Merge branch 'master' into ap-485j

.github/workflows/codeql.yml

@@ -50,7 +50,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
+        uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
+        uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
+        uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
+        uses: actions/dependency-review-action@9f45b2463b475767b61721ccfef113fef513e6aa # v3.1.1

.github/workflows/scorecards.yml

@@ -41,7 +41,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -71,6 +71,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
+        uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
         with:
           sarif_file: results.sarif

.github/workflows/workflow.yaml

@@ -65,7 +65,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        gatekeeper: [ "release-3.13", "release-3.12" ]
+        gatekeeper: [ "release-3.13", "release-3.14" ]
     name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }}"
     steps:
       - name: Harden Runner

scripts/website/generate.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"gopkg.in/yaml.v3"
+	"k8s.io/utils/strings/slices"
 )
 
 const (
@@ -28,6 +29,9 @@ const (
 	mutationPattern      = `(\s*)(type:\s+'category',\s+label:\s+'Mutation',\s+collapsed:\s+true,\s+items:\s*\[\s)(\s*)([^\]]*,)`
 )
 
+// Skip including examples for the following Kinds.
+var skipExampleKinds = []string{"AdmissionReview"}
+
 // Suite ...
 // ToDo (nilekh): Get this struct from the Gatekeeper repo.
 type Suite struct {
@@ -140,7 +144,20 @@ func main() {
 								fmt.Println("error while reading ", testCase.Object)
 								panic(err)
 							}
-							examples += fmt.Sprintf("<details>\n<summary>%s</summary>\n\n```yaml\n%s\n```\n\nUsage\n\n```shell\nkubectl apply -f %s\n```\n\n</details>\n", testCase.Name, exampleContent, exampleRawURL)
+
+							exampleResource := make(map[string]interface{})
+							err = yaml.Unmarshal(exampleContent, &exampleResource)
+							if err != nil {
+								fmt.Printf("error while unmarshaling: %v", exampleRawURL)
+								panic(err)
+							}
+
+							if exampleKind, ok := exampleResource["kind"].(string); !ok {
+								fmt.Printf("error while parsing kind: %v", exampleRawURL)
+								panic(err)
+							} else if !slices.Contains(skipExampleKinds, exampleKind) {
+								examples += fmt.Sprintf("<details>\n<summary>%s</summary>\n\n```yaml\n%s\n```\n\nUsage\n\n```shell\nkubectl apply -f %s\n```\n\n</details>\n", testCase.Name, exampleContent, exampleRawURL)
+							}
 						}
 
 						allExamples += fmt.Sprintf("<details>\n<summary>%s</summary><blockquote>\n\n%s\n%s\n\n</blockquote></details>", test.Name, constraintExample, examples)

website/docs/validation/allow-privilege-escalation.md

@@ -222,37 +222,6 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
 ```
 
-</details>
-<details>
-<summary>update</summary>
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
-  operation: "UPDATE"
-  object:
-    apiVersion: v1
-    kind: Pod
-    metadata:
-      name: nginx-privilege-escalation-disallowed
-      labels:
-        app: nginx-privilege-escalation
-    spec:
-      containers:
-      - name: nginx
-        image: nginx
-        securityContext:
-          allowPrivilegeEscalation: true
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml
-```
-
 </details>
 
 

website/docs/validation/automount-serviceaccount-token.md

@@ -161,36 +161,6 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/example_disallowed.yaml
 ```
 
-</details>
-<details>
-<summary>update</summary>
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
-  operation: "UPDATE"
-  object:
-    apiVersion: v1
-    kind: Pod
-    metadata:
-      name: nginx-automountserviceaccounttoken-update
-      labels:
-        app: nginx-automountserviceaccounttoken
-    spec:
-      automountServiceAccountToken: true
-      containers:
-        - name: nginx
-          image: nginx
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml
-```
-
 </details>
 
 

website/docs/validation/capabilities.md

@@ -317,46 +317,6 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/disallowed_ephemeral.yaml
 ```
 
-</details>
-<details>
-<summary>update</summary>
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
-  operation: "UPDATE"
-  object:
-    apiVersion: v1
-    kind: Pod
-    metadata:
-      name: opa-disallowed
-      labels:
-        owner: me.agilebank.demo
-    spec:
-      containers:
-        - name: opa
-          image: openpolicyagent/opa:0.9.2
-          args:
-            - "run"
-            - "--server"
-            - "--addr=localhost:8080"
-          securityContext:
-            capabilities:
-              add: ["disallowedcapability"]
-          resources:
-            limits:
-              cpu: "100m"
-              memory: "30Mi"
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml
-```
-
 </details>
 
 

website/docs/validation/ephemeralstoragelimit.md

@@ -471,44 +471,6 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
 ```
 
-</details>
-<details>
-<summary>ephemeral-storage-limit-update</summary>
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
-  operation: "UPDATE"
-  object:
-    apiVersion: v1
-    kind: Pod
-    metadata:
-      name: opa-allowed
-      labels:
-        owner: me.agilebank.demo
-    spec:
-      containers:
-        - name: opa
-          image: openpolicyagent/opa:0.9.2
-          args:
-            - "run"
-            - "--server"
-            - "--addr=localhost:8080"
-          resources:
-            limits:
-              cpu: "100m"
-              memory: "1Gi"
-              ephemeral-storage: "1Pi"
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml
-```
-
 </details>
 
 

website/docs/validation/flexvolume-drivers.md

@@ -184,43 +184,6 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/example_disallowed.yaml
 ```
 
-</details>
-<details>
-<summary>update</summary>
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
-  operation: "UPDATE"
-  object:
-    apiVersion: v1
-    kind: Pod
-    metadata:
-      name: nginx-flexvolume-driver-disallowed
-      labels:
-        app: nginx-flexvolume-driver
-    spec:
-      containers:
-      - name: nginx
-        image: nginx
-        volumeMounts:
-        - mountPath: /test
-          name: test-volume
-          readOnly: true
-      volumes:
-      - name: test-volume
-        flexVolume:
-          driver: "example/testdriver" #"example/lvm"
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml
-```
-
 </details>
 
 

website/docs/validation/forbidden-sysctls.md

@@ -208,41 +208,6 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml
 ```
 
-</details>
-<details>
-<summary>update</summary>
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
-  operation: "UPDATE"
-  object:
-    apiVersion: v1
-    kind: Pod
-    metadata:
-      name: nginx-forbidden-sysctls-disallowed
-      labels:
-        app: nginx-forbidden-sysctls
-    spec:
-      containers:
-        - name: nginx
-          image: nginx
-      securityContext:
-        sysctls:
-          - name: kernel.msgmax
-            value: "65536"
-          - name: net.core.somaxconn
-            value: "1024"
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml
-```
-
 </details>
 
 

website/docs/validation/fsgroup.md

@@ -216,42 +216,6 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/example_allowed.yaml
 ```
 
-</details>
-<details>
-<summary>update</summary>
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
-  operation: "UPDATE"
-  object:
-    apiVersion: v1
-    kind: Pod
-    metadata:
-      name: fsgroup-disallowed
-    spec:
-      securityContext:
-        fsGroup: 2000 # directory will have group ID 2000
-      volumes:
-      - name: fsgroup-demo-vol
-        emptyDir: {}
-      containers:
-      - name: fsgroup-demo
-        image: busybox
-        command: [ "sh", "-c", "sleep 1h" ]
-        volumeMounts:
-        - name: fsgroup-demo-vol
-          mountPath: /data/demo
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml
-```
-
 </details>