renames result field

Shopify · Jul 11, 2022 · dd892ec · dd892ec
1 parent 5f2d8eb
commit dd892ec
Show file tree

Hide file tree

Showing 23 changed files with 71 additions and 64 deletions.
diff --git a/auditors/apparmor/apparmor.go b/auditors/apparmor/apparmor.go
@@ -65,7 +65,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if isAppArmorAnnotationMissing(containerAnnotation, annotations) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     AppArmorAnnotationMissing,
+			Rule:     AppArmorAnnotationMissing,
 			Severity: kubeaudit.Error,
 			Message:  fmt.Sprintf("AppArmor annotation missing. The annotation '%s' should be added.", containerAnnotation),
 			Metadata: kubeaudit.Metadata{
@@ -82,7 +82,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if isAppArmorDisabled(containerAnnotation, annotations) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     AppArmorDisabled,
+			Rule:     AppArmorDisabled,
 			Message:  fmt.Sprintf("AppArmor is disabled. The apparmor annotation should be set to '%s' or start with '%s'.", ProfileRuntimeDefault, ProfileNamePrefix),
 			Severity: kubeaudit.Error,
 			Metadata: kubeaudit.Metadata{
@@ -110,7 +110,7 @@ func auditPodAnnotations(resource k8s.Resource, containerNames []string) []*kube
 		if !contains(containerNames, containerName) {
 			auditResults = append(auditResults, &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     AppArmorInvalidAnnotation,
+				Rule:     AppArmorInvalidAnnotation,
 				Severity: kubeaudit.Error,
 				Message:  fmt.Sprintf("AppArmor annotation key refers to a container that doesn't exist. Remove the annotation '%s: %s'.", annotationKey, annotationValue),
 				Metadata: kubeaudit.Metadata{

diff --git a/auditors/asat/asat.go b/auditors/asat/asat.go
@@ -46,7 +46,7 @@ func auditResource(resource k8s.Resource, resources []k8s.Resource) *kubeaudit.A
 	if isDeprecatedServiceAccountName(podSpec) && !hasServiceAccountName(podSpec) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     AutomountServiceAccountTokenDeprecated,
+			Rule:     AutomountServiceAccountTokenDeprecated,
 			Severity: kubeaudit.Warn,
 			Message:  "serviceAccount is a deprecated alias for serviceAccountName. serviceAccountName should be used instead.",
 			PendingFix: &fixDeprecatedServiceAccountName{
@@ -62,7 +62,7 @@ func auditResource(resource k8s.Resource, resources []k8s.Resource) *kubeaudit.A
 	if usesDefaultServiceAccount(podSpec) && isAutomountTokenTrue(podSpec, defaultServiceAccount) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     AutomountServiceAccountTokenTrueAndDefaultSA,
+			Rule:     AutomountServiceAccountTokenTrueAndDefaultSA,
 			Severity: kubeaudit.Error,
 			Message:  "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.",
 			PendingFix: &fixDefaultServiceAccountWithAutomountToken{

diff --git a/auditors/capabilities/capabilities.go b/auditors/capabilities/capabilities.go
@@ -76,7 +76,7 @@ func auditContainer(container *k8s.ContainerV1, capability string, allowAddList
 			message := fmt.Sprintf("Capability \"%s\" added. It should be removed from the capability add list. If you need this capability, add an override label such as '%s: SomeReason'.", capability, override.GetContainerOverrideLabel(container.Name, getOverrideLabel(capability)))
 			auditResult := &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     CapabilityAdded,
+				Rule:     CapabilityAdded,
 				Severity: kubeaudit.Error,
 				Message:  message,
 				PendingFix: &fixCapabilityAdded{
@@ -105,7 +105,7 @@ func auditContainerForDropAll(container *k8s.ContainerV1) *kubeaudit.AuditResult
 		message := "Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL."
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     CapabilityOrSecurityContextMissing,
+			Rule:     CapabilityOrSecurityContextMissing,
 			Severity: kubeaudit.Error,
 			Message:  message,
 			PendingFix: &fixMissingSecurityContextOrCapability{
@@ -121,7 +121,7 @@ func auditContainerForDropAll(container *k8s.ContainerV1) *kubeaudit.AuditResult
 		message := "Capability Drop list should be set to ALL. Add the specific ones you need to the Add list and set an override label."
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     CapabilityShouldDropAll,
+			Rule:     CapabilityShouldDropAll,
 			Severity: kubeaudit.Error,
 			Message:  message,
 			PendingFix: &fixCapabilityNotDroppedAll{

diff --git a/auditors/deprecatedapis/depreceatedapis.go b/auditors/deprecatedapis/depreceatedapis.go
@@ -120,7 +120,7 @@ func (deprecatedAPIs *DeprecatedAPIs) Audit(resource k8s.Resource, _ []k8s.Resou
 				}
 				auditResult := &kubeaudit.AuditResult{
 					Auditor:  Name,
-					Name:     DeprecatedAPIUsed,
+					Rule:     DeprecatedAPIUsed,
 					Severity: severity,
 					Message:  deprecationMessage,
 					Metadata: metadata,

diff --git a/auditors/hostns/hostns.go b/auditors/hostns/hostns.go
@@ -63,7 +63,7 @@ func auditHostNetwork(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult {
 		}
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     NamespaceHostNetworkTrue,
+			Rule:     NamespaceHostNetworkTrue,
 			Severity: kubeaudit.Error,
 			Message:  "hostNetwork is set to 'true' in PodSpec. It should be set to 'false'.",
 			PendingFix: &fixHostNetworkTrue{
@@ -84,7 +84,7 @@ func auditHostIPC(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult {
 		}
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     NamespaceHostIPCTrue,
+			Rule:     NamespaceHostIPCTrue,
 			Severity: kubeaudit.Error,
 			Message:  "hostIPC is set to 'true' in PodSpec. It should be set to 'false'.",
 			PendingFix: &fixHostIPCTrue{
@@ -105,7 +105,7 @@ func auditHostPID(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult {
 		}
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     NamespaceHostPIDTrue,
+			Rule:     NamespaceHostPIDTrue,
 			Severity: kubeaudit.Error,
 			Message:  "hostPID is set to 'true' in PodSpec. It should be set to 'false'.",
 			PendingFix: &fixHostPIDTrue{

diff --git a/auditors/image/image.go b/auditors/image/image.go
@@ -51,7 +51,7 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe
 	if isImageTagMissing(containerTag) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     ImageTagMissing,
+			Rule:     ImageTagMissing,
 			Severity: kubeaudit.Warn,
 			Message:  "Image tag is missing.",
 			Metadata: kubeaudit.Metadata{
@@ -63,7 +63,7 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe
 	if isImageTagIncorrect(name, tag, containerName, containerTag) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     ImageTagIncorrect,
+			Rule:     ImageTagIncorrect,
 			Severity: kubeaudit.Error,
 			Message:  fmt.Sprintf("Container tag is incorrect. It should be set to '%s'.", tag),
 			Metadata: kubeaudit.Metadata{
@@ -75,7 +75,7 @@ func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditRe
 	if isImageCorrect(name, tag, containerName, containerTag) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     ImageCorrect,
+			Rule:     ImageCorrect,
 			Severity: kubeaudit.Info,
 			Message:  "Image tag is correct",
 			Metadata: kubeaudit.Metadata{

diff --git a/auditors/limits/limits.go b/auditors/limits/limits.go
@@ -66,7 +66,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 	if isLimitsNil(container) {
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     LimitsNotSet,
+			Rule:     LimitsNotSet,
 			Severity: kubeaudit.Warn,
 			Message:  "Resource limits not set.",
 			Metadata: kubeaudit.Metadata{
@@ -83,7 +83,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 	if isCPULimitUnset(container) {
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     LimitsCPUNotSet,
+			Rule:     LimitsCPUNotSet,
 			Severity: kubeaudit.Warn,
 			Message:  "Resource CPU limit not set.",
 			Metadata: kubeaudit.Metadata{
@@ -95,7 +95,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 		maxCPU := limits.maxCPU.String()
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     LimitsCPUExceeded,
+			Rule:     LimitsCPUExceeded,
 			Severity: kubeaudit.Warn,
 			Message:  fmt.Sprintf("CPU limit exceeded. It is set to '%s' which exceeds the max CPU limit of '%s'.", cpu, maxCPU),
 			Metadata: kubeaudit.Metadata{
@@ -110,7 +110,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 	if isMemoryLimitUnset(container) {
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     LimitsMemoryNotSet,
+			Rule:     LimitsMemoryNotSet,
 			Severity: kubeaudit.Warn,
 			Message:  "Resource Memory limit not set.",
 			Metadata: kubeaudit.Metadata{
@@ -122,7 +122,7 @@ func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults [
 		maxMemory := limits.maxMemory.String()
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     LimitsMemoryExceeded,
+			Rule:     LimitsMemoryExceeded,
 			Severity: kubeaudit.Warn,
 			Message:  fmt.Sprintf("Memory limit exceeded. It is set to '%s' which exceeds the max Memory limit of '%s'.", memory, maxMemory),
 			Metadata: kubeaudit.Metadata{

diff --git a/auditors/mounts/mounts.go b/auditors/mounts/mounts.go
@@ -101,7 +101,7 @@ func auditContainer(container *k8s.ContainerV1, sensitiveVolumes map[string]v1.V
 		if volume, ok := sensitiveVolumes[mount.Name]; ok {
 			auditResults = append(auditResults, &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     SensitivePathsMounted,
+				Rule:     SensitivePathsMounted,
 				Severity: kubeaudit.Error,
 				Message:  fmt.Sprintf("Sensitive path mounted as volume: %s (hostPath: %s). It should be removed from the container's mounts list.", mount.Name, volume.HostPath.Path),
 				Metadata: kubeaudit.Metadata{

diff --git a/auditors/netpols/netpols.go b/auditors/netpols/netpols.go
@@ -73,7 +73,7 @@ func auditNetworkPolicy(networkPolicy *k8s.NetworkPolicyV1) []*kubeaudit.AuditRe
 	if allIngressTrafficAllowed(networkPolicy) {
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     AllowAllIngressNetworkPolicyExists,
+			Rule:     AllowAllIngressNetworkPolicyExists,
 			Severity: kubeaudit.Warn,
 			Message:  "Found allow all ingress traffic NetworkPolicy.",
 			Metadata: kubeaudit.Metadata{
@@ -86,7 +86,7 @@ func auditNetworkPolicy(networkPolicy *k8s.NetworkPolicyV1) []*kubeaudit.AuditRe
 	if allEgressTrafficAllowed(networkPolicy) {
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     AllowAllEgressNetworkPolicyExists,
+			Rule:     AllowAllEgressNetworkPolicyExists,
 			Severity: kubeaudit.Warn,
 			Message:  "Found allow all egress traffic NetworkPolicy.",
 			Metadata: kubeaudit.Metadata{
@@ -111,7 +111,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 		if !hasDefaultDenyIngress {
 			auditResult := &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     MissingDefaultDenyIngressNetworkPolicy,
+				Rule:     MissingDefaultDenyIngressNetworkPolicy,
 				Severity: kubeaudit.Error,
 				Message:  fmt.Sprintf("All ingress traffic should be blocked by default for namespace %s.", namespace),
 				Metadata: kubeaudit.Metadata{
@@ -129,7 +129,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 		if !hasDefaultDenyEgress {
 			auditResult := &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     MissingDefaultDenyEgressNetworkPolicy,
+				Rule:     MissingDefaultDenyEgressNetworkPolicy,
 				Severity: kubeaudit.Error,
 				Message:  fmt.Sprintf("All egress traffic should be blocked by default for namespace %s.", namespace),
 				Metadata: kubeaudit.Metadata{
@@ -154,7 +154,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 	if !hasIngressOverride && !hasEgressOverride {
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     MissingDefaultDenyIngressAndEgressNetworkPolicy,
+			Rule:     MissingDefaultDenyIngressAndEgressNetworkPolicy,
 			Severity: kubeaudit.Error,
 			Message:  "Namespace is missing a default deny ingress and egress NetworkPolicy.",
 			Metadata: kubeaudit.Metadata{
@@ -171,7 +171,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 	if hasIngressOverride && hasEgressOverride {
 		auditResult := &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy),
+			Rule:     override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy),
 			Severity: kubeaudit.Warn,
 			Message:  "Namespace is missing a default deny ingress and egress NetworkPolicy.",
 			Metadata: kubeaudit.Metadata{
@@ -186,7 +186,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 	// fixed and the other is overridden
 	auditResult := &kubeaudit.AuditResult{
 		Auditor:  Name,
-		Name:     MissingDefaultDenyIngressNetworkPolicy,
+		Rule:     MissingDefaultDenyIngressNetworkPolicy,
 		Severity: kubeaudit.Error,
 		Message:  "Namespace is missing a default deny ingress NetworkPolicy.",
 		Metadata: kubeaudit.Metadata{
@@ -202,7 +202,7 @@ func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resou
 
 	auditResult = &kubeaudit.AuditResult{
 		Auditor:  Name,
-		Name:     MissingDefaultDenyEgressNetworkPolicy,
+		Rule:     MissingDefaultDenyEgressNetworkPolicy,
 		Severity: kubeaudit.Error,
 		Message:  "Namespace is missing a default deny egress NetworkPolicy.",
 		Metadata: kubeaudit.Metadata{

diff --git a/auditors/nonroot/nonroot.go b/auditors/nonroot/nonroot.go
@@ -57,7 +57,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 		if *container.SecurityContext.RunAsUser == 0 {
 			return &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     RunAsUserCSCRoot,
+				Rule:     RunAsUserCSCRoot,
 				Severity: kubeaudit.Error,
 				Message:  "runAsUser is set to UID 0 (root user) in the container SecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.",
 				PendingFix: &fixRunAsNonRoot{
@@ -73,7 +73,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 			if *podSpec.SecurityContext.RunAsUser == 0 {
 				return &kubeaudit.AuditResult{
 					Auditor:  Name,
-					Name:     RunAsUserPSCRoot,
+					Rule:     RunAsUserPSCRoot,
 					Severity: kubeaudit.Warn,
 					Message:  "runAsUser is set to UID 0 (root user) in the PodSecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.",
 					Metadata: kubeaudit.Metadata{
@@ -90,7 +90,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 		if *podSpec.SecurityContext.RunAsUser == 0 {
 			return &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     RunAsUserPSCRoot,
+				Rule:     RunAsUserPSCRoot,
 				Severity: kubeaudit.Error,
 				Message:  "runAsUser is set to UID 0 (root user) in the PodSecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.",
 				PendingFix: &fixRunAsNonRoot{
@@ -108,7 +108,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if isContainerRunAsNonRootCSCFalse(container) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     RunAsNonRootCSCFalse,
+			Rule:     RunAsNonRootCSCFalse,
 			Severity: kubeaudit.Error,
 			Message:  "runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.",
 			PendingFix: &fixRunAsNonRoot{
@@ -124,7 +124,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 		if isPodRunAsNonRootNil(podSpec) {
 			return &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     RunAsNonRootPSCNilCSCNil,
+				Rule:     RunAsNonRootPSCNilCSCNil,
 				Severity: kubeaudit.Error,
 				Message:  "runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.",
 				PendingFix: &fixRunAsNonRoot{
@@ -139,7 +139,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 		if isPodRunAsNonRootFalse(podSpec) {
 			return &kubeaudit.AuditResult{
 				Auditor:  Name,
-				Name:     RunAsNonRootPSCFalseCSCNil,
+				Rule:     RunAsNonRootPSCFalseCSCNil,
 				Severity: kubeaudit.Error,
 				Message:  "runAsNonRoot is set to false in the PodSecurityContext. Either set it to true or set runAsUser to a value > 0.",
 				PendingFix: &fixRunAsNonRoot{

diff --git a/auditors/privesc/privesc.go b/auditors/privesc/privesc.go
@@ -45,7 +45,7 @@ func auditContainer(container *k8s.ContainerV1) *kubeaudit.AuditResult {
 	if isAllowPrivilegeEscalationNil(container) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     AllowPrivilegeEscalationNil,
+			Rule:     AllowPrivilegeEscalationNil,
 			Severity: kubeaudit.Error,
 			Message:  "allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.",
 			PendingFix: &fixBySettingAllowPrivilegeEscalationFalse{
@@ -60,7 +60,7 @@ func auditContainer(container *k8s.ContainerV1) *kubeaudit.AuditResult {
 	if isAllowPrivilegeEscalationTrue(container) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     AllowPrivilegeEscalationTrue,
+			Rule:     AllowPrivilegeEscalationTrue,
 			Severity: kubeaudit.Error,
 			Message:  "allowPrivilegeEscalation set to 'true'. It should be set to 'false'.",
 			PendingFix: &fixBySettingAllowPrivilegeEscalationFalse{

diff --git a/auditors/privileged/privileged.go b/auditors/privileged/privileged.go
@@ -44,7 +44,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if isPrivilegedNil(container) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     PrivilegedNil,
+			Rule:     PrivilegedNil,
 			Severity: kubeaudit.Warn,
 			Message:  "privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.",
 			PendingFix: &fixPrivileged{
@@ -59,7 +59,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if isPrivilegedTrue(container) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     PrivilegedTrue,
+			Rule:     PrivilegedTrue,
 			Severity: kubeaudit.Error,
 			Message:  "privileged is set to 'true' in container SecurityContext. It should be set to 'false'.",
 			PendingFix: &fixPrivileged{

diff --git a/auditors/rootfs/rootfs.go b/auditors/rootfs/rootfs.go
@@ -44,7 +44,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if isReadOnlyRootFilesystemNil(container) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     ReadOnlyRootFilesystemNil,
+			Rule:     ReadOnlyRootFilesystemNil,
 			Severity: kubeaudit.Error,
 			Message:  "readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.",
 			PendingFix: &fixReadOnlyRootFilesystem{
@@ -59,7 +59,7 @@ func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudi
 	if isReadOnlyRootFilesystemFalse(container) {
 		return &kubeaudit.AuditResult{
 			Auditor:  Name,
-			Name:     ReadOnlyRootFilesystemFalse,
+			Rule:     ReadOnlyRootFilesystemFalse,
 			Severity: kubeaudit.Error,
 			Message:  "readOnlyRootFilesystem is set to 'false' in container SecurityContext. It should be set to 'true'.",
 			PendingFix: &fixReadOnlyRootFilesystem{