chore: update policies with latest changes

[pankajatnirmata]

Signed-off-by: Pankaj Khushalani [email protected]

Updated policies with changes as mentioned in #11 for v3.5 branch

• I have verified changes for best-practices and pod-security policies using kubectl kyverno test command.
• There were 2 changes found in the cves policies as well.

[pankajatnirmata]

@chipzoller can you review this PR?

[chipzoller]

Why are a couple of these policies under a folder called cves?

[pankajatnirmata]

I am not sure why.
The cves policies were added in this commit by @nsagark

[chipzoller]

I see, they're already in that dir. Whomever put them there misinterpreted their use. They aren't designed to mitigate or help mitigate CVEs, the note in the description refers to min versions of Kubernetes that prevent their operation. They should therefore be moved out of this folder.

[pankajatnirmata]

In that case, for better understanding, should we rename cves to other as these policies come from kyverno/policies/other?

[chipzoller]

It may not be a bad idea to have a folder just dedicated to CVE policies. That's not something we do upstream, but I can see it being useful. If that's not possible for some reason, maybe renaming it would be better.

[pankajatnirmata]

Should this change be taken up in the current PR?

Else I will leave the discussion to you and @nsagark

[chipzoller]

I do not know enough about where/how this repo is used throughout Nirmata and what impact renaming a directory will have. cc @patelrit

[patelrit]

Currently, these policies are used in our SaaS in the default PolicySets. We need to move these policies to the Nirmata GitHub repo. The Add-ons repo is specifically for the platform to deploy add-ons. All the curated policies should be in the Nirmata repo. Once the policies are created in the Nirmata repo, we can use that repo for N4K and NPM customers.