* Fix: rolebindingRolePodExecAttach check
Fix the case of a RoleBinding that points to a ClusterRole.
In that case, we ignore the RoleBinding since it will be evaluated by the rolebindingClusterRolePodExecAttach check.
* add tests for role-binding that uses a cluster-role binding
---------
Co-authored-by: Vitor Vezani <vitor.vezani@fairwinds.com>
* Add local path replacement for Polaris module
* expose fix.Execute
* Remove local module replacement in go.mod
* Fix error handling and return error instead of exiting the program
* update
* update go mod
* tidy
* revert go mod
* fix port
* move pod test case
* downgrade controller-runtime
* revert updates
* fix nil pointer
* add logs
* fix var
* remove test requirement
* fix decoder
* fix mutate
* fix test case
* fix logs
* fmt
* fix owned pods in mutate
* fix test
* add logs
* add mutations to tests
* convert to json for patch
* fix up tests
* remove nil check
* fix logs
* add logs
* add env vars to webhook tests
* add login flow
* add logout functionality
* improve code
* implement token and status print
* implement status command
* add user to login
* improve server port management
* improve login flow
* fix login flow
* make insights URL for login configurable
* remove comments
* fix logrus directive usage
* add upload-insights command
* remove unnecessary usage of pointer
* error when using upload-insights and audit-path simultaneously
* upload-insights support
* set priority to reports
* adds report verification
* fix logging to meet expected results
* renaming variable name
* improve results printing
* improve variable naming
* remove TODO
* Update checks severities (#950)
* change all ignore checks to warning
* promoting checks initially warning that should be danger.
* fixing docs and examples
* adds changelog
* fix changelog version
* improve general error message
* update workloads to be able grab its version
* print URL on stdout on browser error
* use os.WriteFile instead of low-level API
* renaming fn params
* add insights client
* validating token on auth status
* minor fix
* only query for re-auth if token is still valid
* update some dependencies in go and CI (#951)
* update some dependencies
* update testing requirements
* Fix cert-manager
* lots of deprecated versions
* attempts
* review suggestions
* avoid nil pointer
* fix fixtures
* fix test
---------
Co-authored-by: Robert Brennan <contact@rbren.io>
* update changelog
---------
Co-authored-by: Andrew Suderman <andy@fairwinds.com>
Co-authored-by: Robert Brennan <contact@rbren.io>
* Add persistentpostrun to root cmd and postrun to version cmd
* Change PLG link
* Add PLG link to dashboard
* <strong> the link
Co-authored-by: Andrew Suderman <andy@suderman.dev>
The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
[1]: https://golang.org/doc/go1.16#ioutil
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Enable these checks in the default configuration file, which may produce many new results:
* automountServiceAccountToken
* linuxHardening
* sensitiveConfigmapContent and sensitiveContainerEnvVar
* clusterrolebindingClusterAdmin, rolebindingClusterAdminClusterRole, and rolebindingClusterAdminRole
* clusterrolePodExecAttach, rolePodExecAttach, clusterrolebindingPodExecAttach, rolebindingClusterRolePodExecAttach, and rolebindingRolePodExecAttach
* Ignore the `missingNetworkPolicy` and `automountServiceAccountToken` checks by default
* `hasPrefix` and `hasSuffix` functions are now available in the go template
* Fix the `sensitiveContainerEnvVar` check to ignore sensitive environment
variable names when those variables use `valueFrom` to reference an
external resource.
* Add the `*ClusterAdmin` checks to `examples/config-full.yaml`.
* Exempt the prefix `system:` instead of individual entries for RBAC checks (#871)
* Add debug logging for JSON Schema validation and Go templating
* Fix `--help` to display the full Polaris usage
* add valid log possible levels to `--log-level` flag help
* add debug info
* remove extra build step
* try and fix memory usage
* fix pointers
* add more debug logs
* fix up caching for replicasets
* fix import
* replace info with debug
* add logs
* dont cache jobs
* gofmt
* fix import
* added fix command implementation
* use node api
* fix tests
* added hostport mutate rule
* update mutating server
* fix array reference and add back leading slash
* added test and refactor findNodes
* more tests
* added more test and fix issue with arrays
* rename findNode function and ensure we capture exceptions
* rename findNode function
* append array value at the end and for single item remove brackets
* append array value at the end and for single item remove brackets
* create array if it does not exists
* fix tests
* handle some exceptions
* fix tests
* fix string format
* guard for PodResult
* fix flag name
* fix privilegeEscalation check
* fix up mutations for local files
* fix pod parsing
* fix object values
* remove logspam
* fix import
* update some comments for health probes
* add an option to not apply any mutations\, and just adjust yaml formatting
* add preliminary support for helm
* logspam
* change up comment strategy
* fix object comments
* format
* fix tests
* add comments
* fix key updates
* fix mutation tests
* tidy
* refactor test
* add test
* add test
* add test for object comments
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Robert Brennan <contact@rbren.io>
* make cert dir option
* log message for multi-resource checks in admission
* Update pkg/validator/schema.go
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Pretty output: remove 2 leading line breaks and 1 trailing after container results
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* validator: don't add empty results in ApplyAllSchemaChecksToAllResources
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* Fix MockPod() fixture:
- Since now result is considered non-empty only if Kind and Name are set, needed to adjust MockPod() to make it contain Name.
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks
* Add schema tests
* Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests
* Add the new checks to the full example config
* Update checks' success/failure messages and add some helpful comments
* Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case
* Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace
* Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
* Add `target PodTemplate` which exposes the full Pod (not only the spec)
* Fix PotTemplate in conjunction with how pod-schema-checks are handled
* Add test for GO template `Polaris` sub-keys, help `NewGenericResourceFromPod` to set `PodTemplate` in more cases
* Clarify PldTemplate logic for `IsActionable()`
