Robert Brennan
b6c6bbe893
update docs ( #846 )
7.1.1
2022-09-22 11:18:44 -04:00
Robert Brennan
8e7100acaf
Add debug info to kube resources, better caching strategy ( #840 )
...
* add debug info
* remove extra build step
* try and fix memory usage
* fix pointers
* add more debug logs
* fix up caching for replicasets
* fix import
* replace info with debug
* add logs
* don't cache jobs
* gofmt
* fix import
7.1.0
2022-09-16 10:07:20 -04:00
Robert Brennan
42d2b3368b
update deps ( #841 )
...
* update deps
* update go
* update to go 1.19
* fix cimg
* fix work dir
* fix golint
* revert jsonschema
* fix packr2
2022-09-15 15:32:43 -04:00
Barnabas Makonda
4d96993a18
[FWI-2357] Let Polaris modify YAML without losing comments/formatting ( #821 )
...
* added fix command implementation
* use node api
* fix tests
* added hostport mutate rule
* update mutating server
* fix array reference and add back leading slash
* added test and refactor findNodes
* more tests
* added more test and fix issue with arrays
* rename findNode function and ensure we capture exceptions
* rename findNode function
* append array value at the end and for single item remove brackets
* append array value at the end and for single item remove brackets
* create array if it does not exists
* fix tests
* handle some exceptions
* fix tests
* fix string format
* guard for PodResult
* fix flag name
* fix privilegeEscalation check
* fix up mutations for local files
* fix pod parsing
* fix object values
* remove logspam
* fix import
* update some comments for health probes
* add an option to not apply any mutations, and just adjust yaml formatting
* add preliminary support for helm
* logspam
* change up comment strategy
* fix object comments
* format
* fix tests
* add comments
* fix key updates
* fix mutation tests
* tidy
* refactor test
* add test
* add test
* add test for object comments
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Robert Brennan <contact@rbren.io>
2022-09-15 12:38:22 -04:00
Robert Brennan
1486e3090f
Add warning message for multi-schema checks in admission ( #839 )
...
* make cert dir option
* log message for multi-resource checks in admission
* Update pkg/validator/schema.go
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
2022-09-14 09:01:27 -06:00
Danielle Cook
a2eaa210f6
Update README.md ( #833 )
...
* Update README.md
Updates to the header and opening paragraphs.
* Update README.md
* Update README.md
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-09-14 09:13:17 -04:00
Robert Brennan
e8e642b010
update dependencies ( #836 )
...
* update dependencies
* revert
* update x/net
2022-09-13 12:15:37 -04:00
Terraform User
1b50b85157
Managed by Terraform
2022-09-13 08:31:02 -06:00
Terraform User
5f7bbd981b
Managed by Terraform
2022-09-07 11:05:01 -06:00
Terraform User
3cf4a88b93
Managed by Terraform
2022-09-07 11:02:30 -06:00
Terraform User
5a2a72b582
Managed by Terraform
2022-09-07 11:02:28 -06:00
Igor Beliakov
01dd7b7b68
Omit empty results, make pretty output less verbose ( #767 )
...
* Pretty output: remove 2 leading line breaks and 1 trailing after container results
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* validator: don't add empty results in ApplyAllSchemaChecksToAllResources
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* Fix MockPod() fixture:
- Since a result is now considered non-empty only if Kind and Name are set, MockPod() needed to be adjusted so that it contains a Name.
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-08-25 10:34:06 -04:00
Robert Brennan
6b64369698
Update changelog.md ( #825 )
...
* Update changelog.md
* Update changelog.md
2022-08-24 12:38:15 -04:00
dependabot[bot]
9448686168
Bump k8s.io/client-go from 0.24.3 to 0.24.4 ( #828 )
...
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.24.3 to 0.24.4.
- [Release notes](https://github.com/kubernetes/client-go/releases)
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.24.3...v0.24.4)
---
updated-dependencies:
- dependency-name: k8s.io/client-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Barnabas Makonda <6409210+makoscafee@users.noreply.github.com>
2022-08-24 12:50:18 +03:00
ivanfetch-fw
01d7a8ac00
FWI-2547: Add checks for RBAC allowing execing or attaching to a Pod ( #820 )
...
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks
* Add schema tests
* Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests
* Add the new checks to the full example config
* Update checks' success/failure messages and add some helpful comments
* Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case
* Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace
* Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
2022-08-23 12:09:44 -06:00
ivanfetch-fw
742b21c6a2
FWI-2582: Add clusterrolebindingClusterAdmin, rolebindingClusterAdminRole, and rolebindingClusterAdminClusterRole checks + schema tests ( #823 )
...
* Add `clusterrolebindingClusterAdmin`, `rolebindingClusterAdminRole`, and `rolebindingClusterAdminClusterRole` checks + schema tests
* Update `rolebindingClusterAdminClusterRole` check to explicitly match the `cluster-admin` default ClusterRole, fix `...all_verbs` schema test, add schema checks for unrelated permissions
2022-08-22 09:50:58 -06:00
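The two commits above (#820 and #823) add RBAC checks for Roles and bindings that allow exec/attach into Pods, and for bindings to cluster-admin. What follows is an added, stand-alone Go sketch of that kind of detection logic; it is not Polaris's code and uses minimal stand-in structs rather than k8s.io/api/rbac/v1. The example's own assumptions: wildcard handling follows RBAC's matching rules ("*" and "resource/*"), both `create` (kubectl's POST) and `get` (the websocket path) on pods/exec and pods/attach are treated as granting access, a roleRef that resolves to nothing is reported as a pass with an explanatory message, and the ClusterRoleBinding named cluster-admin that Kubernetes bootstraps is skipped.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the RBAC API types; a real check would use k8s.io/api/rbac/v1.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type Role struct {
	Kind, Namespace, Name string // Kind is "Role" or "ClusterRole"; Namespace is empty for a ClusterRole
	Rules                 []PolicyRule
}
type RoleRef struct{ Kind, Name string }
type Binding struct {
	Kind, Namespace, Name string // Kind is "RoleBinding" or "ClusterRoleBinding"
	RoleRef               RoleRef
}

// Result is the pass/fail-plus-message shape a check reports.
type Result struct {
	Passed  bool
	Message string
}

// matches reports whether an RBAC rule entry covers target, honouring the "*" wildcard
// and the "resource/*" subresource wildcard that RBAC evaluation accepts.
func matches(entries []string, target string) bool {
	for _, e := range entries {
		if e == "*" || e == target || (strings.HasSuffix(e, "/*") && strings.HasPrefix(target, strings.TrimSuffix(e, "*"))) {
			return true
		}
	}
	return false
}

// kubectl exec/attach POST to the subresource (verb "create"); the websocket path uses
// GET (verb "get"), so either verb counts. Pods live in the core API group, named "".
var execAttachVerbs = []string{"create", "get"}
var execAttachResources = []string{"pods/exec", "pods/attach"}

// GrantsPodExecAttach lists the exec/attach subresources a Role or ClusterRole permits.
func GrantsPodExecAttach(r Role) []string {
	var granted []string
	for _, res := range execAttachResources {
	rules:
		for _, rule := range r.Rules {
			if !matches(rule.APIGroups, "") || !matches(rule.Resources, res) {
				continue
			}
			for _, verb := range execAttachVerbs {
				if matches(rule.Verbs, verb) {
					granted = append(granted, res)
					break rules
				}
			}
		}
	}
	return granted
}

// RolePodExecAttach is the Role/ClusterRole-level check.
func RolePodExecAttach(r Role) Result {
	if granted := GrantsPodExecAttach(r); len(granted) > 0 {
		return Result{false, fmt.Sprintf("%s %s grants %s, allowing commands to run inside Pods", r.Kind, r.Name, strings.Join(granted, " and "))}
	}
	return Result{true, fmt.Sprintf("%s %s does not allow exec or attach to Pods", r.Kind, r.Name)}
}

// lookupRole resolves a binding's roleRef; a RoleBinding may only reference a Role in its
// own namespace, while ClusterRoles are cluster-scoped.
func lookupRole(b Binding, roles []Role) *Role {
	for i, r := range roles {
		if r.Kind == b.RoleRef.Kind && r.Name == b.RoleRef.Name && (r.Kind == "ClusterRole" || r.Namespace == b.Namespace) {
			return &roles[i]
		}
	}
	return nil
}

// BindingPodExecAttach is the binding-level check; refKind selects which flavour is evaluated,
// since a RoleBinding may reference either a Role or a ClusterRole. A binding whose roleRef is
// another kind passes, and so does one whose roleRef resolves to nothing: a dangling reference
// grants no permissions, though the message still points it out.
func BindingPodExecAttach(b Binding, refKind string, roles []Role) Result {
	if b.RoleRef.Kind != refKind {
		return Result{true, fmt.Sprintf("%s %s references a %s, which this check does not evaluate", b.Kind, b.Name, b.RoleRef.Kind)}
	}
	ref := lookupRole(b, roles)
	if ref == nil {
		return Result{true, fmt.Sprintf("%s %s references %s %s, which does not exist", b.Kind, b.Name, b.RoleRef.Kind, b.RoleRef.Name)}
	}
	if granted := GrantsPodExecAttach(*ref); len(granted) > 0 {
		return Result{false, fmt.Sprintf("%s %s binds %s %s, which grants %s", b.Kind, b.Name, ref.Kind, ref.Name, strings.Join(granted, " and "))}
	}
	return Result{true, fmt.Sprintf("%s %s binds %s %s, which does not allow exec or attach", b.Kind, b.Name, ref.Kind, ref.Name)}
}

// BindsClusterAdmin flags any binding whose roleRef is named cluster-admin, skipping the
// ClusterRoleBinding of that name that Kubernetes itself bootstraps for system:masters.
func BindsClusterAdmin(b Binding) Result {
	if b.Kind == "ClusterRoleBinding" && b.Name == "cluster-admin" {
		return Result{true, "default cluster-admin ClusterRoleBinding is ignored"}
	}
	if b.RoleRef.Name == "cluster-admin" {
		return Result{false, fmt.Sprintf("%s %s grants the cluster-admin %s", b.Kind, b.Name, b.RoleRef.Kind)}
	}
	return Result{true, fmt.Sprintf("%s %s does not reference cluster-admin", b.Kind, b.Name)}
}
```

A rule with `apiGroups: ["*"]`, `resources: ["pods/*"]`, `verbs: ["*"]` is reported for both subresources, while a read-only rule on `pods` and `pods/log` passes; a RoleBinding in one namespace never resolves a Role of the same name in another, so it passes with the "does not exist" message rather than being silently skipped.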
Robert Brennan
b90f091bb6
fix polaris cves ( #824 )
7.0.2
2022-08-22 09:44:44 -04:00
ivanfetch-fw
e3a6cb3774
Fix namespace checking when validating additional schemas which are not namespaced ( #822 )
2022-08-18 18:34:32 -06:00
dependabot[bot]
7addced32c
Bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 ( #815 )
...
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.8.1 to 1.9.0.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.8.1...v1.9.0)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-18 16:53:49 -04:00
dependabot[bot]
7e77350428
Bump sigs.k8s.io/controller-runtime from 0.12.1 to 0.12.3 ( #814 )
...
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.12.1 to 0.12.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.12.1...v0.12.3)
---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-18 16:53:39 -04:00
dependabot[bot]
af0d548a07
Bump k8s.io/apimachinery from 0.24.1 to 0.24.3 ( #807 )
...
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.24.1 to 0.24.3.
- [Release notes](https://github.com/kubernetes/apimachinery/releases)
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.24.1...v0.24.3)
---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Barnabas Makonda <6409210+makoscafee@users.noreply.github.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-08-18 16:45:12 -04:00
dependabot[bot]
3efa3b40c9
Bump k8s.io/client-go from 0.24.1 to 0.24.3 ( #806 )
...
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.24.1 to 0.24.3.
- [Release notes](https://github.com/kubernetes/client-go/releases)
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.24.1...v0.24.3)
---
updated-dependencies:
- dependency-name: k8s.io/client-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-08-18 16:45:03 -04:00
ivanfetch-fw
206322271c
FWI-2509: Add sensitiveContainerEnvVar and sensitiveConfigMapContent checks ( #817 )
...
* Add sensitiveContainerEnvVar and sensitiveConfigMapContent checks
* Update full example configfile
2022-08-05 11:58:57 -04:00
ivanfetch-fw
e5b9236268
FWI-2476: Add missingNetworkPolicy, automountServiceAccountToken, and linuxHardening checks ( #816 )
...
* Add missingNetworkPolicy, automountServiceAccountToken, and linuxHardening checks
2022-08-05 09:44:18 -06:00
ivanfetch-fw
c3b57bf6c7
target: container also populates .Polaris.PodSpec|PodTemplate + a new .Polaris.Container representing the currently checked container, GetPodTemplate serializes data to work around a DeepCopy bug with type int (#812 )
2022-07-29 07:45:56 -06:00
Igor Beliakov
652b65b3c2
fix: properly remove emojis in pretty format with no color ( #765 )
...
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-07-28 15:39:17 -04:00
dependabot[bot]
41030320bb
Bump github.com/stretchr/testify from 1.7.1 to 1.8.0 ( #786 )
...
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.7.1 to 1.8.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.7.1...v1.8.0)
---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-07-28 15:30:09 -04:00
dependabot[bot]
76c42c4799
Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 ( #813 )
...
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.4.0...v1.5.0)
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-07-28 15:29:58 -04:00
dependabot[bot]
65add73e70
Bump k8s.io/api from 0.24.1 to 0.24.3 ( #808 )
...
Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.24.1 to 0.24.3.
- [Release notes](https://github.com/kubernetes/api/releases)
- [Commits](https://github.com/kubernetes/api/compare/v0.24.1...v0.24.3)
---
updated-dependencies:
- dependency-name: k8s.io/api
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Barnabas Makonda <6409210+makoscafee@users.noreply.github.com>
2022-07-28 15:21:50 -04:00
Igor Beliakov
a0000e1919
Suppress empty results when --only-show-failed-tests is passed ( #811 )
...
* Suppress empty results when --only-show-failed-tests is passed
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* Fix remaining typo
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-07-26 09:31:08 -04:00
dependabot[bot]
f9e2603b16
Bump alpine from 3.16.0 to 3.16.1 ( #810 )
...
Bumps alpine from 3.16.0 to 3.16.1.
---
updated-dependencies:
- dependency-name: alpine
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-07-25 17:21:08 +03:00
ivanfetch-fw
50d789fd42
Fix resourceKindMap.addResource() to not assume every Kind has an APIGroup ( #805 )
...
This was causing the `ResourceProvider.Resources` map to essentially
lose resources with no APIGroup, such as ServiceAccounts.
2022-07-15 13:53:41 -06:00
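The bug described in the commit above, assuming every Kind has an API group, comes from the core ("legacy") Kubernetes API group having the empty string as its name: a Pod or ServiceAccount carries `apiVersion: v1` with no group segment. The added Go example below is not Polaris's code (the illustrative `ResourceIndex` stands in for the `resourceKindMap` the commit refers to); it shows a correct apiVersion split next to a naive one, and how an index keyed on the naive group silently drops core-group resources on lookup while group-qualified kinds still work.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupVersion splits a Kubernetes apiVersion into API group and version. Resources in the
// core ("legacy") group, such as Pod, Service and ServiceAccount, use apiVersion "v1" with
// no group segment, so their group is the empty string, not "v1".
func GroupVersion(apiVersion string) (group, version string) {
	if i := strings.LastIndex(apiVersion, "/"); i >= 0 {
		return apiVersion[:i], apiVersion[i+1:]
	}
	return "", apiVersion
}

// Group is GroupVersion's group component, in the shape ResourceIndex expects.
func Group(apiVersion string) string {
	g, _ := GroupVersion(apiVersion)
	return g
}

// naiveGroup assumes every apiVersion has a group segment, turning "v1" into group "v1".
// It is written here only to show the effect of that assumption; it is not Polaris's code.
func naiveGroup(apiVersion string) string {
	return strings.Split(apiVersion, "/")[0]
}

type Resource struct{ APIVersion, Kind, Name string }

// ResourceIndex groups resources under a "group/Kind" key, the way a scanner must when a
// check targets a particular kind. groupOf is injected so both keying strategies can be compared.
type ResourceIndex struct {
	groupOf func(apiVersion string) string
	byKind  map[string][]Resource
}

func NewIndex(groupOf func(string) string) *ResourceIndex {
	return &ResourceIndex{groupOf: groupOf, byKind: map[string][]Resource{}}
}

func (idx *ResourceIndex) Add(r Resource) {
	key := idx.groupOf(r.APIVersion) + "/" + r.Kind
	idx.byKind[key] = append(idx.byKind[key], r)
}

// Lookup returns the resources of a kind in a group; the core group is looked up as "".
func (idx *ResourceIndex) Lookup(group, kind string) []Resource {
	return idx.byKind[group+"/"+kind]
}

// Sample resources, constructed for this example rather than read from a cluster.
var sampleResources = []Resource{
	{"v1", "ServiceAccount", "default"},
	{"v1", "Pod", "web-0"},
	{"apps/v1", "Deployment", "web"},
	{"rbac.authorization.k8s.io/v1", "Role", "debug"},
}

func main() {
	for _, strategy := range []struct {
		name    string
		groupOf func(string) string
	}{{"naive", naiveGroup}, {"correct", Group}} {
		idx := NewIndex(strategy.groupOf)
		for _, r := range sampleResources {
			idx.Add(r)
		}
		fmt.Printf("%-7s ServiceAccounts in core group: %d, Deployments in apps: %d\n",
			strategy.name, len(idx.Lookup("", "ServiceAccount")), len(idx.Lookup("apps", "Deployment")))
	}
}
```

Under the naive keying the ServiceAccount is stored as `v1/ServiceAccount` and a lookup for the core group finds nothing, which is exactly the silent loss the commit describes; group-qualified kinds such as `apps/Deployment` are unaffected, so the bug only shows up for core resources.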
ivanfetch-fw
25ab600eef
Update docs to reflect target: PodTemplate RE: PR #801 ( #804 )
...
* Update docs to reflect `target: PodTemplate` and the template being available via the `Polaris.PodTemplate` variable RE: PR #801
* Fix typo
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-07-14 13:50:41 -06:00
ivanfetch-fw
be45519a22
Add target PodTemplate which exposes the full Pod (not only the spec) ( #801 )
...
* Add `target PodTemplate` which exposes the full Pod (not only the spec)
* Fix PodTemplate in conjunction with how pod-schema-checks are handled
* Add test for GO template `Polaris` sub-keys, help `NewGenericResourceFromPod` to set `PodTemplate` in more cases
* Clarify PodTemplate logic for `IsActionable()`
2022-07-14 12:51:24 -06:00
ivanfetch-fw
ccaa384cd0
expose Polaris.PodSpec for PodSpec targeted checks ( #793 )
...
* Add a template `Polaris` variable, expose `Polaris.PodSpec` for checks of `target: PodSpec`.
Polaris checks that are `target: PodSpec` have reflected the original
resource (such as a pod-controller) in the Go template, instead of
reflecting the pod `spec` field. This update makes the PodSpec available
in a new template variable `Polaris.PodSpec`.
2022-07-12 08:04:17 -06:00
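Commits #793 and #801 above expose `Polaris.PodSpec` and `Polaris.PodTemplate` to check templates, so that a `target: PodSpec` check sees the pod spec itself rather than the enclosing controller object. The added Go example below is not Polaris's code; it reimplements the idea with `text/template` over generic JSON-decoded maps, and shows why the variable is needed: a template that reads `.spec.hostNetwork` directly works for a Pod but renders `<no value>` for a Deployment, whose `.spec` is the DeploymentSpec, while `.Polaris.PodSpec.hostNetwork` is correct for both. The list of kinds that carry a Pod template, the two template strings and the sample manifests are the example's own assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// podTemplatePath maps a Kind to where its Pod template lives. This list is the example's
// own assumption about which kinds carry a template, not Polaris's.
var podTemplatePath = map[string][]string{
	"Pod":         {},
	"Deployment":  {"spec", "template"},
	"StatefulSet": {"spec", "template"},
	"DaemonSet":   {"spec", "template"},
	"ReplicaSet":  {"spec", "template"},
	"Job":         {"spec", "template"},
	"CronJob":     {"spec", "jobTemplate", "spec", "template"},
}

// PodTemplate returns the full Pod template (metadata and spec) embedded in a resource,
// or the Pod itself for a bare Pod; ok is false for kinds without a template.
func PodTemplate(obj map[string]interface{}) (map[string]interface{}, bool) {
	kind, _ := obj["kind"].(string)
	path, ok := podTemplatePath[kind]
	if !ok {
		return nil, false
	}
	cur := obj
	for _, key := range path {
		if cur, ok = cur[key].(map[string]interface{}); !ok {
			return nil, false
		}
	}
	return cur, true
}

// TemplateData builds what a check template sees: the original resource at the top level
// plus a Polaris map exposing PodTemplate and PodSpec for any workload kind.
func TemplateData(obj map[string]interface{}) map[string]interface{} {
	data := make(map[string]interface{}, len(obj)+1)
	for k, v := range obj {
		data[k] = v
	}
	polaris := map[string]interface{}{}
	if tmpl, ok := PodTemplate(obj); ok {
		polaris["PodTemplate"] = tmpl
		polaris["PodSpec"] = tmpl["spec"]
	}
	data["Polaris"] = polaris
	return data
}

// Render executes a Go template (the role a schemaString plays) against the resource.
func Render(tmplText string, obj map[string]interface{}) (string, error) {
	t, err := template.New("check").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, TemplateData(obj)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// mustDecode turns a constructed JSON manifest into the generic map shape a YAML/JSON decoder yields.
func mustDecode(s string) map[string]interface{} {
	var obj map[string]interface{}
	if err := json.Unmarshal([]byte(s), &obj); err != nil {
		panic(err)
	}
	return obj
}

// Constructed sample manifests, not taken from any real cluster.
var (
	SamplePod = mustDecode(`{"apiVersion":"v1","kind":"Pod",
	  "metadata":{"name":"web-0","labels":{"app":"web"}},
	  "spec":{"hostNetwork":true,"containers":[{"name":"web","image":"nginx"}]}}`)
	SampleDeployment = mustDecode(`{"apiVersion":"apps/v1","kind":"Deployment",
	  "metadata":{"name":"web"},
	  "spec":{"replicas":2,"template":{"metadata":{"labels":{"app":"web"}},
	    "spec":{"hostNetwork":true,"containers":[{"name":"web","image":"nginx"}]}}}}`)
)

// ViaSpec reads the top-level spec and is only right for a bare Pod; ViaPolaris reads the
// exposed PodSpec/PodTemplate and is right for every kind that carries a Pod template.
const (
	ViaSpec    = `{{ .kind }}: hostNetwork={{ .spec.hostNetwork }}`
	ViaPolaris = `{{ .kind }}: hostNetwork={{ .Polaris.PodSpec.hostNetwork }} app={{ .Polaris.PodTemplate.metadata.labels.app }}`
)

func main() {
	for _, obj := range []map[string]interface{}{SamplePod, SampleDeployment} {
		for _, tmpl := range []string{ViaSpec, ViaPolaris} {
			out, err := Render(tmpl, obj)
			if err != nil {
				panic(err)
			}
			fmt.Println(out)
		}
	}
}
```

Because `.spec` on the Deployment is a map without a `hostNetwork` key, `text/template` renders `<no value>` rather than failing, which is how a controller-targeted check can quietly stop evaluating the field it was written for; resolving the template through `Polaris.PodSpec` keeps one check definition valid across Pods and pod controllers.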
Robert Brennan
1c09ce9e09
update changelog and docs ( #800 )
...
* update changelog and docs
* add 7.0.1
* fix version
7.0.1
2022-07-11 14:12:50 -04:00
Robert Brennan
fec00893b1
Update fairwinds-insights.yaml ( #799 )
2022-07-11 14:06:58 -04:00
Robert Brennan
acadebe9fd
add docs for mutation ( #792 )
...
* add docs for mutation
* Update infrastructure-as-code.md
7.0.0
2022-07-11 13:25:15 -04:00
Robert Brennan
a2ec025230
Add more mutations, fix mutation tests ( #790 )
...
* add more mutations
* fix tests
* add more test cases
* Update insecureCapabilities.yaml
* Update dangerousCapabilities.yaml
* fix tests
* fix tests
2022-07-11 13:22:14 -04:00
Robert Brennan
08682075c6
Enable pullPolicyNotAlways ( #795 )
...
* add more mutations
* fix tests
* add more test cases
* Update insecureCapabilities.yaml
* Update dangerousCapabilities.yaml
* fix tests
* fix tests
* add pullPolicyNotAlways as default mutation
2022-07-11 13:20:17 -04:00
Barnabas Makonda
e3e790046f
Add checks flag to fix specific checks ( #797 )
...
* add checks to fix and fix-all-checks flags
* only use one flag
* add example
Co-authored-by: Robert Brennan <accounts@rbren.io>
2022-07-11 11:12:08 -06:00
Robert Brennan
50319fb1b8
fix webhook test ( #798 )
...
* add logs to webhook test
* fix cleanup
* add more logs
* fix webhook test
2022-07-11 13:06:21 -04:00
Robert Brennan
c3eb0811e0
Add flag to enable mutations in webhook ( #794 )
...
* rb/mutation-flag
* add validate flag
2022-07-11 09:37:54 -04:00
Andrew Suderman
5423449177
Use orb to publish docs ( #791 )
...
* Use orb to publish docs
* copy/pasta
* remove test values
* typo
2022-07-07 11:52:12 -06:00
Robert Brennan
f713d43697
ensure path exists when adding mutations ( #789 )
2022-07-07 10:00:36 -04:00
Barnabas Makonda
e896eec89f
Expose GetValidateResults function to be used in the polaris package ( #763 )
...
* Expose GetValidateResults function to be used in the polaris package
* change to GetValidatedResults
2022-06-15 15:28:33 +03:00
Barnabas Makonda
25a120ba65
update dependencies ( #777 )
2022-06-07 20:27:26 +03:00
intrand
3b865fcea8
skip incomplete or broken YAML - warn user ( #678 )
...
* skip broken yaml (e.g., patch file)
* skip in visitFile, not in parser
* restore filepath.Walk() error handling
* restore test; correct assertion
* Update pkg/kube/resources_test.go
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Fix tests
* update kind
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Luke Reed <luke@lreed.net>
Co-authored-by: Barnabas Makonda <6409210+makoscafee@users.noreply.github.com>
Co-authored-by: MAKOSCAFEE <barnabasmakonda@gmail.com>
2022-06-07 12:02:27 -04:00
Robert Brennan
f71ca999c9
Change target: Pod to target: PodSpec ( #726 )
...
* change target pod to target pod spec
* add checks
* update docs
* fix tests
Co-authored-by: MAKOSCAFEE <barnabasmakonda@gmail.com>
2022-06-07 07:37:25 -06:00
dependabot[bot]
276c168839
Bump alpine from 3.15.4 to 3.16.0 ( #773 )
...
Bumps alpine from 3.15.4 to 3.16.0.
---
updated-dependencies:
- dependency-name: alpine
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-01 23:02:14 +03:00