update RequireReadOnlyRootFS

2025-03-29 10:55:05 +00:00 · 2019-11-09 16:18:33 -08:00 · 2019-11-09 16:18:33 -08:00 · fae8ac0325
commit fae8ac0325
parent 121b81a83b
6 changed files with 33 additions and 28 deletions
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -52,8 +52,8 @@ func Test_validate_hostPID_hostIPC(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml")
 }

-func Test_validate_not_readonly_rootfilesystem(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml")
+func Test_validate_ro_rootfs(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/require_ro_rootfs.yaml")
 }

 func Test_validate_require_namespace_quota(t *testing.T) {
--- a/samples/README.md
+++ b/samples/README.md
@ -39,7 +39,7 @@ These policies are highly recommended.
 1. [Disallow root user](DisallowRootUser.md)
 2. [Disallow privileged containers](DisallowPrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
-4. [Require read-only root filesystem](RequireReadOnlyFS.md)
+4. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
 5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
 6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
 7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
--- a/samples/RequireReadOnlyRootFS.md
+++ b/samples/RequireReadOnlyRootFS.md
@ -4,23 +4,29 @@ A read-only root file system helps to enforce an immutable infrastructure strate

 ## Policy YAML 

-[require_readonly_rootfilesystem.yaml](best_practices/require_readonly_rootfilesystem.yaml)
+[require_ro_rootfs.yaml](best_practices/require_ro_rootfs.yaml)


 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-readonly-rootfilesystem
+  name: require-ro-rootfs
+  annotations:
+    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/description: A read-only root file system helps to enforce an immutable 
+      infrastructure strategy; the container only needs to write on the mounted volume that p
+      ersists the state. An immutable root filesystem can also prevent malicious binaries from 
+      writing to the host system.
 spec:
  rules:
-  - name: validate-readonly-rootfilesystem
+  - name: validate-readOnlyRootFilesystem
    match:
      resources:
        kinds:
        - Pod
    validate:
-      message: "Container require read-only rootfilesystem"
+      message: "Root filesystem must be read-only"
      pattern:
        spec:
          containers:
--- a/samples/best_practices/require_readonly_rootfilesystem.yaml
+++ b/samples/best_practices/require_readonly_rootfilesystem.yaml
@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-readonly-rootfilesystem
+  name: require-ro-rootfs
  annotations:
    policies.kyverno.io/category: Security Context
    policies.kyverno.io/description: A read-only root file system helps to enforce an immutable 
@ -10,13 +10,13 @@ metadata:
      writing to the host system.
 spec:
  rules:
-  - name: validate-readonly-rootfilesystem
+  - name: validate-readOnlyRootFilesystem
    match:
      resources:
        kinds:
        - Pod
    validate:
-      message: "Container require read-only rootfilesystem"
+      message: "Root filesystem must be read-only"
      pattern:
        spec:
          containers:
--- a/test/scenarios/samples/best_practices/require_ro_rootfs.yaml
+++ b/test/scenarios/samples/best_practices/require_ro_rootfs.yaml
@ -0,0 +1,17 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/require_ro_rootfs.yaml
+  resource: test/resources/require_readonly_rootfilesystem.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: require-ro-rootfs
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: "ghost-with-readonly-rootfilesystem"
+      rules:
+        - name: validate-readOnlyRootFilesystem
+          type: Validation
+          success: false
--- a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
@ -1,18 +0,0 @@
-# file path relative to project root
-input:
-  policy: samples/best_practices/require_readonly_rootfilesystem.yaml
-  resource: test/resources/require_readonly_rootfilesystem.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-readonly-rootfilesystem
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: "ghost-with-readonly-rootfilesystem"
-      rules:
-        - name: validate-readonly-rootfilesystem
-          type: Validation
-          message: "Validation error: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/'."
-          success: false