update disallow new capabilities

pkg/testrunner/testrunner_test.go

@@ -111,8 +111,9 @@ func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
 func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
 }
+
 func Test_validate_disallow_new_capabilities(t *testing.T) {
-	testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml")
+	testScenario(t, "/test/scenarios/samples/best_practices/disallow_new_capabilities.yaml")
 }
 
 func Test_validate_disallow_docker_sock_mount(t *testing.T) {

samples/DisallowNewCapabilities.md

@@ -14,9 +14,9 @@ default capabilities.
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-new-capabilities
+  name: disallow-new-capabilities
   annotations:
-    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/category: Security
     policies.kyverno.io/description: Linux allows defining fine-grained permissions using
       capabilities. With Kubernetes, it is possible to add capabilities that escalate the
       level of kernel access and allow other potentially dangerous behaviors. This policy 
@@ -24,13 +24,13 @@ metadata:
       default capabilities. 
 spec:
   rules:
-  - name: deny-new-capabilities
+  - name: validate-add-capabilities
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Capabilities cannot be added"
+      message: "New capabilities cannot be added"
       anyPattern:
       - spec:
         =(securityContext):
@@ -42,4 +42,5 @@ spec:
             =(securityContext):
               =(capabilities):
                 X(add): null
+
 ````

samples/best_practices/disallow_new_capabilities.yaml

@@ -1,9 +1,9 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-new-capabilities
+  name: disallow-new-capabilities
   annotations:
-    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/category: Security
     policies.kyverno.io/description: Linux allows defining fine-grained permissions using
       capabilities. With Kubernetes, it is possible to add capabilities that escalate the
       level of kernel access and allow other potentially dangerous behaviors. This policy 
@@ -11,13 +11,13 @@ metadata:
       default capabilities. 
 spec:
   rules:
-  - name: deny-new-capabilities
+  - name: validate-add-capabilities
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Capabilities cannot be added"
+      message: "New capabilities cannot be added"
       anyPattern:
       - spec:
         =(securityContext):
@@ -28,4 +28,4 @@ spec:
           - name: "*"
             =(securityContext):
               =(capabilities):
-                X(add): null
+                X(add): null

test/scenarios/samples/best_practices/disallow_new_capabilities.yaml

@@ -5,14 +5,13 @@ input:
 expected:
   validation:
     policyresponse:
-      policy: validate-new-capabilities
+      policy: disallow-new-capabilities
       resource:
         kind: Pod
         apiVersion: v1
         namespace: ''
         name: "add-new-capabilities"
       rules:
-        - name: deny-new-capabilities
+        - name: validate-add-capabilities
           type: Validation
-          message: "Validation error: Capabilities cannot be added\nValidation rule deny-new-capabilities anyPattern[0] failed at path /spec/.\nValidation rule deny-new-capabilities anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/."
           success: false