update doc

samples/README.md

@@ -18,7 +18,6 @@ By default, processes in a container run as a root user (uid 0). To prevent comp
 **Additional Information**
 * [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
 
-
 ## `hostNetwork` and `hostPort` not allowed
 
 Using `hostPort` and `hostNetwork` limits the number of nodes the pod can be scheduled on, as the pod is bound to the host thats its mapped to.
@@ -26,7 +25,6 @@ To avoid this limitation, use a validate rule to make sure these attributes are
 
 ***Policy YAML***: [disallow_host_network_hostport.yaml](best_practices/disallow_host_network_hostport.yaml)
 
-
 ## Disallow `hostPID` and `hostIPC`
 Sharing the host's PID namespace allows vibility of process on the host, potentially exposing porcess information. 
 Sharing the host's IPC namespace allows container process to communicate with processes on the host. 
@@ -34,14 +32,12 @@ To avoid pod container from having visilbility to host process space, we can che
 
 ***Policy YAML***: [disallow_hostpid_hostipc.yaml](best_practices/disallow_hostpid_hostipc.yaml)
 
-
 ## Disallow node port
 Node port ranged service is advertised to the public and can be scanned and probed from others exposing all nodes.
 NetworkPolicy resources can currently only control NodePorts by allowing or disallowing all traffic on them. Unless required it is recommend to disable use to service type `NodePort`.
 
 ***Policy YAML***: [disallow_node_port.yaml](best_practices/disallow_node_port.yaml)
 
-
 ## Disable privileged containers
 A process within priveleged containers get almost the same priveleges that are available to processes outside a container providing almost unrestricited host access. With `securityContext.allowPrivilegeEscalation` enabled the process can gain ore priveleges that its parent.
 To restrcit the priveleges it is recommend to run pod containers with `securityContext.priveleged` as `false` and 
@@ -49,31 +45,32 @@ To restrcit the priveleges it is recommend to run pod containers with `securityC
 
 ***Policy YAML***: [disallow_priviledged_priviligedescalation.yaml](best_practices/disallow_priviledged_priviligedescalation.yaml)
 
-
 ## Default network policy
-***Policy YAML***: [require_default_network_policy.yaml](best_practices/require_default_network_policy.yaml)
+When no policies are defined, Kubernetes allows all communications. Kubernetes network policies specify the access permissions for groups of pods providing basic level of security. Policies can be used to make sure networking policies are configured as per requirements.
 
+***Policy YAML***: (TODO)[require_default_network_policy.yaml](best_practices/require_default_network_policy.yaml)
 
 ## Disallow latest image tag
+Even thought latest is default value, its hard to track which version of the image is running and hard to roll back. It is recommend to not use latest and specify the image tag to be used.
+
 ***Policy YAML***: [require_image_tag_not_latest.yaml](best_practices/require_image_tag_not_latest.yaml)
 
 
 ## Require pod resource quota
+As workloads share the host cluster, it is essential to administer and limit resources requested and used. It is a good practice to always specify `resources.requests` and `resources.limits`.
+
 ***Policy YAML***: [require_pod_requests_limits.yaml](best_practices/require_pod_requests_limits.yaml)
 
-
 ## Require pod probes
+(TODO)It is recommended to specify liveness and readiness probes as checks health checks on workloads.
+
 ***Policy YAML***: [require_probes.yaml](best_practices/require_probes.yaml)
 
-
 ## Read-only root filesystem
-
 A read-only root file system helps to enforce an immutable infrastrucutre strategy, the container only need to write on mounted volume that persist the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
 
 ***Policy YAML***: [require_readonly_rootfilesystem.yaml](best_practices/require_readonly_rootfilesystem.yaml)
 
-
-
 # Additional Policies
 
 ## Assign Linux capabilities inside Pod