test: Test Argo (#9)

Balsir · May 12, 2023 · 00764f1 · 00764f1
1 parent 18060cb
commit 00764f1
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 78 deletions.
diff --git a/charts/test-chart/Chart.yaml b/charts/test-chart/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.5.1
 
 # Maintainers
 maintainers:

diff --git a/charts/test-chart/README.md b/charts/test-chart/README.md
@@ -2,7 +2,7 @@
 
 A Helm chart for Kubernetes
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.5.1](https://img.shields.io/badge/Version-0.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 ## Description
 Helm chart to deploy Kyverno policies.
@@ -169,13 +169,12 @@ policies:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | background | bool | `true` | Default background policy setting according to https://kyverno.io/docs/writing-policies/policy-settings/ |
-| enableAll | bool | `false` | Used to enable all policies. Categories or policies with value .disabled will be excluded. |
 | extraManifests | list | `[]` | List of extra manifests to deploy. Can be used to deploy your custom policies. |
 | failurePolicy | string | `"Fail"` | Default failurePolicy policy setting according to https://kyverno.io/docs/writing-policies/policy-settings/ |
 | fullnameOverride | string | `""` | fullnameOverride |
 | nameOverride | string | `""` | nameOverride |
-| policies | object | `{"blockStaleImages":{"enabled":false},"checkServiceAccount":{"enabled":false},"disableAutomountServiceAccountToken":{"enabled":false},"disablePodAutomountServiceAccountToken":{"enabled":false},"disableServiceDiscovery":{"enabled":false},"disallowAllSecrets":{"enabled":false},"disallowCapabilitiesStrict":{"enabled":false},"disallowDefaultNamespace":{"enabled":false},"disallowEmptyIngressHost":{"enabled":false},"disallowHostNamespaces":{"enabled":false},"disallowHostPath":{"enabled":false},"disallowHostPorts":{"enabled":false},"disallowPrivilegeEscalation":{"enabled":false},"disallowPrivilegedContainers":{"enabled":false},"disallowProcMount":{"enabled":false},"disallowSELinux":{"enabled":false},"preventNakedPods":{"enabled":false},"protectNodeTaints":{"enabled":false},"requireEncryptionAwsLoadBalancers":{"enabled":false},"requireLabels":{"enabled":false},"requireRoRootFs":{"enabled":false},"requireRunAsNonRoot":{"enabled":false},"requireRunAsNonRootUser":{"enabled":false},"restrictAppArmor":{"enabled":false},"restrictImageRegistries":{"enabled":false},"restrictIngressWildcard":{"enabled":false},"restrictNodePort":{"enabled":false},"restrictSeccompStrict":{"enabled":false},"restrictServiceExternalIps":{"enabled":false},"restrictSysctls":{"enabled":false},"restrictVolumeTypes":{"enabled":false}}` | Used to enable and override individual policies. Policy override takes precedence over category override. Policy name matches its filename. |
-| policyCategories | object | `{"other":{"enabled":false},"podSecurityBaseline":{"enabled":false},"podSecurityRestricted":{"enabled":false}}` | Used to enable policies in bulk per category. May override policy attributes for the entire category. |
+| policies | object | `{"blockStaleImages":{},"checkServiceAccount":{"background":false},"disableAutomountServiceAccountToken":{},"disablePodAutomountServiceAccountToken":{},"disableServiceDiscovery":{},"disallowAllSecrets":{},"disallowCapabilitiesStrict":{},"disallowDefaultNamespace":{},"disallowEmptyIngressHost":{},"disallowHostNamespaces":{},"disallowHostPath":{},"disallowHostPorts":{},"disallowPrivilegeEscalation":{},"disallowPrivilegedContainers":{},"disallowProcMount":{},"disallowSELinux":{},"preventNakedPods":{},"protectNodeTaints":{"background":false},"requireEncryptionAwsLoadBalancers":{},"requireLabels":{},"requireRoRootFs":{},"requireRunAsNonRoot":{},"requireRunAsNonRootUser":{},"restrictAppArmor":{},"restrictImageRegistries":{},"restrictIngressWildcard":{},"restrictNodePort":{},"restrictSeccompStrict":{},"restrictServiceExternalIps":{},"restrictSysctls":{},"restrictVolumeTypes":{}}` | Used to enable and override individual policies. Policy override takes precedence over category override. Policy name matches its filename. |
+| policyCategories | object | `{"other":{},"podSecurityBaseline":{},"podSecurityRestricted":{}}` | Used to enable policies in bulk per category. May override policy attributes for the entire category. |
 | validationFailureAction | string | `"Audit"` | Default validationFailureAction policy setting according to https://kyverno.io/docs/writing-policies/policy-settings/ |
 | validationFailureActionOverrides | list | `[]` | Default validationFailureActionOverrides policy setting according to https://kyverno.io/docs/writing-policies/policy-settings/ |
 

diff --git a/charts/test-chart/values.yaml b/charts/test-chart/values.yaml
@@ -3,9 +3,6 @@ nameOverride: ""
 # -- fullnameOverride
 fullnameOverride: ""
 
-# -- Used to enable all policies. Categories or policies with value .disabled will be excluded.
-enableAll: false
-
 # -- Default background policy setting according to https://kyverno.io/docs/writing-policies/policy-settings/
 background: true
 # -- Default failurePolicy policy setting according to https://kyverno.io/docs/writing-policies/policy-settings/
@@ -14,99 +11,72 @@ failurePolicy: Fail
 validationFailureAction: Audit
 # -- Default validationFailureActionOverrides policy setting according to https://kyverno.io/docs/writing-policies/policy-settings/
 validationFailureActionOverrides: []
+# validationFailureActionOverrides:
+#   - action: Enforce     # Action to apply
+#     namespaces:       # List of affected namespaces
+#       - default
+#   - action: Audit
+#     namespaces:
+#       - test
 
 # -- Used to enable policies in bulk per category. May override policy attributes for the entire category.
 policyCategories:
 #  exampleCategory:
-#    enabled: false                   # Set true to enable category.
-#    disabled: false                  # Set true to disable all policies in category. Has precedence over .enabled.
+#    enabled: false                   # Set true to enable category. Set to false to explicitly disable category.
 #    validationFailureAction: Audit   # Set validationFailureAction per category.
 #    failurePolicy: Fail              # Set failurePolicy per category.
 #    background: true                 # Set background per category.
-  podSecurityBaseline:
-    enabled: false
-  podSecurityRestricted:
-    enabled: false
-  other:
-    enabled: false
+  podSecurityBaseline: {}
+  podSecurityRestricted: {}
+  other: {}
 
 # -- Used to enable and override individual policies. Policy override takes precedence over category override. Policy name matches its filename.
 policies:
 #  examplePolicy:
-#    enabled: false                   # Set true to enable policy. Policy will be deployed if .Values.enableAll or .Values.<categoryOfPolicy>.
-#    disabled: false                  # Set true to disable policy. Has precedence over .enabled.
+#    enabled: false                   # Set true to enable policy. Set to false to disable policy. If value is false, policy will not be deployed even if the category is enabled.
 #    validationFailureAction: Audit   # Set validationFailureAction per policy.
 #    failurePolicy: Fail              # Set failurePolicy per policy.
 #    background: true                 # Set background per policy.
 #    someOtherAttribute: "foobar"     # Set any other attribute.
 #    rulesOverride: []                # Override all rules within a policy.
 #    exclude: {}                      # Set exclude block for every rule within a policy.
-  blockStaleImages:
-    enabled: false
+  blockStaleImages: {}
 #    imageAge: "4380h" # Images older than imageAge are non-compliant
   checkServiceAccount:
-    enabled: false
-  disableAutomountServiceAccountToken:
-    enabled: false
-  disablePodAutomountServiceAccountToken:
-    enabled: false
-  disableServiceDiscovery:
-    enabled: false
-  disallowAllSecrets:
-    enabled: false
-  disallowCapabilitiesStrict:
-    enabled: false
-  disallowDefaultNamespace:
-    enabled: false
-  disallowEmptyIngressHost:
-    enabled: false
-  disallowHostNamespaces:
-    enabled: false
-  disallowHostPath:
-    enabled: false
-  disallowHostPorts:
-    enabled: false
-  disallowProcMount:
-    enabled: false
-  disallowPrivilegedContainers:
-    enabled: false
-  disallowPrivilegeEscalation:
-    enabled: false
-  disallowSELinux:
-    enabled: false
-  preventNakedPods:
-    enabled: false
+    background: false   # Shouldn't be set to true, because variable {{`{{serviceAccountName}}`}} is not allowed
+  disableAutomountServiceAccountToken: {}
+  disablePodAutomountServiceAccountToken: {}
+  disableServiceDiscovery: {}
+  disallowAllSecrets: {}
+  disallowCapabilitiesStrict: {}
+  disallowDefaultNamespace: {}
+  disallowEmptyIngressHost: {}
+  disallowHostNamespaces: {}
+  disallowHostPath: {}
+  disallowHostPorts: {}
+  disallowProcMount: {}
+  disallowPrivilegedContainers: {}
+  disallowPrivilegeEscalation: {}
+  disallowSELinux: {}
+  preventNakedPods: {}
   protectNodeTaints:
-    enabled: false
-  requireEncryptionAwsLoadBalancers:
-    enabled: false
-  requireLabels:
-    enabled: false
+    background: false   # Checks only live during update, background checks not necessary
+  requireEncryptionAwsLoadBalancers: {}
+  requireLabels: {}
 #    requiredLabels:   # Key-value pairs of required labels and their values
 #      label1: "?*"
-  requireRoRootFs:
-    enabled: false
-  requireRunAsNonRoot:
-    enabled: false
-  requireRunAsNonRootUser:
-    enabled: false
-  restrictAppArmor:
-    enabled: false
-  restrictIngressWildcard:
-    enabled: false
-  restrictImageRegistries:
-    enabled: false
+  requireRoRootFs: {}
+  requireRunAsNonRoot: {}
+  requireRunAsNonRootUser: {}
+  restrictAppArmor: {}
+  restrictIngressWildcard: {}
+  restrictImageRegistries: {}
 #    allowedRegistries: "eu.foo.io/* | bar.io/*"   # Pipe separated list of allowed registries
-  restrictNodePort:
-    enabled: false
-  restrictSeccompStrict:
-    enabled: false
-  restrictServiceExternalIps:
-    enabled: false
-  restrictSysctls:
-    enabled: false
-  restrictVolumeTypes:
-    enabled: false
+  restrictNodePort: {}
+  restrictSeccompStrict: {}
+  restrictServiceExternalIps: {}
+  restrictSysctls: {}
+  restrictVolumeTypes: {}
 
 # -- List of extra manifests to deploy. Can be used to deploy your custom policies.
 extraManifests: []