chore: add script to update artifacthub digest (#769)

* chore: add script to update artifacthub digest

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* fix

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* script

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* install

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* install

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* fix digest

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

---------

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

.github/workflows/ci.yml

@@ -23,70 +23,20 @@ jobs:
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           path: policies
-
       - name: Validate all policies
-        run: |
-          #!/bin/bash
-          set -euo pipefail
-
-          # Loop through each policy directory in the repository
-          for policy_dir in $(find "$GITHUB_WORKSPACE" -type d ! -name '.*' ! -path '*/\.*'); do
-            # Skip the root directory
-            if [[ "$policy_dir" == "$GITHUB_WORKSPACE" ]]; then
-              continue
-            fi
-
-            # Skip directories that contain subdirectories
-            if find "$policy_dir" -mindepth 1 -type d -print -quit | read; then
-              # If it does, skip the filename validation
-              continue
-            fi
-
-            # Get the name of the directory
-            dir_name=$(basename "$policy_dir")
-
-            # Skip if it is the CRDs directory
-            if [[ $dir_name =~ ^.*CRDs.*$ ]]; then
-              continue
-            fi
-
-            # Check if the directory name only contains alphanumeric characters and dashes
-            if [[ ! $dir_name =~ ^[a-zA-Z0-9-]+$ ]]; then
-              echo "Directory $dir_name contains invalid characters. Only alphanumeric characters and dashes are allowed."
-              exit 1
-            fi
-
-            # Skip if the directory contains a kustomization.yaml file
-            if [[ -f "$policy_dir/kustomization.yaml" ]]; then
-              continue
-            fi
-
-            # Check if a .yml or .yaml file with the same name as the directory exists in the directory
-            if [[ ! -f "$policy_dir/$dir_name.yml" ]] && [[ ! -f "$policy_dir/$dir_name.yaml" ]]; then
-              echo "No .yml or .yaml file named $dir_name found in directory $policy_dir"
-              exit 1
-            fi
-
-            # Validate that artifacthub-pkg.yml or artifacthub-pkg.yaml file is found in the same folder as the policy
-            if [[ ! -f "$policy_dir/artifacthub-pkg.yml" ]] && [[ ! -f "$policy_dir/artifacthub-pkg.yaml" ]]; then
-              echo "artifacthub-pkg.yml or artifacthub-pkg.yaml file is not found in the same folder as the policy in directory $policy_dir"
-              exit 1
-            fi
-          done  
-
+        run: ./.hack/verify-files-structure.sh
+        working-directory: policies
       - name: Clone Kyverno
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           repository: kyverno/kyverno
           path: kyverno
           # The target branch of a pull request or the branch/tag of a push
           ref: ${{ github.base_ref || github.ref_name }}
-
       - name: Set up Go 
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: ~1.21.1
-
       - name: Test Policy
         run: go run ./cmd/cli/kubectl-kyverno test ../policies
         working-directory: kyverno
@@ -98,8 +48,8 @@ jobs:
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           path: policies
-      - name: Clone Kyverno
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - name: Checkout Kyverno
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           repository: kyverno/kyverno
           path: kyverno
@@ -114,6 +64,9 @@ jobs:
           set -e
           KYVERNO_EXPERIMENTAL=true go run ./cmd/cli/kubectl-kyverno fix test . --save
         working-directory: kyverno
+      - name: Check artifacthub-pkg digests
+        run: ./.hack/update-artifacthub-pkg.sh
+        working-directory: policies
       - name: Check diff
         run: |
           set -e

.hack/update-artifacthub-pkg.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SED=sed
+
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    SED=gsed
+fi
+
+for FILE in $(find . -name "artifacthub-pkg.yml")
+do
+    FOLDER=$(dirname "$FILE")
+    POLICY=$(basename "$FOLDER")
+    POLICY_FILE="$FOLDER/$POLICY.yaml"
+    echo "Processing policy $POLICY ($POLICY_FILE) ..."
+    INSTALL="kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/${POLICY_FILE/.\//}"
+    $SED -i -z "s#install:.*\`\`\`#install: |-\n  \`\`\`shell\n  $INSTALL\n  \`\`\`#" $FILE
+    DIGEST=$(shasum -U -a 256 "$POLICY_FILE" | cut -d" " -f 1)
+    echo "  Digest: $DIGEST"
+    $SED -i "s/^digest:.*/digest: $DIGEST/" $FILE
+done

.hack/verify-files-structure.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Loop through each policy directory in the repository
+for policy_dir in $(find "$GITHUB_WORKSPACE" -type d ! -name '.*' ! -path '*/\.*'); do
+    # Skip the root directory
+    if [[ "$policy_dir" == "$GITHUB_WORKSPACE" ]]; then
+        continue
+    fi
+
+    # Skip directories that contain subdirectories
+    if find "$policy_dir" -mindepth 1 -type d -print -quit | read; then
+        # If it does, skip the filename validation
+        continue
+    fi
+
+    # Get the name of the directory
+    dir_name=$(basename "$policy_dir")
+
+    # Skip if it is the CRDs directory
+    if [[ $dir_name =~ ^.*CRDs.*$ ]]; then
+        continue
+    fi
+
+    # Skip if it is the .hack directory
+    if [[ $dir_name == ".hack" ]]; then
+        continue
+    fi
+
+    # Check if the directory name only contains alphanumeric characters and dashes
+    if [[ ! $dir_name =~ ^[a-zA-Z0-9-]+$ ]]; then
+        echo "Directory $dir_name contains invalid characters. Only alphanumeric characters and dashes are allowed."
+        exit 1
+    fi
+
+    # Skip if the directory contains a kustomization.yaml file
+    if [[ -f "$policy_dir/kustomization.yaml" ]]; then
+        continue
+    fi
+
+    # Check if a .yml or .yaml file with the same name as the directory exists in the directory
+    if [[ ! -f "$policy_dir/$dir_name.yml" ]] && [[ ! -f "$policy_dir/$dir_name.yaml" ]]; then
+        echo "No .yml or .yaml file named $dir_name found in directory $policy_dir"
+        exit 1
+    fi
+
+    # Validate that artifacthub-pkg.yml or artifacthub-pkg.yaml file is found in the same folder as the policy
+    if [[ ! -f "$policy_dir/artifacthub-pkg.yml" ]] && [[ ! -f "$policy_dir/artifacthub-pkg.yaml" ]]; then
+        echo "artifacthub-pkg.yml or artifacthub-pkg.yaml file is not found in the same folder as the policy in directory $policy_dir"
+        exit 1
+    fi
+done  

argo/application-field-validation/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Argo"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Application"
-digest: c8ad238bcb8b9014775649b68d78dc902dcd58d2b3d54c536b2ec99c0dc821da
+digest: d3fb7174f682520a3ab0f62c4430014fc3228b51b989d770f5546099f342f416

best-practices/add-rolebinding/artifacthub-pkg.yml

@@ -4,7 +4,7 @@ displayName: Add RoleBinding
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   Typically in multi-tenancy and other use cases, when a new Namespace is created, users and other principals must be given some permissions to create and interact with resources in the Namespace. Very commonly, Roles and RoleBindings are used to grant permissions at the Namespace level. This policy generates a RoleBinding called `<userName>-admin-binding` in the new Namespace which binds to the ClusterRole `admin` as long as a `cluster-admin` did not create the Namespace. Additionally, an annotation named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible for the Namespace's creation.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-rolebinding/add-rolebinding.yaml
   ```

best-practices/add-safe-to-evict/artifacthub-pkg.yml

@@ -4,7 +4,7 @@ displayName: Add Safe To Evict
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   The Kubernetes cluster autoscaler does not evict pods that  use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation  cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. 
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-safe-to-evict/add-safe-to-evict.yaml
   ```

best-practices/check-deprecated-apis/artifacthub-pkg.yml

@@ -4,7 +4,7 @@ displayName: Check deprecated APIs
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
   ```

best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml

@@ -5,7 +5,7 @@ createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.
 install: |-
-  ```shell 
+  ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
   ```
 keywords:
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices"
   kyverno/subject: "Ingress"
-digest: 4c8e14cfe546a3912985257916af8cdae9e8ed3c5b9c8710de0452b0780352e6
+digest: f9e70cf095e2d69a9586d7b8071975006e76aa715e5c978d37761c03ac6fc7fd

best-practices/require-ro-rootfs/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices, EKS Best Practices"
   kyverno/subject: "Pod"
-digest: 6a96d468500f2d2d152dbde7a04a698c9cc62cc2975c04fb4c740dac187f5f4b
+digest: 27b193124b332e64884209f20617f5b5d2c3fc41b9a33265e971ec807b14ae14

castai/add-castai-removal-disabled/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "CAST AI"
   kyverno/kubernetesVersion: "1.25"
   kyverno/subject: "Job, CronJob"
-digest: 18f7de8b701cdf06e44c82655aaa91c386e9e3b44da1e72e04423f2d2a04a4f7
+digest: 992992b1eb3573e61d58ecf18bf58a2df70ce647b69243bc1e2adcdc5cea30ce

external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "ExternalSecretOperator"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "ExternalSecret"
-digest: e37b41aabc7d65947ee0cdd0707601d3bc2e43ffd6bc87aef76d8620aca5c1b7
+digest: 8b8e211f173edc5ba55b5e11c2a4799da30eb59a8cf0dd442b215e1a9cf79514

istio/add-sidecar-injection-namespace/artifacthub-pkg.yml

@@ -5,7 +5,7 @@ createdAt: "2023-04-10T20:07:52.000Z"
 description: >-
   In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio-inject` set to `enabled` for all new Namespaces.
 install: |-
-  ```shell 
+  ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/add-sidecar-injection-namespace/add-sidecar-injection-namespace.yaml
   ```
 keywords:

karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml

@@ -27,4 +27,4 @@ annotations:
   kyverno/category: "Karpenter"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "DaemonSet"
-digest: d362d0f39e827f364e3527542260994471420007e6624f4a992d8ce2963b01ac
+digest: 275bf6fb95839933a781efbcaeaea792cf1bd5d4af9833eb37fefc374aed26f3

karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml

@@ -24,4 +24,4 @@ annotations:
   kyverno/category: "Karpenter, EKS Best Practices"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "Pod"
-digest: cd4fd255ac954d358ccff5df240fcd9ff441d3c53ac9629abc5c31118d9e9892
+digest: 93d84f8ba71d2bf87cb84d4174962cc50ecd0b0f9bb29f6fccb8a8a41d11b500

kubevirt/enforce-instancetype/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "KubeVirt"
   kyverno/kubernetesVersion: "1.24-1.25"
   kyverno/subject: "VirtualMachine"
-digest: fd5e58353ef32aab91803a63e1a1f95ff0e311344f33a88f99ebe37757e64990
+digest: b0d3d34707cb815c644f2ed54060f6d546655cfb58600618f61575ac355f3439

nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml

@@ -4,7 +4,7 @@ displayName: Disallow Custom Snippets
 createdAt: "2023-04-10T20:23:06.000Z"
 description: >-
   Users that can create or update ingress objects can use the custom snippets  feature to obtain all secrets in the cluster (CVE-2021-25742). This policy  disables allow-snippet-annotations in the ingress-nginx configuration and  blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
   ```

openshift/enforce-etcd-encryption/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "OpenShift"
   kyverno/kubernetesVersion: "1.20"
   kyverno/subject: "APIServer"
-digest: d54ffd53d3d442062c5980b6333701a7b18477329422ad030912b1756d30c3a7
+digest: 52b34f10d90e6c15782ef1b861c42f0f16618ee7093fc7763fa24758e78c64b3

openshift/inject-infrastructurename/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "OpenShift"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "MachineSet"
-digest: 3f9aaaeeea9c2bde0fb8398da2bb64437e73ea8d644031102369beaa7f73e32e
+digest: 55f4f0f016cfed1e26b0a3621fa3ced8cd89134ade53976dec7cd6d7b2d9911a

other/a/add-certificates-volume/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Sample"
   kyverno/kubernetesVersion: "1.21"
   kyverno/subject: "Pod,Volume"
-digest: 41e873cb02f9b6c18d454968681f9797f1c0f3d89dc1610a60581e1e710031fb
+digest: d0bece92401b5c2c3fe482333fed5c09379d383934cd5bc860e416875a6d6267

other/a/apply-pss-restricted-profile/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Other"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Pod"
-digest: 79ec68a13ec96ac3c01fe6d39eb6fa79e10ef936453e17a76b7d10dfe2c26d96
+digest: 5fe9842816e537b8cdb8d6f231ccf31cefa7e11a936ee38f787e329f7b63ba97

other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml

@@ -6,10 +6,10 @@ createdAt: "2023-05-18T00:00:00.000Z"
 description: >-
   In some cases we would want to block operations (CREATE/UPDATE/DELETE) of certain privileged users (i.e. cluster-admins), in a specific namespace.
           In this policy, Kyverno look for all user operations (`CREATE, UPDATE, DELETE`), on every object kind (Pod,Deployment,Route,Service,etc.), in the testnamespace namespace, and for the `clusterRole cluster-admin`. The `subject User testuser` is also mentioned so it won’t include all the cluster-admins in the cluster, but will be flexiable enough to apply only for a sub-group of the cluster-admins in the cluster.
-install: |- 
-    ```shell
-    kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml
-    ```   
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml
+  ```   
 keywords:
   - rbac
   - cluster-admin 
@@ -21,4 +21,4 @@ annotations:
   policies.kyverno.io/category: other
   policies.kyverno.io/subject: Namespace, ClusterRole, User
   policies.kyverno.io/minversion: 1.9.0
-digest: 8b212d6056e1871537018ab93e1236f971b42a4c
+digest: 841724d983a9f27618678d596f30e20717115787e0f24304226b79d2e6b892e0

other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml

@@ -4,7 +4,7 @@ displayName: Block Pod Exec by Namespace Name
 createdAt: "2023-04-10T20:30:03.000Z"
 description: >-
   The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods in a Namespace called `pci`.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml
   ```

other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml

@@ -7,7 +7,6 @@ description: >-
 install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
-  ``
   ```
 keywords:
   - kyverno

other/b-d/check-serviceaccount/artifacthub-pkg.yml

@@ -4,7 +4,7 @@ displayName: Check ServiceAccount
 createdAt: "2023-04-10T20:30:03.000Z"
 description: >-
   ServiceAccounts with privileges to create Pods may be able to do so and name a ServiceAccount other than the one used to create it. This policy checks the Pod, if created by a ServiceAccount, and ensures the `serviceAccountName` field matches the actual ServiceAccount.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/check-serviceaccount/check-serviceaccount.yaml
   ```

other/b-d/check-subjectaccessreview/artifacthub-pkg.yml

@@ -4,7 +4,7 @@ displayName: Check SubjectAccessReview
 createdAt: "2023-05-01T00:00:00.000Z"
 description: >-
   In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/check-subjectaccessreview/check-subjectaccessreview.yaml
   ```

other/b-d/cordon-and-drain-node/artifacthub-pkg.yml

@@ -6,7 +6,7 @@ description: >-
   There are cases where either an operations or security incident may occur and Nodes should be evacuated and placed in an unused state for further analysis. For example, a Node is found to be running a vulnerable version of a CRI engine or kernel and to minimize chances of a compromise may need to be decommissioned so another can be built. This policy shows how to use Kyverno to both cordon and drain a given Node and uses a hypothetical label being written to it called `testing=drain` to illustrate the point. For production use, the match block should be modified to trigger on the appropriate condition.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/b-d/cordon-and-drain-node/cordon-and-drain-node.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/cordon-and-drain-node/cordon-and-drain-node.yaml
   ```
 keywords:
   - kyverno
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "other"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "Node"
-digest: d9540eced93532fb54d51aa9ce0ca4d4b954737d6cc2eeb82687665bcfde826e
+digest: adbb84bccd2bb5f35c5987eb14aacc51e85a624124ce3281372607f92d6090bb

other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml

@@ -4,7 +4,7 @@ displayName: Add Pod Anti-Affinity
 createdAt: "2023-04-10T20:30:03.000Z"
 description: >-
   Applications may involve multiple replicas of the same Pod for availability as well as scale purposes, yet Kubernetes does not by default provide a solution for availability. This policy sets a Pod anti-affinity configuration on Deployments which contain an `app` label if it is not already present.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/create-pod-antiaffinity/create-pod-antiaffinity.yaml
   ```

other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml

@@ -5,7 +5,7 @@ createdAt: "2023-05-01T00:00:00.000Z"
 description: >-
   Developers may feel compelled to use simple shell commands as a workaround to creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged via detection of those commands. This policy prevents the use of certain commands `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe.
 
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
   ```