update disallow_root_user

pkg/testrunner/testrunner_test.go

@@ -10,8 +10,8 @@ func Test_Mutate_Validate_qos(t *testing.T) {
 	testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml")
 }
 
-func Test_validate_deny_runasrootuser(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml")
+func Test_disallow_root_user(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_root_user.yaml")
 }
 
 func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) {

samples/AddSafeToEvict.md

@@ -10,7 +10,7 @@ This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to
 
 ## Policy YAML
 
-[add_safe_to_evict_annotation.yaml](best_practices/add_safe-to-evict_annotation.yaml)
+[add_safe_to_evict_annotation.yaml](best_practices/add_safe_to_evict.yaml)
 
 ````yaml
 apiVersion: "kyverno.io/v1alpha1"

samples/DisallowRootUser.md

@@ -8,16 +8,22 @@ By default, all processes in a container run as the root user (uid 0). To preven
 
 ## Policy YAML 
 
-[deny_runasrootuser.yaml](best_practices/deny_runasrootuser.yaml) 
+[disallow_root_user.yaml](best_practices/disallow_root_user.yaml) 
 
 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-deny-runasrootuser
+  name: disallow-root-user
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: By default, processes in a container run as a 
+      root user (uid 0). To prevent potential compromise of container hosts, specify a 
+      least privileged user ID when building the container image and require that 
+      application containers run as non root users.
 spec:
   rules:
-  - name: deny-runasrootuser
+  - name: validate-runAsNonRoot
     match:
       resources:
         kinds:

samples/README.md

@@ -36,7 +36,7 @@ The policies are mostly validation rules in `audit` mode i.e. your existing work
 
 These policies are highly recommended.
 
-1. [Run as non-root user](RunAsNonRootUser.md)
+1. [Disallow root user](DisallowRootUser.md)
 2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
 4. [Require read-only root filesystem](RequireReadOnlyFS.md)
@@ -52,7 +52,7 @@ These policies are highly recommended.
 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
 15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
 16. [Disallow Helm Tiller](DisallowHelmTiller.md)
-17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](MutateSafeToEvict.md)
+17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
 
 ## Additional Policies
 

samples/best_practices/disallow_root_user.yaml

@@ -1,22 +1,22 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-deny-runasrootuser
+  name: disallow-root-user
   annotations:
-    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/category: Security
     policies.kyverno.io/description: By default, processes in a container run as a 
       root user (uid 0). To prevent potential compromise of container hosts, specify a 
       least privileged user ID when building the container image and require that 
       application containers run as non root users.
 spec:
   rules:
-  - name: deny-runasrootuser
+  - name: validate-runAsNonRoot
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true"
+      message: "Running as root user is not allowed. Set runAsNonRoot to true"
       anyPattern:
       - spec:
           securityContext:

test/scenarios/samples/best_practices/disallow_root_user.yaml

@@ -1,19 +1,18 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/deny_runasrootuser.yaml
+  policy: samples/best_practices/disallow_root_user.yaml
   resource: test/resources/deny_runasrootuser.yaml
 expected:
   validation:
     policyresponse:
-      policy: validate-deny-runasrootuser
+      policy: disallow-root-user
       resource:
         kind: Pod
         apiVersion: v1
         namespace: ''
         name: check-root-user
       rules:
-        - name: deny-runasrootuser
+        - name: validate-runAsNonRoot
           type: Validation
-          message: "Validation rule 'deny-runasrootuser' anyPattern[1] succeeded."
           success: true