github/polaris
1
0
Fork 0
mirror of https://github.com/FairwindsOps/polaris.git synced 2026-05-08 10:16:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
906 Commits 28 Branches 117 Tags
rb/machine
Commit Graph

60 Commits

Author SHA1 Message Date
Robert Brennan
f753fc91f2 Support multi-resource templates (#524) 
* able to run multi-resource tests

* start passing resource provider through

* working end-to-end

* better support for go templating

* fix tests

* delint

* add test

* add json annotations

* remove panics

* fix annotation

* fix for groupkinds

* add comment

* add docs

* change jsonSchema field to schemaString

* rename check

* add pdb to tests

* add ingress to tests

* update deps

* fix up policy import

* update go

* fix check name

* funk it up

* better docs
 2021-05-06 14:01:20 -04:00
Robert Brennan
371e30fe3d Add support for check templates (#520) 
* Add basic flow

* Add arbitrary validator

* Pipe config through to resource provider

* Set arbitraries on resource provider

* Add arbitrary validation to fullaudit

* Add conf argument

* Fix resource setting from string

* PR updates

* Fix nil map error

* Delete lingering print, add pdb check, start implementing validator test

* move ingress to arbitrary

* fix compile

* refactor a bunch

* add tls tests

* tests passing

* resource provider helper

* refactor tests

* fix exemptions

* fix check test

* fix up resource creation from API

* fix init containers

* fix cronjob test

* fix pod tests

* combine controllers and-noncontrollers in resource provider

* delint

* add ingress backward compat

* fix tests

* reenable test

* rename a fn

* remove unused fn

* remove if

* first pass

* more progress

* debug

* update jsonschema

* Revert "update jsonschema"

This reverts commit 45e6c398ff.

* Revert "Revert "update jsonschema""

This reverts commit f8c5ec223824694c43a6af9dae9319f1f0e30b37.

* templating working

* rename check

* add failure details to results

* minor edits

* add runAsRoot test

* Revert "Revert "Revert "update jsonschema"""

This reverts commit fcdacdc3c22e32c580541901f99e154d00bedbc8.

* minor fixes

* most tests passing

* fix json annotations

* logspam

* delint

* add comment

Co-authored-by: Jordan Doig <jordan.steele.doig@gmail.com>
 2021-04-09 09:08:31 -04:00
Jordan Doig
63fd576d3e Add support for arbitrary Kinds (#505) 
* Add basic flow

* Add arbitrary validator

* Pipe config through to resource provider

* Set arbitraries on resource provider

* Add arbitrary validation to fullaudit

* Add conf argument

* Fix resource setting from string

* PR updates

* Fix nil map error

* Delete lingering print, add pdb check, start implementing validator test

* move ingress to arbitrary

* fix compile

* refactor a bunch

* add tls tests

* tests passing

* resource provider helper

* refactor tests

* fix exemptions

* fix check test

* fix up resource creation from API

* fix init containers

* fix cronjob test

* fix pod tests

* combine controllers and-noncontrollers in resource provider

* delint

* add ingress backward compat

* fix tests

* reenable test

* rename a fn

* remove unused fn

* remove if

Co-authored-by: Robert Brennan <contact@rbren.io>
 2021-03-26 08:29:59 -04:00
Robert Brennan
c16aac808f fix checks for k8s defaults (#496) 
* fix insecure caps check

* add more tests

* fix privilege escalation allowed
 2021-02-11 17:11:16 -05:00
skatika
86b3ab5186 Revert nil slice declarations 2020-12-22 14:27:53 -05:00
skatika
564803c9f8 Fix instructions 2020-12-22 14:10:15 -05:00
skatika
dd2976794a Implement namespace and container exemptions. Also refactoring according to gofmt 2020-12-18 09:50:04 -05:00
skatika
fdd30717e5 Remove unused parameter 2020-12-17 09:54:29 -05:00
baderbuddy
b3f1b3b478 Recategorize the results into standard categories. (#434) 
* Initial checkin for recategorizing checks

* Fix tests

* Fix tests

* Update example output
 2020-11-04 10:17:37 -05:00
baderbuddy
7c9f01639b Update dependencies (#400) 
* Start working on updating dependencies:

* Fix webhook

* Rollback jsonschema update

* Checkin new config

* Fix run as root

* Update versions of kind

* Fix typo in kind URL

* Fix kind config

* Add csr permissions

* Fix weird image thing

* Fixed certificates

* Add to logging

* Approve cert manually

* Fix approval

* Add cert script

* Fix deployment

* Add requests/limits

* Wait if certificate doesn't exist yet

* Add check for file size

* Add variable

* Try a different imagE

* Fix command

* Update certificate logic

* Add healthz

* Don't check cert size

* Remove stat

* Fix vet

* Put in change that makes no sense

* Fix cert names

* Roll back

* Try changing config

* Add logging for each request

* Cleanup code some

* Remove bad deployments

* Fix client injection

* Update timeout

* Add logging

* Fixed e2e webhook tests

* Add permissions for approval

* Fix permissions for CSR

* Remove logging code

* Remove refresh certs file

* Fix merge issues

* Update deployments

* Try beta of admission controller config

* Target 1.15 for testing

* Add beta versions of resourceS

* Lower webhook timeout

* Refactor out a method

* Fix up PR issues

* Fix more tabs

* Remove unnecessary messageS

* Fix go.sum

* Fix go.sum
 2020-09-11 08:53:14 -04:00
Robert Brennan
2ac6a2b540 Change error to danger (#299) 
* rename 'error' to 'danger'

* update dashboard

* fix docs

* update deploy configs
 2020-05-19 08:41:07 -04:00
baderbuddy
d50d9c81f8 Add the capability for controller level checks (#285) 
* Add controller level checks

* Add check for multipleReplicas

* Fixed spec

* Add controller level check

* Move controller schema checks to their own function.
 2020-05-18 14:57:35 -04:00
baderbuddy
69621f7034 Improve performance (#278) 
* rename root fs check

* speed up docker build

* refactor webhook to be more generic

* delete controllers pkg

* revert deploy

* fix example config

* remove controllersToScan config

* fix lint error

* fix webhook name

* FileSystem -> Filesystem

* update deps

* skip node owners

* clean up meta tracking

* Cache results of dynamic queries

* Dynamically pick types to list.

* Fix unit tests

* Fix the other tests I missed

* Fix container test

* Fix issues from PR feedback

Co-authored-by: Robert Brennan <bobby.brennan@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
 2020-05-01 13:29:29 -04:00
Robert Brennan
6792fba91f Delete controllers package (#270) 
* rename root fs check

* speed up docker build

* refactor webhook to be more generic

* delete controllers pkg

* revert deploy

* fix example config

* remove controllersToScan config

* fix lint error

* fix webhook name

* FileSystem -> Filesystem

* update deps

* skip node owners

* clean up meta tracking

Co-authored-by: Robert Brennan <bobby.brennan@gmail.com>
 2020-04-27 10:43:02 -04:00
Bader Boland
68fe23018a Feedback from PR 2020-03-23 09:27:36 -04:00
Bader Boland
7f71a352a7 Remove kebab case 2020-01-28 09:34:52 -05:00
Bader Boland
56bba70ef3 Add ability to exclude individual tests 2020-01-24 08:53:34 -05:00
Robert Brennan
e6a44c6ff8 formatting change 2020-01-14 14:50:35 +00:00
Robert Brennan
7637108234 refactor ValidateContainers 2020-01-14 14:50:34 +00:00
Robert Brennan
51cd3523fc messages -> results 2020-01-14 14:50:34 +00:00
Robert Brennan
9f7caabef4 change message type to boolean 2020-01-14 14:50:34 +00:00
Robert Brennan
2770be643f Refactor validation 2020-01-14 14:50:34 +00:00
Robert Brennan
917e630697 move some tests 2020-01-02 20:49:51 +00:00
Robert Brennan
04da47d83e change input config to simplify things 2020-01-02 17:55:21 +00:00
Robert Brennan
5efa416ea9 implement custom checks, implement resource ranges as custom check 2020-01-02 17:55:21 +00:00
Robert Brennan
7b0fe81d01 implement capabilities checks in JSON schema 2020-01-02 17:55:21 +00:00
Robert Brennan
ad3a8e6748 move runAsRootAllowed over to jsonschema 2019-12-23 20:32:38 +00:00
Robert Brennan
3fa627a2cd move networking checks over to json schema 2019-12-23 20:32:38 +00:00
Robert Brennan
30b49c4d7b implement image checks using json schema 2019-12-23 20:32:38 +00:00
Robert Brennan
f2c5752718 migrate health checks to schemas 2019-12-23 20:32:38 +00:00
Robert Brennan
98b47e0aeb Fix resource success messages (#223) 
* add success messages when resources are set

* add tests
 2019-11-13 14:07:32 -05:00
Robert Brennan
4eeabb2c7f pass RunAsNonRoot if RunAsUser > 0 (#219) 2019-11-11 13:21:32 -05:00
Robert Brennan
22ab851681 skip health checks for jobs, cronjobs, and initContainers (#216) 2019-11-06 13:31:17 -05:00
Robert Brennan
2b15f11d57 Add exemptions to config (#204) 
* first pass at adding exemptions

* Update config.yaml

* make config_test more reliable

* add flag to disallow exemptions in dashboard

* add disallow-exemptions flag to CLI

* add comments

* fix exemptions flag

* fix alert on dashboard

* minor style changes
 2019-10-23 17:14:03 -04:00
Robert Brennan
434b1f604f Create capabilitiesAdded and capabilitiesDropped IDs (#207) 
* ensure check IDs are unique

* create capabilitiesAdded and capabilitiesDropped check IDs
 2019-10-02 08:51:47 -04:00
Robert Brennan
c91a85a08a add IDs to each check (#197) 2019-09-11 14:07:08 -04:00
Bobby Brennan
20bd32afb6 Rename ReactiveOps to Fairwinds (#180) 
* Rename ReactiveOps to Fairwinds

* Rename ReactiveOps to Fairwinds
 2019-07-30 15:29:09 -04:00
Nick Huanca
4c7429efbc #146 Fixing Container Security Context Logic (#149) 
* Fixing Container Security Context Logic

Kubernetes rationalizes Container Security Context in conjunction with the
Pod Spec Security Context. In this scenario you can 'leave out' certain
security context settings and rely on the pod spec definition to still
set these settings for you. The RunAsNonRoot setting originally only checked
to see if the value was set at the container level, vs also checking if it
was enabled at the pod level.

I have attached the container's parent pod spec to the container validate
struct in case any other things like this arise in the future.

I have also refactored the logic for validating bool pointers, since these
can be tricky, if you want to avoid dereferences pointer issues.

Changes:
- Added parent pod spec of container to validate certain settings which affect container spec
- Refactored the logic statements for validating bool pointers (used helpers)
- Added tests for this pod.container.securityContext condition
 2019-06-18 11:04:38 -06:00
Rob Scott
9a03f87c0b adding exception for init container resource checks 2019-05-23 16:50:37 +02:00
Rob Scott
f5c7087d6d ensuring that readiness probes in init containers are not validated to fix #112 2019-05-20 21:35:44 +02:00
Rob Scott
02d4444196 updating error message for resource presence checks, updating deployment config to pass with 100% 2019-05-13 22:33:35 -04:00
Bobby Brennan
9bcb832bbd rename all the things 2019-05-09 15:59:23 +00:00
Rob Scott
40e1c1f827 adding image pull policy validation 2019-05-01 16:00:59 -04:00
Bobby Brennan
55363fd7a8 Add categories to dashboard 
add version, cluster stats to output

add comment

update UI

changes to summary aggregation

add category summaries to dash
 2019-04-23 15:07:50 +00:00
Rob Scott
674696c7e1 restructuring config to match up with docs 2019-04-22 12:58:25 -04:00
Bobby Brennan
3ce7e12082 Add version, cluster stats to output and UI (#61) 
* add version, cluster stats to output

* add comment

* fix tests

* add categories to messages

* fix tests

* update UI

* remove empty category totals field

* k8smeta -> metav1
 2019-04-22 12:01:18 -04:00
Bobby Brennan
bcff5f10bc pull out messages into separate file, some rephrasing 
phrasing

fix tests
 2019-04-12 14:56:25 +00:00
Rob Scott
9cfd2b6417 security validation fixes and more thorough tests 2019-04-05 15:10:11 -04:00
Rob Scott
3ea06b81ee security validations fully working 2019-04-05 15:10:11 -04:00
Rob Scott
82164105d7 initial work on security validations 2019-04-05 15:10:00 -04:00