chore: test basic validation rule feature

charts/kubezero-policy/charts/policies/templates/aws/iam-pod-identity.yaml

@@ -2,7 +2,7 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: add-aws-iam-oidc-mapping
+  name: add-aws-iam-pod-identity
   annotations:
     policies.kyverno.io/title: AWS Pod Identity
     policies.kyverno.io/category: aws
@@ -10,6 +10,7 @@ metadata:
     kyverno.io/kubernetes-version: "1.31"
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
+      This provides the EKS Pod Identity Webhook functionality for KubeZero.
       Pods having a service account annotated with \"kubezero.com/aws-iam-role-arn\"
       will get the required environment variables as well as volumes injected
       to make the SDKs automatically find and use the IAM role.

charts/kubezero-policy/charts/policies/templates/disallow-cri-sock-mount.yaml

@@ -18,7 +18,6 @@ metadata:
       to or replacement of this policy, preventing users from mounting the parent directories
       (/var/run and /var) may be necessary to completely prevent socket bind mounts.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-socket-mounts
@@ -31,6 +30,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Enforce
       cel:
         variables:
           - name: hasVolumes

docs/kube-bench.yaml

@@ -1,10 +1,3 @@
-#apiVersion: v1
-#kind: ServiceAccount
-#metadata:
-#  name: kube-bench
-#  annotations:
-#    kubezero.com/aws-iam-role-arn: arn:aws:iam::123456789012:role/kube-bench
-#---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -15,7 +8,6 @@ spec:
       labels:
         app: kube-bench
     spec:
-#     serviceAccountName: kube-bench
       containers:
         - command: ["kube-bench"]
           #args: