Merge pull request #584 from nirmata/371_omitempty

add anchors for omitempty tag

samples/DisallowBindMounts.md

@@ -22,6 +22,6 @@ spec:
       message: "Host path volumes are not allowed"
       pattern: 
         spec: 
-          volumes: 
+          =(volumes): 
           - X(hostPath): null
 ````

samples/DisallowPrivilegedContainers.md

@@ -22,15 +22,13 @@ spec:
         - Pod
     validate:
       message: "Privileged mode is not allowed. Set privileged to false"
-      anyPattern:
-      - spec:
-          securityContext:
-            privileged: false
-      - spec:
+      pattern:
+        spec:
           containers:
-          - name: "*"
-            securityContext:
-              privileged: false
+          - =(securityContext):
+              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5707-L5711
+              # k8s default to false
+              =(privileged): false
   - name: validate-allowPrivilegeEscalation
     match:
       resources:
@@ -38,13 +36,10 @@ spec:
         - Pod
     validate:
       message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
-      anyPattern:
-      - spec:
-          securityContext:
-            allowPrivilegeEscalation: false
-      - spec:
+      pattern:
+        spec:
           containers:
-          - name: "*"
-            securityContext:
+          - securityContext:
+              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5754
               allowPrivilegeEscalation: false
 ````

samples/DisallowRootUser.md

@@ -30,7 +30,6 @@ spec:
             runAsNonRoot: true
       - spec:
           containers:
-          - name: "*"
-            securityContext:
+          - securityContext:
               runAsNonRoot: true
 ````

samples/best_practices/disallow_privileged.yaml

@@ -18,15 +18,13 @@ spec:
         - Pod
     validate:
       message: "Privileged mode is not allowed. Set privileged to false"
-      anyPattern:
-      - spec:
-          securityContext:
-            privileged: false
-      - spec:
+      pattern:
+        spec:
           containers:
-          - name: "*"
-            securityContext:
-              privileged: false
+          - =(securityContext):
+              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5707-L5711
+              # k8s default to false
+              =(privileged): false
   - name: validate-allowPrivilegeEscalation
     match:
       resources:
@@ -34,13 +32,10 @@ spec:
         - Pod
     validate:
       message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
-      anyPattern:
-      - spec:
-          securityContext:
-            allowPrivilegeEscalation: false
-      - spec:
+      pattern:
+        spec:
           containers:
-          - name: "*"
-            securityContext:
+          - securityContext:
+              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5754
               allowPrivilegeEscalation: false
 

samples/best_practices/disallow_root_user.yaml

@@ -20,9 +20,10 @@ spec:
       anyPattern:
       - spec:
           securityContext:
+            # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L3165
             runAsNonRoot: true
       - spec:
           containers:
-          - name: "*"
-            securityContext:
+          - securityContext:
+              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5742
               runAsNonRoot: true