72 Commits

Author SHA1 Message Date
ivanfetch-fw
206322271c FWI-2509: Add sensitiveContainerEnvVar and sensitiveConfigMapContent checks (#817)
* Add sensitiveContainerEnvVar and sensitiveConfigMapContent checks

* Update full example configfile
2022-08-05 11:58:57 -04:00
ivanfetch-fw
e5b9236268 FWI-2476: Add missingNetworkPolicy, automountServiceAccountToken, and linuxHardening checks (#816)
* Add missingNetworkPolicy, automountServiceAccountToken, and linuxHardening checks
2022-08-05 09:44:18 -06:00
Robert Brennan
08682075c6 Enable pullPolicyNotAlways (#795)
* add more mutations

* fix tests

* add more test cases

* Update insecureCapabilities.yaml

* Update dangerousCapabilities.yaml

* fix tests

* fix tests

* add pullPolicyNotAlways as default mutation
2022-07-11 13:20:17 -04:00
Robert Brennan
50319fb1b8 fix webhook test (#798)
* add logs to webhook test

* fix cleanup

* add more logs

* fix webhook test
2022-07-11 13:06:21 -04:00
Barnabas Makonda
25a120ba65 update dependencies (#777) 2022-06-07 20:27:26 +03:00
Robert Brennan
f71ca999c9 Change target: Pod to target: PodSpec (#726)
* change target pod to target pod spec

* add checks

* update docs

* fix tests

Co-authored-by: MAKOSCAFEE <barnabasmakonda@gmail.com>
2022-06-07 07:37:25 -06:00
Robert Brennan
6c33168378 update release process (#744)
* update release process

* fix lint

* remove kubectl docs

* update webhook install

* fix webhook_test

* fix dashboard test

* Update kube_dashboard_test.sh

* Update webhook_test.sh

Co-authored-by: Barnabas Makonda <6409210+makoscafee@users.noreply.github.com>
2022-04-28 17:16:17 -04:00
Barnabas Makonda
a59063bdb2 Add fix command to mutate and update IaC (#746)
* added fix command

* update fix command to walk through the folder to find all files

* added ability to add comment

* fix comment prefix

* trim whitespaces to the line

* refactor update mutated file

* remove filepath as it is not needed anymore

* remove filepath as it is not needed anymore

* remove timestamp and status if creation is null

* added comments and fix tests

* remove hardcoded mutation in config

* revert comment deletion

* separate mutated to success files

* read multiple resources in a file and update both

* Remove mutation in config.yaml
2022-04-28 18:28:33 +03:00
Barnabas Makonda
321bfa8f1f Added more mutations and refactor test to test each mutation separately (#734)
* added more mutations and refactor test to test each mutation separately

* added more mutation definitions

* update spec for controller

* added mutations for cpu and memory request and limits

* update request memory mutation

* added liveness and probes

* remove hostport mutation

* added multiple mutations for request and limits memory

Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-04-08 17:19:14 +03:00
Andrew Suderman
78838a606d Add a --namespace flag to the in-cluster audit (#742) 2022-04-08 07:54:03 -06:00
Andrew Suderman
bd8b2962dc Fix license headers (#736)
* Update license headers

* Fmt

Co-authored-by: Barnabas Makonda <6409210+makoscafee@users.noreply.github.com>
2022-03-31 11:02:10 -04:00
Barnabas Makonda
a4c0b0f555 Add mutation field to imagePolicyNotAlways (#712)
* added mutation field in checks and config

* added test

* fix tests

* revert resolve export

* remove Patched resources as moving that to separate functionality apart from validation

* go mod tidy

* move mutation to the container level

* change prefix based on the resource kind

* collect all mutations from results and apply

* added test for cronjob and deployment apart from just pod

* test cronjob prefix

* return a copy of mutation

* fix tests and comments

* address feedback comments

* fix warning formatting

* refactor getJSONSchemaPrefix function
2022-03-25 16:38:58 +03:00
Barnabas Makonda
e91b9b8824 Update severity for polaris check (#690)
* update severity for polaris check

* update test checks

* update changelog and fix test failure

* update tests/checks

* update replicas for webhook

* update config-full.yaml

* update tags

Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-01-20 17:08:39 +03:00
Robert Brennan
c0d8eb6318 handle case-insensitivity for capabilities (#619)
* handle lowercase letters in ALL for capabilities

* change all caps to regexp

* revert file
2021-08-31 11:40:47 -04:00
Robert Brennan
19bf91e13b change test for PDB disruptions (#620) 2021-08-31 11:40:36 -04:00
Robert Brennan
b923caf79e better support for namespaces in additional schemas (#593)
* better support for namespaces in additional schemas

* add alertmanager check

* Revert " revert file"

This reverts commit f55839b87aeec5af20ac28ecff664d17ac1159b3.

* remove alertmanager check
2021-07-27 10:31:34 -04:00
Cydnee Owens
cbc15ad069 Pod level testing (#546)
* update runAsPrivileged to test at pod level

* update runAsPrivileged to test at pod level

* add pod level success/failure tests

* add insecure capabilities pod level testing

* update checks to include good/bad security

* update checks for good/bad security

* remove good security from runAsPrivileged
2021-05-25 12:59:28 -04:00
Cydnee Owens
1ede736971 update notReadOnlyRootFilesystem check (#543)
* update notReadOnlyRootFilesystem check

* remove run as user

* add pod level testing to notreadonlyrootFileSystem and update schema_test.go file

Co-authored-by: Robert Brennan <accounts@rbren.io>
2021-05-24 15:21:04 -07:00
Cydnee Owens
1935abd563 Test layout refactor (#545)
* refactor test structure

* update syntax to include template/spec layout

* update syntax to include template/spec layout

Co-authored-by: Robert Brennan <accounts@rbren.io>
2021-05-24 16:30:10 -04:00
Cydnee Owens
842ccf4853 Multiple replicas (#534)
* add file structure and success/failure yaml files

* add success/fail check tests for liveness probe missing

* add success/fail check tests for readiness probe missing

* add cpu limit missing success/failure

* add cpu requests missing success/failure

* add hostPortMissing success/failure

* add readinessProbeMissing success/failure

* Add success/failure test for dangerousCapabilities

* add success test

* submit for review for potential bug

* remove outdated files

* fix test cases

Co-authored-by: Robert Brennan <contact@rbren.io>
Co-authored-by: Robert Brennan <accounts@rbren.io>
2021-05-18 13:16:08 -07:00
Cydnee Owens
2c56a313a1 add failure, failure.latest and success.yaml file (#541)
Co-authored-by: Robert Brennan <accounts@rbren.io>
2021-05-18 12:40:55 -07:00
Cydnee Owens
d011bb454a add failure.all.yaml for dangerouscapabilities test (#538)
* add failure.all.yaml for dangerouscapabilities test

* change to [ALL] failing test

* add failure.all.yaml for dangerouscapabilities test

* change to [ALL] failing test

* fix dangerous caps test

Co-authored-by: Robert Brennan <contact@rbren.io>
2021-05-11 13:12:46 -07:00
Cydnee Owens
c9811171ce Check testing (#535)
* add file structure and success/failure yaml files

* add success/fail check tests for liveness probe missing

* add success/fail check tests for readiness probe missing

* add cpu limit missing success/failure

* add cpu requests missing success/failure

* add hostPortMissing success/failure

* add readinessProbeMissing success/failure

* Add success/failure test for dangerousCapabilities

* add success test

* add success/failure tests

* name change pdbDisruptionsGreaterThanZero to pdbDisruptionsIsZero for test

Co-authored-by: Robert Brennan <accounts@rbren.io>
2021-05-07 09:46:26 -07:00
Cydnee Owens
30eebaf16a add memory limits and requests success/failure tests (#537) 2021-05-06 14:15:22 -07:00
Robert Brennan
f753fc91f2 Support multi-resource templates (#524)
* able to run multi-resource tests

* start passing resource provider through

* working end-to-end

* better support for go templating

* fix tests

* delint

* add test

* add json annotations

* remove panics

* fix annotation

* fix for groupkinds

* add comment

* add docs

* change jsonSchema field to schemaString

* rename check

* add pdb to tests

* add ingress to tests

* update deps

* fix up policy import

* update go

* fix check name

* funk it up

* better docs
2021-05-06 14:01:20 -04:00
Cydnee Owens
239a321588 Liveness probe (#529)
* add file structure and success/failure yaml files

* add success/fail check tests for liveness probe missing

* add success/fail check tests for readiness probe missing

* add cpu limit missing success/failure

* add cpu requests missing success/failure

* add hostPortMissing success/failure

* add readinessProbeMissing success/failure

* delete misspelled file folder readinessProb

Co-authored-by: Robert Brennan <accounts@rbren.io>
2021-05-06 09:11:10 -07:00
Robert Brennan
371e30fe3d Add support for check templates (#520)
* Add basic flow

* Add arbitrary validator

* Pipe config through to resource provider

* Set arbitraries on resource provider

* Add arbitrary validation to fullaudit

* Add conf argument

* Fix resource setting from string

* PR updates

* Fix nil map error

* Delete lingering print, add pdb check, start implementing validator test

* move ingress to arbitrary

* fix compile

* refactor a bunch

* add tls tests

* tests passing

* resource provider helper

* refactor tests

* fix exemptions

* fix check test

* fix up resource creation from API

* fix init containers

* fix cronjob test

* fix pod tests

* combine controllers and non-controllers in resource provider

* delint

* add ingress backward compat

* fix tests

* reenable test

* rename a fn

* remove unused fn

* remove if

* first pass

* more progress

* debug

* update jsonschema

* Revert "update jsonschema"

This reverts commit 45e6c398ff.

* Revert "Revert "update jsonschema""

This reverts commit f8c5ec223824694c43a6af9dae9319f1f0e30b37.

* templating working

* rename check

* add failure details to results

* minor edits

* add runAsRoot test

* Revert "Revert "Revert "update jsonschema"""

This reverts commit fcdacdc3c22e32c580541901f99e154d00bedbc8.

* minor fixes

* most tests passing

* fix json annotations

* logspam

* delint

* add comment

Co-authored-by: Jordan Doig <jordan.steele.doig@gmail.com>
2021-04-09 09:08:31 -04:00
Jordan Doig
63fd576d3e Add support for arbitrary Kinds (#505)
* Add basic flow

* Add arbitrary validator

* Pipe config through to resource provider

* Set arbitraries on resource provider

* Add arbitrary validation to fullaudit

* Add conf argument

* Fix resource setting from string

* PR updates

* Fix nil map error

* Delete lingering print, add pdb check, start implementing validator test

* move ingress to arbitrary

* fix compile

* refactor a bunch

* add tls tests

* tests passing

* resource provider helper

* refactor tests

* fix exemptions

* fix check test

* fix up resource creation from API

* fix init containers

* fix cronjob test

* fix pod tests

* combine controllers and non-controllers in resource provider

* delint

* add ingress backward compat

* fix tests

* reenable test

* rename a fn

* remove unused fn

* remove if

Co-authored-by: Robert Brennan <contact@rbren.io>
2021-03-26 08:29:59 -04:00
Jordan Doig
4c3d0e0603 Set full object ObjectMeta on new workload from Pod (#471)
* Unmarshal OriginalObjectJSON into ObjectMeta

* Unmarshal to unst before converting to v1 Object

* Add passing annotated deployment webhook test case

* fix meta accessor

* fix tests

* remove logs

* fix tests

Co-authored-by: Robert Brennan <contact@rbren.io>
2021-02-26 15:33:40 -05:00
Robert Brennan
a5852f3003 Make it easier to run webhook tests locally (#476)
* make it easy to run webhook tests locally

* modify tests so they run locally

* follow the logs

* add instructions

* make it easy to run webhook tests locally

* modify tests so they run locally

* follow the logs

* add instructions

* use universal date command

* fix sed command for portability

* fix date command

* make entire image configurable

* fix instructions
2021-02-16 11:48:19 -05:00
Robert Brennan
c16aac808f fix checks for k8s defaults (#496)
* fix insecure caps check

* add more tests

* fix privilege escalation allowed
2021-02-11 17:11:16 -05:00
Jordan Doig
bc866a4d18 Merge branch 'master' into jd/out-of-control 2021-01-14 11:20:35 -07:00
Robert Brennan
ec557f7ce8 Update dependencies (#470)
* update to v20

* fix tests
2021-01-08 14:01:01 -05:00
Jordan Doig
3a8655de81 Update validate ingress test 2021-01-04 20:44:38 -07:00
Jordan Doig
8840f0dc5b Remove last ControllerResult reference 2021-01-04 10:08:57 -07:00
skatika
86b3ab5186 Revert nil slice declarations 2020-12-22 14:27:53 -05:00
skatika
a4e45a0e95 Merge branch 'master' of github.com:FairwindsOps/polaris into ssk/container-exemptions
# Conflicts:
#	README.md
#	pkg/validator/controller_test.go
#	pkg/validator/fullaudit_test.go
2020-12-18 09:57:35 -05:00
skatika
dd2976794a Implement namespace and container exemptions. Also refactoring according to gofmt 2020-12-18 09:50:04 -05:00
Robert Brennan
7c98598858 Fix test fixtures, add a test for controllers (#455)
* first pass at fixing test fixtures

* tests mostly working

* add controller test

* remove debug stuff

* delint

* revert test file

* remove extra controllers from fixtures

* delint

* fix messages
2020-12-17 17:32:01 -05:00
skatika
fdd30717e5 Remove unused parameter 2020-12-17 09:54:29 -05:00
baderbuddy
86b856a88c Update yaml to latest chart version (#443)
* Update yaml to latest chart version

* Install cert-manager

* Try quoting set

* Try more logging

* Try earlier version of cert-manager

* Update issuer NS

* Fix test mistake

* Fix certificate values

Co-authored-by: Robert Brennan <accounts@rbren.io>
2020-12-04 10:40:27 -05:00
baderbuddy
7c9f01639b Update dependencies (#400)
* Start working on updating dependencies:

* Fix webhook

* Rollback jsonschema update

* Checkin new config

* Fix run as root

* Update versions of kind

* Fix typo in kind URL

* Fix kind config

* Add csr permissions

* Fix weird image thing

* Fixed certificates

* Add to logging

* Approve cert manually

* Fix approval

* Add cert script

* Fix deployment

* Add requests/limits

* Wait if certificate doesn't exist yet

* Add check for file size

* Add variable

* Try a different image

* Fix command

* Update certificate logic

* Add healthz

* Don't check cert size

* Remove stat

* Fix vet

* Put in change that makes no sense

* Fix cert names

* Roll back

* Try changing config

* Add logging for each request

* Cleanup code some

* Remove bad deployments

* Fix client injection

* Update timeout

* Add logging

* Fixed e2e webhook tests

* Add permissions for approval

* Fix permissions for CSR

* Remove logging code

* Remove refresh certs file

* Fix merge issues

* Update deployments

* Try beta of admission controller config

* Target 1.15 for testing

* Add beta versions of resources

* Lower webhook timeout

* Refactor out a method

* Fix up PR issues

* Fix more tabs

* Remove unnecessary messages

* Fix go.sum

* Fix go.sum
2020-09-11 08:53:14 -04:00
Robert Brennan
b4e3d40f4b Add priority class check, some test infra (#342)
* add check for priority-class

* add test message

* lint
2020-06-22 16:34:48 -04:00
Robert Brennan
b557786325 Stop webhook from preventing scaling events (#293)
* test deployment scaling

* stop watching pods in the webhook

* fix check

* add pod check back

* skip webhook for owned pods
2020-05-18 15:17:21 -04:00
Robert Brennan
6792fba91f Delete controllers package (#270)
* rename root fs check

* speed up docker build

* refactor webhook to be more generic

* delete controllers pkg

* revert deploy

* fix example config

* remove controllersToScan config

* fix lint error

* fix webhook name

* FileSystem -> Filesystem

* update deps

* skip node owners

* clean up meta tracking

Co-authored-by: Robert Brennan <bobby.brennan@gmail.com>
2020-04-27 10:43:02 -04:00
Bader Boland
a5828a2d3b Fix tests 2020-03-25 14:23:18 -04:00
Bader Boland
7fdebfc4db Fix tests 2020-03-17 09:19:33 -04:00
Robert Brennan
33d4192871 fix test deploy files 2020-03-06 18:39:56 +00:00
Robert Brennan
d2bb2f126b test extra controller versions 2020-02-26 19:26:18 +00:00
Robert Brennan
3e9193af7f remove cronjob cases 2020-02-25 21:39:46 +00:00