From 8f8bd0510683e184a5199bdd71e31b533dcd4fc4 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Tue, 8 Oct 2019 21:30:19 -0700
Subject: [PATCH] add samples/best_practices/deny_runasrootuser.yaml

---
 ...srootuser.yaml => deny_runasrootuser.yaml} | 0
 ...sallow_priviledgedprivelegesecalation.yaml | 26 +++++++++++++++++++
 .../resource_validate_deny_runasrootuser.yaml | 0
 .../scenario_validate_deny_runasrootuser.yaml | 4 +--
 4 files changed, 28 insertions(+), 2 deletions(-)
 rename samples/best_practices/{policy_validate_deny_runasrootuser.yaml => deny_runasrootuser.yaml} (100%)
 create mode 100644 samples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
 rename {examples/best_practices/resources => test/manifest}/resource_validate_deny_runasrootuser.yaml (100%)

diff --git a/samples/best_practices/policy_validate_deny_runasrootuser.yaml b/samples/best_practices/deny_runasrootuser.yaml
similarity index 100%
rename from samples/best_practices/policy_validate_deny_runasrootuser.yaml
rename to samples/best_practices/deny_runasrootuser.yaml
diff --git a/samples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml b/samples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
new file mode 100644
index 0000000000..4a54ba13cb
--- /dev/null
+++ b/samples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-deny-privileged-disallowpriviligedescalation
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: deny-privileged-disallowpriviligedescalation
+ exclude:
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
+ anyPattern:
+ - spec:
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ - spec:
+ containers:
+ - name: "*"
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
diff --git a/examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml b/test/manifest/resource_validate_deny_runasrootuser.yaml
similarity index 100%
rename from examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml
rename to test/manifest/resource_validate_deny_runasrootuser.yaml
diff --git a/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml b/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml
index 580e2f001d..34fe1b9bd4 100644
--- a/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml
+++ b/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
- policy: examples/best_practices/policy_validate_deny_runasrootuser.yaml
- resource: examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml
+ policy: samples/best_practices/deny_runasrootuser.yaml
+ resource: test/manifest/resource_validate_deny_runasrootuser.yaml
 expected:
 validation:
 policyresponse:
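Review bot: The first `anyPattern` branch of the new policy (pod-level `spec.securityContext` with `privileged` and `allowPrivilegeEscalation`) can never be satisfied by a valid Pod, because Kubernetes' PodSecurityContext has neither field — they exist only on the container-level securityContext — so that branch is dead and the rule reduces to the second one. The second branch inspects `spec.containers` only, so an init container under `spec.initContainers` can still run privileged or with privilege escalation allowed and pass the rule unchallenged. `exclude:` is also left as a bare key, which a YAML parser reads as null (yamllint `empty-values`); either drop it or give it content. I would replace the two-branch `anyPattern` with one `pattern` that checks both container lists, using the equality anchor `=(initContainers)` so pods without init containers are not rejected for the missing key (if that anchor is supported by the Kyverno version this sample targets), and add a test scenario for this file, since only the runasrootuser scenario is updated in this commit. The file name, the ClusterPolicy name and the rule name all misspell "privileged"/"privilege escalation" (`priviledgedprivelegesecalation`, `disallowpriviligedescalation`), which makes the sample hard to find by grep.
```yaml
      validate:
        message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
        pattern:
          spec:
            containers:
              - name: "*"
                securityContext:
                  allowPrivilegeEscalation: false
                  privileged: false
            =(initContainers):
              - name: "*"
                securityContext:
                  allowPrivilegeEscalation: false
                  privileged: false
```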