update disallow_latest_tag

pkg/testrunner/testrunner_test.go

@@ -28,12 +28,12 @@ func Test_generate_networkPolicy(t *testing.T) {
 
 // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
 
-func Test_validate_require_image_tag_not_latest_deny(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml")
+func Test_validate_disallow_latest_tag(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag.yaml")
 }
 
 func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml")
 }
 
 func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {

samples/DisallowHostPIDIPC.md

@@ -15,10 +15,7 @@ metadata:
   name: disallow-host-pid-ipc
   annotations:
     policies.kyverno.io/category: Security
-    policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process 
-      on the host, potentially exposing process information. Sharing the host's IPC namespace allows 
-      the container process to communicate with processes on the host. To avoid pod container from 
-      having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
+    policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process on the host, potentially exposing process information. Sharing the host's IPC namespace allows the container process to communicate with processes on the host. To avoid pod container from having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
 spec:
   validationFailureAction: audit
   rules:

samples/DisallowLatestTag.md

@@ -4,36 +4,42 @@ The `:latest` tag is mutable and can lead to unexpected errors if the upstream i
 
 ## Policy YAML 
 
-[require_image_tag_not_latest.yaml](best_practices/require_image_tag_not_latest.yaml)
+[disallow_latest_tag.yaml](best_practices/disallow_latest_tag.yaml)
 
 
 ````yaml
 apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-image-tag
+  name: disallow-latest-tag
+  annotations:
+    policies.kyverno.io/category: Image
+    policies.kyverno.io/description: The ':latest' tag is mutable and can lead to 
+      unexpected errors if the image changes. A best practice is to use an immutable 
+      tag that maps to a specific version of an application pod.
 spec:
   rules:
-  - name: image-tag-notspecified
+  - name: require-tag
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Image tag not specified"  
+      message: "An image tag is required"  
       pattern:
         spec:
           containers:
           - image: "*:*"
-  - name: image-tag-not-latest
+  - name: validate-tag
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Using 'latest' image tag is restricted. Set image tag to a specific version"
+      message: "Using a mutable image tag e.g. 'latest' is not allowed"
       pattern:
         spec:
           containers:
           - image: "!*:latest"
+
 ````

samples/best_practices/disallow_latest_tag.yaml

@@ -1,7 +1,7 @@
 apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-image-tag
+  name: disallow-latest-tag
   annotations:
     policies.kyverno.io/category: Image
     policies.kyverno.io/description: The ':latest' tag is mutable and can lead to 
@@ -9,24 +9,24 @@ metadata:
       tag that maps to a specific version of an application pod.
 spec:
   rules:
-  - name: image-tag-notspecified
+  - name: require-image-tag
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Image tag not specified"  
+      message: "An image tag is required"  
       pattern:
         spec:
           containers:
           - image: "*:*"
-  - name: image-tag-not-latest
+  - name: validate-image-tag
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Using 'latest' image tag is restricted. Set image tag to a specific version"
+      message: "Using a mutable image tag e.g. 'latest' is not allowed"
       pattern:
         spec:
           containers:

test/scenarios/samples/best_practices/disallow_latest_tag.yaml

@@ -0,0 +1,20 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_latest_tag.yaml
+  resource: test/resources/pod_with_latest_tag.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-latest-tag
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: myapp-pod
+      rules:
+        - name: require-image-tag
+          type: Validation
+          success: true
+        - name: validate-image-tag
+          type: Validation
+          success: false   

test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml

@@ -0,0 +1,20 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_latest_tag.yaml
+  resource: test/resources/pod_with_version_tag.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-latest-tag
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: myapp-pod
+      rules:
+        - name: require-image-tag
+          type: Validation
+          success: true    
+        - name: validate-image-tag
+          type: Validation
+          success: true  

test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml

@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
-  policy: samples/best_practices/require_image_tag_not_latest.yaml
-  resource: test/resources/require_image_tag_not_latest_deny.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-image-tag
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: myapp-pod
-      rules:
-        - name: image-tag-notspecified
-          type: Validation
-          message: "Validation rule 'image-tag-notspecified' succeeded."
-          success: true
-        - name: image-tag-not-latest
-          type: Validation
-          message: "Validation error: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/'."
-          success: false   

test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml

@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
-  policy: samples/best_practices/require_image_tag_not_latest.yaml
-  resource: test/resources/resource_validate_image_tag_latest_pass.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-image-tag
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: myapp-pod
-      rules:
-        - name: image-tag-notspecified
-          type: Validation
-          message: "Validation rule 'image-tag-notspecified' succeeded."
-          success: true    
-        - name: image-tag-not-latest
-          type: Validation
-          message: "Validation rule 'image-tag-not-latest' succeeded."
-          success: true