* Add persistentpostrun to root cmd and postrun to version cmd
* Change PLG link
* Add PLG link to dashboard
* <strong> the link
Co-authored-by: Andrew Suderman <andy@suderman.dev>
The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
[1]: https://golang.org/doc/go1.16#ioutil
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Enable these checks in the default configuration file, which may produce many new results:
* automountServiceAccountToken
* linuxHardening
* sensitiveConfigmapContent and sensitiveContainerEnvVar
* clusterrolebindingClusterAdmin, rolebindingClusterAdminClusterRole, and rolebindingClusterAdminRole
* clusterrolePodExecAttach, rolePodExecAttach, clusterrolebindingPodExecAttach, rolebindingClusterRolePodExecAttach, and rolebindingRolePodExecAttach
* Ignore the `missingNetworkPolicy` and `automountServiceAccountToken` checks by default
* `hasPrefix` and `hasSuffix` functions are now available in the go template
* Fix the `sensitiveContainerEnvVar` check to ignore sensitive environment
variable names when those variables use `valueFrom` to reference an
external resource.
* Add the `*ClusterAdmin` checks to `examples/config-full.yaml`.
* Exempt the prefix `system:` instead of individual entries for RBAC checks (#871)
* Add debug logging for JSON Schema validation and Go templating
* Fix `--help` to display the full Polaris usage
* add valid log possible levels to `--log-level` flag help
* add debug info
* remove extra build step
* try and fix memory usage
* fix pointers
* add more debug logs
* fix up caching for replicasets
* fix import
* replace info with debug
* add logs
* dont cache jobs
* gofmt
* fix import
* added fix command implementation
* use node api
* fix tests
* added hostport mutate rule
* update mutating server
* fix array reference and add back leading slash
* added test and refactor findNodes
* more tests
* added more test and fix issue with arrays
* rename findNode function and ensure we capture exceptions
* rename findNode function
* append array value at the end and for single item remove brackets
* append array value at the end and for single item remove brackets
* create array if it does not exists
* fix tests
* handle some exceptions
* fix tests
* fix string format
* guard for PodResult
* fix flag name
* fix privilegeEscalation check
* fix up mutations for local files
* fix pod parsing
* fix object values
* remove logspam
* fix import
* update some comments for health probes
* add an option to not apply any mutations\, and just adjust yaml formatting
* add preliminary support for helm
* logspam
* change up comment strategy
* fix object comments
* format
* fix tests
* add comments
* fix key updates
* fix mutation tests
* tidy
* refactor test
* add test
* add test
* add test for object comments
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Robert Brennan <contact@rbren.io>
* make cert dir option
* log message for multi-resource checks in admission
* Update pkg/validator/schema.go
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Pretty output: remove 2 leading line breaks and 1 trailing after container results
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* validator: don't add empty results in ApplyAllSchemaChecksToAllResources
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* Fix MockPod() fixture:
- Since now result is considered non-empty only if Kind and Name are set, needed to adjust MockPod() to make it contain Name.
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks
* Add schema tests
* Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests
* Add the new checks to the full example config
* Update checks' success/failure messages and add some helpful comments
* Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case
* Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace
* Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
* Add `target PodTemplate` which exposes the full Pod (not only the spec)
* Fix PotTemplate in conjunction with how pod-schema-checks are handled
* Add test for GO template `Polaris` sub-keys, help `NewGenericResourceFromPod` to set `PodTemplate` in more cases
* Clarify PldTemplate logic for `IsActionable()`
* Add a template `Polaris` variable, expose `Polaris.PodSpec` for checks of `target: PodSpec`.
Polaris checks that are `target: PodSpec` have reflected the original
resource (such as a pod-controller) in the Go template, instead of
reflecting the pod `spec` field. This update makes the PodSpec available
in a new template variable `Polaris.PodSpec`.
* added fix command
* update fix command to walk through the folder to find all files
* added ability to add comment
* fix comment prefix
* trim whitespaces to the line
* refactor update mutated file
* remove filepath as is not needed anymore
* remove filepath as is not needed anymore
* remove timestamp and status if creation is null
* added comments and fix tests
* remove hardcoded mutation in config
* revert comment deletion
* separate mutated to success files
* read multiple resources in a file and update both
* Remove mutation in config.yaml
* added more mutations and refactor test to test each mutation separately
* added more mutation definitions
* update spec for controller
* added mutations for cpu and memory request and limits
* update request memory mutation
* added liveness and probes
* rmeove hostport mutation
* added multiple mutations for request and limits memory
Co-authored-by: Robert Brennan <accounts@rbren.io>
* added mutation field in checks and config
* added test
* fix tests
* revert resolve export
* remove Patched resources as moving that to separate functionality apart from validation
* go mod tidy
* move mutation to the container level
* change prefix based on the resource kind
* collect all mutations from results and apply
* added test for cronjob and deployment apart from just pod
* test cronjob prefix
* return a copy of mutation
* fix tests and comments
* address feedback comments
* fix warning formating
* refactor getJSONSchemaPrefix function
This change follows up #635 and lets end-users decide to disallow exemption rules defined as part of the config file or the controller annotations (whether none, any or both). The main use case here is to be able to prevent users with edit privileges over a controller to add a new exemption rule through an annotation which may obfuscate the actual policies we want to enforce.
Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* able to run multi-resource tests
* start passing resource provider through
* working end-to-end
* better support for go templating
* fix tests
* delint
* add test
* add json annotations
* remove panics
* fix annotation
* fix for groupkinds
* add comment
* add docs
* change jsonSchema field to schemaString
* rename check
* add pdb to tests
* add ingress to tests
* update deps
* fix up policy import
* update go
* fix check name
* funk it up
* better docs
