From 9e6408315dc22350e0b513885539403cb787d6d9 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 8 Jul 2024 09:46:58 +0200
Subject: [PATCH] deps: Update policies, kubectl image (#478)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Víctor Cuadrado Juan
Co-authored-by: Kubewarden bot
Co-authored-by: Víctor Cuadrado Juan
---
 charts/kubewarden-controller/values.yaml | 2 +-
 charts/kubewarden-defaults/questions.yaml | 14 ++++++++++++++
 charts/kubewarden-defaults/values.yaml | 3 ++-
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
index 8eb1ce13..00a49f0b 100644
--- a/charts/kubewarden-controller/values.yaml
+++ b/charts/kubewarden-controller/values.yaml
@@ -107,7 +107,7 @@ preDeleteJob:
 # The registry is defined in the global.cattle.systemDefaultRegistry value
 # kubectl image to be used in the pre-delete helm hook
 repository: "kubewarden/kubectl"
- tag: v1.27.15
+ tag: v1.30.2
 # kubewarden-controller deployment settings:
 podAnnotations: {}
 nodeSelector: {}
diff --git a/charts/kubewarden-defaults/questions.yaml b/charts/kubewarden-defaults/questions.yaml
index 7fe37bbe..faeb5342 100644
--- a/charts/kubewarden-defaults/questions.yaml
+++ b/charts/kubewarden-defaults/questions.yaml
@@ -324,6 +324,20 @@ questions:
 # tooltip: Maxium UID or GID
 # type: int
 # variable: max
+ # - variable: recommendedPolicies.userGroupPolicy.settings.validate_container_image_configuration
+ # default: false
+ # tooltip: Validate the USER directive in the container image
+ # label: Validate container image configuration
+ # description: >-
+ # Validate the USER directive in the container image. If set to true, the
+ # policy will enforce the same rules as MustRunAs and MustRunAsNonRoot for
+ # the run_as_user. And checks if the group of the USER directive is in the
+ # run_as_group range. The user and group should be defined as uid and gid.
+ # Container image validation is skipped if the container image is a Windows
+ # container. And user and groups names are not allowed.
+ # required: false
+ # type: boolean
 # # do-not-share-host-paths policy settings
 # # TODO sequence[ is not implemented in rancher/dashboard yet: https://github.com/rancher/dashboard/issues/10826
diff --git a/charts/kubewarden-defaults/values.yaml b/charts/kubewarden-defaults/values.yaml
index 715af7b2..437ea18e 100644
--- a/charts/kubewarden-defaults/values.yaml
+++ b/charts/kubewarden-defaults/values.yaml
@@ -157,7 +157,7 @@ recommendedPolicies:
 userGroupPolicy:
 module:
 repository: "kubewarden/policies/user-group-psp"
- tag: v0.5.0
+ tag: v0.6.0
 name: "do-not-run-as-root"
 settings:
 run_as_user:
@@ -166,6 +166,7 @@ recommendedPolicies:
 rule: "RunAsAny"
 supplemental_groups:
 rule: "RunAsAny"
+ "validate_container_image_configuration": true
 hostPathsPolicy:
 module:
 repository: "kubewarden/policies/hostpaths-psp"
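Review bot: The new `"validate_container_image_configuration": true` in the `-166,6` hunk of charts/kubewarden-defaults/values.yaml enables a default that, per the description this same patch adds to questions.yaml, rejects workloads whose image sets `USER` by name rather than numeric uid/gid and is skipped for Windows images, yet nothing next to the value says so where chart users will read it. The key is also the only quoted one in the `settings:` mapping, so I would write it plain and document the behavioural change in place: `# Also check the image's USER directive against run_as_user/run_as_group (numeric uid:gid only; names are rejected, Windows images skipped) — set to false if existing workloads break` followed by `validate_container_image_configuration: true`. Inspecting image configuration presumably requires the policy-server to fetch image metadata from the registry at admission time, so private, mirrored or air-gapped registries may need matching registry credentials and source configuration on the policy-server — worth confirming against the v0.6.0 policy and calling out in the chart README, since a fetch failure would surface as an admission failure rather than a skipped check. The `run_as_user` rule that this validation enforces sits above the hunk and is not visible here.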