From 1d38f8a417c9739eb5a1b28c5216f431d6939a73 Mon Sep 17 00:00:00 2001
From: Mohamed Awnallah
Date: Tue, 25 Jun 2024 04:08:29 +0300
Subject: [PATCH 1/2] multi: iterate all container types

In this commit, we ensure policies apply to `ephemeralContainers`, `initContainers`, and `containers`.

Signed-off-by: Mohamed Awnallah
---
 .../require-probes/require-probes.yaml | 2 +-
 .../set-karpenter-non-cpu-limits.yaml | 4 ++--
 .../add-certificates-volume.yaml | 2 +-
 .../add-image-as-env-var.yaml | 2 +-
 .../annotate-base-images.yaml | 2 +-
 .../block-images-with-volumes.yaml | 2 +-
 .../block-large-images.yaml | 2 +-
 .../block-stale-images.yaml | 2 +-
 other/check-nvidia-gpu/check-nvidia-gpu.yaml | 2 +-
 .../deny-commands-in-exec-probe.yaml | 8 +++----
 .../enforce-resources-as-ratio.yaml | 2 +-
 .../inject-env-var-from-image-label.yaml | 2 +-
 .../limit-containers-per-pod.yaml | 2 +-
 .../memory-requests-equal-limits.yaml | 6 ++---
 .../only-trustworthy-registries-set-root.yaml | 2 +-
 .../prepend-image-registry.yaml | 24 +++++++++++++++++++
 .../remove-hostpath-volumes.yaml | 2 +-
 .../remove-serviceaccount-token.yaml | 2 +-
 .../replace-image-registry-with-harbor.yaml | 15 ++++++++++++
 .../replace-image-registry.yaml | 19 +++++++++++++++
 .../require-base-image.yaml | 2 +-
 .../require-image-source.yaml | 2 +-
 .../require-qos-burstable.yaml | 4 ++--
 .../require-qos-guaranteed.yaml | 2 +-
 .../require-unique-uid-per-workload.yaml | 2 +-
 .../resolve-image-to-digest.yaml | 2 +-
 26 files changed, 88 insertions(+), 30 deletions(-)

diff --git a/best-practices/require-probes/require-probes.yaml b/best-practices/require-probes/require-probes.yaml
index ac3036c25..9a6b2d1be 100644
--- a/best-practices/require-probes/require-probes.yaml
+++ b/best-practices/require-probes/require-probes.yaml
@@ -36,7 +36,7 @@ spec:
 validate:
 message: "Liveness, readiness, or startup probes are required for all containers."
 foreach:
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 deny:
 conditions:
 all:
diff --git a/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml b/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml
index 37c18df68..0f5fdeb53 100644
--- a/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml
@@ -25,7 +25,7 @@ spec:
 - Pod
 mutate:
 foreach:
- - list: request.object.spec.containers
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 patchStrategicMerge:
 spec:
 containers:
@@ -43,7 +43,7 @@ spec:
 - Pod
 mutate:
 foreach:
- - list: request.object.spec.containers
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 patchStrategicMerge:
 spec:
 containers:
diff --git a/other/add-certificates-volume/add-certificates-volume.yaml b/other/add-certificates-volume/add-certificates-volume.yaml
index ea5b4732d..9897c96a5 100644
--- a/other/add-certificates-volume/add-certificates-volume.yaml
+++ b/other/add-certificates-volume/add-certificates-volume.yaml
@@ -36,7 +36,7 @@ spec:
 - UPDATE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 patchStrategicMerge:
 spec:
 containers:
diff --git a/other/add-image-as-env-var/add-image-as-env-var.yaml b/other/add-image-as-env-var/add-image-as-env-var.yaml
index 694fab416..5a3fe183a 100644
--- a/other/add-image-as-env-var/add-image-as-env-var.yaml
+++ b/other/add-image-as-env-var/add-image-as-env-var.yaml
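Review bot: Extending the `foreach` list in require-probes.yaml to `initContainers` and `ephemeralContainers` risks denying Pods that cannot comply: Kubernetes rejects probe fields on ephemeral containers, and ordinary init containers cannot define them either. The deny conditions continue outside this hunk, so this is inferred, but if they reject any element without a probe, every Pod with an init container and every `kubectl debug` session would fail admission. I would keep `- list: request.object.spec.containers[]` here, or filter out the container types that cannot define probes. The require-qos-guaranteed.yaml hunk has the same shape of problem, since its `pattern` demands `resources.requests` on elements that now include ephemeral containers, which cannot set resources.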
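Review bot: The `foreach` list in set-karpenter-non-cpu-limits.yaml now yields init and ephemeral containers, but the `patchStrategicMerge` in the trailing context still writes under `spec.containers`, so the patch is keyed against the wrong list for those elements. The patch body continues outside the hunk; if it merges by `name: "{{ element.name }}"`, an init container's name would either match nothing or be merged into `containers` as a new entry instead of updating the init container. The second hunk of this file and the add-certificates-volume.yaml hunk show the same `spec: containers:` context, and annotate-base-images, inject-env-var-from-image-label and resolve-image-to-digest should be checked as well, since their patch bodies are not visible in their hunks. I would use one `foreach` entry per container type, each patching its own key, the way prepend-image-registry.yaml does with a separate rule per type.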
@@ -26,7 +26,7 @@ spec:
 - Pod
 mutate:
 foreach:
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 patchesJson6902: |-
 - op: add
 path: /spec/containers/{{elementIndex}}/env/-
diff --git a/other/annotate-base-images/annotate-base-images.yaml b/other/annotate-base-images/annotate-base-images.yaml
index 8bdb7ccaa..92f032dff 100644
--- a/other/annotate-base-images/annotate-base-images.yaml
+++ b/other/annotate-base-images/annotate-base-images.yaml
@@ -33,7 +33,7 @@ spec:
 value: DELETE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/block-images-with-volumes/block-images-with-volumes.yaml b/other/block-images-with-volumes/block-images-with-volumes.yaml
index 6f536acd7..10f51b692 100644
--- a/other/block-images-with-volumes/block-images-with-volumes.yaml
+++ b/other/block-images-with-volumes/block-images-with-volumes.yaml
@@ -32,7 +32,7 @@ spec:
 validate:
 message: "Images containing built-in volumes are prohibited."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/block-large-images/block-large-images.yaml b/other/block-large-images/block-large-images.yaml
index b98c6e055..5b8af9f7a 100644
--- a/other/block-large-images/block-large-images.yaml
+++ b/other/block-large-images/block-large-images.yaml
@@ -32,7 +32,7 @@ spec:
 validate:
 message: "images with size greater than 2Gi not allowed"
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageSize
 imageRegistry:
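Review bot: `{{elementIndex}}` in add-image-as-env-var.yaml now counts positions in the flattened list of ephemeral, init and regular containers, while the patch path is still `/spec/containers/{{elementIndex}}/env/-`. For a Pod with one init container and one regular container, the init element has index 0 and its patch lands on `/spec/containers/0`, and the regular container's index 1 points past the end of `spec.containers`. The remove-hostpath-volumes.yaml and remove-serviceaccount-token.yaml hunks change the outer list of a nested `foreach` the same way; their JSON patch paths are outside the hunks but presumably index into `spec.containers` too, which for the hostPath policy would leave mounts on init containers in place. Keeping `- list: request.object.spec.containers[]` for this entry and adding a separate entry with its own path prefix for `initContainers` would keep index and path in step.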
diff --git a/other/block-stale-images/block-stale-images.yaml b/other/block-stale-images/block-stale-images.yaml
index 6aea5cebd..1b90c2480 100644
--- a/other/block-stale-images/block-stale-images.yaml
+++ b/other/block-stale-images/block-stale-images.yaml
@@ -26,7 +26,7 @@ spec:
 validate:
 message: "Images built more than 6 months ago are prohibited."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/check-nvidia-gpu/check-nvidia-gpu.yaml b/other/check-nvidia-gpu/check-nvidia-gpu.yaml
index c44194f96..439b86781 100644
--- a/other/check-nvidia-gpu/check-nvidia-gpu.yaml
+++ b/other/check-nvidia-gpu/check-nvidia-gpu.yaml
@@ -33,7 +33,7 @@ spec:
 validate:
 message: "Images which reserve NVIDIA GPUs must be built to use them."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml b/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
index 31e1c4420..06e5af964 100644
--- a/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
+++ b/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
@@ -26,7 +26,7 @@ spec:
 - Pod
 preconditions:
 all:
- - key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}"
+ - key: "{{ length(request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[] || `[]`) }}"
 operator: GreaterThan
 value: 0
 - key: "{{ request.operation }}"
@@ -40,12 +40,12 @@ spec:
 - key:
 - true
 operator: AnyIn
- value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
 - key:
 - true
 operator: AnyIn
- value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
 - key:
 - true
 operator: AnyIn
- value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
diff --git a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
index 5acc54620..89b6d5897 100644
--- a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
+++ b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
@@ -34,7 +34,7 @@ spec:
 validate:
 message: Limits may not exceed 2.5x the requests.
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 deny:
 conditions:
 any:
diff --git a/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml b/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml
index 7693ee375..056fea964 100644
--- a/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml
+++ b/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml
@@ -32,7 +32,7 @@ spec:
 value: DELETE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: maintainer
 imageRegistry:
diff --git a/other/limit-containers-per-pod/limit-containers-per-pod.yaml b/other/limit-containers-per-pod/limit-containers-per-pod.yaml
index c5fc9bd72..b67a2e735 100644
--- a/other/limit-containers-per-pod/limit-containers-per-pod.yaml
+++ b/other/limit-containers-per-pod/limit-containers-per-pod.yaml
@@ -35,6 +35,6 @@ spec:
 deny:
 conditions:
 any:
- - key: "{{request.object.spec.containers[] | length(@)}}"
+ - key: "{{request.object.spec.[ephemeralContainers, initContainers, containers][] | length(@)}}"
 operator: GreaterThan
 value: "4"
\ No newline at end of file
diff --git a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
index 9afeb8f06..6f6c01e75 100644
--- a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
+++ b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
@@ -27,6 +27,6 @@ spec:
 deny:
 conditions:
 any:
- - key: "{{ request.object.spec.containers[?resources.requests.memory!=resources.limits.memory] | length(@) }}"
- operator: NotEquals
- value: 0
+ - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][] | [?resources.requests.memory!=resources.limits.memory] | length(@) }}"
+ operator: GreaterThanOrEquals
+ value: 1
diff --git a/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml b/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
index 03d0a8c3b..374cc2f54 100644
--- a/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
+++ b/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
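Review bot: The limit of `"4"` in limit-containers-per-pod.yaml now counts init and ephemeral containers as well, which changes what the policy enforces without the policy text saying so. A Pod already at the limit can no longer receive a debug container, and Pods with several init containers may start failing admission. The validation message and description are outside the hunk; if they still speak of containers per Pod, they should state that all three types are counted, for example with a comment `# counts containers, initContainers and ephemeralContainers` above the key.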
@@ -32,7 +32,7 @@ spec:
 validate:
 message: "Images with root user are not allowed to be pulled from any registry other than ghcr.io."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/prepend-image-registry/prepend-image-registry.yaml b/other/prepend-image-registry/prepend-image-registry.yaml
index a1509349f..d393b772d 100644
--- a/other/prepend-image-registry/prepend-image-registry.yaml
+++ b/other/prepend-image-registry/prepend-image-registry.yaml
@@ -64,3 +64,27 @@ spec:
 initContainers:
 - name: "{{ element.name }}"
 image: registry.io/{{ images.initContainers."{{element.name}}".path}}:{{images.initContainers."{{element.name}}".tag}}
+ - name: prepend-registry-ephemeralContainers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: AnyIn
+ value:
+ - CREATE
+ - UPDATE
+ - key: "{{ request.object.spec.ephemeralContainers[] || '' | length(@) }}"
+ operator: GreaterThanOrEquals
+ value: 1
+ mutate:
+ foreach:
+ - list: "request.object.spec.ephemeralContainers"
+ patchStrategicMerge:
+ spec:
+ ephemeralContainers:
+ - name: "{{ element.name }}"
+ image: registry.io/{{ images.ephemeralContainers."{{element.name}}".path}}:{{images.ephemeralContainers."{{element.name}}".tag}}
diff --git a/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml b/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml
index 706ed941d..8be457d27 100644
--- a/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml
+++ b/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml
@@ -46,7 +46,7 @@ spec:
 patchesJson6902: |-
 - path: /spec/volumes/{{elementIndex}}
 op: remove
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 foreach:
 - list: " element.volumeMounts || `[]` "
 order: Descending
diff --git a/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml b/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml
index a8b1f9193..f6126a1be 100644
--- a/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml
+++ b/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml
@@ -58,7 +58,7 @@ spec:
 patchesJson6902: |-
 - path: /spec/volumes/{{elementIndex}}
 op: remove
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 foreach:
 - list: element.volumeMounts
 order: Descending
diff --git a/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml b/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml
index be06f4c42..9aea92067 100755
--- a/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml
+++ b/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml
@@ -61,3 +61,18 @@ spec:
 containers:
 - name: "{{ element.name }}"
 image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
+ - list: request.object.spec.ephemeralContainers[]
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "{{ element.image }}"
+ preconditions:
+ any:
+ - key: "{{imageData.registry}}"
+ operator: Equals
+ value: index.docker.io
+ patchStrategicMerge:
+ spec:
+ containers:
+ - name: "{{ element.name }}"
+ image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
diff --git a/other/replace-image-registry/replace-image-registry.yaml b/other/replace-image-registry/replace-image-registry.yaml
index 85df58aa0..48f79d01b 100644
--- a/other/replace-image-registry/replace-image-registry.yaml
+++ b/other/replace-image-registry/replace-image-registry.yaml
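Review bot: The new `ephemeralContainers[]` entry in replace-image-registry-with-harbor.yaml patches `spec: containers:` instead of `spec: ephemeralContainers:`, so the rewritten image is keyed against the regular container list and an ephemeral container pulled from `index.docker.io` keeps its original registry. The key under `patchStrategicMerge: spec:` should read `ephemeralContainers:`. The new rule `replace-image-registry-pod-ephemeralContainers` in replace-image-registry.yaml has the same copy-paste slip, with `initContainers:` under `patchStrategicMerge`. Both files' `digest` values in the second patch of this series would need recomputing after the fix.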
@@ -57,3 +57,22 @@ spec:
 initContainers:
 - name: "{{ element.name }}"
 image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
+ - name: replace-image-registry-pod-ephemeralContainers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
+ operator: GreaterThanOrEquals
+ value: 1
+ mutate:
+ foreach:
+ - list: "request.object.spec.ephemeralContainers"
+ patchStrategicMerge:
+ spec:
+ initContainers:
+ - name: "{{ element.name }}"
+ image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
diff --git a/other/require-base-image/require-base-image.yaml b/other/require-base-image/require-base-image.yaml
index 99f77be7c..ab243094f 100644
--- a/other/require-base-image/require-base-image.yaml
+++ b/other/require-base-image/require-base-image.yaml
@@ -37,7 +37,7 @@ spec:
 validate:
 message: "Images must specify a source/base image from which they are built."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/require-image-source/require-image-source.yaml b/other/require-image-source/require-image-source.yaml
index 3f475a19b..187336fc8 100644
--- a/other/require-image-source/require-image-source.yaml
+++ b/other/require-image-source/require-image-source.yaml
@@ -34,7 +34,7 @@ spec:
 validate:
 message: "The image source must be specified in a label or annotation."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/require-qos-burstable/require-qos-burstable.yaml b/other/require-qos-burstable/require-qos-burstable.yaml
index bbb5810e5..05956a907 100644
--- a/other/require-qos-burstable/require-qos-burstable.yaml
+++ b/other/require-qos-burstable/require-qos-burstable.yaml
@@ -32,7 +32,7 @@ spec:
 all:
 - key: requests
 operator: AnyNotIn
- value: "{{ request.object.spec.containers[].resources.keys(@)[] }}"
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].resources.keys(@)[] }}"
 - key: limits
 operator: AnyNotIn
- value: "{{ request.object.spec.containers[].resources.keys(@)[] }}"
\ No newline at end of file
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].resources.keys(@)[] }}"
\ No newline at end of file
diff --git a/other/require-qos-guaranteed/require-qos-guaranteed.yaml b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
index 8f1f0f3ac..9ae84f0c7 100644
--- a/other/require-qos-guaranteed/require-qos-guaranteed.yaml
+++ b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
@@ -29,7 +29,7 @@ spec:
 validate:
 message: "All containers must define memory and CPU requests and limits where they are equal."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 pattern:
 resources:
 requests:
diff --git a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
index 653b8edcb..d09095f54 100644
--- a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
+++ b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
@@ -46,6 +46,6 @@ spec:
 conditions:
 # this checks uids for ALL containers in any pod of the workload
 all:
- - key: "{{ request.object.spec.containers[].securityContext.to_string(runAsUser) }}"
+ - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.to_string(runAsUser) }}"
 operator: AnyIn
 value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
\ No newline at end of file
diff --git a/other/resolve-image-to-digest/resolve-image-to-digest.yaml b/other/resolve-image-to-digest/resolve-image-to-digest.yaml
index cfad5568e..aa980c510 100644
--- a/other/resolve-image-to-digest/resolve-image-to-digest.yaml
+++ b/other/resolve-image-to-digest/resolve-image-to-digest.yaml
@@ -30,7 +30,7 @@ spec:
 value: DELETE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: resolvedRef
 imageRegistry:
From 428be018feb9a35a73349b9ac504c212d9da1270 Mon Sep 17 00:00:00 2001
From: Mohamed Awnallah
Date: Tue, 25 Jun 2024 04:17:32 +0300
Subject: [PATCH 2/2] multi: compute sha256 of changed policies

In this commit, we compute sha256 of the changed policies using `sha256sum` utility for integrity.
Signed-off-by: Mohamed Awnallah
---
 best-practices/require-probes/artifacthub-pkg.yml | 2 +-
 karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml | 2 +-
 other/add-certificates-volume/artifacthub-pkg.yml | 2 +-
 other/add-image-as-env-var/artifacthub-pkg.yml | 2 +-
 other/annotate-base-images/artifacthub-pkg.yml | 2 +-
 other/block-images-with-volumes/artifacthub-pkg.yml | 2 +-
 other/block-large-images/artifacthub-pkg.yml | 2 +-
 other/block-stale-images/artifacthub-pkg.yml | 2 +-
 other/check-nvidia-gpu/artifacthub-pkg.yml | 2 +-
 other/deny-commands-in-exec-probe/artifacthub-pkg.yml | 2 +-
 other/enforce-resources-as-ratio/artifacthub-pkg.yml | 2 +-
 other/inject-env-var-from-image-label/artifacthub-pkg.yml | 2 +-
 other/limit-containers-per-pod/artifacthub-pkg.yml | 2 +-
 other/memory-requests-equal-limits/artifacthub-pkg.yml | 2 +-
 other/only-trustworthy-registries-set-root/artifacthub-pkg.yml | 2 +-
 other/prepend-image-registry/artifacthub-pkg.yml | 2 +-
 other/remove-hostpath-volumes/artifacthub-pkg.yml | 2 +-
 other/remove-serviceaccount-token/artifacthub-pkg.yml | 2 +-
 other/replace-image-registry-with-harbor/artifacthub-pkg.yml | 2 +-
 other/replace-image-registry/artifacthub-pkg.yml | 2 +-
 other/require-base-image/artifacthub-pkg.yml | 2 +-
 other/require-image-source/artifacthub-pkg.yml | 2 +-
 other/require-qos-burstable/artifacthub-pkg.yml | 2 +-
 other/require-qos-guaranteed/artifacthub-pkg.yml | 2 +-
 other/require-unique-uid-per-workload/artifacthub-pkg.yml | 2 +-
 other/resolve-image-to-digest/artifacthub-pkg.yml | 2 +-
 26 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/best-practices/require-probes/artifacthub-pkg.yml b/best-practices/require-probes/artifacthub-pkg.yml
index c3b224d6d..6847010b3 100644
--- a/best-practices/require-probes/artifacthub-pkg.yml
+++ b/best-practices/require-probes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
 annotations:
 kyverno/category: "Best Practices, EKS Best Practices"
 kyverno/subject: "Pod"
-digest: 8160370e07d5daa9a9ff342cc1c923015cadd3101e837f47af6fe2361e69993a
+digest: 69812a72c0862c71b4d384a2bf048ebda4b46a72fece31ac90bc62605d7c91ab
diff --git a/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml b/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
index d973e3cb6..3e44ed450 100644
--- a/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
+++ b/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
@@ -24,4 +24,4 @@ annotations:
 kyverno/category: "Karpenter, EKS Best Practices"
 kyverno/kubernetesVersion: "1.26"
 kyverno/subject: "Pod"
-digest: 93d84f8ba71d2bf87cb84d4174962cc50ecd0b0f9bb29f6fccb8a8a41d11b500
+digest: f1e76f16a57f31b55584f2dbd59caa7030d986efb80790147c9810e657840ea4
diff --git a/other/add-certificates-volume/artifacthub-pkg.yml b/other/add-certificates-volume/artifacthub-pkg.yml
index 1df0caaca..d84e36cb1 100644
--- a/other/add-certificates-volume/artifacthub-pkg.yml
+++ b/other/add-certificates-volume/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Sample"
 kyverno/kubernetesVersion: "1.21"
 kyverno/subject: "Pod,Volume"
-digest: d0bece92401b5c2c3fe482333fed5c09379d383934cd5bc860e416875a6d6267
+digest: f3ceb66ca299c702a2fbc2d709ff7f82c5a3dd82310b856eb0c3b1d5dab57e5d
diff --git a/other/add-image-as-env-var/artifacthub-pkg.yml b/other/add-image-as-env-var/artifacthub-pkg.yml
index 5b430ea7a..eb9ad1af5 100644
--- a/other/add-image-as-env-var/artifacthub-pkg.yml
+++ b/other/add-image-as-env-var/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.26"
 kyverno/subject: "Pod"
-digest: a2c5e16677bc0ff1b228b69256ed3cd374df954122cb3c1ef351d36931972136
+digest: 6ed53fcc80991a1d34382e66fe91a5fa5464673b64c4d4c88ce82fdbd010d61d
diff --git a/other/annotate-base-images/artifacthub-pkg.yml b/other/annotate-base-images/artifacthub-pkg.yml
index 041a03c77..aa424e6b2 100644
--- a/other/annotate-base-images/artifacthub-pkg.yml
+++ b/other/annotate-base-images/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 1aa592a7d3d49643b835c56d97220b9a8728ac3e2160d4be83fbe590db252e9a
+digest: e9660e4bc65e802d8b5be8c4705a9376cdf5686b699c79e363f9e1ec902d0441
diff --git a/other/block-images-with-volumes/artifacthub-pkg.yml b/other/block-images-with-volumes/artifacthub-pkg.yml
index 622735973..8011b5741 100644
--- a/other/block-images-with-volumes/artifacthub-pkg.yml
+++ b/other/block-images-with-volumes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 84345ccd7ae57215dd11b5248f811119d38dcb4648c749146c887ec6c7389940
+digest: b22bdab9f37335fe5f010a4ae44252a77aa4b2f72bb7b39a1b48f103e9a85c54
diff --git a/other/block-large-images/artifacthub-pkg.yml b/other/block-large-images/artifacthub-pkg.yml
index 5f5744e98..14771b73c 100644
--- a/other/block-large-images/artifacthub-pkg.yml
+++ b/other/block-large-images/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 3137003b33b29c736e18da96eba3c14b707a825053684304fe8a1f68c3fb7b03
+digest: 9b2d29ef8ea57f0da1c868da87866af0d91cbcc5416447e99b0dd581aa580d1c
diff --git a/other/block-stale-images/artifacthub-pkg.yml b/other/block-stale-images/artifacthub-pkg.yml
index 396c28038..e8a8d9dea 100644
--- a/other/block-stale-images/artifacthub-pkg.yml
+++ b/other/block-stale-images/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 8e0fab0441480492ab506e9401eda165e86156c63b8768953386dffe7a0efc6b
+digest: febc775e685b304d83a24be44159ff3c7525d7f7dc2fd1232a8f2c9958be4b2d
diff --git a/other/check-nvidia-gpu/artifacthub-pkg.yml b/other/check-nvidia-gpu/artifacthub-pkg.yml
index 810b6637c..5acbeb905 100644
--- a/other/check-nvidia-gpu/artifacthub-pkg.yml
+++ b/other/check-nvidia-gpu/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: e5286892d05b3b220ed0b9d8cad3ae4c50e2d394678758e3137661ab8c8b5648
+digest: d3b53c4acdf6efa6a3f3c55e62b1bf886c5380e13d01dcf4812577e1a1ae08f0
diff --git a/other/deny-commands-in-exec-probe/artifacthub-pkg.yml b/other/deny-commands-in-exec-probe/artifacthub-pkg.yml
index 324208d15..d68791d2f 100644
--- a/other/deny-commands-in-exec-probe/artifacthub-pkg.yml
+++ b/other/deny-commands-in-exec-probe/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.26"
 kyverno/subject: "Pod"
-digest: 3bd86d6873aa7380c01b621c0bfb468a7832ac2d03a5cda4fd8063a432d6d4d1
+digest: 7934e90f438fdb191a5e6a543cd579c938108a15fcc2c1323aed39235f6b7312
diff --git a/other/enforce-resources-as-ratio/artifacthub-pkg.yml b/other/enforce-resources-as-ratio/artifacthub-pkg.yml
index d39c3251f..7c3198dfd 100644
--- a/other/enforce-resources-as-ratio/artifacthub-pkg.yml
+++ b/other/enforce-resources-as-ratio/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: cf12c44542d243f69c182ef98ea13d14cf1761268193410cfbac79408c3c060e
+digest: 5dbddbb353688c86721b2f206e02eaf9675e97732c23ba8a488dd4c3342174fd
diff --git a/other/inject-env-var-from-image-label/artifacthub-pkg.yml b/other/inject-env-var-from-image-label/artifacthub-pkg.yml
index 1fbecf1a4..fa57daad4 100644
--- a/other/inject-env-var-from-image-label/artifacthub-pkg.yml
+++ b/other/inject-env-var-from-image-label/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 42f75a6b260b6b537291422dd43cb59492231dd34a4c398b56e13b54fb6d0475
+digest: e24260cbe86905615dd55fe220b69ed6b3b82b911e998b5c7b713b630b92f60b
diff --git a/other/limit-containers-per-pod/artifacthub-pkg.yml b/other/limit-containers-per-pod/artifacthub-pkg.yml
index 52beb9890..4b46637d7 100644
--- a/other/limit-containers-per-pod/artifacthub-pkg.yml
+++ b/other/limit-containers-per-pod/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
 kyverno/category: "Sample"
 kyverno/subject: "Pod"
-digest: 375b0ea0b5a26365b69af559cbbda54c352e8a13c838fdbbdcb9d3f01b4941e9
+digest: 8818000e91df5bba9115310da780e3cadbe402200aa8309fca49ea54d32afa84
diff --git a/other/memory-requests-equal-limits/artifacthub-pkg.yml b/other/memory-requests-equal-limits/artifacthub-pkg.yml
index 0eab5d3b2..1915719d6 100644
--- a/other/memory-requests-equal-limits/artifacthub-pkg.yml
+++ b/other/memory-requests-equal-limits/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
 kyverno/category: "Sample"
 kyverno/subject: "Pod"
-digest: 634be7d8371928ed519a4576f84751fd423ae3d3e6e9146bb2280910dc8954c5
+digest: f914d76c5f19c1a9bb10edc8fab73472d4813eb600bd4f6ef561b9f21975f068
diff --git a/other/only-trustworthy-registries-set-root/artifacthub-pkg.yml b/other/only-trustworthy-registries-set-root/artifacthub-pkg.yml
index 3ac90f4d1..36bf9020e 100644
--- a/other/only-trustworthy-registries-set-root/artifacthub-pkg.yml
+++ b/other/only-trustworthy-registries-set-root/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
 kyverno/category: "Other, EKS Best Practices"
 kyverno/kubernetesVersion: "1.22-1.23"
 kyverno/subject: "Pod"
-digest: 4543cc84b584a3a39e4e279cb032ce21e6dde1271bde7a55c0c3351ab4db722c
+digest: 38d6e34d41aa7047bfa80e6179a8cd130dd14624abd196417e7eddcadfc330ff
diff --git a/other/prepend-image-registry/artifacthub-pkg.yml b/other/prepend-image-registry/artifacthub-pkg.yml
index 261a4cf23..999db7032 100644
--- a/other/prepend-image-registry/artifacthub-pkg.yml
+++ b/other/prepend-image-registry/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.21"
 kyverno/subject: "Pod"
-digest: 6325c3d888d0dcba78dcbe2c29f3fe6730addb8c4dda2e3c97b48ff8d3873943
+digest: b87c75b91e96d54d5c6e3356a533295766b37b0175f328d4f2fc703a0def4b38
diff --git a/other/remove-hostpath-volumes/artifacthub-pkg.yml b/other/remove-hostpath-volumes/artifacthub-pkg.yml
index 5c230ed05..136c7c874 100644
--- a/other/remove-hostpath-volumes/artifacthub-pkg.yml
+++ b/other/remove-hostpath-volumes/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.25"
 kyverno/subject: "Pod,Volume"
-digest: ce19781cd972d0f15f3e52a330640d42df9adda5d8cd111ffc2f7b08c8eaf1fd
+digest: 65649a85d2f538961c881f7e97dd492f75b71b1ecbc37b1b2aed2b1b14c992b2
diff --git a/other/remove-serviceaccount-token/artifacthub-pkg.yml b/other/remove-serviceaccount-token/artifacthub-pkg.yml
index f5c86abc9..25b4e3594 100644
--- a/other/remove-serviceaccount-token/artifacthub-pkg.yml
+++ b/other/remove-serviceaccount-token/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.25"
 kyverno/subject: "Pod,ServiceAccount,Volume"
-digest: d23bd2501b0c893a15d5d956af131fbaa0d25e6278980e3ba6cce9608841bebd
+digest: d45cb1004833009f73346ab46c47bed7f3b4a733b93be43914217defd7002b50
diff --git a/other/replace-image-registry-with-harbor/artifacthub-pkg.yml b/other/replace-image-registry-with-harbor/artifacthub-pkg.yml
index d38d373cd..558514424 100755
--- a/other/replace-image-registry-with-harbor/artifacthub-pkg.yml
+++ b/other/replace-image-registry-with-harbor/artifacthub-pkg.yml
@@ -31,4 +31,4 @@ annotations:
 kyverno/category: "Sample"
 kyverno/kubernetesVersion: "1.27"
 kyverno/subject: "Pod"
-digest: 8f88cbddbaec89d29c062e6f6c8385b75f46b7d958954e637d686e82e893856c
\ No newline at end of file
+digest: 489642fcf09dcc59705fa58848796eafc1fa72be670f98e02b3ae3930f157f1d
diff --git a/other/replace-image-registry/artifacthub-pkg.yml b/other/replace-image-registry/artifacthub-pkg.yml
index c15d3cf8f..cea4fb7d9 100644
--- a/other/replace-image-registry/artifacthub-pkg.yml
+++ b/other/replace-image-registry/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Sample"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 9fde3b8caba3a05c5534b588fcd794975b8c1016004fa4ffdfb5bc4e93997e58
+digest: 72ee2c8a17b7232ac21bec317971add1383781c1227f18d279289a10771a7011
diff --git a/other/require-base-image/artifacthub-pkg.yml b/other/require-base-image/artifacthub-pkg.yml
index db651d988..dc5080e28 100644
--- a/other/require-base-image/artifacthub-pkg.yml
+++ b/other/require-base-image/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other, EKS Best Practices"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 23dcc8f9a56d36ceb6f45b8c7e76b450472e5c22a4a701bea37c25c8df68984e
+digest: 36ec28f78945a75ab650893cd252c2fdb80d4893bf6c340d4b68dca41e69d41d
diff --git a/other/require-image-source/artifacthub-pkg.yml b/other/require-image-source/artifacthub-pkg.yml
index b6e7f081d..0f9c29541 100644
--- a/other/require-image-source/artifacthub-pkg.yml
+++ b/other/require-image-source/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 439869ce881c7a4eea43180435dad9eb03c5c9c2cfae470822de7b988b2da514
+digest: bf8c40ca9999ad6c800c655264acb28313da5e8bd64476b3599e79c5ab410fd7
diff --git a/other/require-qos-burstable/artifacthub-pkg.yml b/other/require-qos-burstable/artifacthub-pkg.yml
index 99ef9e693..7c53e5840 100644
--- a/other/require-qos-burstable/artifacthub-pkg.yml
+++ b/other/require-qos-burstable/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
 annotations:
 kyverno/category: "Other, Multi-Tenancy"
 kyverno/subject: "Pod"
-digest: 306ca9dddcba820b33b51b41e32884d7f21cdbfd3d244bfb481688ba44d34b5c
+digest: d536f10874b7daea39019f4c28bfbae788ea2ec0f033fc31a7b5ec8dd18cd256
diff --git a/other/require-qos-guaranteed/artifacthub-pkg.yml b/other/require-qos-guaranteed/artifacthub-pkg.yml
index 5a67ea056..644b41e30 100644
--- a/other/require-qos-guaranteed/artifacthub-pkg.yml
+++ b/other/require-qos-guaranteed/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
 annotations:
 kyverno/category: "Other, Multi-Tenancy"
 kyverno/subject: "Pod"
-digest: 3ecceebb826c81f7b5519068a0148af2d3d45055ceff3ad31fd9b21551c1a904
+digest: 42f25ad34247c85f820f63c8c934a448bafff921994cafdc2fcd6b01a7e99428
diff --git a/other/require-unique-uid-per-workload/artifacthub-pkg.yml b/other/require-unique-uid-per-workload/artifacthub-pkg.yml
index e07b2f984..90b9f9fe5 100644
--- a/other/require-unique-uid-per-workload/artifacthub-pkg.yml
+++ b/other/require-unique-uid-per-workload/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.20"
 kyverno/subject: "Pod"
-digest: 5673faa10e2ca3fe1f6bc9d45f69e7deb22342fe9b4a4981a02b139f52773ef6
+digest: f343c431fc7ab575356771739380e4f76db94a02842a3ac0ed4e9d37ed016e0a
diff --git a/other/resolve-image-to-digest/artifacthub-pkg.yml b/other/resolve-image-to-digest/artifacthub-pkg.yml
index acc44752f..9b2786b38 100644
--- a/other/resolve-image-to-digest/artifacthub-pkg.yml
+++ b/other/resolve-image-to-digest/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Pod"
-digest: 17ee7c56d856f58ab55b7bb0222ca96224798f64b719fcb52ef5e017e7aee7f9
+digest: 08ea46a6dd8328b98a57b5d6cd7a746d93623bc679c5f21563f88ad07add15bc