From d34a5ecc209881960c11c48979dc6bf971bb7cdc Mon Sep 17 00:00:00 2001
From: Jean-Francois Roy
Date: Wed, 11 Sep 2024 21:12:43 -0700
Subject: [PATCH] fix(kyverno): add NET_RAW to gluetun exception, remove apparmor
---
 .../apps/kyverno/kyverno-policies/app/clusterpolicy.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kubernetes/apps/kyverno/kyverno-policies/app/clusterpolicy.yaml b/kubernetes/apps/kyverno/kyverno-policies/app/clusterpolicy.yaml
index 4e8d9f98..573b42f8 100644
--- a/kubernetes/apps/kyverno/kyverno-policies/app/clusterpolicy.yaml
+++ b/kubernetes/apps/kyverno/kyverno-policies/app/clusterpolicy.yaml
@@ -13,8 +13,8 @@ metadata:
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
 This policy enforces the latest version of the Pod Security Standards baseline profile by
- default cluster wide. This policy allows NET_ADMIN in capabilities and Unconfined AppArmor for
- gluetun containers on pods with the label "gluetun=true".
+ default cluster wide. This policy allows capabilities for gluetun containers on pods with the
+ label "gluetun=true".
 spec:
 background: true
 validationFailureAction: Enforce
@@ -67,7 +67,7 @@ spec:
 restrictedField: spec.initContainers[*].securityContext.capabilities.add
 values:
 - NET_ADMIN
- - controlName: AppArmor
+ - NET_RAW
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
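Review bot: The rewritten description in the first hunk no longer names the capabilities the exception grants ("allows capabilities for gluetun containers"), so the annotation that policy reports surface can no longer be checked against the actual exclude list; spell them out, e.g. `default cluster wide. This policy allows NET_ADMIN and NET_RAW in capabilities for gluetun containers on pods` / `with the label "gluetun=true".`. In the second hunk the `values` list that gains NET_RAW belongs to an exclude keyed on `spec.initContainers[*].securityContext.capabilities.add`; if a sibling entry for `spec.containers[*]` exists outside this hunk it presumably needs NET_RAW too, otherwise a gluetun container that is not an init container is still denied. Both NET_ADMIN and NET_RAW are outside the baseline profile's allowed capability set, so the `images` restriction on this entry (if present — the entry starts above the hunk) is what bounds the exception to the gluetun image and is worth confirming. The removed `- controlName: AppArmor` entry carried no `images` or `restrictedField` in what is visible, so dropping it tightens the AppArmor control for every pod the rule matches, not just gluetun; the commit message could state that explicitly.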