* Add persistentpostrun to root cmd and postrun to version cmd
* Change PLG link
* Add PLG link to dashboard
* <strong> the link
Co-authored-by: Andrew Suderman <andy@suderman.dev>
The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
[1]: https://golang.org/doc/go1.16#ioutil
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Enable these checks in the default configuration file, which may produce many new results:
* automountServiceAccountToken
* linuxHardening
* sensitiveConfigmapContent and sensitiveContainerEnvVar
* clusterrolebindingClusterAdmin, rolebindingClusterAdminClusterRole, and rolebindingClusterAdminRole
* clusterrolePodExecAttach, rolePodExecAttach, clusterrolebindingPodExecAttach, rolebindingClusterRolePodExecAttach, and rolebindingRolePodExecAttach
* Ignore the `missingNetworkPolicy` and `automountServiceAccountToken` checks by default
* `hasPrefix` and `hasSuffix` functions are now available in the go template
* Fix the `sensitiveContainerEnvVar` check to ignore sensitive environment
variable names when those variables use `valueFrom` to reference an
external resource.
* Add the `*ClusterAdmin` checks to `examples/config-full.yaml`.
* Exempt the prefix `system:` instead of individual entries for RBAC checks (#871)
* Add debug logging for JSON Schema validation and Go templating
* Fix `--help` to display the full Polaris usage
* add valid log possible levels to `--log-level` flag help
* Use goreleaser to build and push docker images
* Update CircleCI config to install goreleaser dependencies
* Update goreleaser.sh to create a temporary tag when CIRCLE_TAG is not set
* Update Dockerfile for goreleaser
* Update goreleaser.sh to trap errors and cleanup temporary git branch, for local runs
* Update goreleaser.sh to envsubst specific variables, to not break the `sign` section using signature and artifact variables
* Fix goreleaser.sh logic to only release when CIRCLE_TAG is set
* add debug info
* remove extra build step
* try and fix memory usage
* fix pointers
* add more debug logs
* fix up caching for replicasets
* fix import
* replace info with debug
* add logs
* dont cache jobs
* gofmt
* fix import
* added fix command implementation
* use node api
* fix tests
* added hostport mutate rule
* update mutating server
* fix array reference and add back leading slash
* added test and refactor findNodes
* more tests
* added more test and fix issue with arrays
* rename findNode function and ensure we capture exceptions
* rename findNode function
* append array value at the end and for single item remove brackets
* append array value at the end and for single item remove brackets
* create array if it does not exists
* fix tests
* handle some exceptions
* fix tests
* fix string format
* guard for PodResult
* fix flag name
* fix privilegeEscalation check
* fix up mutations for local files
* fix pod parsing
* fix object values
* remove logspam
* fix import
* update some comments for health probes
* add an option to not apply any mutations\, and just adjust yaml formatting
* add preliminary support for helm
* logspam
* change up comment strategy
* fix object comments
* format
* fix tests
* add comments
* fix key updates
* fix mutation tests
* tidy
* refactor test
* add test
* add test
* add test for object comments
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Robert Brennan <contact@rbren.io>
* make cert dir option
* log message for multi-resource checks in admission
* Update pkg/validator/schema.go
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Update README.md
Updates to the header and opening paragraphs.
* Update README.md
* Update README.md
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Pretty output: remove 2 leading line breaks and 1 trailing after container results
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* validator: don't add empty results in ApplyAllSchemaChecksToAllResources
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* Fix MockPod() fixture:
- Since now result is considered non-empty only if Kind and Name are set, needed to adjust MockPod() to make it contain Name.
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks
* Add schema tests
* Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests
* Add the new checks to the full example config
* Update checks' success/failure messages and add some helpful comments
* Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case
* Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace
* Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
