chore: Update dependencies and add Kyverno policies for Pod validation

.github/workflows/chainguard.yml

@@ -28,6 +28,7 @@ jobs:
       run: |
         wget https://github.com/chainguard-dev/melange/releases/download/v0.11.2/melange_0.11.2_linux_386.tar.gz
         tar -xzf melange_0.11.2_linux_386.tar.gz
+        cd melange_0.11.2_linux_386
         sudo mv melange /usr/local/bin/
         melange version
 
@@ -36,6 +37,7 @@ jobs:
       run: |
         wget https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_386.tar.gz
         tar -xzf apko_0.14.7_linux_386.tar.gz
+        cd apko_0.14.7_linux_386
         sudo mv apko /usr/local/bin/
         apko version
 

kyverno/disallow-latest-tag.yaml

@@ -10,7 +10,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`.      "
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: require-image-tag

kyverno/no-root-containers.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: no-root-containers
+spec:
+  rules:
+  - name: require-non-root
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Containers must not run as root"
+      pattern:
+        spec:
+          containers:
+          - securityContext:
+              runAsNonRoot: true

kyverno/require-labels.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+spec:
+  validationFailureAction: Audit
+  rules:
+  - name: check-for-labels
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "label 'app' is required"
+      pattern:
+        metadata:
+          labels:
+            app: "?*"

kyverno/require-requests-limits.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-requests-limits
+  annotations:
+    policies.kyverno.io/title: Require Limits and Requests
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/description: >-
+      As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on the LimitRange configuration. This policy validates that all containers have something specified for memory and CPU requests and memory limits.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: validate-resources
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "CPU and memory resource requests and limits are required."
+      pattern:
+        spec:
+          containers:
+          - resources:
+              requests:
+                memory: "?*"
+                cpu: "?*"
+              limits:
+                memory: "?*"