Merged
4 changes: 2 additions & 2 deletions modules/high-sev-security-policies.adoc
Expand Up @@ -18,12 +18,12 @@ The following table lists the default security policies in {product-title} that
[options="header"]
|====
|Life cycle stage |Name |Description | Status
|Build or Deploy |Fixable CVSS >= 7 |Alerts when deployments with fixable vulnerabilities have a CVSS of at least 7. |Disabled
|Build or Deploy |Fixable Common Vulnerability Scoring System (CVSS) >= 7 |Alerts when deployments with fixable vulnerabilities have a CVSS of at least 7. However, Red{nbsp}Hat recommends that you create policies using Common Vulnerabilities and Exposures (CVE) severity instead of CVSS score. |Disabled
|Build or Deploy |Fixable Severity at least Important |Alerts when deployments with fixable vulnerabilities have a severity rating of at least Important. |Enabled
|Build or Deploy |Secure Shell (ssh) Port Exposed in Image |Alerts when deployments expose port 22, which is commonly reserved for SSH access. |Enabled
|Deploy |Emergency Deployment Annotation |Alerts when deployments use the emergency annotation, such as "admission.stackrox.io/break-glass":"ticket-1234" to circumvent StackRox Admission controller checks. |Enabled
|Deploy |Environment Variable Contains Secret |Alerts when deployments have environment variables that contain 'SECRET'. |Enabled
|Deploy |Fixable CVSS >= 6 and Privileged |Alerts when deployments run in privileged mode with fixable vulnerabilities that have a CVSS of at least 6. |Disabled by default in version 3.72.0 and later
|Deploy |Fixable CVSS >= 6 and Privileged |Alerts when deployments run in privileged mode with fixable vulnerabilities that have a CVSS of at least 6. However, Red{nbsp}Hat recommends that you create policies using CVE severity instead of CVSS score. |Disabled by default in version 3.72.0 and later
|Deploy | Privileged Containers with Important and Critical Fixable CVEs |Alerts when containers that run in privileged mode have important or critical fixable vulnerabilities. |Enabled
|Deploy |Secret Mounted as Environment Variable |Alerts when a deployment has a Kubernetes secret that is mounted as an environment variable. |Disabled
|Deploy |Secure Shell (ssh) Port Exposed |Alerts when deployments expose port 22, which is commonly reserved for SSH access. |Enabled
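Review bot: The Name cell on the rewritten Fixable CVSS >= 7 row now reads `Fixable Common Vulnerability Scoring System (CVSS) >= 7`, while the other rewritten row in this same hunk keeps its short name `Fixable CVSS >= 6 and Privileged` and every other Name cell in the table (for example `Fixable Severity at least Important`) also uses the short form, so the two changed rows are now inconsistent with each other. Suggest leaving the name as `Fixable CVSS >= 7` and expanding the acronym once in the Description cell instead, which is what the second row already does. Since both rows now add "Red Hat recommends that you create policies using ... CVE severity instead of CVSS score", it would also help to name the replacement explicitly, for example "such as the `Fixable Severity at least Important` policy, which is enabled by default", so the reader is not left to find it in the table.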
39 changes: 25 additions & 14 deletions modules/policy-criteria.adoc
Expand Up @@ -81,7 +81,7 @@ AND, OR

6+| *Section: Image contents*

| CVE is fixable
| The Common Vulnerabilities and Exposures (CVE) is fixable
| This criterion results in a violation only if the image in the deployment you are evaluating has a fixable CVE.
| Fixable
| Boolean
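Review bot: The criterion name cell changes from `CVE is fixable` to `The Common Vulnerabilities and Exposures (CVE) is fixable`, which turns a name into a sentence and no longer matches the short form used by the other name cells in this file (compare `Privileged container` and `Seccomp Profile Type` further down). Suggest keeping `CVE is fixable` as the name and expanding the acronym in the description cell instead, for example "This criterion results in a violation only if the image in the deployment you are evaluating has a fixable Common Vulnerabilities and Exposures (CVE) entry."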
Expand Down Expand Up @@ -157,8 +157,8 @@ AND, OR
*Deploy*, +
*Runtime* (when used with a Runtime criterion)

| CVSS
| Common Vulnerability Scoring System, use it to match images with vulnerabilities whose scores are greater than `>`, less than `<`, or equal to `=` the specified CVSS.
| Common Vulnerability Scoring System (CVSS)
| CVSS: Use it to match images with vulnerabilities whose scores are greater than `>`, less than `<`, or equal to `=` the specified CVSS.
| CVSS
| <, >, \<=, >= or nothing (which implies equal to) +

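Review bot: The new description on the CVSS row still lists only "greater than `>`, less than `<`, or equal to `=`", but the value cell two lines below accepts `<, >, \<=, >= or nothing (which implies equal to)`: the `\<=` and `>=` forms are missing from the prose, and a literal `=` is not one of the accepted forms. Since the hunk already rewrites this sentence, suggest aligning it with the value cell: "Use it to match images with vulnerabilities whose scores are less than (`<`), greater than (`>`), at most (`\<=`), at least (`>=`), or equal to (no operator) the specified CVSS." The leading "CVSS:" on the new description line repeats the name cell directly above it and can be dropped.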
Expand Down Expand Up @@ -274,11 +274,21 @@ AND, OR
6+| *Section: Container configuration*

| Environment Variable
| Check environment variables by name or value.
| Check environment variables by name or value. When you create a policy that includes the environment variable attribute,
you can choose which types of environment variables the policy should match. For example, you can specify raw values, which are provided directly in the deployment YAML, or you can specify references to values from config maps, secrets, fields, or resource requests or limits.
For any type other than a raw value specified directly in the deployment YAML, the corresponding `value` attribute of the policy rule is ignored. In this case, the policy match is evaluated on the existence of the specified environment variable type. Additionally, this criteria disallows the creation of policies with a non-empty `value` attribute for types other than raw values.
| Environment Variable
| RAW=key=value to match an environment variable as directly specified in the deployment configuration with a specific key and value. `value` can be omitted to match on only the key. +
a| RAW=key=value to match an environment variable as directly specified in the deployment YAML with a specific key and value. You can omit the `value` attribute to match on only the key. +

If the environment variable is not defined in the configuration YAML, then you can use the format `SOURCE=KEY`, where `SOURCE` is one of the following objects:

* SECRET_KEY (SecretKeyRef)
* CONFIG_MAP_KEY (ConfigMapRef)
* FIELD (FieldRef)
* RESOURCE_FIELD (ResourceFieldRef)

The preceding list provides the API object label first, and then provides the user interface label in parentheses.

If the environment variable is not directly defined in the configuration, then the format SOURCE=KEY can be used, where SOURCE is one of SECRET_KEY, CONFIG_MAP_KEY, FIELD or RESOURCE_FIELD. In this case, criteria can only match the key and not the value.
| ! Regex only for key and value (if using RAW) +
AND, OR
| *Deploy*, +
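Review bot: The new sentence "If the environment variable is not defined in the configuration YAML, then you can use the format `SOURCE=KEY`" drops the word "directly" from the removed wording, which changes the meaning: a variable populated from a secret, config map, field or resource field is still defined in the deployment YAML, just not with a literal value. Suggest "If the value of the environment variable is not set directly in the deployment YAML (for example, it comes from a secret or config map), use the format `SOURCE=KEY`, where ...". On the added description line, "this criteria disallows" should be "this criterion disallows", matching the singular used elsewhere in the table. The removed value-cell text also stated that for these source types "criteria can only match the key and not the value"; the new value cell no longer says so, and a reader who only consults that cell will not learn that the `value` part is ignored, so consider repeating that one sentence after the bullet list.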
Expand Down Expand Up @@ -312,7 +322,8 @@ Examples: +


| Container Memory Request
| Check for the amount of memory reserved for a given resource.
| Number, including fraction, of MB requested.
// Do we convert the K8s resource into MB (including convert MiB to MB) ? If so, the documentation should explain this conversion .
| Container Memory Request
| (Same as Container CPU Request)
| AND, OR
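Review bot: The added `// Do we convert the K8s resource into MB (including convert MiB to MB) ? ...` line is an unresolved author question left in the source and should be answered and removed before merge rather than shipped as a comment. It also flags a real gap in the new description "Number, including fraction, of MB requested.": the comment itself notes that Kubernetes values may be expressed in MiB, so the text needs to state whether a value entered here is compared after conversion to MB and, if so, how that conversion is done. Separately, the rewritten description no longer says what the criterion checks (the removed line did: "Check for the amount of memory reserved for a given resource"), and the value cell on the same row still reads only "(Same as Container CPU Request)"; suggest keeping the check sentence in the description and moving the "Number, including fraction, of MB requested" wording into the value cell.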
Expand All @@ -330,25 +341,25 @@ Examples: +


| Privileged container
| Privileged running deployments.
| Check if a deployment is configured in privileged mode. This criterion only checks the value of the `privileged` field in the respective link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[Pod Security Context].
| Privileged Container
| Boolean
| Boolean: `true` when the value of the `privileged` field in the respective `PodSecurityContext` is set to `true`
| ✕
| *Deploy*, +
*Runtime* (when used with a Runtime criterion)


| Root filesystem writeability
| Containers running with the root file system configured as read only.
| Check if a deployment is configured in the `readOnlyFilesystem` mode.
| Read-Only Root Filesystem
| Boolean
| Boolean: `true` when the value of the `readOnlyRootFilesystem` field in the respective `PodSecurityContext` is set to `true`
| ✕
| *Deploy*, +
*Runtime* (when used with a Runtime criterion)


| Seccomp Profile Type
| The type of seccomp profile allowed for the container.
| The type of `seccomp` profile defined for the deployment. If `seccomp` options are provided at both the pod and container level, the container options override the pod options. See link:https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1[Security Context].
| Seccomp Profile Type
| One of: +

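Review bot: On the Privileged container and Root filesystem writeability rows, the added text places the `privileged` and `readOnlyRootFilesystem` fields in the "Pod Security Context" / `PodSecurityContext`, but in the Kubernetes API both fields belong to the container-level `SecurityContext`; `PodSecurityContext` has neither field. The link on the Privileged container row already points at `#securitycontext-v1-core`, so the prose should say "container `SecurityContext`" in both the description and the Boolean value cell of each row to match it. The rewritten Root filesystem description also names the mode `readOnlyFilesystem` while the value cell on the same row uses `readOnlyRootFilesystem`; use the latter, which is the actual field name. Minor: the Privileged container link pins `v1.28` while the Seccomp Profile Type link is unversioned; pick one convention for both.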
Expand All @@ -361,7 +372,7 @@ LOCALHOST


| Privilege escalation
| Provides alerts when a development is configured to allow a container process to gain more privileges than its parent process.
| Provides alerts when a deployment allows a container process to gain more privileges than its parent process.
| Allow Privilege Escalation
| Boolean
| ✕
Expand Down Expand Up @@ -864,7 +875,7 @@ NOT, +
! `OR` only
| *Runtime* ONLY - Kubernetes Events

| Kubernetes Resource
| Kubernetes Resource Type
| Type of the accessed Kubernetes resource.
| Kubernetes Resource
| One of: +
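Review bot: The name cell becomes `Kubernetes Resource Type`, but the label cell two lines below on the same row still reads `Kubernetes Resource`; if the product label changed, update both cells, otherwise the rename makes the name and label disagree on this row alone.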