From bcff5f10bce4d29a4e0847ef683d6978999805a1 Mon Sep 17 00:00:00 2001 From: Bobby Brennan Date: Wed, 10 Apr 2019 21:00:24 +0000 Subject: [PATCH] pull out messages into separate file, some rephrasing phrasing fix tests --- pkg/validator/container.go | 102 ++++++++++++++++------------- pkg/validator/container_test.go | 90 ++++++++++--------------- pkg/validator/messages/messages.go | 82 +++++++++++++++++++++++ pkg/validator/pod.go | 17 ++--- 4 files changed, 185 insertions(+), 106 deletions(-) create mode 100644 pkg/validator/messages/messages.go diff --git a/pkg/validator/container.go b/pkg/validator/container.go index d82a17bc..c31351ec 100644 --- a/pkg/validator/container.go +++ b/pkg/validator/container.go @@ -19,6 +19,7 @@ import ( "strings" conf "github.com/reactiveops/fairwinds/pkg/config" + "github.com/reactiveops/fairwinds/pkg/validator/messages" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" ) @@ -63,27 +64,27 @@ func (cv *ContainerValidation) validateResources(resConf *conf.Resources) { res := cv.Container.Resources if resConf.CPURequestsMissing.IsActionable() && res.Requests.Cpu().MilliValue() == 0 { - cv.addFailure("CPU Requests are not set", resConf.CPURequestsMissing) + cv.addFailure(messages.CPURequestsMissing, resConf.CPURequestsMissing) } else { - cv.validateResourceRange("CPU Requests", &resConf.CPURequestRanges, res.Requests.Cpu()) + cv.validateResourceRange(messages.CPURequestsLabel, &resConf.CPURequestRanges, res.Requests.Cpu()) } if resConf.CPULimitsMissing.IsActionable() && res.Limits.Cpu().MilliValue() == 0 { - cv.addFailure("CPU Limits are not set", resConf.CPULimitsMissing) + cv.addFailure(messages.CPULimitsMissing, resConf.CPULimitsMissing) } else { - cv.validateResourceRange("CPU Limits", &resConf.CPULimitRanges, res.Requests.Cpu()) + cv.validateResourceRange(messages.CPULimitsLabel, &resConf.CPULimitRanges, res.Requests.Cpu()) } if resConf.MemoryRequestsMissing.IsActionable() && res.Requests.Memory().MilliValue() == 0 { - cv.addFailure("Memory Requests are not set", resConf.MemoryRequestsMissing) + cv.addFailure(messages.MemoryRequestsMissing, resConf.MemoryRequestsMissing) } else { - cv.validateResourceRange("Memory Requests", &resConf.MemoryRequestRanges, res.Requests.Memory()) + cv.validateResourceRange(messages.MemoryRequestsLabel, &resConf.MemoryRequestRanges, res.Requests.Memory()) } if resConf.MemoryLimitsMissing.IsActionable() && res.Limits.Memory().MilliValue() == 0 { - cv.addFailure("Memory Limits are not set", resConf.MemoryLimitsMissing) + cv.addFailure(messages.MemoryLimitsMissing, resConf.MemoryLimitsMissing) } else { - cv.validateResourceRange("Memory Limits", &resConf.MemoryLimitRanges, res.Limits.Memory()) + cv.validateResourceRange(messages.MemoryLimitsLabel, &resConf.MemoryLimitRanges, res.Limits.Memory()) } } @@ -94,32 +95,32 @@ func (cv *ContainerValidation) validateResourceRange(resourceName string, rangeC errorBelow := rangeConf.Error.Below if errorAbove != nil && errorAbove.MilliValue() < res.MilliValue() { - cv.addError(fmt.Sprintf("%s are too high", resourceName)) + cv.addError(fmt.Sprintf(messages.ResourceAmountTooHigh, resourceName, errorAbove.String())) } else if warnAbove != nil && warnAbove.MilliValue() < res.MilliValue() { - cv.addWarning(fmt.Sprintf("%s are too high", resourceName)) + cv.addWarning(fmt.Sprintf(messages.ResourceAmountTooHigh, resourceName, warnAbove.String())) } else if errorBelow != nil && errorBelow.MilliValue() > res.MilliValue() { - cv.addError(fmt.Sprintf("%s are too low", resourceName)) + cv.addError(fmt.Sprintf(messages.ResourceAmountTooLow, resourceName, errorBelow.String())) } else if warnBelow != nil && warnBelow.MilliValue() > res.MilliValue() { - cv.addWarning(fmt.Sprintf("%s are too low", resourceName)) + cv.addWarning(fmt.Sprintf(messages.ResourceAmountTooLow, resourceName, warnBelow.String())) } else { - cv.addSuccess(fmt.Sprintf("%s are within the expected range", resourceName)) + cv.addSuccess(fmt.Sprintf(messages.ResourceAmountCorrect, resourceName)) } } func (cv *ContainerValidation) validateHealthChecks(conf *conf.HealthChecks) { if conf.ReadinessProbeMissing.IsActionable() { if cv.Container.ReadinessProbe == nil { - cv.addFailure("Readiness probe needs to be configured", conf.ReadinessProbeMissing) + cv.addFailure(messages.ReadinessProbeNotConfigured, conf.ReadinessProbeMissing) } else { - cv.addSuccess("Readiness probe configured") + cv.addSuccess(messages.ReadinessProbeConfigured) } } if conf.LivenessProbeMissing.IsActionable() { if cv.Container.LivenessProbe == nil { - cv.addFailure("Liveness probe needs to be configured", conf.LivenessProbeMissing) + cv.addFailure(messages.LivenessProbeNotConfigured, conf.LivenessProbeMissing) } else { - cv.addSuccess("Liveness probe configured") + cv.addSuccess(messages.LivenessProbeConfigured) } } } @@ -128,9 +129,9 @@ func (cv *ContainerValidation) validateImage(imageConf *conf.Images) { if imageConf.TagNotSpecified.IsActionable() { img := strings.Split(cv.Container.Image, ":") if len(img) == 1 || img[1] == "latest" { - cv.addFailure("Image tag should be specified", imageConf.TagNotSpecified) + cv.addFailure(messages.ImageTagNotSpecified, imageConf.TagNotSpecified) } else { - cv.addSuccess("Image tag specified") + cv.addSuccess(messages.ImageTagSpecified) } } } @@ -146,9 +147,9 @@ func (cv *ContainerValidation) validateNetworking(networkConf *conf.Networking) } if hostPortSet { - cv.addFailure("Host port is configured, but it shouldn't be", networkConf.HostAliasSet) + cv.addFailure(messages.HostPortSet, networkConf.HostAliasSet) } else { - cv.addSuccess("Host port is not configured") + cv.addSuccess(messages.HostPortNotSet) } } } @@ -161,55 +162,68 @@ func (cv *ContainerValidation) validateSecurity(securityConf *conf.Security) { if securityConf.RunAsRootAllowed.IsActionable() { if securityContext.RunAsNonRoot == (*bool)(nil) || !*securityContext.RunAsNonRoot { - cv.addFailure("Container is allowed to run as root", securityConf.RunAsRootAllowed) + cv.addFailure(messages.RunAsRootEnabled, securityConf.RunAsRootAllowed) } else { - cv.addSuccess("Container is not allowed to run as root") + cv.addSuccess(messages.RunAsRootDisabled) } } if securityConf.RunAsPrivileged.IsActionable() { if securityContext.Privileged == (*bool)(nil) || !*securityContext.Privileged { - cv.addSuccess("Container is not running as privileged") + cv.addSuccess(messages.RunAsPrivilegedDisabled) } else { - cv.addFailure("Container is running as privileged", securityConf.RunAsPrivileged) + cv.addFailure(messages.RunAsPrivilegedEnabled, securityConf.RunAsPrivileged) } } if securityConf.NotReadOnlyRootFileSystem.IsActionable() { if securityContext.ReadOnlyRootFilesystem == (*bool)(nil) || !*securityContext.ReadOnlyRootFilesystem { - cv.addFailure("Container is not running with a read only filesystem", securityConf.NotReadOnlyRootFileSystem) + cv.addFailure(messages.WritableFilesystem, securityConf.NotReadOnlyRootFileSystem) } else { - cv.addSuccess("Container is running with a read only filesystem") + cv.addSuccess(messages.ReadOnlyFilesystem) } } if securityConf.PrivilegeEscalationAllowed.IsActionable() { if securityContext.AllowPrivilegeEscalation == (*bool)(nil) || !*securityContext.AllowPrivilegeEscalation { - cv.addSuccess("Container does not allow privilege escalation") + cv.addSuccess(messages.PrivilegeEscalationDisallowed) } else { - cv.addFailure("Container allows privilege escalation", securityConf.PrivilegeEscalationAllowed) + cv.addFailure(messages.PrivilegeEscalationAllowed, securityConf.PrivilegeEscalationAllowed) } } - cv.validateCapabilities(securityConf.Capabilities.Error, conf.SeverityError) - cv.validateCapabilities(securityConf.Capabilities.Warning, conf.SeverityWarning) + hasSecurityError := + !cv.validateCapabilities(securityConf.Capabilities.Error, conf.SeverityError) + hasSecurityWarning := + !cv.validateCapabilities(securityConf.Capabilities.Warning, conf.SeverityWarning) + hasSecurityCheck := func(confLists conf.SecurityCapabilityLists) bool { + return len(confLists.IfAnyAdded) > 0 || + len(confLists.IfAnyAddedBeyond) > 0 || + len(confLists.IfAnyNotDropped) > 0 + } + if !hasSecurityError && !hasSecurityWarning && + (hasSecurityCheck(securityConf.Capabilities.Error) || + hasSecurityCheck(securityConf.Capabilities.Warning)) { + cv.addSuccess(messages.SecurityCapabilitiesOK) + } } -func (cv *ContainerValidation) validateCapabilities(confLists conf.SecurityCapabilityLists, severity conf.Severity) { +func (cv *ContainerValidation) validateCapabilities(confLists conf.SecurityCapabilityLists, severity conf.Severity) bool { capabilities := &corev1.Capabilities{} if cv.Container.SecurityContext != nil && cv.Container.SecurityContext.Capabilities != nil { capabilities = cv.Container.SecurityContext.Capabilities } + everythingOK := true if len(confLists.IfAnyAdded) > 0 { intersectAdds := capIntersection(capabilities.Add, confLists.IfAnyAdded) if len(intersectAdds) > 0 { capsString := commaSeparatedCapabilities(intersectAdds) - cv.addFailure(fmt.Sprintf("Security capabilities added from %v list: %v", severity, capsString), severity) + cv.addFailure(fmt.Sprintf(messages.HasBadSecurityCapabilities, capsString), severity) + everythingOK = false } else if capContains(capabilities.Add, "ALL") { - cv.addFailure(fmt.Sprintf("All security capabilities added, violating %v list", severity), severity) - } else { - cv.addSuccess(fmt.Sprintf("No security capabilities added from %v list", severity)) + cv.addFailure(fmt.Sprintf(messages.HasBadSecurityCapabilities, "ALL"), severity) + everythingOK = false } } @@ -217,24 +231,24 @@ func (cv *ContainerValidation) validateCapabilities(confLists conf.SecurityCapab differentAdds := capDifference(capabilities.Add, confLists.IfAnyAddedBeyond) if len(differentAdds) > 0 { capsString := commaSeparatedCapabilities(differentAdds) - cv.addFailure(fmt.Sprintf("Security capabilities added beyond %v list: %v", severity, capsString), severity) + cv.addFailure(fmt.Sprintf(messages.HasBadSecurityCapabilities, capsString), severity) + everythingOK = false } else if capContains(capabilities.Add, "ALL") { - cv.addFailure(fmt.Sprintf("All security capabilities added, going beyond %v list", severity), severity) - } else { - cv.addSuccess(fmt.Sprintf("No security capabilities added beyond %v list", severity)) + cv.addFailure(fmt.Sprintf(messages.HasBadSecurityCapabilities, "ALL"), severity) + everythingOK = false } } if len(confLists.IfAnyNotDropped) > 0 { missingDrops := capDifference(confLists.IfAnyNotDropped, capabilities.Drop) - if len(missingDrops) > 0 && !capContains(capabilities.Drop, "ALL") { capsString := commaSeparatedCapabilities(missingDrops) - cv.addFailure(fmt.Sprintf("Security capabilities not dropped from %v list: %v", severity, capsString), severity) - } else { - cv.addSuccess(fmt.Sprintf("Required security capabilities dropped from %v list", severity)) + cv.addFailure(fmt.Sprintf(messages.SecurityCapabilitiesNotDropped, capsString), severity) + everythingOK = false } } + + return everythingOK } func commaSeparatedCapabilities(caps []corev1.Capability) string { diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go index a3dac2e1..3e86a73a 100644 --- a/pkg/validator/container_test.go +++ b/pkg/validator/container_test.go @@ -89,22 +89,22 @@ func TestValidateResourcesEmptyContainer(t *testing.T) { expectedWarnings := []*ResultMessage{ { Type: "warning", - Message: "CPU Requests are not set", + Message: "CPU requests should be set", }, { Type: "warning", - Message: "Memory Requests are not set", + Message: "Memory requests should be set", }, } expectedErrors := []*ResultMessage{ { Type: "error", - Message: "CPU Limits are not set", + Message: "CPU limits should be set", }, { Type: "error", - Message: "Memory Limits are not set", + Message: "Memory limits should be set", }, } @@ -133,22 +133,22 @@ func TestValidateResourcesPartiallyValid(t *testing.T) { expectedWarnings := []*ResultMessage{ { Type: "warning", - Message: "CPU Requests are too low", + Message: "CPU requests should be higher than 200m", }, { Type: "warning", - Message: "CPU Limits are too low", + Message: "CPU limits should be higher than 300m", }, } expectedErrors := []*ResultMessage{ { Type: "error", - Message: "Memory Requests are too low", + Message: "Memory requests should be higher than 100M", }, { Type: "error", - Message: "Memory Limits are too low", + Message: "Memory limits should be higher than 200M", }, } @@ -235,8 +235,8 @@ func TestValidateHealthChecks(t *testing.T) { }, } - l := &ResultMessage{Type: "warning", Message: "Liveness probe needs to be configured"} - r := &ResultMessage{Type: "error", Message: "Readiness probe needs to be configured"} + l := &ResultMessage{Type: "warning", Message: "Liveness probe should be configured"} + r := &ResultMessage{Type: "error", Message: "Readiness probe should be configured"} f1 := []*ResultMessage{} f2 := []*ResultMessage{r} w1 := []*ResultMessage{l} @@ -437,22 +437,19 @@ func TestValidateSecurity(t *testing.T) { securityConf: standardConf, cv: emptyCV, expectedMessages: []*ResultMessage{{ - Message: "Container is allowed to run as root", + Message: "Should not be running as root", Type: "warning", }, { - Message: "Container is not running with a read only filesystem", + Message: "Filesystem should be read only", Type: "warning", }, { - Message: "Container is not running as privileged", + Message: "Not running as privileged", Type: "success", }, { - Message: "Container does not allow privilege escalation", + Message: "Privilege escalation not allowed", Type: "success", }, { - Message: "No security capabilities added from error list", - Type: "success", - }, { - Message: "No security capabilities added beyond warning list", + Message: "Security capabilities are within the configured limits", Type: "success", }}, }, @@ -461,22 +458,22 @@ func TestValidateSecurity(t *testing.T) { securityConf: standardConf, cv: badCV, expectedMessages: []*ResultMessage{{ - Message: "Security capabilities added from error list: SYS_ADMIN, NET_ADMIN", + Message: "The following security capabilities should not be added: SYS_ADMIN, NET_ADMIN", Type: "error", }, { - Message: "Container allows privilege escalation", + Message: "Privilege escalation should not be allowed", Type: "error", }, { - Message: "Container is running as privileged", + Message: "Should not be running as privileged", Type: "error", }, { - Message: "Security capabilities added beyond warning list: AUDIT_CONTROL, SYS_ADMIN, NET_ADMIN", + Message: "The following security capabilities should not be added: AUDIT_CONTROL, SYS_ADMIN, NET_ADMIN", Type: "warning", }, { - Message: "Container is allowed to run as root", + Message: "Should not be running as root", Type: "warning", }, { - Message: "Container is not running with a read only filesystem", + Message: "Filesystem should be read only", Type: "warning", }}, }, @@ -485,22 +482,19 @@ func TestValidateSecurity(t *testing.T) { securityConf: standardConf, cv: goodCV, expectedMessages: []*ResultMessage{{ - Message: "Container is not allowed to run as root", + Message: "Not running as root", Type: "success", }, { - Message: "Container is running with a read only filesystem", + Message: "Filesystem is read only", Type: "success", }, { - Message: "Container is not running as privileged", + Message: "Not running as privileged", Type: "success", }, { - Message: "Container does not allow privilege escalation", + Message: "Privilege escalation not allowed", Type: "success", }, { - Message: "No security capabilities added from error list", - Type: "success", - }, { - Message: "No security capabilities added beyond warning list", + Message: "Security capabilities are within the configured limits", Type: "success", }}, }, @@ -509,25 +503,19 @@ func TestValidateSecurity(t *testing.T) { securityConf: strongConf, cv: goodCV, expectedMessages: []*ResultMessage{{ - Message: "Security capabilities not dropped from error list: DAC_OVERRIDE, SYS_CHROOT", + Message: "The following security capabilities should be dropped: DAC_OVERRIDE, SYS_CHROOT", Type: "error", }, { - Message: "Container is not allowed to run as root", + Message: "Not running as root", Type: "success", }, { - Message: "Container is running with a read only filesystem", + Message: "Filesystem is read only", Type: "success", }, { - Message: "Container is not running as privileged", + Message: "Not running as privileged", Type: "success", }, { - Message: "Container does not allow privilege escalation", - Type: "success", - }, { - Message: "No security capabilities added from error list", - Type: "success", - }, { - Message: "No security capabilities added beyond warning list", + Message: "Privilege escalation not allowed", Type: "success", }}, }, @@ -536,25 +524,19 @@ func TestValidateSecurity(t *testing.T) { securityConf: strongConf, cv: strongCV, expectedMessages: []*ResultMessage{{ - Message: "Container is not allowed to run as root", + Message: "Not running as root", Type: "success", }, { - Message: "Container is running with a read only filesystem", + Message: "Filesystem is read only", Type: "success", }, { - Message: "Container is not running as privileged", + Message: "Not running as privileged", Type: "success", }, { - Message: "Container does not allow privilege escalation", + Message: "Privilege escalation not allowed", Type: "success", }, { - Message: "No security capabilities added from error list", - Type: "success", - }, { - Message: "Required security capabilities dropped from error list", - Type: "success", - }, { - Message: "No security capabilities added beyond warning list", + Message: "Security capabilities are within the configured limits", Type: "success", }}, }, diff --git a/pkg/validator/messages/messages.go b/pkg/validator/messages/messages.go new file mode 100644 index 00000000..7661a682 --- /dev/null +++ b/pkg/validator/messages/messages.go @@ -0,0 +1,82 @@ +package messages + +const ( + // CPURequestsLabel label + CPURequestsLabel = "CPU requests" + // CPULimitsLabel label + CPULimitsLabel = "CPU limits" + // MemoryRequestsLabel label + MemoryRequestsLabel = "Memory requests" + // MemoryLimitsLabel label + MemoryLimitsLabel = "Memory limits" + + // CPURequestsMissing message + CPURequestsMissing = "CPU requests should be set" + // CPULimitsMissing message + CPULimitsMissing = "CPU limits should be set" + // MemoryRequestsMissing message + MemoryRequestsMissing = "Memory requests should be set" + // MemoryLimitsMissing message + MemoryLimitsMissing = "Memory limits should be set" + // ResourceAmountTooHigh message + ResourceAmountTooHigh = "%s should be lower than %s" + // ResourceAmountTooLow message + ResourceAmountTooLow = "%s should be higher than %s" + // ResourceAmountCorrect message + ResourceAmountCorrect = "%s are within the expected range" + // ReadinessProbeNotConfigured message + ReadinessProbeNotConfigured = "Readiness probe should be configured" + // ReadinessProbeConfigured message + ReadinessProbeConfigured = "Readiness probe configured" + // LivenessProbeNotConfigured message + LivenessProbeNotConfigured = "Liveness probe should be configured" + // LivenessProbeConfigured message + LivenessProbeConfigured = "Liveness probe is configured" + // ImageTagNotSpecified message + ImageTagNotSpecified = "Image tag should be specified" + // ImageTagSpecified message + ImageTagSpecified = "Image tag is specified" + // HostPortSet message + HostPortSet = "Host port should not be configured" + // HostPortNotSet message + HostPortNotSet = "Host port is not configured" + // RunAsRootEnabled message + RunAsRootEnabled = "Should not be running as root" + // RunAsRootDisabled message + RunAsRootDisabled = "Not running as root" + // RunAsPrivilegedEnabled message + RunAsPrivilegedEnabled = "Should not be running as privileged" + // RunAsPrivilegedDisabled message + RunAsPrivilegedDisabled = "Not running as privileged" + // ReadOnlyFilesystem message + ReadOnlyFilesystem = "Filesystem is read only" + // WritableFilesystem message + WritableFilesystem = "Filesystem should be read only" + // PrivilegeEscalationAllowed message + PrivilegeEscalationAllowed = "Privilege escalation should not be allowed" + // PrivilegeEscalationDisallowed message + PrivilegeEscalationDisallowed = "Privilege escalation not allowed" + // HasBadSecurityCapabilities message + HasBadSecurityCapabilities = "The following security capabilities should not be added: %v" + // SecurityCapabilitiesOK message + SecurityCapabilitiesOK = "Security capabilities are within the configured limits" + // SecurityCapabilitiesNotDropped message + SecurityCapabilitiesNotDropped = "The following security capabilities should be dropped: %v" + + // HostAliasConfigured message + HostAliasConfigured = "Host alias should not be configured" + // HostAliasNotConfigured message + HostAliasNotConfigured = "Host alias is not configured" + // HostIPCConfigured message + HostIPCConfigured = "Host IPC should not be configured" + // HostIPCNotConfigured message + HostIPCNotConfigured = "Host IPC is not configured" + // HostPIDConfigured message + HostPIDConfigured = "Host PID should not be configured" + // HostPIDNotConfigured message + HostPIDNotConfigured = "Host PID is not configured" + // HostNetworkConfigured message + HostNetworkConfigured = "Host network should not be configured" + // HostNetworkNotConfigured message + HostNetworkNotConfigured = "Host network is not configured" +) diff --git a/pkg/validator/pod.go b/pkg/validator/pod.go index 3595fb9b..0464a580 100644 --- a/pkg/validator/pod.go +++ b/pkg/validator/pod.go @@ -16,6 +16,7 @@ package validator import ( conf "github.com/reactiveops/fairwinds/pkg/config" + "github.com/reactiveops/fairwinds/pkg/validator/messages" corev1 "k8s.io/api/core/v1" logf "sigs.k8s.io/controller-runtime/pkg/runtime/log" ) @@ -87,9 +88,9 @@ func (pv *PodValidation) validateHostAlias(networkConf *conf.Networking) { } if hostAliasSet { - pv.addFailure("Host alias should is configured, but it shouldn't be", networkConf.HostAliasSet) + pv.addFailure(messages.HostAliasConfigured, networkConf.HostAliasSet) } else { - pv.addSuccess("Host alias is not configured") + pv.addSuccess(messages.HostAliasNotConfigured) } } } @@ -97,9 +98,9 @@ func (pv *PodValidation) validateHostAlias(networkConf *conf.Networking) { func (pv *PodValidation) validateHostIPC(networkConf *conf.Networking) { if networkConf.HostIPCSet.IsActionable() { if pv.Pod.HostIPC { - pv.addFailure("Host IPC is configured, but it shouldn't be", networkConf.HostIPCSet) + pv.addFailure(messages.HostIPCConfigured, networkConf.HostIPCSet) } else { - pv.addSuccess("Host IPC is not configured") + pv.addSuccess(messages.HostIPCNotConfigured) } } } @@ -107,9 +108,9 @@ func (pv *PodValidation) validateHostIPC(networkConf *conf.Networking) { func (pv *PodValidation) validateHostPID(networkConf *conf.Networking) { if networkConf.HostPIDSet.IsActionable() { if pv.Pod.HostPID { - pv.addFailure("Host PID is configured, but it shouldn't be", networkConf.HostPIDSet) + pv.addFailure(messages.HostPIDConfigured, networkConf.HostPIDSet) } else { - pv.addSuccess("Host PID is not configured") + pv.addSuccess(messages.HostPIDNotConfigured) } } } @@ -117,9 +118,9 @@ func (pv *PodValidation) validateHostPID(networkConf *conf.Networking) { func (pv *PodValidation) validateHostNetwork(networkConf *conf.Networking) { if networkConf.HostNetworkSet.IsActionable() { if pv.Pod.HostNetwork { - pv.addFailure("Host network is configured, but it shouldn't be", networkConf.HostNetworkSet) + pv.addFailure(messages.HostNetworkConfigured, networkConf.HostNetworkSet) } else { - pv.addSuccess("Host network is not configured") + pv.addSuccess(messages.HostNetworkNotConfigured) } } }