* update
* update go mod
* tidy
* revert go mod
* fix port
* move pod test case
* downgrade controller-runtime
* revert updates
* fix nil pointer
* add logs
* fix var
* remove test requirement
* fix decoder
* fix mutate
* fix test case
* fix logs
* fmt
* fix owned pods in mutate
* fix test
* add logs
* add mutations to tests
* convert to json for patch
* fix up tests
* remove nil check
* fix logs
* add logs
* add env vars to webhook tests
* add login flow
* add logout functionality
* improve code
* implement token and status print
* implement status command
* add user to login
* improve server port management
* improve login flow
* fix login flow
* make insights URL for login configurable
* remove comments
* fix logrus directive usage
* add upload-insights command
* remove unnecessary usage of pointer
* error when using upload-insights and audit-path simultaneously
* upload-insights support
* set priority to reports
* adds report verification
* fix logging to meet expected results
* renaming variable name
* improve results printing
* improve variable naming
* remove TODO
* Update checks severities (#950)
* change all ignore checks to warning
* promoting checks initially warning that should be danger.
* fixing docs and examples
* adds changelog
* fix changelog version
* improve general error message
* update workloads to be able to grab their version
* print URL on stdout on browser error
* use os.WriteFile instead of low-level API
* renaming fn params
* add insights client
* validating token on auth status
* minor fix
* only query for re-auth if token is still valid
* update some dependencies in go and CI (#951)
* update some dependencies
* update testing requirements
* Fix cert-manager
* lots of deprecated versions
* attempts
* review suggestions
* avoid nil pointer
* fix fixtures
* fix test
---------
Co-authored-by: Robert Brennan <contact@rbren.io>
* update changelog
---------
Co-authored-by: Andrew Suderman <andy@fairwinds.com>
Co-authored-by: Robert Brennan <contact@rbren.io>
* Add persistentpostrun to root cmd and postrun to version cmd
* Change PLG link
* Add PLG link to dashboard
* <strong> the link
Co-authored-by: Andrew Suderman <andy@suderman.dev>
The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
[1]: https://golang.org/doc/go1.16#ioutil
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Enable these checks in the default configuration file, which may produce many new results:
* automountServiceAccountToken
* linuxHardening
* sensitiveConfigmapContent and sensitiveContainerEnvVar
* clusterrolebindingClusterAdmin, rolebindingClusterAdminClusterRole, and rolebindingClusterAdminRole
* clusterrolePodExecAttach, rolePodExecAttach, clusterrolebindingPodExecAttach, rolebindingClusterRolePodExecAttach, and rolebindingRolePodExecAttach
* Ignore the `missingNetworkPolicy` and `automountServiceAccountToken` checks by default
* `hasPrefix` and `hasSuffix` functions are now available in the go template
* Fix the `sensitiveContainerEnvVar` check to ignore sensitive environment
variable names when those variables use `valueFrom` to reference an
external resource.
* Add the `*ClusterAdmin` checks to `examples/config-full.yaml`.
* Exempt the prefix `system:` instead of individual entries for RBAC checks (#871)
* Add debug logging for JSON Schema validation and Go templating
* Fix `--help` to display the full Polaris usage
* add valid log possible levels to `--log-level` flag help
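The `sensitiveContainerEnvVar` fix and the `sensitiveConfigmapContent` check listed above, as an added example in Go (not Polaris's own code): a name-based credential matcher applied to container env vars, where anything using `valueFrom` is skipped because the value is a reference, not a literal, and the same matcher applied to ConfigMap keys. The struct types are minimal stand-ins for the core/v1 API, the sensitive-word list and the sample manifest data are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Minimal stand-ins for the core/v1 env types; field names mirror the API
// (assumption, so the example runs with the standard library alone).
type KeySelector struct{ Name, Key string }

type EnvVarSource struct {
	SecretKeyRef    *KeySelector
	ConfigMapKeyRef *KeySelector
}

type EnvVar struct {
	Name      string
	Value     string        // inline literal: lands in the manifest and in `kubectl get -o yaml`
	ValueFrom *EnvVarSource // reference to a Secret/ConfigMap key: the value stays out of the manifest
}

type Container struct {
	Name string
	Env  []EnvVar
}

// sensitiveName matches identifiers that usually carry credentials. The word
// list is this example's assumption, not Polaris's own list.
var sensitiveName = regexp.MustCompile(`(?i)(password|passwd|secret|token|api[_-]?key|private[_-]?key|credential)`)

func isSensitiveName(name string) bool { return sensitiveName.MatchString(name) }

// Finding is one inline credential: which container and which variable.
type Finding struct{ Container, EnvName string }

// SensitiveContainerEnvVars flags env vars whose name looks sensitive and
// whose value is written inline. Anything using valueFrom is skipped: the
// name only says what the variable holds, the value itself lives elsewhere.
func SensitiveContainerEnvVars(cs []Container) []Finding {
	var out []Finding
	for _, c := range cs {
		for _, e := range c.Env {
			if e.ValueFrom != nil {
				continue
			}
			if isSensitiveName(e.Name) {
				out = append(out, Finding{c.Name, e.Name})
			}
		}
	}
	return out
}

// SensitiveConfigMapKeys applies the same matcher to ConfigMap data keys.
// ConfigMaps are plain, unencrypted objects, so a key named like a credential
// belongs in a Secret. Keys come back sorted for deterministic output.
func SensitiveConfigMapKeys(data map[string]string) []string {
	var keys []string
	for k := range data {
		if isSensitiveName(k) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// SampleContainers and SampleConfigMap are constructed inputs for this example.
func SampleContainers() []Container {
	return []Container{
		{Name: "app", Env: []EnvVar{
			{Name: "DB_HOST", Value: "db.internal"},
			{Name: "DB_PASSWORD", Value: "hunter2"},                                                           // flagged: literal credential
			{Name: "AWS_SECRET_ACCESS_KEY", ValueFrom: &EnvVarSource{SecretKeyRef: &KeySelector{"aws", "secret"}}}, // skipped: reference
		}},
		{Name: "sidecar", Env: []EnvVar{
			{Name: "API_KEY", Value: "abc123"},                                                                  // flagged
			{Name: "TOKEN_TTL", ValueFrom: &EnvVarSource{ConfigMapKeyRef: &KeySelector{"settings", "ttl"}}}, // skipped despite the name
		}},
	}
}

func SampleConfigMap() map[string]string {
	return map[string]string{"smtp_host": "mail.internal", "smtp_password": "changeme", "timeout": "30"}
}

func main() {
	for _, f := range SensitiveContainerEnvVars(SampleContainers()) {
		fmt.Printf("container %q sets %s inline; use valueFrom.secretKeyRef instead\n", f.Container, f.EnvName)
	}
	for _, k := range SensitiveConfigMapKeys(SampleConfigMap()) {
		fmt.Printf("ConfigMap key %q looks like a credential; move it to a Secret\n", k)
	}
}
```

Running it reports `DB_PASSWORD` and `API_KEY` but not `TOKEN_TTL`, which is exactly the false positive the fix above removes: a sensitive-looking name backed by a `configMapKeyRef` or `secretKeyRef` reveals nothing in the manifest.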
* add debug info
* remove extra build step
* try and fix memory usage
* fix pointers
* add more debug logs
* fix up caching for replicasets
* fix import
* replace info with debug
* add logs
* don't cache jobs
* gofmt
* fix import
* added fix command implementation
* use node api
* fix tests
* added hostport mutate rule
* update mutating server
* fix array reference and add back leading slash
* added test and refactor findNodes
* more tests
* added more test and fix issue with arrays
* rename findNode function and ensure we capture exceptions
* rename findNode function
* append array value at the end and for single item remove brackets
* append array value at the end and for single item remove brackets
* create array if it does not exist
* fix tests
* handle some exceptions
* fix tests
* fix string format
* guard for PodResult
* fix flag name
* fix privilegeEscalation check
* fix up mutations for local files
* fix pod parsing
* fix object values
* remove logspam
* fix import
* update some comments for health probes
* add an option to not apply any mutations, and just adjust yaml formatting
* add preliminary support for helm
* logspam
* change up comment strategy
* fix object comments
* format
* fix tests
* add comments
* fix key updates
* fix mutation tests
* tidy
* refactor test
* add test
* add test
* add test for object comments
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Robert Brennan <contact@rbren.io>
* make cert dir option
* log message for multi-resource checks in admission
* Update pkg/validator/schema.go
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Pretty output: remove 2 leading line breaks and 1 trailing after container results
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* validator: don't add empty results in ApplyAllSchemaChecksToAllResources
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* Fix MockPod() fixture:
- Since now result is considered non-empty only if Kind and Name are set, needed to adjust MockPod() to make it contain Name.
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks
* Add schema tests
* Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests
* Add the new checks to the full example config
* Update checks' success/failure messages and add some helpful comments
* Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case
* Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace
* Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
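The pod exec/attach checks described in the commits above, as an added example in Go that is not Polaris's own code. It detects Roles and ClusterRoles that let a subject create `pods/exec` or `pods/attach` (including the wildcard forms the RBAC authorizer accepts) and then evaluates bindings by following `roleRef`. Where the page lists separate checks per binding and role kind, this example folds them into one function keyed on the roleRef kind. Two behaviours are assumptions: a dangling roleRef passes with an explanatory message, and objects named `system:...` are skipped. The struct types are stand-ins for rbac/v1 and the sample objects are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the rbac/v1 types; field names mirror the API
// (assumption, so the example runs with the standard library alone).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

type Role struct {
	Kind, Namespace, Name string // Kind is "Role" or "ClusterRole"
	Rules                 []PolicyRule
}

type RoleRef struct{ Kind, Name string }

type Binding struct {
	Kind, Namespace, Name string // Kind is "RoleBinding" or "ClusterRoleBinding"
	RoleRef               RoleRef
}

// resourceMatches follows the RBAC authorizer: "*", the exact
// "resource/subresource", "resource/*" and "*/subresource" all cover a subresource.
func resourceMatches(ruleRes, resource, sub string) bool {
	return ruleRes == "*" || ruleRes == resource+"/"+sub ||
		ruleRes == resource+"/*" || ruleRes == "*/"+sub
}

func anyMatch(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// GrantsPodExecAttach reports whether a Role/ClusterRole lets its holder
// create pods/exec or pods/attach, i.e. run kubectl exec/attach in any pod
// the binding reaches. The core API group is the empty string.
func GrantsPodExecAttach(r Role) bool {
	for _, rule := range r.Rules {
		if !anyMatch(rule.APIGroups, "") || !anyMatch(rule.Verbs, "create") {
			continue
		}
		for _, res := range rule.Resources {
			if resourceMatches(res, "pods", "exec") || resourceMatches(res, "pods", "attach") {
				return true
			}
		}
	}
	return false
}

// lookupRole resolves a binding's roleRef: a ClusterRole by name, or a Role
// in the binding's own namespace (a RoleBinding may point at either kind).
func lookupRole(b Binding, roles []Role) (Role, bool) {
	for _, r := range roles {
		if r.Kind == b.RoleRef.Kind && r.Name == b.RoleRef.Name &&
			(r.Kind == "ClusterRole" || r.Namespace == b.Namespace) {
			return r, true
		}
	}
	return Role{}, false
}

// Verdict is one check result for one binding.
type Verdict struct {
	Binding string
	Passed  bool
	Message string
}

// CheckBindingsPodExecAttach fails every binding whose roleRef resolves to a
// role granting pods/exec or pods/attach. "system:" objects are skipped
// (assumption: the prefix exemption for default objects) and a dangling
// roleRef passes with a message (assumption: a reference to nothing grants nothing).
func CheckBindingsPodExecAttach(bindings []Binding, roles []Role) []Verdict {
	var out []Verdict
	for _, b := range bindings {
		if strings.HasPrefix(b.Name, "system:") {
			continue
		}
		id := b.Kind + "/" + b.Name
		role, ok := lookupRole(b, roles)
		switch {
		case !ok:
			out = append(out, Verdict{id, true, fmt.Sprintf("roleRef %s/%s does not exist; nothing is granted", b.RoleRef.Kind, b.RoleRef.Name)})
		case GrantsPodExecAttach(role):
			out = append(out, Verdict{id, false, fmt.Sprintf("binds %s/%s, which allows pods/exec or pods/attach", role.Kind, role.Name)})
		default:
			out = append(out, Verdict{id, true, "roleRef does not allow pods/exec or pods/attach"})
		}
	}
	return out
}

// SampleObjects is constructed input for this example, not real cluster data.
func SampleObjects() ([]Binding, []Role) {
	roles := []Role{
		{Kind: "ClusterRole", Name: "debugger", Rules: []PolicyRule{{[]string{""}, []string{"pods/exec"}, []string{"create"}}}},
		{Kind: "ClusterRole", Name: "viewer", Rules: []PolicyRule{{[]string{""}, []string{"pods", "pods/log"}, []string{"get", "list"}}}},
		{Kind: "Role", Namespace: "team-a", Name: "ops", Rules: []PolicyRule{{[]string{"*"}, []string{"pods/*"}, []string{"*"}}}},
		{Kind: "Role", Namespace: "team-b", Name: "ops", Rules: []PolicyRule{{[]string{""}, []string{"pods"}, []string{"get"}}}},
	}
	bindings := []Binding{
		{Kind: "ClusterRoleBinding", Name: "debuggers", RoleRef: RoleRef{"ClusterRole", "debugger"}},            // fail
		{Kind: "RoleBinding", Namespace: "team-a", Name: "view", RoleRef: RoleRef{"ClusterRole", "viewer"}},     // pass
		{Kind: "RoleBinding", Namespace: "team-a", Name: "ops", RoleRef: RoleRef{"Role", "ops"}},                // fail: wildcards
		{Kind: "RoleBinding", Namespace: "team-b", Name: "ops", RoleRef: RoleRef{"Role", "ops"}},                // pass: same name, harmless Role
		{Kind: "RoleBinding", Namespace: "team-c", Name: "stale", RoleRef: RoleRef{"Role", "ops"}},              // pass: no Role in team-c
		{Kind: "ClusterRoleBinding", Name: "system:controller:x", RoleRef: RoleRef{"ClusterRole", "debugger"}}, // skipped
	}
	return bindings, roles
}

func main() {
	bindings, roles := SampleObjects()
	for _, v := range CheckBindingsPodExecAttach(bindings, roles) {
		fmt.Printf("%-34s passed=%-5v %s\n", v.Binding, v.Passed, v.Message)
	}
}
```

The two `ops` Roles show why the lookup must be namespaced: the same roleRef name resolves to a wildcard role in `team-a` and to a read-only one in `team-b`, and only the former should fail.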
* Add `target PodTemplate` which exposes the full Pod (not only the spec)
* Fix PodTemplate in conjunction with how pod-schema-checks are handled
* Add test for GO template `Polaris` sub-keys, help `NewGenericResourceFromPod` to set `PodTemplate` in more cases
* Clarify PodTemplate logic for `IsActionable()`
* Add a template `Polaris` variable, expose `Polaris.PodSpec` for checks of `target: PodSpec`.
Polaris checks that are `target: PodSpec` have reflected the original
resource (such as a pod-controller) in the Go template, instead of
reflecting the pod `spec` field. This update makes the PodSpec available
in a new template variable `Polaris.PodSpec`.
* added fix command
* update fix command to walk through the folder to find all files
* added ability to add comment
* fix comment prefix
* trim whitespaces to the line
* refactor update mutated file
* remove filepath as is not needed anymore
* remove filepath as is not needed anymore
* remove timestamp and status if creation is null
* added comments and fix tests
* remove hardcoded mutation in config
* revert comment deletion
* separate mutated to success files
* read multiple resources in a file and update both
* Remove mutation in config.yaml
* added more mutations and refactor test to test each mutation separately
* added more mutation definitions
* update spec for controller
* added mutations for cpu and memory request and limits
* update request memory mutation
* added liveness and probes
* remove hostport mutation
* added multiple mutations for request and limits memory
Co-authored-by: Robert Brennan <accounts@rbren.io>
* added mutation field in checks and config
* added test
* fix tests
* revert resolve export
* remove Patched resources as moving that to separate functionality apart from validation
* go mod tidy
* move mutation to the container level
* change prefix based on the resource kind
* collect all mutations from results and apply
* added test for cronjob and deployment apart from just pod
* test cronjob prefix
* return a copy of mutation
* fix tests and comments
* address feedback comments
* fix warning formatting
* refactor getJSONSchemaPrefix function