Merge branch 'main' into pod-security-cel-part-3

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

other/e-l/expiration-for-policyexceptions/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Other"
   kyverno/kubernetesVersion: "1.24"
   kyverno/subject: "PolicyException"
-digest: d460ec5a86554ec9e47781e23188598fb71b4e574910493757860f2757c801a1
+digest: 47af946fa7dde4c75c13b3edb3f3ff0bf1c2e481f4e6b34dd443f38500c9a438

other/e-l/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml

@@ -27,7 +27,7 @@ spec:
           kinds:
           - PolicyException
     generate:
-      apiVersion: kyverno.io/v2alpha1
+      apiVersion: kyverno.io/v2beta1
       kind: ClusterCleanupPolicy
       name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }}
       synchronize: false

other/m-q/policy-for-exceptions/policy-bad.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: badpe01
@@ -12,7 +12,7 @@ spec:
     - rule02
   match: {}
 ---
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: badpe02
@@ -33,7 +33,7 @@ spec:
         namespace: some-ns
         name: kube-admin
 ---
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: badpe03
@@ -54,7 +54,7 @@ spec:
         namespace: some-ns
         name: kube-admin
 ---
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: badpe04
@@ -77,7 +77,7 @@ spec:
         namespace: some-ns
         name: kube-admin
 ---
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: badpe05
@@ -96,7 +96,7 @@ spec:
         namespaces:
         - policy-exceptions-ns
 ---
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: badpe06

other/m-q/policy-for-exceptions/policy-good.yaml

@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: goodpe01
@@ -9,7 +9,7 @@ spec:
     - rule01
   match: {}
 ---
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: goodpe02
@@ -33,7 +33,7 @@ spec:
         namespace: some-ns
         name: kube-admin
 ---
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: goodpe03
@@ -58,7 +58,7 @@ spec:
         namespace: some-ns
         name: kube-admin
 ---
-apiVersion: kyverno.io/v2alpha1
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
   name: goodpe04

other/res/restrict-binding-system-groups/artifacthub-pkg.yml

@@ -20,4 +20,4 @@ annotations:
   kyverno/category: "Security, EKS Best Practices"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
-digest: 8de0c1d6797c8925007a6e12a2911edec500ccf987880a581ddb1906e8bf9b87
+digest: d0336a6276727ee78903d87ca14097913d5983b35566d3f47efbf72aa59f2f4d

other/res/restrict-binding-system-groups/crb-bad.yaml

@@ -4,11 +4,11 @@ metadata:
   name: badcrb01
 subjects:
 - kind: Group
-  name: manager
+  name: "system:anonymous"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:anonymous"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -18,21 +18,23 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: "system:unauthenticated"
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:unauthenticated"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: badcrb03
 subjects:
-- kind: ServiceAccount
+- kind: Group
   namespace: foo
-  name: manager
+  name: "system:masters"
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:masters"
+  name: manager
   apiGroup: rbac.authorization.k8s.io

other/res/restrict-binding-system-groups/crb-good.yaml

@@ -4,11 +4,11 @@ metadata:
   name: goodcrb01
 subjects:
 - kind: Group
-  name: manager
+  name: secret-reader
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: secret-reader
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -18,10 +18,10 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: foo-reader
 roleRef:
   kind: ClusterRole
-  name: foo-reader
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 
 ---
@@ -32,8 +32,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: "system.foo"
 roleRef:
   kind: ClusterRole
-  name: "system:foo"
+  name: manager
   apiGroup: rbac.authorization.k8s.io

other/res/restrict-binding-system-groups/rb-bad.yaml

@@ -3,36 +3,38 @@ kind: RoleBinding
 metadata:
   name: badrb01
 subjects:
-- kind: User
-  name: foo
+- kind: Group
+  name: "system:anonymous"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:anonymous"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: badrb02
 subjects:
-- kind: ServiceAccount
-  name: foo
+- kind: Group
+  name: "system:unauthenticated"
   namespace: foo
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:unauthenticated"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: badrb03
 subjects:
-- kind: ServiceAccount
-  name: foo
+- kind: Group
+  name: "system:masters"
   namespace: foo
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:masters"
+  name: foo
   apiGroup: rbac.authorization.k8s.io

other/res/restrict-binding-system-groups/rb-good.yaml

@@ -30,9 +30,9 @@ metadata:
   name: goodrb03
 subjects:
 - kind: Group
-  name: foo
+  name: "system:foo"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:foo"
+  name: foo
   apiGroup: rbac.authorization.k8s.io

other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml

@@ -29,8 +29,8 @@ spec:
       validate:
         message: "Binding to system:anonymous is not allowed."
         pattern:
-          roleRef:
-            name: "!system:anonymous"
+          subjects:
+            - name: "!system:anonymous"
     - name: restrict-unauthenticated
       match:
         any:
@@ -41,8 +41,8 @@ spec:
       validate:
         message: "Binding to system:unauthenticated is not allowed."
         pattern:
-          roleRef:
-            name: "!system:unauthenticated"
+          subjects:
+            - name: "!system:unauthenticated"
     - name: restrict-masters
       match:
         any:
@@ -53,5 +53,6 @@ spec:
       validate:
         message: "Binding to system:masters is not allowed."
         pattern:
-          roleRef:
-            name: "!system:masters"
+          subjects:
+            - name: "!system:masters"
+