update other policies

pkg/testrunner/testrunner_test.go

@@ -61,7 +61,7 @@ func Test_add_ns_quota(t *testing.T) {
 }
 
 func Test_validate_disallow_node_port(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/disallow_node_port.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/restrict_node_port.yaml")
 }
 
 func Test_validate_disallow_default_serviceaccount(t *testing.T) {

samples/README.md

@@ -47,19 +47,19 @@ These policies are highly recommended.
 9. [Disallow use of default namespace](DisallowDefaultNamespace.md)
 10. [Disallow latest image tag](DisallowLatestTag.md)
 11. [Disallow Helm Tiller](DisallowHelmTiller.md)
-12. [Restrict image registries](RestrictImageRegistries.md)
+12. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+13. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+14. [Add default network policy](DefaultDenyAllIngress.md)
-15. [Add default network policy](DefaultDenyAllIngress.md)
+15. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
-16. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
+16. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
-17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
 
 ## Additional Policies
 
-The policies provide additional best practices and are worthy of close consideration. These policies may require workload specific changes. 
+The policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments. 
 
-18. [Limit use of `NodePort` services](LimitNodePort.md)
+17. [Restrict image registries](RestrictImageRegistries.md)
-19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
+18. [Restrict `NodePort` services](RestrictNodePort.md)
-20. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
+19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
-21. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
+20. [Restrict Linux Capabilities](RestrictLinuxCapabilities.md)
+21. [Restrict kernel parameter access](ConfigureKernelParmeters.md)
 22. [Restrict ingress classes](KnownIngressClass.md)

samples/RestrictLinuxCapabilities.md

@@ -1,16 +1,21 @@
-# Assign Linux capabilities
+# Restrict Linux capabilities
+
+Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled or disabled by listing them in `securityContext.capabilites`. A best practice is to limit the allowed capabilities to a minimal required set for each pod.
+
+## Additional Information
+
+* [List of linux capabilities](https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h)
 
-Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled or disabled by listing them in `securityContext.capabilites`. 
 
 ## Policy YAML
 
-[policy_validate_container_capabilities.yaml](more/policy_validate_container_capabilities.yaml)
+[restrict_capabilities.yaml](more/restrict_capabilities.yaml)
 
 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-container-capablities
+  name: restrict-capabilities
 spec:
   rules:
   - name: validate-container-capablities
@@ -19,7 +24,7 @@ spec:
         kinds:
         - Pod
     validate:
-      message: "Allow certain linux capability"
+      message: "Allow select linux capabilities"
       pattern:
         spec:
           containers:
@@ -29,6 +34,3 @@ spec:
 
 ````
 
-## Additional Information
-
-* [List of linux capabilities](https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h)

samples/RestrictNodePort.md

@@ -1,4 +1,4 @@
-# Limit `NodePort` services
+# Restrict use of `NodePort` services
 
 A Kubernetes service of type `NodePort` uses a host port (on every node in the cluster) to receive traffic from any source. 
 
@@ -8,14 +8,14 @@ Although NodePort services can be useful, their use should be limited to service
 
 ## Policy YAML
 
-[disallow_node_port.yaml](best_practices/disallow_node_port.yaml)
+[restrict_node_port.yaml](best_practices/restrict_node_port.yaml)
 
 ````yaml
 
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: limit-node-port
+  name: restrict-node-port
 spec:
   rules:
   - name: validate-node-port
@@ -24,7 +24,7 @@ spec:
         kinds:
         - Service
     validate:
-      message: "Disallow service of type NodePort"
+      message: "Service of type NodePort is not allowed"
       pattern: 
         spec:
           type: "!NodePort"

samples/best_practices/restrict_node_port.yaml

@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: limit-nodeport
+  name: restrict-nodeport
   annotations:
     policies.kyverno.io/category: Security
     policies.kyverno.io/description: A Kubernetes service of type NodePort uses a 
@@ -16,7 +16,7 @@ spec:
         kinds:
         - Service
     validate:
-      message: "Disallow service of type NodePort"
+      message: "Services of type NodePort are not allowed"
       pattern: 
         spec:
           type: "!NodePort"

test/scenarios/samples/best_practices/restrict_node_port.yaml

@@ -1,10 +1,10 @@
 input:
-  policy: samples/best_practices/disallow_node_port.yaml
+  policy: samples/best_practices/restrict_node_port.yaml
   resource: test/resources/disallow_node_port.yaml
 expected:
   validation:
     policyresponse:
-      policy: limit-nodeport
+      policy: restrict-nodeport
       resource:
         kind: Service
         apiVersion: v1