Upgrade to Kyverno 1.13.1 (#269)

* Upgrade to Kyverno 1.13.1

.github/config/kyverno-values.yaml

@@ -12,28 +12,13 @@ admissionController:
       exceptionNamespace: kyverno
       webhookTimeout: 30
 config:
-  # TODO: Remove once fixed: https://github.com/kyverno/kyverno/issues/3190
-  resourceFilters:
-  - "[ConfigMap,*,*]"
-  - "[*,local-path-storage,*]"
-  - "[Event,*,*]"
-  - "[*,default,*]"
-  - "[*,kube-system,*]"
-  - "[*,kube-public,*]"
-  - "[*,kube-node-lease,*]"
-  - "[Node,*,*]"
-  - "[APIService,*,*]"
-  - "[TokenReview,*,*]"
-  - "[SubjectAccessReview,*,*]"
-  - "[SelfSubjectAccessReview,*,*]"
-  - "[*,kyverno,*]"
-  - "[Binding,*,*]"
-  - "[ReplicaSet,*,*]"
-  - "[ReportChangeRequest,*,*]"
-  - "[ClusterReportChangeRequest,*,*]"
-  - "[*,keycloak,*]"
+  resourceFiltersIncludeNamespaces:
+  - local-path-storage
+  - default
+  - kyverno
+  - keycloak
   webhooks:
-  - namespaceSelector:
+    namespaceSelector:
       matchExpressions:
         - key: osc.edu/role
           operator: In

.github/workflows/test-private.yaml

@@ -87,7 +87,7 @@ jobs:
       - name: Install Kyverno
         run: |
           helm repo add kyverno https://kyverno.github.io/kyverno/
-          helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.1.4
+          helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.3.3
           timeout 120 /bin/bash -c 'until kubectl get pods -n kyverno -l app.kubernetes.io/component=admission-controller -o jsonpath="{range .items[*]}{.status.containerStatuses[*].ready}{end}" | grep "true" ; do echo "Waiting for Kyverno" ; sleep 10 ; done'
           helm dependency build charts/kyverno-policies
           helm install kyverno-policies charts/kyverno-policies -n kyverno -f .github/config/kyverno-policies-values.yaml

.github/workflows/test.yaml

@@ -94,7 +94,7 @@ jobs:
       - name: Install Kyverno
         run: |
           helm repo add kyverno https://kyverno.github.io/kyverno/
-          helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.1.4
+          helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.3.3
           timeout 60 /bin/bash -c 'until kubectl get pods -n kyverno -l app.kubernetes.io/component=admission-controller -o jsonpath="{.items[0].status.phase}" | grep Running ; do echo "Waiting for Kyverno" ; sleep 10 ; done'
           sleep 60
       - name: Install cert-manager

Makefile

@@ -1,6 +1,6 @@
 ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 KYVERNO_GIT = https://github.com/kyverno/kyverno.git
-KYVERNO_VERSION := "v1.11.4"
+KYVERNO_VERSION := "v1.13.1"
 KYVERNO_DIR := $(ROOT_DIR)/kyverno-cli
 #KYVENOR_CLI := $(KYVERNO_DIR)/cmd/cli/kubectl-kyverno/kubectl-kyverno
 KYVENOR_CLI := $(KYVERNO_DIR)/kyverno

charts/kyverno-policies/Chart.yaml

@@ -2,13 +2,13 @@ apiVersion: v2
 name: kyverno-policies
 description: OSC Kyverno policies deployment
 type: application
-version: 0.28.1
-appVersion: "v1.11.4"
+version: 0.29.0
+appVersion: "v1.13.1"
 maintainers:
   - name: treydock
 dependencies:
   - name: kyverno-policies
-    version: 3.1.4
+    version: 3.3.1
     repository: https://kyverno.github.io/kyverno/
   - name: osc-common
     version: 0.7.0

charts/kyverno-policies/values.yaml

@@ -65,13 +65,6 @@ kyverno-policies:
 #          - external-dns
 #          - prometheus
   policyExclude:
-    disallow-capabilities-strict:
-      any:
-        # TODO: Remove once ood_core updated
-        # https://github.com/OSC/ood_core/pull/748
-        - resources:
-            namespaces:
-            - "user-?*"
     disallow-host-path:
       any:
         - resources:
@@ -87,13 +80,6 @@ kyverno-policies:
                 values:
                 - webservice
                 - paas
-    restrict-seccomp-strict:
-      any:
-        # TODO: Remove once ood_core updated
-        # https://github.com/OSC/ood_core/pull/748
-        - resources:
-            namespaces:
-            - "user-?*"
     restrict-volume-types:
       any:
         - resources:

tests/kyverno-policies/add-account/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: add-account
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-account
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/add-account/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 policies:
   - name: add-account
     rules:

tests/kyverno-policies/add-annotations/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: add-annotations
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: values
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/add-annotations/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 namespaceSelector:
   - name: user-test
     labels:

tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: add-image-pull-secret
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-image-pull-secret
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/add-ingress-class-name/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: add-ingress-class-name
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-ingress-class-name
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/add-ingress-class-name/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 namespaceSelector:
   - name: webservice
     labels:

tests/kyverno-policies/add-nodeselector/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: ondemand
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: ondemand
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/add-nodeselector/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 namespaceSelector:
   - name: user-test
     labels:

tests/kyverno-policies/add-role/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: add-role
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-role
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/add-role/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 policies:
   - name: add-role
     rules:

tests/kyverno-policies/add-service-account/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: add-service-account
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-service-account
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/add-service-account/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 policies:
   - name: add-service-account
     rules:

tests/kyverno-policies/authorized-registries/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: authorized-registries
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: authorized-registries
 policies:
   - policy.yaml
 resources:
@@ -9,24 +12,21 @@ results:
   - policy: authorized-registries
     rule: authorized-registries-users
     resources:
-      - test-skip
+      - test/test-skip
     kind: Pod
-    namespace: foo
     result: skip
   - policy: authorized-registries
     rule: authorized-registries-users
     resources:
-      - test-pass
-      - test-pass-site
+      - user-test/test-pass
+      - user-test/test-pass-site
     kind: Pod
-    namespace: user-test
     result: pass
   - policy: authorized-registries
     rule: authorized-registries-users
     resources:
-      - test-fail
+      - user-test/test-fail
     kind: Pod
-    namespace: user-test
     result: fail
   - policy: authorized-registries
     rule: authorized-registries-webservices
@@ -37,19 +37,17 @@ results:
   - policy: authorized-registries
     rule: authorized-registries-webservices
     resources:
-      - test-pass-webservice
-      - test-pass2-webservice
-      - test-pass3-webservice
-      - test-pass-site-webservice
+      - webservice/test-pass-webservice
+      - webservice/test-pass2-webservice
+      - webservice/test-pass3-webservice
+      - webservice/test-pass-site-webservice
     kind: Pod
-    namespace: webservice
     result: pass
   - policy: authorized-registries
     rule: authorized-registries-webservices
     resources:
-      - test-fail-webservice
+      - webservice/test-fail-webservice
     kind: Pod
-    namespace: webservice
     result: fail
   - policy: authorized-registries
     rule: authorized-registries-paas
@@ -60,17 +58,15 @@ results:
   - policy: authorized-registries
     rule: authorized-registries-paas
     resources:
-      - test-pass-paas
-      - test-pass2-paas
-      - test-pass3-paas
-      - test-pass-site-paas
+      - paas/test-pass-paas
+      - paas/test-pass2-paas
+      - paas/test-pass3-paas
+      - paas/test-pass-site-paas
     kind: Pod
-    namespace: paas
     result: pass
   - policy: authorized-registries
     rule: authorized-registries-paas
     resources:
-      - test-fail-paas
+      - paas/test-fail-paas
     kind: Pod
-    namespace: paas
     result: fail

tests/kyverno-policies/authorized-registries/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 namespaceSelector:
   - name: test
     labels:

tests/kyverno-policies/block-images-with-volumes/kyverno-test.yaml

@@ -1,4 +1,7 @@
-name: block-images-with-volumes
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: block-images-with-volumes
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/block-images-with-volumes/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 policies:
   - name: block-images-with-volumes
     resources:

tests/kyverno-policies/disallow-container-sock-mounts/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: disallow-container-sock-mounts
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-container-sock-mounts
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/disallow-nfs/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: disallow-nfs
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-nfs
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/imagepullpolicy-always/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: imagepullpolicy-always
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: imagepullpolicy-always
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/ingress-require-tls/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: ingress-require-tls
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: ingress-require-tls
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/mutate-calico-registry/kyverno-test.yaml

@@ -1,5 +1,8 @@
 ---
-name: mutate-calico-registry
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: mutate-calico-registry
 policies:
   - policy.yaml
 resources:

tests/kyverno-policies/mutate-calico-registry/variables.yaml

@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
 policies:
   - name: mutate-calico-registry
     resources: