Merge branch 'main' into assertion_tree_linkfix

content/en/docs/CRDs/_index.md

@@ -64,4 +64,4 @@ FIELDS:
      seconds.
 ```
 
-Kyverno's support for structural schemas also enables integrated help in Kubernetes enabled Integrated Development Environments (IDEs) like [VS Code](https://code.visualstudio.com/) with the [Kubernetes Extension](https://code.visualstudio.com/docs/azure/kubernetes) installed.
+Kyverno's support for structural schemas also enables integrated help in Kubernetes enabled Integrated Development Environments (IDEs) like [VS Code](https://code.visualstudio.com/) with the [Kubernetes Extension](https://code.visualstudio.com/docs/azure/kubernetes#_install-the-kubernetes-extension) installed.

content/en/policies/argo-cel/application-prevent-default-project/application-prevent-default-project.md

@@ -42,7 +42,7 @@ spec:
       validate:
         cel:
           expressions:
-            - expression: "has(object.spec.project) && object.spec.project != 'default'"
+            - expression: "object.spec.?project.orValue('') != 'default'"
               message: "The default project may not be used in an Application."
 
 

content/en/policies/argo/application-field-validation/application-field-validation.md

@@ -29,7 +29,7 @@ metadata:
       Path or chart must be specified but never both. And destination.name or
       destination.server must be specified but never both.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: source-path-chart

content/en/policies/argo/application-prevent-default-project/application-prevent-default-project.md

@@ -27,7 +27,7 @@ metadata:
     policies.kyverno.io/description: >-
       This policy prevents the use of the default project in an Application.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: default-project

content/en/policies/argo/application-prevent-updates-project/application-prevent-updates-project.md

@@ -27,7 +27,7 @@ metadata:
     policies.kyverno.io/description: >-
       This policy prevents updates to the project field after an Application is created.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: project-updates

content/en/policies/argo/applicationset-name-matches-project/applicationset-name-matches-project.md

@@ -28,7 +28,7 @@ metadata:
       This policy ensures that the name of the ApplicationSet is the
       same value provided in the project.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: match-name

content/en/policies/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.md

@@ -31,7 +31,7 @@ metadata:
       enforce that all AppProjects specify clusterResourceBlacklist and that their group
       and kind have wildcards as values.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: has-wildcard

content/en/policies/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.md

@@ -25,14 +25,15 @@ metadata:
     policies.kyverno.io/minversion: 1.7.0
     kyverno.io/kubernetes-version: "1.23"
     policies.kyverno.io/description: >-
-      This policy generates and synchronizes Argo CD cluster secrets from Rancher
+      This policy generates and synchronizes Argo CD cluster secrets from Rancher 
       managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets.
       In this solution, Argo CD integrates with Rancher managed clusters via the central
       Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI.
       The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033
       "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053
       "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".
 spec:
+  generateExisting: true
   rules:
   - name: source-rancher-non-local-cluster-and-capi-secret
     match:
@@ -98,7 +99,6 @@ spec:
           }
         jmesPath: 'to_string(@)'
     generate:
-      generateExisting: true
       synchronize: true
       apiVersion: v1
       kind: Secret

content/en/policies/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.md

@@ -48,8 +48,7 @@ spec:
       cel:
         expressions:
           - expression: >-
-              has(object.metadata.annotations) && 
-              'service.beta.kubernetes.io/aws-load-balancer-ssl-cert' in object.metadata.annotations && object.metadata.annotations['service.beta.kubernetes.io/aws-load-balancer-ssl-cert'] != ''
+              object.metadata.?annotations[?'service.beta.kubernetes.io/aws-load-balancer-ssl-cert'].orValue('') != ''
             message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
 
 

content/en/policies/aws/require-aws-node-irsa/require-aws-node-irsa.md

@@ -33,7 +33,7 @@ metadata:
       the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet
       running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-node-daemonset-irsa

content/en/policies/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.md

@@ -30,7 +30,7 @@ metadata:
       that Services of type LoadBalancer contain the annotation
       service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: aws-loadbalancer-has-ssl-cert

content/en/policies/best-practices-cel/check-deprecated-apis/check-deprecated-apis.md

@@ -0,0 +1,111 @@
+---
+title: "Check deprecated APIs in CEL expressions"
+category: Best Practices in CEL
+version: 
+subject: Kubernetes APIs
+policyType: "validate"
+description: >
+    Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
+---
+
+## Policy Definition
+<a href="https://github.com/kyverno/policies/raw/main//best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml" target="-blank">/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml</a>
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-deprecated-apis
+  annotations:
+    policies.kyverno.io/title: Check deprecated APIs in CEL expressions
+    policies.kyverno.io/category: Best Practices in CEL 
+    policies.kyverno.io/subject: Kubernetes APIs
+    kyverno.io/kyverno-version: 1.12.1
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/description: >-
+      Kubernetes APIs are sometimes deprecated and removed after a few releases.
+      As a best practice, older API versions should be replaced with newer versions.
+      This policy validates for APIs that are deprecated or scheduled for removal.
+      Note that checking for some of these resources may require modifying the Kyverno
+      ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25
+      so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: validate-v1-25-removals
+    match:
+      any:
+      - resources:
+          # NOTE: PodSecurityPolicy is completely removed in 1.25.
+          kinds:
+          - batch/*/CronJob
+          - discovery.k8s.io/*/EndpointSlice
+          - events.k8s.io/*/Event
+          - policy/*/PodDisruptionBudget
+          - policy/*/PodSecurityPolicy
+          - node.k8s.io/*/RuntimeClass
+    celPreconditions:
+      - name: "allowed-api-versions"
+        expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']"
+    validate:
+      cel:
+        expressions:
+          - expression: "false"
+            messageExpression: >-
+              object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.25.
+              See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
+  - name: validate-v1-26-removals
+    match:
+      any:
+      - resources:
+          kinds:
+          - flowcontrol.apiserver.k8s.io/*/FlowSchema
+          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
+          - autoscaling/*/HorizontalPodAutoscaler
+    celPreconditions:
+      - name: "allowed-api-versions"
+        expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']"
+    validate:
+      cel:
+        expressions:
+          - expression: "false"
+            messageExpression: >-
+              object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.26.
+              See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
+  - name: validate-v1-27-removals
+    match:
+      any:
+      - resources:
+          kinds:
+          - storage.k8s.io/*/CSIStorageCapacity
+    celPreconditions:
+      - name: "allowed-api-versions"
+        expression: "object.apiVersion in ['storage.k8s.io/v1beta1']"
+    validate:
+      cel:
+        expressions:
+          - expression: "false"
+            messageExpression: >-
+              object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.27.
+              See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
+  - name: validate-v1-29-removals
+    match:
+      any:
+      - resources:
+          kinds:
+          - flowcontrol.apiserver.k8s.io/*/FlowSchema
+          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
+    celPreconditions:
+      - name: "object.apiVersion"
+        expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']"
+    validate:
+      cel:
+        expressions:
+          - expression: "false"
+            messageExpression: >-
+              object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.29.
+              See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
+  
+
+```

content/en/policies/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.md

@@ -44,8 +44,7 @@ spec:
         cel:
           expressions:
             - expression: >-
-                !has(object.spec.rules) || 
-                object.spec.rules.all(rule, has(rule.host) && has(rule.http))
+                object.spec.?rules.orValue([]).all(rule, has(rule.host) && has(rule.http))
               message: "The Ingress host name must be defined, not empty."
         
 

content/en/policies/best-practices-cel/require-drop-all/require-drop-all.md

@@ -46,14 +46,11 @@ spec:
         cel:
           variables:
             - name: allContainers
-              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
           expressions:
             - expression: >-
                 variables.allContainers.all(container, 
-                has(container.securityContext) &&
-                has(container.securityContext.capabilities) &&
-                has(container.securityContext.capabilities.drop) &&
-                container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'ALL'))
+                container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'ALL'))
               message: "Containers must drop `ALL` capabilities."
 
 

content/en/policies/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.md

@@ -46,17 +46,15 @@ spec:
       validate:
         cel:
           variables:
+            - name: mustDropCapabilities
+              expression: "['CAP_NET_RAW','NET_RAW']"
             - name: allContainers
-              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
           expressions:
             - expression: >-
                 variables.allContainers.all(container, 
-                has(container.securityContext) &&
-                has(container.securityContext.capabilities) &&
-                has(container.securityContext.capabilities.drop) &&
-                container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
+                container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))
               message: >-
                 Containers must drop the `CAP_NET_RAW` capability.
-        
 
 ```

content/en/policies/best-practices-cel/require-labels/require-labels.md

@@ -45,8 +45,7 @@ spec:
       cel:
         expressions:
           - expression: >-
-              has(object.metadata.labels) && 
-              'app.kubernetes.io/name' in object.metadata.labels && object.metadata.labels['app.kubernetes.io/name'] != ""
+              object.metadata.?labels[?'app.kubernetes.io/name'].orValue('') != ""
             message: "The label `app.kubernetes.io/name` is required." 
 
 

content/en/policies/best-practices-cel/require-ro-rootfs/require-ro-rootfs.md

@@ -47,8 +47,7 @@ spec:
         expressions:
           - expression: >-
               object.spec.containers.all(container,
-              has(container.securityContext) &&
-              container.securityContext.readOnlyRootFilesystem == true)
+              container.?securityContext.?readOnlyRootFilesystem.orValue(false) == true)
             message: "Root filesystem must be read-only."
           
 

content/en/policies/best-practices-cel/restrict-image-registries/restrict-image-registries.md

@@ -46,7 +46,7 @@ spec:
       cel:
         variables:
           - name: allContainers
-            expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+            expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
         expressions:
           - expression: "variables.allContainers.all(container, container.image.startsWith('eu.foo.io/') || container.image.startsWith('bar.io/'))"
             message: "Unknown image registry."

content/en/policies/best-practices/check-deprecated-apis/check-deprecated-apis.md

@@ -35,7 +35,7 @@ metadata:
       so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
       This policy requires Kyverno v1.7.4+ to function properly.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-v1-25-removals

content/en/policies/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.md

@@ -30,7 +30,7 @@ metadata:
       to or replacement of this policy, preventing users from mounting the parent directories
       (/var/run and /var) may be necessary to completely prevent socket bind mounts.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-docker-sock-mount

content/en/policies/best-practices/disallow-default-namespace/disallow-default-namespace.md

@@ -32,7 +32,7 @@ metadata:
       due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
       object and not at the Pod template level.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-namespace

content/en/policies/best-practices/disallow-helm-tiller/disallow-helm-tiller.md

@@ -5,7 +5,7 @@ version: 1.6.0
 subject: Pod
 policyType: "validate"
 description: >
-    Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.
+    Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.
 ---
 
 ## Policy Definition
@@ -25,11 +25,11 @@ metadata:
     policies.kyverno.io/description: >-
       Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
       resource accessible to any authenticated user. Tiller can lead to privilege escalation as
-      restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
+      restricted users can impact other users. It is recommended to use Helm v3+ which does not contain
       Tiller for these reasons. This policy validates that there is not an image
       containing the name `tiller`.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: validate-helm-tiller
@@ -40,10 +40,15 @@ spec:
               - Pod
       validate:
         message: "Helm Tiller is not allowed"
-        pattern:
-          spec:
-            containers:
-              - name: "*"
-                image: "!*tiller*"
+        foreach:
+        - list: "request.object.spec.containers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "!*tiller*"
 
 ```