remove resource info in the validation error

pkg/engine/validation.go

@@ -87,8 +87,8 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re
 			// rule application failed
 			glog.V(4).Infof("Validation rule '%s' failed at '%s' for resource %s/%s/%s. %s: %v", rule.Name, path, resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message, err)
 			response.Success = false
-			response.Message = fmt.Sprintf("Validation error for %s/%s/%s: %s\nValidation rule '%s' failed at path '%s'.",
-				resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message, rule.Name, path)
+			response.Message = fmt.Sprintf("Validation error: %s\nValidation rule '%s' failed at path '%s'.",
+				rule.Validation.Message, rule.Name, path)
 			return response
 		}
 		// rule application succesful
@@ -129,7 +129,7 @@ func validatePatterns(resource unstructured.Unstructured, rule kyverno.Rule) (re
 				str := fmt.Sprintf("Validation rule %s anyPattern[%d] failed at path %s.", rule.Name, index, failedPaths[index])
 				errorStr = append(errorStr, str)
 			}
-			response.Message = fmt.Sprintf("Validation error for %s/%s/%s: %s\n%s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), rule.Validation.Message, strings.Join(errorStr, "\n"))
+			response.Message = fmt.Sprintf("Validation error: %s\n%s", rule.Validation.Message, strings.Join(errorStr, "\n"))
 
 			return response
 		}

pkg/engine/validation_test.go

@@ -1818,7 +1818,7 @@ func TestValidate_image_tag_fail(t *testing.T) {
 	assert.NilError(t, err)
 	msgs := []string{
 		"Validation rule 'validate-tag' succeeded.",
-		"Validation error for Pod//myapp-pod: imagePullPolicy 'Always' required with tag 'latest'\nValidation rule 'validate-latest' failed at path '/spec/containers/0/imagePullPolicy/'.",
+		"Validation error: imagePullPolicy 'Always' required with tag 'latest'\nValidation rule 'validate-latest' failed at path '/spec/containers/0/imagePullPolicy/'.",
 	}
 	er := Validate(policy, *resourceUnstructured)
 	for index, r := range er.PolicyResponse.Rules {
@@ -1992,7 +1992,7 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 	resourceUnstructured, err := ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(policy, *resourceUnstructured)
-	msgs := []string{"Validation error for Pod//myapp-pod: A namespace is required\nValidation rule check-default-namespace anyPattern[0] failed at path /metadata/namespace/.\nValidation rule check-default-namespace anyPattern[1] failed at path /metadata/namespace/."}
+	msgs := []string{"Validation error: A namespace is required\nValidation rule check-default-namespace anyPattern[0] failed at path /metadata/namespace/.\nValidation rule check-default-namespace anyPattern[1] failed at path /metadata/namespace/."}
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
 	}
@@ -2073,7 +2073,7 @@ func TestValidate_host_network_port(t *testing.T) {
 	resourceUnstructured, err := ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(policy, *resourceUnstructured)
-	msgs := []string{"Validation error for Pod//nginx-host-network: Host network and port are not allowed\nValidation rule 'validate-host-network-port' failed at path '/spec/containers/0/ports/0/hostPort/'."}
+	msgs := []string{"Validation error: Host network and port are not allowed\nValidation rule 'validate-host-network-port' failed at path '/spec/containers/0/ports/0/hostPort/'."}
 
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
@@ -2250,7 +2250,7 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 	resourceUnstructured, err := ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(policy, *resourceUnstructured)
-	msgs := []string{"Validation error for Pod//image-with-hostpath: Host path '/var/lib/' is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/path/'."}
+	msgs := []string{"Validation error: Host path '/var/lib/' is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/path/'."}
 
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
@@ -2463,7 +2463,7 @@ func TestValidate_anchor_map_found_invalid(t *testing.T) {
 	resourceUnstructured, err := ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(policy, *resourceUnstructured)
-	msgs := []string{"Validation error for Pod//myapp-pod: pod: validate run as non root user\nValidation rule 'pod rule 2' failed at path '/spec/securityContext/runAsNonRoot/'."}
+	msgs := []string{"Validation error: pod: validate run as non root user\nValidation rule 'pod rule 2' failed at path '/spec/securityContext/runAsNonRoot/'."}
 
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
@@ -2847,7 +2847,7 @@ func TestValidate_negationAnchor_deny(t *testing.T) {
 	resourceUnstructured, err := ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(policy, *resourceUnstructured)
-	msgs := []string{"Validation error for Pod//image-with-hostpath: Host path is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/'."}
+	msgs := []string{"Validation error: Host path is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/'."}
 
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])

pkg/testrunner/scenario.go

@@ -439,7 +439,7 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 
 func testScenario(t *testing.T, path string) {
 	flag.Set("logtostderr", "true")
-	flag.Set("v", "8")
+	// flag.Set("v", "8")
 
 	scenario, err := loadScenario(t, path)
 	if err != nil {

test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: prevent-mounting-default-serviceaccount
           type: Validation
-          message: "Validation error for Pod//pod-with-default-sa: Prevent mounting of default service account\nValidation rule 'prevent-mounting-default-serviceaccount' failed at path '/spec/serviceAccountName/'."
+          message: "Validation error: Prevent mounting of default service account\nValidation rule 'prevent-mounting-default-serviceaccount' failed at path '/spec/serviceAccountName/'."
           success: false

test/scenarios/other/scenario_validate_selinux_context.yaml

@@ -15,5 +15,5 @@ expected:
       rules:
         - name: validate-selinux-options
           type: Validation
-          message: "Validation error for Pod/default/busybox-selinux: SELinux level is required\nValidation rule 'validate-selinux-options' failed at path '/spec/containers/0/securityContext/seLinuxOptions/'."
+          message: "Validation error: SELinux level is required\nValidation rule 'validate-selinux-options' failed at path '/spec/containers/0/securityContext/seLinuxOptions/'."
           success: false

test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml

@@ -18,5 +18,5 @@ expected:
           success: true
         - name: image-tag-not-latest
           type: Validation
-          message: "Validation error for Pod//myapp-pod: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/'."
+          message: "Validation error: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/'."
           success: false   

test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml

@@ -16,7 +16,7 @@ expected:
       rules:
         - name: check-default-namespace
           type: Validation
-          message: "Validation error for Pod/default/myapp-pod: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/'."
+          message: "Validation error: Using 'default' namespace is restricted\nValidation rule 'check-default-namespace' failed at path '/metadata/namespace/'."
           success: false
         - name: check-namespace-exist
           type: Validation

test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-docker-sock-mount
           type: Validation
-          message: "Validation error for Pod//pod-with-docker-sock-mount: Use of the Docker Unix socket is not allowed\nValidation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/'."
+          message: "Validation error: Use of the Docker Unix socket is not allowed\nValidation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/'."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml

@@ -12,5 +12,5 @@ expected:
       rules:
         - name: validate-helm-tiller
           type: Validation
-          message: "Validation error for Pod//pod-helm-tiller: Helm Tiller is not allowed\nValidation rule 'validate-helm-tiller' failed at path '/spec/containers/0/image/'."
+          message: "Validation error: Helm Tiller is not allowed\nValidation rule 'validate-helm-tiller' failed at path '/spec/containers/0/image/'."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: deny-use-of-host-fs
           type: Validation
-          message: "Validation error for Pod//image-with-hostpath: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/'."
+          message: "Validation error: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/'."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-host-network-hostport
           type: Validation
-          message: "Validation error for Pod//nginx-host-network: Defining hostNetwork and hostPort are not allowed\nValidation rule 'validate-host-network-hostport' failed at path '/spec/containers/0/ports/0/hostPort/'."
+          message: "Validation error: Defining hostNetwork and hostPort are not allowed\nValidation rule 'validate-host-network-hostport' failed at path '/spec/containers/0/ports/0/hostPort/'."
           success: false   

test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-hostpid-hostipc
           type: Validation
-          message: "Validation error for Pod//nginx-with-hostpid: Disallow use of host's pid namespace and host's ipc namespace\nValidation rule 'validate-hostpid-hostipc' failed at path '/spec/hostIPC/'."
+          message: "Validation error: Disallow use of host's pid namespace and host's ipc namespace\nValidation rule 'validate-hostpid-hostipc' failed at path '/spec/hostIPC/'."
           success: false   

test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: deny-new-capabilities
           type: Validation
-          message: "Validation error for Pod//add-new-capabilities: Capabilities cannot be added\nValidation rule deny-new-capabilities anyPattern[0] failed at path /spec/.\nValidation rule deny-new-capabilities anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/."
+          message: "Validation error: Capabilities cannot be added\nValidation rule deny-new-capabilities anyPattern[0] failed at path /spec/.\nValidation rule deny-new-capabilities anyPattern[1] failed at path /spec/containers/0/securityContext/capabilities/add/."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml

@@ -13,5 +13,5 @@ expected:
       rules:
         - name: disallow-node-port
           type: Validation
-          message: "Validation error for Service//my-service: Disallow service of type NodePort\nValidation rule 'disallow-node-port' failed at path '/spec/type/'."
+          message: "Validation error: Disallow service of type NodePort\nValidation rule 'disallow-node-port' failed at path '/spec/type/'."
           success: false

test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml

@@ -14,6 +14,6 @@ expected:
       rules:
         - name: deny-privileged-priviligedescalation
           type: Validation
-          message: "Validation error for Pod//check-privileged-cfg: Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false\nValidation rule deny-privileged-priviligedescalation anyPattern[0] failed at path /spec/securityContext/.\nValidation rule deny-privileged-priviligedescalation anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/."
+          message: "Validation error: Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false\nValidation rule deny-privileged-priviligedescalation anyPattern[0] failed at path /spec/securityContext/.\nValidation rule deny-privileged-priviligedescalation anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/."
           success: false
 

test/scenarios/samples/best_practices/scenario_validate_known_ingress_class.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: known-ingress
           type: Validation
-          message: Validation rule 'known-ingress' succesfully validated
+          message: Validation rule 'known-ingress' succeeded.
           success: true

test/scenarios/samples/best_practices/scenario_validate_probes.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: check-probes
           type: Validation
-          message: "Validation error for Pod//myapp-pod: Liveness and readiness probes are required\nValidation rule 'check-probes' failed at path '/spec/containers/0/livenessProbe/'."
+          message: "Validation error: Liveness and readiness probes are required\nValidation rule 'check-probes' failed at path '/spec/containers/0/livenessProbe/'."
           success: false 

test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: check-resource-request-limit
           type: Validation
-          message: "Validation error for Pod//myapp-pod: CPU and memory resource requests and limits are required\nValidation rule 'check-resource-request-limit' failed at path '/spec/containers/0/resources/limits/cpu/'."
+          message: "Validation error: CPU and memory resource requests and limits are required\nValidation rule 'check-resource-request-limit' failed at path '/spec/containers/0/resources/limits/cpu/'."
           success: false 

test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-readonly-rootfilesystem
           type: Validation
-          message: "Validation error for Pod//ghost-with-readonly-rootfilesystem: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/'."
+          message: "Validation error: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/'."
           success: false   

test/scenarios/samples/best_practices/scenario_validate_unknown_ingress_class.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: known-ingress
           type: Validation
-          message: Validation rule 'known-ingress' failed at '/metadata/annotations/kubernetes.io/ingress.class/' for resource Ingress//test-ingress. Unknown ingress class.
+          message: "Validation error: Unknown ingress class\nValidation rule 'known-ingress' failed at path '/metadata/annotations/kubernetes.io/ingress.class/'."
           success: false

test/scenarios/samples/more/scenario_validate_container_capabilities.yaml

@@ -15,5 +15,5 @@ expected:
       rules:
         - name: validate-container-capablities
           type: Validation
-          message: "Validation error for Pod//add-capabilities: Allow certain linux capability\nValidation rule 'validate-container-capablities' failed at path '/spec/containers/0/securityContext/capabilities/add/0/'."
+          message: "Validation error: Allow certain linux capability\nValidation rule 'validate-container-capablities' failed at path '/spec/containers/0/securityContext/capabilities/add/0/'."
           success: false

test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml

@@ -15,5 +15,5 @@ expected:
       rules:
         - name: allow-portrange-with-sysctl
           type: Validation
-          message: "Validation error for Pod//nginx: Allowed port range is from 1024 to 65535\nValidation rule 'allow-portrange-with-sysctl' failed at path '/spec/securityContext/sysctls/0/value/'."
+          message: "Validation error: Allowed port range is from 1024 to 65535\nValidation rule 'allow-portrange-with-sysctl' failed at path '/spec/securityContext/sysctls/0/value/'."
           success: false