From f5a97a8d16a78f1bc8bb686ad3269bdd47e6513a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Mon, 10 Jul 2023 11:39:05 +0200 Subject: [PATCH 01/12] deps: Bump default policies versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These have severity and category annotations. Signed-off-by: Víctor Cuadrado Juan --- charts/kubewarden-defaults/chart-values.yaml | 12 ++++++------ charts/kubewarden-defaults/values.yaml | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/charts/kubewarden-defaults/chart-values.yaml b/charts/kubewarden-defaults/chart-values.yaml index af2fd299..92b2de5a 100644 --- a/charts/kubewarden-defaults/chart-values.yaml +++ b/charts/kubewarden-defaults/chart-values.yaml @@ -70,25 +70,25 @@ recommendedPolicies: skipAdditionalNamespaces: [] defaultPolicyMode: "monitor" allowPrivilegeEscalationPolicy: - module: "kubewarden/policies/allow-privilege-escalation-psp:v0.2.5" + module: "kubewarden/policies/allow-privilege-escalation-psp:v0.2.6" name: "no-privilege-escalation" hostNamespacePolicy: - module: "kubewarden/policies/host-namespaces-psp:v0.1.5" + module: "kubewarden/policies/host-namespaces-psp:v0.1.6" name: "no-host-namespace-sharing" podPrivilegedPolicy: - module: "kubewarden/policies/pod-privileged:v0.2.5" + module: "kubewarden/policies/pod-privileged:v0.2.7" name: "no-privileged-pod" userGroupPolicy: - module: "kubewarden/policies/user-group-psp:v0.4.7" + module: "kubewarden/policies/user-group-psp:v0.4.9" name: "do-not-run-as-root" hostPathsPolicy: - module: "kubewarden/policies/hostpaths-psp:v0.1.8" + module: "kubewarden/policies/hostpaths-psp:v0.1.9" name: "do-not-share-host-paths" paths: - pathPrefix: "/tmp" readOnly: true capabilitiesPolicy: - module: "kubewarden/policies/capabilities-psp:v0.1.11" + module: "kubewarden/policies/capabilities-psp:v0.1.13" name: "drop-capabilities" allowed_capabilities: [] required_drop_capabilities: 
diff --git a/charts/kubewarden-defaults/values.yaml b/charts/kubewarden-defaults/values.yaml index e09423d9..4e81b50c 100644 --- a/charts/kubewarden-defaults/values.yaml +++ b/charts/kubewarden-defaults/values.yaml @@ -106,25 +106,25 @@ recommendedPolicies: skipAdditionalNamespaces: [] defaultPolicyMode: "monitor" allowPrivilegeEscalationPolicy: - module: "kubewarden/policies/allow-privilege-escalation-psp:v0.2.5" + module: "kubewarden/policies/allow-privilege-escalation-psp:v0.2.6" name: "no-privilege-escalation" hostNamespacePolicy: - module: "kubewarden/policies/host-namespaces-psp:v0.1.5" + module: "kubewarden/policies/host-namespaces-psp:v0.1.6" name: "no-host-namespace-sharing" podPrivilegedPolicy: - module: "kubewarden/policies/pod-privileged:v0.2.5" + module: "kubewarden/policies/pod-privileged:v0.2.7" name: "no-privileged-pod" userGroupPolicy: - module: "kubewarden/policies/user-group-psp:v0.4.7" + module: "kubewarden/policies/user-group-psp:v0.4.9" name: "do-not-run-as-root" hostPathsPolicy: - module: "kubewarden/policies/hostpaths-psp:v0.1.8" + module: "kubewarden/policies/hostpaths-psp:v0.1.9" name: "do-not-share-host-paths" paths: - pathPrefix: "/tmp" readOnly: true capabilitiesPolicy: - module: "kubewarden/policies/capabilities-psp:v0.1.11" + module: "kubewarden/policies/capabilities-psp:v0.1.13" name: "drop-capabilities" allowed_capabilities: [] required_drop_capabilities: From 1cdac0c07da26042dca5ae31157c209ef8301fad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Tue, 11 Jul 2023 15:57:03 +0200 Subject: [PATCH 02/12] refactor: Rename to installPolicyReportCRDs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- charts/kubewarden-crds/chart-values.yaml | 7 +++---- charts/kubewarden-crds/values.yaml | 7 +++---- 2 files changed, 6 insertions(+), 8 deletions(-) 
diff --git a/charts/kubewarden-crds/chart-values.yaml b/charts/kubewarden-crds/chart-values.yaml
index be6cc71d..26cd27d2 100644
--- a/charts/kubewarden-crds/chart-values.yaml
+++ b/charts/kubewarden-crds/chart-values.yaml
@@ -1,4 +1,3 @@
-policyReports:
- # deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
- # Set to false if they are already in the cluster
- enable: true
+# deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
+# Set to false if they are already in the cluster
+installPolicyReportCRDs: true
diff --git a/charts/kubewarden-crds/values.yaml b/charts/kubewarden-crds/values.yaml
index 9de7d127..0c4784e4 100644
--- a/charts/kubewarden-crds/values.yaml
+++ b/charts/kubewarden-crds/values.yaml
@@ -1,6 +1,5 @@
 # This file was autogenerated.
-policyReports:
- # deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
- # Set to false if they are already in the cluster
- enable: true
+# deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
+# Set to false if they are already in the cluster
+installPolicyReportCRDs: true
From 8120af71f9ba7d8236c19671f63b331591874a4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Tue, 11 Jul 2023 16:38:22 +0200 Subject: [PATCH 03/12] refactor: Drop experimental for auditScanner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan
---
 .../kubewarden-controller/chart-values.yaml | 44 +++++++++---------- .../templates/_helpers.tpl | 2 +- .../templates/cronjob.yaml | 16 +++---- .../kubewarden-controller/templates/rbac.yaml | 8 ++-- .../templates/serviceaccount.yaml | 4 +- charts/kubewarden-controller/values.yaml | 44 +++++++++---------- 6 files changed, 57 insertions(+), 61 deletions(-)
diff --git a/charts/kubewarden-controller/chart-values.yaml b/charts/kubewarden-controller/chart-values.yaml
index c0bd9b39..3755ba19 100644
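Review bot: The rename leaves the templates reading the old key: `clusterpolicyreports.yaml` and `policyreports.yaml` still evaluate `.Values.policyReports.enable` until PATCH 09 switches them to `.Values.installPolicyReportCRDs`, so at this commit `policyReports` is no longer defined in values and the chart fails to render (nil pointer evaluating `.enable`); the template change belongs in this commit. Users carrying `policyReports: {enable: false}` in their own values — the documented case for CRDs that already exist in the cluster — also lose that setting silently, because the new key defaults to `true` and the stale key is simply ignored, so the chart would try to create CRDs that are already there. Consider failing loudly in one of the CRD templates: `{{- if hasKey .Values "policyReports" }}{{ fail "policyReports.enable was renamed to installPolicyReportCRDs" }}{{- end }}`. The same applies to the values.yaml hunk of this patch.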
--- a/charts/kubewarden-controller/chart-values.yaml
+++ b/charts/kubewarden-controller/chart-values.yaml
@@ -87,26 +87,24 @@ resources:
 requests:
 cpu: 250m
 memory: 50Mi
-# experimental Kubewarden features. These features are not recommended for
-# production yet, and are not covered by SemVer guarantees.
-experimental:
- auditScanner:
- enable: false
- # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
- # - view: Allows read-only access to most objects in a namespace.
- # Does not allow viewing secrets, roles or role bindings.
- # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources
- # and PolicyReports
- serviceAccountName: audit-scanner
- image:
- # The registry is defined in the common.cattle.systemDefaultRegistry value
- # kubectl image to be used in the pre-delete helm hook
- repository: "kubewarden/audit-scanner"
- tag: "latest"
- pullPolicy: IfNotPresent
- cronJob:
- schedule: "*/60 * * * *" # every 60 minutes
- failedJobsHistoryLimit: 5
- successfulJobsHistoryLimit: 3
- containerRestartPolicy: Never
- skipAdditionalNamespaces: []
+
+auditScanner:
+ enable: false
+ # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
+ # - view: Allows read-only access to most objects in a namespace.
+ # Does not allow viewing secrets, roles or role bindings.
+ # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources
+ # and PolicyReports
+ serviceAccountName: audit-scanner
+ image:
+ # The registry is defined in the common.cattle.systemDefaultRegistry value
+ # kubectl image to be used in the pre-delete helm hook
+ repository: "kubewarden/audit-scanner"
+ tag: "latest"
+ pullPolicy: IfNotPresent
+ cronJob:
+ schedule: "*/60 * * * *" # every 60 minutes
+ failedJobsHistoryLimit: 5
+ successfulJobsHistoryLimit: 3
+ containerRestartPolicy: Never
+ skipAdditionalNamespaces: []
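Review bot: Dropping the `experimental.` prefix silently invalidates any override a user already has under `experimental.auditScanner`: after this patch the templates only read `.Values.auditScanner`, so a stale `enable: true` leaves the scanner off and a stale `skipAdditionalNamespaces` list is ignored, meaning namespaces the operator meant to exclude get scanned. Add a guard that fails the render on the old key, e.g. at the top of `cronjob.yaml` before the `enable` check: `{{- if hasKey .Values "experimental" }}{{ fail "experimental.auditScanner has moved to auditScanner" }}{{- end }}`, or at least a migration note in a comment above `auditScanner:`. The comment `# kubectl image to be used in the pre-delete helm hook` is carried over onto `repository: "kubewarden/audit-scanner"`, but this is the image the CronJob in `cronjob.yaml` runs, not a kubectl hook image; replace it with `# Image of the audit-scanner that the CronJob runs`. The same stale comment sits in the values.yaml hunk of this patch.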
diff --git a/charts/kubewarden-controller/templates/_helpers.tpl b/charts/kubewarden-controller/templates/_helpers.tpl index 36b91287..2a2d267f 100644 --- a/charts/kubewarden-controller/templates/_helpers.tpl +++ b/charts/kubewarden-controller/templates/_helpers.tpl @@ -104,7 +104,7 @@ Create the name of the service account to use for kubewarden-controller {{- range .Values.global.skipNamespaces }} - {{ printf "-i %s" . }} {{- end -}} -{{- range .Values.experimental.auditScanner.skipAdditionalNamespaces }} +{{- range .Values.auditScanner.skipAdditionalNamespaces }} - {{ printf "-i %s" . }} {{- end -}} {{- end -}} diff --git a/charts/kubewarden-controller/templates/cronjob.yaml b/charts/kubewarden-controller/templates/cronjob.yaml index 325e7a08..127a510f 100644 --- a/charts/kubewarden-controller/templates/cronjob.yaml +++ b/charts/kubewarden-controller/templates/cronjob.yaml @@ -1,4 +1,4 @@ -{{- if .Values.experimental.auditScanner.enable }} +{{- if .Values.auditScanner.enable }} apiVersion: batch/v1 kind: CronJob metadata: @@ -9,15 +9,15 @@ metadata: annotations: {{- include "kubewarden-controller.annotations" . | nindent 4 }} spec: - schedule: {{ .Values.experimental.auditScanner.cronJob.schedule | quote }} + schedule: {{ .Values.auditScanner.cronJob.schedule | quote }} concurrencyPolicy: Forbid - failedJobsHistoryLimit: {{ .Values.experimental.auditScanner.cronJob.failedJobsHistoryLimit }} - successfulJobsHistoryLimit: {{ .Values.experimental.auditScanner.cronJob.successfulJobsHistoryLimit }} + failedJobsHistoryLimit: {{ .Values.auditScanner.cronJob.failedJobsHistoryLimit }} + successfulJobsHistoryLimit: {{ .Values.auditScanner.cronJob.successfulJobsHistoryLimit }} jobTemplate: spec: template: spec: - serviceAccountName: {{ .Values.experimental.auditScanner.serviceAccountName }} + serviceAccountName: {{ .Values.auditScanner.serviceAccountName }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 12 }} 
@@ -26,11 +26,11 @@ spec: imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 12 }} {{- end }} - restartPolicy: {{ .Values.experimental.auditScanner.containerRestartPolicy }} + restartPolicy: {{ .Values.auditScanner.containerRestartPolicy }} containers: - name: audit-scanner - image: '{{ template "system_default_registry" . }}{{ .Values.experimental.auditScanner.image.repository }}:{{ .Values.experimental.auditScanner.image.tag }}' - imagePullPolicy: {{ .Values.experimental.auditScanner.image.pullPolicy }} + image: '{{ template "system_default_registry" . }}{{ .Values.auditScanner.image.repository }}:{{ .Values.auditScanner.image.tag }}' + imagePullPolicy: {{ .Values.auditScanner.image.pullPolicy }} command: {{- include "audit-scanner.command" . | nindent 14 -}} {{- with .Values.containerSecurityContext }} diff --git a/charts/kubewarden-controller/templates/rbac.yaml b/charts/kubewarden-controller/templates/rbac.yaml index 23c5c5da..3e472acf 100644 --- a/charts/kubewarden-controller/templates/rbac.yaml +++ b/charts/kubewarden-controller/templates/rbac.yaml @@ -204,7 +204,7 @@ rules: - subjectaccessreviews verbs: - create -{{- if eq .Values.experimental.auditScanner.serviceAccountName "audit-scanner" }} +{{- if eq .Values.auditScanner.serviceAccountName "audit-scanner" }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -312,7 +312,7 @@ subjects: - kind: ServiceAccount name: {{ include "kubewarden-controller.serviceAccountName" . }} namespace: {{ .Release.Namespace }} -{{- if eq .Values.experimental.auditScanner.serviceAccountName "audit-scanner" }} +{{- if eq .Values.auditScanner.serviceAccountName "audit-scanner" }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -328,7 +328,7 @@ roleRef: name: view subjects: - kind: ServiceAccount - name: {{ .Values.experimental.auditScanner.serviceAccountName }} + name: {{ .Values.auditScanner.serviceAccountName }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -345,6 +345,6 @@ roleRef: name: audit-scanner-cluster-role subjects: - kind: ServiceAccount - name: {{ .Values.experimental.auditScanner.serviceAccountName }} + name: {{ .Values.auditScanner.serviceAccountName }} namespace: {{ .Release.Namespace }} {{ end }} diff --git a/charts/kubewarden-controller/templates/serviceaccount.yaml b/charts/kubewarden-controller/templates/serviceaccount.yaml index 06aea74e..5386c31e 100644 --- a/charts/kubewarden-controller/templates/serviceaccount.yaml +++ b/charts/kubewarden-controller/templates/serviceaccount.yaml @@ -8,12 +8,12 @@ metadata: annotations: {{- include "kubewarden-controller.annotations" . | nindent 4 }} -{{- if eq .Values.experimental.auditScanner.serviceAccountName "audit-scanner" }} +{{- if eq .Values.auditScanner.serviceAccountName "audit-scanner" }} --- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.experimental.auditScanner.serviceAccountName }} + name: {{ .Values.auditScanner.serviceAccountName }} namespace: {{ .Release.Namespace }} labels: {{- include "kubewarden-controller.labels" . | nindent 4 }} diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml index 8d8b2165..c1d0ec10 100644 --- a/charts/kubewarden-controller/values.yaml +++ b/charts/kubewarden-controller/values.yaml 
@@ -123,26 +123,24 @@ resources: requests: cpu: 250m memory: 50Mi -# experimental Kubewarden features. These features are not recommended for -# production yet, and are not covered by SemVer guarantees. -experimental: - auditScanner: - enable: false - # The default audit-scanner ServiceAccount is bound to the ClusterRoles: - # - view: Allows read-only access to most objects in a namespace. - # Does not allow viewing secrets, roles or role bindings. - # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources - # and PolicyReports - serviceAccountName: audit-scanner - image: - # The registry is defined in the common.cattle.systemDefaultRegistry value - # kubectl image to be used in the pre-delete helm hook - repository: "kubewarden/audit-scanner" - tag: "latest" - pullPolicy: IfNotPresent - cronJob: - schedule: "*/60 * * * *" # every 60 minutes - failedJobsHistoryLimit: 5 - successfulJobsHistoryLimit: 3 - containerRestartPolicy: Never - skipAdditionalNamespaces: [] + +auditScanner: + enable: false + # The default audit-scanner ServiceAccount is bound to the ClusterRoles: + # - view: Allows read-only access to most objects in a namespace. + # Does not allow viewing secrets, roles or role bindings. + # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources + # and PolicyReports + serviceAccountName: audit-scanner + image: + # The registry is defined in the common.cattle.systemDefaultRegistry value + # kubectl image to be used in the pre-delete helm hook + repository: "kubewarden/audit-scanner" + tag: "latest" + pullPolicy: IfNotPresent + cronJob: + schedule: "*/60 * * * *" # every 60 minutes + failedJobsHistoryLimit: 5 + successfulJobsHistoryLimit: 3 + containerRestartPolicy: Never + skipAdditionalNamespaces: [] From 8f28a952f14ae0845fd684550453776c03485b3f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Tue, 11 Jul 2023 16:41:27 +0200 Subject: [PATCH 04/12] feat: Add questions.yaml for kubewarden-controller MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- charts/kubewarden-controller/questions.yaml | 51 +++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 charts/kubewarden-controller/questions.yaml diff --git a/charts/kubewarden-controller/questions.yaml b/charts/kubewarden-controller/questions.yaml new file mode 100644 index 00000000..a46c1428 --- /dev/null +++ b/charts/kubewarden-controller/questions.yaml 
@@ -0,0 +1,51 @@
+# This is a Rancher questions file
+---
+questions:
+- variable: "auditScanner.enable"
+ type: boolean
+ default: false
+ required: true
+ label: Enable Background Audit check
+ description: |
+ The Background Audit Check looks at existing Kubernetes resources and
+ periodically determines whether they are still compliant with regards to the
+ policies that are currently defined.
+ group: "Features"
+- variable: "auditScanner.cronJob.schedule"
+ type: string
+ default: "*/60 * * * *"
+ show_if: auditScanner.enable=true
+ label: Schedule
+ description: |
+ Schedule of the Background Audit check. Follows the Unix-cron syntax.
+ group: "Features"
+- variable: "auditScanner.serviceAccountName"
+ type: string
+ default: "audit-scanner"
+ show_if: auditScanner.enable=true
+ label: ServiceAccount name
+ description: |
+ The default audit-scanner ServiceAccount is bound to the ClusterRoles
+ "view" (allows read-only access to most objects in a namespace, does not
+ allow viewing secrets, roles or role bindings), and "audit-scanner-cluster-role"
+ (allows read-write to Kubewarden resources and PolicyReports).
+ group: "Features"
+- variable: tls.source
+ default: "cert-manager-self-signed"
+ description: "Source for TLS certificates"
+ label: TLS certificates source
+ type: enum
+ options:
+ - "cert-manager-self-signed"
+ - "cert-manager"
+ show_subquestion_if: "cert-manager"
+ group: "TLS"
+ subquestions:
+ - variable: "tls.certManagerIssuerName"
+ type: string
+ default: ""
+ label: cert-manager Issuer name
+ description: |
+ Name of cert-manager Issuer
+ group: "TLS"
+ show_if: "tls.source=cert-manager"
From cbcbbec155915b2ef5d8646a3d5aad46e4a63864 Mon Sep 17 00:00:00 2001
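Review bot: The `auditScanner.serviceAccountName` description explains what the default ServiceAccount is bound to but not what happens when the name is changed: `serviceaccount.yaml` and `rbac.yaml` (PATCH 03) only create the ServiceAccount and its ClusterRoleBindings when the value equals `"audit-scanner"`, so a user editing this field in the Rancher UI ends up with a CronJob referencing a ServiceAccount the chart never creates, and the audit pods cannot start until they provide one with equivalent permissions. Add to that description: `If you change this name, the chart does not create the ServiceAccount nor its ClusterRoleBindings; create them yourself with equivalent permissions.` Style point: `show_if: auditScanner.enable=true` appears twice unquoted while `show_if: "tls.source=cert-manager"` is quoted; quote all three the same way.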
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= <2196685+viccuad@users.noreply.github.com> Date: Wed, 12 Jul 2023 10:40:16 +0200 Subject: [PATCH 05/12] Update charts/kubewarden-crds/chart-values.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Flavio Castelli Signed-off-by: Víctor Cuadrado Juan <2196685+viccuad@users.noreply.github.com> --- charts/kubewarden-crds/chart-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kubewarden-crds/chart-values.yaml b/charts/kubewarden-crds/chart-values.yaml index 26cd27d2..8f34434e 100644 --- a/charts/kubewarden-crds/chart-values.yaml +++ b/charts/kubewarden-crds/chart-values.yaml @@ -1,3 +1,3 @@ # deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs -# Set to false if they are already in the cluster +# Set to false if they are already defined inside of the cluster installPolicyReportCRDs: true From ab9c58aa3ceb97c005dbbe3afec8b67efe3ebbef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= <2196685+viccuad@users.noreply.github.com> Date: Wed, 12 Jul 2023 10:40:23 +0200 Subject: [PATCH 06/12] Update charts/kubewarden-crds/values.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Flavio Castelli Signed-off-by: Víctor Cuadrado Juan <2196685+viccuad@users.noreply.github.com> --- charts/kubewarden-crds/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kubewarden-crds/values.yaml b/charts/kubewarden-crds/values.yaml index 0c4784e4..59da2b89 100644 --- a/charts/kubewarden-crds/values.yaml +++ b/charts/kubewarden-crds/values.yaml @@ -1,5 +1,5 @@ # This file was autogenerated. # deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs -# Set to false if they are already in the cluster +# Set to false if they are already defined inside of the cluster installPolicyReportCRDs: true 
From 00a2659a12ec0b7dafdcbf76eebf90679fee4295 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Wed, 12 Jul 2023 10:49:59 +0200 Subject: [PATCH 07/12] docs: document skipAdditionalNamespaces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- charts/kubewarden-controller/chart-values.yaml | 1 + charts/kubewarden-controller/values.yaml | 1 + charts/kubewarden-defaults/chart-values.yaml | 1 + charts/kubewarden-defaults/values.yaml | 1 + 4 files changed, 4 insertions(+) diff --git a/charts/kubewarden-controller/chart-values.yaml b/charts/kubewarden-controller/chart-values.yaml index 3755ba19..8b41a7b8 100644 --- a/charts/kubewarden-controller/chart-values.yaml +++ b/charts/kubewarden-controller/chart-values.yaml @@ -107,4 +107,5 @@ auditScanner: failedJobsHistoryLimit: 5 successfulJobsHistoryLimit: 3 containerRestartPolicy: Never + # Additional namespaces that the audit scanner will scan: skipAdditionalNamespaces: [] diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml index c1d0ec10..75e43771 100644 --- a/charts/kubewarden-controller/values.yaml +++ b/charts/kubewarden-controller/values.yaml @@ -143,4 +143,5 @@ auditScanner: failedJobsHistoryLimit: 5 successfulJobsHistoryLimit: 3 containerRestartPolicy: Never + # Additional namespaces that the audit scanner will scan: skipAdditionalNamespaces: [] diff --git a/charts/kubewarden-defaults/chart-values.yaml b/charts/kubewarden-defaults/chart-values.yaml index 92b2de5a..fe1b1d78 100644 --- a/charts/kubewarden-defaults/chart-values.yaml +++ b/charts/kubewarden-defaults/chart-values.yaml 
@@ -67,6 +67,7 @@ recommendedPolicies: # not support OCI artifacts. # If this field is not defined, the systemDefaultRegistry is used by default. defaultPoliciesRegistry: "" + # Additional namespaces that recommended policies will not apply to: skipAdditionalNamespaces: [] defaultPolicyMode: "monitor" allowPrivilegeEscalationPolicy: diff --git a/charts/kubewarden-defaults/values.yaml b/charts/kubewarden-defaults/values.yaml index 4e81b50c..898c85d7 100644 --- a/charts/kubewarden-defaults/values.yaml +++ b/charts/kubewarden-defaults/values.yaml @@ -103,6 +103,7 @@ recommendedPolicies: # not support OCI artifacts. # If this field is not defined, the systemDefaultRegistry is used by default. defaultPoliciesRegistry: "" + # Additional namespaces that recommended policies will not apply to: skipAdditionalNamespaces: [] defaultPolicyMode: "monitor" allowPrivilegeEscalationPolicy: From f7e5301d0b16566dc5e3f3d0468aa5fd0b5726ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Wed, 12 Jul 2023 10:52:56 +0200 Subject: [PATCH 08/12] review: Rename questions section to Certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- charts/kubewarden-controller/questions.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/kubewarden-controller/questions.yaml b/charts/kubewarden-controller/questions.yaml index a46c1428..4d9433ff 100644 --- a/charts/kubewarden-controller/questions.yaml +++ b/charts/kubewarden-controller/questions.yaml @@ -39,7 +39,7 @@ questions: - "cert-manager-self-signed" - "cert-manager" show_subquestion_if: "cert-manager" - group: "TLS" + group: "Certificates" subquestions: - variable: "tls.certManagerIssuerName" type: string @@ -47,5 +47,5 @@ questions: label: cert-manager Issuer name description: | Name of cert-manager Issuer - group: "TLS" + group: "Certificates" show_if: "tls.source=cert-manager" 
From c1c85e652623140e0b99857757688fac1e059901 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Wed, 12 Jul 2023 10:54:42 +0200 Subject: [PATCH 09/12] Correctly consume installPolicyReportCRDs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan
---
 charts/kubewarden-crds/templates/clusterpolicyreports.yaml | 2 +- charts/kubewarden-crds/templates/policyreports.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/kubewarden-crds/templates/clusterpolicyreports.yaml b/charts/kubewarden-crds/templates/clusterpolicyreports.yaml
index 8c3a15d7..932a3b8d 100644
--- a/charts/kubewarden-crds/templates/clusterpolicyreports.yaml
+++ b/charts/kubewarden-crds/templates/clusterpolicyreports.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.policyReports.enable }}
+{{- if .Values.installPolicyReportCRDs }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
diff --git a/charts/kubewarden-crds/templates/policyreports.yaml b/charts/kubewarden-crds/templates/policyreports.yaml
index e31cad56..c24850ae 100644
--- a/charts/kubewarden-crds/templates/policyreports.yaml
+++ b/charts/kubewarden-crds/templates/policyreports.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.policyReports.enable }}
+{{- if .Values.installPolicyReportCRDs }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
From 81852ae8458c73572d0f605ae2f3e89f77bb2784 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Wed, 12 Jul 2023 10:56:07 +0200 Subject: [PATCH 10/12] deps: Consume audit-scanner v0.1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan
---
 charts/kubewarden-controller/chart-values.yaml | 2 +- charts/kubewarden-controller/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/kubewarden-controller/chart-values.yaml b/charts/kubewarden-controller/chart-values.yaml index 8b41a7b8..20f9926d 100644 --- a/charts/kubewarden-controller/chart-values.yaml +++ b/charts/kubewarden-controller/chart-values.yaml @@ -100,7 +100,7 @@ auditScanner: # The registry is defined in the common.cattle.systemDefaultRegistry value # kubectl image to be used in the pre-delete helm hook repository: "kubewarden/audit-scanner" - tag: "latest" + tag: "v0.1.0" pullPolicy: IfNotPresent cronJob: schedule: "*/60 * * * *" # every 60 minutes diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml index 75e43771..fefed5f3 100644 --- a/charts/kubewarden-controller/values.yaml +++ b/charts/kubewarden-controller/values.yaml @@ -136,7 +136,7 @@ auditScanner: # The registry is defined in the common.cattle.systemDefaultRegistry value # kubectl image to be used in the pre-delete helm hook repository: "kubewarden/audit-scanner" - tag: "latest" + tag: "v0.1.0" pullPolicy: IfNotPresent cronJob: schedule: "*/60 * * * *" # every 60 minutes From 5b82a397ca1b5cf4b6d663596f70ab6de9ff2015 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Wed, 12 Jul 2023 15:33:02 +0200 Subject: [PATCH 11/12] review: Fix comment wording for skipAdditionalNamespaces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- charts/kubewarden-controller/chart-values.yaml | 2 +- charts/kubewarden-controller/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/kubewarden-controller/chart-values.yaml b/charts/kubewarden-controller/chart-values.yaml index 20f9926d..242cba05 100644 --- a/charts/kubewarden-controller/chart-values.yaml +++ b/charts/kubewarden-controller/chart-values.yaml 
@@ -107,5 +107,5 @@ auditScanner: failedJobsHistoryLimit: 5 successfulJobsHistoryLimit: 3 containerRestartPolicy: Never - # Additional namespaces that the audit scanner will scan: + # Additional namespaces that the audit scanner will not scan: skipAdditionalNamespaces: [] diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml index fefed5f3..8c581a2c 100644 --- a/charts/kubewarden-controller/values.yaml +++ b/charts/kubewarden-controller/values.yaml @@ -143,5 +143,5 @@ auditScanner: failedJobsHistoryLimit: 5 successfulJobsHistoryLimit: 3 containerRestartPolicy: Never - # Additional namespaces that the audit scanner will scan: + # Additional namespaces that the audit scanner will not scan: skipAdditionalNamespaces: [] From 9aacc6138b4741c99b091762f30c8fefcc0b4807 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Wed, 12 Jul 2023 16:19:06 +0200 Subject: [PATCH 12/12] deps: Consume audit-scanner v1.7.0-rc1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- charts/kubewarden-controller/chart-values.yaml | 2 +- charts/kubewarden-controller/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/kubewarden-controller/chart-values.yaml b/charts/kubewarden-controller/chart-values.yaml index 242cba05..a8833a64 100644 --- a/charts/kubewarden-controller/chart-values.yaml +++ b/charts/kubewarden-controller/chart-values.yaml @@ -100,7 +100,7 @@ auditScanner: # The registry is defined in the common.cattle.systemDefaultRegistry value # kubectl image to be used in the pre-delete helm hook repository: "kubewarden/audit-scanner" - tag: "v0.1.0" + tag: "v1.7.0-rc1" pullPolicy: IfNotPresent cronJob: schedule: "*/60 * * * *" # every 60 minutes diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml index 8c581a2c..f72f816c 100644 
--- a/charts/kubewarden-controller/values.yaml +++ b/charts/kubewarden-controller/values.yaml @@ -136,7 +136,7 @@ auditScanner: # The registry is defined in the common.cattle.systemDefaultRegistry value # kubectl image to be used in the pre-delete helm hook repository: "kubewarden/audit-scanner" - tag: "v0.1.0" + tag: "v1.7.0-rc1" pullPolicy: IfNotPresent cronJob: schedule: "*/60 * * * *" # every 60 minutes