From d694674f7c56eaa2e54f95e952f5cf8b10b51951 Mon Sep 17 00:00:00 2001
From: Tim Missal <t.missal@dvz-mv.de>
Date: Mon, 21 Nov 2022 13:14:10 +0000
Subject: [PATCH] =?UTF-8?q?Resolve=20""background"=3Dtrue=20und=20action?=
 =?UTF-8?q?=3Daudit=20=C3=BCberall=20gleich=20setzen"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 policies/disallow-privileged-containers.yaml    | 2 +-
 policies/imagepullpolicy-always.yaml            | 4 ++--
 policies/require-health-and-liveness-check.yaml | 1 +
 policies/require-limits-and-requests.yaml       | 1 +
 policies/require-unique-uid-per-workload.yaml   | 6 +++---
 policies/require_ro_rootfs.yaml                 | 3 ++-
 policies/restrict-external-ips.yaml             | 1 +
 policies/restrict-image-registries.yaml         | 4 ++--
 8 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/policies/disallow-privileged-containers.yaml b/policies/disallow-privileged-containers.yaml
index be9b8f5..81769ea 100644
--- a/policies/disallow-privileged-containers.yaml
+++ b/policies/disallow-privileged-containers.yaml
@@ -32,4 +32,4 @@ spec:
                   =(privileged): "false"
             containers:
               - =(securityContext):
-                  =(privileged): "false"
\ No newline at end of file
+                  =(privileged): "false"
diff --git a/policies/imagepullpolicy-always.yaml b/policies/imagepullpolicy-always.yaml
index d75111d..21e752c 100644
--- a/policies/imagepullpolicy-always.yaml
+++ b/policies/imagepullpolicy-always.yaml
@@ -15,7 +15,7 @@ metadata:
     policies.o4oe.de/category: should
 spec:
   validationFailureAction: audit
-  background: false
+  background: true
   rules:
   - name: imagepullpolicy-always
     match:
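Review bot: The key order in this spec differs from the rest of the patch: `background: true` is placed after `validationFailureAction: audit` at lines +39–41, while every other policy touched here writes `background` first and `validationFailureAction` second (see require-unique-uid-per-workload and restrict-image-registries). For a commit whose stated purpose is setting these two fields uniformly, swap the two lines so all policy specs read `background: true` then `validationFailureAction: audit`. The order is semantically irrelevant to Kyverno, so this is a readability and diffability point only.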
@@ -29,4 +29,4 @@ spec:
         spec:
           containers:
           - (image): "*:latest | !*:*"
-            imagePullPolicy: "Always"
\ No newline at end of file
+            imagePullPolicy: "Always"
diff --git a/policies/require-health-and-liveness-check.yaml b/policies/require-health-and-liveness-check.yaml
index 613099a..efbe1ee 100644
--- a/policies/require-health-and-liveness-check.yaml
+++ b/policies/require-health-and-liveness-check.yaml
@@ -21,6 +21,7 @@ metadata:
     policies.o4oe.de/bsi-protection-requirement: standard
     policies.o4oe.de/category: should
 spec:
+  background: true
   validationFailureAction: audit
   rules:
   - name: validate-livenessProbe-readinessProbe
diff --git a/policies/require-limits-and-requests.yaml b/policies/require-limits-and-requests.yaml
index d89fa0b..7022f09 100644
--- a/policies/require-limits-and-requests.yaml
+++ b/policies/require-limits-and-requests.yaml
@@ -19,6 +19,7 @@ metadata:
       policies.o4oe.de/bsi-protection-requirement: standard
       policies.o4oe.de/category: should   
 spec:
+  background: true
   validationFailureAction: audit
   rules:
   - name: validate-resources
diff --git a/policies/require-unique-uid-per-workload.yaml b/policies/require-unique-uid-per-workload.yaml
index 21ea77e..e88cf90 100644
--- a/policies/require-unique-uid-per-workload.yaml
+++ b/policies/require-unique-uid-per-workload.yaml
@@ -18,8 +18,8 @@ metadata:
   labels:
     policies.o4oe.de/category: must
 spec:
-  background: false
-  validationFailureAction: enforce
+  background: true
+  validationFailureAction: audit
   rules:
   - name: require-unique-uid
     match:
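Review bot: Switching `validationFailureAction` from `enforce` to `audit` at line +87 turns this `policies.o4oe.de/category: must` policy (line 82) into a report-only check: Pods that reuse a UID already used by another workload are now admitted and merely recorded in a PolicyReport, which the `must` label no longer reflects. If the downgrade is a deliberate rollout phase, record that next to the field, `validationFailureAction: audit  # TODO: return to enforce once existing workloads are clean`; otherwise keep `enforce` for must-category policies. The rule body continues beyond this hunk; line 93 in the next hunk shows it reads `request.object`, which Kyverno permits in background mode as the scanned resource, but whatever context lookup produces `uidsAllPodsExceptSameOwnerAsRequestObject` will now be evaluated once per existing Pod on every background scan, so verify that cost is acceptable for the cluster size.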
@@ -46,4 +46,4 @@ spec:
         # this checks uids for ALL containers in any pod of the workload
         - key: "{{ request.object.spec.containers[].securityContext.to_string(runAsUser) }}"
           operator: In
-          value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
\ No newline at end of file
+          value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
diff --git a/policies/require_ro_rootfs.yaml b/policies/require_ro_rootfs.yaml
index fbfefcd..890298e 100644
--- a/policies/require_ro_rootfs.yaml
+++ b/policies/require_ro_rootfs.yaml
@@ -17,6 +17,7 @@ metadata:
     policies.o4oe.de/bsi-protection-requirement: standard
     policies.o4oe.de/category: should
 spec:
+  background: true
   validationFailureAction: audit
   rules:
   - name: validate-readOnlyRootFilesystem
@@ -30,4 +31,4 @@ spec:
         spec:
           containers:
           - securityContext:
-              readOnlyRootFilesystem: true
\ No newline at end of file
+              readOnlyRootFilesystem: true
diff --git a/policies/restrict-external-ips.yaml b/policies/restrict-external-ips.yaml
index 263c084..4ce4747 100644
--- a/policies/restrict-external-ips.yaml
+++ b/policies/restrict-external-ips.yaml
@@ -16,6 +16,7 @@ metadata:
       
       This Policy applies to all types of kind "Service", including ClusterIP and LoadBalancer.
 spec:
+  background: true
   validationFailureAction: audit
   rules:
   - name: check-ips
diff --git a/policies/restrict-image-registries.yaml b/policies/restrict-image-registries.yaml
index 44447d2..4e73971 100644
--- a/policies/restrict-image-registries.yaml
+++ b/policies/restrict-image-registries.yaml
@@ -16,8 +16,8 @@ metadata:
     policies.o4oe.de/bsi-protection-requirement: basic
     policies.o4oe.de/category: must
 spec:
-  background: false
-  validationFailureAction: enforce
+  background: true
+  validationFailureAction: audit
   rules:
   - name: validate-registries
     match:
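Review bot: Changing `validationFailureAction` from `enforce` to `audit` at line +140 removes the admission-time block on images from non-approved registries: a Pod pulling from any registry is now admitted and only produces a PolicyReport entry, so the registry allow-list stops being a preventive supply-chain control. That contradicts the `policies.o4oe.de/bsi-protection-requirement: basic` and `policies.o4oe.de/category: must` labels on lines 134–135, which still advertise this as a mandatory baseline. If audit is an intentional transition, document it on the field, `validationFailureAction: audit  # TODO: enforce once PolicyReports show no violations`, and otherwise keep `enforce` for must-category policies. The rule body continues past the hunk, so whether it references variables such as `request.userInfo` that Kyverno rejects under `background: true` cannot be confirmed from here.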
-- 
GitLab