Merge pull request #77 from reactiveops/rs/config-cleanup

Better success messaging, deployment config now 100% passing Polaris checks
Rob Scott
2019-05-14 09:28:09 -04:00
committed by GitHub
9 changed files with 48 additions and 14 deletions


@@ -9,8 +9,8 @@ FROM alpine:3.9
WORKDIR /usr/local/bin
RUN apk --no-cache add ca-certificates
RUN addgroup -S polaris && adduser -S -G polaris polaris
USER polaris
RUN addgroup -S polaris && adduser -u 1200 -S polaris -G polaris
USER 1200
COPY --from=build-env /go/src/github.com/reactiveops/polaris/polaris .
WORKDIR /opt/app
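Review bot: Nothing next to the numeric `USER 1200` says why it is numeric, so a later cleanup back to `USER polaris` would stop the pods from starting: the kubelet can only verify `runAsNonRoot: true` (set in this commit's manifests) against a numeric user. I would add a comment above it such as `# Numeric UID required: the manifests set runAsNonRoot, which the kubelet cannot verify for a named user`. The group id is still allocated dynamically by `addgroup -S`; pinning it as well, for example `addgroup -g 1200 -S polaris`, would keep file ownership stable across base-image updates.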


@@ -176,6 +176,13 @@ spec:
requests:
cpu: 100m
memory: 128Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
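Review bot: The new container `securityContext` leaves out `allowPrivilegeEscalation: false`, so no_new_privs is not set and a setuid binary in the image could still change the effective user even though the process starts as non-root with all capabilities dropped. Adding `allowPrivilegeEscalation: false` next to `privileged: false` closes that gap; the same block is repeated in the three other manifest sections of this commit and needs the same line. `runAsNonRoot: true` relies on the image declaring a numeric user, so also setting `runAsUser: 1200` would keep the pod non-root if a different image is substituted. The container spec begins and ends outside the hunk.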


@@ -53,6 +53,13 @@ spec:
requests:
cpu: 100m
memory: 128Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml


@@ -63,6 +63,13 @@ spec:
requests:
cpu: 100m
memory: 128Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml


@@ -216,6 +216,13 @@ spec:
requests:
cpu: 100m
memory: 128Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml


@@ -8,10 +8,10 @@ To simplify ensure that these values have been set, the following attributes are
key | default | description
----|---------|------------
`resources.cpuRequestsMissing` | `warning` | Fails when `resources.requests.cpu` attribute is not configured.
`resources.memoryRequestsMissing` | `warning` | Fails when `resources.requests.memory` attribute is not configured.
`resources.cpuLimitsMissing` | `warning` | Fails when `resources.limits.cpu` attribute is not configured.
`resources.memoryLimitsMissing` | `warning` | Fails when `resources.limits.memory` attribute is not configured.
`resources.cpuRequestsMissing` | `error` | Fails when `resources.requests.cpu` attribute is not configured.
`resources.memoryRequestsMissing` | `error` | Fails when `resources.requests.memory` attribute is not configured.
`resources.cpuLimitsMissing` | `error` | Fails when `resources.limits.cpu` attribute is not configured.
`resources.memoryLimitsMissing` | `error` | Fails when `resources.limits.memory` attribute is not configured.
## Range Checks


@@ -97,7 +97,11 @@ func (cv *ContainerValidation) validateResourceRange(resourceName string, rangeC
} else if warnBelow != nil && warnBelow.MilliValue() > res.MilliValue() {
cv.addWarning(fmt.Sprintf(messages.ResourceAmountTooLowFailure, resourceName, warnBelow.String()), category)
} else {
cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
if warnAbove != nil || warnBelow != nil || errorAbove != nil || errorBelow != nil {
cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
} else {
cv.addSuccess(fmt.Sprintf(messages.ResourcePresentSuccess, resourceName), category)
}
}
}
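Review bot: The new `ResourcePresentSuccess` branch is not covered by any test change visible in this commit; the test section only updates the run-as-root strings in TestValidateSecurity. A case that runs the check with all four bounds nil and expects the `"%s are set"` message would pin the behaviour. The nested `if` can also be folded into the existing chain as `} else if warnAbove != nil || warnBelow != nil || errorAbove != nil || errorBelow != nil {` followed by a plain `} else {`, which removes one level of indentation. validateResourceRange begins before the hunk.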


@@ -583,7 +583,7 @@ func TestValidateSecurity(t *testing.T) {
securityConf: standardConf,
cv: emptyCV,
expectedMessages: []*ResultMessage{{
Message: "Should not be running as root",
Message: "Should not be allowed to run as root",
Type: "warning",
Category: "Security",
}, {
@@ -625,7 +625,7 @@ func TestValidateSecurity(t *testing.T) {
Type: "warning",
Category: "Security",
}, {
Message: "Should not be running as root",
Message: "Should not be allowed to run as root",
Type: "warning",
Category: "Security",
}, {
@@ -639,7 +639,7 @@ func TestValidateSecurity(t *testing.T) {
securityConf: standardConf,
cv: goodCV,
expectedMessages: []*ResultMessage{{
Message: "Not running as root",
Message: "Is not allowed to run as root",
Type: "success",
Category: "Security",
}, {
@@ -669,7 +669,7 @@ func TestValidateSecurity(t *testing.T) {
Type: "error",
Category: "Security",
}, {
Message: "Not running as root",
Message: "Is not allowed to run as root",
Type: "success",
Category: "Security",
}, {
@@ -691,7 +691,7 @@ func TestValidateSecurity(t *testing.T) {
securityConf: strongConf,
cv: strongCV,
expectedMessages: []*ResultMessage{{
Message: "Not running as root",
Message: "Is not allowed to run as root",
Type: "success",
Category: "Security",
}, {


@@ -35,6 +35,8 @@ const (
ResourceAmountTooLowFailure = "%s should be higher than %s"
// ResourceAmountSuccess message
ResourceAmountSuccess = "%s are within the expected range"
// ResourcePresentSuccess message
ResourcePresentSuccess = "%s are set"
// ReadinessProbeFailure message
ReadinessProbeFailure = "Readiness probe should be configured"
// ReadinessProbeSuccess message
@@ -56,9 +58,9 @@ const (
// HostPortSuccess message
HostPortSuccess = "Host port is not configured"
// RunAsRootFailure message
RunAsRootFailure = "Should not be running as root"
RunAsRootFailure = "Should not be allowed to run as root"
// RunAsRootSuccess message
RunAsRootSuccess = "Not running as root"
RunAsRootSuccess = "Is not allowed to run as root"
// RunAsPrivilegedFailure message
RunAsPrivilegedFailure = "Should not be running as privileged"
// RunAsPrivilegedSuccess message
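Review bot: The comment `// ResourcePresentSuccess message` in the first hunk does not say how this constant differs from `ResourceAmountSuccess`, and the two are easy to confuse at the call site. Something like `// ResourcePresentSuccess is reported when a resource value is set and no range bounds are configured for it` would make the distinction explicit. The reworded run-as-root strings in the second hunk would benefit from the same treatment, for example `// RunAsRootFailure is reported when the container is not prevented from running as root`, which appears to be the intent of the new wording. The const block begins and ends outside both hunks.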