75f70352ba
**Changes** - Refactored the way controllers work to be an interface - Added configurable controllers to include in scans - Added daemonsets, jobs and cronjobs in scans - Added `ReplicationController` type controllers to the supported list - Adjusted logic for failed YAML parsing to bubble up errors - Added better logic for calculating summaries on cluster wide results - Relocated responsibilities for counting types into validators vs spreading it around more packages - Fixed bug where cronjob parsing was using wrong KIND - Added fixtures for mocking new controller types - Added example yamls to test scanning files - Added functions to NamespacedResult(s) to reduce code complexity deep set iterations - Refactored how results get added to namespacedresults so adding more later is easier - Minor signature changes for interface implementing structs for controllers
1.8 KiB
Security
Polaris supports a number of checks related to security.
| key | default | description |
|---|---|---|
security.hostIPCSet |
error |
Fails when hostIPC attribute is configured. |
security.hostPIDSet |
error |
Fails when hostPID attribute is configured. |
security.notReadOnlyRootFileSystem |
warning |
Fails when securityContext.readOnlyRootFilesystem is not true. |
security.privilegeEscalationAllowed |
error |
Fails when securityContext.allowPrivilegeEscalation is true. |
security.runAsRootAllowed |
error |
Fails when securityContext.runAsNonRoot is not true. |
security.runAsPrivileged |
error |
Fails when securityContext.privileged is true. |
Security Capabilities
Additional validations are available to ensure pods are running with a limited set of capabilities. More information is available in our Security Capabilities documentation.
Background
Securing workloads in Kubernetes is an important part of overall cluster security. The overall goal should be to ensure that containers are running with as minimal privileges as possible. This includes avoiding privilege escalation, not running containers with a root user, and using read only file systems wherever possible.
Much of this configuration can be found in the securityContext attribute for both Kubernetes pods and containers. Where configuration is available at both a pod and container level, Polaris validates both.