From fae8ac0325e588fabb0e3eab41fab9147485583c Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Sat, 9 Nov 2019 16:18:33 -0800
Subject: [PATCH] update RequireReadOnlyRootFS

---
 pkg/testrunner/testrunner_test.go | 4 ++--
 samples/README.md | 2 +-
 ...eReadOnlyFS.md => RequireReadOnlyRootFS.md} | 14 ++++++++++----
 ...tfilesystem.yaml => require_ro_rootfs.yaml} | 6 +++---
 .../best_practices/require_ro_rootfs.yaml | 17 +++++++++++++++++
 ...lidate_require_readonly_rootfilesystem.yaml | 18 ------------------
 6 files changed, 33 insertions(+), 28 deletions(-)
 rename samples/{RequireReadOnlyFS.md => RequireReadOnlyRootFS.md} (52%)
 rename samples/best_practices/{require_readonly_rootfilesystem.yaml => require_ro_rootfs.yaml} (82%)
 create mode 100644 test/scenarios/samples/best_practices/require_ro_rootfs.yaml
 delete mode 100644 test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml

diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 219339427f..cb17226124 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -52,8 +52,8 @@ func Test_validate_hostPID_hostIPC(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml")
 }
 
-func Test_validate_not_readonly_rootfilesystem(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml")
+func Test_validate_ro_rootfs(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/require_ro_rootfs.yaml")
 }
 
 func Test_validate_require_namespace_quota(t *testing.T) {
diff --git a/samples/README.md b/samples/README.md
index 4196d94c49..6adc53e290 100644
--- a/samples/README.md
+++ b/samples/README.md
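Review bot: The scenario path on the added `testScenario` line drops the `scenario_validate_` prefix that the sibling scenario on the context line above (`scenario_validate_disallow_hostpid_hostipc.yaml`) follows, and the new test name `Test_validate_ro_rootfs` likewise loses the `require` that the deleted test and the policy file name (`require_ro_rootfs.yaml`) both carry. If retiring the prefix convention is intended it should be done for the whole directory; otherwise keep it and use `testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_ro_rootfs.yaml")` with `func Test_validate_require_ro_rootfs(t *testing.T) {`, so the test, scenario and policy can be found from one another by name. The resource fixture the new scenario points at (`test/resources/require_readonly_rootfilesystem.yaml`, visible in the created scenario file further down) still has the pre-rename name, so the rename is only partial either way.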
@@ -39,7 +39,7 @@ These policies are highly recommended.
 1. [Disallow root user](DisallowRootUser.md)
 2. [Disallow privileged containers](DisallowPrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
-4. [Require read-only root filesystem](RequireReadOnlyFS.md)
+4. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
 5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
 6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
 7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
diff --git a/samples/RequireReadOnlyFS.md b/samples/RequireReadOnlyRootFS.md
similarity index 52%
rename from samples/RequireReadOnlyFS.md
rename to samples/RequireReadOnlyRootFS.md
index 6f83c2e09e..65b6dde72a 100644
--- a/samples/RequireReadOnlyFS.md
+++ b/samples/RequireReadOnlyRootFS.md
@@ -4,23 +4,29 @@ A read-only root file system helps to enforce an immutable
 
 ## Policy YAML
 
-[require_readonly_rootfilesystem.yaml](best_practices/require_readonly_rootfilesystem.yaml)
+[require_ro_rootfs.yaml](best_practices/require_ro_rootfs.yaml)
 
 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-readonly-rootfilesystem
+  name: require-ro-rootfs
+  annotations:
+    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/description: A read-only root file system helps to enforce an immutable
+      infrastructure strategy; the container only needs to write on the mounted volume that p
+      ersists the state. An immutable root filesystem can also prevent malicious binaries from
+      writing to the host system.
 spec:
   rules:
-  - name: validate-readonly-rootfilesystem
+  - name: validate-readOnlyRootFilesystem
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Container require read-only rootfilesystem"
+      message: "Root filesystem must be read-only"
       pattern:
         spec:
           containers:
diff --git a/samples/best_practices/require_readonly_rootfilesystem.yaml b/samples/best_practices/require_ro_rootfs.yaml
similarity index 82%
rename from samples/best_practices/require_readonly_rootfilesystem.yaml
rename to samples/best_practices/require_ro_rootfs.yaml
index 38bedb1db4..e5b2507943 100644
--- a/samples/best_practices/require_readonly_rootfilesystem.yaml
+++ b/samples/best_practices/require_ro_rootfs.yaml
@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-readonly-rootfilesystem
+  name: require-ro-rootfs
   annotations:
     policies.kyverno.io/category: Security Context
     policies.kyverno.io/description: A read-only root file system helps to enforce an immutable
@@ -10,13 +10,13 @@ metadata:
       writing to the host system.
 spec:
   rules:
-  - name: validate-readonly-rootfilesystem
+  - name: validate-readOnlyRootFilesystem
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "Container require read-only rootfilesystem"
+      message: "Root filesystem must be read-only"
       pattern:
         spec:
           containers:
diff --git a/test/scenarios/samples/best_practices/require_ro_rootfs.yaml b/test/scenarios/samples/best_practices/require_ro_rootfs.yaml
new file mode 100644
index 0000000000..0d2b898ebb
--- /dev/null
+++ b/test/scenarios/samples/best_practices/require_ro_rootfs.yaml
@@ -0,0 +1,17 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/require_ro_rootfs.yaml
+  resource: test/resources/require_readonly_rootfilesystem.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: require-ro-rootfs
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: "ghost-with-readonly-rootfilesystem"
+      rules:
+        - name: validate-readOnlyRootFilesystem
+          type: Validation
+          success: false
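Review bot: The `policies.kyverno.io/description` annotation whose first line closes the `@@ -1,7 +1,7 @@` hunk continues, on the two lines that fall between this hunk and the `@@ -10,13 +10,13 @@` one, with `... the mounted volume that p` / `ersists the state. ...` — the same six annotation lines are added verbatim in the RequireReadOnlyRootFS.md copy above, so the sample presumably carries the split too. A YAML plain multi-line scalar folds continuation lines with a single space, so the annotation that ends up on the ClusterPolicy reads "that p ersists the state". Re-wrap so no word is split, in both the sample and the markdown copy: `      infrastructure strategy; the container only needs to write on the mounted volume that` / `      persists the state. An immutable root filesystem can also prevent malicious binaries from`. As a smaller point of style, the rule rename to `validate-readOnlyRootFilesystem` in the second hunk mixes kebab and camel case in one identifier next to the kebab-case policy name `require-ro-rootfs`; a consistent `validate-readonly-rootfs` would read better, though it is cosmetic.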
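Review bot: The expected `policyresponse` in the new scenario asserts only `success: false` for rule `validate-readOnlyRootFilesystem` and omits the `message:` line that the deleted scenario (`scenario_validate_require_readonly_rootfilesystem.yaml`, below) carried, so the test no longer checks that the rule failed at `/spec/containers/0/securityContext/readOnlyRootFilesystem/` with the new message — a pattern typo that rejects the Pod for any other reason would still pass. Unless the runner treats a missing `message` as "do not compare" rather than "must be empty" (not visible in this patch), add the old line updated for the rename, e.g. `          message: "Validation error: Root filesystem must be read-only\nValidation rule 'validate-readOnlyRootFilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/'."` (constructed from the deleted line; confirm against what the engine actually emits). Separately, `resource: test/resources/require_readonly_rootfilesystem.yaml` still uses the pre-rename name, so that fixture should be renamed with the rest or the inconsistency noted.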
diff --git a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
deleted file mode 100644
index f6b9331a51..0000000000
--- a/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# file path relative to project root
-input:
-  policy: samples/best_practices/require_readonly_rootfilesystem.yaml
-  resource: test/resources/require_readonly_rootfilesystem.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-readonly-rootfilesystem
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: "ghost-with-readonly-rootfilesystem"
-      rules:
-        - name: validate-readonly-rootfilesystem
-          type: Validation
-          message: "Validation error: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/'."
-          success: false
\ No newline at end of file