Adjust policies to RFC-10 with common policy template

Signed-off-by: Víctor Cuadrado Juan <[email protected]>
kubewarden · Feb 11, 2025 · 6ea9fd7 · 6ea9fd7
1 parent 447987a
commit 6ea9fd7
Show file tree

Hide file tree

Showing 25 changed files with 284 additions and 115 deletions.
diff --git a/charts/policies/allow-privilege-escalation-psp/Chart.yaml b/charts/policies/allow-privilege-escalation-psp/Chart.yaml
@@ -20,19 +20,30 @@ version: 0.1.11
 appVersion: 0.1.11
 
 annotations:
-  # required ones:
+  # Rancher required ones:
   catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
   catalog.cattle.io/ui-component: kubewarden # This is added for custom UI deployment of a chart
   catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
   catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/upstream-version: "0.1.11" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
 
-  # optional ones:
-  # catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
-
-  catalog.cattle.io/scope: management # Chart is only applicable to the management/local cluster and will be only shown as an option for the local cluster
+  # Rancher optional ones:
+  catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/type: "kubewarden-policy"
 
-  catalog.cattle.io/upstream-version: "0.1.11" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
+  # Kubewarden UI specific, copied from metadata.yml
+  io.artifacthub.displayName: Allow Privilege Escalation PSP
+  io.artifacthub.resources: Deployment,Replicaset,Statefulset,Daemonset,Replicationcontroller,Job,Cronjob,Pod
+  io.artifacthub.keywords: PSP, privilege escalation
+  io.kubewarden.policy.description:
+    Replacement for the Kubernetes Pod Security Policy
+    that controls the allowance of privilege escalation in containers and init containers
+    of a pod
+  io.kubewarden.policy.source: https://github.com/kubewarden/allow-privilege-escalation-psp-policy
+  io.kubewarden.policy.severity: medium
+  io.kubewarden.policy.category: PSP
 
-  # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
-  # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
-  catalog.cattle.io/type: cluster-tool
+  # Kubewarden UI specific, recreated from policy metadata.yml
+  kubewarden/mutation: "true"
+  # kubewarden/contextAwareResources: none
diff --git a/charts/policies/allow-privilege-escalation-psp/templates/policy.yaml b/charts/policies/allow-privilege-escalation-psp/templates/policy.yaml
@@ -6,14 +6,23 @@ kind: ClusterAdmissionPolicy
 kind: AdmissionPolicy
 {{- end }}
 metadata:
-  name: {{ .Release.name }}
+  labels:
+    app.kubernetes.io/component: policy
+  annotations:
+    io.kubewarden.policy.severity: {{ index .Chart.Annotations "io.kubewarden.policy.severity" | quote }}
+    io.kubewarden.policy.category: {{ index .Chart.Annotations "io.kubewarden.policy.category" | quote }}
+  name: {{ .Release.Name }}
   {{- if eq .Values.clusterScoped false }}
   namespace: {{ .Release.namespace }}
   {{- end }}
 spec:
-  module: '{{ .Values.spec.module.repository }}:{{ .Values.spec.module.tag }}'
+  module: {{ .Values.global.cattle.systemDefaultRegistry }}/{{ .Values.module.repository }}:{{ .Values.module.tag }}
   mode: {{ .Values.spec.mode }}
+  {{- if eq (index .Chart.Annotations "kubewarden/mutation") "false" }}
+  mutating: false # policy doesn't support mutation
+  {{- else }}
   mutating: {{ .Values.spec.mutating }}
+  {{- end }}
   settings:
     default_allow_privilege_escalation: {{ .Values.spec.settings.default_allow_privilege_escalation }}
   rules:

diff --git a/charts/policies/allow-privilege-escalation-psp/values.yaml b/charts/policies/allow-privilege-escalation-psp/values.yaml
@@ -1,9 +1,12 @@
 ---
+global:
+  cattle:
+    systemDefaultRegistry: ghcr.io
+module:
+  repository: "kubewarden/policies/allow-privilege-escalation-psp"
+  tag: "v0.1.11"
 clusterScoped: true # for ClusterAdmissionPolicy, or AdmissionPolicy
 spec:
-  module:
-    repository: "ghcr.io/kubewarden/policies/allow-privilege-escalation-psp"
-    tag: "v0.1.11"
   mode: "protect"
   mutating: false
   settings:

diff --git a/charts/policies/apparmor-psp/Chart.yaml b/charts/policies/apparmor-psp/Chart.yaml
@@ -25,13 +25,24 @@ annotations:
   catalog.cattle.io/ui-component: kubewarden # This is added for custom UI deployment of a chart
   catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
   catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/upstream-version: "0.1.9" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
 
   # optional ones:
-  # catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/type: "kubewarden-policy"
 
-  catalog.cattle.io/scope: management # Chart is only applicable to the management/local cluster and will be only shown as an option for the local cluster
-  catalog.cattle.io/upstream-version: "0.1.9" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
+  # Kubewarden UI specific, copied from metadata.yml
+  io.artifacthub.displayName: Apparmor PSP
+  io.artifacthub.resources: Pod
+  io.artifacthub.keywords: psp, apparmor
+  io.kubewarden.policy.description:
+    Replacement for the Kubernetes Pod Security Policy
+    that controls the usage of AppArmor profiles
+  io.kubewarden.policy.source: https://github.com/kubewarden/apparmor-psp-policy
+  io.kubewarden.policy.severity: medium
+  io.kubewarden.policy.category: PSP
 
-  # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
-  # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
-  catalog.cattle.io/type: cluster-tool
+  # Kubewarden UI specific, recreated from policy metadata.yml
+  kubewarden/mutation: "false"
+  # kubewarden/contextAwareResources: none
diff --git a/charts/policies/apparmor-psp/templates/policy.yaml b/charts/policies/apparmor-psp/templates/policy.yaml
@@ -6,14 +6,23 @@ kind: ClusterAdmissionPolicy
 kind: AdmissionPolicy
 {{- end }}
 metadata:
-  name: {{ .Release.name }}
+  labels:
+    app.kubernetes.io/component: policy
+  annotations:
+    io.kubewarden.policy.severity: {{ index .Chart.Annotations "io.kubewarden.policy.severity" | quote }}
+    io.kubewarden.policy.category: {{ index .Chart.Annotations "io.kubewarden.policy.category" | quote }}
+  name: {{ .Release.Name }}
   {{- if eq .Values.clusterScoped false }}
   namespace: {{ .Release.namespace }}
   {{- end }}
 spec:
-  module: '{{ .Values.spec.module.repository }}:{{ .Values.spec.module.tag }}'
+  module: {{ .Values.global.cattle.systemDefaultRegistry }}/{{ .Values.module.repository }}:{{ .Values.module.tag }}
   mode: {{ .Values.spec.mode }}
+  {{- if eq (index .Chart.Annotations "kubewarden/mutation") "false" }}
+  mutating: false # policy doesn't support mutation
+  {{- else }}
   mutating: {{ .Values.spec.mutating }}
+  {{- end }}
   rules:
     {{- toYaml .Values.spec.rules | nindent 4 }}
   settings:

diff --git a/charts/policies/apparmor-psp/values.yaml b/charts/policies/apparmor-psp/values.yaml
@@ -1,11 +1,14 @@
 ---
+global:
+  cattle:
+    systemDefaultRegistry: ghcr.io
+module:
+  repository: "kubewarden/policies/apparmor-psp"
+  tag: "v0.1.9"
 clusterScoped: true # for ClusterAdmissionPolicy, or AdmissionPolicy
 spec:
   module:
-    repository: "ghcr.io/kubewarden/policies/apparmor-psp"
-    tag: "v0.1.9"
   mode: "protect"
-  mutating: false
   rules:
     -
       apiGroups:

diff --git a/charts/policies/capabilities-psp/Chart.yaml b/charts/policies/capabilities-psp/Chart.yaml
@@ -25,13 +25,24 @@ annotations:
   catalog.cattle.io/ui-component: kubewarden # This is added for custom UI deployment of a chart
   catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
   catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/upstream-version: "0.1.9" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
 
-  # optional ones:
-  # catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  # Rancher optional ones:
+  catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/type: "kubewarden-policy"
 
-  catalog.cattle.io/scope: management # Chart is only applicable to the management/local cluster and will be only shown as an option for the local cluster
-  catalog.cattle.io/upstream-version: "0.1.9" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
+  # Kubewarden UI specific, copied from metadata.yml
+  io.artifacthub.displayName: Capabilities PSP
+  io.artifacthub.resources: Pod,Deployment,ReplicaSet,StatefulSet,DaemonSet,Job,CronJob,ReplicationController
+  io.artifacthub.keywords: psp, container, capability, capabilities
+  io.kubewarden.policy.description:
+    Replacement for the Kubernetes Pod Security Policy
+    that controls the usage of capabilities
+  io.kubewarden.policy.source: https://github.com/kubewarden/capabilities-psp-policy
+  io.kubewarden.policy.severity: medium
+  io.kubewarden.policy.category: PSP
 
-  # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
-  # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
-  catalog.cattle.io/type: cluster-tool
+  # Kubewarden UI specific, recreated from policy metadata.yml
+  kubewarden/mutation: "true"
+  # kubewarden/contextAwareResources: none
diff --git a/charts/policies/capabilities-psp/templates/policy.yaml b/charts/policies/capabilities-psp/templates/policy.yaml
@@ -6,14 +6,23 @@ kind: ClusterAdmissionPolicy
 kind: AdmissionPolicy
 {{- end }}
 metadata:
-  name: {{ .Release.name }}
+  labels:
+    app.kubernetes.io/component: policy
+  annotations:
+    io.kubewarden.policy.severity: {{ index .Chart.Annotations "io.kubewarden.policy.severity" | quote }}
+    io.kubewarden.policy.category: {{ index .Chart.Annotations "io.kubewarden.policy.category" | quote }}
+  name: {{ .Release.Name }}
   {{- if eq .Values.clusterScoped false }}
   namespace: {{ .Release.namespace }}
   {{- end }}
 spec:
-  module: '{{ .Values.spec.module.repository }}:{{ .Values.spec.module.tag }}'
+  module: {{ .Values.global.cattle.systemDefaultRegistry }}/{{ .Values.module.repository }}:{{ .Values.module.tag }}
   mode: {{ .Values.spec.mode }}
+  {{- if eq (index .Chart.Annotations "kubewarden/mutation") "false" }}
+  mutating: false # policy doesn't support mutation
+  {{- else }}
   mutating: {{ .Values.spec.mutating }}
+  {{- end }}
   rules:
     {{- toYaml .Values.spec.rules | nindent 4 }}
   settings:

diff --git a/charts/policies/capabilities-psp/values.yaml b/charts/policies/capabilities-psp/values.yaml
@@ -1,9 +1,12 @@
 ---
+global:
+  cattle:
+    systemDefaultRegistry: ghcr.io
+module:
+  repository: "kubewarden/policies/capabilities-psp"
+  tag: "v0.2.0"
 clusterScoped: true # for ClusterAdmissionPolicy, or AdmissionPolicy
 spec:
-  module:
-    repository: "ghcr.io/kubewarden/policies/capabilities-psp"
-    tag: "v0.2.0"
   mode: "protect"
   mutating: false
   rules:

diff --git a/charts/policies/pod-privileged/Chart.yaml b/charts/policies/pod-privileged/Chart.yaml
@@ -20,18 +20,27 @@ version: 0.2.1
 appVersion: 0.2.1
 
 annotations:
-  # required ones:
+  # Rancher required ones:
   catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
   catalog.cattle.io/ui-component: kubewarden # This is added for custom UI deployment of a chart
   catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
   catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/upstream-version: "0.2.1" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
 
-  # optional ones:
-  # catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  # Rancher optional ones:
+  catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/type: "kubewarden-policy"
 
-  catalog.cattle.io/scope: management # Chart is only applicable to the management/local cluster and will be only shown as an option for the local cluster
-  catalog.cattle.io/upstream-version: "0.2.1" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
+  # Kubewarden UI specific, copied from metadata.yml
+  io.artifacthub.displayName: Pod Privileged Policy
+  io.artifacthub.resources: Pod
+  io.artifacthub.keywords: psp, pod, container, privileged
+  io.kubewarden.policy.description: Limit the ability to create privileged containers
+  io.kubewarden.policy.source: https://github.com/kubewarden/pod-privileged-policy
+  io.kubewarden.policy.category: PSP
+  io.kubewarden.policy.severity: medium
 
-  # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
-  # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
-  catalog.cattle.io/type: cluster-tool
+  # Kubewarden UI specific, recreated from policy metadata.yml
+  kubewarden/mutation: "false"
+  # kubewarden/contextAwareResources: none
diff --git a/charts/policies/pod-privileged/questions.yaml b/charts/policies/pod-privileged/questions.yaml
@@ -25,11 +25,3 @@ questions:
     "monitor" will log them. Transitioning from "monitor" to "protect" is
     allowed, but not from "protect" to "monitor".
   group: Settings
-- variable: "spec.mutating"
-  type: boolean
-  default: false
-  required: true
-  label: mutating
-  description: Whether the policy has the ability to mutate incoming requests or
-    not.
-  group: Settings
diff --git a/charts/policies/pod-privileged/templates/policy.yaml b/charts/policies/pod-privileged/templates/policy.yaml
@@ -6,14 +6,23 @@ kind: ClusterAdmissionPolicy
 kind: AdmissionPolicy
 {{- end }}
 metadata:
-  name: {{ .Release.name }}
+  labels:
+    app.kubernetes.io/component: policy
+  annotations:
+    io.kubewarden.policy.severity: {{ index .Chart.Annotations "io.kubewarden.policy.severity" | quote }}
+    io.kubewarden.policy.category: {{ index .Chart.Annotations "io.kubewarden.policy.category" | quote }}
+  name: {{ .Release.Name }}
   {{- if eq .Values.clusterScoped false }}
   namespace: {{ .Release.namespace }}
   {{- end }}
 spec:
-  module: '{{ .Values.spec.module.repository }}:{{ .Values.spec.module.tag }}'
+  module: {{ .Values.global.cattle.systemDefaultRegistry }}/{{ .Values.module.repository }}:{{ .Values.module.tag }}
   mode: {{ .Values.spec.mode }}
+  {{- if eq (index .Chart.Annotations "kubewarden/mutation") "false" }}
+  mutating: false # policy doesn't support mutation
+  {{- else }}
   mutating: {{ .Values.spec.mutating }}
+  {{- end }}
   settings:
   rules:
     {{- toYaml .Values.spec.rules | nindent 4 }}
diff --git a/charts/policies/pod-privileged/values.yaml b/charts/policies/pod-privileged/values.yaml
@@ -1,11 +1,13 @@
 ---
+global:
+  cattle:
+    systemDefaultRegistry: ghcr.io
+module:
+  repository: "kubewarden/policies/pod-privileged"
+  tag: "v0.2.1"
 kind: ClusterAdmissionPolicy
 spec:
-  module:
-    repository: "ghcr.io/kubewarden/policies/pod-privileged"
-    tag: "v0.2.1"
   mode: "protect"
-  mutating: false
   settings:
   rules:
     -

diff --git a/charts/policies/pod-runtime-class/Chart.yaml b/charts/policies/pod-runtime-class/Chart.yaml
@@ -20,18 +20,27 @@ version: 0.1.4
 appVersion: 0.1.4
 
 annotations:
-  # required ones:
+  # Rancher required ones:
   catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
   catalog.cattle.io/ui-component: kubewarden # This is added for custom UI deployment of a chart
   catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
   catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/upstream-version: "0.1.4" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
 
-  # optional ones:
-  # catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  # Rancher optional ones:
+  catalog.cattle.io/requires-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/type: "kubewarden-policy"
 
-  catalog.cattle.io/scope: management # Chart is only applicable to the management/local cluster and will be only shown as an option for the local cluster
-  catalog.cattle.io/upstream-version: "0.1.4" # The version of the upstream chart or app. It prevents the unexpected "downgrade" when upgrading an installed chart that uses our 100.x.x+upVersion version schema.
+  # Kubewarden UI specific, copied from metadata.yml
+  io.artifacthub.displayName: Pod Runtime
+  io.artifacthub.resources: Pod
+  io.artifacthub.keywords: pod, runtime, container runtime
+  io.kubewarden.policy.description: Policy that controls the usage of Pod runtimeClass
+  io.kubewarden.policy.source: https://github.com/kubewarden/pod-runtime-class-policy
+  io.kubewarden.policy.severity: medium
+  io.kubewarden.policy.category: Container runtime
 
-  # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
-  # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
-  catalog.cattle.io/type: cluster-tool
+  # Kubewarden UI specific, recreated from policy metadata.yml
+  kubewarden/mutation: "true"
+  # kubewarden/contextAwareResources: none
diff --git a/charts/policies/pod-runtime-class/templates/policy.yaml b/charts/policies/pod-runtime-class/templates/policy.yaml
@@ -6,14 +6,23 @@ kind: ClusterAdmissionPolicy
 kind: AdmissionPolicy
 {{- end }}
 metadata:
-  name: {{ .Release.name }}
+  labels:
+    app.kubernetes.io/component: policy
+  annotations:
+    io.kubewarden.policy.severity: {{ index .Chart.Annotations "io.kubewarden.policy.severity" | quote }}
+    io.kubewarden.policy.category: {{ index .Chart.Annotations "io.kubewarden.policy.category" | quote }}
+  name: {{ .Release.Name }}
   {{- if eq .Values.clusterScoped false }}
   namespace: {{ .Release.namespace }}
   {{- end }}
 spec:
-  module: '{{ .Values.spec.module.repository }}:{{ .Values.spec.module.tag }}'
+  module: {{ .Values.global.cattle.systemDefaultRegistry }}/{{ .Values.module.repository }}:{{ .Values.module.tag }}
   mode: {{ .Values.spec.mode }}
+  {{- if eq (index .Chart.Annotations "kubewarden/mutation") "false" }}
+  mutating: false # policy doesn't support mutation
+  {{- else }}
   mutating: {{ .Values.spec.mutating }}
+  {{- end }}
   rules:
     {{- toYaml .Values.spec.rules | nindent 4 }}
   settings: