Merge pull request #78 from anusha94/add-summary-to-chart-pss

Update message field

charts/pod-security-baseline/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-baseline-policies
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.2.2
+version: 0.2.3
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/pod-security-baseline/pols/disallow-capabilities.yaml

@@ -25,9 +25,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
-          FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
-          are disallowed.
+          Adding capabilities beyond those listed in the policy rule is disallowed.
         deny:
           conditions:
             all:

charts/pod-security-baseline/pols/disallow-host-namespaces.yaml

@@ -27,8 +27,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
-          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
+          Sharing the host namespaces is disallowed.
         pattern:
           spec:
             =(hostPID): "false"

charts/pod-security-baseline/pols/disallow-host-path.yaml

@@ -26,7 +26,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
+          HostPath volumes are forbidden.
         pattern:
           spec:
             =(volumes):

charts/pod-security-baseline/pols/disallow-host-ports.yaml

@@ -26,9 +26,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
-          , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
-          must either be unset or set to `0`.
+          Use of host ports is disallowed.
         pattern:
           spec:
             =(ephemeralContainers):

charts/pod-security-baseline/pols/disallow-host-process.yaml

@@ -27,10 +27,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
-          spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
-          and spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined
-          or set to `false`.
+          HostProcess containers are disallowed.
         pattern:
           spec:
             =(ephemeralContainers):

charts/pod-security-baseline/pols/disallow-privileged-containers.yaml

@@ -25,8 +25,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
-          and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
+          Privileged mode is disallowed.
         pattern:
           spec:
             =(ephemeralContainers):

charts/pod-security-baseline/pols/disallow-proc-mount.yaml

@@ -27,10 +27,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Changing the proc mount from the default is not allowed. The fields
-          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
-          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
-          set to `Default`.
+          Changing the proc mount from the default is not allowed.
         pattern:
           spec:
             =(ephemeralContainers):

charts/pod-security-baseline/pols/disallow-selinux.yaml

@@ -25,10 +25,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Setting the SELinux type is restricted. The fields
-          spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
-          , spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
-          must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
+          Setting the SELinux type is restricted.
         pattern:
           spec:
             =(securityContext):

charts/pod-security-baseline/pols/restrict-apparmor-profiles.yaml

@@ -28,9 +28,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Specifying other AppArmor profiles is disallowed. The annotation
-          `container.apparmor.security.beta.kubernetes.io` if defined
-          must not be set to anything other than `runtime/default` or `localhost/*`.
+          Specifying other AppArmor profiles is disallowed.
         pattern:
           =(metadata):
             =(annotations):

charts/pod-security-baseline/pols/restrict-seccomp.yaml

@@ -26,12 +26,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Use of custom Seccomp profiles is disallowed. The fields
-          spec.securityContext.seccompProfile.type,
-          spec.containers[*].securityContext.seccompProfile.type,
-          spec.initContainers[*].securityContext.seccompProfile.type, and
-          spec.ephemeralContainers[*].securityContext.seccompProfile.type
-          must be unset or set to `RuntimeDefault` or `Localhost`.
+          Use of custom Seccomp profiles is disallowed.
         pattern:
           spec:
             =(securityContext):

charts/pod-security-baseline/pols/restrict-sysctls.yaml

@@ -30,10 +30,6 @@ spec:
       validate:
         message: >-
           Setting additional sysctls above the allowed type is disallowed.
-          The field spec.securityContext.sysctls must be unset or not use any other names
-          than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
-          net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
-          net.ipv4.ping_group_range.
         pattern:
           spec:
             =(securityContext):

charts/pod-security-restricted/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-restricted-policies
 description: Pod Security Standards (restricted) policy set
 type: application
-version: 0.2.2
+version: 0.2.3
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/pod-security-restricted/pols/disallow-privilege-escalation.yaml

@@ -25,11 +25,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Privilege escalation is disallowed. The fields
-          spec.containers[*].securityContext.allowPrivilegeEscalation,
-          spec.initContainers[*].securityContext.allowPrivilegeEscalation,
-          and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
-          must be set to `false`.
+          Privilege escalation is disallowed.
         pattern:
           spec:
             =(ephemeralContainers):

charts/pod-security-restricted/pols/require-run-as-non-root-user.yaml

@@ -25,10 +25,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Running as root is not allowed. The fields spec.securityContext.runAsUser,
-          spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
-          and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
-          set to a number greater than zero.
+          Running the container as root user is not allowed.
         pattern:
           spec:
             =(securityContext):

charts/pod-security-restricted/pols/require-run-as-nonroot.yaml

@@ -26,10 +26,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
-          must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
-          spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
-          must be set to `true`.
+          Running the container as root is not allowed.
         anyPattern:
           - spec:
               securityContext:

charts/pod-security-restricted/pols/restrict-seccomp-strict.yaml

@@ -28,12 +28,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Use of custom Seccomp profiles is disallowed. The fields
-          spec.securityContext.seccompProfile.type,
-          spec.containers[*].securityContext.seccompProfile.type,
-          spec.initContainers[*].securityContext.seccompProfile.type, and
-          spec.ephemeralContainers[*].securityContext.seccompProfile.type
-          must be set to `RuntimeDefault` or `Localhost`.
+          Use of custom Seccomp profiles is disallowed.
         anyPattern:
           - spec:
               securityContext:

charts/pod-security-restricted/pols/restrict-volume-types.yaml

@@ -27,8 +27,7 @@ spec:
                 - Pod
       validate:
         message: >-
-          Only the following types of volumes may be used: configMap, csi, downwardAPI,
-          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
+          Using volume types beyond those listed in the policy rule is disallowed.
         deny:
           conditions:
             all: