From 4fbc57bfedf451f3b004744ac21c0db43206a215 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Fri, 1 Nov 2019 14:37:17 -0700
Subject: [PATCH] update policy and test case
---
 samples/best_practices/disallow_new_capabilities.yaml | 10 +++++-----
 .../scenario_validate_disallow_new_capabilities.yaml | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/samples/best_practices/disallow_new_capabilities.yaml b/samples/best_practices/disallow_new_capabilities.yaml
index 71e0a6444f..a727d8e44b 100644
--- a/samples/best_practices/disallow_new_capabilities.yaml
+++ b/samples/best_practices/disallow_new_capabilities.yaml
@@ -20,12 +20,12 @@ spec:
 message: "Capabilities cannot be added"
 anyPattern:
 - spec:
- (securityContext):
- (capabilities):
- X(add): null
+ =(securityContext):
+ =(capabilities):
+ X(add): null
 - spec:
 containers:
 - name: "*"
- (securityContext):
- (capabilities):
+ =(securityContext):
+ =(capabilities):
 X(add): null
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml
index e4994df9fb..9cbcc6a4c9 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: deny-new-capabilities
 type: Validation
- message: Validation rule 'deny-new-capabilities' failed at '/spec/containers/securityContext/capabilities/add' for resource Pod//capabilities. Capabilities cannot be added
+ message: Validation rule 'deny-new-capabilities' failed to validate patterns defined in anyPattern. Capabilities cannot be added; anyPattern[0] failed at path /spec/; anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/
 success: false
\ No newline at end of file
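Review bot: In samples/best_practices/disallow_new_capabilities.yaml the container alternative of `anyPattern` only walks `spec.containers`, so a capability added under `spec.initContainers` is not inspected by this rule as written. Consider giving that same `spec` alternative an optional `=(initContainers):` list with the same `=(securityContext)` / `=(capabilities)` / `X(add): null` subtree, as sketched below. It belongs in the same alternative as `containers`, because a separate `anyPattern` entry would be OR-ed with the others and could let a pod pass on one list alone. The first alternative also checks `spec.securityContext.capabilities`, yet the Kubernetes pod-level securityContext has no `capabilities` field, so please confirm that this alternative cannot be satisfied by a pod whose containers add capabilities. The rule's `match` block and the original indentation are not visible in the hunk, so the nesting in the sketch is assumed, and whether the engine accepts `=()` on a list key should be verified.

```yaml
- spec:
    # … unchanged: containers entry (name: "*" with =(securityContext) / =(capabilities) / X(add): null) …
    =(initContainers):
    - name: "*"
      =(securityContext):
        =(capabilities):
          X(add): null
```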
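Review bot: The scenario in scenario_validate_disallow_new_capabilities.yaml still asserts only the deny path (`success: false`), so nothing pins the allow behaviour that the new `=()` anchors presumably exist for. A companion scenario with a pod that has no `securityContext` at all and expects `success: true` would guard against the policy rejecting ordinary workloads. A further scenario where only one of several containers adds a capability would show that index-specific paths such as `/spec/containers/0/...` are reported for the right element. The input resource and the rest of the expectation are outside the hunk, so an existing scenario may already cover part of this.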