* first pass at adding exemptions
* Update config.yaml
* make config_test more reliable
* add flag to disallow exemptions in dashboard
* add disallow-exemptions flag to CLI
* add comments
* fix exemptions flag
* fix alert on dashboard
* minor style changes
* added ability to run dashboard from a stored audit result file.
* added ability to run dashboard from a stored audit result file.
* more changes
* debugging
* de
* all working as anticipated locally
* .
* updated way of decoding YAML/JSON files.
* removed unneeded code
* renamed fn names, moved logic around and cleaned up main.go
* deleted output files from weird places.
* deleted test file
* Added testing for webhook using KIND
* fixed branching error
* added tests to CircleCI
* added tests to CircleCI
* attempt to stop failing circleci test
* moved location of testing for webhook in CircleCI
* debugging
* more debugging
* .
* .
* added download of webhook to test
* ..
* ...
* corrected sleep command
* .
* .
* code working now, clean up
* testing smaller sleep times
* increased sleep time
* responded to comments on github
* .
* debug
* more edits
* debugging second test failing.
* debugging
* tests doing opposite of what they should be debugging.
* debugging
* .
* .
* fixing error in installation of webhook.
* .
* timeout increase
* trying to install webhook
* .
* .
* webhook still not installing properly
* ..
* ..
* add log message
* ..
* changed order of test_k8s, removed set -e
* ..
* namespace polaris
* .
* .......
* initial testing for new strategy.
* initial testing for new strategy.
* .
* ...
* final edits, working now
* fixed files, cleaned up logs, added more detail to webhook starting documentation.
* ?
* added test files for other controller types, adding testing for them in webhook_test.sh
* increased sleep time
* testing
* finally added tests for jobs
* changed while loop condition to include webhook.
* .
* lskdfsjkl
* sd
* lskfjlskj
* .
* final
* added timeout test for dashboard to try to alleviate error
* .
* .
* install the dashboard
* ...
* initial test for new kube_dashboard_test
* initial test for new kube_dashboard_test
* ?
* deleting unused code
* final change for dashboard test
* final
**Changes**
- Refactored the way controllers work to be an interface
- Added configurable controllers to include in scans
- Added daemonsets, jobs and cronjobs in scans
- Added `ReplicationController` type controllers to the supported list
- Adjusted logic for failed YAML parsing to bubble up errors
- Added better logic for calculating summaries on cluster wide results
- Relocated responsibilities for counting types into validators vs spreading it around more packages
- Fixed bug where cronjob parsing was using wrong KIND
- Added fixtures for mocking new controller types
- Added example yamls to test scanning files
- Added functions to NamespacedResult(s) to reduce code complexity of deep set iterations
- Refactored how results get added to namespacedresults so adding more later is easier
- Minor signature changes for interface implementing structs for controllers
* add pod test
* add pod test 2
* update tests
* Added pod tests for configured Host IPC, Host PID, and Host Network.
* Fixed expected vs. actual mixup
* Fixing Container Security Context Logic
Kubernetes rationalizes Container Security Context in conjunction with the
Pod Spec Security Context. In this scenario you can 'leave out' certain
security context settings and rely on the pod spec definition to still
set these settings for you. The RunAsNonRoot setting originally only checked
to see if the value was set at the container level, vs also checking if it
was enabled at the pod level.
I have attached the container's parent pod spec to the container validate
struct in case any other things like this arise in the future.
I have also refactored the logic for validating bool pointers, since these
can be tricky if you want to avoid pointer dereference issues.
Changes:
- Added parent pod spec of container to validate certain settings which affect container spec
- Refactored the logic statements for validating bool pointers (used helpers)
- Added tests for this pod.container.securityContext condition
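The inheritance rule described in that message, as an added example that is not Polaris's own code: the container-level `securityContext` overrides the pod-level one field by field, so a check that only reads the container field reports a false negative when `runAsNonRoot: true` is set on the pod and omitted on the container, and a false positive is impossible only if the container-level `false` is also honoured as an override. The struct types below are simplified stand-ins for the `corev1.PodSpec`, `corev1.PodSecurityContext` and `corev1.SecurityContext` shapes (assumed, so the example runs without the Kubernetes API module); the fixture pods and the helper names are constructed for illustration.

```go
package main

import "fmt"

// Simplified stand-ins for the corev1 types; only the fields this check
// needs are modelled (an assumption for the example, not the real API).
type PodSecurityContext struct {
	RunAsNonRoot *bool
}

type SecurityContext struct {
	RunAsNonRoot *bool
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type PodSpec struct {
	SecurityContext *PodSecurityContext
	Containers      []Container
}

// boolPtrTrue is the nil-safe bool-pointer helper: a nil *bool means
// "unset" and is never dereferenced.
func boolPtrTrue(b *bool) bool { return b != nil && *b }

// containerOnlyRunAsNonRoot reproduces the original, incomplete check that
// looked at the container security context alone.
func containerOnlyRunAsNonRoot(c Container) bool {
	return c.SecurityContext != nil && boolPtrTrue(c.SecurityContext.RunAsNonRoot)
}

// effectiveRunAsNonRoot resolves the value the kubelet actually applies:
// an explicit container setting (true or false) wins; otherwise the
// pod-level setting is inherited; if neither is set the default is false.
func effectiveRunAsNonRoot(pod *PodSpec, c Container) bool {
	if c.SecurityContext != nil && c.SecurityContext.RunAsNonRoot != nil {
		return *c.SecurityContext.RunAsNonRoot
	}
	if pod != nil && pod.SecurityContext != nil && pod.SecurityContext.RunAsNonRoot != nil {
		return *pod.SecurityContext.RunAsNonRoot
	}
	return false
}

// auditRunAsNonRoot returns the names of containers whose effective
// runAsNonRoot is not true, carrying the parent pod spec into each check.
func auditRunAsNonRoot(pod *PodSpec) []string {
	var failing []string
	for _, c := range pod.Containers {
		if !effectiveRunAsNonRoot(pod, c) {
			failing = append(failing, c.Name)
		}
	}
	return failing
}

func boolPtr(b bool) *bool { return &b }

// examplePod is a constructed fixture: runAsNonRoot is set on the pod,
// "app" inherits it, "sidecar" explicitly opts out, "init" sets it itself.
func examplePod() *PodSpec {
	return &PodSpec{
		SecurityContext: &PodSecurityContext{RunAsNonRoot: boolPtr(true)},
		Containers: []Container{
			{Name: "app"},
			{Name: "sidecar", SecurityContext: &SecurityContext{RunAsNonRoot: boolPtr(false)}},
			{Name: "init", SecurityContext: &SecurityContext{RunAsNonRoot: boolPtr(true)}},
		},
	}
}

func main() {
	pod := examplePod()
	for _, c := range pod.Containers {
		fmt.Printf("%-8s container-only=%-5v effective=%v\n",
			c.Name, containerOnlyRunAsNonRoot(c), effectiveRunAsNonRoot(pod, c))
	}
	fmt.Println("failing:", auditRunAsNonRoot(pod))
}
```

The container-only check flags "app" even though the pod makes it non-root, while the resolved check flags only "sidecar", which explicitly overrides the pod-level setting back to false.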