--- # Source: polaris/templates/0-namespace.yaml apiVersion: v1 kind: Namespace metadata: name: polaris --- # Source: polaris/templates/webhook.secret.yaml # The name of this secret is static as it is populated by the webhook pod. apiVersion: v1 kind: Secret metadata: name: polaris-webhook namespace: polaris labels: app: polaris type: Opaque stringData: cert.pem: '' --- # Source: polaris/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: polaris namespace: polaris labels: app: polaris data: config.yaml: |- checks: # resources cpuRequestsMissing: warning cpuLimitsMissing: warning memoryRequestsMissing: warning memoryLimitsMissing: warning # images tagNotSpecified: error pullPolicyNotAlways: ignore # healthChecks readinessProbeMissing: warning livenessProbeMissing: warning # networking hostNetworkSet: warning hostPortSet: warning # security hostIPCSet: error hostPIDSet: error notReadOnlyRootFileSystem: warning privilegeEscalationAllowed: error runAsRootAllowed: warning runAsPrivileged: error dangerousCapabilities: error insecureCapabilities: warning controllersToScan: - Deployments - StatefulSets - DaemonSets - CronJobs - Jobs - ReplicationControllers exemptions: - controllerNames: - dns-controller - datadog-datadog - kube-flannel-ds - kube2iam - aws-iam-authenticator - datadog - kube2iam rules: - hostNetworkSet - controllerNames: - aws-iam-authenticator - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - dnsmasq - autoscaler - kubernetes-dashboard - install-cni - kube2iam rules: - readinessProbeMissing - livenessProbeMissing - controllerNames: - aws-iam-authenticator - nginx-ingress-controller - nginx-ingress-default-backend - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - kubedns - dnsmasq - autoscaler - tiller - kube2iam rules: - runAsRootAllowed - controllerNames: - aws-iam-authenticator - nginx-ingress-controller - nginx-ingress-default-backend - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - kubedns - dnsmasq - autoscaler - tiller - kube2iam rules: - notReadOnlyRootFileSystem - controllerNames: - cert-manager - dns-controller - kubedns - dnsmasq - autoscaler - insights-agent-goldilocks-vpa-install rules: - cpuRequestsMissing - cpuLimitsMissing - memoryRequestsMissing - memoryLimitsMissing - controllerNames: - kube2iam - kube-flannel-ds rules: - runAsPrivileged - controllerNames: - kube-hunter rules: - hostPIDSet - controllerNames: - polaris - kube-hunter - goldilocks - insights-agent-goldilocks-vpa-install rules: - notReadOnlyRootFileSystem - controllerNames: - insights-agent-goldilocks-controller rules: - livenessProbeMissing - readinessProbeMissing - controllerNames: - insights-agent-goldilocks-vpa-install - kube-hunter rules: - runAsRootAllowed --- # Source: polaris/templates/webhook.rbac.yaml apiVersion: v1 kind: ServiceAccount metadata: name: polaris-webhook namespace: polaris labels: app: polaris --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: polaris-webhook labels: app: polaris rules: # auditor rules rbac - apiGroups: - 'apps' - 'extensions' resources: - 'deployments' - 'statefulsets' - 'daemonsets' verbs: - 'get' - 'list' - apiGroups: - 'batch' resources: - 'jobs' - 'cronjobs' verbs: - 'get' - 'list' - apiGroups: - '' resources: - 'nodes' - 'namespaces' - 'pods' - 'replicationcontrollers' verbs: - 'get' - 'list' # required by controller-runtime code doing a cluster wide lookup # when it seems namespace would suffice - apiGroups: - '' resources: - 'secrets' - 'services' verbs: - 'get' - 'list' - 'watch' - apiGroups: - 'admissionregistration.k8s.io' resources: - 'validatingwebhookconfigurations' verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: polaris-webhook labels: app: polaris roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: polaris-webhook subjects: - kind: ServiceAccount name: polaris-webhook namespace: polaris --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: polaris-webhook namespace: polaris labels: app: polaris rules: # required for current controller-runtime bootstrap method - apiGroups: - '' resources: - 'secrets' - 'services' verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: polaris-webhook namespace: polaris labels: app: polaris roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: polaris-webhook subjects: - kind: ServiceAccount name: polaris-webhook namespace: polaris --- # Source: polaris/templates/webhook.service.yaml apiVersion: v1 kind: Service metadata: name: polaris-webhook namespace: polaris labels: app: polaris spec: ports: - name: webhook port: 443 protocol: TCP targetPort: 9876 selector: app: polaris component: webhook type: ClusterIP --- # Source: polaris/templates/webhook.deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: polaris-webhook namespace: polaris labels: app: polaris component: webhook spec: replicas: 1 selector: matchLabels: app: polaris component: webhook template: metadata: annotations: checksum/config: 'eb6d6b194c6786d62400fc0578dd5ea5158212b5b29d93d3cde3fa14da8ac501' labels: app: polaris component: webhook spec: containers: - name: webhook command: - polaris - --webhook - --config - /opt/app/config.yaml image: 'quay.io/fairwinds/polaris:0.6' imagePullPolicy: 'Always' ports: - containerPort: 9876 # These are fairly useless readiness/liveness probes for now # Follow this issue for potential improvements: # https://github.com/kubernetes-sigs/controller-runtime/issues/356 livenessProbe: exec: command: - sh - -c - ps -ef | grep polaris initialDelaySeconds: 5 periodSeconds: 5 readinessProbe: exec: command: - sh - -c - ps -ef | grep polaris initialDelaySeconds: 5 periodSeconds: 5 resources: limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL volumeMounts: - name: config mountPath: /opt/app/config.yaml subPath: config.yaml readOnly: true - name: secret mountPath: /opt/cert/ readOnly: true - name: cr-logs mountPath: /tmp/ readOnly: false serviceAccountName: polaris-webhook nodeSelector: tolerations: volumes: - name: config configMap: name: polaris - name: secret secret: secretName: polaris-webhook - name: cr-logs emptyDir: {} --- # Source: polaris/templates/audit.job.yaml --- # Source: polaris/templates/audit.rbac.yaml --- # Source: polaris/templates/dashboard.deployment.yaml --- # Source: polaris/templates/dashboard.rbac.yaml --- # Source: polaris/templates/dashboard.service.yaml --- # Source: polaris/templates/ingress.yaml