* added fix command implementation
* use node api
* fix tests
* added hostport mutate rule
* update mutating server
* fix array reference and add back leading slash
* added test and refactor findNodes
* more tests
* added more test and fix issue with arrays
* rename findNode function and ensure we capture exceptions
* rename findNode function
* append array value at the end and for single item remove brackets
* append array value at the end and for single item remove brackets
* create array if it does not exists
* fix tests
* handle some exceptions
* fix tests
* fix string format
* guard for PodResult
* fix flag name
* fix privilegeEscalation check
* fix up mutations for local files
* fix pod parsing
* fix object values
* remove logspam
* fix import
* update some comments for health probes
* add an option to not apply any mutations\, and just adjust yaml formatting
* add preliminary support for helm
* logspam
* change up comment strategy
* fix object comments
* format
* fix tests
* add comments
* fix key updates
* fix mutation tests
* tidy
* refactor test
* add test
* add test
* add test for object comments
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Robert Brennan <contact@rbren.io>
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks
* Add schema tests
* Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests
* Add the new checks to the full example config
* Update checks' success/failure messages and add some helpful comments
* Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case
* Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace
* Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
* Add `target PodTemplate` which exposes the full Pod (not only the spec)
* Fix PotTemplate in conjunction with how pod-schema-checks are handled
* Add test for GO template `Polaris` sub-keys, help `NewGenericResourceFromPod` to set `PodTemplate` in more cases
* Clarify PldTemplate logic for `IsActionable()`
* added fix command
* update fix command to walk through the folder to find all files
* added ability to add comment
* fix comment prefix
* trim whitespaces to the line
* refactor update mutated file
* remove filepath as is not needed anymore
* remove filepath as is not needed anymore
* remove timestamp and status if creation is null
* added comments and fix tests
* remove hardcoded mutation in config
* revert comment deletion
* separate mutated to success files
* read multiple resources in a file and update both
* Remove mutation in config.yaml
* added mutation field in checks and config
* added test
* fix tests
* revert resolve export
* remove Patched resources as moving that to separate functionality apart from validation
* go mod tidy
* move mutation to the container level
* change prefix based on the resource kind
* collect all mutations from results and apply
* added test for cronjob and deployment apart from just pod
* test cronjob prefix
* return a copy of mutation
* fix tests and comments
* address feedback comments
* fix warning formating
* refactor getJSONSchemaPrefix function
This change follows up #635 and lets end-users decide to disallow exemption rules defined as part of the config file or the controller annotations (whether none, any or both). The main use case here is to be able to prevent users with edit privileges over a controller to add a new exemption rule through an annotation which may obfuscate the actual policies we want to enforce.
Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* able to run multi-resource tests
* start passing resource provider through
* working end-to-end
* better support for go templating
* fix tests
* delint
* add test
* add json annotations
* remove panics
* fix annotation
* fix for groupkinds
* add comment
* add docs
* change jsonSchema field to schemaString
* rename check
* add pdb to tests
* add ingress to tests
* update deps
* fix up policy import
* update go
* fix check name
* funk it up
* better docs
This adds the ability to exempt a controller from all checks similar to
the annotation for "exempt" which exempts all checks.
I added the tests to go with this as well as for the IsActionable
function.
