update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc

pkg/testrunner/testrunner_test.go

@@ -41,15 +41,15 @@ func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {
 }
 
 func Test_validate_disallow_default_namespace(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_default_namespace.yaml")
 }
 
 func Test_validate_host_network_port(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/disallow_host_network_port.yaml")
 }
 
-func Test_validate_hostPID_hostIPC(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml")
+func Test_validate_host_PID_IPC(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml")
 }
 
 func Test_validate_ro_rootfs(t *testing.T) {

samples/DisallowDefaultNamespace.md

@@ -1,6 +1,6 @@
 # Disallow use of default namespace
 
-Kubernetes namespaces provide a way to segment and isolate cluster resources across multiple applictaions and users. It is recommended that each workload be isolated in its own namespace and that use of the default namespace be not allowed.
+Kubernetes namespaces are an optional feature that provide a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with namespaces. Namespaces should be required and the default (empty) namespace should not be used.
 
 ## Policy YAML 
 
@@ -10,20 +10,20 @@ Kubernetes namespaces provide a way to segment and isolate cluster resources acr
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-namespace
+  name: disallow-default-namespace
 spec:
   rules:
-  - name: check-default-namespace
+  - name: validate-namespace
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Using 'default' namespace is restricted"
+      message: "Using 'default' namespace is not allowed"
       pattern:
         metadata:
           namespace: "!default"
-  - name: check-namespace-exist
+  - name: require-namespace
     match:
       resources:
         kinds:

samples/DisallowHostPIDIPC.md

@@ -6,13 +6,13 @@ To avoid pod container from having visibility to host process space, validate th
 
 ## Policy YAML 
 
-[disallow_hostpid_hostipc.yaml](best_practices/disallow_hostpid_hostipc.yaml)
+[disallow_host_pid_ipc.yaml](best_practices/disallow_host_pid_ipc.yaml)
 
 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-host-pid-ipc
+  name: disallow-host-pid-ipc
   annotations:
     policies.kyverno.io/category: Security
     policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process 
@@ -20,9 +20,9 @@ metadata:
       the container process to communicate with processes on the host. To avoid pod container from 
       having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: audit
   rules:
-  - name: validate-host-pid-ipc
+  - name: validate-hostPID-hostIPC
     match:
       resources:
         kinds:

samples/README.md

@@ -44,14 +44,14 @@ These policies are highly recommended.
 6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
 7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
 8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
-9. [Disallow unknown image registries](DisallowUnknownRegistries.md)
+9. [Disallow use of default namespace](DisallowDefaultNamespace.md)
 10. [Disallow latest image tag](DisallowLatestTag.md)
-11. [Disallow use of default namespace](DisallowDefaultNamespace.md)
-12. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
-13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
-16. [Disallow Helm Tiller](DisallowHelmTiller.md)
+11. [Disallow Helm Tiller](DisallowHelmTiller.md)
+12. [Restrict image registries](DisallowUnknownRegistries.md)
+13. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
+14. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+15. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+16. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
 17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
 
 ## Additional Policies
@@ -62,4 +62,4 @@ The policies provide additional best practices and are worthy of close considera
 19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
 20. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
 21. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
-22. [Restrict ingress class](KnownIngressClass.md)
+22. [Restrict ingress classes](KnownIngressClass.md)

samples/best_practices/disallow_default_namespace.yaml

@@ -1,24 +1,26 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-namespace
-  annotations:
-    policies.kyverno.io/category: Workload Isolation
-    policies.kyverno.io/description: With many users spread across multiple teams, restricting 
-      use of the default namespace and subdividing the cluster by namesoace isolates workloads.
+  name: disallow-default-namespace
+  policies.kyverno.io/category: Isolation
+  policies.kyverno.io/description: Kubernetes namespaces are an optional feature 
+    that provide a way to segment and isolate cluster resources across multiple 
+    applications and users. As a best practice, workloads should be isolated with 
+    namespaces. Namespaces should be required and the default (empty) namespace 
+    should not be used.
 spec:
   rules:
-  - name: check-default-namespace
+  - name: validate-namespace
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Using 'default' namespace is restricted"
+      message: "Using 'default' namespace is not allowed"
       pattern:
         metadata:
           namespace: "!default"
-  - name: check-namespace-exist
+  - name: require-namespace
     match:
       resources:
         kinds:
@@ -28,3 +30,4 @@ spec:
       pattern:
         metadata:
           namespace: "?*"
+

samples/best_practices/disallow_host_network_port.yaml

@@ -1,11 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-host-network-hostport
-  annotations:
-    policies.kyverno.io/category: Security
-    policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share 
-      the host network stack, allowing potential snooping of network traffic from an application pod.
+  name: disallow-host-network-port
 spec:
   rules:
   - name: validate-host-network-port
@@ -14,11 +10,11 @@ spec:
         kinds:
         - Pod
     validate:
-      message: "Defining hostNetwork and hostPort are not allowed"
+      message: "Using host networking is not allowed"
       pattern:
         spec:
           (hostNetwork): false
           containers:
           - name: "*"
             ports:
-            - hostPort: null
+            - hostPort: null

samples/best_practices/disallow_host_pid_ipc.yaml

@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-host-pid-ipc
+  name: disallow-host-pid-ipc
   annotations:
     policies.kyverno.io/category: Security
     policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process 
@@ -11,7 +11,7 @@ metadata:
 spec:
   validationFailureAction: audit
   rules:
-  - name: validate-host-pid-ipc
+  - name: validate-hostPID-hostIPC
     match:
       resources:
         kinds:

test/scenarios/samples/best_practices/disallow_default_namespace.yaml

@@ -5,7 +5,7 @@ input:
 expected:
   validation:
     policyresponse:
-      policy: validate-namespace
+      policy: disallow-default-namespace
       resource:
         kind: Pod
         apiVersion: v1
@@ -14,12 +14,10 @@ expected:
         namespace: 'default'
         name: myapp-pod
       rules:
-        - name: check-default-namespace
+        - name: validate-namespace
           type: Validation
-          message: "Validation error: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/'."
           success: false
-        - name: check-namespace-exist
+        - name: require-namespace
           type: Validation
-          message: "Validation rule 'check-namespace-exist' succeeded."
           success: true
 

test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml

@@ -1,17 +1,17 @@
 # file path relative to project root
 input:  
-  policy: samples/best_practices/disallow_hostpid_hostipc.yaml
+  policy: samples/best_practices/disallow_host_pid_ipc.yaml
   resource: test/resources/disallow_hostpid_hostipc.yaml
 expected:
   validation:
     policyresponse:
-      policy: validate-host-pid-ipc
+      policy: disallow-host-pid-ipc
       resource:
         kind: Pod
         apiVersion: v1
         namespace: ''
         name: "nginx-with-hostpid"
       rules:
-        - name: validate-host-pid-ipc
+        - name: validate-hostPID-hostIPC
           type: Validation
-          success: false   
+          success: false