diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b2bd02b7a7040db7ce8dd71744fc3cb5de2bada2..8b5f3deed50b75f0715386463ce9ed94b00fe23f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,57 +23,9 @@ jobs:
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
path: policies
-
- name: Validate all policies
- run: |
- #!/bin/bash
- set -euo pipefail
-
- # Loop through each policy directory in the repository
- for policy_dir in $(find "$GITHUB_WORKSPACE" -type d ! -name '.*' ! -path '*/\.*'); do
- # Skip the root directory
- if [[ "$policy_dir" == "$GITHUB_WORKSPACE" ]]; then
- continue
- fi
-
- # Skip directories that contain subdirectories
- if find "$policy_dir" -mindepth 1 -type d -print -quit | read; then
- # If it does, skip the filename validation
- continue
- fi
-
- # Get the name of the directory
- dir_name=$(basename "$policy_dir")
-
- # Skip if it is the CRDs directory
- if [[ $dir_name =~ ^.*CRDs.*$ ]]; then
- continue
- fi
-
- # Check if the directory name only contains alphanumeric characters and dashes
- if [[ ! $dir_name =~ ^[a-zA-Z0-9-]+$ ]]; then
- echo "Directory $dir_name contains invalid characters. Only alphanumeric characters and dashes are allowed."
- exit 1
- fi
-
- # Skip if the directory contains a kustomization.yaml file
- if [[ -f "$policy_dir/kustomization.yaml" ]]; then
- continue
- fi
-
- # Check if a .yml or .yaml file with the same name as the directory exists in the directory
- if [[ ! -f "$policy_dir/$dir_name.yml" ]] && [[ ! -f "$policy_dir/$dir_name.yaml" ]]; then
- echo "No .yml or .yaml file named $dir_name found in directory $policy_dir"
- exit 1
- fi
-
- # Validate that artifacthub-pkg.yml or artifacthub-pkg.yaml file is found in the same folder as the policy
- if [[ ! -f "$policy_dir/artifacthub-pkg.yml" ]] && [[ ! -f "$policy_dir/artifacthub-pkg.yaml" ]]; then
- echo "artifacthub-pkg.yml or artifacthub-pkg.yaml file is not found in the same folder as the policy in directory $policy_dir"
- exit 1
- fi
- done
-
+ run: ./.hack/verify-files-structure.sh
+ working-directory: policies
- name: Clone Kyverno
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
@@ -81,12 +33,10 @@ jobs:
path: kyverno
# The target branch of a pull request or the branch/tag of a push
ref: ${{ github.base_ref || github.ref_name }}
-
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ~1.21.1
-
- name: Test Policy
run: go run ./cmd/cli/kubectl-kyverno test ../policies
working-directory: kyverno
@@ -98,8 +48,8 @@ jobs:
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
path: policies
- - name: Clone Kyverno
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ - name: Checkout Kyverno
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
repository: kyverno/kyverno
path: kyverno
@@ -114,6 +64,9 @@ jobs:
set -e
KYVERNO_EXPERIMENTAL=true go run ./cmd/cli/kubectl-kyverno fix test . --save
working-directory: kyverno
+ - name: Check artifacthub-pkg digests
+ run: ./.hack/update-artifacthub-pkg.sh
+ working-directory: policies
- name: Check diff
run: |
set -e
diff --git a/.hack/update-artifacthub-pkg.sh b/.hack/update-artifacthub-pkg.sh
new file mode 100755
index 0000000000000000000000000000000000000000..7693a636440c1c7cef5202e497d156b0c755a583
--- /dev/null
+++ b/.hack/update-artifacthub-pkg.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SED=sed
+
+if [[ "$OSTYPE" == "darwin"* ]]; then
+ SED=gsed
+fi
+
+for FILE in $(find . -name "artifacthub-pkg.yml")
+do
+ FOLDER=$(dirname "$FILE")
+ POLICY=$(basename "$FOLDER")
+ POLICY_FILE="$FOLDER/$POLICY.yaml"
+ echo "Processing policy $POLICY ($POLICY_FILE) ..."
+ INSTALL="kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/${POLICY_FILE/.\//}"
+ $SED -i -z "s#install:.*\`\`\`#install: |-\n \`\`\`shell\n $INSTALL\n \`\`\`#" $FILE
+ DIGEST=$(shasum -U -a 256 "$POLICY_FILE" | cut -d" " -f 1)
+ echo " Digest: $DIGEST"
+ $SED -i "s/^digest:.*/digest: $DIGEST/" $FILE
+done
diff --git a/.hack/verify-files-structure.sh b/.hack/verify-files-structure.sh
new file mode 100755
index 0000000000000000000000000000000000000000..cf4ba88db4c80c5fb1fb9dbc35e790e50e5096e9
--- /dev/null
+++ b/.hack/verify-files-structure.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Loop through each policy directory in the repository
+for policy_dir in $(find "$GITHUB_WORKSPACE" -type d ! -name '.*' ! -path '*/\.*'); do
+ # Skip the root directory
+ if [[ "$policy_dir" == "$GITHUB_WORKSPACE" ]]; then
+ continue
+ fi
+
+ # Skip directories that contain subdirectories
+ if find "$policy_dir" -mindepth 1 -type d -print -quit | read; then
+ # If it does, skip the filename validation
+ continue
+ fi
+
+ # Get the name of the directory
+ dir_name=$(basename "$policy_dir")
+
+ # Skip if it is the CRDs directory
+ if [[ $dir_name =~ ^.*CRDs.*$ ]]; then
+ continue
+ fi
+
+ # Skip if it is the .hack directory
+ if [[ $dir_name == ".hack" ]]; then
+ continue
+ fi
+
+ # Check if the directory name only contains alphanumeric characters and dashes
+ if [[ ! $dir_name =~ ^[a-zA-Z0-9-]+$ ]]; then
+ echo "Directory $dir_name contains invalid characters. Only alphanumeric characters and dashes are allowed."
+ exit 1
+ fi
+
+ # Skip if the directory contains a kustomization.yaml file
+ if [[ -f "$policy_dir/kustomization.yaml" ]]; then
+ continue
+ fi
+
+ # Check if a .yml or .yaml file with the same name as the directory exists in the directory
+ if [[ ! -f "$policy_dir/$dir_name.yml" ]] && [[ ! -f "$policy_dir/$dir_name.yaml" ]]; then
+ echo "No .yml or .yaml file named $dir_name found in directory $policy_dir"
+ exit 1
+ fi
+
+ # Validate that artifacthub-pkg.yml or artifacthub-pkg.yaml file is found in the same folder as the policy
+ if [[ ! -f "$policy_dir/artifacthub-pkg.yml" ]] && [[ ! -f "$policy_dir/artifacthub-pkg.yaml" ]]; then
+ echo "artifacthub-pkg.yml or artifacthub-pkg.yaml file is not found in the same folder as the policy in directory $policy_dir"
+ exit 1
+ fi
+done
diff --git a/argo/application-field-validation/artifacthub-pkg.yml b/argo/application-field-validation/artifacthub-pkg.yml
index 9fe5482c00930f5b1754ab5b6d510b303732db29..e97a0a7af15cd6c1679d57b72b1d263f493ddd4a 100644
--- a/argo/application-field-validation/artifacthub-pkg.yml
+++ b/argo/application-field-validation/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Argo"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Application"
-digest: c8ad238bcb8b9014775649b68d78dc902dcd58d2b3d54c536b2ec99c0dc821da
+digest: d3fb7174f682520a3ab0f62c4430014fc3228b51b989d770f5546099f342f416
diff --git a/best-practices/add-rolebinding/artifacthub-pkg.yml b/best-practices/add-rolebinding/artifacthub-pkg.yml
index 91250c7aa4cc8d5766e04510285a5ac7170811a5..2760f06f70f412da4817440cdbb15b38857d96ff 100644
--- a/best-practices/add-rolebinding/artifacthub-pkg.yml
+++ b/best-practices/add-rolebinding/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Add RoleBinding
createdAt: "2023-04-10T19:47:15.000Z"
description: >-
Typically in multi-tenancy and other use cases, when a new Namespace is created, users and other principals must be given some permissions to create and interact with resources in the Namespace. Very commonly, Roles and RoleBindings are used to grant permissions at the Namespace level. This policy generates a RoleBinding called `<userName>-admin-binding` in the new Namespace which binds to the ClusterRole `admin` as long as a `cluster-admin` did not create the Namespace. Additionally, an annotation named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible for the Namespace's creation.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-rolebinding/add-rolebinding.yaml
```
diff --git a/best-practices/add-safe-to-evict/artifacthub-pkg.yml b/best-practices/add-safe-to-evict/artifacthub-pkg.yml
index 0f23500d5739e9df687b1cdedaac4ae959ded0e7..f0c0b32548831a283c849c5152b6cbd3a3d2f7e2 100644
--- a/best-practices/add-safe-to-evict/artifacthub-pkg.yml
+++ b/best-practices/add-safe-to-evict/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Add Safe To Evict
createdAt: "2023-04-10T19:47:15.000Z"
description: >-
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-safe-to-evict/add-safe-to-evict.yaml
```
diff --git a/best-practices/check-deprecated-apis/artifacthub-pkg.yml b/best-practices/check-deprecated-apis/artifacthub-pkg.yml
index d6b9232683edc74a875343aebe53396b764d9f7d..a3eb252f5a136590a1cf1ddde31b700dc085b525 100644
--- a/best-practices/check-deprecated-apis/artifacthub-pkg.yml
+++ b/best-practices/check-deprecated-apis/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Check deprecated APIs
createdAt: "2023-04-10T19:47:15.000Z"
description: >-
Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
```
diff --git a/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml b/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml
index 5c3278332b2d63da3e643714a685bed680d7b465..35a403ede20c74374f061d345a5b3a5122f69fcf 100644
--- a/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml
+++ b/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml
@@ -5,7 +5,7 @@ createdAt: "2023-04-10T19:47:15.000Z"
description: >-
An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.
install: |-
- ```shell
+ ```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
```
keywords:
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Ingress"
-digest: 4c8e14cfe546a3912985257916af8cdae9e8ed3c5b9c8710de0452b0780352e6
+digest: f9e70cf095e2d69a9586d7b8071975006e76aa715e5c978d37761c03ac6fc7fd
diff --git a/best-practices/require-ro-rootfs/artifacthub-pkg.yml b/best-practices/require-ro-rootfs/artifacthub-pkg.yml
index f533d207628674e4d147c25ebe372d568839ce8e..7538948183620b92e42ef5c90b443286e031e736 100644
--- a/best-practices/require-ro-rootfs/artifacthub-pkg.yml
+++ b/best-practices/require-ro-rootfs/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Best Practices, EKS Best Practices"
kyverno/subject: "Pod"
-digest: 6a96d468500f2d2d152dbde7a04a698c9cc62cc2975c04fb4c740dac187f5f4b
+digest: 27b193124b332e64884209f20617f5b5d2c3fc41b9a33265e971ec807b14ae14
diff --git a/castai/add-castai-removal-disabled/artifacthub-pkg.yml b/castai/add-castai-removal-disabled/artifacthub-pkg.yml
index 3761f4873cabcf5a2291fd05efd11f8a8579dcba..d4881894ba0d94e7ea1c4fd355627cbbd8d1fcc1 100644
--- a/castai/add-castai-removal-disabled/artifacthub-pkg.yml
+++ b/castai/add-castai-removal-disabled/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "CAST AI"
kyverno/kubernetesVersion: "1.25"
kyverno/subject: "Job, CronJob"
-digest: 18f7de8b701cdf06e44c82655aaa91c386e9e3b44da1e72e04423f2d2a04a4f7
+digest: 992992b1eb3573e61d58ecf18bf58a2df70ce647b69243bc1e2adcdc5cea30ce
diff --git a/external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml b/external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml
index 4b535482b37f5434b83ba573267d5f370d9dac7b..20b7ab3301b33f05e5551fbfac4292fc1db54043 100644
--- a/external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml
+++ b/external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "ExternalSecretOperator"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "ExternalSecret"
-digest: e37b41aabc7d65947ee0cdd0707601d3bc2e43ffd6bc87aef76d8620aca5c1b7
+digest: 8b8e211f173edc5ba55b5e11c2a4799da30eb59a8cf0dd442b215e1a9cf79514
diff --git a/istio/add-sidecar-injection-namespace/artifacthub-pkg.yml b/istio/add-sidecar-injection-namespace/artifacthub-pkg.yml
index 7f572dc4a9af57967e8a2e7c65b1479fb49b246c..e0dc59871f82b61fa1d2eaa05104fa0c9a3e8a60 100644
--- a/istio/add-sidecar-injection-namespace/artifacthub-pkg.yml
+++ b/istio/add-sidecar-injection-namespace/artifacthub-pkg.yml
@@ -5,7 +5,7 @@ createdAt: "2023-04-10T20:07:52.000Z"
description: >-
In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio-inject` set to `enabled` for all new Namespaces.
install: |-
- ```shell
+ ```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/add-sidecar-injection-namespace/add-sidecar-injection-namespace.yaml
```
keywords:
diff --git a/karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml b/karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml
index 178e871b39b9da416cee0dfca9b4963c976bb5b7..71289ef95710f7fedd00d7140dc2ae0874756c2f 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml
+++ b/karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml
@@ -27,4 +27,4 @@ annotations:
kyverno/category: "Karpenter"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "DaemonSet"
-digest: d362d0f39e827f364e3527542260994471420007e6624f4a992d8ce2963b01ac
+digest: 275bf6fb95839933a781efbcaeaea792cf1bd5d4af9833eb37fefc374aed26f3
diff --git a/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml b/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
index 9b4f29ea333c6187658b7e9ffda3414ff5945460..d973e3cb64930cceccaa9fb99288458c87f19714 100644
--- a/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
+++ b/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
@@ -24,4 +24,4 @@ annotations:
kyverno/category: "Karpenter, EKS Best Practices"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "Pod"
-digest: cd4fd255ac954d358ccff5df240fcd9ff441d3c53ac9629abc5c31118d9e9892
+digest: 93d84f8ba71d2bf87cb84d4174962cc50ecd0b0f9bb29f6fccb8a8a41d11b500
diff --git a/kubevirt/enforce-instancetype/artifacthub-pkg.yml b/kubevirt/enforce-instancetype/artifacthub-pkg.yml
index 886af02afb850c918dcac8685d63fb751a870f78..73d5da7bf4daec9a29ac82bb5b9901013681afdf 100644
--- a/kubevirt/enforce-instancetype/artifacthub-pkg.yml
+++ b/kubevirt/enforce-instancetype/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "KubeVirt"
kyverno/kubernetesVersion: "1.24-1.25"
kyverno/subject: "VirtualMachine"
-digest: fd5e58353ef32aab91803a63e1a1f95ff0e311344f33a88f99ebe37757e64990
+digest: b0d3d34707cb815c644f2ed54060f6d546655cfb58600618f61575ac355f3439
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
index 58d601f6c8aeee20c855ec4c435becd2072cdcb6..e6fb8f915b7d1a893a2e3e05d4820980d99fe8b7 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Disallow Custom Snippets
createdAt: "2023-04-10T20:23:06.000Z"
description: >-
Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
```
diff --git a/openshift/enforce-etcd-encryption/artifacthub-pkg.yml b/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
index 08c17fca87032521d8581528849e3ccc1f74f0ee..25e08a873cc0935d40420b402eac538fd3f1b554 100644
--- a/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
+++ b/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.20"
kyverno/subject: "APIServer"
-digest: d54ffd53d3d442062c5980b6333701a7b18477329422ad030912b1756d30c3a7
+digest: 52b34f10d90e6c15782ef1b861c42f0f16618ee7093fc7763fa24758e78c64b3
diff --git a/openshift/inject-infrastructurename/artifacthub-pkg.yml b/openshift/inject-infrastructurename/artifacthub-pkg.yml
index 2c6e0639d54abb686653903bde56160e309cd2ce..5f84ed178be9d3a42db5d5c63fc6e603d776a901 100644
--- a/openshift/inject-infrastructurename/artifacthub-pkg.yml
+++ b/openshift/inject-infrastructurename/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "OpenShift"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "MachineSet"
-digest: 3f9aaaeeea9c2bde0fb8398da2bb64437e73ea8d644031102369beaa7f73e32e
+digest: 55f4f0f016cfed1e26b0a3621fa3ced8cd89134ade53976dec7cd6d7b2d9911a
diff --git a/other/a/add-certificates-volume/artifacthub-pkg.yml b/other/a/add-certificates-volume/artifacthub-pkg.yml
index f91cf4e1547de5f690b64b4efed1d1474722904f..ee191a7c7bce1d32c1c3e12e7b68163765b3e030 100644
--- a/other/a/add-certificates-volume/artifacthub-pkg.yml
+++ b/other/a/add-certificates-volume/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.21"
kyverno/subject: "Pod,Volume"
-digest: 41e873cb02f9b6c18d454968681f9797f1c0f3d89dc1610a60581e1e710031fb
+digest: d0bece92401b5c2c3fe482333fed5c09379d383934cd5bc860e416875a6d6267
diff --git a/other/a/apply-pss-restricted-profile/artifacthub-pkg.yml b/other/a/apply-pss-restricted-profile/artifacthub-pkg.yml
index 85b6bea7651c8f9e657b01a199e16a1b8beab924..3c5f448f932e08ee347c19fd35c4e1fb727fe87e 100644
--- a/other/a/apply-pss-restricted-profile/artifacthub-pkg.yml
+++ b/other/a/apply-pss-restricted-profile/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 79ec68a13ec96ac3c01fe6d39eb6fa79e10ef936453e17a76b7d10dfe2c26d96
+digest: 5fe9842816e537b8cdb8d6f231ccf31cefa7e11a936ee38f787e329f7b63ba97
diff --git a/other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml b/other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml
index f68c02351b99245d8daa9579cb1ca18a0c168cb7..352c9b7cb56ebeaae7127f857e262232f04552c0 100644
--- a/other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml
+++ b/other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml
@@ -6,10 +6,10 @@ createdAt: "2023-05-18T00:00:00.000Z"
description: >-
In some cases we would want to block operations (CREATE/UPDATE/DELETE) of certain privileged users (i.e. cluster-admins), in a specific namespace.
In this policy, Kyverno look for all user operations (`CREATE, UPDATE, DELETE`), on every object kind (Pod,Deployment,Route,Service,etc.), in the testnamespace namespace, and for the `clusterRole cluster-admin`. The `subject User testuser` is also mentioned so it won’t include all the cluster-admins in the cluster, but will be flexiable enough to apply only for a sub-group of the cluster-admins in the cluster.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml
- ```
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml
+ ```
keywords:
- rbac
- cluster-admin
@@ -21,4 +21,4 @@ annotations:
policies.kyverno.io/category: other
policies.kyverno.io/subject: Namespace, ClusterRole, User
policies.kyverno.io/minversion: 1.9.0
-digest: 8b212d6056e1871537018ab93e1236f971b42a4c
+digest: 841724d983a9f27618678d596f30e20717115787e0f24304226b79d2e6b892e0
diff --git a/other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml b/other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml
index 554e7c675f4bd3995523a5099c82761371a7072d..44904649e220305e2be7a04a17cd1c83a7a02670 100644
--- a/other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml
+++ b/other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Block Pod Exec by Namespace Name
createdAt: "2023-04-10T20:30:03.000Z"
description: >-
The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods in a Namespace called `pci`.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml
```
diff --git a/other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml b/other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml
index 239681a165069fddb884e07cc4fbf498dc553e6e..a5e87adfda916b43fdc448f32c0c19c7a8331634 100644
--- a/other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml
+++ b/other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml
@@ -7,7 +7,6 @@ description: >-
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
- ``
```
keywords:
- kyverno
diff --git a/other/b-d/check-serviceaccount/artifacthub-pkg.yml b/other/b-d/check-serviceaccount/artifacthub-pkg.yml
index b417c9107110018a7043d592a90a0842e9c14f7e..cd590dee307b1af6baad8301cd3546e335bcec6c 100644
--- a/other/b-d/check-serviceaccount/artifacthub-pkg.yml
+++ b/other/b-d/check-serviceaccount/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Check ServiceAccount
createdAt: "2023-04-10T20:30:03.000Z"
description: >-
ServiceAccounts with privileges to create Pods may be able to do so and name a ServiceAccount other than the one used to create it. This policy checks the Pod, if created by a ServiceAccount, and ensures the `serviceAccountName` field matches the actual ServiceAccount.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/check-serviceaccount/check-serviceaccount.yaml
```
diff --git a/other/b-d/check-subjectaccessreview/artifacthub-pkg.yml b/other/b-d/check-subjectaccessreview/artifacthub-pkg.yml
index dff691839fb6d557917167a546c023c7deb8fabc..08e30c5288d2f684d69f55e6d4ba5d606913769c 100644
--- a/other/b-d/check-subjectaccessreview/artifacthub-pkg.yml
+++ b/other/b-d/check-subjectaccessreview/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Check SubjectAccessReview
createdAt: "2023-05-01T00:00:00.000Z"
description: >-
In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/check-subjectaccessreview/check-subjectaccessreview.yaml
```
diff --git a/other/b-d/cordon-and-drain-node/artifacthub-pkg.yml b/other/b-d/cordon-and-drain-node/artifacthub-pkg.yml
index 16935d99e4f71cd97f8e62774700ddfb3da07a4d..8e9a340b088bc631df6ad55a052d8e9eacce8cd7 100644
--- a/other/b-d/cordon-and-drain-node/artifacthub-pkg.yml
+++ b/other/b-d/cordon-and-drain-node/artifacthub-pkg.yml
@@ -6,7 +6,7 @@ description: >-
There are cases where either an operations or security incident may occur and Nodes should be evacuated and placed in an unused state for further analysis. For example, a Node is found to be running a vulnerable version of a CRI engine or kernel and to minimize chances of a compromise may need to be decommissioned so another can be built. This policy shows how to use Kyverno to both cordon and drain a given Node and uses a hypothetical label being written to it called `testing=drain` to illustrate the point. For production use, the match block should be modified to trigger on the appropriate condition.
install: |-
```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/b-d/cordon-and-drain-node/cordon-and-drain-node.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/cordon-and-drain-node/cordon-and-drain-node.yaml
```
keywords:
- kyverno
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "other"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "Node"
-digest: d9540eced93532fb54d51aa9ce0ca4d4b954737d6cc2eeb82687665bcfde826e
+digest: adbb84bccd2bb5f35c5987eb14aacc51e85a624124ce3281372607f92d6090bb
diff --git a/other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml b/other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml
index bfde9de3821640a59a2d935a48ebe815e1e6d00a..8de4665d3f2bbb6e6cbbdb5b11cc100fe1eaec3e 100644
--- a/other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml
+++ b/other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Add Pod Anti-Affinity
createdAt: "2023-04-10T20:30:03.000Z"
description: >-
Applications may involve multiple replicas of the same Pod for availability as well as scale purposes, yet Kubernetes does not by default provide a solution for availability. This policy sets a Pod anti-affinity configuration on Deployments which contain an `app` label if it is not already present.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/create-pod-antiaffinity/create-pod-antiaffinity.yaml
```
diff --git a/other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml b/other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml
index 19b45bb1778bf2ddcdd2e7718078f27a23922e9a..308e23268da1fbb16862a9192488aafdc5a1835a 100644
--- a/other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml
+++ b/other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml
@@ -5,7 +5,7 @@ createdAt: "2023-05-01T00:00:00.000Z"
description: >-
Developers may feel compelled to use simple shell commands as a workaround to creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged via detection of those commands. This policy prevents the use of certain commands `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
```
diff --git a/other/e-l/forbid-cpu-limits/artifacthub-pkg.yml b/other/e-l/forbid-cpu-limits/artifacthub-pkg.yml
index 2977e5a62995376cd3defa45b8dc11800352a700..a47ee4b0b61b705c03bf09dc981a54684809cf5a 100644
--- a/other/e-l/forbid-cpu-limits/artifacthub-pkg.yml
+++ b/other/e-l/forbid-cpu-limits/artifacthub-pkg.yml
@@ -6,7 +6,7 @@ description: >-
Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.
install: |-
```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/e-l/forbid-cpu-limits/forbid-cpu-limits.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/forbid-cpu-limits/forbid-cpu-limits.yaml
```
keywords:
- kyverno
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "Pod"
-digest: ab06fedd32b519429eff449321a29c84db403982f3732621b32188ce9c98f767
+digest: d83f7beccf5eacc5a32cfb36225689b76007755b2f4d04876db11f75459baa62
diff --git a/other/e-l/generate-networkpolicy-existing/artifacthub-pkg.yml b/other/e-l/generate-networkpolicy-existing/artifacthub-pkg.yml
index a4584c43e2840d8556de402e6d437609130e43c7..672a2467ff7f83e2fd325f2e5e9fff00b534ac33 100644
--- a/other/e-l/generate-networkpolicy-existing/artifacthub-pkg.yml
+++ b/other/e-l/generate-networkpolicy-existing/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Generate NetworkPolicy to Existing Namespaces
createdAt: "2023-04-10T20:30:04.000Z"
description: >-
A NetworkPolicy is often a critical piece when provisioning new Namespaces, but there may be existing Namespaces which also need the same resource. Creating each one individually or manipulating each Namespace in order to trigger creation is additional overhead. This policy creates a new NetworkPolicy for existing Namespaces which results in a default deny behavior and labels it with created-by=kyverno.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml
```
diff --git a/other/e-l/inject-sidecar-deployment/artifacthub-pkg.yml b/other/e-l/inject-sidecar-deployment/artifacthub-pkg.yml
index 3c9f685a94b3552fdf89d0bf7464c72f39e7c200..13aa3bfb4529d112f8ae75d2128856dfe885bbf3 100644
--- a/other/e-l/inject-sidecar-deployment/artifacthub-pkg.yml
+++ b/other/e-l/inject-sidecar-deployment/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Inject Sidecar Container
createdAt: "2023-04-10T20:30:04.000Z"
description: >-
The sidecar pattern is very common in Kubernetes whereby other applications can insert components via tacit modification of a submitted resource. This is, for example, often how service meshes and secrets applications are able to function transparently. This policy injects a sidecar container, initContainer, and volume into Pods that match an annotation called `vault.hashicorp.com/agent-inject: true`.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/inject-sidecar-deployment/inject-sidecar-deployment.yaml
```
diff --git a/other/e-l/inspect-csr/artifacthub-pkg.yml b/other/e-l/inspect-csr/artifacthub-pkg.yml
index c436d191583a6bb35f3c0c3ad879a6f5a7b9c2c4..518cfa71601598889f2ba83fc6905c200dd7e93c 100644
--- a/other/e-l/inspect-csr/artifacthub-pkg.yml
+++ b/other/e-l/inspect-csr/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Inspect CertificateSigningRequest
createdAt: "2023-04-25T00:00:00.000Z"
description: >-
The Kubernetes API includes a CertificateSigningRequest resource which can be used to generate a certificate for an entity. Because this API can be abused to create a long-lived credential, it is important to be able to audit this API to understand who/what is creating these CSRs and for what actors they are being created. This policy, intended to always be run in Audit mode and produce failure results in a Policy Report, inspects all incoming CertificateSigningRequests and writes out into the Policy Report information on who/what requested it and parsing the CSR to show the Subject information of that CSR resource.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/inspect-csr/inspect-csr.yaml
```
diff --git a/other/e-l/label-existing-namespaces/artifacthub-pkg.yml b/other/e-l/label-existing-namespaces/artifacthub-pkg.yml
index a237b6e7e64f6fc4d02b6569b556e71bf2fd09ee..2b28f6aa421d58b481a2a7d3fcf25fd1b5f77211 100644
--- a/other/e-l/label-existing-namespaces/artifacthub-pkg.yml
+++ b/other/e-l/label-existing-namespaces/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Label Existing Namespaces
createdAt: "2023-04-10T20:30:04.000Z"
description: >-
Namespaces which preexist may need to be labeled after the fact and it is time consuming to identify which ones should be labeled and either doing so manually or with a scripted approach. This policy, which triggers on any AdmissionReview request to any Namespace, will result in applying the label `mykey=myvalue` to all existing Namespaces. If this policy is updated to change the desired label key or value, it will cause another mutation which updates all Namespaces.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/label-existing-namespaces/label-existing-namespaces.yaml
```
diff --git a/other/e-l/limit-hostpath-vols/artifacthub-pkg.yml b/other/e-l/limit-hostpath-vols/artifacthub-pkg.yml
index 413065ccde09f28cd008d23d577df73ec658466d..7791b7bcd209bd7df0506c73c1f7102560f30ec6 100644
--- a/other/e-l/limit-hostpath-vols/artifacthub-pkg.yml
+++ b/other/e-l/limit-hostpath-vols/artifacthub-pkg.yml
@@ -7,7 +7,6 @@ description: >-
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/limit-hostpath-vols/limit-hostpath-vols.yaml
- ``
```
keywords:
- kyverno
diff --git a/other/m-q/mitigate-log4shell/artifacthub-pkg.yml b/other/m-q/mitigate-log4shell/artifacthub-pkg.yml
index 5f723fc84e8bee04793377e2a99c4cc9fb46b1de..597f86da57118c0fda06f42458d8b89daab4e3fc 100644
--- a/other/m-q/mitigate-log4shell/artifacthub-pkg.yml
+++ b/other/m-q/mitigate-log4shell/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Log4Shell Mitigation
createdAt: "2023-04-10T20:30:04.000Z"
description: >-
In response to CVE-2021-44228 referred to as Log4Shell, a RCE vulnerability in the Log4j library, a partial yet incomplete workaround for versions 2.10 to 2.14.1 of the library is to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". While this does provide some benefit by limiting exposure, there are still code paths which can exploit this vulnerability. It is highly recommended to upgrade log4j as soon as possible. See https://logging.apache.org/log4j/2.x/security.html for more details. This policy will mutate all initContainers and containers in an incoming Pod to add this environment variable automatically.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/m-q/mitigate-log4shell/mitigate-log4shell.yaml
```
diff --git a/other/m-q/namespace-protection/artifacthub-pkg.yml b/other/m-q/namespace-protection/artifacthub-pkg.yml
index 123f5a1c0b857a78e0e23386beb1b38fc697c938..568f487f4a07e17f6d57ed2e3cd02d1f2d833003 100644
--- a/other/m-q/namespace-protection/artifacthub-pkg.yml
+++ b/other/m-q/namespace-protection/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Namespace Protection
createdAt: "2023-04-10T20:30:04.000Z"
description: >-
Cases where RBAC may be applied at a higher level and where Namespace-level protections may be necessary can be accomplished with a separate policy. For example, one may want to protect creates, updates, and deletes on only a single Namespace. This policy will block creates, updates, and deletes to any Namespace labeled with `freeze=true`. Caution should be exercised when using rules which match on all kinds (`"*"`) as this will involve, for larger clusters, a substantial amount of processing on Kyverno's part. Additional resource requests and/or limits may be required.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/m-q/namespace-protection/namespace-protection.yaml
```
diff --git a/other/m-q/pdb-minavailable/artifacthub-pkg.yml b/other/m-q/pdb-minavailable/artifacthub-pkg.yml
index f64b7cdc0603194f414ba055ae6f7e841c816f87..57ebaf44d8b4d0ada32235388dff24dd8e0d0b05 100644
--- a/other/m-q/pdb-minavailable/artifacthub-pkg.yml
+++ b/other/m-q/pdb-minavailable/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "PodDisruptionBudget, Deployment, StatefulSet"
-digest: f5fb2bf91603f5fb0f607f5f15124ae0e931e60f0eb23c4b38ff0bc13b55c07b
+digest: bcb87ac5337aad2386c47726f85247202cdbaca62e62a6e96085adaddb7159e7
diff --git a/other/rec-req/remove-serviceaccount-token/artifacthub-pkg.yml b/other/rec-req/remove-serviceaccount-token/artifacthub-pkg.yml
index eacfa96d192931a34ceaeb254b41d9e4c6015505..b965f75a7c75ade7f1d027bf54be757631a41266 100644
--- a/other/rec-req/remove-serviceaccount-token/artifacthub-pkg.yml
+++ b/other/rec-req/remove-serviceaccount-token/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.25"
kyverno/subject: "Pod,ServiceAccount,Volume"
-digest: 43d3e00dc3547628d2efec1ed83f461f56b1e98ec5523836d067fd54b9aa6a2d
+digest: d23bd2501b0c893a15d5d956af131fbaa0d25e6278980e3ba6cce9608841bebd
diff --git a/other/res/restrict-ingress-host/artifacthub-pkg.yml b/other/res/restrict-ingress-host/artifacthub-pkg.yml
index 82bc0b0ca3972c603059400dddcc1c85dcd7fdac..a144695f2148e600c28acf04b4b266fa72fd7b28 100644
--- a/other/res/restrict-ingress-host/artifacthub-pkg.yml
+++ b/other/res/restrict-ingress-host/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Ingress"
-digest: 0f685d07e0611885d3614a013bf7a65cad34ea0d1e960c23724d715254a8dd07
+digest: 626994bf34517beb56b95c46ae5055dabd3173ab94b391c2806a76015b1f46fd
diff --git a/other/res/restrict-jobs/artifacthub-pkg.yml b/other/res/restrict-jobs/artifacthub-pkg.yml
index 07546d3f82cd49f25e4d1dfaa2e0a4773d73d134..b76770695bc986665cd918cc2cb0a2dac6ebe897 100644
--- a/other/res/restrict-jobs/artifacthub-pkg.yml
+++ b/other/res/restrict-jobs/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "Job"
-digest: 0dc990246332e0389cae2d6182a147137c5c6ffcd3f1fd9684437a90f45b75e5
+digest: a1945324de2d3e44b2edf57393a27c9348778a460df3cd020d9b2a40b28e4305
diff --git a/other/res/restrict-node-affinity/artifacthub-pkg.yml b/other/res/restrict-node-affinity/artifacthub-pkg.yml
index b44ac4a379ec74bdee02d787ecafa03a66a38f64..454e9fb899a7f3d21f26543fff26942880870451 100644
--- a/other/res/restrict-node-affinity/artifacthub-pkg.yml
+++ b/other/res/restrict-node-affinity/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Restrict Node Affinity
createdAt: "2023-04-10T20:30:06.000Z"
description: >-
Pods may use several mechanisms to prefer scheduling on a set of nodes, and nodeAffinity is one of them. nodeAffinity uses expressions to select eligible nodes for scheduling decisions and may override intended placement options by cluster administrators. This policy ensures that nodeAffinity is not used in a Pod spec.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/res/restrict-node-affinity/restrict-node-affinity.yaml
```
diff --git a/other/s-z/scale-deployment-zero/artifacthub-pkg.yml b/other/s-z/scale-deployment-zero/artifacthub-pkg.yml
index aeda2749b684e3337323f43088d73f4759d00aeb..86093d7bbb2a8c660cdf070e72f41b63347f86f8 100644
--- a/other/s-z/scale-deployment-zero/artifacthub-pkg.yml
+++ b/other/s-z/scale-deployment-zero/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Deployment"
-digest: e788ce3e9d3bec239e132a18bf021ef60922d73f7b3d31a7347cdcd730807f7f
+digest: 3fbc00dd9353159fa0ab0e13bd1a1c07f1b28bc49bd7ad63277241f11812aff3
diff --git a/other/s-z/unique-ingress-paths/artifacthub-pkg.yml b/other/s-z/unique-ingress-paths/artifacthub-pkg.yml
index bf066e6423cccc3f398dc2fb0c87b59f7ab1ac38..e18fb3d0ec365ee622a38e06f7f90f204b905f25 100644
--- a/other/s-z/unique-ingress-paths/artifacthub-pkg.yml
+++ b/other/s-z/unique-ingress-paths/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Ingress"
-digest: 6438f8a31d452b9c3b412ec330edd4efbc8865bb8b04019030c77b5c08b28add
+digest: b7d6475c0f1a2e885ffeec1b6840bfca32b8d690dbefe6646d3dca6b78fdc7b2
diff --git a/other/s-z/verify-manifest-integrity/artifacthub-pkg.yml b/other/s-z/verify-manifest-integrity/artifacthub-pkg.yml
index 20c1e8be0a5aba2c04e999797d22fd2239f65c49..d7f922ef447ff3294c3188ec7019e933fce0a225 100644
--- a/other/s-z/verify-manifest-integrity/artifacthub-pkg.yml
+++ b/other/s-z/verify-manifest-integrity/artifacthub-pkg.yml
@@ -6,7 +6,7 @@ description: >-
Verifying the integrity of resources is important to ensure no tampering has occurred, and in some cases this may need to be extended to certain YAML manifests deployed to Kubernetes. Starting in Kyverno 1.8, these manifests may be signed with Sigstore and the signature(s) validated to prevent this tampering while still allowing some exceptions on a per-field basis. This policy verifies Deployments are signed with the expected key but ignores the `spec.replicas` field allowing other teams to change just this value.
install: |-
```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/s-z/verify-manifest-integrity/verify-manifest-integrity.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/s-z/verify-manifest-integrity/verify-manifest-integrity.yaml
```
keywords:
- kyverno
diff --git a/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
index 7e691a39fb11daf54eecfb6125a6492b47c46f67..29a7671e8d64ba04f92932715f2a5eced0333acd 100644
--- a/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
-digest: 138e5cdd4c48ade80d49c0d7599a99285dec59834703ec333b4561916aa4f042
+digest: 424f0a6b33686600c40b6658dd67ebd4eb596e0975b01120ea994168a2e065c8
diff --git a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
index 455e3455916ea43a35c47048bac97973b8d27acc..02febf50450dbbd47b773d7eccd480deea7c2cfa 100644
--- a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
+++ b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -6,7 +6,7 @@ description: >-
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
install: |-
```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/strict/disallow-capabilities-strict/disallow-capabilities-strict.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
```
keywords:
- kyverno
diff --git a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
index 003f7c7556ca0278a188122ae1fc724365ead185..c90f47f8dae90ab4a810c416f356636fcdc43157 100644
--- a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
+++ b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Require runAsNonRoot
createdAt: "2023-04-10T23:16:53.000Z"
description: >-
Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
```
diff --git a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
index 75cd2ba6dd30b43f3dcb351c7c731c7e1419b023..d7b90f5139d480db4e9b1020c3409d8e13ef1498 100644
--- a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
+++ b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "Pod Security Standards (Restricted)"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod,Volume"
-digest: ae033e57fb11b5c713876efb465f102d3c7059440ae7e8e5dab4fef28117dde2
+digest: f050ec83c6176c4124cb678418bba7326d9885bd23ee9669e19761d8ec8a0cf2
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml b/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
index 6818d672998d712cb8c095abbea4576a4ac6d3c5..8f6f5ceb515b264f7a13112a49815b2477786f92 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Restricted Pod Security Standards with Container-Level Control Exem
createdAt: "2023-04-10T23:19:50.000Z"
description: >-
The restricted profile of the Pod Security Standards, which is inclusive of the baseline profile, is a collection of all the most common configurations that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile may be assigned to the cluster through a single rule. In some cases, specific exemptions must be made on a per-control basis. This policy configures the restricted profile through the latest version of the Pod Security Standards cluster wide while exempting `nginx` and `redis` container images from the Capabilities control check.
-install: |-
+install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml
```
diff --git a/psp-migration/add-apparmor/artifacthub-pkg.yml b/psp-migration/add-apparmor/artifacthub-pkg.yml
index e5f4b00f5019987d62d869b0e629bfda9e93bbab..dc6493807172bd162bfb8db61cbde4cbe7306a3e 100644
--- a/psp-migration/add-apparmor/artifacthub-pkg.yml
+++ b/psp-migration/add-apparmor/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "PSP Migration"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod,Annotation"
-digest: fc8cacbbf4086fe2da8ad7e4a635a4283c1e5d9cc27762a7a4ee06e407968bf5
+digest: 082461dca2f21839c429ac792fa4c8cb7a6a86639580345e124e541bf595332d
diff --git a/psp-migration/add-capabilities/artifacthub-pkg.yml b/psp-migration/add-capabilities/artifacthub-pkg.yml
index 01bb9b43012694b4088673e63eaf26c4e0cf9694..a021975589851837d2714cbe2763abf1eaeca6a8 100644
--- a/psp-migration/add-capabilities/artifacthub-pkg.yml
+++ b/psp-migration/add-capabilities/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "PSP Migration"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: 2d16b8adeb8826cfa2f90d56aab7bb3616d08b678fb978822e827f64bb115b5a
+digest: 5f25e343611f412f21608223ee89a3684280045469ce1053bc7a3418ee57a1c4
diff --git a/psp-migration/add-runtimeClassName/artifacthub-pkg.yml b/psp-migration/add-runtimeClassName/artifacthub-pkg.yml
index 3b9c48328bc968584439bd9903afaa26decb040b..898b74233a4096d4b28490e5167b01b2e0d6f149 100644
--- a/psp-migration/add-runtimeClassName/artifacthub-pkg.yml
+++ b/psp-migration/add-runtimeClassName/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "PSP Migration"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: 865b4bd0f95875c04b76057678b5c4146581414ca9b17fd10b719bd9e50145b1
+digest: 1c05ef4bd3486b75bda76a23da00b220229d3b38b5d22ffa141c779a28b2a15b
diff --git a/psp-migration/restrict-runtimeClassName/artifacthub-pkg.yml b/psp-migration/restrict-runtimeClassName/artifacthub-pkg.yml
index e9b2b443afadc56aae9cae24494dfb300a57c9fb..7aced0b92f3973be60dfb2e79588eac4dc3f400f 100644
--- a/psp-migration/restrict-runtimeClassName/artifacthub-pkg.yml
+++ b/psp-migration/restrict-runtimeClassName/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
kyverno/category: "PSP Migration"
kyverno/kubernetesVersion: "1.24"
kyverno/subject: "Pod"
-digest: 4ef56ff9a8131df118e9b52312c70ea17a6c785a0c55c6dc305859ce5da6b653
+digest: e4916e7d06c1fa8afeb2568c330a36c4e44b98a844002270ea2070ba8fae7752
diff --git a/velero/backup-all-volumes/artifacthub-pkg.yml b/velero/backup-all-volumes/artifacthub-pkg.yml
index 155dd95ba154d3e402853f6e95b1de956e96e73f..d971ac1835d2822a945f53816255e1735269d61f 100644
--- a/velero/backup-all-volumes/artifacthub-pkg.yml
+++ b/velero/backup-all-volumes/artifacthub-pkg.yml
@@ -11,9 +11,9 @@ description: >-
all volumes are listed in the aforementioned annotation if a Namespace with the label
`velero-backup-pvc=true`.
install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/backup-all-volumes/backup-all-volumes.yaml
- ```
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/backup-all-volumes/backup-all-volumes.yaml
+ ```
keywords:
- velero
- kyverno
diff --git a/velero/block-velero-restore/artifacthub-pkg.yml b/velero/block-velero-restore/artifacthub-pkg.yml
index 9dcffcb17af7316255b377f4a0785d0bed797e69..f4b815f13b5a1465584c8819967163236a5c7b5f 100644
--- a/velero/block-velero-restore/artifacthub-pkg.yml
+++ b/velero/block-velero-restore/artifacthub-pkg.yml
@@ -10,9 +10,9 @@ description: >-
It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace
then operation fails and warning message is throw.
install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/block-velero-restore/block-velero-restore.yaml
- ```
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/block-velero-restore/block-velero-restore.yaml
+ ```
keywords:
- velero
- kyverno
diff --git a/velero/validate-cron-schedule/artifacthub-pkg.yml b/velero/validate-cron-schedule/artifacthub-pkg.yml
index 303beb92177b20d2139d06840759eb85bc2e19f1..077c1291461aa47198c953541827a0a75463229b 100644
--- a/velero/validate-cron-schedule/artifacthub-pkg.yml
+++ b/velero/validate-cron-schedule/artifacthub-pkg.yml
@@ -7,9 +7,9 @@ description: >-
A Velero Schedule is given in Cron format and must be accurate to ensure
operation. This policy validates that the schedule is a valid Cron format.
install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/validate-cron-schedule/validate-cron-schedule.yaml
- ```
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/validate-cron-schedule/validate-cron-schedule.yaml
+ ```
keywords:
- velero
- kyverno