remove titlecase for compat with kyverno 1.8 (#64)

charts/best-practices-k8s/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubernetes-best-practice-policies
 description: Kubernetes Best Practice policy set
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/best-practices-k8s/pols/check_deprecated_apis.yaml

@@ -21,7 +21,7 @@ metadata:
       so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
       This policy requires Kyverno v1.7.4+ to function properly.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-v1-22-removals

charts/best-practices-k8s/pols/disallow_cri_sock_mount.yaml

@@ -14,7 +14,7 @@ metadata:
       outside of Kubernetes, and hence should not be allowed. This policy validates that
       the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-docker-sock-mount

charts/best-practices-k8s/pols/disallow_default_namespace.yaml

@@ -18,7 +18,7 @@ metadata:
       due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
       object and not at the Pod template level.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-namespace

charts/best-practices-k8s/pols/disallow_empty_ingress_host.yaml

@@ -12,7 +12,7 @@ metadata:
       in order to be valid. This policy ensures that there is a
       hostname for each rule defined.
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: enforce
   background: false
   rules:
     - name: disallow-empty-ingress-host

charts/best-practices-k8s/pols/disallow_latest_tag.yaml

@@ -13,7 +13,7 @@ metadata:
       a specific version of an application Pod. This policy validates that the image
       specifies a tag and that it is not called `latest`.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: require-image-tag

charts/best-practices-k8s/pols/require_drop_all.yaml

@@ -15,7 +15,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: require-drop-all

charts/best-practices-k8s/pols/require_drop_cap_net_raw.yaml

@@ -16,7 +16,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: require-drop-cap-net-raw

charts/best-practices-k8s/pols/require_labels.yaml

@@ -13,7 +13,7 @@ metadata:
       all tools can understand. The recommended labels describe applications in a way that can be
       queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: check-for-labels

charts/best-practices-k8s/pols/require_pod_requests_limits.yaml

@@ -16,7 +16,7 @@ metadata:
       This policy validates that all containers have something specified for memory and CPU
       requests and memory limits.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-resources

charts/best-practices-k8s/pols/require_probes.yaml

@@ -17,7 +17,7 @@ metadata:
       This policy validates that all containers have one of livenessProbe, readinessProbe,
       or startupProbe defined.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-probes

charts/best-practices-k8s/pols/require_ro_rootfs.yaml

@@ -15,7 +15,7 @@ metadata:
       host system. This policy validates that containers define a securityContext
       with `readOnlyRootFilesystem: true`.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-readOnlyRootFilesystem

charts/best-practices-k8s/pols/restrict-service-external-ips.yaml

@@ -13,7 +13,7 @@ metadata:
       See: https://github.com/kyverno/kyverno/issues/1367. This policy validates
       that the `externalIPs` field is not set on a Service.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: check-ips

charts/best-practices-k8s/pols/restrict_image_registries.yaml

@@ -15,7 +15,7 @@ metadata:
       policy validates that container images only originate from the registry `eu.foo.io` or
       `bar.io`. Use of this policy requires customization to define your allowable registries.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-registries

charts/best-practices-k8s/pols/restrict_node_port.yaml

@@ -14,7 +14,7 @@ metadata:
       with additional upstream security checks. This policy validates that any new Services
       do not use the `NodePort` type.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-nodeport

charts/best-practices-workload-security/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: workload-security-best-practice-policies
 description: Workload Security Best Practice policy set
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/best-practices-workload-security/pols/disallow_cri_sock_mount.yaml

@@ -14,7 +14,7 @@ metadata:
       outside of Kubernetes, and hence should not be allowed. This policy validates that
       the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-docker-sock-mount

charts/best-practices-workload-security/pols/disallow_default_namespace.yaml

@@ -18,7 +18,7 @@ metadata:
       due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
       object and not at the Pod template level.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-namespace

charts/best-practices-workload-security/pols/disallow_empty_ingress_host.yaml

@@ -12,7 +12,7 @@ metadata:
       in order to be valid. This policy ensures that there is a
       hostname for each rule defined.
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: enforce
   background: false
   rules:
     - name: disallow-empty-ingress-host

charts/best-practices-workload-security/pols/disallow_latest_tag.yaml

@@ -13,7 +13,7 @@ metadata:
       a specific version of an application Pod. This policy validates that the image
       specifies a tag and that it is not called `latest`.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: require-image-tag

charts/best-practices-workload-security/pols/require_drop_all.yaml

@@ -15,7 +15,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: require-drop-all

charts/best-practices-workload-security/pols/require_drop_cap_net_raw.yaml

@@ -16,7 +16,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: require-drop-cap-net-raw

charts/best-practices-workload-security/pols/require_labels.yaml

@@ -13,7 +13,7 @@ metadata:
       all tools can understand. The recommended labels describe applications in a way that can be
       queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: check-for-labels

charts/best-practices-workload-security/pols/require_pod_requests_limits.yaml

@@ -16,7 +16,7 @@ metadata:
       This policy validates that all containers have something specified for memory and CPU
       requests and memory limits.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-resources

charts/best-practices-workload-security/pols/require_probes.yaml

@@ -17,7 +17,7 @@ metadata:
       This policy validates that all containers have one of livenessProbe, readinessProbe,
       or startupProbe defined.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-probes

charts/best-practices-workload-security/pols/require_ro_rootfs.yaml

@@ -15,7 +15,7 @@ metadata:
       host system. This policy validates that containers define a securityContext
       with `readOnlyRootFilesystem: true`.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-readOnlyRootFilesystem

charts/best-practices-workload-security/pols/restrict-service-external-ips.yaml

@@ -13,7 +13,7 @@ metadata:
       See: https://github.com/kyverno/kyverno/issues/1367. This policy validates
       that the `externalIPs` field is not set on a Service.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: check-ips

charts/best-practices-workload-security/pols/restrict_image_registries.yaml

@@ -15,7 +15,7 @@ metadata:
       policy validates that container images only originate from the registry `eu.foo.io` or
       `bar.io`. Use of this policy requires customization to define your allowable registries.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-registries

charts/best-practices-workload-security/pols/restrict_node_port.yaml

@@ -14,7 +14,7 @@ metadata:
       with additional upstream security checks. This policy validates that any new Services
       do not use the `NodePort` type.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-nodeport

charts/multitenancy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: multitenancy-best-practice-policies
 description: Multitenancy Best Practices policy set
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/multitenancy/pols/allowed-podpriorities.yaml

@@ -15,7 +15,7 @@ metadata:
       PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not
       among them, the Pod is blocked.      
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
   - name: validate-pod-priority

charts/pod-security-baseline/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: pss-baseline-policies
 description: Pod Security Standards (baseline) policy set
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: 0.1.0
 keywords:
   - kubernetes

charts/pod-security-baseline/pols/disallow-capabilities.yaml

@@ -13,7 +13,7 @@ metadata:
     policies.kyverno.io/description: >-
       Adding capabilities beyond those listed in the policy must be disallowed.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: adding-capabilities

charts/pod-security-baseline/pols/disallow-host-namespaces.yaml

@@ -15,7 +15,7 @@ metadata:
       privileges. Pods should not be allowed access to host namespaces. This policy ensures
       fields which make use of these host namespaces are unset or set to `false`.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: host-namespaces

charts/pod-security-baseline/pols/disallow-host-path.yaml

@@ -14,7 +14,7 @@ metadata:
       Using host resources can be used to access shared data or escalate privileges
       and should not be allowed. This policy ensures no hostPath volumes are in use.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: host-path

charts/pod-security-baseline/pols/disallow-host-ports-range.yaml

@@ -15,7 +15,7 @@ metadata:
       allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
       field is set to one in the designated list. 
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: host-port-range

charts/pod-security-baseline/pols/disallow-host-ports.yaml

@@ -14,7 +14,7 @@ metadata:
       allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
       field is unset or set to `0`. 
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: host-ports-none

charts/pod-security-baseline/pols/disallow-host-process.yaml

@@ -15,7 +15,7 @@ metadata:
       policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
       the `hostProcess` field, if present, is set to `false`.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: host-process-containers

charts/pod-security-baseline/pols/disallow-privileged-containers.yaml

@@ -13,7 +13,7 @@ metadata:
       Privileged mode disables most security mechanisms and must not be allowed. This policy
       ensures Pods do not call for privileged mode.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: privileged-containers

charts/pod-security-baseline/pols/disallow-proc-mount.yaml

@@ -15,7 +15,7 @@ metadata:
       to deviate from the `Default` procMount requires setting a feature gate at the API
       server.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: check-proc-mount

charts/pod-security-baseline/pols/disallow-selinux.yaml

@@ -13,7 +13,7 @@ metadata:
       SELinux options can be used to escalate privileges and should not be allowed. This policy
       ensures that the `seLinuxOptions` field is undefined.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: selinux-type

charts/pod-security-baseline/pols/restrict-apparmor-profiles.yaml

@@ -16,7 +16,7 @@ metadata:
       overrides to an allowed set of profiles. This policy ensures Pods do not
       specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: app-armor

charts/pod-security-baseline/pols/restrict-seccomp.yaml

@@ -15,7 +15,7 @@ metadata:
       set to `RuntimeDefault` or `Localhost`.
 spec:
   background: true
-  validationFailureAction: Audit
+  validationFailureAction: audit
   rules:
     - name: check-seccomp
       match:

charts/pod-security-baseline/pols/restrict-sysctls.yaml

@@ -17,7 +17,7 @@ metadata:
       This policy ensures that only those "safe" subsets can be specified in
       a Pod.
 spec:
-  validationFailureAction: Audit
+  validationFailureAction: audit
   background: true
   rules:
     - name: check-sysctls