improve validation error message; update scenario files

pkg/engine/validation.go

@@ -87,13 +87,14 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re
 			// rule application failed
 			glog.V(4).Infof("Validation rule '%s' failed at '%s' for resource %s/%s/%s. %s: %v", rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message, err)
 			response.Success = false
-			response.Message = fmt.Sprintf("Validation rule '%s' failed at '%s' for resource %s/%s/%s. %s.", rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message)
+			response.Message = fmt.Sprintf("Validation error: %s\nValidation rule '%s' failed at path '%s' for %s/%s/%s.",
+				rule.Validation.Message, rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			return response
 		}
 		// rule application succesful
 		glog.V(4).Infof("rule %s pattern validated succesfully on resource %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 		response.Success = true
-		response.Message = fmt.Sprintf("Validation rule '%s' succesfully validated", rule.Name)
+		response.Message = fmt.Sprintf("Validation rule '%s' succeeded for %s/%s/%s.", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 		return response
 	}
 
@@ -107,11 +108,12 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re
 				// this pattern was succesfully validated
 				glog.V(4).Infof("anyPattern %v succesfully validated on resource %s/%s/%s", pattern, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 				response.Success = true
-				response.Message = fmt.Sprintf("Validation rule '%s' anyPattern[%d] succesfully validated", rule.Name, index)
+				response.Message = fmt.Sprintf("Validation rule '%s' anyPattern[%d] succeeded for %s/%s/%s.", rule.Name, index, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 				return response
 			}
 			if err != nil {
-				glog.V(4).Infof("anyPattern %v, failed to validate on resource %s/%s/%s at path %s: %v", pattern, resource.GetKind(), resource.GetNamespace(), resource.GetName(), path, err)
+				glog.V(4).Infof("Validation error: %s\nValidation rule %s anyPattern[%d] failed at path %s for %s/%s/%s",
+					rule.Validation.Message, rule.Name, index, path, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 				errs = append(errs, err)
 				failedPaths = append(failedPaths, path)
 			}
@@ -122,13 +124,14 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re
 			response.Success = false
 			response.Success = false
 			var errorStr []string
-			errorStr = append(errorStr, fmt.Sprintf("Validation rule '%s' failed to validate patterns defined in anyPattern. %s.", rule.Name, rule.Validation.Message))
 			for index, err := range errs {
 				glog.V(4).Infof("anyPattern[%d] failed at path %s: %v", index, failedPaths[index], err)
-				str := fmt.Sprintf("anyPattern[%d] failed at path %s", index, failedPaths[index])
+				str := fmt.Sprintf("Validation rule %s anyPattern[%d] failed at path %s for %s/%s/%s.",
+					rule.Name, index, failedPaths[index], resource.GetKind(), resource.GetNamespace(), resource.GetName())
 				errorStr = append(errorStr, str)
 			}
-			response.Message = strings.Join(errorStr, "; ")
+			response.Message = fmt.Sprintf("Validation error: %s\n%s", rule.Validation.Message, strings.Join(errorStr, "\n"))
+
 			return response
 		}
 	}

test/scenarios/other/scenario_mutate_validate_qos.yaml

@@ -28,5 +28,5 @@ expected:
       rules:
         - name: check-cpu-memory-limits
           type: Validation
-          message: Validation rule 'check-cpu-memory-limits' succesfully validated
+          message: Validation rule 'check-cpu-memory-limits' succeeded for Deployment//qos-demo.
           success: true     

test/scenarios/other/scenario_validate_default_proc_mount.yaml

@@ -15,5 +15,5 @@ expected:
       rules:
         - name: validate-default-proc-mount
           type: Validation
-          message: "Validation rule 'validate-default-proc-mount' succesfully validated"
+          message: "Validation rule 'validate-default-proc-mount' succeeded for Pod//nginx-proc-mount."
           success: true

test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: prevent-mounting-default-serviceaccount
           type: Validation
-          message: Validation rule 'prevent-mounting-default-serviceaccount' failed at '/spec/serviceAccountName/' for resource Pod//pod-with-default-sa. Prevent mounting of default service account.
+          message: "Validation error: Prevent mounting of default service account\nValidation rule 'prevent-mounting-default-serviceaccount' failed at path '/spec/serviceAccountName/' for Pod//pod-with-default-sa."
           success: false

test/scenarios/other/scenario_validate_healthChecks.yaml

@@ -14,9 +14,9 @@ expected:
       rules:
         - name: check-readinessProbe-exists
           type: Validation
-          message: Validation rule 'check-readinessProbe-exists' succesfully validated
+          message: Validation rule 'check-readinessProbe-exists' succeeded for Pod//probe.
           success: true     
         - name: check-livenessProbe-exists
           type: Validation
-          message: Validation rule 'check-livenessProbe-exists' succesfully validated
+          message: Validation rule 'check-livenessProbe-exists' succeeded for Pod//probe.
           success: true     

test/scenarios/other/scenario_validate_selinux_context.yaml

@@ -15,5 +15,5 @@ expected:
       rules:
         - name: validate-selinux-options
           type: Validation
-          message: "Validation rule 'validate-selinux-options' failed at '/spec/containers/0/securityContext/seLinuxOptions/' for resource Pod/default/busybox-selinux. SELinux level is required."
+          message: "Validation error: SELinux level is required\nValidation rule 'validate-selinux-options' failed at path '/spec/containers/0/securityContext/seLinuxOptions/' for Pod/default/busybox-selinux."
           success: false

test/scenarios/other/scenario_validate_volume_whiltelist.yaml

@@ -15,5 +15,5 @@ expected:
       rules:
         - name: validate-volumes-whitelist
           type: Validation
-          message: "Validation rule 'validate-volumes-whitelist' anyPattern[2] succesfully validated"
+          message: "Validation rule 'validate-volumes-whitelist' anyPattern[2] succeeded for Pod//test-volumes."
           success: true

test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml

@@ -14,9 +14,9 @@ expected:
       rules:
         - name: image-tag-notspecified
           type: Validation
-          message: "Validation rule 'image-tag-notspecified' succesfully validated"
+          message: "Validation rule 'image-tag-notspecified' succeeded for Pod//myapp-pod."
           success: true
         - name: image-tag-not-latest
           type: Validation
-          message: "Validation rule 'image-tag-not-latest' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. Using 'latest' image tag is restricted. Set image tag to a specific version."
+          message: "Validation error: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/' for Pod//myapp-pod."
           success: false   

test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml

@@ -14,9 +14,9 @@ expected:
       rules:
         - name: image-tag-notspecified
           type: Validation
-          message: "Validation rule 'image-tag-notspecified' succesfully validated"
+          message: "Validation rule 'image-tag-notspecified' succeeded for Pod//myapp-pod."
           success: true    
         - name: image-tag-not-latest
           type: Validation
-          message: "Validation rule 'image-tag-not-latest' succesfully validated"
+          message: "Validation rule 'image-tag-not-latest' succeeded for Pod//myapp-pod."
           success: true  

test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml

@@ -14,6 +14,6 @@ expected:
       rules:
         - name: deny-runasrootuser
           type: Validation
-          message: "Validation rule 'deny-runasrootuser' anyPattern[1] succesfully validated"
+          message: "Validation rule 'deny-runasrootuser' anyPattern[1] succeeded for Pod//check-root-user."
           success: true
 

test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: disallow-automoutingapicred
           type: Validation
-          message: Validation rule 'disallow-automoutingapicred' succesfully validated
+          message: Validation rule 'disallow-automoutingapicred' succeeded for Pod//myapp-pod.
           success: true 

test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml

@@ -16,10 +16,10 @@ expected:
       rules:
         - name: check-default-namespace
           type: Validation
-          message: "Validation rule 'check-default-namespace' failed at '/metadata/namespace/' for resource Pod/default/myapp-pod. Using 'default' namespace is restricted."
+          message: "Validation error: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/' for Pod/default/myapp-pod."
           success: false
         - name: check-namespace-exist
           type: Validation
-          message: "Validation rule 'check-namespace-exist' succesfully validated"
+          message: "Validation rule 'check-namespace-exist' succeeded for Pod/default/myapp-pod."
           success: true
 

test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-docker-sock-mount
           type: Validation
-          message: Validation rule 'validate-docker-sock-mount' failed at '/spec/volumes/' for resource Pod//pod-with-docker-sock-mount. Use of the Docker Unix socket is not allowed.
+          message: "Validation error: Use of the Docker Unix socket is not allowed\nValidation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/' for Pod//pod-with-docker-sock-mount."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: deny-use-of-host-fs
           type: Validation
-          message: Validation rule 'deny-use-of-host-fs' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed.
+          message: "Validation error: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/' for Pod//image-with-hostpath."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: deny-use-of-host-fs
           type: Validation
-          message: Validation rule 'deny-use-of-host-fs' succesfully validated
+          message: Validation rule 'deny-use-of-host-fs' succeeded for Pod//image-with-hostpath.
           success: true

test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-host-network-hostport
           type: Validation
-          message: "Validation rule 'validate-host-network-hostport' failed at '/spec/containers/0/ports/0/hostPort/' for resource Pod//nginx-host-network. Defining hostNetwork and hostPort are not allowed."
+          message: "Validation error: Defining hostNetwork and hostPort are not allowed\nValidation rule 'validate-host-network-hostport' failed at path '/spec/containers/0/ports/0/hostPort/' for Pod//nginx-host-network."
           success: false   

test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-hostpid-hostipc
           type: Validation
-          message: Validation rule 'validate-hostpid-hostipc' failed at '/spec/hostIPC/' for resource Pod//nginx-with-hostpid. Disallow use of host's pid namespace and host's ipc namespace.
+          message: "Validation error: Disallow use of host's pid namespace and host's ipc namespace\nValidation rule 'validate-hostpid-hostipc' failed at path '/spec/hostIPC/' for Pod//nginx-with-hostpid."
           success: false   

test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: deny-new-capabilities
           type: Validation
-          message: Validation rule 'deny-new-capabilities' failed to validate patterns defined in anyPattern. Capabilities cannot be added.; anyPattern[0] failed at path /spec/; anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/
+          message: "Validation error: Capabilities cannot be added\nValidation rule deny-new-capabilities anyPattern[0] failed at path /spec/ for Pod//add-new-capabilities.\nValidation rule deny-new-capabilities anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/ for Pod//add-new-capabilities."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml

@@ -13,5 +13,5 @@ expected:
       rules:
         - name: disallow-node-port
           type: Validation
-          message: Validation rule 'disallow-node-port' failed at '/spec/type/' for resource Service//my-service. Disallow service of type NodePort.
+          message: "Validation error: Disallow service of type NodePort\nValidation rule 'disallow-node-port' failed at path '/spec/type/' for Service//my-service."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml

@@ -14,6 +14,6 @@ expected:
       rules:
         - name: deny-privileged-priviligedescalation
           type: Validation
-          message: "Validation rule 'deny-privileged-priviligedescalation' failed to validate patterns defined in anyPattern. Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false.; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/"
+          message: "Validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false\nValidation rule deny-privileged-priviligedescalation anyPattern[0] failed at path /spec/securityContext/ for Pod//check-privileged-cfg.\nValidation rule deny-privileged-priviligedescalation anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/ for Pod//check-privileged-cfg."
           success: false
 

test/scenarios/samples/best_practices/scenario_validate_probes.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: check-probes
           type: Validation
-          message: Validation rule 'check-probes' failed at '/spec/containers/0/livenessProbe/' for resource Pod//myapp-pod. Liveness and readiness probes are required.
+          message: "Validation error: Liveness and readiness probes are required\nValidation rule 'check-probes' failed at path '/spec/containers/0/livenessProbe/' for Pod//myapp-pod."
           success: false 

test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: check-resource-request-limit
           type: Validation
-          message: Validation rule 'check-resource-request-limit' failed at '/spec/containers/0/resources/limits/cpu/' for resource Pod//myapp-pod. CPU and memory resource requests and limits are required.
+          message: "Validation error: CPU and memory resource requests and limits are required\nValidation rule 'check-resource-request-limit' failed at path '/spec/containers/0/resources/limits/cpu/' for Pod//myapp-pod."
           success: false 

test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-readonly-rootfilesystem
           type: Validation
-          message: Validation rule 'validate-readonly-rootfilesystem' failed at '/spec/containers/0/securityContext/readOnlyRootFilesystem/' for resource Pod//ghost-with-readonly-rootfilesystem. Container require read-only rootfilesystem.
+          message: "Validation error: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/' for Pod//ghost-with-readonly-rootfilesystem."
           success: false   

test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: trusted-registries
           type: Validation
-          message: Validation rule 'trusted-registries' succesfully validated
+          message: Validation rule 'trusted-registries' succeeded for Pod//k8s-nginx.
           success: true

test/scenarios/samples/more/scenario_validate_container_capabilities.yaml

@@ -15,5 +15,5 @@ expected:
       rules:
         - name: validate-container-capablities
           type: Validation
-          message: "Validation rule 'validate-container-capablities' failed at '/spec/containers/0/securityContext/capabilities/add/0/' for resource Pod//add-capabilities. Allow certain linux capability."
+          message: "Validation error: Allow certain linux capability\nValidation rule 'validate-container-capablities' failed at path '/spec/containers/0/securityContext/capabilities/add/0/' for Pod//add-capabilities."
           success: false

test/scenarios/samples/more/scenario_validate_fsgroup.yaml

@@ -15,13 +15,13 @@ expected:
       rules:
         - name: validate-userid
           type: Validation
-          message: Validation rule 'validate-userid' succesfully validated
+          message: Validation rule 'validate-userid' succeeded for Pod//fsgroup-demo.
           success: true
         - name: validate-groupid
           type: Validation
-          message: Validation rule 'validate-groupid' succesfully validated
+          message: Validation rule 'validate-groupid' succeeded for Pod//fsgroup-demo.
           success: true
         - name: validate-fsgroup
           type: Validation
-          message: Validation rule 'validate-fsgroup' succesfully validated
+          message: Validation rule 'validate-fsgroup' succeeded for Pod//fsgroup-demo.
           success: true

test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml

@@ -15,5 +15,5 @@ expected:
       rules:
         - name: allow-portrange-with-sysctl
           type: Validation
-          message: "Validation rule 'allow-portrange-with-sysctl' failed at '/spec/securityContext/sysctls/0/value/' for resource Pod//nginx. Allowed port range is from 1024 to 65535."
+          message: "Validation error: Allowed port range is from 1024 to 65535\nValidation rule 'allow-portrange-with-sysctl' failed at path '/spec/securityContext/sysctls/0/value/' for Pod//nginx."
           success: false