diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index 0b2da0a..131e722 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kyverno-policies
 description: OSC Kyverno policies deployment
 type: application
-version: 0.29.1
+version: 0.29.2
 appVersion: "v1.13.2"
 maintainers:
 - name: treydock
diff --git a/charts/kyverno-policies/templates/ingress-allowed-dns.yaml b/charts/kyverno-policies/templates/ingress-allowed-dns.yaml
index 0a349d4..7c8df13 100644
--- a/charts/kyverno-policies/templates/ingress-allowed-dns.yaml
+++ b/charts/kyverno-policies/templates/ingress-allowed-dns.yaml
@@ -34,5 +34,5 @@ spec:
 operator: Equals
 value: "*.osc.edu"
 - key: "{{`{{ element.host }}`}}"
- operator: NotIn
+ operator: AnyNotIn
 value: "{{`{{ allowed | split(@, ',') }}`}}"
diff --git a/charts/kyverno-policies/templates/namespace-account.yaml b/charts/kyverno-policies/templates/namespace-account.yaml
index 8fe5021..3d0f89f 100644
--- a/charts/kyverno-policies/templates/namespace-account.yaml
+++ b/charts/kyverno-policies/templates/namespace-account.yaml
@@ -50,5 +50,5 @@ spec:
 deny:
 conditions:
 - key: "{{`{{ request.object.metadata.labels.account }}`}}"
- operator: NotIn
+ operator: AnyNotIn
 value: "{{`{{`}} userGroupMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
diff --git a/charts/kyverno-policies/templates/pod-account-validation.yaml b/charts/kyverno-policies/templates/pod-account-validation.yaml
index f0e083a..0e077eb 100644
--- a/charts/kyverno-policies/templates/pod-account-validation.yaml
+++ b/charts/kyverno-policies/templates/pod-account-validation.yaml
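Review bot: In ingress-allowed-dns.yaml the list on the right of the changed condition comes from `allowed | split(@, ',')`, and `split` does not trim its pieces, so an `allowed` string written as `a.osc.edu, b.osc.edu` produces an entry with a leading space that no host name will match. As far as the hunk shows this fails closed (the host is denied), but the cause is hard to spot for whoever maintains the allow-list; I would add above the condition `# allowed: comma-separated host names, no spaces (entries are not trimmed before comparison)`. The key in this rule is a single host string, so the Any/All quantifier makes no difference here. Where `allowed` is populated is outside the hunk, so confirm the expected format there.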
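Review bot: The right-hand side of the changed condition in namespace-account.yaml is a single ConfigMap entry (`userGroupMap.data."user-…"`), and nothing visible in the hunk says what happens when that entry is absent or empty for the requesting service account. For a deny rule the outcome that matters is that a missing entry still blocks the request, rather than the condition evaluating to false or the rule erroring under a permissive failure policy; the same question applies to the `userGroupMap` and `userGIDMap` lookups in pod-account-validation.yaml (both hunks), pod-groups-validation.yaml and pod-service-account-validation.yaml (both hunks). Since the operator is swapped on every one of these rules, I would add a policy test per rule with three cases: label value present in the map entry, value not present, and no map entry at all. The rule bodies begin above each hunk, so a precondition there may already cover the missing-entry case.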
@@ -54,7 +54,7 @@ spec:
 deny:
 conditions:
 - key: "{{`{{ request.object.metadata.labels.account }}`}}"
- operator: NotIn
+ operator: AnyNotIn
 value: "{{`{{ userGroupMap.data.\"{{ request.object.metadata.namespace }}\" }}`}}"
 - name: paas-user-authorized-for-account
 match:
@@ -92,5 +92,5 @@ spec:
 deny:
 conditions:
 - key: "{{`{{ request.object.metadata.labels.account }}`}}"
- operator: NotIn
+ operator: AnyNotIn
 value: "{{`{{ userGroupMap.data.\"user-{{ serviceAccount }}\" }}`}}"
diff --git a/charts/kyverno-policies/templates/pod-groups-validation.yaml b/charts/kyverno-policies/templates/pod-groups-validation.yaml
index 9e1d48b..fad4dd9 100644
--- a/charts/kyverno-policies/templates/pod-groups-validation.yaml
+++ b/charts/kyverno-policies/templates/pod-groups-validation.yaml
@@ -31,5 +31,5 @@ spec:
 deny:
 conditions:
 - key: "{{`{{ request.object.spec.securityContext.supplementalGroups[*].to_string(@) }}`}}"
- operator: NotIn
+ operator: AnyNotIn
 value: "{{`{{ userGIDMap.data.\"{{ request.object.metadata.namespace }}\" }}`}}"
diff --git a/charts/kyverno-policies/templates/pod-service-account-validation.yaml b/charts/kyverno-policies/templates/pod-service-account-validation.yaml
index b64aa55..80b143f 100644
--- a/charts/kyverno-policies/templates/pod-service-account-validation.yaml
+++ b/charts/kyverno-policies/templates/pod-service-account-validation.yaml
@@ -102,7 +102,7 @@ spec:
 deny:
 conditions:
 - key: "{{`{{ request.object.spec.securityContext.supplementalGroups[*].to_string(@) }}`}}"
- operator: NotIn
+ operator: AnyNotIn
 value: "{{`{{`}} userGIDMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}"
 - name: paas-require-valid-service-account
 match:
@@ -190,5 +190,5 @@ spec:
 deny:
 conditions:
 - key: "{{`{{ request.object.spec.securityContext.supplementalGroups[*].to_string(@) }}`}}"
- operator: NotIn
+ operator: AnyNotIn
 value: "{{`{{ userGIDMap.data.\"user-{{ serviceAccount }}\" }}`}}"
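Review bot: In pod-groups-validation.yaml the key is a list (`supplementalGroups[*].to_string(@)`), so the quantifier in the operator name is what actually enforces the policy, and it should carry a comment saying why this one was chosen. `AnyNotIn` denies when at least one requested GID is outside the map entry, whereas `AllNotIn` would deny only when every GID is outside it, so a later edit between the two would silently weaken the rule. I would add above the operator `# AnyNotIn: deny if any requested supplemental GID is missing from the allowed set`, and the same comment in both hunks of pod-service-account-validation.yaml. The hunk shows only `supplementalGroups`; whether `fsGroup` and `runAsGroup` are validated by other rules is outside it and worth confirming.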