mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-08 02:06:53 +00:00
a59063bdb2
* added fix command * update fix command to walk through the folder to find all files * added ability to add comment * fix comment prefix * trim whitespaces to the line * refactor update mutated file * remove filepath as is not needed anymore * remove filepath as is not needed anymore * remove timestamp and status if creation is null * added comments and fix tests * remove hardcoded mutation in config * revert comment deletion * separate mutated to success files * read multiple resources in a file and update both * Remove mutation in config.yaml
204 lines
4.4 KiB
YAML
204 lines
4.4 KiB
YAML
checks:
|
|
# reliability
|
|
deploymentMissingReplicas: warning
|
|
priorityClassNotSet: ignore
|
|
tagNotSpecified: danger
|
|
pullPolicyNotAlways: warning
|
|
readinessProbeMissing: warning
|
|
livenessProbeMissing: warning
|
|
metadataAndNameMismatched: ignore
|
|
pdbDisruptionsIsZero: warning
|
|
missingPodDisruptionBudget: ignore
|
|
|
|
# efficiency
|
|
cpuRequestsMissing: warning
|
|
cpuLimitsMissing: warning
|
|
memoryRequestsMissing: warning
|
|
memoryLimitsMissing: warning
|
|
# security
|
|
hostIPCSet: danger
|
|
hostPIDSet: danger
|
|
notReadOnlyRootFilesystem: warning
|
|
privilegeEscalationAllowed: danger
|
|
runAsRootAllowed: danger
|
|
runAsPrivileged: danger
|
|
dangerousCapabilities: danger
|
|
insecureCapabilities: warning
|
|
hostNetworkSet: danger
|
|
hostPortSet: warning
|
|
tlsSettingsMissing: warning
|
|
|
|
exemptions:
|
|
- namespace: kube-system
|
|
controllerNames:
|
|
- kube-apiserver
|
|
- kube-proxy
|
|
- kube-scheduler
|
|
- etcd-manager-events
|
|
- kube-controller-manager
|
|
- kube-dns
|
|
- etcd-manager-main
|
|
rules:
|
|
- hostPortSet
|
|
- hostNetworkSet
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- cpuRequestsMissing
|
|
- cpuLimitsMissing
|
|
- memoryRequestsMissing
|
|
- memoryLimitsMissing
|
|
- runAsRootAllowed
|
|
- runAsPrivileged
|
|
- notReadOnlyRootFilesystem
|
|
- hostPIDSet
|
|
|
|
- controllerNames:
|
|
- kube-flannel-ds
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
- runAsRootAllowed
|
|
- notReadOnlyRootFilesystem
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- cpuLimitsMissing
|
|
|
|
- controllerNames:
|
|
- cert-manager
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
- runAsRootAllowed
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
|
|
- controllerNames:
|
|
- cluster-autoscaler
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
- runAsRootAllowed
|
|
- readinessProbeMissing
|
|
|
|
- controllerNames:
|
|
- vpa
|
|
rules:
|
|
- runAsRootAllowed
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- notReadOnlyRootFilesystem
|
|
|
|
- controllerNames:
|
|
- datadog
|
|
rules:
|
|
- runAsRootAllowed
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- notReadOnlyRootFilesystem
|
|
|
|
- controllerNames:
|
|
- nginx-ingress-controller
|
|
rules:
|
|
- privilegeEscalationAllowed
|
|
- insecureCapabilities
|
|
- runAsRootAllowed
|
|
|
|
- controllerNames:
|
|
- dns-controller
|
|
- datadog-datadog
|
|
- kube-flannel-ds
|
|
- kube2iam
|
|
- aws-iam-authenticator
|
|
- datadog
|
|
- kube2iam
|
|
rules:
|
|
- hostNetworkSet
|
|
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- kubernetes-dashboard
|
|
- install-cni
|
|
- kube2iam
|
|
rules:
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- nginx-ingress-default-backend
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- tiller
|
|
- kube2iam
|
|
rules:
|
|
- runAsRootAllowed
|
|
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- nginx-ingress-controller
|
|
- nginx-ingress-default-backend
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- tiller
|
|
- kube2iam
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
|
|
- controllerNames:
|
|
- cert-manager
|
|
- dns-controller
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- insights-agent-goldilocks-vpa-install
|
|
- datadog
|
|
rules:
|
|
- cpuRequestsMissing
|
|
- cpuLimitsMissing
|
|
- memoryRequestsMissing
|
|
- memoryLimitsMissing
|
|
|
|
- controllerNames:
|
|
- kube2iam
|
|
- kube-flannel-ds
|
|
rules:
|
|
- runAsPrivileged
|
|
|
|
- controllerNames:
|
|
- kube-hunter
|
|
rules:
|
|
- hostPIDSet
|
|
|
|
- controllerNames:
|
|
- polaris
|
|
- kube-hunter
|
|
- goldilocks
|
|
- insights-agent-goldilocks-vpa-install
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
|
|
- controllerNames:
|
|
- insights-agent-goldilocks-controller
|
|
rules:
|
|
- livenessProbeMissing
|
|
- readinessProbeMissing
|
|
|
|
- controllerNames:
|
|
- insights-agent-goldilocks-vpa-install
|
|
- kube-hunter
|
|
rules:
|
|
- runAsRootAllowed
|