From 02d444419659c5c422e98a5ad5b2ce7e48b29492 Mon Sep 17 00:00:00 2001
From: Rob Scott
Date: Mon, 13 May 2019 22:24:42 -0400
Subject: [PATCH] updating error message for resource presence checks, updating deployment config to pass with 100%

---
 Dockerfile | 4 ++--
 deploy/dashboard.yaml | 7 +++++++
 .../helm/polaris/templates/dashboard.deployment.yaml | 7 +++++++
 deploy/helm/polaris/templates/webhook.deployment.yaml | 7 +++++++
 deploy/webhook.yaml | 7 +++++++
 docs/resources.md | 8 ++++----
 pkg/validator/container.go | 6 +++++-
 pkg/validator/container_test.go | 10 +++++-----
 pkg/validator/messages/messages.go | 6 ++++--
 9 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1cccbf6e..1264537f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,8 +9,8 @@ FROM alpine:3.9
 WORKDIR /usr/local/bin
 RUN apk --no-cache add ca-certificates
-RUN addgroup -S polaris && adduser -S -G polaris polaris
-USER polaris
+RUN addgroup -S polaris && adduser -u 1200 -S polaris -G polaris
+USER 1200
 COPY --from=build-env /go/src/github.com/reactiveops/polaris/polaris .
 WORKDIR /opt/app
diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml
index bd72c355..1d9fa01d 100644
--- a/deploy/dashboard.yaml
+++ b/deploy/dashboard.yaml
@@ -176,6 +176,13 @@ spec:
 requests:
 cpu: 100m
 memory: 128Mi
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: config
 mountPath: /opt/app/config.yaml
diff --git a/deploy/helm/polaris/templates/dashboard.deployment.yaml b/deploy/helm/polaris/templates/dashboard.deployment.yaml
index 364a3581..52f8986c 100644
--- a/deploy/helm/polaris/templates/dashboard.deployment.yaml
+++ b/deploy/helm/polaris/templates/dashboard.deployment.yaml
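Review bot: `USER 1200` switches to a numeric UID without saying why, and the reason is a cross-file dependency in this same commit: the manifests add `runAsNonRoot: true`, which the kubelet can only verify when the image's user is numeric — with the previous named `USER polaris` the containers would fail to start under that setting. A comment above the line would keep a later cleanup from reverting to the name, e.g. `# numeric UID so the kubelet can verify runAsNonRoot (a named user cannot be checked)`. The hunk header counts 8 old lines but only 6 are visible, so two blank context lines appear to have been lost in rendering.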
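Review bot: The added container `securityContext` sets `privileged`, `readOnlyRootFilesystem`, `runAsNonRoot` and drops all capabilities, but leaves `allowPrivilegeEscalation` unset, so it keeps its default of true; `allowPrivilegeEscalation: false` is the usual companion to `drop: [ALL]` because it also stops setuid or file-capability binaries from regaining privileges. The same block is added verbatim to the three other manifests in this commit (both Helm deployment templates and deploy/webhook.yaml), so the field belongs in all four. Since the commit's stated goal is a 100% score, it is worth confirming whether the validator checks this field and, if so, adding it in the same change rather than a follow-up.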
@@ -53,6 +53,13 @@ spec:
 requests:
 cpu: 100m
 memory: 128Mi
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: config
 mountPath: /opt/app/config.yaml
diff --git a/deploy/helm/polaris/templates/webhook.deployment.yaml b/deploy/helm/polaris/templates/webhook.deployment.yaml
index fb109298..861bd0e3 100644
--- a/deploy/helm/polaris/templates/webhook.deployment.yaml
+++ b/deploy/helm/polaris/templates/webhook.deployment.yaml
@@ -63,6 +63,13 @@ spec:
 requests:
 cpu: 100m
 memory: 128Mi
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: config
 mountPath: /opt/app/config.yaml
diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
index 01a194ee..43d4f78a 100644
--- a/deploy/webhook.yaml
+++ b/deploy/webhook.yaml
@@ -216,6 +216,13 @@ spec:
 requests:
 cpu: 100m
 memory: 128Mi
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: config
 mountPath: /opt/app/config.yaml
diff --git a/docs/resources.md b/docs/resources.md
index 350a9aaa..d8e4e1d9 100644
--- a/docs/resources.md
+++ b/docs/resources.md
@@ -8,10 +8,10 @@ To simplify ensure that these values have been set, the following attributes are
 key | default | description
 ----|---------|------------
-`resources.cpuRequestsMissing` | `warning` | Fails when `resources.requests.cpu` attribute is not configured.
-`resources.memoryRequestsMissing` | `warning` | Fails when `resources.requests.memory` attribute is not configured.
-`resources.cpuLimitsMissing` | `warning` | Fails when `resources.limits.cpu` attribute is not configured.
-`resources.memoryLimitsMissing` | `warning` | Fails when `resources.limits.memory` attribute is not configured.
+`resources.cpuRequestsMissing` | `error` | Fails when `resources.requests.cpu` attribute is not configured.
+`resources.memoryRequestsMissing` | `error` | Fails when `resources.requests.memory` attribute is not configured.
+`resources.cpuLimitsMissing` | `error` | Fails when `resources.limits.cpu` attribute is not configured.
+`resources.memoryLimitsMissing` | `error` | Fails when `resources.limits.memory` attribute is not configured.
 ## Range Checks
diff --git a/pkg/validator/container.go b/pkg/validator/container.go
index 6ecdf6a1..1010a3a0 100644
--- a/pkg/validator/container.go
+++ b/pkg/validator/container.go
@@ -97,7 +97,11 @@ func (cv *ContainerValidation) validateResourceRange(resourceName string, rangeC
 } else if warnBelow != nil && warnBelow.MilliValue() > res.MilliValue() {
 cv.addWarning(fmt.Sprintf(messages.ResourceAmountTooLowFailure, resourceName, warnBelow.String()), category)
 } else {
- cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
+ if warnAbove != nil || warnBelow != nil || errorAbove != nil || errorBelow != nil {
+ cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
+ } else {
+ cv.addSuccess(fmt.Sprintf(messages.ResourcePresentSuccess, resourceName), category)
+ }
 }
 }
diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go
index 6bdb5a59..d0457468 100644
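Review bot: The new `if`/`else` nested inside the final `else` of validateResourceRange reads awkwardly for what is really a fifth branch of the same chain; flattening it into an `else if` on the "no range configured" condition keeps the decision in one left-aligned chain and makes the presence-only case explicit. The rest of the function, including its signature and the `errorAbove`/`errorBelow`/`warnAbove` branches, is outside the hunk. Note also that the test changes in this commit (container_test.go) only update the run-as-root strings, so nothing asserts the new `ResourcePresentSuccess` path; a case with all four thresholds nil and the resource set would pin it.
```go
// … unchanged: errorAbove / errorBelow / warnAbove / warnBelow branches …
} else if warnAbove == nil && warnBelow == nil && errorAbove == nil && errorBelow == nil {
	// No range configured for this resource: only its presence was checked.
	cv.addSuccess(fmt.Sprintf(messages.ResourcePresentSuccess, resourceName), category)
} else {
	cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
}
```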
--- a/pkg/validator/container_test.go
+++ b/pkg/validator/container_test.go
@@ -583,7 +583,7 @@ func TestValidateSecurity(t *testing.T) {
 securityConf: standardConf,
 cv: emptyCV,
 expectedMessages: []*ResultMessage{{
- Message: "Should not be running as root",
+ Message: "Should not be allowed to run as root",
 Type: "warning",
 Category: "Security",
 }, {
@@ -625,7 +625,7 @@ func TestValidateSecurity(t *testing.T) {
 Type: "warning",
 Category: "Security",
 }, {
- Message: "Should not be running as root",
+ Message: "Should not be allowed to run as root",
 Type: "warning",
 Category: "Security",
 }, {
@@ -639,7 +639,7 @@ func TestValidateSecurity(t *testing.T) {
 securityConf: standardConf,
 cv: goodCV,
 expectedMessages: []*ResultMessage{{
- Message: "Not running as root",
+ Message: "Is not allowed to run as root",
 Type: "success",
 Category: "Security",
 }, {
@@ -669,7 +669,7 @@ func TestValidateSecurity(t *testing.T) {
 Type: "error",
 Category: "Security",
 }, {
- Message: "Not running as root",
+ Message: "Is not allowed to run as root",
 Type: "success",
 Category: "Security",
 }, {
@@ -691,7 +691,7 @@ func TestValidateSecurity(t *testing.T) {
 securityConf: strongConf,
 cv: strongCV,
 expectedMessages: []*ResultMessage{{
- Message: "Not running as root",
+ Message: "Is not allowed to run as root",
 Type: "success",
 Category: "Security",
 }, {
diff --git a/pkg/validator/messages/messages.go b/pkg/validator/messages/messages.go
index 7c2a1540..36ba6597 100644
--- a/pkg/validator/messages/messages.go
+++ b/pkg/validator/messages/messages.go
@@ -35,6 +35,8 @@ const (
 ResourceAmountTooLowFailure = "%s should be higher than %s"
 // ResourceAmountSuccess message
 ResourceAmountSuccess = "%s are within the expected range"
+ // ResourcePresentSuccess message
+ ResourcePresentSuccess = "%s are set"
 // ReadinessProbeFailure message
 ReadinessProbeFailure = "Readiness probe should be configured"
 // ReadinessProbeSuccess message
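Review bot: The comment on the new constant, `// ResourcePresentSuccess message`, matches the file's pattern but records nothing about when the message is emitted, and this one has a non-obvious trigger: per the container.go change in this commit it replaces `ResourceAmountSuccess` only when the resource is set and no warn/error range has been configured for it. `// ResourcePresentSuccess is reported when a resource is set but no range has been configured for it.` would capture that while still starting with the identifier as the file's other comments do. The const block continues on both sides of the hunk.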
@@ -56,9 +58,9 @@ const (
 // HostPortSuccess message
 HostPortSuccess = "Host port is not configured"
 // RunAsRootFailure message
- RunAsRootFailure = "Should not be running as root"
+ RunAsRootFailure = "Should not be allowed to run as root"
 // RunAsRootSuccess message
- RunAsRootSuccess = "Not running as root"
+ RunAsRootSuccess = "Is not allowed to run as root"
 // RunAsPrivilegedFailure message
 RunAsPrivilegedFailure = "Should not be running as privileged"
 // RunAsPrivilegedSuccess message