update disallow_priviledged

pkg/testrunner/testrunner_test.go

@@ -14,8 +14,8 @@ func Test_disallow_root_user(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/disallow_root_user.yaml")
 }
 
-func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml")
+func Test_disallow_priviledged(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_priviledged.yaml")
 }
 
 func Test_validate_healthChecks(t *testing.T) {

samples/DisallowPrivilegedContainers.md

@@ -1,36 +1,50 @@
-# Disable privileged containers
+# Diallow privileged containers
 
 Privileged containers are defined as any container where the container uid 0 is mapped to the host’s uid 0. A process within a privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation` enabled, a process can gain privileges from its parent.
 
-To disallow privileged containers and the privilege escalation it is recommended to run pod containers with `securityContext.priveleged` set to `false` and `allowPrivilegeEscalation` set to `false`.
+To disallow privileged containers and privilege escalation, run pod containers with `securityContext.privileged` set to `false` and `securityContext.allowPrivilegeEscalation` set to `false`.
 
 ## Policy YAML 
 
-[disallow_priviledged_priviligedescalation.yaml](best_practices/disallow_priviledged_priviligedescalation.yaml)
+[disallow_privileged.yaml](best_practices/disallow_privileged.yaml)
 
 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-deny-privileged-priviligedescalation
+  name: disallow-privileged
 spec:
   rules:
-  - name: deny-privileged-priviligedescalation
+  - name: validate-privileged
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
+      message: "Privileged mode is not allowed. Set privileged to false"
       anyPattern:
       - spec:
           securityContext:
-            allowPrivilegeEscalation: false
             privileged: false
+      - spec:
+          containers:
+          - name: "*"
+            securityContext:
+              privileged: false
+  - name: validate-allowPrivilegeEscalation
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
+      anyPattern:
+      - spec:
+          securityContext:
+            allowPrivilegeEscalation: false
       - spec:
           containers:
           - name: "*"
             securityContext:
               allowPrivilegeEscalation: false
-              privileged: false    
 ````

samples/README.md

@@ -37,7 +37,7 @@ The policies are mostly validation rules in `audit` mode i.e. your existing work
 These policies are highly recommended.
 
 1. [Disallow root user](DisallowRootUser.md)
-2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
+2. [Disallow privileged containers](DisallowPrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
 4. [Require read-only root filesystem](RequireReadOnlyFS.md)
 5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)

samples/best_practices/disallow_priviledged_priviligedescalation.yaml

@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-deny-privileged-priviligedescalation
-  annotations:
-    policies.kyverno.io/category: Security Context
-    policies.kyverno.io/description: Privileged containers are defined as any container 
-      where the container uid 0 is mapped to the host’s uid 0. A process within privileged 
-      containers can get unrestricted host access. With 'securityContext.allowPrivilegeEscalation' 
-      enabled a process can gain privileges from its parent. To disallow privileged containers 
-      and the escalation of privileges it is recommended to run pod containers with 
-      'securityContext.priveleged' as 'false' and 'allowPrivilegeEscalation' as 'false'.
-spec:
-  rules:
-  - name: deny-privileged-priviligedescalation
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
-      anyPattern:
-      - spec:
-          securityContext:
-            allowPrivilegeEscalation: false
-            privileged: false
-      - spec:
-          containers:
-          - name: "*"
-            securityContext:
-              allowPrivilegeEscalation: false
-              privileged: false    

samples/best_practices/disallow_privileged.yaml

@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-privileged
+spec:
+  rules:
+  - name: validate-privileged
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Privileged mode is not allowed. Set privileged to false"
+      anyPattern:
+      - spec:
+          securityContext:
+            privileged: false
+      - spec:
+          containers:
+          - name: "*"
+            securityContext:
+              privileged: false
+  - name: validate-allowPrivilegeEscalation
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
+      anyPattern:
+      - spec:
+          securityContext:
+            allowPrivilegeEscalation: false
+      - spec:
+          containers:
+          - name: "*"
+            securityContext:
+              allowPrivilegeEscalation: false
+

test/resources/disallow_privileged.yaml

@@ -8,4 +8,4 @@ spec:
     image: nginxinc/nginx-unprivileged
     securityContext:
       allowPrivilegeEscalation: true
-      privileged: false
+      privileged: true

test/scenarios/samples/best_practices/disallow_priviledged.yaml

@@ -0,0 +1,20 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_privileged.yaml
+  resource: test/resources/disallow_privileged.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-privileged
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: check-privileged-cfg
+      rules:
+        - name: validate-privileged
+          type: Validation
+          success: false
+        - name: validate-allowPrivilegeEscalation
+          type: Validation
+          success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml

@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
-  policy: samples/best_practices/disallow_priviledged_priviligedescalation.yaml
-  resource: test/resources/disallow_priviledged_priviligedescalation.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-deny-privileged-priviligedescalation
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: check-privileged-cfg
-      rules:
-        - name: deny-privileged-priviligedescalation
-          type: Validation
-          message: "Validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false\nValidation rule deny-privileged-priviligedescalation anyPattern[0] failed at path /spec/securityContext/.\nValidation rule deny-privileged-priviligedescalation anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/."
-          success: false
-