# Changelog

The format follows Keep a Changelog.

## [3.2.6-bb.1] - 2024-10-23

### Changed

- Added `block-ephemeral-containers` policy and `test-ephemeral.sh` as its test

## [3.2.6-bb.0] - 2024-10-09

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from `v1.29.7` to `v1.30.5`
- Updated chart from `kyverno-chart-3.2.5` to `kyverno-chart-3.2.6` and app version from `v1.12.5` to `v1.12.6`

## [3.2.5-bb.7] - 2024-09-16

### Changed

- Added wait job
- Updated gluon from 0.5.3 to 0.5.4

## [3.2.5-bb.6] - 2024-09-09

### Changed

- Updated Iron Bank public container signing key

## [3.2.5-bb.5] - 2024-09-09

### Changed

- Set `generateExisting` to `false`

## [3.2.5-bb.4] - 2024-08-20

### Changed

- Added `generateExisting` option for `clone-config.yaml`
- Updated gluon from 0.5.2 to 0.5.3

## [3.2.5-bb.3] - 2024-08-02

### Changed

- Added `app` and `version` to `require-labels` policy and updated manifest

## [3.2.5-bb.2] - 2024-07-31

### Changed

- Updated `apiVersion` in `chart/templates/exception-require-non-root-group.yaml` from `kyverno.io/v2beta1` to the latest version, `kyverno.io/v2`
- Updated `apiVersion` in `chart/templates/exception-require-non-root-user.yaml` from `kyverno.io/v2beta1` to `kyverno.io/v2`
- Updated `apiVersion` in `chart/templates/update-automountserviceaccounttokens.yaml` from `kyverno.io/v2beta1` to `kyverno.io/v2`

## [3.2.5-bb.1] - 2024-07-27

### Changed

- Gluon updated from `0.5.0` to `0.5.2`
- `ironbank/opensource/kubernetes/kubectl` updated from `v1.29.4` to `v1.29.7`

## [3.2.5-bb.0] - 2024-07-23

### Changed

- Updated `version` and annotations in `Chart.yaml` to match the Kyverno chart currently in use, 3.2.5

## [3.2.3-bb.0] - 2024-07-18

### Changed

- Updated helm chart from `kyverno-chart-3.0.4` to `kyverno-chart-3.2.3` and app version from `v1.11.0` to `v1.12.3`

## [3.0.4-bb.34] - 2024-07-16

### Changed

- Added metadata annotation to `disallow-istio-injection-bypass` policy

## [3.0.4-bb.33] - 2024-06-17

### Changed

- Fixed error in `exception-require-non-root-group.yaml` and `exception-require-non-root-user.yaml`

## [3.0.4-bb.32] - 2024-05-23

### Changed

- Set autogen rules to `Deployment,ReplicaSet,DaemonSet,StatefulSet` by default to mitigate false-positive behavior

## [3.0.4-bb.31] - 2024-05-16

### Changed

- Updated commented example in `values.yaml` for `update-automountserviceaccounttokens`

## [3.0.4-bb.30] - 2024-05-03

### Changed

- gluon updated from 0.4.8 to 0.5.0
- `ironbank/opensource/kubernetes/kubectl` updated from v1.29.3 to v1.29.4
- `ironbank/redhat/ubi/ubi9-minimal` updated from 9.3 to 9.4

## [3.0.4-bb.29] - 2024-04-19

### Changed

- Added support for Kubernetes v1.32 deprecations in the deprecated API policy
- `ironbank/opensource/kubernetes/kubectl` updated from v1.28.7 to v1.29.3

## [3.0.4-bb.28] - 2024-03-20

### Changed

- Ensured the `kube-system` namespace is excluded from policy action

## [3.0.4-bb.27] - 2024-03-07

### Changed

- Removed duplicate `pod-policies.kyverno.io/autogen-controllers` annotation in `disallow-tolerations` ClusterPolicy

## [3.0.4-bb.26] - 2024-02-29

### Changed

- Fixed audit and mutator for `automountServiceAccountToken` for StatefulSets and Deployments

## [3.0.4-bb.25] - 2024-02-20

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.28.6 to v1.28.7
- gluon chart updated from 0.3.1 to 0.4.8

## [3.0.4-bb.24] - 2024-01-31

### Changed

- Updated allowed `sysctls` per Pod Security Standards

## [3.0.4-bb.23] - 2024-01-30

### Changed

- Fixed issue with wildcarding serviceAccounts in the `automountServiceAccountToken` ClusterPolicy

## [3.0.4-bb.22] - 2024-01-29

### Changed

- Removed hardcoded `pod-policies.kyverno.io/autogen-controllers` annotation from `disallow-namespaces` ClusterPolicy
- Default value for `{{.Values.autogenController}}` set to `none` instead of empty string

## [3.0.4-bb.21] - 2024-01-26

### Changed

- Refactored `PodsToHarden` format

## [3.0.4-bb.20] - 2024-01-25

### Changed

- Fixed issue with wildcarding serviceAccounts in the `automountServiceAccountToken` ClusterPolicy

## [3.0.4-bb.19] - 2024-01-19

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.28.4 to v1.28.6
- `ironbank/redhat/ubi/ubi9-minimal` updated from 8.9 to 9.3

## [3.0.4-bb.18] - 2024-01-05

### Changed

- Updated base image from `ironbank/redhat/ubi/ubi8-minimal` to `ironbank/redhat/ubi/ubi9-minimal`

## [3.0.4-bb.17] - 2023-12-21

### Changed

- Fixed issue with Kyverno policy exemptions for `automountServiceAccountToken`
- Added Kyverno policy that mutates pods to harden `automountServiceAccountToken`

## [3.0.4-bb.16] - 2023-12-15

### Changed

- Added `ctlog.ignoreSCT: true` to `require-image-signature` policy

## [3.0.4-bb.15] - 2023-12-05

### Changed

- Set `failurePolicy` to `Ignore` by default for audit policies via a new helper function

## [3.0.4-bb.14] - 2023-12-04

### Changed

- Excluded the `default` ServiceAccount from serviceaccount mutation in `update-automountserviceaccounttokens`

## [3.0.4-bb.13] - 2023-12-01

### Changed
- Fixed signature verification following the upstream Kyverno 1.11.0 change in default behavior: added the new `ignoreTlog` and `url` fields to the `require-image-signature` policy so that transparency log (Rekor) checks are skipped for Iron Bank images
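
The `require-image-signature` settings described in the 3.0.4-bb.13 and 3.0.4-bb.16 entries are the `rekor.ignoreTlog`, `rekor.url` and `ctlog.ignoreSCT` fields of a Kyverno `verifyImages` rule. The following is an added illustration of how those fields sit together in a key-based `verifyImages` rule; it is not the chart's own policy template, and the policy name, the `registry1.dso.mil/ironbank/*` image glob and the public key placeholder are assumptions:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-signature-example   # illustrative name, not the chart's
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail                     # a verification outage must not let unsigned images through
  rules:
    - name: verify-ironbank-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry1.dso.mil/ironbank/*"   # assumed scope
          required: true                         # images in scope without a matching signature are rejected
          mutateDigest: true                     # rewrite the tag to the verified digest
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: replace with the Iron Bank cosign public key from the chart values.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <Iron Bank cosign public key>
                      -----END PUBLIC KEY-----
                    rekor:
                      url: https://rekor.sigstore.dev
                      ignoreTlog: true           # do not require a Rekor transparency log entry
                    ctlog:
                      ignoreSCT: true            # do not require a signed certificate timestamp
```

Caveat: with `ignoreTlog: true` and `ignoreSCT: true` the whole verification rests on the pinned public key; there is no transparency log entry to audit after the fact, so a key rotation (the 3.2.5-bb.6 entry above records one) is a security-relevant policy change that has to be rolled out deliberately, and a leaked signing key cannot be detected from Rekor. For images that are signed with the transparency log (most public Sigstore signers), leave both flags at their default of `false`.
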
## [3.0.4-bb.12] - 2023-11-17

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.28.3 to v1.28.4
- `ironbank/redhat/ubi/ubi8-minimal` updated from 8.8 to 8.9

## [3.0.4-bb.11] - 2023-11-15

### Changed

- Added support for Kubernetes v1.29 deprecations in the deprecated API policy

## [3.0.4-bb.10] - 2023-11-13

### Changed

- Added ClusterPolicy to disable `automountServiceAccountToken` on `default` ServiceAccounts

## [3.0.4-bb.9] - 2023-11-09

### Added

- `require-non-root-user` PolicyException template for `istio-init` containers

## [3.0.4-bb.8] - 2023-11-07

### Added

- `istio.enabled` toggle for the PolicyException template below
- `require-non-root-group` PolicyException template for `istio-init` containers

## [3.0.4-bb.7] - 2023-11-01

### Changed

- Fixed test for the `automountServiceAccountToken` ClusterPolicy

## [3.0.4-bb.6] - 2023-10-31

### Changed

- Default `automountServiceAccountToken` ClusterPolicy to disabled

## [3.0.4-bb.5] - 2023-10-27

### Changed

- Added ClusterPolicy to disable `automountServiceAccountToken` on ServiceAccounts and enable it on the pods
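
The two halves of such a ClusterPolicy, as an added illustration rather than the chart's own template: one mutate rule turns `automountServiceAccountToken` off on every ServiceAccount outside `kube-system`, a second mutate rule turns it back on only for Pods whose `serviceAccountName` is on an allowlist (a pod-level setting overrides the ServiceAccount-level one), and an audit rule reports any other Pod that still mounts a token. The policy name, the allowlist entries (`kyverno-admission-controller`, `example-operator`) and the namespace exclusion are assumptions:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: update-automountserviceaccounttokens-example  # illustrative name, not the chart's
spec:
  validationFailureAction: Audit   # applies to the validate rule only: report, do not block
  background: false                # required: the preconditions below read request.object
  rules:
    # 1. ServiceAccounts: stop projecting a token into pods by default.
    - name: disable-on-serviceaccounts
      match:
        any:
          - resources:
              kinds:
                - ServiceAccount
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system          # assumed exclusion; control-plane components need tokens
      mutate:
        patchStrategicMerge:
          automountServiceAccountToken: false

    # 2. Pods whose ServiceAccount is on the allowlist get the token back.
    - name: enable-on-allowlisted-pods
      match:
        any:
          - resources:
              kinds:
                - Pod
      preconditions:
        all:
          - key: "{{ request.object.spec.serviceAccountName || 'default' }}"
            operator: In
            value:                       # assumed allowlist of workloads that call the API server
              - kyverno-admission-controller
              - example-operator
      mutate:
        patchStrategicMerge:
          spec:
            automountServiceAccountToken: true

    # 3. Report any other pod that still mounts a token (absent field = inherit from the SA).
    - name: audit-token-mounts
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      preconditions:
        all:
          - key: "{{ request.object.spec.serviceAccountName || 'default' }}"
            operator: NotIn
            value:
              - kyverno-admission-controller
              - example-operator
      validate:
        message: >-
          Pod mounts a service account token; set spec.automountServiceAccountToken
          to false or add its ServiceAccount to the allowlist.
        pattern:
          spec:
            =(automountServiceAccountToken): false
```

Two caveats a practitioner should keep in mind. Admission-time mutation only fires when a resource is created or updated, so ServiceAccounts that already exist keep their old value until they are next written (or patched once by hand); and because the preconditions use `request.object`, the policy cannot run in background mode, so the audit rule only sees pods as they are admitted, not the pods already running.
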
## [3.0.4-bb.4] - 2023-10-25

### Changed

- Removed exceptions for Kyverno Reporter, GitLab Runners, and GitLab Shared Secrets (moved to the bigbang repo)

## [3.0.4-bb.3] - 2023-10-22

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.27.3 to v1.28.3

## [3.0.4-bb.2] - 2023-10-11

### Changed

- Added Kyverno policy for auditing `automountServiceAccountToken` usage
- Added exceptions for Kyverno Reporter, GitLab Runners, and GitLab Shared Secrets

## [3.0.4-bb.1] - 2023-10-11

### Changed

- Respect `autogenControllers`, `background`, and `failurePolicy` values across all policies

## [3.0.4-bb.0] - 2023-09-20

### Changed

- Changed CI test script and values to work with the newer Kyverno chart version 3.0.0 for app version 1.10.x
- Disabled `require-non-root-group` and `require-non-root-user` policy tests until a fix is added

## [1.1.0-bb.10] - 2023-08-29

### Added

- Precondition support for excluding `istio-init` containers from the `require-non-root-group` policy

## [1.1.0-bb.9] - 2023-08-01

### Added

- `DEVELOPMENT_MAINTENANCE.md`

## [1.1.0-bb.8] - 2023-07-27

### Changed

- Re-added Iron Bank key to test values for package/BB CI
- Modified `disallow-image-tags`, `require-image-signature`, `update-image-registry`
- Added timeout to `test-policies.sh`

## [1.1.0-bb.7] - 2023-06-16

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.26.4 to v1.27.3
- `ironbank/redhat/ubi/ubi8-minimal` updated from 8.7 to 8.8

## [1.1.0-bb.6] - 2023-04-15

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.26.3 to v1.26.4

## [1.1.0-bb.5] - 2023-03-30

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.26.2 to v1.26.3

## [1.1.0-bb.4] - 2023-03-29

### Changed

- Modified enabled-policy test to only run on package pipelines

## [1.1.0-bb.3] - 2023-03-04

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.26.1 to v1.26.2

## [1.1.0-bb.2] - 2023-02-07

### Changed

- Updated kubectl to v1.26.1
- Updated gluon to 0.3.2

## [1.1.0-bb.1] - 2023-01-26

### Changed

- Updated kubectl to v1.25.6
- Updated gluon to 0.3.1

## [1.1.0-bb.0] - 2023-01-11

### Changed

- Removed `disallow-shared-subpath-volume-writes` policy (no longer beneficial for any non-EOL Kubernetes version)
- Removed Iron Bank key from test values

## [1.0.1-bb.12] - 2023-01-06

### Changed

- Added support for Kubernetes v1.27 deprecations in the deprecated API policy

## [1.0.1-bb.11] - 2022-12-20

### Changed

- Updated default values for `require-image-signature` to align with upstream documentation

## [1.0.1-bb.10] - 2022-12-05

### Changed

- Changed `values.yaml` to fail Iron Bank images that are not signed

## [1.0.1-bb.9] - 2022-12-13

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.25.4 to v1.25.5

## [1.0.1-bb.8] - 2022-11-16

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.25.3 to v1.25.4
- `registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal` updated from 8.6 to 8.7

## [1.0.1-bb.7] - 2022-10-25

### Changed

- Changed `require-non-root-user` to support container exclusions

## [1.0.1-bb.6] - 2022-10-18

### Changed

- `ironbank/opensource/kubernetes/kubectl` updated from v1.24.4 to v1.25.3

## [1.0.1-bb.5] - 2022-09-14

### Changed

- Changed `disallow-nodeport-services` to `audit`
- Updated Gluon to `0.3.0`
- Fixed `disallow-pod-exec` action from `attach` to `audit`

## [1.0.1-bb.4] - 2022-09-08

### Changed

- Updated `ttlSecondsAfterFinished` to extend the job lifecycle

## [1.0.1-bb.3] - 2022-08-31

### Changed

- Added support for policy container exclusion

## [1.0.1-bb-2] - 2022-08-30

### Changed

- Updated kubectl from `v1.22.2` to `v1.24.4`

## [1.0.1-bb-1] - 2022-08-17

### Changed

- Fixed issue with `disallow-deprecated-apis` failing to install when checking old API versions

## [1.0.1-bb-0] - 2022-07-05

### Changed

- Updated policy preconditions to check for create or update operations only

## [1.0.0-bb.13] - 2022-06-21

### Changed

- Enabled `disallow-nodeport-services` policy in enforcing mode

## [1.0.0-bb.12] - 2022-05-31

### Changed

- Separated host path policies from volume and hostPath

## [1.0.0-bb.11] - 2022-06-01

### Changed

- Red Hat UBI minimal updated from 8.5 to 8.6

## [1.0.0-bb.10] - 2022-05-24

### Changed

- Added policy to catch PersistentVolumes of type hostPath
- Modified `restrict-host-path-mount.yaml`

## [1.0.0-bb.9] - 2022-05-13

### Changed

- Removed audit ClusterPolicies
- Disabled `disallow-istio-injection-bypass`
- Disabled `require-drop-all-capabilities`
- Disabled `require-istio-on-namespaces`
- Disabled `restrict-capabilities`

## [1.0.0-bb.8] - 2022-03-29

### Changed

- Removed 1.22 deprecated API versions from test to support pipeline update to 1.23

## [1.0.0-bb.7] - 2022-03-03

### Changed

- Renamed `disallow-default-namespace` to `disallow-namespaces`; parameterized the list of disallowed namespaces, with `default` as the default
- Decoupled testing from namespace
- Used default namespace for testing
- Updated test script to set policy action automatically

## [1.0.0-bb.6] - 2022-03-02

### Changed

- Added `localhost/*` as another acceptable default AppArmor profile
- Updated metadata in `Chart.yaml`
- Fixed typo for `restrict-capabilities` action in `values.yaml`
- Fixed `disallow-default-namespace` to allow a blank namespace in the pod controller template, but require the pod controller to have a namespace
- Fixed `restrict-host-path` to ignore pods with no volumes
- Fixed `require-non-root-group` exclusions indentation
- Fixed `disallow-deprecated-apis` matching to work with exclusions
- Updated `disallow-deprecated-apis` with Kubernetes 1.26 deprecations
- Updated `require-requests-equal-limits` to work with Kyverno 1.6.0
- Added `system:service-account-issuer-discovery` to the exclusion list for `disallow-rbac-on-default-serviceaccounts`; clusters allow service accounts access to discovery
- Fixed `disallow-rbac-on-default-serviceaccounts` to ignore role bindings without a subject
- Fixed `require-non-root-user` to allow either `runAsNonRoot: true` or `runAsUser: >0`
- Fixed `disallow-tolerations` to check pod controllers
- Renamed `require-ro-host-path` to `restrict-host-path-write` and added an `allow` list for paths
- Renamed `restrict-host-path` to `restrict-host-path-mount` to distinguish it from `restrict-host-path-write`
- Increased memory allocation for the `wait-for-ready` job to avoid OOM errors
- Renamed `disallow-subpath-volumes` to `disallow-shared-subpath-volume-writes` to clarify functionality
- Fixed `disallow-shared-subpath-volume-writes` to narrow conditions to those specific to the vulnerability
- Fixed `helpers.tpl` match and exclusion to handle `any` and `all` permutations

### Added

- `wait.sh` added to pipeline to wait for all policies to be ready before running helm test

### Removed

- `disallow-host-path` policy overlapped `restrict-volume-types` policy and was removed
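
The `require-non-root-user` fix in the 1.0.0-bb.6 entry ("allow either `runAsNonRoot: true` or `runAsUser: >0`") is the Kyverno `anyPattern` idiom: the rule passes if any one of the listed patterns matches. Here is an added illustration of that rule, written for this page rather than taken from the chart, covering both the pod-level setting (which containers may override only with a compliant value) and the per-container setting. The policy name is an assumption; the autogen-controllers annotation value is the default recorded in the 3.0.4-bb.32 entry above.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root-user-example   # illustrative name, not the chart's
  annotations:
    # Generate matching rules for the pod templates of these controllers.
    pod-policies.kyverno.io/autogen-controllers: Deployment,ReplicaSet,DaemonSet,StatefulSet
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: non-root-user
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Containers must run as non-root: set runAsNonRoot: true or runAsUser > 0
          at the pod level (with no container overriding it) or on every container.
        anyPattern:
          # 1. Pod-level runAsNonRoot: true; containers may only override with true.
          - spec:
              securityContext:
                runAsNonRoot: "true"
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): "true"
              containers:
                - =(securityContext):
                    =(runAsNonRoot): "true"
          # 2. Every container (and init container) sets runAsNonRoot: true itself.
          - spec:
              =(initContainers):
                - securityContext:
                    runAsNonRoot: "true"
              containers:
                - securityContext:
                    runAsNonRoot: "true"
          # 3. Pod-level positive UID; containers may only override with a positive UID.
          - spec:
              securityContext:
                runAsUser: ">0"
              =(initContainers):
                - =(securityContext):
                    =(runAsUser): ">0"
              containers:
                - =(securityContext):
                    =(runAsUser): ">0"
          # 4. Every container (and init container) sets a positive runAsUser itself.
          - spec:
              =(initContainers):
                - securityContext:
                    runAsUser: ">0"
              containers:
                - securityContext:
                    runAsUser: ">0"
```

The `=(...)` anchors make a key optional: a container with no `securityContext` inherits the pod-level value and passes patterns 1 and 3, while a container that explicitly sets `runAsUser: 0` fails pattern 3 (and, under pattern 1, is refused by the kubelet at start because `runAsNonRoot: true` is checked against the effective UID). Sidecar init containers that genuinely need root, such as `istio-init`, are better handled with a PolicyException, as the 3.0.4-bb.8 and 3.0.4-bb.9 entries above do, than by loosening these patterns for every workload.
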
## [1.0.0-bb.5] - 2022-02-03

### Changed

- Updated kubectl to 1.22
- Removed version from UBI image in most test resources (latest is ok)

## [1.0.0-bb.4] - 2022-01-31

### Changed

- Updated policy names and parameters to be in line with `docs/naming.md`
- Split `restrict-selinux` policy into `restrict-selinux-type` and `disallow-selinux-options` policies

## [1.0.0-bb.3] - 2022-01-28

### Added

- `update-image-pull-policy` policy
- `disallow-subpath-volumes` policy
- `update-token-automount` policy
- `require-annotations` policy
- `require-image-signature` policy
- `require-istio-on-namespaces` policy
- `disallow-istio-injection-bypass` policy
- `require-labels` policy
- `disallow-annotations` policy
- `disallow-labels` policy
- `disallow-pod-exec` policy
- `disallow-tolerations` policy
- Maximum on CPU and memory limits in `require-cpu-limits` and `require-memory-limits` policies
- Gatekeeper policy vs. Kyverno policy documentation
- Policy description documentation

### Changed

- `require-resource-limits` split into `require-cpu-limits` and `require-memory-limits` policies
- Added timestamp to `wait-for-ready` job so upgrades do not try to change an immutable job

### Removed

- `cve-add-log4j2-mitigation` policy (mitigation proved to be insufficient)

## [1.0.0-bb.2] - 2022-01-14

### Added

- `restrict-external-names` policy
- `disallow-host-path` policy
- `disallow-nodeport-services` policy
- `disallow-rbac-on-default-serviceaccounts` policy
- `require-drop-all-capabilities` policy
- `require-labels` policy
- `require-probes` policy
- `require-requests-equal-limits` policy
- `require-resource-limits` policy
- `require-ro-host-path` policy
- `restrict-host-path` policy

### Changed

- Simplified `restrict-capabilities` policy
- Updated `disallow-selinux` to `restrict-selinux-type` in accordance with Pod Security Standards

## [1.0.0-bb.1] - 2021-12-20

### Added

- `restrict-external-ips` policy
- `disallow-host-namespace` policy
- `disallow-default-namespace` policy
- `disallow-privilege-escalation` policy
- `disallow-privileged-containers` policy
- `disallow-selinux` policy
- `require-non-root-group` policy
- `require-non-root-user` policy
- `require-ro-rootfs` policy
- `restrict-apparmor` policy
- `restrict-group-id` policy
- `restrict-host-ports` policy
- `restrict-image-registries` policy
- `disallow-image-tags` policy
- `restrict-proc-mount` policy
- `restrict-seccomp` policy
- `restrict-sysctls` policy
- `restrict-user-id` policy
- `restrict-volume-types` policy

## [1.0.0-bb.0] - 2021-12-02

### Added

- Initial creation of the chart