From 583542aded4332f75919d07a29827bb849e0cf14 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 16 Jun 2025 14:23:24 +0000 Subject: [PATCH] chore: test basic validation rule feature --- .../charts/policies/templates/aws/iam-pod-identity.yaml | 3 ++- .../policies/templates/disallow-cri-sock-mount.yaml | 2 +- docs/kube-bench.yaml | 8 -------- 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/charts/kubezero-policy/charts/policies/templates/aws/iam-pod-identity.yaml b/charts/kubezero-policy/charts/policies/templates/aws/iam-pod-identity.yaml index 3119fc5d..93f5294b 100644 --- a/charts/kubezero-policy/charts/policies/templates/aws/iam-pod-identity.yaml +++ b/charts/kubezero-policy/charts/policies/templates/aws/iam-pod-identity.yaml @@ -2,7 +2,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: add-aws-iam-oidc-mapping + name: add-aws-iam-pod-identity annotations: policies.kyverno.io/title: AWS Pod Identity policies.kyverno.io/category: aws @@ -10,6 +10,7 @@ metadata: kyverno.io/kubernetes-version: "1.31" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- + This provides the EKS Pod Identity Webhook functionality for KubeZero. Pods having a service account annotated with \"kubezero.com/aws-iam-role-arn\" will get the required environment variables as well as volumes injected to make the SDKs automatically find and use the IAM role. diff --git a/charts/kubezero-policy/charts/policies/templates/disallow-cri-sock-mount.yaml b/charts/kubezero-policy/charts/policies/templates/disallow-cri-sock-mount.yaml index ce525981..c3360a9b 100644 --- a/charts/kubezero-policy/charts/policies/templates/disallow-cri-sock-mount.yaml +++ b/charts/kubezero-policy/charts/policies/templates/disallow-cri-sock-mount.yaml 
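Review bot: The new description sentence is fine, but the folded scalar it is added to still carries `\"kubezero.com/aws-iam-role-arn\"` with backslash escapes; inside a YAML block scalar (`>-`) backslashes are literal and Helm leaves them untouched outside `{{ }}`, so the rendered annotation will contain the backslashes verbatim. Since this hunk already edits the description, drop the escapes while here: `Pods having a service account annotated with "kubezero.com/aws-iam-role-arn"` (plain double quotes are legal in a block scalar). Purely cosmetic for an annotation, but it is what users read when the policy fires.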
@@ -18,7 +18,6 @@ metadata: to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts. spec: - validationFailureAction: Audit background: true rules: - name: validate-socket-mounts @@ -31,6 +30,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Enforce cel: variables: - name: hasVolumes diff --git a/docs/kube-bench.yaml b/docs/kube-bench.yaml index e48fc11f..c19e0134 100644 --- a/docs/kube-bench.yaml +++ b/docs/kube-bench.yaml @@ -1,10 +1,3 @@ -#apiVersion: v1 -#kind: ServiceAccount -#metadata: -# name: kube-bench -# annotations: -# kubezero.com/aws-iam-role-arn: arn:aws:iam::123456789012:role/kube-bench -#--- apiVersion: batch/v1 kind: Job metadata: @@ -15,7 +8,6 @@ spec: labels: app: kube-bench spec: -# serviceAccountName: kube-bench containers: - command: ["kube-bench"] #args:
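Review bot: Moving from `validationFailureAction: Audit` to rule-level `failureAction: Enforce` in one step turns this policy into a blocking admission rule for both operations listed in the match block (`CREATE` and `UPDATE`), so any workload that still bind-mounts a CRI socket will be rejected on its next rollout or update as soon as this chart version is deployed; given the commit is labelled a test, confirm the audit PolicyReports were reviewed and that namespaces or components that legitimately need the socket are excluded, or expose the action as a chart value defaulting to `Audit` so clusters opt in. Rule-level `validate.failureAction` is, as far as I recall, only understood by Kyverno 1.13 and later — on an older Kyverno the field is unknown and the policy would fail schema validation, so make sure the chart pins that minimum (the file's `kyverno.io/kyverno-version` annotation is outside this hunk). The `cel:` rule body continues past the hunk's last line, so I could not check whether a `message` is set for the Enforce denial.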