* Add `target PodTemplate` which exposes the full Pod (not only the spec)
* Fix PotTemplate in conjunction with how pod-schema-checks are handled
* Add test for GO template `Polaris` sub-keys, help `NewGenericResourceFromPod` to set `PodTemplate` in more cases
* Clarify PldTemplate logic for `IsActionable()`
* Add a template `Polaris` variable, expose `Polaris.PodSpec` for checks of `target: PodSpec`.
Polaris checks that are `target: PodSpec` have reflected the original
resource (such as a pod-controller) in the Go template, instead of
reflecting the pod `spec` field. This update makes the PodSpec available
in a new template variable `Polaris.PodSpec`.
* added fix command
* update fix command to walk through the folder to find all files
* added ability to add comment
* fix comment prefix
* trim whitespaces to the line
* refactor update mutated file
* remove filepath as is not needed anymore
* remove filepath as is not needed anymore
* remove timestamp and status if creation is null
* added comments and fix tests
* remove hardcoded mutation in config
* revert comment deletion
* separate mutated to success files
* read multiple resources in a file and update both
* Remove mutation in config.yaml
* added more mutations and refactor test to test each mutation separately
* added more mutation definitions
* update spec for controller
* added mutations for cpu and memory request and limits
* update request memory mutation
* added liveness and probes
* rmeove hostport mutation
* added multiple mutations for request and limits memory
Co-authored-by: Robert Brennan <accounts@rbren.io>
* added mutation field in checks and config
* added test
* fix tests
* revert resolve export
* remove Patched resources as moving that to separate functionality apart from validation
* go mod tidy
* move mutation to the container level
* change prefix based on the resource kind
* collect all mutations from results and apply
* added test for cronjob and deployment apart from just pod
* test cronjob prefix
* return a copy of mutation
* fix tests and comments
* address feedback comments
* fix warning formating
* refactor getJSONSchemaPrefix function
This change follows up #635 and lets end-users decide to disallow exemption rules defined as part of the config file or the controller annotations (whether none, any or both). The main use case here is to be able to prevent users with edit privileges over a controller to add a new exemption rule through an annotation which may obfuscate the actual policies we want to enforce.
Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* able to run multi-resource tests
* start passing resource provider through
* working end-to-end
* better support for go templating
* fix tests
* delint
* add test
* add json annotations
* remove panics
* fix annotation
* fix for groupkinds
* add comment
* add docs
* change jsonSchema field to schemaString
* rename check
* add pdb to tests
* add ingress to tests
* update deps
* fix up policy import
* update go
* fix check name
* funk it up
* better docs
* Unmarshal OriginalObjectJSON into ObjectMeta
* Unmarshal to unst before converting too v1 Object
* Add passing annotated deployment webhook test case
* fix meta accessor
* fix tests
* remove logs
* fix tests
Co-authored-by: Robert Brennan <contact@rbren.io>
