feat(helm): support custom policies with built-in scanner

deploy/helm/Chart.yaml

@@ -6,7 +6,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.4
+version: 0.11.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

deploy/helm/templates/policies.yaml

@@ -863,3 +863,12 @@ data:
     kubernetes.namespace]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
     __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
     __rego_metadata__.type,\n\t}\n}\n"
+  {{- with .Values.additionalPolicies }}
+  {{- range $key, $val := .library }}
+  library.{{ $key }}: {{ $val | quote }}
+  {{- end }}
+  {{- range $key, $val := .policy }}
+  policy.{{ $key }}.rego: {{ $val.rego | quote }}
+  policy.{{ $key }}.kinds: {{ $val.kinds | quote }}
+  {{- end }}
+  {{- end }}

deploy/helm/values.yaml

@@ -476,3 +476,19 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+additionalPolicies:
+  library: {}
+    # kubernetes.rego: |
+    #   << REGO >>
+    # utils.rego: |
+    #   << REGO >>
+  policy: {}
+    # access_to_host_pid:
+    #   rego: |
+    #     << REGO >>
+    #   kinds: Workload
+    # configmap_with_sensitive_data:
+    #   rego: |
+    #     << REGO >>
+    #   kinds: ConfigMap

docs/tutorials/writing-custom-configuration-audit-policies.md

@@ -134,6 +134,17 @@ data:
     }
 ```
 
+When using the Helm chart, this can be accomplished as follows:
+
+```yaml
+additionalPolicies:
+  policy:
+    recommended_labels:
+    kinds: "*"
+    rego: |-
+      ...
+```
+
 In this example, to add a new policy, you must define two data entries in the `starboard-policies-config`
 ConfigMap: