update kyverno version and policy

Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>

devel/addon/kyverno/BUILD.bazel

@@ -1,17 +1,17 @@
 load("@io_bazel_rules_docker//container:bundle.bzl", "container_bundle")
 
 container_bundle(
-    name = "bundle_v1.3.6",
+    name = "bundle_v1.7.1",
     images = {
-        "ghcr.io/kyverno/kyverno:v1.3.6": "@io_kyverno//image",
+        "ghcr.io/kyverno/kyverno:v1.7.1": "@io_kyverno//image",
     },
     tags = ["manual"],
 )
 
 container_bundle(
-    name = "pre_bundle_v1.3.6",
+    name = "pre_bundle_v1.7.1",
     images = {
-        "ghcr.io/kyverno/kyvernopre:v1.3.6": "@io_kyverno_pre//image",
+        "ghcr.io/kyverno/kyvernopre:v1.7.1": "@io_kyverno_pre//image",
     },
     tags = ["manual"],
 )

devel/addon/kyverno/install.sh

@@ -31,9 +31,9 @@ source "${SCRIPT_ROOT}/../../lib/lib.sh"
 check_tool kubectl
 check_tool helm
 
-CHART_VERSION="v1.3.6"
-IMAGE_TAG="v1.3.6"
-PRE_IMAGE_TAG="v1.3.6"
+CHART_VERSION="v2.5.1"
+IMAGE_TAG="v1.7.1"
+PRE_IMAGE_TAG="v1.7.1"
 
 require_image "ghcr.io/kyverno/kyverno:${IMAGE_TAG}" "//devel/addon/kyverno:bundle_${IMAGE_TAG}"
 require_image "ghcr.io/kyverno/kyvernopre:${PRE_IMAGE_TAG}" "//devel/addon/kyverno:pre_bundle_${PRE_IMAGE_TAG}"

devel/addon/kyverno/kustomization.yaml

@@ -4,7 +4,7 @@
 # Use as follows:
 #  kustomize build . > policy.yaml
 bases:
-  - https://github.com/kyverno/policies/pod-security
+  - https://github.com/kyverno/policies/pod-security/enforce
 patches:
   - patch: |-
       - op: replace

make/config/kyverno/kustomization.yaml

@@ -4,7 +4,7 @@
 # Use as follows:
 #  kustomize build . > policy.yaml
 bases:
-  - https://github.com/kyverno/policies/pod-security
+  - https://github.com/kyverno/policies/pod-security/enforce
 patches:
   - patch: |-
       - op: replace

make/e2e-setup.mk

@@ -13,8 +13,8 @@ CRI_ARCH := $(HOST_ARCH)
 K8S_VERSION := 1.24
 
 IMAGE_ingressnginx_amd64 := k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:7464dc90abfaa084204176bcc0728f182b0611849395787143f6854dc6c38c85
-IMAGE_kyverno_amd64 := ghcr.io/kyverno/kyverno:v1.3.6@sha256:7d7972e7d9ed2a6da27b06ccb1c3c5d3544838d6cedb67a050ba7d655461ef52
-IMAGE_kyvernopre_amd64 := ghcr.io/kyverno/kyvernopre:v1.3.6@sha256:94fc7f204917a86dcdbc18977e843701854aa9f84c215adce36c26de2adf13df
+IMAGE_kyverno_amd64 := ghcr.io/kyverno/kyverno:v1.7.1@sha256:aec4b029660d47aea025336150fdc2822c991f592d5170d754b6acaf158b513e
+IMAGE_kyvernopre_amd64 := ghcr.io/kyverno/kyvernopre:v1.7.1@sha256:1bcec6bc854720e22f439c6dcea02fcf689f31976babcf03a449d750c2b1f34a
 IMAGE_vault_amd64 := index.docker.io/library/vault:1.2.3@sha256:b1c86c9e173f15bb4a926e4144a63f7779531c30554ac7aee9b2a408b22b2c01
 IMAGE_bind_amd64 := docker.io/eafxx/bind:latest-9f74179f@sha256:0b8c766f5bedbcbe559c7970c8e923aa0c4ca771e62fcf8dba64ffab980c9a51
 IMAGE_sampleexternalissuer_amd64 := ghcr.io/cert-manager/sample-external-issuer/controller:v0.1.1@sha256:7dafe98c73d229bbac08067fccf9b2884c63c8e1412fe18f9986f59232cf3cb5
@@ -23,8 +23,8 @@ IMAGE_pebble_amd64 := local/pebble:local
 IMAGE_vaultretagged_amd64 := local/vault:local
 
 IMAGE_ingressnginx_arm64 := k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:86be28e506653cbe29214cb272d60e7c8841ddaf530da29aa22b1b1017faa956
-IMAGE_kyverno_arm64 := ghcr.io/kyverno/kyverno:v1.3.6@sha256:fa1e44e927433f217ef507299aeebf27f9b24a21a5f27d07b3b8acf26b48d5e6
-IMAGE_kyvernopre_arm64 := ghcr.io/kyverno/kyvernopre:v1.3.6@sha256:f1a85fb6a95ccc9770e668116e0252c7e7c42b6403f3451047e154b8367cb987
+IMAGE_kyverno_arm64 := ghcr.io/kyverno/kyverno:v1.7.1@sha256:4355f1f65ea5e952886e929a15628f0c6704905035b4741c6f560378871c9335
+IMAGE_kyvernopre_arm64 := ghcr.io/kyverno/kyvernopre:v1.7.1@sha256:141234fb74242155c7b843180b90ee5fb6a20c9e77598bd9c138c687059cdafd
 IMAGE_vault_arm64 := index.docker.io/library/vault:1.2.3@sha256:226a269b83c4b28ff8a512e76f1e7b707eccea012e4c3ab4c7af7fff1777ca2d
 IMAGE_bind_arm64 := docker.io/eafxx/bind:latest-9f74179f@sha256:85de273f24762c0445035d36290a440e8c5a6a64e9ae6227d92e8b0b0dc7dd6d
 IMAGE_sampleexternalissuer_arm64 := # 🚧 NOT AVAILABLE FOR arm64 🚧
@@ -173,8 +173,12 @@ feature_gates_webhook := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=
 feature_gates_cainjector := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=%, $(subst $(comma),$(space),$(FEATURE_GATES))))
 
 # TODO: move these commands to separate scripts for readability
+#
+# ⚠ The following components are installed *before* cert-manager:
+# * GatewayAPI: so that cert-manager can watch those CRs.
+# * Kyverno: so that it can check the cert-manager manifests against the policy in `config/kyverno/`.
 .PHONY: e2e-setup-certmanager
-e2e-setup-certmanager: $(BINDIR)/cert-manager.tgz $(foreach binaryname,controller acmesolver cainjector webhook ctl,$(BINDIR)/containers/cert-manager-$(binaryname)-linux-$(CRI_ARCH).tar) $(foreach binaryname,controller acmesolver cainjector webhook ctl,load-$(BINDIR)/containers/cert-manager-$(binaryname)-linux-$(CRI_ARCH).tar) e2e-setup-gatewayapi $(BINDIR)/scratch/kind-exists | $(BINDIR)/tools/kubectl $(BINDIR)/tools/kind
+e2e-setup-certmanager: $(BINDIR)/cert-manager.tgz $(foreach binaryname,controller acmesolver cainjector webhook ctl,$(BINDIR)/containers/cert-manager-$(binaryname)-linux-$(CRI_ARCH).tar) $(foreach binaryname,controller acmesolver cainjector webhook ctl,load-$(BINDIR)/containers/cert-manager-$(binaryname)-linux-$(CRI_ARCH).tar) e2e-setup-gatewayapi e2e-setup-kyverno $(BINDIR)/scratch/kind-exists | $(BINDIR)/tools/kubectl $(BINDIR)/tools/kind
 	@$(eval TAG = $(shell tar xfO $(BINDIR)/containers/cert-manager-controller-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f2))
 	$(BINDIR)/tools/helm upgrade \
 		--install \
@@ -236,7 +240,7 @@ e2e-setup-ingressnginx: $(call image-tar,ingressnginx) load-$(call image-tar,ing
 		ingress-nginx ingress-nginx/ingress-nginx >/dev/null
 
 .PHONY: e2e-setup-kyverno
-e2e-setup-kyverno: $(call image-tar,kyverno) $(call image-tar,kyvernopre) load-$(call image-tar,kyverno) load-$(call image-tar,kyvernopre) make/config/kyverno/policy.yaml $(BINDIR)/scratch/kind-exists e2e-setup-certmanager $(BINDIR)/tools/kubectl $(BINDIR)/tools/helm
+e2e-setup-kyverno: $(call image-tar,kyverno) $(call image-tar,kyvernopre) load-$(call image-tar,kyverno) load-$(call image-tar,kyvernopre) make/config/kyverno/policy.yaml $(BINDIR)/scratch/kind-exists $(BINDIR)/tools/kubectl $(BINDIR)/tools/helm
 	@$(eval TAG=$(shell tar xfO $< manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f2))
 	$(BINDIR)/tools/helm repo add kyverno --force-update https://kyverno.github.io/kyverno/ >/dev/null
 	$(BINDIR)/tools/helm upgrade \
@@ -244,9 +248,9 @@ e2e-setup-kyverno: $(call image-tar,kyverno) $(call image-tar,kyvernopre) load-$
 		--wait \
 		--namespace kyverno \
 		--create-namespace \
-		--version v1.3.6 \
-		--set image.tag=v1.3.6 \
-		--set initImage.tag=v1.3.6 \
+		--version v2.5.1 \
+		--set image.tag=v1.7.1 \
+		--set initImage.tag=v1.7.1 \
 		--set image.pullPolicy=Never \
 		--set initImage.pullPolicy=Never \
 		kyverno kyverno/kyverno >/dev/null

test/e2e/images.bzl

@@ -50,16 +50,16 @@ def install():
         name = "io_kyverno",
         registry = "ghcr.io",
         repository = "kyverno/kyverno",
-        tag = "v1.3.6",
-        digest = "sha256:7d7972e7d9ed2a6da27b06ccb1c3c5d3544838d6cedb67a050ba7d655461ef52",
+        tag = "v1.7.1",
+        digest = "sha256:9c73f1841ebc61b6a23c935154521cb12289a38de3422f56aa87a7d7ff9b39fe",
     )
 
     container_pull(
         name = "io_kyverno_pre",
         registry = "ghcr.io",
         repository = "kyverno/kyvernopre",
-        tag = "v1.3.6",
-        digest = "sha256:94fc7f204917a86dcdbc18977e843701854aa9f84c215adce36c26de2adf13df",
+        tag = "v1.7.1",
+        digest = "sha256:185d2eebc60cc693056d9359f0434b7eca4152b06f21f58c6289815257c41af8",
     )
 
     ## Fetch vault for use during e2e tests