update markdown

2025-03-05 07:26:55 +00:00 · 2019-12-30 16:45:22 -08:00 · 2019-12-30 16:45:22 -08:00 · e9ac8b8b28
commit e9ac8b8b28
parent 456190b7f8
3 changed files with 13 additions and 20 deletions
--- a/samples/DisallowBindMounts.md
+++ b/samples/DisallowBindMounts.md
@ -22,6 +22,6 @@ spec:
      message: "Host path volumes are not allowed"
      pattern: 
        spec: 
-          volumes: 
+          =(volumes): 
          - X(hostPath): null
 ````
--- a/samples/DisallowPrivilegedContainers.md
+++ b/samples/DisallowPrivilegedContainers.md
@ -22,15 +22,13 @@ spec:
        - Pod
    validate:
      message: "Privileged mode is not allowed. Set privileged to false"
-      anyPattern:
-      - spec:
-          securityContext:
-            privileged: false
-      - spec:
+      pattern:
+        spec:
          containers:
-          - name: "*"
-            securityContext:
-              privileged: false
+          - =(securityContext):
+              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5707-L5711
+              # k8s default to false
+              =(privileged): false
  - name: validate-allowPrivilegeEscalation
    match:
      resources:
@ -38,13 +36,10 @@ spec:
        - Pod
    validate:
      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
-      anyPattern:
-      - spec:
-          securityContext:
-            allowPrivilegeEscalation: false
-      - spec:
+      pattern:
+        spec:
          containers:
-          - name: "*"
-            securityContext:
+          - securityContext:
+              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5754
              allowPrivilegeEscalation: false
 ````
--- a/samples/DisallowRootUser.md
+++ b/samples/DisallowRootUser.md
@ -15,7 +15,6 @@ apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: disallow-root-user
-  annotations:
 spec:
  rules:
  - name: validate-runAsNonRoot
@ -24,14 +23,13 @@ spec:
        kinds:
        - Pod
    validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true"
+      message: "Running as root user is not allowed. Set runAsNonRoot to true"
      anyPattern:
      - spec:
          securityContext:
            runAsNonRoot: true
      - spec:
          containers:
-          - name: "*"
-            securityContext:
+          - securityContext:
              runAsNonRoot: true
 ````