diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index e5769b4aa2..0637f85d93 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -61,7 +61,7 @@ func Test_add_ns_quota(t *testing.T) {
 }
 
 func Test_validate_disallow_node_port(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/disallow_node_port.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/restrict_node_port.yaml")
 }
 
 func Test_validate_disallow_default_serviceaccount(t *testing.T) {
diff --git a/samples/README.md b/samples/README.md
index 23ae283981..6cd5041ccf 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -47,19 +47,19 @@ These policies are highly recommended.
 9. [Disallow use of default namespace](DisallowDefaultNamespace.md)
 10. [Disallow latest image tag](DisallowLatestTag.md)
 11. [Disallow Helm Tiller](DisallowHelmTiller.md)
-12. [Restrict image registries](RestrictImageRegistries.md)
-13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-15. [Add default network policy](DefaultDenyAllIngress.md)
-16. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
-17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
+12. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+13. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+14. [Add default network policy](DefaultDenyAllIngress.md)
+15. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
+16. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
 
 ## Additional Policies
 
-The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes.
+The policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.
 
-18. [Limit use of `NodePort` services](LimitNodePort.md)
-19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
-20. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
-21. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
+17. [Restrict image registries](RestrictImageRegistries.md)
+18. [Restrict `NodePort` services](RestrictNodePort.md)
+19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
+20. [Restrict Linux Capabilities](RestrictLinuxCapabilities.md)
+21. [Restrict kernel parameter access](ConfigureKernelParmeters.md)
 22. [Restrict ingress classes](KnownIngressClass.md)
diff --git a/samples/AssignLinuxCapabilities.md b/samples/RestrictLinuxCapabilities.md
similarity index 71%
rename from samples/AssignLinuxCapabilities.md
rename to samples/RestrictLinuxCapabilities.md
index a15dd8cd73..72dd3daeba 100644
--- a/samples/AssignLinuxCapabilities.md
+++ b/samples/RestrictLinuxCapabilities.md
@@ -1,16 +1,21 @@
-# Assign Linux capabilities
+# Restrict Linux capabilities
+
+Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled or disabled by listing them in `securityContext.capabilites`. A best practice is to limit the allowed capabilities to a minimal required set for each pod.
+
+## Additional Information
+
+* [List of linux capabilities](https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h)
 
-Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled or disabled by listing them in `securityContext.capabilites`.
 
 ## Policy YAML
 
-[policy_validate_container_capabilities.yaml](more/policy_validate_container_capabilities.yaml)
+[restrict_capabilities.yaml](more/restrict_capabilities.yaml)
 
 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-container-capablities
+  name: restrict-capabilities
 spec:
   rules:
   - name: validate-container-capablities
@@ -19,7 +24,7 @@ spec:
         kinds:
         - Pod
     validate:
-      message: "Allow certain linux capability"
+      message: "Allow select linux capabilities"
       pattern:
         spec:
           containers:
@@ -29,6 +34,3 @@ spec:
 ````
 
-## Additional Information
-
-* [List of linux capabilities](https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h)
 
diff --git a/samples/LimitNodePort.md b/samples/RestrictNodePort.md
similarity index 76%
rename from samples/LimitNodePort.md
rename to samples/RestrictNodePort.md
index a45ca25438..9c3cda23de 100644
--- a/samples/LimitNodePort.md
+++ b/samples/RestrictNodePort.md
@@ -1,4 +1,4 @@
-# Limit `NodePort` services
+# Restrict use of `NodePort` services
 
 A Kubernetes service of type `NodePort` uses a host port (on every node in the cluster) to receive traffic from any source.
 
@@ -8,14 +8,14 @@ Although NodePort services can be useful, their use should be limited to service
 
 ## Policy YAML
 
-[disallow_node_port.yaml](best_practices/disallow_node_port.yaml)
+[restrict_node_port.yaml](best_practices/restrict_node_port.yaml)
 
 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: limit-node-port
+  name: restrict-node-port
 spec:
   rules:
   - name: validate-node-port
@@ -24,7 +24,7 @@ spec:
         kinds:
         - Service
     validate:
-      message: "Disallow service of type NodePort"
+      message: "Service of type NodePort is not allowed"
       pattern:
         spec:
           type: "!NodePort"
diff --git a/samples/best_practices/disallow_node_port.yaml b/samples/best_practices/restrict_node_port.yaml
similarity index 88%
rename from samples/best_practices/disallow_node_port.yaml
rename to samples/best_practices/restrict_node_port.yaml
index 0435ce6902..33a9382b43 100644
--- a/samples/best_practices/disallow_node_port.yaml
+++ b/samples/best_practices/restrict_node_port.yaml
@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: limit-nodeport
+  name: restrict-nodeport
   annotations:
     policies.kyverno.io/category: Security
     policies.kyverno.io/description: A Kubernetes service of type NodePort uses a
@@ -16,7 +16,7 @@ spec:
         kinds:
         - Service
     validate:
-      message: "Disallow service of type NodePort"
+      message: "Services of type NodePort are not allowed"
       pattern:
         spec:
           type: "!NodePort"
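Review bot: The policy name set in this hunk, `restrict-nodeport`, does not match the name the same commit puts in the sample's documentation (`restrict-node-port` in samples/RestrictNodePort.md), and the two `message` strings differ as well ("Services of type NodePort are not allowed" here versus "Service of type NodePort is not allowed" in the doc); since the test scenario expects `restrict-nodeport`, a user who applies the YAML from the doc page ends up with a policy that name-based lookups and the scenario will not find. Aligning the doc's embedded YAML with this file, e.g. `name: restrict-nodeport` and `message: "Services of type NodePort are not allowed"`, would remove the drift. The `type: "!NodePort"` pattern is unchanged here, but it is worth confirming that a Service which omits `spec.type` (and so defaults to ClusterIP) is accepted rather than rejected for the absent field; Kyverno's `=(type)` conditional anchor is the usual way to express that, if this API version supports it.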
diff --git a/test/scenarios/samples/best_practices/disallow_node_port.yaml b/test/scenarios/samples/best_practices/restrict_node_port.yaml
similarity index 77%
rename from test/scenarios/samples/best_practices/disallow_node_port.yaml
rename to test/scenarios/samples/best_practices/restrict_node_port.yaml
index f2283778a5..3e80c8ac21 100644
--- a/test/scenarios/samples/best_practices/disallow_node_port.yaml
+++ b/test/scenarios/samples/best_practices/restrict_node_port.yaml
@@ -1,10 +1,10 @@
 input:
-  policy: samples/best_practices/disallow_node_port.yaml
+  policy: samples/best_practices/restrict_node_port.yaml
   resource: test/resources/disallow_node_port.yaml
 expected:
   validation:
     policyresponse:
-      policy: limit-nodeport
+      policy: restrict-nodeport
       resource:
         kind: Service
         apiVersion: v1