Conversation

@santoshkal
Collaborator

This PR adds a demo folder with the commands for all the features of Genval, including genai implementation.
All the relevant template inputs, configs, and policies are available in the ./templates directory.

@dryrunsecurity

dryrunsecurity bot commented Nov 13, 2024

DryRun Security Summary

The pull request introduces improvements to Kubernetes API security and functionality, including new admission control policies, removal of sensitive information, and updates to various API resources and infrastructure components.

Summary:

The code changes in this pull request cover a diverse range of updates to the Kubernetes API and related infrastructure. The changes include improvements to application security, such as the removal of sensitive information from documentation, as well as updates to the Kubernetes Admission API, which is a critical component for enforcing security policies within a Kubernetes cluster.

The changes also introduce new features, such as the ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding resources, which allow for the definition and application of custom admission control policies using a domain-specific language (CEL). This provides cluster administrators with a powerful tool for implementing security controls at the API level.

Additionally, the changes include updates to various Kubernetes API types and resources, such as the StorageVersion, AdmissionReview, and workload-related resources (Deployment, DaemonSet, etc.). These changes are primarily focused on improving the functionality and maintainability of the Kubernetes API, which is an important aspect of ensuring the overall security and reliability of Kubernetes-based applications.

Files Changed:

  • demo/demo.md: The changes remove a section containing sensitive password information, which is a positive security practice.
  • .vscode/settings.json: The changes disable the automatic configuration of Makefile projects, which could have performance or behavioral implications that should be considered.
  • .gitignore: The changes remove the exclusion of the demo/ directory and add an exception for a Dockerfile file, which may expose or hide sensitive information that should be reviewed.
  • demo/genai-commands.md and demo/commands.md: The changes introduce the genai command and demonstrate the use of the Genval tool for generating and validating security policies, which is a valuable security feature.
  • templates/defaultpolicies/cue/policy/combined.cue: The changes enforce various security best practices for container configurations, such as disabling privilege escalation and running containers as a non-root user.
  • pkg/validate/printresults.go: The changes improve the logging and reporting of policy evaluation results, which can aid in security monitoring and troubleshooting.
  • Various *.go_gen.cue files: These changes are primarily related to the generation of Go code for different versions of the Kubernetes API, including the Admission API, API Discovery, and other internal APIs. While these changes do not directly introduce security vulnerabilities, they are important for maintaining the security and integrity of the Kubernetes API infrastructure.

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.
