chore(deps): update kubezero-cache-dependencies

charts/kubezero-cache/Chart.yaml

@@ -17,7 +17,7 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: redis
-    version: 21.2.4
+    version: 21.2.3
     repository: https://charts.bitnami.com/bitnami
     condition: redis.enabled
   - name: redis-cluster

charts/kubezero-policy/Chart.yaml

@@ -20,7 +20,4 @@ dependencies:
     version: 3.4.2
     repository: https://kyverno.github.io/kyverno/
     condition: kyverno.enabled
-  - name: policies
-    version: 0.1.0
-    condition: policies.enabled
 kubeVersion: ">= 1.30.0-0"

charts/kubezero-policy/README.md

@@ -18,7 +18,6 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-|  | policies | 0.1.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
 | https://kyverno.github.io/kyverno/ | kyverno | 3.4.2 |
 
@@ -28,22 +27,4 @@ Kubernetes: `>= 1.30.0-0`
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| kyverno.admissionController.revisionHistoryLimit | int | `2` |  |
-| kyverno.backgroundController.revisionHistoryLimit | int | `2` |  |
-| kyverno.cleanupController.rbac.clusterRole.extraResources[0].apiGroups[0] | string | `"postgresql.cnpg.io"` |  |
-| kyverno.cleanupController.rbac.clusterRole.extraResources[0].resources[0] | string | `"backups"` |  |
-| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[0] | string | `"delete"` |  |
-| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[1] | string | `"list"` |  |
-| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[2] | string | `"watch"` |  |
-| kyverno.cleanupController.revisionHistoryLimit | int | `2` |  |
-| kyverno.config.preserve | bool | `false` |  |
-| kyverno.config.webhookAnnotations."argocd.argoproj.io/installation-id" | string | `"KubeZero-ArgoCD"` |  |
-| kyverno.crds.migration.enabled | bool | `false` |  |
 | kyverno.enabled | bool | `false` |  |
-| kyverno.features.logging.format | string | `"json"` |  |
-| kyverno.grafana.enabled | bool | `false` |  |
-| kyverno.policyReportsCleanup.enabled | bool | `false` |  |
-| kyverno.reportsController.enabled | bool | `false` |  |
-| kyverno.reportsController.revisionHistoryLimit | int | `2` |  |
-| kyverno.webhooksCleanup.autoDeleteWebhooks.enabled | bool | `true` |  |
-| kyverno.webhooksCleanup.enabled | bool | `true` |  |

charts/kubezero-policy/charts/policies/Chart.yaml

@@ -1,18 +0,0 @@
-apiVersion: v2
-name: policies
-description: KubeZero collection of Kyverno policies
-type: application
-version: 0.1.0
-home: https://kubezero.com
-icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
-keywords:
-  - kubezero
-  - kyverno
-maintainers:
-  - name: Stefan Reimer
-    email: stefan@zero-downtime.net
-dependencies:
-  - name: kubezero-lib
-    version: 0.2.1
-    repository: https://cdn.zero-downtime.net/charts/
-kubeVersion: ">= 1.30.0-0"

charts/kubezero-policy/charts/policies/README.md.gotmpl

@@ -1,18 +0,0 @@
-{{ template "chart.header" . }}
-{{ template "chart.deprecationWarning" . }}
-
-{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.homepageLine" . }}
-
-{{ template "chart.maintainersSection" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-# Kyverno
-
-{{ template "chart.valuesSection" . }}

charts/kubezero-policy/charts/policies/templates/aws/iam-pod-identity.yaml

@@ -1,70 +0,0 @@
-{{- if .Values.aws.enabled }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: add-aws-iam-pod-identity
-  annotations:
-    policies.kyverno.io/title: AWS Pod Identity
-    policies.kyverno.io/category: aws
-    kyverno.io/kyverno-version: 1.14.0
-    kyverno.io/kubernetes-version: "1.31"
-    policies.kyverno.io/subject: Pod
-    policies.kyverno.io/description: >-
-      This provides the EKS Pod Identity Webhook functionality for KubeZero.
-      Pods having a service account annotated with \"kubezero.com/aws-iam-role-arn\"
-      will get the required environment variables as well as volumes injected
-      to make the SDKs automatically find and use the IAM role.
-spec:
-  useServerSideApply: true
-  background: false
-  rules:
-    - name: add-aws-iam-oidc-mapping
-      context:
-      - name: saAnnotations
-        apiCall:
-          urlPath: "/api/v1/namespaces/{{`{{request.namespace}}`}}/serviceaccounts/{{`{{request.object.spec.serviceAccountName}}`}}"
-          jmesPath: "metadata.annotations || ''"
-      match:
-        any:
-        - resources:
-            kinds:
-            - Pod
-            operations:
-            - CREATE
-      preconditions:
-        all:
-        - key: "{{`{{request.object.spec.serviceAccountName || '' }}`}}"
-          operator: NotEquals
-          value: ""
-        - key: "{{`{{ saAnnotations.\"kubezero.com/aws-iam-role-arn\" || '' }}`}}"
-          operator: NotEquals
-          value: ""
-      mutate:
-        foreach:
-        - list: "request.object.spec.containers"
-          patchStrategicMerge:
-            spec:
-              containers:
-              - (name): "{{`{{ element.name }}`}}"
-                env:
-                - name: AWS_REGION
-                  value: {{ .Values.aws.region }}
-                - name: AWS_ROLE_ARN
-                  value: "{{`{{ saAnnotations.\"kubezero.com/aws-iam-role-arn\" }}`}}"
-                - name: AWS_WEB_IDENTITY_TOKEN_FILE
-                  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-                - name: AWS_STS_REGIONAL_ENDPOINTS
-                  value: regional
-                volumeMounts:
-                - name: aws-token
-                  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-                  readOnly: true
-              volumes:
-              - name: aws-token
-                projected:
-                  sources:
-                  - serviceAccountToken:
-                      path: token
-                      expirationSeconds: 86400
-                      audience: "sts.amazonaws.com"
-{{- end }}

charts/kubezero-policy/charts/policies/templates/disallow-cri-sock-mount.yaml

@@ -1,62 +0,0 @@
-{{- if .Values.bestPractices.enabled }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: disallow-container-sock-mounts
-  annotations:
-    policies.kyverno.io/title: Disallow CRI socket mounts in CEL expressions
-    policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Pod
-    policies.kyverno.io/minversion: 1.11.0
-    kyverno.io/kubernetes-version: "1.26-1.27"
-    policies.kyverno.io/description: >-
-      Container daemon socket bind mounts allows access to the container engine on the
-      node. This access can be used for privilege escalation and to manage containers
-      outside of Kubernetes, and hence should not be allowed. This policy validates that
-      the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition
-      to or replacement of this policy, preventing users from mounting the parent directories
-      (/var/run and /var) may be necessary to completely prevent socket bind mounts.
-spec:
-  background: true
-  rules:
-  - name: validate-socket-mounts
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-          operations:
-          - CREATE
-          - UPDATE
-    validate:
-      failureAction: Enforce
-      cel:
-        variables:
-          - name: hasVolumes
-            expression: "!has(object.spec.volumes)"
-          - name: volumes
-            expression: "object.spec.volumes"
-          - name: volumesWithHostPath
-            expression: "variables.volumes.filter(volume, has(volume.hostPath))"
-        expressions:
-          - expression: >-
-              variables.hasVolumes ||
-              variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/docker.sock'))
-            message: "Use of the Docker Unix socket is not allowed."
-
-          - expression: >-
-              variables.hasVolumes ||
-              variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/containerd/containerd.sock'))
-            message: "Use of the Containerd Unix socket is not allowed."
-
-          - expression: >-
-              variables.hasVolumes ||
-              variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/crio/crio.sock'))
-            message: "Use of the CRI-O Unix socket is not allowed."
-
-          - expression: >-
-              variables.hasVolumes ||
-              variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/cri-dockerd.sock'))
-            message: "Use of the Docker CRI socket is not allowed."
-{{- end }}

charts/kubezero-policy/charts/policies/update.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-set -ex
-
-. ../../scripts/lib-update.sh
-
-login_ecr_public
-update_helm
-
-update_docs

charts/kubezero-policy/charts/policies/values.yaml

@@ -1,6 +0,0 @@
-bestPractices:
-  enabled: false
-
-aws:
-  enabled: false
-  region: us-west-2

charts/kubezero-policy/values.yaml

@@ -5,7 +5,7 @@ kyverno:
   policyReportsCleanup:
     enabled: false
   webhooksCleanup:
-    enabled: true
+    enabled: false
     autoDeleteWebhooks:
       enabled: true
 
@@ -51,6 +51,7 @@ kyverno:
 
   backgroundController:
     revisionHistoryLimit: 2
+    enabled: false
 
   reportsController:
     revisionHistoryLimit: 2

charts/kubezero/templates/policy.yaml

@@ -23,14 +23,6 @@ kyverno:
   reportsController:
     serviceMonitor:
       enabled: {{ .Values.metrics.enabled }}
-
-policies:
-  {{- if eq .Values.global.platform "aws" }}
-  aws:
-    enabled: true
-    region: {{ .global.aws.region }}
-  {{- end }}
-
 {{- end }}
 
 {{- define "policy-argo" }}

charts/kubezero/values.yaml

@@ -30,6 +30,11 @@ addons:
   aws-eks-asg-rolling-update-handler:
     enabled: false
 
+policy:
+  enabled: false
+  namespace: kyverno
+  targetRevision: 0.1.0
+
 network:
   enabled: true
   retain: true
@@ -37,11 +42,6 @@ network:
   cilium:
     enabled: true
 
-policy:
-  enabled: false
-  namespace: kyverno
-  targetRevision: 0.1.0
-
 cert-manager:
   enabled: false
   namespace: cert-manager

docs/kube-bench.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: batch/v1
 kind: Job
 metadata: