From fdc508b26a696ceb2cd3ae481d1f2c660dda59d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
 <charles.edouard@nirmata.com>
Date: Mon, 25 Sep 2023 21:57:06 +0200
Subject: [PATCH] chore: add script to update artifacthub digest (#769)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* chore: add script to update artifacthub digest

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* script

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* install

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* install

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix digest

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
 .github/workflows/ci.yml                      | 61 +++----------------
 .hack/update-artifacthub-pkg.sh               | 22 +++++++
 .hack/verify-files-structure.sh               | 53 ++++++++++++++++
 .../artifacthub-pkg.yml                       |  2 +-
 .../add-rolebinding/artifacthub-pkg.yml       |  2 +-
 .../add-safe-to-evict/artifacthub-pkg.yml     |  2 +-
 .../check-deprecated-apis/artifacthub-pkg.yml |  2 +-
 .../artifacthub-pkg.yml                       |  4 +-
 .../require-ro-rootfs/artifacthub-pkg.yml     |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../enforce-instancetype/artifacthub-pkg.yml  |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       | 10 +--
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  1 -
 .../check-serviceaccount/artifacthub-pkg.yml  |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../cordon-and-drain-node/artifacthub-pkg.yml |  4 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../e-l/forbid-cpu-limits/artifacthub-pkg.yml |  4 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 other/e-l/inspect-csr/artifacthub-pkg.yml     |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../limit-hostpath-vols/artifacthub-pkg.yml   |  1 -
 .../mitigate-log4shell/artifacthub-pkg.yml    |  2 +-
 .../namespace-protection/artifacthub-pkg.yml  |  2 +-
 .../m-q/pdb-minavailable/artifacthub-pkg.yml  |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../restrict-ingress-host/artifacthub-pkg.yml |  2 +-
 other/res/restrict-jobs/artifacthub-pkg.yml   |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../scale-deployment-zero/artifacthub-pkg.yml |  2 +-
 .../unique-ingress-paths/artifacthub-pkg.yml  |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../disallow-capabilities/artifacthub-pkg.yml |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../restrict-volume-types/artifacthub-pkg.yml |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 .../add-apparmor/artifacthub-pkg.yml          |  2 +-
 .../add-capabilities/artifacthub-pkg.yml      |  2 +-
 .../add-runtimeClassName/artifacthub-pkg.yml  |  2 +-
 .../artifacthub-pkg.yml                       |  2 +-
 velero/backup-all-volumes/artifacthub-pkg.yml |  6 +-
 .../block-velero-restore/artifacthub-pkg.yml  |  6 +-
 .../artifacthub-pkg.yml                       |  6 +-
 56 files changed, 146 insertions(+), 120 deletions(-)
 create mode 100755 .hack/update-artifacthub-pkg.sh
 create mode 100755 .hack/verify-files-structure.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b2bd02b7..8b5f3dee 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,57 +23,9 @@ jobs:
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           path: policies
-
       - name: Validate all policies
-        run: |
-          #!/bin/bash
-          set -euo pipefail
-
-          # Loop through each policy directory in the repository
-          for policy_dir in $(find "$GITHUB_WORKSPACE" -type d ! -name '.*' ! -path '*/\.*'); do
-            # Skip the root directory
-            if [[ "$policy_dir" == "$GITHUB_WORKSPACE" ]]; then
-              continue
-            fi
-
-            # Skip directories that contain subdirectories
-            if find "$policy_dir" -mindepth 1 -type d -print -quit | read; then
-              # If it does, skip the filename validation
-              continue
-            fi
-
-            # Get the name of the directory
-            dir_name=$(basename "$policy_dir")
-
-            # Skip if it is the CRDs directory
-            if [[ $dir_name =~ ^.*CRDs.*$ ]]; then
-              continue
-            fi
-
-            # Check if the directory name only contains alphanumeric characters and dashes
-            if [[ ! $dir_name =~ ^[a-zA-Z0-9-]+$ ]]; then
-              echo "Directory $dir_name contains invalid characters. Only alphanumeric characters and dashes are allowed."
-              exit 1
-            fi
-
-            # Skip if the directory contains a kustomization.yaml file
-            if [[ -f "$policy_dir/kustomization.yaml" ]]; then
-              continue
-            fi
-
-            # Check if a .yml or .yaml file with the same name as the directory exists in the directory
-            if [[ ! -f "$policy_dir/$dir_name.yml" ]] && [[ ! -f "$policy_dir/$dir_name.yaml" ]]; then
-              echo "No .yml or .yaml file named $dir_name found in directory $policy_dir"
-              exit 1
-            fi
-
-            # Validate that artifacthub-pkg.yml or artifacthub-pkg.yaml file is found in the same folder as the policy
-            if [[ ! -f "$policy_dir/artifacthub-pkg.yml" ]] && [[ ! -f "$policy_dir/artifacthub-pkg.yaml" ]]; then
-              echo "artifacthub-pkg.yml or artifacthub-pkg.yaml file is not found in the same folder as the policy in directory $policy_dir"
-              exit 1
-            fi
-          done  
-
+        run: ./.hack/verify-files-structure.sh
+        working-directory: policies
       - name: Clone Kyverno
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
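Review bot: `working-directory: policies` on the Validate step only affects how `./.hack/verify-files-structure.sh` is resolved; the script itself walks `$GITHUB_WORKSPACE`, the parent directory that later also receives the `kyverno` checkout. It works today because Clone Kyverno runs after this step, but reordering the steps would make the structure check scan the Kyverno tree. Running the script outside Actions also aborts under `set -u` because the variable is unset. Consider letting the script take its root from the caller, e.g. `root="${1:-$PWD}"`, so the step's working directory defines what is checked.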
@@ -81,12 +33,10 @@ jobs:
           path: kyverno
           # The target branch of a pull request or the branch/tag of a push
           ref: ${{ github.base_ref || github.ref_name }}
-
       - name: Set up Go 
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: ~1.21.1
-
       - name: Test Policy
         run: go run ./cmd/cli/kubectl-kyverno test ../policies
         working-directory: kyverno
@@ -98,8 +48,8 @@ jobs:
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           path: policies
-      - name: Clone Kyverno
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - name: Checkout Kyverno
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           repository: kyverno/kyverno
           path: kyverno
@@ -114,6 +64,9 @@ jobs:
           set -e
           KYVERNO_EXPERIMENTAL=true go run ./cmd/cli/kubectl-kyverno fix test . --save
         working-directory: kyverno
+      - name: Check artifacthub-pkg digests
+        run: ./.hack/update-artifacthub-pkg.sh
+        working-directory: policies
       - name: Check diff
         run: |
           set -e
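Review bot: The step named `Check artifacthub-pkg digests` checks nothing by itself: `update-artifacthub-pkg.sh` rewrites the `install:` and `digest:` fields in place, and a stale value is presumably only reported when the following `Check diff` step fails on the modified tree (its body continues outside this hunk). A name such as `Regenerate artifacthub-pkg metadata`, with a comment like `# rewrites files in place; the Check diff step below fails on drift`, would make that dependency explicit. The digest is recomputed from the policy file in the same change, so this guard detects metadata drift, not tampering with the policy itself.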
diff --git a/.hack/update-artifacthub-pkg.sh b/.hack/update-artifacthub-pkg.sh
new file mode 100755
index 00000000..7693a636
--- /dev/null
+++ b/.hack/update-artifacthub-pkg.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SED=sed
+
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    SED=gsed
+fi
+
+for FILE in $(find . -name "artifacthub-pkg.yml")
+do
+    FOLDER=$(dirname "$FILE")
+    POLICY=$(basename "$FOLDER")
+    POLICY_FILE="$FOLDER/$POLICY.yaml"
+    echo "Processing policy $POLICY ($POLICY_FILE) ..."
+    INSTALL="kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/${POLICY_FILE/.\//}"
+    $SED -i -z "s#install:.*\`\`\`#install: |-\n  \`\`\`shell\n  $INSTALL\n  \`\`\`#" $FILE
+    DIGEST=$(shasum -U -a 256 "$POLICY_FILE" | cut -d" " -f 1)
+    echo "  Digest: $DIGEST"
+    $SED -i "s/^digest:.*/digest: $DIGEST/" $FILE
+done
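Review bot: Repository paths reach `sed` unquoted and unescaped in this loop: `for FILE in $(find …)` and the bare `$FILE` arguments word-split on whitespace, and `$INSTALL`, built from the directory path, is spliced into the `s#…#…#` expression, so a directory name containing `#`, `&` or a backslash changes that expression. If this runs on pull requests (the workflow references `github.base_ref`), those names are contributor-chosen, and the allowlist in `verify-files-structure.sh` covers only leaf directories. Iterating NUL-delimited paths, quoting `"$FILE"` and rejecting paths outside a fixed character set would close this. Checking that `$POLICY_FILE` exists gives a clear error instead of a failed `shasum` after the `install:` field has already been rewritten. Separately, `install:.*` under `-z` is greedy up to the last triple backtick in the file, so a later fenced block (for example in `readme:`) would be swallowed; that is worth confirming against the existing packages.

```shell
while IFS= read -r -d '' FILE
do
    FOLDER=$(dirname "$FILE")
    POLICY=$(basename "$FOLDER")
    POLICY_FILE="$FOLDER/$POLICY.yaml"
    # The path is spliced into the sed expressions below: accept only
    # characters that are inert there.
    if [[ ! "$POLICY_FILE" =~ ^[A-Za-z0-9._/-]+$ ]]; then
        echo "Unexpected characters in path: $POLICY_FILE" >&2
        exit 1
    fi
    if [[ ! -f "$POLICY_FILE" ]]; then
        echo "Policy file not found: $POLICY_FILE" >&2
        exit 1
    fi
    # … unchanged: echo lines, INSTALL assignment, install: sed call (with "$FILE" quoted), DIGEST computation …
    $SED -i "s/^digest:.*/digest: $DIGEST/" "$FILE"
done < <(find . -name "artifacthub-pkg.yml" -print0)
```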
diff --git a/.hack/verify-files-structure.sh b/.hack/verify-files-structure.sh
new file mode 100755
index 00000000..cf4ba88d
--- /dev/null
+++ b/.hack/verify-files-structure.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Loop through each policy directory in the repository
+for policy_dir in $(find "$GITHUB_WORKSPACE" -type d ! -name '.*' ! -path '*/\.*'); do
+    # Skip the root directory
+    if [[ "$policy_dir" == "$GITHUB_WORKSPACE" ]]; then
+        continue
+    fi
+
+    # Skip directories that contain subdirectories
+    if find "$policy_dir" -mindepth 1 -type d -print -quit | read; then
+        # If it does, skip the filename validation
+        continue
+    fi
+
+    # Get the name of the directory
+    dir_name=$(basename "$policy_dir")
+
+    # Skip if it is the CRDs directory
+    if [[ $dir_name =~ ^.*CRDs.*$ ]]; then
+        continue
+    fi
+
+    # Skip if it is the .hack directory
+    if [[ $dir_name == ".hack" ]]; then
+        continue
+    fi
+
+    # Check if the directory name only contains alphanumeric characters and dashes
+    if [[ ! $dir_name =~ ^[a-zA-Z0-9-]+$ ]]; then
+        echo "Directory $dir_name contains invalid characters. Only alphanumeric characters and dashes are allowed."
+        exit 1
+    fi
+
+    # Skip if the directory contains a kustomization.yaml file
+    if [[ -f "$policy_dir/kustomization.yaml" ]]; then
+        continue
+    fi
+
+    # Check if a .yml or .yaml file with the same name as the directory exists in the directory
+    if [[ ! -f "$policy_dir/$dir_name.yml" ]] && [[ ! -f "$policy_dir/$dir_name.yaml" ]]; then
+        echo "No .yml or .yaml file named $dir_name found in directory $policy_dir"
+        exit 1
+    fi
+
+    # Validate that artifacthub-pkg.yml or artifacthub-pkg.yaml file is found in the same folder as the policy
+    if [[ ! -f "$policy_dir/artifacthub-pkg.yml" ]] && [[ ! -f "$policy_dir/artifacthub-pkg.yaml" ]]; then
+        echo "artifacthub-pkg.yml or artifacthub-pkg.yaml file is not found in the same folder as the policy in directory $policy_dir"
+        exit 1
+    fi
+done  
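Review bot: The character allowlist `^[a-zA-Z0-9-]+$` is applied only to leaf directories, because the `Skip directories that contain subdirectories` branch runs `continue` before the name check, so intermediate directory names are never validated. That matters more now that `update-artifacthub-pkg.sh` builds sed expressions from the full path. If intermediate names are meant to follow the same rule, move the name check above that branch. The new `.hack` branch looks unreachable, since `find` already filters dot-directories with `! -name '.*' ! -path '*/\.*'`; either drop it or mark it with a comment such as `# defensive: find already excludes dot-directories`.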
diff --git a/argo/application-field-validation/artifacthub-pkg.yml b/argo/application-field-validation/artifacthub-pkg.yml
index 9fe5482c..e97a0a7a 100644
--- a/argo/application-field-validation/artifacthub-pkg.yml
+++ b/argo/application-field-validation/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Argo"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Application"
-digest: c8ad238bcb8b9014775649b68d78dc902dcd58d2b3d54c536b2ec99c0dc821da
+digest: d3fb7174f682520a3ab0f62c4430014fc3228b51b989d770f5546099f342f416
diff --git a/best-practices/add-rolebinding/artifacthub-pkg.yml b/best-practices/add-rolebinding/artifacthub-pkg.yml
index 91250c7a..2760f06f 100644
--- a/best-practices/add-rolebinding/artifacthub-pkg.yml
+++ b/best-practices/add-rolebinding/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Add RoleBinding
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   Typically in multi-tenancy and other use cases, when a new Namespace is created, users and other principals must be given some permissions to create and interact with resources in the Namespace. Very commonly, Roles and RoleBindings are used to grant permissions at the Namespace level. This policy generates a RoleBinding called `<userName>-admin-binding` in the new Namespace which binds to the ClusterRole `admin` as long as a `cluster-admin` did not create the Namespace. Additionally, an annotation named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible for the Namespace's creation.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-rolebinding/add-rolebinding.yaml
   ```
diff --git a/best-practices/add-safe-to-evict/artifacthub-pkg.yml b/best-practices/add-safe-to-evict/artifacthub-pkg.yml
index 0f23500d..f0c0b325 100644
--- a/best-practices/add-safe-to-evict/artifacthub-pkg.yml
+++ b/best-practices/add-safe-to-evict/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Add Safe To Evict
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   The Kubernetes cluster autoscaler does not evict pods that  use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation  cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. 
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-safe-to-evict/add-safe-to-evict.yaml
   ```
diff --git a/best-practices/check-deprecated-apis/artifacthub-pkg.yml b/best-practices/check-deprecated-apis/artifacthub-pkg.yml
index d6b92326..a3eb252f 100644
--- a/best-practices/check-deprecated-apis/artifacthub-pkg.yml
+++ b/best-practices/check-deprecated-apis/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Check deprecated APIs
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
   ```
diff --git a/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml b/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml
index 5c327833..35a403ed 100644
--- a/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml
+++ b/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml
@@ -5,7 +5,7 @@ createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.
 install: |-
-  ```shell 
+  ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
   ```
 keywords:
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices"
   kyverno/subject: "Ingress"
-digest: 4c8e14cfe546a3912985257916af8cdae9e8ed3c5b9c8710de0452b0780352e6
+digest: f9e70cf095e2d69a9586d7b8071975006e76aa715e5c978d37761c03ac6fc7fd
diff --git a/best-practices/require-ro-rootfs/artifacthub-pkg.yml b/best-practices/require-ro-rootfs/artifacthub-pkg.yml
index f533d207..75389481 100644
--- a/best-practices/require-ro-rootfs/artifacthub-pkg.yml
+++ b/best-practices/require-ro-rootfs/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices, EKS Best Practices"
   kyverno/subject: "Pod"
-digest: 6a96d468500f2d2d152dbde7a04a698c9cc62cc2975c04fb4c740dac187f5f4b
+digest: 27b193124b332e64884209f20617f5b5d2c3fc41b9a33265e971ec807b14ae14
diff --git a/castai/add-castai-removal-disabled/artifacthub-pkg.yml b/castai/add-castai-removal-disabled/artifacthub-pkg.yml
index 3761f487..d4881894 100644
--- a/castai/add-castai-removal-disabled/artifacthub-pkg.yml
+++ b/castai/add-castai-removal-disabled/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "CAST AI"
   kyverno/kubernetesVersion: "1.25"
   kyverno/subject: "Job, CronJob"
-digest: 18f7de8b701cdf06e44c82655aaa91c386e9e3b44da1e72e04423f2d2a04a4f7
+digest: 992992b1eb3573e61d58ecf18bf58a2df70ce647b69243bc1e2adcdc5cea30ce
diff --git a/external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml b/external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml
index 4b535482..20b7ab33 100644
--- a/external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml
+++ b/external-secret-operator/add-external-secret-prefix/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "ExternalSecretOperator"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "ExternalSecret"
-digest: e37b41aabc7d65947ee0cdd0707601d3bc2e43ffd6bc87aef76d8620aca5c1b7
+digest: 8b8e211f173edc5ba55b5e11c2a4799da30eb59a8cf0dd442b215e1a9cf79514
diff --git a/istio/add-sidecar-injection-namespace/artifacthub-pkg.yml b/istio/add-sidecar-injection-namespace/artifacthub-pkg.yml
index 7f572dc4..e0dc5987 100644
--- a/istio/add-sidecar-injection-namespace/artifacthub-pkg.yml
+++ b/istio/add-sidecar-injection-namespace/artifacthub-pkg.yml
@@ -5,7 +5,7 @@ createdAt: "2023-04-10T20:07:52.000Z"
 description: >-
   In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio-inject` set to `enabled` for all new Namespaces.
 install: |-
-  ```shell 
+  ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/add-sidecar-injection-namespace/add-sidecar-injection-namespace.yaml
   ```
 keywords:
diff --git a/karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml b/karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml
index 178e871b..71289ef9 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml
+++ b/karpenter/add-karpenter-daemonset-priority-class/artifacthub-pkg.yml
@@ -27,4 +27,4 @@ annotations:
   kyverno/category: "Karpenter"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "DaemonSet"
-digest: d362d0f39e827f364e3527542260994471420007e6624f4a992d8ce2963b01ac
+digest: 275bf6fb95839933a781efbcaeaea792cf1bd5d4af9833eb37fefc374aed26f3
diff --git a/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml b/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
index 9b4f29ea..d973e3cb 100644
--- a/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
+++ b/karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
@@ -24,4 +24,4 @@ annotations:
   kyverno/category: "Karpenter, EKS Best Practices"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "Pod"
-digest: cd4fd255ac954d358ccff5df240fcd9ff441d3c53ac9629abc5c31118d9e9892
+digest: 93d84f8ba71d2bf87cb84d4174962cc50ecd0b0f9bb29f6fccb8a8a41d11b500
diff --git a/kubevirt/enforce-instancetype/artifacthub-pkg.yml b/kubevirt/enforce-instancetype/artifacthub-pkg.yml
index 886af02a..73d5da7b 100644
--- a/kubevirt/enforce-instancetype/artifacthub-pkg.yml
+++ b/kubevirt/enforce-instancetype/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "KubeVirt"
   kyverno/kubernetesVersion: "1.24-1.25"
   kyverno/subject: "VirtualMachine"
-digest: fd5e58353ef32aab91803a63e1a1f95ff0e311344f33a88f99ebe37757e64990
+digest: b0d3d34707cb815c644f2ed54060f6d546655cfb58600618f61575ac355f3439
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
index 58d601f6..e6fb8f91 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Disallow Custom Snippets
 createdAt: "2023-04-10T20:23:06.000Z"
 description: >-
   Users that can create or update ingress objects can use the custom snippets  feature to obtain all secrets in the cluster (CVE-2021-25742). This policy  disables allow-snippet-annotations in the ingress-nginx configuration and  blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
   ```
diff --git a/openshift/enforce-etcd-encryption/artifacthub-pkg.yml b/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
index 08c17fca..25e08a87 100644
--- a/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
+++ b/openshift/enforce-etcd-encryption/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "OpenShift"
   kyverno/kubernetesVersion: "1.20"
   kyverno/subject: "APIServer"
-digest: d54ffd53d3d442062c5980b6333701a7b18477329422ad030912b1756d30c3a7
+digest: 52b34f10d90e6c15782ef1b861c42f0f16618ee7093fc7763fa24758e78c64b3
diff --git a/openshift/inject-infrastructurename/artifacthub-pkg.yml b/openshift/inject-infrastructurename/artifacthub-pkg.yml
index 2c6e0639..5f84ed17 100644
--- a/openshift/inject-infrastructurename/artifacthub-pkg.yml
+++ b/openshift/inject-infrastructurename/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "OpenShift"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "MachineSet"
-digest: 3f9aaaeeea9c2bde0fb8398da2bb64437e73ea8d644031102369beaa7f73e32e
+digest: 55f4f0f016cfed1e26b0a3621fa3ced8cd89134ade53976dec7cd6d7b2d9911a
diff --git a/other/a/add-certificates-volume/artifacthub-pkg.yml b/other/a/add-certificates-volume/artifacthub-pkg.yml
index f91cf4e1..ee191a7c 100644
--- a/other/a/add-certificates-volume/artifacthub-pkg.yml
+++ b/other/a/add-certificates-volume/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Sample"
   kyverno/kubernetesVersion: "1.21"
   kyverno/subject: "Pod,Volume"
-digest: 41e873cb02f9b6c18d454968681f9797f1c0f3d89dc1610a60581e1e710031fb
+digest: d0bece92401b5c2c3fe482333fed5c09379d383934cd5bc860e416875a6d6267
diff --git a/other/a/apply-pss-restricted-profile/artifacthub-pkg.yml b/other/a/apply-pss-restricted-profile/artifacthub-pkg.yml
index 85b6bea7..3c5f448f 100644
--- a/other/a/apply-pss-restricted-profile/artifacthub-pkg.yml
+++ b/other/a/apply-pss-restricted-profile/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Other"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Pod"
-digest: 79ec68a13ec96ac3c01fe6d39eb6fa79e10ef936453e17a76b7d10dfe2c26d96
+digest: 5fe9842816e537b8cdb8d6f231ccf31cefa7e11a936ee38f787e329f7b63ba97
diff --git a/other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml b/other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml
index f68c0235..352c9b7c 100644
--- a/other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml
+++ b/other/b-d/block-cluster-admin-from-ns/artifacthub-pkg.yml
@@ -6,10 +6,10 @@ createdAt: "2023-05-18T00:00:00.000Z"
 description: >-
   In some cases we would want to block operations (CREATE/UPDATE/DELETE) of certain privileged users (i.e. cluster-admins), in a specific namespace.
           In this policy, Kyverno look for all user operations (`CREATE, UPDATE, DELETE`), on every object kind (Pod,Deployment,Route,Service,etc.), in the testnamespace namespace, and for the `clusterRole cluster-admin`. The `subject User testuser` is also mentioned so it won’t include all the cluster-admins in the cluster, but will be flexiable enough to apply only for a sub-group of the cluster-admins in the cluster.
-install: |- 
-    ```shell
-    kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml
-    ```   
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml
+  ```   
 keywords:
   - rbac
   - cluster-admin 
@@ -21,4 +21,4 @@ annotations:
   policies.kyverno.io/category: other
   policies.kyverno.io/subject: Namespace, ClusterRole, User
   policies.kyverno.io/minversion: 1.9.0
-digest: 8b212d6056e1871537018ab93e1236f971b42a4c
+digest: 841724d983a9f27618678d596f30e20717115787e0f24304226b79d2e6b892e0
diff --git a/other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml b/other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml
index 554e7c67..44904649 100644
--- a/other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml
+++ b/other/b-d/block-pod-exec-by-namespace/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Block Pod Exec by Namespace Name
 createdAt: "2023-04-10T20:30:03.000Z"
 description: >-
   The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods in a Namespace called `pci`.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml
   ```
diff --git a/other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml b/other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml
index 239681a1..a5e87adf 100644
--- a/other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml
+++ b/other/b-d/block-pod-exec-by-pod-name/artifacthub-pkg.yml
@@ -7,7 +7,6 @@ description: >-
 install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
-  ``
   ```
 keywords:
   - kyverno
diff --git a/other/b-d/check-serviceaccount/artifacthub-pkg.yml b/other/b-d/check-serviceaccount/artifacthub-pkg.yml
index b417c910..cd590dee 100644
--- a/other/b-d/check-serviceaccount/artifacthub-pkg.yml
+++ b/other/b-d/check-serviceaccount/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Check ServiceAccount
 createdAt: "2023-04-10T20:30:03.000Z"
 description: >-
   ServiceAccounts with privileges to create Pods may be able to do so and name a ServiceAccount other than the one used to create it. This policy checks the Pod, if created by a ServiceAccount, and ensures the `serviceAccountName` field matches the actual ServiceAccount.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/check-serviceaccount/check-serviceaccount.yaml
   ```
diff --git a/other/b-d/check-subjectaccessreview/artifacthub-pkg.yml b/other/b-d/check-subjectaccessreview/artifacthub-pkg.yml
index dff69183..08e30c52 100644
--- a/other/b-d/check-subjectaccessreview/artifacthub-pkg.yml
+++ b/other/b-d/check-subjectaccessreview/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Check SubjectAccessReview
 createdAt: "2023-05-01T00:00:00.000Z"
 description: >-
   In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/check-subjectaccessreview/check-subjectaccessreview.yaml
   ```
diff --git a/other/b-d/cordon-and-drain-node/artifacthub-pkg.yml b/other/b-d/cordon-and-drain-node/artifacthub-pkg.yml
index 16935d99..8e9a340b 100644
--- a/other/b-d/cordon-and-drain-node/artifacthub-pkg.yml
+++ b/other/b-d/cordon-and-drain-node/artifacthub-pkg.yml
@@ -6,7 +6,7 @@ description: >-
   There are cases where either an operations or security incident may occur and Nodes should be evacuated and placed in an unused state for further analysis. For example, a Node is found to be running a vulnerable version of a CRI engine or kernel and to minimize chances of a compromise may need to be decommissioned so another can be built. This policy shows how to use Kyverno to both cordon and drain a given Node and uses a hypothetical label being written to it called `testing=drain` to illustrate the point. For production use, the match block should be modified to trigger on the appropriate condition.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/b-d/cordon-and-drain-node/cordon-and-drain-node.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/cordon-and-drain-node/cordon-and-drain-node.yaml
   ```
 keywords:
   - kyverno
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "other"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "Node"
-digest: d9540eced93532fb54d51aa9ce0ca4d4b954737d6cc2eeb82687665bcfde826e
+digest: adbb84bccd2bb5f35c5987eb14aacc51e85a624124ce3281372607f92d6090bb
diff --git a/other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml b/other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml
index bfde9de3..8de4665d 100644
--- a/other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml
+++ b/other/b-d/create-pod-antiaffinity/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Add Pod Anti-Affinity
 createdAt: "2023-04-10T20:30:03.000Z"
 description: >-
   Applications may involve multiple replicas of the same Pod for availability as well as scale purposes, yet Kubernetes does not by default provide a solution for availability. This policy sets a Pod anti-affinity configuration on Deployments which contain an `app` label if it is not already present.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/create-pod-antiaffinity/create-pod-antiaffinity.yaml
   ```
diff --git a/other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml b/other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml
index 19b45bb1..308e2326 100644
--- a/other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml
+++ b/other/b-d/deny-commands-in-exec-probe/artifacthub-pkg.yml
@@ -5,7 +5,7 @@ createdAt: "2023-05-01T00:00:00.000Z"
 description: >-
   Developers may feel compelled to use simple shell commands as a workaround to creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged via detection of those commands. This policy prevents the use of certain commands `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe.
 
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/b-d/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
   ```
diff --git a/other/e-l/forbid-cpu-limits/artifacthub-pkg.yml b/other/e-l/forbid-cpu-limits/artifacthub-pkg.yml
index 2977e5a6..a47ee4b0 100644
--- a/other/e-l/forbid-cpu-limits/artifacthub-pkg.yml
+++ b/other/e-l/forbid-cpu-limits/artifacthub-pkg.yml
@@ -6,7 +6,7 @@ description: >-
   Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/e-l/forbid-cpu-limits/forbid-cpu-limits.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/forbid-cpu-limits/forbid-cpu-limits.yaml
   ```
 keywords:
   - kyverno
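Review bot: The corrected `kubectl apply -f` URL on the new side still resolves against the mutable `main` branch, so the manifest a reader applies is whatever that branch holds at fetch time and is not tied to the `digest` recorded further down in this same file. Consider documenting an immutable ref instead, e.g. `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/<tag-or-commit-sha>/other/e-l/forbid-cpu-limits/forbid-cpu-limits.yaml` (the ref is a placeholder), or telling readers to download the file and compare its hash with `digest` before applying it. The same applies to the other install URLs this patch touches, such as the one in `pod-security/restricted/disallow-capabilities-strict`. Both of those hunks fix a wrong path segment, so a check that the URL path matches the package directory would be worth having if the verify script added in this commit does not already cover it. The `keywords` list continues past the end of this hunk.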
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Other"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "Pod"
-digest: ab06fedd32b519429eff449321a29c84db403982f3732621b32188ce9c98f767
+digest: d83f7beccf5eacc5a32cfb36225689b76007755b2f4d04876db11f75459baa62
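Review bot: The new `digest` value is written as a bare plain scalar, and nothing visible here shows what it is verified against. Quote it, `digest: "d83f7beccf5eacc5a32cfb36225689b76007755b2f4d04876db11f75459baa62"`, so that a hash made up only of digits (or digits with a single `e`) can never be re-typed as a number by a YAML loader. The value changes here with no policy change visible alongside it, so the previous digest was presumably stale. A CI step that recomputes the hash (presumably SHA-256 of the policy manifest) and fails on mismatch would stop that from recurring, if the workflow change in this commit does not already do so. This holds for the other digest-only hunks in the patch as well.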
diff --git a/other/e-l/generate-networkpolicy-existing/artifacthub-pkg.yml b/other/e-l/generate-networkpolicy-existing/artifacthub-pkg.yml
index a4584c43..672a2467 100644
--- a/other/e-l/generate-networkpolicy-existing/artifacthub-pkg.yml
+++ b/other/e-l/generate-networkpolicy-existing/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Generate NetworkPolicy to Existing Namespaces
 createdAt: "2023-04-10T20:30:04.000Z"
 description: >-
   A NetworkPolicy is often a critical piece when provisioning new Namespaces, but there may be existing Namespaces which also need the same resource. Creating each one individually or manipulating each Namespace in order to trigger creation is additional overhead. This policy creates a new NetworkPolicy for existing Namespaces which results in a default deny behavior and labels it with created-by=kyverno.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml
   ```
diff --git a/other/e-l/inject-sidecar-deployment/artifacthub-pkg.yml b/other/e-l/inject-sidecar-deployment/artifacthub-pkg.yml
index 3c9f685a..13aa3bfb 100644
--- a/other/e-l/inject-sidecar-deployment/artifacthub-pkg.yml
+++ b/other/e-l/inject-sidecar-deployment/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Inject Sidecar Container
 createdAt: "2023-04-10T20:30:04.000Z"
 description: >-
   The sidecar pattern is very common in Kubernetes whereby other applications can insert components via tacit modification of a submitted resource. This is, for example, often how service meshes and secrets applications are able to function transparently. This policy injects a sidecar container, initContainer, and volume into Pods that match an annotation called `vault.hashicorp.com/agent-inject: true`.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/inject-sidecar-deployment/inject-sidecar-deployment.yaml
   ```
diff --git a/other/e-l/inspect-csr/artifacthub-pkg.yml b/other/e-l/inspect-csr/artifacthub-pkg.yml
index c436d191..518cfa71 100644
--- a/other/e-l/inspect-csr/artifacthub-pkg.yml
+++ b/other/e-l/inspect-csr/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Inspect CertificateSigningRequest
 createdAt: "2023-04-25T00:00:00.000Z"
 description: >-
   The Kubernetes API includes a CertificateSigningRequest resource which can be used to generate a certificate for an entity. Because this API can be abused to create a long-lived credential, it is important to be able to audit this API to understand who/what is creating these CSRs and for what actors they are being created. This policy, intended to always be run in Audit mode and produce failure results in a Policy Report, inspects all incoming CertificateSigningRequests and writes out into the Policy Report information on who/what requested it and parsing the CSR to show the Subject information of that CSR resource.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/inspect-csr/inspect-csr.yaml
   ```
diff --git a/other/e-l/label-existing-namespaces/artifacthub-pkg.yml b/other/e-l/label-existing-namespaces/artifacthub-pkg.yml
index a237b6e7..2b28f6aa 100644
--- a/other/e-l/label-existing-namespaces/artifacthub-pkg.yml
+++ b/other/e-l/label-existing-namespaces/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Label Existing Namespaces
 createdAt: "2023-04-10T20:30:04.000Z"
 description: >-
   Namespaces which preexist may need to be labeled after the fact and it is time consuming to identify which ones should be labeled and either doing so manually or with a scripted approach. This policy, which triggers on any AdmissionReview request to any Namespace, will result in applying the label `mykey=myvalue` to all existing Namespaces. If this policy is updated to change the desired label key or value, it will cause another mutation which updates all Namespaces.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/label-existing-namespaces/label-existing-namespaces.yaml
   ```
diff --git a/other/e-l/limit-hostpath-vols/artifacthub-pkg.yml b/other/e-l/limit-hostpath-vols/artifacthub-pkg.yml
index 413065cc..7791b7bc 100644
--- a/other/e-l/limit-hostpath-vols/artifacthub-pkg.yml
+++ b/other/e-l/limit-hostpath-vols/artifacthub-pkg.yml
@@ -7,7 +7,6 @@ description: >-
 install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/e-l/limit-hostpath-vols/limit-hostpath-vols.yaml
-  ``
   ```
 keywords:
   - kyverno
diff --git a/other/m-q/mitigate-log4shell/artifacthub-pkg.yml b/other/m-q/mitigate-log4shell/artifacthub-pkg.yml
index 5f723fc8..597f86da 100644
--- a/other/m-q/mitigate-log4shell/artifacthub-pkg.yml
+++ b/other/m-q/mitigate-log4shell/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Log4Shell Mitigation
 createdAt: "2023-04-10T20:30:04.000Z"
 description: >-
   In response to CVE-2021-44228 referred to as Log4Shell, a RCE vulnerability in the Log4j library, a partial yet incomplete workaround for versions 2.10 to 2.14.1 of the library is to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". While this does provide some benefit by limiting exposure, there are still code paths which can exploit this vulnerability. It is highly recommended to upgrade log4j as soon as possible. See https://logging.apache.org/log4j/2.x/security.html for more details. This policy will mutate all initContainers and containers in an incoming Pod to add this environment variable automatically.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/m-q/mitigate-log4shell/mitigate-log4shell.yaml
   ```
diff --git a/other/m-q/namespace-protection/artifacthub-pkg.yml b/other/m-q/namespace-protection/artifacthub-pkg.yml
index 123f5a1c..568f487f 100644
--- a/other/m-q/namespace-protection/artifacthub-pkg.yml
+++ b/other/m-q/namespace-protection/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Namespace Protection
 createdAt: "2023-04-10T20:30:04.000Z"
 description: >-
   Cases where RBAC may be applied at a higher level and where Namespace-level protections may be necessary can be accomplished with a separate policy. For example, one may want to protect creates, updates, and deletes on only a single Namespace. This policy will block creates, updates, and deletes to any Namespace labeled with `freeze=true`. Caution should be exercised when using rules which match on all kinds (`"*"`) as this will involve, for larger clusters, a substantial amount of processing on Kyverno's part. Additional resource requests and/or limits may be required.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/m-q/namespace-protection/namespace-protection.yaml
   ```
diff --git a/other/m-q/pdb-minavailable/artifacthub-pkg.yml b/other/m-q/pdb-minavailable/artifacthub-pkg.yml
index f64b7cdc..57ebaf44 100644
--- a/other/m-q/pdb-minavailable/artifacthub-pkg.yml
+++ b/other/m-q/pdb-minavailable/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Other"
   kyverno/kubernetesVersion: "1.24"
   kyverno/subject: "PodDisruptionBudget, Deployment, StatefulSet"
-digest: f5fb2bf91603f5fb0f607f5f15124ae0e931e60f0eb23c4b38ff0bc13b55c07b
+digest: bcb87ac5337aad2386c47726f85247202cdbaca62e62a6e96085adaddb7159e7
diff --git a/other/rec-req/remove-serviceaccount-token/artifacthub-pkg.yml b/other/rec-req/remove-serviceaccount-token/artifacthub-pkg.yml
index eacfa96d..b965f75a 100644
--- a/other/rec-req/remove-serviceaccount-token/artifacthub-pkg.yml
+++ b/other/rec-req/remove-serviceaccount-token/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Other"
   kyverno/kubernetesVersion: "1.25"
   kyverno/subject: "Pod,ServiceAccount,Volume"
-digest: 43d3e00dc3547628d2efec1ed83f461f56b1e98ec5523836d067fd54b9aa6a2d
+digest: d23bd2501b0c893a15d5d956af131fbaa0d25e6278980e3ba6cce9608841bebd
diff --git a/other/res/restrict-ingress-host/artifacthub-pkg.yml b/other/res/restrict-ingress-host/artifacthub-pkg.yml
index 82bc0b0c..a144695f 100644
--- a/other/res/restrict-ingress-host/artifacthub-pkg.yml
+++ b/other/res/restrict-ingress-host/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Sample"
   kyverno/subject: "Ingress"
-digest: 0f685d07e0611885d3614a013bf7a65cad34ea0d1e960c23724d715254a8dd07
+digest: 626994bf34517beb56b95c46ae5055dabd3173ab94b391c2806a76015b1f46fd
diff --git a/other/res/restrict-jobs/artifacthub-pkg.yml b/other/res/restrict-jobs/artifacthub-pkg.yml
index 07546d3f..b7677069 100644
--- a/other/res/restrict-jobs/artifacthub-pkg.yml
+++ b/other/res/restrict-jobs/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Other"
   kyverno/kubernetesVersion: "1.26"
   kyverno/subject: "Job"
-digest: 0dc990246332e0389cae2d6182a147137c5c6ffcd3f1fd9684437a90f45b75e5
+digest: a1945324de2d3e44b2edf57393a27c9348778a460df3cd020d9b2a40b28e4305
diff --git a/other/res/restrict-node-affinity/artifacthub-pkg.yml b/other/res/restrict-node-affinity/artifacthub-pkg.yml
index b44ac4a3..454e9fb8 100644
--- a/other/res/restrict-node-affinity/artifacthub-pkg.yml
+++ b/other/res/restrict-node-affinity/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Restrict Node Affinity
 createdAt: "2023-04-10T20:30:06.000Z"
 description: >-
   Pods may use several mechanisms to prefer scheduling on a set of nodes, and nodeAffinity is one of them. nodeAffinity uses expressions to select eligible nodes for scheduling decisions and may override intended placement options by cluster administrators. This policy ensures that nodeAffinity is not used in a Pod spec.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/res/restrict-node-affinity/restrict-node-affinity.yaml
   ```
diff --git a/other/s-z/scale-deployment-zero/artifacthub-pkg.yml b/other/s-z/scale-deployment-zero/artifacthub-pkg.yml
index aeda2749..86093d7b 100644
--- a/other/s-z/scale-deployment-zero/artifacthub-pkg.yml
+++ b/other/s-z/scale-deployment-zero/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "other"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Deployment"
-digest: e788ce3e9d3bec239e132a18bf021ef60922d73f7b3d31a7347cdcd730807f7f
+digest: 3fbc00dd9353159fa0ab0e13bd1a1c07f1b28bc49bd7ad63277241f11812aff3
diff --git a/other/s-z/unique-ingress-paths/artifacthub-pkg.yml b/other/s-z/unique-ingress-paths/artifacthub-pkg.yml
index bf066e64..e18fb3d0 100644
--- a/other/s-z/unique-ingress-paths/artifacthub-pkg.yml
+++ b/other/s-z/unique-ingress-paths/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Sample"
   kyverno/subject: "Ingress"
-digest: 6438f8a31d452b9c3b412ec330edd4efbc8865bb8b04019030c77b5c08b28add
+digest: b7d6475c0f1a2e885ffeec1b6840bfca32b8d690dbefe6646d3dca6b78fdc7b2
diff --git a/other/s-z/verify-manifest-integrity/artifacthub-pkg.yml b/other/s-z/verify-manifest-integrity/artifacthub-pkg.yml
index 20c1e8be..d7f922ef 100644
--- a/other/s-z/verify-manifest-integrity/artifacthub-pkg.yml
+++ b/other/s-z/verify-manifest-integrity/artifacthub-pkg.yml
@@ -6,7 +6,7 @@ description: >-
   Verifying the integrity of resources is important to ensure no tampering has occurred, and in some cases this may need to be extended to certain YAML manifests deployed to Kubernetes. Starting in Kyverno 1.8, these manifests may be signed with Sigstore and the signature(s) validated to prevent this tampering while still allowing some exceptions on a per-field basis. This policy verifies Deployments are signed with the expected key but ignores the `spec.replicas` field allowing other teams to change just this value.
 install: |-
   ```shell
-     kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/s-z/verify-manifest-integrity/verify-manifest-integrity.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/s-z/verify-manifest-integrity/verify-manifest-integrity.yaml
   ```
 keywords:
   - kyverno
diff --git a/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
index 7e691a39..29a7671e 100644
--- a/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
+++ b/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline)"
   kyverno/kubernetesVersion: "1.22-1.23"
   kyverno/subject: "Pod"
-digest: 138e5cdd4c48ade80d49c0d7599a99285dec59834703ec333b4561916aa4f042
+digest: 424f0a6b33686600c40b6658dd67ebd4eb596e0975b01120ea994168a2e065c8
diff --git a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
index 455e3455..02febf50 100644
--- a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
+++ b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -6,7 +6,7 @@ description: >-
   Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/strict/disallow-capabilities-strict/disallow-capabilities-strict.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
   ```
 keywords:
   - kyverno
diff --git a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
index 003f7c75..c90f47f8 100644
--- a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
+++ b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Require runAsNonRoot
 createdAt: "2023-04-10T23:16:53.000Z"
 description: >-
   Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
   ```
diff --git a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
index 75cd2ba6..d7b90f51 100644
--- a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
+++ b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.22-1.23"
   kyverno/subject: "Pod,Volume"
-digest: ae033e57fb11b5c713876efb465f102d3c7059440ae7e8e5dab4fef28117dde2
+digest: f050ec83c6176c4124cb678418bba7326d9885bd23ee9669e19761d8ec8a0cf2
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml b/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
index 6818d672..8f6f5ceb 100644
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
+++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml
@@ -4,7 +4,7 @@ displayName: Restricted Pod Security Standards with Container-Level Control Exem
 createdAt: "2023-04-10T23:19:50.000Z"
 description: >-
   The restricted profile of the Pod Security Standards, which is inclusive of the baseline profile, is a collection of all the most common configurations that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile may be assigned to the cluster through a single rule. In some cases, specific exemptions must be made on a per-control basis. This policy configures the restricted profile through the latest version of the Pod Security Standards cluster wide while exempting `nginx` and `redis` container images from the Capabilities control check.
-install: |- 
+install: |-
   ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml
   ```
diff --git a/psp-migration/add-apparmor/artifacthub-pkg.yml b/psp-migration/add-apparmor/artifacthub-pkg.yml
index e5f4b00f..dc649380 100644
--- a/psp-migration/add-apparmor/artifacthub-pkg.yml
+++ b/psp-migration/add-apparmor/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "PSP Migration"
   kyverno/kubernetesVersion: "1.24"
   kyverno/subject: "Pod,Annotation"
-digest: fc8cacbbf4086fe2da8ad7e4a635a4283c1e5d9cc27762a7a4ee06e407968bf5
+digest: 082461dca2f21839c429ac792fa4c8cb7a6a86639580345e124e541bf595332d
diff --git a/psp-migration/add-capabilities/artifacthub-pkg.yml b/psp-migration/add-capabilities/artifacthub-pkg.yml
index 01bb9b43..a0219755 100644
--- a/psp-migration/add-capabilities/artifacthub-pkg.yml
+++ b/psp-migration/add-capabilities/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "PSP Migration"
   kyverno/kubernetesVersion: "1.24"
   kyverno/subject: "Pod"
-digest: 2d16b8adeb8826cfa2f90d56aab7bb3616d08b678fb978822e827f64bb115b5a
+digest: 5f25e343611f412f21608223ee89a3684280045469ce1053bc7a3418ee57a1c4
diff --git a/psp-migration/add-runtimeClassName/artifacthub-pkg.yml b/psp-migration/add-runtimeClassName/artifacthub-pkg.yml
index 3b9c4832..898b7423 100644
--- a/psp-migration/add-runtimeClassName/artifacthub-pkg.yml
+++ b/psp-migration/add-runtimeClassName/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "PSP Migration"
   kyverno/kubernetesVersion: "1.24"
   kyverno/subject: "Pod"
-digest: 865b4bd0f95875c04b76057678b5c4146581414ca9b17fd10b719bd9e50145b1
+digest: 1c05ef4bd3486b75bda76a23da00b220229d3b38b5d22ffa141c779a28b2a15b
diff --git a/psp-migration/restrict-runtimeClassName/artifacthub-pkg.yml b/psp-migration/restrict-runtimeClassName/artifacthub-pkg.yml
index e9b2b443..7aced0b9 100644
--- a/psp-migration/restrict-runtimeClassName/artifacthub-pkg.yml
+++ b/psp-migration/restrict-runtimeClassName/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "PSP Migration"
   kyverno/kubernetesVersion: "1.24"
   kyverno/subject: "Pod"
-digest: 4ef56ff9a8131df118e9b52312c70ea17a6c785a0c55c6dc305859ce5da6b653
+digest: e4916e7d06c1fa8afeb2568c330a36c4e44b98a844002270ea2070ba8fae7752
diff --git a/velero/backup-all-volumes/artifacthub-pkg.yml b/velero/backup-all-volumes/artifacthub-pkg.yml
index 155dd95b..d971ac18 100644
--- a/velero/backup-all-volumes/artifacthub-pkg.yml
+++ b/velero/backup-all-volumes/artifacthub-pkg.yml
@@ -11,9 +11,9 @@ description: >-
       all volumes are listed in the aforementioned annotation if a Namespace with the label
       `velero-backup-pvc=true`.
 install: |-
-    ```shell
-    kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/backup-all-volumes/backup-all-volumes.yaml
-     ```
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/backup-all-volumes/backup-all-volumes.yaml
+  ```
 keywords:
   - velero
   - kyverno
diff --git a/velero/block-velero-restore/artifacthub-pkg.yml b/velero/block-velero-restore/artifacthub-pkg.yml
index 9dcffcb1..f4b815f1 100644
--- a/velero/block-velero-restore/artifacthub-pkg.yml
+++ b/velero/block-velero-restore/artifacthub-pkg.yml
@@ -10,9 +10,9 @@ description: >-
       It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace
       then operation fails and warning message is throw.
 install: |-
-    ```shell
-    kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/block-velero-restore/block-velero-restore.yaml
-    ```
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/block-velero-restore/block-velero-restore.yaml
+  ```
 keywords:
   - velero
   - kyverno
diff --git a/velero/validate-cron-schedule/artifacthub-pkg.yml b/velero/validate-cron-schedule/artifacthub-pkg.yml
index 303beb92..077c1291 100644
--- a/velero/validate-cron-schedule/artifacthub-pkg.yml
+++ b/velero/validate-cron-schedule/artifacthub-pkg.yml
@@ -7,9 +7,9 @@ description: >-
       A Velero Schedule is given in Cron format and must be accurate to ensure
       operation. This policy validates that the schedule is a valid Cron format. 
 install: |-
-    ```shell
-    kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/validate-cron-schedule/validate-cron-schedule.yaml
-    ```
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero/validate-cron-schedule/validate-cron-schedule.yaml
+  ```
 keywords:
   - velero
   - kyverno
-- 
GitLab