From 4e0177c2a65e643078a9a6bfe5f15db133a97278 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Mon, 4 Nov 2019 17:54:06 -0800
Subject: [PATCH] improve validation error message; update scenario files
---
 pkg/engine/validation.go | 17 ++++++++++-------
 .../other/scenario_mutate_validate_qos.yaml | 2 +-
 .../scenario_validate_default_proc_mount.yaml | 2 +-
 ...alidate_disallow_default_serviceaccount.yaml | 2 +-
 .../other/scenario_validate_healthChecks.yaml | 4 ++--
 .../scenario_validate_selinux_context.yaml | 2 +-
 .../scenario_validate_volume_whiltelist.yaml | 2 +-
 ...adate_require_image_tag_not_latest_deny.yaml | 4 ++--
 ...adate_require_image_tag_not_latest_pass.yaml | 4 ++--
 .../scenario_validate_deny_runasrootuser.yaml | 2 +-
 ...o_validate_disallow_automountingapicred.yaml | 2 +-
 ...rio_validate_disallow_default_namespace.yaml | 4 ++--
 ...rio_validate_disallow_docker_sock_mount.yaml | 2 +-
 ...nario_validate_disallow_host_filesystem.yaml | 2 +-
 ..._validate_disallow_host_filesystem_pass.yaml | 2 +-
 ...validate_disallow_host_network_hostport.yaml | 2 +-
 ...nario_validate_disallow_hostpid_hostipc.yaml | 2 +-
 ...ario_validate_disallow_new_capabilities.yaml | 2 +-
 .../scenario_validate_disallow_node_port.yaml | 2 +-
 ...isallow_priviledged_privelegesecalation.yaml | 2 +-
 .../scenario_validate_probes.yaml | 2 +-
 ...io_validate_require_pod_requests_limits.yaml | 2 +-
 ...alidate_require_readonly_rootfilesystem.yaml | 2 +-
 ...nario_validate_trusted_image_registries.yaml | 2 +-
 ...cenario_validate_container_capabilities.yaml | 2 +-
 .../samples/more/scenario_validate_fsgroup.yaml | 6 +++---
 .../more/scenario_validate_sysctl_configs.yaml | 2 +-
 27 files changed, 42 insertions(+), 39 deletions(-)
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 44c14f6ba6..0598c21ee7 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -87,13 +87,14 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re // rule application failed glog.V(4).Infof("Validation rule '%s' failed at '%s' for resource %s/%s/%s. %s: %v", rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message, err) response.Success = false - response.Message = fmt.Sprintf("Validation rule '%s' failed at '%s' for resource %s/%s/%s. %s.", rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message) + response.Message = fmt.Sprintf("Validation error: %s\nValidation rule '%s' failed at path '%s' for %s/%s/%s.", + rule.Validation.Message, rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName()) return response } // rule application succesful glog.V(4).Infof("rule %s pattern validated succesfully on resource %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName()) response.Success = true - response.Message = fmt.Sprintf("Validation rule '%s' succesfully validated", rule.Name) + response.Message = fmt.Sprintf("Validation rule '%s' succeeded for %s/%s/%s.", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName()) return response } 
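Review bot: The new failure text puts `rule.Validation.Message` first without checking that it is set, so a rule that defines no message would produce a response opening with a bare `Validation error: ` line; the anyPattern summary in the third hunk has the same shape. A guard such as `if rule.Validation.Message == "" { response.Message = fmt.Sprintf("Validation rule '%s' failed at path '%s' for %s/%s/%s.", rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName()) }` would keep the denial readable. This string is presumably what a requester sees when a resource is rejected, and the updated scenario files show an empty namespace rendering as `Pod//name`; emitting the namespace segment only when `resource.GetNamespace()` is non-empty would make the rejected object unambiguous. validatePatterns starts and ends outside this hunk.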
@@ -107,11 +108,12 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re // this pattern was succesfully validated glog.V(4).Infof("anyPattern %v succesfully validated on resource %s/%s/%s", pattern, resource.GetKind(), resource.GetNamespace(), resource.GetName()) response.Success = true - response.Message = fmt.Sprintf("Validation rule '%s' anyPattern[%d] succesfully validated", rule.Name, index) + response.Message = fmt.Sprintf("Validation rule '%s' anyPattern[%d] succeeded for %s/%s/%s.", rule.Name, index, resource.GetKind(), resource.GetNamespace(), resource.GetName()) return response } if err != nil { - glog.V(4).Infof("anyPattern %v, failed to validate on resource %s/%s/%s at path %s: %v", pattern, resource.GetKind(), resource.GetNamespace(), resource.GetName(), path, err) + glog.V(4).Infof("Validation error: %s\nValidation rule %s anyPattern[%d] failed at path %s for %s/%s/%s", + rule.Validation.Message, rule.Name, index, path, resource.GetKind(), resource.GetNamespace(), resource.GetName()) errs = append(errs, err) failedPaths = append(failedPaths, path) } 
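Review bot: The rewritten `glog.V(4).Infof` in the `err != nil` branch no longer logs `err` or `pattern` and now embeds `\n`, so one failure becomes a two-line log entry with policy-author text (`rule.Validation.Message`) on its first line. Multi-line entries are awkward for line-oriented log collection, and a message that itself contains newlines could be read as separate entries. I would keep the entry on one line and retain the error, e.g. `glog.V(4).Infof("Validation rule %s anyPattern[%d] failed at path %s for %s/%s/%s: %v", rule.Name, index, path, resource.GetKind(), resource.GetNamespace(), resource.GetName(), err)`. The loop this branch sits in begins outside the hunk.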
@@ -122,13 +124,14 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re response.Success = false response.Success = false var errorStr []string - errorStr = append(errorStr, fmt.Sprintf("Validation rule '%s' failed to validate patterns defined in anyPattern. %s.", rule.Name, rule.Validation.Message)) for index, err := range errs { glog.V(4).Infof("anyPattern[%d] failed at path %s: %v", index, failedPaths[index], err) - str := fmt.Sprintf("anyPattern[%d] failed at path %s", index, failedPaths[index]) + str := fmt.Sprintf("Validation rule %s anyPattern[%d] failed at path %s for %s/%s/%s.", + rule.Name, index, failedPaths[index], resource.GetKind(), resource.GetNamespace(), resource.GetName()) errorStr = append(errorStr, str) } - response.Message = strings.Join(errorStr, "; ") + response.Message = fmt.Sprintf("Validation error: %s\n%s", rule.Validation.Message, strings.Join(errorStr, "\n")) + return response } } diff --git a/test/scenarios/other/scenario_mutate_validate_qos.yaml b/test/scenarios/other/scenario_mutate_validate_qos.yaml index 5fce2dfbd8..f50aa7ef6c 100644 --- a/test/scenarios/other/scenario_mutate_validate_qos.yaml +++ b/test/scenarios/other/scenario_mutate_validate_qos.yaml @@ -28,5 +28,5 @@ expected: rules: - name: check-cpu-memory-limits type: Validation - message: Validation rule 'check-cpu-memory-limits' succesfully validated + message: Validation rule 'check-cpu-memory-limits' succeeded for Deployment//qos-demo. success: true \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_default_proc_mount.yaml b/test/scenarios/other/scenario_validate_default_proc_mount.yaml index d618de9c91..043e00b577 100644 --- a/test/scenarios/other/scenario_validate_default_proc_mount.yaml +++ b/test/scenarios/other/scenario_validate_default_proc_mount.yaml 
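Review bot: The per-pattern line built in `str` leaves the rule name and path unquoted (`Validation rule %s anyPattern[%d] failed at path %s`), while the single-pattern message in the first hunk quotes both with `'%s'`, so the two failure formats differ for anything that matches on them. Using `'%s'` here as well, or building both strings from one small helper, would keep them aligned. Separately, `index` in this loop is the position in `errs`; it equals the anyPattern index only if every pattern appended an error, which looks true from the second hunk but cannot be confirmed because the loop head is outside the view. A short comment above the loop, `// errs[i] corresponds to anyPattern[i]: every pattern failed if we reach here`, would record that assumption.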
@@ -15,5 +15,5 @@ expected: rules: - name: validate-default-proc-mount type: Validation - message: "Validation rule 'validate-default-proc-mount' succesfully validated" + message: "Validation rule 'validate-default-proc-mount' succeeded for Pod//nginx-proc-mount." success: true \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml index c284481738..8c9d66c011 100644 --- a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml +++ b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml @@ -14,5 +14,5 @@ expected: rules: - name: prevent-mounting-default-serviceaccount type: Validation - message: Validation rule 'prevent-mounting-default-serviceaccount' failed at '/spec/serviceAccountName/' for resource Pod//pod-with-default-sa. Prevent mounting of default service account. + message: "Validation error: Prevent mounting of default service account\nValidation rule 'prevent-mounting-default-serviceaccount' failed at path '/spec/serviceAccountName/' for Pod//pod-with-default-sa." success: false \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_healthChecks.yaml b/test/scenarios/other/scenario_validate_healthChecks.yaml index 3e433dc80c..878280756a 100644 --- a/test/scenarios/other/scenario_validate_healthChecks.yaml +++ b/test/scenarios/other/scenario_validate_healthChecks.yaml @@ -14,9 +14,9 @@ expected: rules: - name: check-readinessProbe-exists type: Validation - message: Validation rule 'check-readinessProbe-exists' succesfully validated + message: Validation rule 'check-readinessProbe-exists' succeeded for Pod//probe. success: true - name: check-livenessProbe-exists type: Validation - message: Validation rule 'check-livenessProbe-exists' succesfully validated + message: Validation rule 'check-livenessProbe-exists' succeeded for Pod//probe. success: true 
diff --git a/test/scenarios/other/scenario_validate_selinux_context.yaml b/test/scenarios/other/scenario_validate_selinux_context.yaml index 65fcbc6e7b..4f4becd429 100644 --- a/test/scenarios/other/scenario_validate_selinux_context.yaml +++ b/test/scenarios/other/scenario_validate_selinux_context.yaml @@ -15,5 +15,5 @@ expected: rules: - name: validate-selinux-options type: Validation - message: "Validation rule 'validate-selinux-options' failed at '/spec/containers/0/securityContext/seLinuxOptions/' for resource Pod/default/busybox-selinux. SELinux level is required." + message: "Validation error: SELinux level is required\nValidation rule 'validate-selinux-options' failed at path '/spec/containers/0/securityContext/seLinuxOptions/' for Pod/default/busybox-selinux." success: false \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_volume_whiltelist.yaml b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml index b10b7e72ce..4c5af3de74 100644 --- a/test/scenarios/other/scenario_validate_volume_whiltelist.yaml +++ b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml @@ -15,5 +15,5 @@ expected: rules: - name: validate-volumes-whitelist type: Validation - message: "Validation rule 'validate-volumes-whitelist' anyPattern[2] succesfully validated" + message: "Validation rule 'validate-volumes-whitelist' anyPattern[2] succeeded for Pod//test-volumes." success: true \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml index 39815c1fdf..ce4c081002 100644 --- a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml +++ b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml 
@@ -14,9 +14,9 @@ expected: rules: - name: image-tag-notspecified type: Validation - message: "Validation rule 'image-tag-notspecified' succesfully validated" + message: "Validation rule 'image-tag-notspecified' succeeded for Pod//myapp-pod." success: true - name: image-tag-not-latest type: Validation - message: "Validation rule 'image-tag-not-latest' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. Using 'latest' image tag is restricted. Set image tag to a specific version." + message: "Validation error: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/' for Pod//myapp-pod." success: false diff --git a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml index 69175f9db0..b48e4135c1 100644 --- a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml +++ b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml @@ -14,9 +14,9 @@ expected: rules: - name: image-tag-notspecified type: Validation - message: "Validation rule 'image-tag-notspecified' succesfully validated" + message: "Validation rule 'image-tag-notspecified' succeeded for Pod//myapp-pod." success: true - name: image-tag-not-latest type: Validation - message: "Validation rule 'image-tag-not-latest' succesfully validated" + message: "Validation rule 'image-tag-not-latest' succeeded for Pod//myapp-pod." success: true diff --git a/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml b/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml index 5d8fc2c996..c1f2c2f3e0 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml 
+++ b/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml @@ -14,6 +14,6 @@ expected: rules: - name: deny-runasrootuser type: Validation - message: "Validation rule 'deny-runasrootuser' anyPattern[1] succesfully validated" + message: "Validation rule 'deny-runasrootuser' anyPattern[1] succeeded for Pod//check-root-user." success: true diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml index 6fed418a3c..0d280c0768 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml @@ -14,5 +14,5 @@ expected: rules: - name: disallow-automoutingapicred type: Validation - message: Validation rule 'disallow-automoutingapicred' succesfully validated + message: Validation rule 'disallow-automoutingapicred' succeeded for Pod//myapp-pod. success: true \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml index 8cbf88334b..c29b65df39 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml 
@@ -16,10 +16,10 @@ expected: rules: - name: check-default-namespace type: Validation - message: "Validation rule 'check-default-namespace' failed at '/metadata/namespace/' for resource Pod/default/myapp-pod. Using 'default' namespace is restricted." + message: "Validation error: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/' for Pod/default/myapp-pod." success: false - name: check-namespace-exist type: Validation - message: "Validation rule 'check-namespace-exist' succesfully validated" + message: "Validation rule 'check-namespace-exist' succeeded for Pod/default/myapp-pod." success: true diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml index f36c778842..eb64b19488 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml @@ -14,5 +14,5 @@ expected: rules: - name: validate-docker-sock-mount type: Validation - message: Validation rule 'validate-docker-sock-mount' failed at '/spec/volumes/' for resource Pod//pod-with-docker-sock-mount. Use of the Docker Unix socket is not allowed. + message: "Validation error: Use of the Docker Unix socket is not allowed\nValidation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/' for Pod//pod-with-docker-sock-mount." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml index c23f015771..455b90ec0d 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml 
@@ -14,5 +14,5 @@ expected: rules: - name: deny-use-of-host-fs type: Validation - message: Validation rule 'deny-use-of-host-fs' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed. + message: "Validation error: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/' for Pod//image-with-hostpath." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml index 72a4227add..defc51c16f 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml @@ -14,5 +14,5 @@ expected: rules: - name: deny-use-of-host-fs type: Validation - message: Validation rule 'deny-use-of-host-fs' succesfully validated + message: Validation rule 'deny-use-of-host-fs' succeeded for Pod//image-with-hostpath. success: true \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml index 36ecb6ab6a..12237c122f 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml 
@@ -14,5 +14,5 @@ expected: rules: - name: validate-host-network-hostport type: Validation - message: "Validation rule 'validate-host-network-hostport' failed at '/spec/containers/0/ports/0/hostPort/' for resource Pod//nginx-host-network. Defining hostNetwork and hostPort are not allowed." + message: "Validation error: Defining hostNetwork and hostPort are not allowed\nValidation rule 'validate-host-network-hostport' failed at path '/spec/containers/0/ports/0/hostPort/' for Pod//nginx-host-network." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml index 0b7222ff31..916cf5b898 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml @@ -14,5 +14,5 @@ expected: rules: - name: validate-hostpid-hostipc type: Validation - message: Validation rule 'validate-hostpid-hostipc' failed at '/spec/hostIPC/' for resource Pod//nginx-with-hostpid. Disallow use of host's pid namespace and host's ipc namespace. + message: "Validation error: Disallow use of host's pid namespace and host's ipc namespace\nValidation rule 'validate-hostpid-hostipc' failed at path '/spec/hostIPC/' for Pod//nginx-with-hostpid." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml index 2ceff790ae..c9fc8bc3b2 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml 
@@ -14,5 +14,5 @@ expected: rules: - name: deny-new-capabilities type: Validation - message: Validation rule 'deny-new-capabilities' failed to validate patterns defined in anyPattern. Capabilities cannot be added.; anyPattern[0] failed at path /spec/; anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/ + message: "Validation error: Capabilities cannot be added\nValidation rule deny-new-capabilities anyPattern[0] failed at path /spec/ for Pod//add-new-capabilities.\nValidation rule deny-new-capabilities anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/ for Pod//add-new-capabilities." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml index bddc1ad253..d4ce058b6b 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml @@ -13,5 +13,5 @@ expected: rules: - name: disallow-node-port type: Validation - message: Validation rule 'disallow-node-port' failed at '/spec/type/' for resource Service//my-service. Disallow service of type NodePort. + message: "Validation error: Disallow service of type NodePort\nValidation rule 'disallow-node-port' failed at path '/spec/type/' for Service//my-service." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml index 127d0c7abd..01c5350fc7 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml 
@@ -14,6 +14,6 @@ expected: rules: - name: deny-privileged-priviligedescalation type: Validation - message: "Validation rule 'deny-privileged-priviligedescalation' failed to validate patterns defined in anyPattern. Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false.; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/" + message: "Validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false\nValidation rule deny-privileged-priviligedescalation anyPattern[0] failed at path /spec/securityContext/ for Pod//check-privileged-cfg.\nValidation rule deny-privileged-priviligedescalation anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/ for Pod//check-privileged-cfg." success: false diff --git a/test/scenarios/samples/best_practices/scenario_validate_probes.yaml b/test/scenarios/samples/best_practices/scenario_validate_probes.yaml index 30d30bb9f6..697eae4e6a 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_probes.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_probes.yaml @@ -14,5 +14,5 @@ expected: rules: - name: check-probes type: Validation - message: Validation rule 'check-probes' failed at '/spec/containers/0/livenessProbe/' for resource Pod//myapp-pod. Liveness and readiness probes are required. + message: "Validation error: Liveness and readiness probes are required\nValidation rule 'check-probes' failed at path '/spec/containers/0/livenessProbe/' for Pod//myapp-pod." success: false diff --git a/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml index beeb6e76a8..ad9cb6d4c8 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml 
+++ b/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml @@ -14,5 +14,5 @@ expected: rules: - name: check-resource-request-limit type: Validation - message: Validation rule 'check-resource-request-limit' failed at '/spec/containers/0/resources/limits/cpu/' for resource Pod//myapp-pod. CPU and memory resource requests and limits are required. + message: "Validation error: CPU and memory resource requests and limits are required\nValidation rule 'check-resource-request-limit' failed at path '/spec/containers/0/resources/limits/cpu/' for Pod//myapp-pod." success: false diff --git a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml index f33e7edc69..ce75cb96b8 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml +++ b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml @@ -14,5 +14,5 @@ expected: rules: - name: validate-readonly-rootfilesystem type: Validation - message: Validation rule 'validate-readonly-rootfilesystem' failed at '/spec/containers/0/securityContext/readOnlyRootFilesystem/' for resource Pod//ghost-with-readonly-rootfilesystem. Container require read-only rootfilesystem. + message: "Validation error: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/' for Pod//ghost-with-readonly-rootfilesystem." success: false \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml b/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml index 0adf0564c1..350ef2e850 100644 --- a/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml 
+++ b/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml @@ -14,5 +14,5 @@ expected: rules: - name: trusted-registries type: Validation - message: Validation rule 'trusted-registries' succesfully validated + message: Validation rule 'trusted-registries' succeeded for Pod//k8s-nginx. success: true \ No newline at end of file diff --git a/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml b/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml index 7d261b61e8..67519319a9 100644 --- a/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml +++ b/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml @@ -15,5 +15,5 @@ expected: rules: - name: validate-container-capablities type: Validation - message: "Validation rule 'validate-container-capablities' failed at '/spec/containers/0/securityContext/capabilities/add/0/' for resource Pod//add-capabilities. Allow certain linux capability." + message: "Validation error: Allow certain linux capability\nValidation rule 'validate-container-capablities' failed at path '/spec/containers/0/securityContext/capabilities/add/0/' for Pod//add-capabilities." success: false \ No newline at end of file diff --git a/test/scenarios/samples/more/scenario_validate_fsgroup.yaml b/test/scenarios/samples/more/scenario_validate_fsgroup.yaml index c262e3b84b..d6044f1c6d 100644 --- a/test/scenarios/samples/more/scenario_validate_fsgroup.yaml +++ b/test/scenarios/samples/more/scenario_validate_fsgroup.yaml 
@@ -15,13 +15,13 @@ expected: rules: - name: validate-userid type: Validation - message: Validation rule 'validate-userid' succesfully validated + message: Validation rule 'validate-userid' succeeded for Pod//fsgroup-demo. success: true - name: validate-groupid type: Validation - message: Validation rule 'validate-groupid' succesfully validated + message: Validation rule 'validate-groupid' succeeded for Pod//fsgroup-demo. success: true - name: validate-fsgroup type: Validation - message: Validation rule 'validate-fsgroup' succesfully validated + message: Validation rule 'validate-fsgroup' succeeded for Pod//fsgroup-demo. success: true diff --git a/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml b/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml index 74c7881956..bdc4b9896b 100644 --- a/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml +++ b/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml @@ -15,5 +15,5 @@ expected: rules: - name: allow-portrange-with-sysctl type: Validation - message: "Validation rule 'allow-portrange-with-sysctl' failed at '/spec/securityContext/sysctls/0/value/' for resource Pod//nginx. Allowed port range is from 1024 to 65535." + message: "Validation error: Allowed port range is from 1024 to 65535\nValidation rule 'allow-portrange-with-sysctl' failed at path '/spec/securityContext/sysctls/0/value/' for Pod//nginx." success: false \ No newline at end of file