml
index 53d22e1ed..f69c98a3a 100644
--- a/pod-security/restricted/disallow-capabilities-strict/01-enforce.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/01-enforce.yaml
@@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 - script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml | kubectl create -f -
\ No newline at end of file
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
index 02febf504..38230c9b1 100644
--- a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
+++ b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.22-1.23"
 kyverno/subject: "Pod"
-digest: c9ad4e28dafebe6064adfd1a8256a88ca610b8d0d8aea1b23aa772f06b5d793a
+digest: 6000c5c6e0a0b0f87d67dd9a382a871f301dc2daa02d649abfe9fa14d0bff253
diff --git a/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
index dbc478783..1c4681879 100644
--- a/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
@@ -14,7 +14,7 @@ metadata:
 Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: require-drop-all
diff --git a/pod-security/restricted/disallow-privilege-escalation/01-enforce.yaml b/pod-security/restricted/disallow-privilege-escalation/01-enforce.yaml
index c06e78ab5..66eb851a8 100644
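Review bot: The `sed` in the `script` step cannot tell the caller whether it actually rewrote anything, so if `validationFailureAction` in disallow-capabilities-strict.yaml ever stops matching the literal `Audit` (exactly the kind of drift this commit is repairing), the unmodified Audit-mode policy is piped into `kubectl create` and the step still exits 0, leaving any enforcement assertions that follow running against a policy that only reports. Make the rewrite self-checking before installing it, e.g. `sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml > /tmp/policy.yaml && grep -q 'validationFailureAction: Enforce' /tmp/policy.yaml && kubectl create -f /tmp/policy.yaml`. Every other `01-enforce.yaml` step in this diff uses the same unchecked substitution and would benefit from the same guard. The later steps of this kuttl test are outside the diff, so that they depend on Enforce behaviour is inferred from the file name rather than seen.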
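Review bot: With `validationFailureAction: Audit` this policy only records violations in a PolicyReport and still admits a pod that adds capabilities or fails to drop `ALL`, which sits uneasily next to the description's "is disallowed" wording just above `spec:`; an operator copying the sample gets reporting, not enforcement. Document the default where it is set, e.g. `# Audit only reports violations; switch to Enforce to reject non-compliant pods.` on the line above `validationFailureAction: Audit`, or reword the description to say violations are reported unless the action is Enforce. The capitalised `Audit` matches the values Kyverno documents for this field; if older Kyverno releases accepted only the lowercase spelling, the minimum supported version should be recorded in the policy annotations above this hunk rather than left implicit.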
--- a/pod-security/restricted/disallow-privilege-escalation/01-enforce.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/01-enforce.yaml
@@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 - script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-privilege-escalation.yaml | kubectl create -f -
\ No newline at end of file
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privilege-escalation.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
index 134cae44e..9b91be6b0 100644
--- a/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
+++ b/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.22-1.23"
 kyverno/subject: "Pod"
-digest: e8ce822cc387d097b86c462e1ed2ccc0136395e0c42e0731b722ed31cef9042d
+digest: 896f413ddf85259b6b61515bc6327ea9f6d9b4b76db43dec745cbd16dfcc9974
diff --git a/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
index b06d960a5..cfa501bb9 100644
--- a/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -13,7 +13,7 @@ metadata:
 Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: privilege-escalation
diff --git a/pod-security/restricted/require-run-as-non-root-user/01-enforce.yaml b/pod-security/restricted/require-run-as-non-root-user/01-enforce.yaml
index 6feabf7db..a90bf7620 100644
--- a/pod-security/restricted/require-run-as-non-root-user/01-enforce.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/01-enforce.yaml
@@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 - script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' require-run-as-non-root-user.yaml | kubectl create -f -
\ No newline at end of file
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' require-run-as-non-root-user.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
index e3fb66644..e12508c16 100644
--- a/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
+++ b/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.22-1.23"
 kyverno/subject: "Pod"
-digest: ba2f062dce7055a18dba8f45007cb89575be9e027bbd7c3d4a43115333dfea5d
+digest: 51d4e6bf94bdf4139e904740b241f59d0c6ad82db5d41e34c8384183f60d97ad
diff --git a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
index 5be4515ce..ea9db6f16 100644
--- a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -13,7 +13,7 @@ metadata:
 Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: run-as-non-root-user
diff --git a/pod-security/restricted/require-run-as-nonroot/01-enforce.yaml b/pod-security/restricted/require-run-as-nonroot/01-enforce.yaml
index d9eb9482e..67b1cd924 100644
--- a/pod-security/restricted/require-run-as-nonroot/01-enforce.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/01-enforce.yaml
@@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 - script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' require-run-as-nonroot.yaml | kubectl create -f -
\ No newline at end of file
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' require-run-as-nonroot.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
index c90f47f8d..3adda05ec 100644
--- a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
+++ b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.22-1.23"
 kyverno/subject: "Pod"
-digest: 6b662e81d2e326be2844f05a81ba92a938006514b0d7dd0c15aa2ab526c7077b
+digest: 41b892b201760036c88b6f6763db2e330aa1f5d03064e77ec38d6c6bbc5ff587
diff --git a/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
index cad5c18e8..c20f86e3d 100644
--- a/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
@@ -14,7 +14,7 @@ metadata:
 `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: run-as-non-root
diff --git a/pod-security/restricted/restrict-seccomp-strict/01-enforce.yaml b/pod-security/restricted/restrict-seccomp-strict/01-enforce.yaml
index 4d438a322..88fa037a6 100644
--- a/pod-security/restricted/restrict-seccomp-strict/01-enforce.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/01-enforce.yaml
@@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 - script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-seccomp-strict.yaml | kubectl create -f -
\ No newline at end of file
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-seccomp-strict.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
index e3d7b7795..ccee16dbe 100644
--- a/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
+++ b/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.22-1.23"
 kyverno/subject: "Pod"
-digest: 303a7f45eadad3b128126f5ae05dd2e9c3a24279034d6b89051127e4f7c39322
+digest: ccde04c25c74488da3ef02e15a4185c8b34218e817b8976d0536cdfb05b912f4
diff --git a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
index 4c9a83d20..10b593082 100644
--- a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -17,7 +17,7 @@ metadata:
 using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
 background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
 rules:
 - name: check-seccomp-strict
 match:
diff --git a/pod-security/restricted/restrict-volume-types/01-enforce.yaml b/pod-security/restricted/restrict-volume-types/01-enforce.yaml
index 92ff83731..13a3780dc 100644
--- a/pod-security/restricted/restrict-volume-types/01-enforce.yaml
+++ b/pod-security/restricted/restrict-volume-types/01-enforce.yaml
@@ -2,6 +2,6 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 - script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-volume-types.yaml | kubectl create -f -
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-volume-types.yaml | kubectl create -f -
 apply:
 - ns.yaml
\ No newline at end of file
diff --git a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
index d7b90f513..549fa020c 100644
--- a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
+++ b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.22-1.23"
 kyverno/subject: "Pod,Volume"
-digest: f050ec83c6176c4124cb678418bba7326d9885bd23ee9669e19761d8ec8a0cf2
+digest: 66179d39a81d5c556ff011609a38509aa579a8cb7f63fbf241579f327052ee05
diff --git a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
index fb8fd35d9..21f3b719a 100644
--- a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
+++ b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
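Review bot: This policy orders its spec keys as `background: true` followed by `validationFailureAction: Audit`, the reverse of the other five `pod-security/restricted` policies touched in this diff, which all put `validationFailureAction` first. Mapping order carries no meaning to Kyverno, but these sample policies are read side by side and diffed against each other, so move `validationFailureAction: Audit` above `background: true` to keep the layout uniform. The rest of `spec` (the `match` block and rule body) continues below the hunk, so nothing further can be checked for consistency here.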
@@ -15,7 +15,7 @@ metadata:
 limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: restricted-volumes
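Review bot: The description in this hunk says "This policy blocks any other type of volume other than those in the allow list", yet two lines below it sets `validationFailureAction: Audit`, under which Kyverno reports the violation and still admits the pod; a reader trusting the text would believe volume types outside the list are rejected when, as shipped, they are only logged. Reword the description to match the shipped behaviour, e.g. `This policy reports, or with validationFailureAction set to Enforce rejects, any volume type other than those in the allow list.`, or add `# Audit only reports violations; set to Enforce to reject non-compliant pods.` above the key. The allow list itself lives in the rule body below the hunk, so which volume types are permitted cannot be confirmed from here.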