add pss exceptions

giantswarm · Aug 15, 2023 · 0f3aa7b · 0f3aa7b
1 parent 4fb3a49
commit 0f3aa7b
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/.nancy-ignore b/.nancy-ignore
@@ -5,3 +5,9 @@ CVE-2019-10743 until=2021-10-17
 CVE-2022-29153
 CVE-2022-29153
 sonatype-2021-1401
+
+# pkg:golang/k8s.io/apiserver@v0.20.12
+CVE-2020-8561 until=2023-10-01
+
+# pkg:golang/google.golang.org/grpc@v1.36.1
+CVE-2023-32731 until=2023-10-01
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- Added required exceptions fot PSS.
+
 ## [0.8.0] - 2022-09-14
 
 ### Changed

diff --git a/helm/azure-scheduled-events-app/templates/pss-exceptions.yaml b/helm/azure-scheduled-events-app/templates/pss-exceptions.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: {{ include "resource.default.name"  . }}-exceptions
+  namespace: {{ include "resource.default.namespace"  . }}
+spec:
+  exceptions:
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root 
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - adding-capabilities-strict
+    - autogen-adding-capabilities-strict
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  match:
+    any:
+    - resources:
+        kinds:
+        - DaemonSet
+        - ReplicaSet
+        - Pod
+        namespaces:
+        - {{ include "resource.default.namespace"  . }}
+        names:
+        - {{ include "resource.default.name"  . }}*