kyverno · chipzoller · Aug 14, 2024 · Aug 5, 2024 · Aug 5, 2024 · Aug 6, 2024
diff --git a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Sample"
   kyverno/subject: "Pod"
-digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4
+digest: 31126cee424a796fe9a4078d879a2d650fa6a3efc267d714a90a54604d91a9de
diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
@@ -11,7 +11,7 @@ metadata:
     policies.kyverno.io/description: >-
       Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
       resource accessible to any authenticated user. Tiller can lead to privilege escalation as
-      restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
+      restricted users can impact other users. It is recommended to use Helm v3+ which does not contain
       Tiller for these reasons. This policy validates that there is not an image
       containing the name `tiller`.
 spec:
@@ -26,8 +26,13 @@ spec:
               - Pod
       validate:
         message: "Helm Tiller is not allowed"
-        pattern:
-          spec:
-            containers:
-              - name: "*"
-                image: "!*tiller*"
+        foreach:
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "!*tiller*"