update markdown

2024-12-14 11:57:48 +00:00 · 2019-11-01 15:10:42 -07:00 · 2019-11-01 15:10:42 -07:00 · 764c353fdd
commit 764c353fdd
parent 4fbc57bfed
1 changed files with 12 additions and 5 deletions
--- a/samples/DisallowNewCapabilities.md
+++ b/samples/DisallowNewCapabilities.md
@ -15,6 +15,13 @@ apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
  name: validate-new-capabilities
+  annotations:
+    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/description: Linux allows defining fine-grained permissions using
+      capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+      level of kernel access and allow other potentially dangerous behaviors. This policy 
+      enforces that pods cannot add new capabilities. Other policies can be used to set 
+      default capabilities. 
 spec:
  rules:
  - name: deny-new-capabilities
@ -26,13 +33,13 @@ spec:
      message: "Capabilities cannot be added"
      anyPattern:
      - spec:
-          securityContext:
-            capabilities:
-              X(add): null    
+        =(securityContext):
+          =(capabilities):
+            X(add): null
      - spec:
          containers:
          - name: "*"
-            securityContext:
-              (capabilities):
+            =(securityContext):
+              =(capabilities):
                X(add): null
 ````