Update checks severities (#950)

* change all ignore checks to warning

* promoting checks initially warning that should be danger.

* fixing docs and examples

* adds changelog

* fix changelog version

docs/changelog.md

@@ -5,6 +5,25 @@ meta:
     content: "Fairwinds Polaris | Changelog"
 
 ---
+
+## 8.0.0
+* Change default severity from `ignore` to `warning` for `priorityClassNotSet`, `metadataAndNameMismatched`, `missingPodDisruptionBudget`, `automountServiceAccountToken`, `missingNetworkPolicy` checks.
+* Change default severity from `warning` to `danger` for `sensitiveContainerEnvVar`, `sensitiveConfigmapContent`, `clusterrolePodExecAttach`, `rolePodExecAttach`, `clusterrolebindingPodExecAttach`, `rolebindingClusterRolePodExecAttach`, `rolebindingRolePodExecAttach`,`clusterrolebindingClusterAdmin`,`rolebindingClusterAdminClusterRole`,`rolebindingClusterAdminRole` checks.
+
+## 7.4.0
+* Skip https certificate verification (#920)
+
+## 7.3.0
+* Add a check for `topologySpreadConstraint` (#879)
+
+## 7.2.0
+* Enable new RBAC / sensitive content / Pod exec checks, add `hasPrefix` and `hasSuffix` functions to the GO template, exempt `system:` name prefixes for RBAC checks, sensitive content checks ignore `valueFrom`, (#832)
+
+## 7.1.0
+* Let Polaris modify YAML without losing comments/formatting (#821)
+* Add checks for RBAC allowing exec or attaching to a Pod (#820)
+* Add `clusterrolebindingClusterAdmin`, `rolebindingClusterAdminRole`, and `rolebindingClusterAdminClusterRole` checks + schema tests (#823)
+
 ## 7.0.2
 * Fixes for pretty CLI output
 * Some new checks (disabled by default)

docs/checks/reliability.md

@@ -14,10 +14,10 @@ key | default | description
 `livenessProbeMissing` | `warning` | Fails when a liveness probe is not configured for a pod.
 `tagNotSpecified` | `danger` | Fails when an image tag is either not specified or `latest`.
 `pullPolicyNotAlways` | `warning` | Fails when an image pull policy is not `always`.
-`priorityClassNotSet` | `ignore` | Fails when a priorityClassName is not set for a pod.
+`priorityClassNotSet` | `warning` | Fails when a priorityClassName is not set for a pod.
 `deploymentMissingReplicas` | `warning` | Fails when there is only one replica for a deployment.
-`missingPodDisruptionBudget` | `ignore`
-`metadataAndNameMismatched` | `ignore`
+`missingPodDisruptionBudget` | `warning`
+`metadataAndNameMismatched` | `warning`
 `topologySpreadConstraint` | `warning` | Fails when there is no topology spread constraint on the pod
 
 ## Background

docs/checks/security.md

@@ -24,17 +24,17 @@ key | default | description
 `hostNetworkSet` | `warning` | Fails when `hostNetwork` attribute is configured.
 `hostPortSet` | `warning` | Fails when `hostPort` attribute is configured.
 `tlsSettingsMissing` | `warning` | Fails when an Ingress lacks TLS settings.
-`sensitiveContainerEnvVar` | `warning` | Fails when the container sets potentially sensitive environment variables.
-`sensitiveConfigmapContent` | `warning` | Fails when potentially sensitive content is detected in the ConfigMap keys or values.
-`missingNetworkPolicy` | `ignore`
-`clusterrolePodExecAttach` | `warning` | Fails when the ClusterRole allows Pods/exec or pods/attach.
-`rolePodExecAttach` | `warning` | Fails when the Role allows Pods/exec or pods/attach.
-`clusterrolebindingPodExecAttach` | `warning` | Fails when the ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist.
-`rolebindingRolePodExecAttach` | `warning` | Fails when the RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist.
-`rolebindingClusterRolePodExecAttach` | `warning` | Fails when the RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist.
-`clusterrolebindingClusterAdmin` | `warning` | Fails when the ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions.
-`rolebindingClusterAdminClusterRole` | `warning` | Fails when the RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions.
-`rolebindingClusterAdminRole` | `warning` | Fails when the RoleBinding references a Role with wildcard permissions.
+`sensitiveContainerEnvVar` | `danger` | Fails when the container sets potentially sensitive environment variables.
+`sensitiveConfigmapContent` | `danger` | Fails when potentially sensitive content is detected in the ConfigMap keys or values.
+`missingNetworkPolicy` | `warning`
+`clusterrolePodExecAttach` | `danger` | Fails when the ClusterRole allows Pods/exec or pods/attach.
+`rolePodExecAttach` | `danger` | Fails when the Role allows Pods/exec or pods/attach.
+`clusterrolebindingPodExecAttach` | `danger` | Fails when the ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist.
+`rolebindingRolePodExecAttach` | `danger` | Fails when the RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist.
+`rolebindingClusterRolePodExecAttach` | `danger` | Fails when the RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist.
+`clusterrolebindingClusterAdmin` | `danger` | Fails when the ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions.
+`rolebindingClusterAdminClusterRole` | `danger` | Fails when the RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions.
+`rolebindingClusterAdminRole` | `danger` | Fails when the RoleBinding references a Role with wildcard permissions.
 
 ## Background
 

examples/config-full.yaml

@@ -8,8 +8,8 @@ checks:
   livenessProbeMissing: warning
   topologySpreadConstraint: warning
   pdbDisruptionsIsZero: warning
-  missingPodDisruptionBudget: ignore
-  metadataAndNameMismatched: ignore
+  missingPodDisruptionBudget: warning
+  metadataAndNameMismatched: warning
 
   # efficiency
   cpuRequestsMissing: warning
@@ -22,7 +22,7 @@ checks:
   hostIPCSet: danger
   hostPIDSet: danger
   linuxHardening: danger
-  missingNetworkPolicy: ignore
+  missingNetworkPolicy: warning
   notReadOnlyRootFilesystem: warning
   privilegeEscalationAllowed: danger
   runAsRootAllowed: danger

examples/config.yaml

@@ -1,14 +1,14 @@
 checks:
   # reliability
   deploymentMissingReplicas: warning
-  priorityClassNotSet: ignore
+  priorityClassNotSet: warning
   tagNotSpecified: danger
   pullPolicyNotAlways: warning
   readinessProbeMissing: warning
   livenessProbeMissing: warning
-  metadataAndNameMismatched: ignore
+  metadataAndNameMismatched: warning
   pdbDisruptionsIsZero: warning
-  missingPodDisruptionBudget: ignore
+  missingPodDisruptionBudget: warning
   topologySpreadConstraint: warning
 
   # efficiency
@@ -18,11 +18,11 @@ checks:
   memoryLimitsMissing: warning
   
   # security
-  automountServiceAccountToken: ignore
+  automountServiceAccountToken: warning
   hostIPCSet: danger
   hostPIDSet: danger
   linuxHardening: warning
-  missingNetworkPolicy: ignore
+  missingNetworkPolicy: warning
   notReadOnlyRootFilesystem: warning
   privilegeEscalationAllowed: danger
   runAsRootAllowed: danger
@@ -32,17 +32,16 @@ checks:
   hostNetworkSet: danger
   hostPortSet: warning
   tlsSettingsMissing: warning
-  # These are initially warning and will later be promoted to danger.
-  sensitiveContainerEnvVar: warning
-  sensitiveConfigmapContent: warning
-  clusterrolePodExecAttach: warning
-  rolePodExecAttach: warning
-  clusterrolebindingPodExecAttach: warning
-  rolebindingClusterRolePodExecAttach: warning
-  rolebindingRolePodExecAttach: warning
-  clusterrolebindingClusterAdmin: warning
-  rolebindingClusterAdminClusterRole: warning
-  rolebindingClusterAdminRole: warning
+  sensitiveContainerEnvVar: danger
+  sensitiveConfigmapContent: danger
+  clusterrolePodExecAttach: danger
+  rolePodExecAttach: danger
+  clusterrolebindingPodExecAttach: danger
+  rolebindingClusterRolePodExecAttach: danger
+  rolebindingRolePodExecAttach: danger
+  clusterrolebindingClusterAdmin: danger
+  rolebindingClusterAdminClusterRole: danger
+  rolebindingClusterAdminRole: danger
 
 
 mutations: