genevive's feedback: clean up annotations

README.md

@@ -294,13 +294,13 @@ The `key` is a combination of the override type (container or pod) and an `overr
 1. **Container overrides**, which override the auditor for that specific container, are formatted as follows:
 
 ```yaml
-container.audit.kubeaudit.io/[container name].[override identifier]
+container.kubeaudit.io/[container name].[override identifier]
 ```
 
 2. **Pod overrides**, which override the auditor for all containers within the pod, are formatted as follows:
 
 ```yaml
-audit.kubeaudit.io/pod.[override identifier]
+kubeaudit.io/[override identifier]
 ```
 
 If the `value` is set to a non-empty string, it will be displayed in the `info` result as the `OverrideReason`:

auditors/apparmor/fixtures/apparmor-disabled-overriden-multiple.yml

@@ -6,7 +6,7 @@ metadata:
   annotations:
     container.apparmor.security.beta.kubernetes.io/container2: unconfined
   labels:
-    container.audit.kubeaudit.io/container2.allow-disabled-apparmor: "SomeReason"
+    container.kubeaudit.io/container2.allow-disabled-apparmor: "SomeReason"
 spec:
   containers:
     - name: container

auditors/apparmor/fixtures/apparmor-disabled-overriden.yml

@@ -8,7 +8,7 @@ metadata:
   annotations:
     container.apparmor.security.beta.kubernetes.io/container: unconfined
   labels:
-    container.audit.kubeaudit.io/container.allow-disabled-apparmor: "SomeReason"
+    container.kubeaudit.io/container.allow-disabled-apparmor: "SomeReason"
 spec:
   containers:
     - name: container

auditors/asat/fixtures/service-account-token-redundant-override.yml

@@ -8,7 +8,7 @@ spec:
     metadata:
       labels:
         name: replicationcontroller
-        audit.kubeaudit.io/pod.allow-automount-service-account-token: "SomeReason"
+        kubeaudit.io/allow-automount-service-account-token: "SomeReason"
     spec:
       automountServiceAccountToken: false
       containers:

auditors/asat/fixtures/service-account-token-true-allowed.yml

@@ -8,7 +8,7 @@ spec:
     metadata:
       labels:
         name: replicationcontroller
-        audit.kubeaudit.io/pod.allow-automount-service-account-token: "SomeReason"
+        kubeaudit.io/allow-automount-service-account-token: "SomeReason"
     spec:
       automountServiceAccountToken: true
       containers:

auditors/capabilities/fix_test.go

@@ -71,7 +71,7 @@ func TestFixCapabilities(t *testing.T) {
 		},
 		{
 			testName:     "Pod override",
-			overrides:    []string{override.GetPodOverrideLabel(getOverrideLabel("orange"))},
+			overrides:    []string{override.GetOverrideLabel(getOverrideLabel("orange"))},
 			add:          []string{"orange"},
 			expectedAdd:  []string{"orange"},
 			drop:         []string{},

auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-all-labels.yml

@@ -11,10 +11,10 @@ spec:
     metadata:
       labels:
         name: deployment
-        container.audit.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
-        container.audit.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
-        container.audit.kubeaudit.io/container2.allow-capability-chown: "SomeReason"
-        container.audit.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
+        container.kubeaudit.io/container2.allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason"
     spec:
       containers:
         - name: container1

auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-labels.yml

@@ -11,10 +11,10 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubeaudit.io/pod.allow-capability-chown: "SomeReason"
-        container.audit.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
-        container.audit.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
-        container.audit.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason"
+        kubeaudit.io/allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
+        container.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason"
     spec:
       containers:
         - name: container1

auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-some-labels.yml

@@ -11,8 +11,8 @@ spec:
     metadata:
       labels:
         name: deployment
-        container.audit.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
-        container.audit.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-chown: "SomeReason"
+        container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason"
     spec:
       containers:
         - name: container1

auditors/capabilities/fixtures/capabilities-some-allowed.yml

@@ -11,8 +11,8 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubeaudit.io/pod.allow-capability-chown: "SomeReason"
-        audit.kubeaudit.io/pod.allow-capability-sys-time: "SomeReason"
+        kubeaudit.io/allow-capability-chown: "SomeReason"
+        kubeaudit.io/allow-capability-sys-time: "SomeReason"
     spec:
       containers:
         - name: container

auditors/hostns/fixtures/host-ipc-true-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   namespace: host-ipc-true-allowed
   labels:
-    audit.kubeaudit.io/pod.allow-namespace-host-IPC: "SomeReason"
+    kubeaudit.io/allow-namespace-host-IPC: "SomeReason"
 spec:
   hostIPC: true
   containers:

auditors/hostns/fixtures/host-network-true-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   namespace: host-network-true-allowed
   labels:
-    audit.kubeaudit.io/pod.allow-namespace-host-network: "SomeReason"
+    kubeaudit.io/allow-namespace-host-network: "SomeReason"
 spec:
   hostNetwork: true
   containers:

auditors/hostns/fixtures/host-pid-true-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   namespace: host-pid-true-allowed
   labels:
-    audit.kubeaudit.io/pod.allow-namespace-host-PID: "SomeReason"
+    kubeaudit.io/allow-namespace-host-PID: "SomeReason"
 spec:
   hostPID: true
   containers:

auditors/hostns/fixtures/namespaces-all-true-allowed.yml

@@ -4,9 +4,9 @@ metadata:
   name: pod
   namespace: namespaces-all-true-allowed
   labels:
-    audit.kubeaudit.io/pod.allow-namespace-host-network: "SomeReason"
-    audit.kubeaudit.io/pod.allow-namespace-host-IPC: "SomeReason"
-    audit.kubeaudit.io/pod.allow-namespace-host-PID: "SomeReason"
+    kubeaudit.io/allow-namespace-host-network: "SomeReason"
+    kubeaudit.io/allow-namespace-host-IPC: "SomeReason"
+    kubeaudit.io/allow-namespace-host-PID: "SomeReason"
 spec:
   hostPID: true
   hostIPC: true

auditors/hostns/fixtures/namespaces-redundant-override.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   namespace: namespaces-redundant-override
   labels:
-    audit.kubeaudit.io/pod.allow-namespace-host-network: "SomeReason"
+    kubeaudit.io/allow-namespace-host-network: "SomeReason"
 spec:
   hostNetwork: false
   containers:

auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-multi-labels.yml

@@ -4,8 +4,8 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
-    container.audit.kubeaudit.io/container2.allow-host-path-mount-proc-volume: "SomeReason"
+    container.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
+    container.kubeaudit.io/container2.allow-host-path-mount-proc-volume: "SomeReason"
   namespace: proc-mounted-allowed-multi-containers-multi-labels
 spec:
   containers:

auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-single-label.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
+    container.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason"
   namespace: proc-mounted-allowed-multi-containers-single-label
 spec:
   containers:

auditors/mounts/fixtures/proc-mounted-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    audit.kubeaudit.io/pod.allow-host-path-mount-proc-volume: "SomeReason"
+    kubeaudit.io/allow-host-path-mount-proc-volume: "SomeReason"
   namespace: proc-mounted-allowed
 spec:
   containers:

auditors/netpols/fixtures/namespace-missing-default-deny-egress-netpol-allowed.yml

@@ -3,7 +3,7 @@ kind: Namespace
 metadata:
   name: namespace-missing-default-deny-egress-netpol-allowed
   labels:
-    audit.kubeaudit.io/namespace.allow-non-default-deny-egress-network-policy: "SomeReason"
+    kubeaudit.io/allow-non-default-deny-egress-network-policy: "SomeReason"
 ---
 # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
 apiVersion: networking.k8s.io/v1

auditors/netpols/fixtures/namespace-missing-default-deny-ingress-netpol-allowed.yml

@@ -3,7 +3,7 @@ kind: Namespace
 metadata:
   name: namespace-missing-default-deny-ingress-netpol-allowed
   labels:
-    audit.kubeaudit.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason"
+    kubeaudit.io/allow-non-default-deny-ingress-network-policy: "SomeReason"
 ---
 # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
 apiVersion: networking.k8s.io/v1

auditors/netpols/fixtures/namespace-missing-default-deny-netpol-allowed.yml

@@ -3,8 +3,8 @@ kind: Namespace
 metadata:
   name: namespace-missing-default-deny-netpol-allowed
   labels:
-    audit.kubeaudit.io/namespace.allow-non-default-deny-egress-network-policy: "SomeReason"
-    audit.kubeaudit.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason"
+    kubeaudit.io/allow-non-default-deny-egress-network-policy: "SomeReason"
+    kubeaudit.io/allow-non-default-deny-ingress-network-policy: "SomeReason"
 ---
 # https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md
 kind: NetworkPolicy

auditors/nonroot/fixtures/run-as-non-root-false-allowed.yml

@@ -12,7 +12,7 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubeaudit.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+        kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
     spec:
       containers:
         - name: container

auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-multi-labels.yml

@@ -4,8 +4,8 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
-    container.audit.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-non-root-psc-false-allowed-multi-containers-multi-labels
 spec:
   securityContext:

auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-single-label.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-non-root-psc-false-allowed-multi-containers-single-label
 spec:
   securityContext:

auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    audit.kubeaudit.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-non-root-psc-false-allowed
 spec:
   securityContext:

auditors/nonroot/fixtures/run-as-non-root-redundant-override-container.yml

@@ -11,7 +11,7 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubeaudit.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+        kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
     spec:
       containers:
         - name: container

auditors/nonroot/fixtures/run-as-non-root-redundant-override-pod.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    audit.kubeaudit.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-non-root-redundant-override-pod
 spec:
   securityContext:

auditors/nonroot/fixtures/run-as-user-0-allowed.yml

@@ -12,7 +12,7 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubeaudit.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+        kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
     spec:
       containers:
         - name: container

auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-multi-labels.yml

@@ -4,8 +4,8 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
-    container.audit.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-user-psc-0-allowed-multi-containers-multi-labels
 spec:
   securityContext:

auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-single-label.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    container.audit.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-user-psc-0-allowed-multi-containers-single-label
 spec:
   securityContext:

auditors/nonroot/fixtures/run-as-user-psc-0-allowed.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    audit.kubeaudit.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-user-psc-0-allowed
 spec:
   securityContext:

auditors/nonroot/fixtures/run-as-user-redundant-override-container.yml

@@ -11,7 +11,7 @@ spec:
     metadata:
       labels:
         name: deployment
-        audit.kubeaudit.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+        kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
     spec:
       containers:
         - name: container

auditors/nonroot/fixtures/run-as-user-redundant-override-pod.yml

@@ -4,7 +4,7 @@ metadata:
   name: pod
   labels:
     name: pod
-    audit.kubeaudit.io/pod.allow-run-as-root: "SuperuserPrivilegesNeeded"
+    kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded"
   namespace: run-as-user-redundant-override-pod
 spec:
   securityContext:

auditors/privesc/fixtures/allow-privilege-escalation-redundant-override.yml

@@ -12,7 +12,7 @@ spec:
     metadata:
       labels:
         name: statefulset
-        audit.kubeaudit.io/pod.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
+        kubeaudit.io/allow-privilege-escalation: "SuperuserPrivilegesNeeded"
     spec:
       containers:
         - name: container

auditors/privesc/fixtures/allow-privilege-escalation-true-allowed.yml

@@ -12,7 +12,7 @@ spec:
     metadata:
       labels:
         name: statefulset
-        audit.kubeaudit.io/pod.allow-privilege-escalation: ""
+        kubeaudit.io/allow-privilege-escalation: ""
     spec:
       containers:
         - name: container

auditors/privesc/fixtures/allow-privilege-escalation-true-multi-allowed-multi-containers.yml

@@ -12,8 +12,8 @@ spec:
     metadata:
       labels:
         name: statefulset
-        container.audit.kubeaudit.io/container1.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
-        container.audit.kubeaudit.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
+        container.kubeaudit.io/container1.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
+        container.kubeaudit.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
     spec:
       containers:
         - name: container1

auditors/privesc/fixtures/allow-privilege-escalation-true-single-allowed-multi-containers.yml

@@ -12,7 +12,7 @@ spec:
     metadata:
       labels:
         name: statefulset
-        container.audit.kubeaudit.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
+        container.kubeaudit.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded"
     spec:
       containers:
         - name: container1

auditors/privileged/fixtures/privileged-redundant-override.yml

@@ -11,7 +11,7 @@ spec:
     metadata:
       labels:
         name: daemonset
-        audit.kubeaudit.io/pod.allow-privileged: "SomeReason"
+        kubeaudit.io/allow-privileged: "SomeReason"
     spec:
       containers:
         - name: container

auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml

@@ -12,8 +12,8 @@ spec:
     metadata:
       labels:
         name: daemonset
-        container.audit.kubeaudit.io/container1.allow-privileged: "SomeReason"
-        container.audit.kubeaudit.io/container2.allow-privileged: "SomeReason"
+        container.kubeaudit.io/container1.allow-privileged: "SomeReason"
+        container.kubeaudit.io/container2.allow-privileged: "SomeReason"
     spec:
       containers:
         - name: container1

auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml

@@ -12,7 +12,7 @@ spec:
     metadata:
       labels:
         name: daemonset
-        container.audit.kubeaudit.io/container2.allow-privileged: "SomeReason"
+        container.kubeaudit.io/container2.allow-privileged: "SomeReason"
     spec:
       containers:
         - name: container1