* add quiet flag to polaris audit CLI command to suppress 'upload to Insights' prompt
* add docs for polaris audit --quiet option
* add additional detail about polaris audit --quiet flag
* add login flow
* add logout functionality
* improve code
* implement token and status print
* implement status command
* add user to login
* improve server port management
* improve login flow
* fix login flow
* make insights URL for login configurable
* remove comments
* fix logrus directive usage
* add upload-insights command
* remove unnecessary usage of pointer
* error when using upload-insights and audit-path simultaneously
* upload-insights support
* set priority to reports
* adds report verification
* fix logging to meet expected results
* renaming variable name
* improve results printing
* improve variable naming
* remove TODO
* Update checks severities (#950)
* change all ignore checks to warning
* promoting checks initially warning that should be danger.
* fixing docs and examples
* adds changelog
* fix changelog version
* improve general error message
* update workloads to be able to grab its version
* print URL on stdout on browser error
* use os.WriteFile instead of low-level API
* renaming fn params
* add insights client
* validating token on auth status
* minor fix
* only query for re-auth if token is still valid
* update some dependencies in go and CI (#951)
* update some dependencies
* update testing requirements
* Fix cert-manager
* lots of deprecated versions
* attempts
* review suggestions
* avoid nil pointer
* fix fixtures
* fix test
---------
Co-authored-by: Robert Brennan <contact@rbren.io>
* update changelog
---------
Co-authored-by: Andrew Suderman <andy@fairwinds.com>
Co-authored-by: Robert Brennan <contact@rbren.io>
* change all ignore checks to warning
* promoting checks initially warning that should be danger.
* fixing docs and examples
* adds changelog
* fix changelog version
* Update docs with new checks; make sure both config-full has all config.yml checks
* Update doc on mutating webhooks
---------
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Enable these checks in the default configuration file, which may produce many new results:
* automountServiceAccountToken
* linuxHardening
* sensitiveConfigmapContent and sensitiveContainerEnvVar
* clusterrolebindingClusterAdmin, rolebindingClusterAdminClusterRole, and rolebindingClusterAdminRole
* clusterrolePodExecAttach, rolePodExecAttach, clusterrolebindingPodExecAttach, rolebindingClusterRolePodExecAttach, and rolebindingRolePodExecAttach
* Ignore the `missingNetworkPolicy` and `automountServiceAccountToken` checks by default
* `hasPrefix` and `hasSuffix` functions are now available in the go template
* Fix the `sensitiveContainerEnvVar` check to ignore sensitive environment
variable names when those variables use `valueFrom` to reference an
external resource.
* Add the `*ClusterAdmin` checks to `examples/config-full.yaml`.
* Exempt the prefix `system:` instead of individual entries for RBAC checks (#871)
* Update docs to reflect `target: PodTemplate` and the template being available via the `Polaris.PodTemplate` variable RE: PR #801
* Fix typo
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Add a template `Polaris` variable, expose `Polaris.PodSpec` for checks of `target: PodSpec`.
Polaris checks that are `target: PodSpec` have reflected the original
resource (such as a pod-controller) in the Go template, instead of
reflecting the pod `spec` field. This update makes the PodSpec available
in a new template variable `Polaris.PodSpec`.
This change follows up #635 and lets end-users decide to disallow exemption rules defined as part of the config file or the controller annotations (whether none, any or both). The main use case here is to be able to prevent users with edit privileges over a controller from adding a new exemption rule through an annotation which may obfuscate the actual policies we want to enforce.
Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>