add disallow_host_network_hostport.yaml

examples/best_practices/policy_validate_host_network_port.yaml

@@ -1,16 +1,16 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-host-network-port
+  name: validate-host-network-hostport
 spec:
   rules:
-  - name: validate-host-network-port
+  - name: validate-host-network-hostport
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Host network and port are not allowed"
+      message: "hostNetwork and hostPort are not allowed"
       pattern:
         spec:
           hostNetwork: false

pkg/testrunner/testrunner_test.go

@@ -89,7 +89,7 @@ func Test_validate_host_path(t *testing.T) {
 }
 
 func Test_validate_host_network_port(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_host_network_port.yaml")
+	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml")
 }
 
 func Test_validate_hostPID_hostIPC(t *testing.T) {

samples/best_practices/disallow_host_network_hostport.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-host-network-hostport
+spec:
+  rules:
+  - name: validate-host-network-hostport
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "hostNetwork and hostPort are not allowed"
+      pattern:
+        spec:
+          hostNetwork: false
+          containers:
+          - name: "*"
+            ports:
+            - hostPort: null

test/manifest/disallow_host_network_hostport.yaml.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-network
+spec:
+  hostNetwork: false
+  containers:
+  - name: nginx-host-network
+    image: nginx
+    ports:
+    - containerPort: 80
+      hostPort: 80

test/scenarios/test/scenario_validate_deny_runasrootuser.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/deny_runasrootuser.yaml
-  resource: test/manifest/resource_validate_deny_runasrootuser.yaml
+  resource: test/manifest/deny_runasrootuser.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_host_network_hostport.yaml
+  resource: test/manifest/disallow_host_network_hostport.yaml.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-host-network-hostport
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: "nginx-host-network"
+      rules:
+        - name: validate-host-network-hostport
+          type: Validation
+          message: "Validation rule 'validate-host-network-hostport' failed at '/spec/containers/0/ports/0/hostPort/' for resource Pod//nginx-host-network. hostNetwork and hostPort are not allowed"
+          success: false   

test/scenarios/test/scenario_validate_host_network_port.yaml

@@ -1,18 +0,0 @@
-# file path relative to project root
-input:
-  policy: examples/best_practices/policy_validate_host_network_port.yaml
-  resource: examples/best_practices/resources/resource_validate_host_netwok_port.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-host-network-port
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: "nginx-host-network"
-      rules:
-        - name: validate-host-network-port
-          type: Validation
-          message: "Validation rule 'validate-host-network-port' failed at '/spec/containers/0/ports/0/hostPort/' for resource Pod//nginx-host-network. Host network and port are not allowed"
-          success: false