From 43e76e12379efc204df1e97d07f8927ff64aeb4d Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Thu, 7 Nov 2019 19:03:09 -0800
Subject: [PATCH] fix policy

---
 samples/best_practices/disallow_hostpid_hostipc.yaml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/samples/best_practices/disallow_hostpid_hostipc.yaml b/samples/best_practices/disallow_hostpid_hostipc.yaml
index 32de31b992..c9075173ae 100644
--- a/samples/best_practices/disallow_hostpid_hostipc.yaml
+++ b/samples/best_practices/disallow_hostpid_hostipc.yaml
@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-hostpid-hostipc
+  name: validate-host-pid-ipc
   annotations:
     policies.kyverno.io/category: Security
     policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process
@@ -9,15 +9,16 @@ metadata:
       the container process to communicate with processes on the host. To avoid pod container from having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
 spec:
+  validationFailureAction: enforce
   rules:
-  - name: validate-hostpid-hostipc
+  - name: validate-host-pid-ipc
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Disallow use of host's pid namespace and host's ipc namespace"
+      message: "Use of host PID and IPC namespaces is not allowed"
       pattern:
         spec:
-          (hostPID): "!true"
-          hostIPC: false
+          =(hostPID): "false"
+          =(hostIPC): "false"
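Review bot: The rule still matches only `kinds: - Pod`, so a Deployment, DaemonSet, StatefulSet or Job whose pod template sets `hostPID: true` is admitted and only the pods it spawns are rejected by the new `enforce` action, which shows up as controller errors instead of a clear admission failure for the author. Unless this Kyverno version auto-generates controller rules from Pod rules (not visible here), a second rule with the same anchors under `spec.template.spec` closes that gap. The switch to `=(hostPID)` / `=(hostIPC)` existence anchors is the right call, since Kubernetes defaults both fields to false when unset; a one-line comment above the pattern, `# =() anchor: check only when the field is set; an unset field defaults to false`, would spare the next reader a trip to the docs. Note that `hostNetwork` remains outside this policy, presumably by design given its name.
```yaml
  rules:
  # … unchanged: validate-host-pid-ipc rule matching Pod …
  - name: validate-host-pid-ipc-controllers
    match:
      resources:
        kinds:
        - Deployment
        - DaemonSet
        - StatefulSet
        - Job
    validate:
      message: "Use of host PID and IPC namespaces is not allowed"
      pattern:
        spec:
          template:
            spec:
              =(hostPID): "false"
              =(hostIPC): "false"
```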