From 5ce8fd7a9ac24184b01145933039720f41232911 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Fri, 8 Nov 2019 19:25:43 -0800
Subject: [PATCH] update disallow_root_user

---
 pkg/testrunner/testrunner_test.go | 4 ++--
 samples/AddSafeToEvict.md | 2 +-
 samples/{RunAsNonRootUser.md => DisallowRootUser.md} | 12 +++++++++---
 samples/README.md | 4 ++--
 ...ny_runasrootuser.yaml => disallow_root_user.yaml} | 8 ++++----
 ...ny_runasrootuser.yaml => disallow_root_user.yaml} | 7 +++----
 6 files changed, 21 insertions(+), 16 deletions(-)
 rename samples/{RunAsNonRootUser.md => DisallowRootUser.md} (65%)
 rename samples/best_practices/{deny_runasrootuser.yaml => disallow_root_user.yaml} (78%)
 rename test/scenarios/samples/best_practices/{scenario_validate_deny_runasrootuser.yaml => disallow_root_user.yaml} (59%)

diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 31293fca40..0abebd96dc 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -10,8 +10,8 @@ func Test_Mutate_Validate_qos(t *testing.T) {
 	testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml")
 }
 
-func Test_validate_deny_runasrootuser(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml")
+func Test_disallow_root_user(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_root_user.yaml")
 }
 
 func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) {
diff --git a/samples/AddSafeToEvict.md b/samples/AddSafeToEvict.md
index ddec6a4168..b52bc3b5d6 100644
--- a/samples/AddSafeToEvict.md
+++ b/samples/AddSafeToEvict.md
@@ -10,7 +10,7 @@ This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to
 
 ## Policy YAML
 
-[add_safe_to_evict_annotation.yaml](best_practices/add_safe-to-evict_annotation.yaml)
+[add_safe_to_evict_annotation.yaml](best_practices/add_safe_to_evict.yaml)
 
 ````yaml
 apiVersion: "kyverno.io/v1alpha1"
diff --git a/samples/RunAsNonRootUser.md b/samples/DisallowRootUser.md
similarity index 65%
rename from samples/RunAsNonRootUser.md
rename to samples/DisallowRootUser.md
index e2257418b5..9e1291d5af 100644
--- a/samples/RunAsNonRootUser.md
+++ b/samples/DisallowRootUser.md
@@ -8,16 +8,22 @@ By default, all processes in a container run as the root user (uid 0). To preven
 
 ## Policy YAML
 
-[deny_runasrootuser.yaml](best_practices/deny_runasrootuser.yaml)
+[disallow_root_user.yaml](best_practices/disallow_root_user.yaml)
 
 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-deny-runasrootuser
+  name: disallow-root-user
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: By default, processes in a container run as a
+      root user (uid 0). To prevent potential compromise of container hosts, specify a
+      least privileged user ID when building the container image and require that
+      application containers run as non root users.
 spec:
   rules:
-  - name: deny-runasrootuser
+  - name: validate-runAsNonRoot
     match:
       resources:
         kinds:
diff --git a/samples/README.md b/samples/README.md
index 4bad1c3f8c..5604b96a59 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -36,7 +36,7 @@ The policies are mostly validation rules in `audit` mode i.e. your existing work
 
 These policies are highly recommended.
 
-1. [Run as non-root user](RunAsNonRootUser.md)
+1. [Disallow root user](DisallowRootUser.md)
 2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
 4. [Require read-only root filesystem](RequireReadOnlyFS.md)
@@ -52,7 +52,7 @@ These policies are highly recommended.
 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
 15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
 16. [Disallow Helm Tiller](DisallowHelmTiller.md)
-17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](MutateSafeToEvict.md)
+17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
 
 ## Additional Policies
 
diff --git a/samples/best_practices/deny_runasrootuser.yaml b/samples/best_practices/disallow_root_user.yaml
similarity index 78%
rename from samples/best_practices/deny_runasrootuser.yaml
rename to samples/best_practices/disallow_root_user.yaml
index dd653c995a..5201126195 100644
--- a/samples/best_practices/deny_runasrootuser.yaml
+++ b/samples/best_practices/disallow_root_user.yaml
@@ -1,22 +1,22 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-deny-runasrootuser
+  name: disallow-root-user
   annotations:
-    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/category: Security
     policies.kyverno.io/description: By default, processes in a container run as a
       root user (uid 0). To prevent potential compromise of container hosts, specify a
       least privileged user ID when building the container image and require that
       application containers run as non root users.
 spec:
   rules:
-  - name: deny-runasrootuser
+  - name: validate-runAsNonRoot
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true"
+      message: "Running as root user is not allowed. Set runAsNonRoot to true"
       anyPattern:
       - spec:
           securityContext:
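Review bot: The first `anyPattern` alternative at the end of this hunk starts at the pod-level `spec.securityContext`, and in Kubernetes a container-level `securityContext.runAsNonRoot: false` (or a container `runAsUser: 0` when the pod-level field is only `runAsUser`) takes precedence over the pod-level setting; unless the remainder of the pattern, which lies outside this hunk, also constrains `spec.containers[*].securityContext`, a pod can match this rule and still run as root. If that is the case, the pod-level alternative should additionally require `containers: - =(securityContext): =(runAsNonRoot): true` (Kyverno conditional-anchor syntax) so an explicit container-level override is caught, and the `initContainers` list deserves the same treatment. The rule message `"Running as root user is not allowed. Set runAsNonRoot to true"` would then also be accurate for the container-level failure. As a point of style, `validate-runAsNonRoot` mixes camelCase into names that are otherwise kebab-case (`disallow-root-user`); `validate-run-as-non-root` would be consistent, noting that the test scenario in this same patch pins the rule name and would need the same change.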
diff --git a/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml b/test/scenarios/samples/best_practices/disallow_root_user.yaml
similarity index 59%
rename from test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml
rename to test/scenarios/samples/best_practices/disallow_root_user.yaml
index f06635771e..6d8186c66c 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml
+++ b/test/scenarios/samples/best_practices/disallow_root_user.yaml
@@ -1,19 +1,18 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/deny_runasrootuser.yaml
+  policy: samples/best_practices/disallow_root_user.yaml
   resource: test/resources/deny_runasrootuser.yaml
 expected:
   validation:
     policyresponse:
-      policy: validate-deny-runasrootuser
+      policy: disallow-root-user
       resource:
         kind: Pod
         apiVersion: v1
         namespace: ''
         name: check-root-user
       rules:
-      - name: deny-runasrootuser
+      - name: validate-runAsNonRoot
         type: Validation
-        message: "Validation rule 'deny-runasrootuser' anyPattern[1] succeeded."
         success: true