kyverno · chipzoller · Aug 14, 2024 · Aug 5, 2024 · Aug 5, 2024 · Aug 6, 2024
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
@@ -19,3 +19,8 @@ spec:
         name: busybox
       - image: docker.io/tiller:latest
         name: helm-tiller
+      initContainers:
+      - image: busybox
+        name: busyboxinit
+      - image: docker.io/tiller:latest
+        name: helm-tillerinit
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
@@ -8,3 +8,8 @@ spec:
     image: docker.io/tiller:latest
   - name: somebox
     image: busybox:1.35
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
+  - name: someboxinit
+    image: busybox:1.35
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
@@ -7,4 +7,9 @@ spec:
   - name: somebox
     image: busybox:1.35
   - name: helm-tiller
-    image: docker.io/tiller:latest
+    image: docker.io/tiller:latest
+  initContainers:
+  - name: someboxinit
+    image: busybox:1.35
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml
@@ -5,4 +5,7 @@ metadata:
 spec:
   containers:
   - name: helm-tiller
-    image: docker.io/tiller:latest
+    image: docker.io/tiller:latest
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
@@ -17,4 +17,8 @@ spec:
       containers:
       - image: busybox:v1.35
         name: busybox
-        command: ["sleep", "3600"]
+        command: ["sleep", "3600"]
+      initContainers:
+      - image: busybox:v1.35
+        name: busyboxinit
+        command: ["sleep", "3600"]
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
@@ -7,4 +7,9 @@ spec:
   - name: busybox
     image: busybox:v1.35
   - name: nothelmbox
-    image: busybox:v1.35
+    image: busybox:v1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox:v1.35
+  - name: nothelmboxinit
+    image: busybox:v1.35
diff --git a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml
@@ -6,6 +6,10 @@ spec:
   containers:
   - name: helm-tiller
     image: docker.io/tiller:latest
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
+
 ---
 apiVersion: v1
 kind: Pod
@@ -17,6 +21,11 @@ spec:
     image: busybox:1.28
   - name: helm-tiller
     image: docker.io/tiller:latest
+  initContainers:
+  - name: busyboxinit
+    image: busybox:1.28
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
 ---
 apiVersion: v1
 kind: Pod
@@ -26,6 +35,9 @@ spec:
   containers:
   - name: busybox
     image: busybox
+  initContainers:
+  - name: busyboxinit
+    image: busybox
 ---
 apiVersion: v1
 kind: Pod
@@ -37,6 +49,11 @@ spec:
     image: busybox
   - name: nginx
     image: nginx
+  initContainers:
+  - name: busyboxinit
+    image: busybox
+  - name: nginxinit
+    image: nginx
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -59,6 +76,10 @@ spec:
       - image: busybox:1.28
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox:1.28
+        name: busyboxinit
+        command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -80,3 +101,6 @@ spec:
       containers:
       - image: docker.io/tiller:latest
         name: helm-tiller
+      initContainers:
+      - image: docker.io/tiller:latest
+        name: helm-tillerinit
diff --git a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Sample"
   kyverno/subject: "Pod"
-digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4
+digest: 3d92f3a2949283ad6d9baa99565e407c5cd78d015e0220750de522ac40ce1de2
diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
@@ -11,7 +11,7 @@ metadata:
     policies.kyverno.io/description: >-
       Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
       resource accessible to any authenticated user. Tiller can lead to privilege escalation as
-      restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
+      restricted users can impact other users. It is recommended to use Helm v3+ which does not contain
       Tiller for these reasons. This policy validates that there is not an image
       containing the name `tiller`.
 spec:
@@ -26,8 +26,13 @@ spec:
               - Pod
       validate:
         message: "Helm Tiller is not allowed"
-        pattern:
-          spec:
-            containers:
-              - name: "*"
-                image: "!*tiller*"
+        foreach:
+        - list: "request.object.spec.containers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "!*tiller*"
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
@@ -7,4 +7,9 @@ spec:
   - name: busybox
     image: busybox:latest
   - name: nginx
-    image: nginx:1.35
+    image: nginx:1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox:latest
+  - name: nginxinit
+    image: nginx:1.35
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
@@ -7,4 +7,9 @@ spec:
   - name: nginx
     image: nginx:1.35
   - name: busybox
-    image: busybox:latest
+    image: busybox:latest
+  initContainers:
+  - name: nginxinit
+    image: nginx:1.35
+  - name: busyboxinit
+    image: busybox:latest
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
@@ -8,6 +8,11 @@ spec:
     image: busybox
   - name: nginx
     image: nginx:1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox
+  - name: nginxinit
+    image: nginx:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -19,6 +24,11 @@ spec:
     image: nginx:1.35
   - name: busybox
     image: busybox
+  initContainers:
+  - name: nginxinit
+    image: nginx:1.35
+  - name: busyboxinit
+    image: busybox
 ---
 apiVersion: v1
 kind: Pod
@@ -29,4 +39,9 @@ spec:
   - name: busybox
     image: busybox
   - name: nginx
-    image: nginx:latest
+    image: nginx:latest
+  initContainers:
+  - name: busyboxinit
+    image: busybox
+  - name: nginxinit
+    image: nginx:latest
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
@@ -5,4 +5,7 @@ metadata:
 spec:
   containers:
   - name: busybox
-    image: busybox:v1.35
+    image: busybox:v1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox:v1.35
diff --git a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml
@@ -8,6 +8,9 @@ spec:
   containers:
   - name: nginx
     image: nginx:1.12
+  initContainers:
+  - name: nginxinit
+    image: nginx:1.12
 ---
 apiVersion: v1
 kind: Pod
@@ -19,6 +22,9 @@ spec:
   containers:
   - name: nginx
     image: nginx
+  initContainers:
+  - name: nginxinit
+    image: nginx
 ---
 apiVersion: v1
 kind: Pod
@@ -32,6 +38,11 @@ spec:
     image: busybox:1.28
   - name: nginx
     image: nginx
+  initContainers:
+  - name: busyboxinit
+    image: busybox:1.28
+  - name: nginxinit
+    image: nginx
 ---
 apiVersion: v1
 kind: Pod
@@ -43,6 +54,9 @@ spec:
   containers:
   - name: nginx
     image: nginx:latest
+  initContainers:
+  - name: nginxinit
+    image: nginx:latest
 ---
 apiVersion: v1
 kind: Pod
@@ -56,6 +70,11 @@ spec:
     image: busybox:1.28
   - name: nginx
     image: nginx:latest
+  initContainers:
+  - name: busyboxinit
+    image: busybox:1.28
+  - name: nginxinit
+    image: nginx:latest
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -77,6 +96,10 @@ spec:
       - image: busybox:1.28
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox:1.28
+        name: busyboxinit
+        command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -98,6 +121,10 @@ spec:
       - image: busybox
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox
+        name: busyboxinit
+        command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -119,3 +146,7 @@ spec:
       - image: busybox:latest
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox:latest
+        name: busyboxinit
+        command: ["sleep", "9999"]
diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml
@@ -1,6 +1,6 @@
 name: disallow-latest-tag
 version: 1.0.0
-displayName: Disallow Latest Tag
+displayName: Disallow Latest Tags
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`.
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices"
   kyverno/subject: "Pod"
-digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4
+digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a
diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
@@ -25,10 +25,16 @@ spec:
           - Pod
     validate:
       message: "An image tag is required."
-      pattern:
-        spec:
-          containers:
-          - image: "*:*"
+      foreach:
+        - list: "request.object.spec.containers"
+          pattern:
+            image: "*:*"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "*:*"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "*:*"
   - name: validate-image-tag
     match:
       any:
@@ -37,7 +43,13 @@ spec:
           - Pod
     validate:
       message: "Using a mutable image tag e.g. 'latest' is not allowed."
-      pattern:
-        spec:
-          containers:
-          - image: "!*:latest"
+      foreach:
+        - list: "request.object.spec.containers"
+          pattern:
+            image: "!*:latest"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "!*:latest"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "!*:latest"