Policy updates

best-practices/add_safe_to_evict/add_safe_to_evict.yaml

@@ -5,7 +5,7 @@ metadata:
   annotations:
     policies.kyverno.io/category: Other
     policies.kyverno.io/subject: Pod,Annotation
-    policies.kyverno.io/minversion: 1.4.3
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/description: >-
       The Kubernetes cluster autoscaler does not evict pods that 
       use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation 
@@ -14,9 +14,10 @@ spec:
   rules: 
   - name: annotate-empty-dir
     match:
-      resources:
-        kinds:
-        - Pod
+      any:
+      - resources:
+          kinds:
+          - Pod
     mutate:
       patchStrategicMerge:
         metadata:
@@ -27,9 +28,10 @@ spec:
           - <(emptyDir): {}
   - name: annotate-host-path
     match:
-      resources:
-        kinds:
-        - Pod
+      any:
+      - resources:
+          kinds:
+          - Pod
     mutate:
       patchStrategicMerge:
         metadata:

best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     policies.kyverno.io/title: Disallow empty Ingress host
     policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Ingress
     policies.kyverno.io/description: >-
@@ -17,9 +18,10 @@ spec:
   rules:
     - name: disallow-empty-ingress-host
       match:
-        resources:
-          kinds:
-            - Ingress
+        any:
+        - resources:
+            kinds:
+              - Ingress
       validate:
         message: "The Ingress host name must be defined, not empty."
         deny:

best-practices/disallow_helm_tiller/disallow_helm_tiller.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     policies.kyverno.io/title: Disallow Helm Tiller
     policies.kyverno.io/category: Sample
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
@@ -19,9 +20,10 @@ spec:
   rules:
     - name: validate-helm-tiller
       match:
-        resources:
-          kinds:
-            - Pod
+        any:
+        - resources:
+            kinds:
+              - Pod
       validate:
         message: "Helm Tiller is not allowed"
         pattern:

best-practices/disallow_latest_tag/disallow_latest_tag.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     policies.kyverno.io/title: Disallow Latest Tag
     policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
@@ -18,9 +19,10 @@ spec:
   rules:
   - name: require-image-tag
     match:
-      resources:
-        kinds:
-        - Pod
+      any:
+      - resources:
+          kinds:
+          - Pod
     validate:
       message: "An image tag is required."
       pattern:
@@ -29,9 +31,10 @@ spec:
           - image: "*:*"
   - name: validate-image-tag
     match:
-      resources:
-        kinds:
-        - Pod
+      any:
+      - resources:
+          kinds:
+          - Pod
     validate:
       message: "Using a mutable image tag e.g. 'latest' is not allowed."
       pattern:

best-practices/require_labels/require_labels.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     policies.kyverno.io/title: Require Labels
     policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod, Label
     policies.kyverno.io/description: >-
@@ -18,9 +19,10 @@ spec:
   rules:
   - name: check-for-labels
     match:
-      resources:
-        kinds:
-        - Pod
+      any:
+      - resources:
+          kinds:
+          - Pod
     validate:
       message: "The label `app.kubernetes.io/name` is required."
       pattern:

best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     policies.kyverno.io/title: Restrict External IPs
     policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Service
     policies.kyverno.io/description: >-
@@ -18,9 +19,10 @@ spec:
   rules:
   - name: check-ips
     match:
-      resources:
-        kinds:
-        - Service
+      any:
+      - resources:
+          kinds:
+          - Service
     validate:
       message: "externalIPs are not allowed."
       pattern:

best-practices/restrict_node_port/restrict_node_port.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     policies.kyverno.io/title: Disallow NodePort
     policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Service
     policies.kyverno.io/description: >-
@@ -19,9 +20,10 @@ spec:
   rules:
   - name: validate-nodeport
     match:
-      resources:
-        kinds:
-        - Service
+      any:
+      - resources:
+          kinds:
+          - Service
     validate:
       message: "Services of type NodePort are not allowed."
       pattern:

cert-manager/limit-dnsnames/limit-dnsnames.yaml

@@ -6,7 +6,7 @@ metadata:
     policies.kyverno.io/title: Limit dnsNames
     policies.kyverno.io/category: Cert-Manager
     policies.kyverno.io/severity: medium
-    policies.kyverno.io/minversion: 1.3.6
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/subject: Certificate
     policies.kyverno.io/description: >-
       Some applications will not accept certificates containing more than a single name.
@@ -18,13 +18,15 @@ spec:
   rules:
   - name: limit-dnsnames
     match:
-      resources:
-        kinds:
-        - Certificate
+      any:
+      - resources:
+          kinds:
+          - Certificate
     validate:
       message: Only one dnsNames entry allowed per certificate request.
       deny:
         conditions:
-        - key: "{{request.object.spec.dnsNames || `[]` | length(@)}}"
-          operator: GreaterThan
-          value: "1"
+          all:
+          - key: "{{request.object.spec.dnsNames || `[]` | length(@)}}"
+            operator: GreaterThan
+            value: "1"

cert-manager/limit-duration/limit-duration.yaml

@@ -6,7 +6,7 @@ metadata:
     policies.kyverno.io/title: Certificate max duration 100 days
     policies.kyverno.io/category: Cert-Manager
     policies.kyverno.io/severity: medium
-    policies.kyverno.io/minversion: 1.3.6
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/subject: Certificate
     policies.kyverno.io/description: >-
       Kubernetes managed non-letsencrypt certificates have to be renewed in every 100 days.
@@ -16,9 +16,10 @@ spec:
   rules:
   - name: certificate-duration-max-100days 
     match:
-      resources:
-        kinds:
-        - Certificate
+      any:
+      - resources:
+          kinds:
+          - Certificate
     preconditions:
       all:
       - key: "{{ contains(request.object.spec.issuerRef.name, 'letsencrypt') }}"
@@ -31,6 +32,7 @@ spec:
       message: "certificate duration must be < than 2400h (100 days)"
       deny:
         conditions:
-        - key: "{{ max( [ to_number(regex_replace_all('h.*',request.object.spec.duration,'')), to_number('2400') ] ) }}"
-          operator: NotEquals
-          value: 2400
+          all:
+          - key: "{{ max( [ to_number(regex_replace_all('h.*',request.object.spec.duration,'')), to_number('2400') ] ) }}"
+            operator: NotEquals
+            value: 2400

cert-manager/restrict-issuer/restrict-issuer.yaml

@@ -18,9 +18,10 @@ spec:
   rules:
   - name: restrict-corp-cert-issuer
     match:
-      resources:
-        kinds:
-        - Certificate
+      any:
+      - resources:
+          kinds:
+          - Certificate
     validate:
       message: When requesting a cert for this domain, you must use our corporate issuer.
       pattern:

consul/enforce-min-tls-version/enforce-min-tls-version.yaml

@@ -1,30 +1,31 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: enforce-min-tls-version
- annotations:
-   policies.kyverno.io/title: Enforce Consul min TLS version 
-   policies.kyverno.io/category: Consul
-   policies.kyverno.io/severity: medium
-   policies.kyverno.io/subject: Mesh
-   kyverno.io/kyverno-version: 1.8.0
-   policies.kyverno.io/minversion: 1.6.0
-   kyverno.io/kubernetes-version: "1.24"
-   policies.kyverno.io/description: >-
-     This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.
+  name: enforce-min-tls-version
+  annotations:
+    policies.kyverno.io/title: Enforce Consul min TLS version 
+    policies.kyverno.io/category: Consul
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Mesh
+    kyverno.io/kyverno-version: 1.8.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.24"
+    policies.kyverno.io/description: >-
+      This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer.
 spec:
- validationFailureAction: enforce
- background: true
- rules:
-   - name: check-for-tls-version
-     match:
-       resources:
-         kinds:
-           - Mesh
-     validate:
-       message: The minimum version of TLS is TLS v1_2
-       pattern:
-         spec:
-             tls:
-               incoming:
-                 tlsMinVersion: TLSv1_2
+  validationFailureAction: enforce
+  background: true
+  rules:
+  - name: check-for-tls-version
+    match:
+      any:
+      - resources:
+          kinds:
+            - Mesh
+    validate:
+      message: The minimum version of TLS is TLS v1_2
+      pattern:
+        spec:
+          tls:
+            incoming:
+              tlsMinVersion: TLSv1_2

other/add-default-securitycontext/add-default-securitycontext.yaml

@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Add Default securityContext
     policies.kyverno.io/category: Sample
     policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/description: >-
       A Pod securityContext entry defines fields such as the user and group which should be used to run the Pod.
       Sometimes choosing default values for users rather than blocking is a better alternative to not impede
@@ -15,9 +16,10 @@ spec:
   rules:
   - name: add-default-securitycontext
     match:
-      resources:
-        kinds:
-        - Pod
+      any:
+      - resources:
+          kinds:
+          - Pod
     mutate:
       patchStrategicMerge:
         spec: