diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index f87ec56804..2748830656 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -87,8 +87,8 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re
 // rule application failed
 glog.V(4).Infof("Validation rule '%s' failed at '%s' for resource %s/%s/%s. %s: %v", rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message, err)
 response.Success = false
- response.Message = fmt.Sprintf("Validation error: %s\nValidation rule '%s' failed at path '%s' for %s/%s/%s.",
- rule.Validation.Message, rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+ response.Message = fmt.Sprintf("Validation error for %s/%s/%s: %s\nValidation rule '%s' failed at path '%s'.",
+ resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message, rule.Name, path)
 return response
 }
 // rule application succesful
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 0aed5aeff4..7486171815 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -1818,7 +1818,7 @@ func TestValidate_image_tag_fail(t *testing.T) {
 assert.NilError(t, err)
 msgs := []string{
 "Validation rule 'validate-tag' succeeded.",
- "Validation error: imagePullPolicy 'Always' required with tag 'latest'\nValidation rule 'validate-latest' failed at path '/spec/containers/0/imagePullPolicy/' for Pod//myapp-pod.",
+ "Validation error for Pod//myapp-pod: imagePullPolicy 'Always' required with tag 'latest'\nValidation rule 'validate-latest' failed at path '/spec/containers/0/imagePullPolicy/'.",
 }
 er := Validate(policy, *resourceUnstructured)
 for index, r := range er.PolicyResponse.Rules {
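Review bot: The new response.Message renders an unnamespaced resource with a double slash (`Pod//myapp-pod`, as every updated fixture in this commit shows), and the same kind/namespace/name formatting is now spelled out twice, once in the glog call two lines above and once in the added Sprintf, so the log line and the user-facing message can drift apart. Building the key once, `resourceKey := fmt.Sprintf("%s/%s/%s", resource.GetKind(), resource.GetNamespace(), resource.GetName())`, and using it in both calls keeps them in step and gives a single place to handle an empty namespace. If rule.Validation.Message can be empty, the new format degrades to `Validation error for Pod//x: \nValidation rule ...`, while the actual mismatch in err is only visible at glog V(4); consider falling back to err's text in that case. validatePatterns starts and ends outside the hunk.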
@@ -2073,7 +2073,7 @@ func TestValidate_host_network_port(t *testing.T) {
 resourceUnstructured, err := ConvertToUnstructured(rawResource)
 assert.NilError(t, err)
 er := Validate(policy, *resourceUnstructured)
- msgs := []string{"Validation error: Host network and port are not allowed\nValidation rule 'validate-host-network-port' failed at path '/spec/containers/0/ports/0/hostPort/' for Pod//nginx-host-network."}
+ msgs := []string{"Validation error for Pod//nginx-host-network: Host network and port are not allowed\nValidation rule 'validate-host-network-port' failed at path '/spec/containers/0/ports/0/hostPort/'."}
 for index, r := range er.PolicyResponse.Rules {
 assert.Equal(t, r.Message, msgs[index])
@@ -2250,7 +2250,7 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 resourceUnstructured, err := ConvertToUnstructured(rawResource)
 assert.NilError(t, err)
 er := Validate(policy, *resourceUnstructured)
- msgs := []string{"Validation error: Host path '/var/lib/' is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/path/' for Pod//image-with-hostpath."}
+ msgs := []string{"Validation error for Pod//image-with-hostpath: Host path '/var/lib/' is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/path/'."}
 for index, r := range er.PolicyResponse.Rules {
 assert.Equal(t, r.Message, msgs[index])
@@ -2463,7 +2463,7 @@ func TestValidate_anchor_map_found_invalid(t *testing.T) {
 resourceUnstructured, err := ConvertToUnstructured(rawResource)
 assert.NilError(t, err)
 er := Validate(policy, *resourceUnstructured)
- msgs := []string{"Validation error: pod: validate run as non root user\nValidation rule 'pod rule 2' failed at path '/spec/securityContext/runAsNonRoot/' for Pod//myapp-pod."}
+ msgs := []string{"Validation error for Pod//myapp-pod: pod: validate run as non root user\nValidation rule 'pod rule 2' failed at path '/spec/securityContext/runAsNonRoot/'."}
 for index, r := range er.PolicyResponse.Rules {
 assert.Equal(t, r.Message, msgs[index])
@@ -2847,7 +2847,7 @@ func TestValidate_negationAnchor_deny(t *testing.T) {
 resourceUnstructured, err := ConvertToUnstructured(rawResource)
 assert.NilError(t, err)
 er := Validate(policy, *resourceUnstructured)
- msgs := []string{"Validation error: Host path is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/' for Pod//image-with-hostpath."}
+ msgs := []string{"Validation error for Pod//image-with-hostpath: Host path is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/'."}
 for index, r := range er.PolicyResponse.Rules {
 assert.Equal(t, r.Message, msgs[index])
diff --git a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
index 8c9d66c011..45dd785be7 100644
--- a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
+++ b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: prevent-mounting-default-serviceaccount
 type: Validation
- message: "Validation error: Prevent mounting of default service account\nValidation rule 'prevent-mounting-default-serviceaccount' failed at path '/spec/serviceAccountName/' for Pod//pod-with-default-sa."
+ message: "Validation error for Pod//pod-with-default-sa: Prevent mounting of default service account\nValidation rule 'prevent-mounting-default-serviceaccount' failed at path '/spec/serviceAccountName/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/other/scenario_validate_selinux_context.yaml b/test/scenarios/other/scenario_validate_selinux_context.yaml
index 4f4becd429..56b4112e2f 100644
--- a/test/scenarios/other/scenario_validate_selinux_context.yaml
+++ b/test/scenarios/other/scenario_validate_selinux_context.yaml
@@ -15,5 +15,5 @@ expected:
 rules:
 - name: validate-selinux-options
 type: Validation
- message: "Validation error: SELinux level is required\nValidation rule 'validate-selinux-options' failed at path '/spec/containers/0/securityContext/seLinuxOptions/' for Pod/default/busybox-selinux."
+ message: "Validation error for Pod/default/busybox-selinux: SELinux level is required\nValidation rule 'validate-selinux-options' failed at path '/spec/containers/0/securityContext/seLinuxOptions/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml
index 801012b2db..9f58dc6f54 100644
--- a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml
+++ b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml
@@ -18,5 +18,5 @@ expected:
 success: true
 - name: image-tag-not-latest
 type: Validation
- message: "Validation error: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/' for Pod//myapp-pod."
+ message: "Validation error for Pod//myapp-pod: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/'."
 success: false
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml
index 3f2ea9ef2a..a423bd1a06 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml
@@ -16,7 +16,7 @@ expected:
 rules:
 - name: check-default-namespace
 type: Validation
- message: "Validation error: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/' for Pod/default/myapp-pod."
+ message: "Validation error for Pod/default/myapp-pod: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/'."
 success: false
 - name: check-namespace-exist
 type: Validation
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
index eb64b19488..d90413ec24 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: validate-docker-sock-mount
 type: Validation
- message: "Validation error: Use of the Docker Unix socket is not allowed\nValidation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/' for Pod//pod-with-docker-sock-mount."
+ message: "Validation error for Pod//pod-with-docker-sock-mount: Use of the Docker Unix socket is not allowed\nValidation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
index 455b90ec0d..27cbcc85ef 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: deny-use-of-host-fs
 type: Validation
- message: "Validation error: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/' for Pod//image-with-hostpath."
+ message: "Validation error for Pod//image-with-hostpath: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml
index 12237c122f..cb82dd3457 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: validate-host-network-hostport
 type: Validation
- message: "Validation error: Defining hostNetwork and hostPort are not allowed\nValidation rule 'validate-host-network-hostport' failed at path '/spec/containers/0/ports/0/hostPort/' for Pod//nginx-host-network."
+ message: "Validation error for Pod//nginx-host-network: Defining hostNetwork and hostPort are not allowed\nValidation rule 'validate-host-network-hostport' failed at path '/spec/containers/0/ports/0/hostPort/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml
index 916cf5b898..360f4895dc 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: validate-hostpid-hostipc
 type: Validation
- message: "Validation error: Disallow use of host's pid namespace and host's ipc namespace\nValidation rule 'validate-hostpid-hostipc' failed at path '/spec/hostIPC/' for Pod//nginx-with-hostpid."
+ message: "Validation error for Pod//nginx-with-hostpid: Disallow use of host's pid namespace and host's ipc namespace\nValidation rule 'validate-hostpid-hostipc' failed at path '/spec/hostIPC/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml
index d4ce058b6b..2807f8f173 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml
@@ -13,5 +13,5 @@ expected:
 rules:
 - name: disallow-node-port
 type: Validation
- message: "Validation error: Disallow service of type NodePort\nValidation rule 'disallow-node-port' failed at path '/spec/type/' for Service//my-service."
+ message: "Validation error for Service//my-service: Disallow service of type NodePort\nValidation rule 'disallow-node-port' failed at path '/spec/type/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_probes.yaml b/test/scenarios/samples/best_practices/scenario_validate_probes.yaml
index 697eae4e6a..ae0c6b1ac0 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_probes.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_probes.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: check-probes
 type: Validation
- message: "Validation error: Liveness and readiness probes are required\nValidation rule 'check-probes' failed at path '/spec/containers/0/livenessProbe/' for Pod//myapp-pod."
+ message: "Validation error for Pod//myapp-pod: Liveness and readiness probes are required\nValidation rule 'check-probes' failed at path '/spec/containers/0/livenessProbe/'."
 success: false
diff --git a/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml
index ad9cb6d4c8..1f08792f13 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: check-resource-request-limit
 type: Validation
- message: "Validation error: CPU and memory resource requests and limits are required\nValidation rule 'check-resource-request-limit' failed at path '/spec/containers/0/resources/limits/cpu/' for Pod//myapp-pod."
+ message: "Validation error for Pod//myapp-pod: CPU and memory resource requests and limits are required\nValidation rule 'check-resource-request-limit' failed at path '/spec/containers/0/resources/limits/cpu/'."
 success: false
diff --git a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
index ce75cb96b8..1347cfce73 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
@@ -14,5 +14,5 @@ expected:
 rules:
 - name: validate-readonly-rootfilesystem
 type: Validation
- message: "Validation error: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/' for Pod//ghost-with-readonly-rootfilesystem."
+ message: "Validation error for Pod//ghost-with-readonly-rootfilesystem: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml b/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml
index 67519319a9..5dfa59639d 100644
--- a/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml
+++ b/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml
@@ -15,5 +15,5 @@ expected:
 rules:
 - name: validate-container-capablities
 type: Validation
- message: "Validation error: Allow certain linux capability\nValidation rule 'validate-container-capablities' failed at path '/spec/containers/0/securityContext/capabilities/add/0/' for Pod//add-capabilities."
+ message: "Validation error for Pod//add-capabilities: Allow certain linux capability\nValidation rule 'validate-container-capablities' failed at path '/spec/containers/0/securityContext/capabilities/add/0/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml b/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml
index bdc4b9896b..058b8276e2 100644
--- a/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml
+++ b/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml
@@ -15,5 +15,5 @@ expected:
 rules:
 - name: allow-portrange-with-sysctl
 type: Validation
- message: "Validation error: Allowed port range is from 1024 to 65535\nValidation rule 'allow-portrange-with-sysctl' failed at path '/spec/securityContext/sysctls/0/value/' for Pod//nginx."
+ message: "Validation error for Pod//nginx: Allowed port range is from 1024 to 65535\nValidation rule 'allow-portrange-with-sysctl' failed at path '/spec/securityContext/sysctls/0/value/'."
 success: false
\ No newline at end of file