
[BUG] Incorrect violation is reported #510

Closed
realshuting opened this issue Nov 16, 2019 · 1 comment
@realshuting
Member

Describe the bug
There is a pod that has the following volume mounts, but a violation is reported for this volume.
Volume mounts in pod:

     volumeMounts:
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: default-token-f7vk4
        readOnly: true

Message in violation:

      message: |-
        Validation error: Use of the Docker Unix socket is not allowed
        Validation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/'.

To Reproduce

  1. Create the best practice policy disallow-docker-sock-mount in your cluster.
  2. Run kubectl run nginx --image=nginx
     A namespacedpolicyviolation is reported.

Screenshots
pod.yaml

apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: "2019-11-16T01:49:48Z"
    generateName: nginx-7cdbd8cdc9-
    labels:
      pod-template-hash: 7cdbd8cdc9
      run: nginx
    name: nginx-7cdbd8cdc9-lzf2h
    namespace: test2
    ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: true
      controller: true
      kind: ReplicaSet
      name: nginx-7cdbd8cdc9
      uid: 5f16a7f5-0813-11ea-bef2-068789d2dc77
    resourceVersion: "22000"
    selfLink: /api/v1/namespaces/test2/pods/nginx-7cdbd8cdc9-lzf2h
    uid: 5f1d1ffd-0813-11ea-bef2-068789d2dc77
  spec:
    containers:
    - image: nginx
      imagePullPolicy: Always
      name: nginx
      resources: {}
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: default-token-f7vk4
        readOnly: true
    dnsPolicy: ClusterFirst
    enableServiceLinks: true
    nodeName: ip-10-10-128-9
    priority: 0
    restartPolicy: Always
    schedulerName: default-scheduler
    securityContext: {}
    serviceAccount: default
    serviceAccountName: default
    terminationGracePeriodSeconds: 30
    tolerations:
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
    volumes:
    - name: default-token-f7vk4
      secret:
        defaultMode: 420
        secretName: default-token-f7vk4

namespacedpolicyviolation:

apiVersion: v1
items:
- apiVersion: kyverno.io/v1
  kind: NamespacedPolicyViolation
  metadata:
    creationTimestamp: "2019-11-16T01:51:26Z"
    generateName: pv-
    generation: 1
    labels:
      policy: disallow-docker-sock-mount
      resource: Pod.test2.nginx-7cdbd8cdc9-lzf2h
    name: pv-j4d4k
    namespace: test2
    resourceVersion: "22159"
    selfLink: /apis/kyverno.io/v1/namespaces/test2/namespacedpolicyviolations/pv-j4d4k
    uid: 99f8c9cb-0813-11ea-bef2-068789d2dc77
  spec:
    policy: disallow-docker-sock-mount
    resource:
      kind: Pod
      name: nginx-7cdbd8cdc9-lzf2h
      namespace: test2
    rules:
    - managedResource: {}
      message: |-
        Validation error: Use of the Docker Unix socket is not allowed
        Validation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/'.
      name: validate-docker-sock-mount
      type: Validation
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
@realshuting realshuting added the bug Something isn't working label Nov 16, 2019
@realshuting realshuting added this to the Kyverno Release 1.0 milestone Nov 16, 2019
@shivdudhani shivdudhani self-assigned this Nov 16, 2019
@shivdudhani
Contributor

The resource failed as the policy expects the volumes tag to be of type map:
https://github.com/nirmata/kyverno/blob/17ec220711bfbb17b1161daa743ad2d4dad146b2/samples/best_practices/disallow_docker_sock_mount.yaml#L21-L23.

The policy can be corrected as follows:

          =(volumes):
            - =(hostPath):
                path: "!/var/run/docker.sock"

corrected in PR #513
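
A constructed Python re-implementation of the pattern semantics this bug depends on (added here; not Kyverno's own code), showing why a map-shaped `volumes` pattern rejects every pod that has any volume, while the list form above passes the service-account token volume and still catches a docker.sock hostPath. The buggy pattern shape is an assumption reconstructed from the comment; `validate`, `BUGGY`, `FIXED` and the sample pods are constructed.

```python
# Added example, not Kyverno's code: simplified pattern semantics (assumptions:
# "=(key)" checks the value only if the key is present, "!value" means "must
# differ from value", a list pattern applies to every resource list element,
# and a map pattern against a list resource is a type mismatch).
ANCHOR_PREFIX, ANCHOR_SUFFIX = "=(", ")"

def _matches(pattern, value, path):
    """Return (ok, failing_path); failing_path is "" when ok is True."""
    if isinstance(pattern, dict):
        if not isinstance(value, dict):
            return False, path                      # e.g. map pattern, list resource
        for key, sub in pattern.items():
            conditional = key.startswith(ANCHOR_PREFIX) and key.endswith(ANCHOR_SUFFIX)
            name = key[len(ANCHOR_PREFIX):-len(ANCHOR_SUFFIX)] if conditional else key
            if name not in value:
                if conditional:
                    continue                        # =(key) absent: nothing to check
                return False, f"{path}{name}/"
            ok, where = _matches(sub, value[name], f"{path}{name}/")
            if not ok:
                return False, where
        return True, ""
    if isinstance(pattern, list):
        if not isinstance(value, list):
            return False, path
        for i, element in enumerate(value):
            results = [_matches(p, element, f"{path}{i}/") for p in pattern]
            if not any(ok for ok, _ in results):   # element matches no pattern entry
                return False, results[0][1]
        return True, ""
    if isinstance(pattern, str) and pattern.startswith("!"):
        return value != pattern[1:], path
    return value == pattern, path

def validate(pattern, resource):
    return _matches(pattern, resource, "/")

# Pattern shape the original sample policy used (assumption: volumes as a map).
BUGGY = {"spec": {"=(volumes)": {"=(hostPath)": {"path": "!/var/run/docker.sock"}}}}
# Corrected shape from the comment above: volumes is a list of volume maps.
FIXED = {"spec": {"=(volumes)": [{"=(hostPath)": {"path": "!/var/run/docker.sock"}}]}}

# Constructed resources: the token-only pod from this report, and a pod that
# really does mount the Docker socket.
TOKEN_POD = {"spec": {"volumes": [{"name": "default-token-f7vk4",
                                   "secret": {"secretName": "default-token-f7vk4"}}]}}
SOCK_POD = {"spec": {"volumes": [{"name": "dock",
                                  "hostPath": {"path": "/var/run/docker.sock"}}]}}
```

With `BUGGY` the token-only pod fails at `/spec/volumes/`, the same path reported in the violation above; with `FIXED` it passes and only the docker.sock pod is rejected.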
