2025.3.31

Usage

Specify one or more of the available overlays in your local kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # use the 'all' overlay to get all available policies
  - https://github.com/metio/vap-collection//overlays/all/?ref=2025.3.31
  # or select individual overlay for specific policies
  - https://github.com/metio/vap-collection//overlays/best-practices/?ref=2025.3.31
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-baseline/?ref=2025.3.31
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-restricted/?ref=2025.3.31

Check the migration guide for any required actions on your part.

What's Changed

• ban usage of the default namespace for all resources by @sebhoss in #33

Full Changelog: 2025.3.24...2025.3.31

2025.3.24

Usage

Specify one or more of the available overlays in your local kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # use the 'all' overlay to get all available policies
  - https://github.com/metio/vap-collection//overlays/all/?ref=2025.3.24
  # or select individual overlay for specific policies
  - https://github.com/metio/vap-collection//overlays/best-practices/?ref=2025.3.24
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-baseline/?ref=2025.3.24
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-restricted/?ref=2025.3.24

Check the migration guide for any required actions on your part.

What's Changed

• add require-run-as-non-root-user policy by @sebhoss in #29
• simplify restrict-seccomp-profile-types by @sebhoss in #30
• add require-seccomp-profile-type policy by @sebhoss in #31
• add restrict-volume-types policy by @sebhoss in #32

Full Changelog: 2025.3.17...2025.3.24

2025.3.17

Usage

Specify one or more of the available overlays in your local kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # use the 'all' overlay to get all available policies
  - https://github.com/metio/vap-collection//overlays/all/?ref=2025.3.17
  # or select individual overlay for specific policies
  - https://github.com/metio/vap-collection//overlays/best-practices/?ref=2025.3.17
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-baseline/?ref=2025.3.17
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-restricted/?ref=2025.3.17

Check the migration guide for any required actions on your part.

What's Changed

• add require-requests-limits policy by @sebhoss in #26
• add ban-default-namespace policy by @sebhoss in #27
• add require-run-as-nonroot policy by @sebhoss in #28

Full Changelog: 2025.3.10...2025.3.17

2025.3.10

Usage

Specify one or more of the available overlays in your local kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # use the 'all' overlay to get all available policies
  - https://github.com/metio/vap-collection//overlays/all/?ref=2025.3.10
  # or select individual overlay for specific policies
  - https://github.com/metio/vap-collection//overlays/best-practices/?ref=2025.3.10
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-baseline/?ref=2025.3.10
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-restricted/?ref=2025.3.10

Check the migration guide for any required actions on your part.

What's Changed

• extend restrict-container-capabilities to jobs by @sebhoss in #7
• add ban-host-path-usage policy by @sebhoss in #8
• ban host namespace usage by @sebhoss in #9
• add ban-privileged-containers policy by @sebhoss in #10
• add restrict-seccomp-profile-types policy by @sebhoss in #11
• add restrict-proc-mount-type policy by @sebhoss in #12
• add require-disabled-privilege-escalation policy by @sebhoss in #13
• add restrict-selinux-types policy by @sebhoss in #14
• add ban-selinux-user policy by @sebhoss in #15
• add ban-selinux-role policy by @sebhoss in #16
• add ban-host-process policy by @sebhoss in #17
• add ban-or-restrict-host-ports policy by @sebhoss in #18
• add restrict-apparmor-types policy by @sebhoss in #19
• add ban-apparmor-annotation policy by @sebhoss in #20
• add ban-nodeport-services policy by @sebhoss in #21
• add ban-localhost-services policy by @sebhoss in #22
• add ban-external-ip-services policy by @sebhoss in #23
• add ban-sa-automount-sa-token policy by @sebhoss in #24
• add ban-pod-automount-sa-token policy by @sebhoss in #25

Full Changelog: 2025.3.3...2025.3.10

2025.3.3

Usage

Specify one or more of the available overlays in your local kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - https://github.com/metio/vap-collection//overlays/all/?ref=2025.3.3
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-baseline/?ref=2025.3.3
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-restricted/?ref=2025.3.3

Check the migration guide for any required actions on your part.

What's Changed

• fix audit value expression by @sebhoss in #1
• check sysctls of daemonsets/deployments/statefulsets/cronjobs/jobs by @sebhoss in #2
• allow more sysctls by @sebhoss in #3
• add policy docs by @sebhoss in #4
• prettify expressions by @sebhoss in #5
• extend only-allow-net-bind-service-capability to jobs by @sebhoss in #6

New Contributors

• @sebhoss made their first contribution in #1

Full Changelog: 2025.3.1...2025.3.3

2025.3.1

Usage

Specify one or more of the available overlays in your local kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - https://github.com/metio/vap-collection//overlays/all/?ref=2025.3.1
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-baseline/?ref=2025.3.1
  - https://github.com/metio/vap-collection//overlays/pod-security-standards-restricted/?ref=2025.3.1

Check the migration guide for any required actions on your part.

Full Changelog: https://github.com/metio/vap-collection/commits/2025.3.1