github/polaris
1
0
Fork 0
mirror of https://github.com/FairwindsOps/polaris.git synced 2026-05-22 09:03:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bf889a280bbed494a08e7cb5841420f62dcd479c
polaris/examples/config.yaml
Andrew Suderman a1b63ac417 Fix #547 - add a check for topologySpreadConstraint (#879)
2023-01-04 14:05:23 -07:00

313 lines
7.2 KiB
YAML
Raw Blame History

checks:
# reliability
deploymentMissingReplicas: warning
priorityClassNotSet: ignore
tagNotSpecified: danger
pullPolicyNotAlways: warning
readinessProbeMissing: warning
livenessProbeMissing: warning
metadataAndNameMismatched: ignore
pdbDisruptionsIsZero: warning
missingPodDisruptionBudget: ignore
topologySpreadConstraint: warning
# efficiency
cpuRequestsMissing: warning
cpuLimitsMissing: warning
memoryRequestsMissing: warning
memoryLimitsMissing: warning
# security
automountServiceAccountToken: ignore
hostIPCSet: danger
hostPIDSet: danger
linuxHardening: warning
missingNetworkPolicy: ignore
notReadOnlyRootFilesystem: warning
privilegeEscalationAllowed: danger
runAsRootAllowed: danger
runAsPrivileged: danger
dangerousCapabilities: danger
insecureCapabilities: warning
hostNetworkSet: danger
hostPortSet: warning
tlsSettingsMissing: warning
# These are initially warning and will later be promoted to danger.
sensitiveContainerEnvVar: warning
sensitiveConfigmapContent: warning
clusterrolePodExecAttach: warning
rolePodExecAttach: warning
clusterrolebindingPodExecAttach: warning
rolebindingClusterRolePodExecAttach: warning
rolebindingRolePodExecAttach: warning
clusterrolebindingClusterAdmin: warning
rolebindingClusterAdminClusterRole: warning
rolebindingClusterAdminRole: warning
mutations:
- pullPolicyNotAlways
exemptions:
- namespace: kube-system
controllerNames:
- dns-controller
- ebs-csi-controller
- ebs-csi-node
- kindnet
- kops-controller
- kube-dns
- kube-flannel-ds
- kube-proxy
- kube-scheduler
- vpa-recommender
rules:
- automountServiceAccountToken
- linuxHardening
- missingNetworkPolicy
- namespace: kube-system
controllerNames:
- coredns
rules:
- automountServiceAccountToken
- missingNetworkPolicy
- namespace: kube-system
controllerNames:
- ebs-csi-controller
rules:
- sensitiveContainerEnvVar
- namespace: kube-system
controllerNames:
- coredns-autoscaler
rules:
- linuxHardening
- namespace: local-path-storage
controllerNames:
- local-path-provisioner
rules:
- automountServiceAccountToken
- linuxHardening
- missingNetworkPolicy
- namespace: kube-system
controllerNames:
- kube-apiserver
- kube-proxy
- kube-scheduler
- etcd-manager-events
- kube-controller-manager
- kube-dns
- etcd-manager-main
rules:
- hostPortSet
- hostNetworkSet
- readinessProbeMissing
- livenessProbeMissing
- cpuRequestsMissing
- cpuLimitsMissing
- memoryRequestsMissing
- memoryLimitsMissing
- runAsRootAllowed
- runAsPrivileged
- notReadOnlyRootFilesystem
- hostPIDSet
- namespace: datadog
controllerNames:
- datadogtoken
rules:
- sensitiveConfigmapContent
- namespace: datadog
controllerNames:
- datadog-cluster-agent-apiserver
rules:
- rolebindingClusterAdminRole
- rolebindingRolePodExecAttach
- controllerNames:
- ingress-nginx-controller
rules:
- sensitiveConfigmapContent
- controllerNames:
- ingress-nginx-controller
- ingress-nginx-default-backend
- polaris
- rbac-manager
rules:
- automountServiceAccountToken
- missingNetworkPolicy
- controllerNames:
- aws-iam-authenticator
- aws-load-balancer-controller
- docker-registry
- external-dns
- kube2iam
- metrics-server
rules:
- automountServiceAccountToken
- linuxHardening
- missingNetworkPolicy
- controllerNames:
- oauth2-proxy
rules:
- automountServiceAccountToken
- linuxHardening
- missingNetworkPolicy
- sensitiveContainerEnvVar
- controllerNames:
- kube-flannel-ds
rules:
- notReadOnlyRootFilesystem
- runAsRootAllowed
- notReadOnlyRootFilesystem
- readinessProbeMissing
- livenessProbeMissing
- cpuLimitsMissing
- controllerNames:
- cert-manager
rules:
- notReadOnlyRootFilesystem
- runAsRootAllowed
- readinessProbeMissing
- livenessProbeMissing
- automountServiceAccountToken
- linuxHardening
- missingNetworkPolicy
- controllerNames:
- cluster-autoscaler
rules:
- notReadOnlyRootFilesystem
- runAsRootAllowed
- readinessProbeMissing
- automountServiceAccountToken
- linuxHardening
- missingNetworkPolicy
- controllerNames:
- vpa
rules:
- runAsRootAllowed
- readinessProbeMissing
- livenessProbeMissing
- notReadOnlyRootFilesystem
- controllerNames:
- datadog
rules:
- runAsRootAllowed
- readinessProbeMissing
- livenessProbeMissing
- notReadOnlyRootFilesystem
- automountServiceAccountToken
- linuxHardening
- missingNetworkPolicy
- sensitiveContainerEnvVar
- controllerNames:
- nginx-ingress-controller
rules:
- privilegeEscalationAllowed
- insecureCapabilities
- runAsRootAllowed
- controllerNames:
- dns-controller
- datadog-datadog
- kube-flannel-ds
- kube2iam
- aws-iam-authenticator
- datadog
- kube2iam
rules:
- hostNetworkSet
- controllerNames:
- aws-iam-authenticator
- aws-cluster-autoscaler
- kube-state-metrics
- dns-controller
- external-dns
- dnsmasq
- autoscaler
- kubernetes-dashboard
- install-cni
- kube2iam
rules:
- readinessProbeMissing
- livenessProbeMissing
- controllerNames:
- aws-iam-authenticator
- nginx-ingress-default-backend
- aws-cluster-autoscaler
- kube-state-metrics
- dns-controller
- external-dns
- kubedns
- dnsmasq
- autoscaler
- tiller
- kube2iam
rules:
- runAsRootAllowed
- controllerNames:
- aws-iam-authenticator
- nginx-ingress-controller
- nginx-ingress-default-backend
- aws-cluster-autoscaler
- kube-state-metrics
- dns-controller
- external-dns
- kubedns
- dnsmasq
- autoscaler
- tiller
- kube2iam
rules:
- notReadOnlyRootFilesystem
- controllerNames:
- cert-manager
- dns-controller
- kubedns
- dnsmasq
- autoscaler
- insights-agent-goldilocks-vpa-install
- datadog
rules:
- cpuRequestsMissing
- cpuLimitsMissing
- memoryRequestsMissing
- memoryLimitsMissing
- controllerNames:
- kube2iam
- kube-flannel-ds
rules:
- runAsPrivileged
- controllerNames:
- kube-hunter
rules:
- hostPIDSet
- controllerNames:
- polaris
- kube-hunter
- goldilocks
- insights-agent-goldilocks-vpa-install
rules:
- notReadOnlyRootFilesystem
- controllerNames:
- insights-agent-goldilocks-controller
rules:
- livenessProbeMissing
- readinessProbeMissing
- controllerNames:
- insights-agent-goldilocks-vpa-install
- kube-hunter
rules:
- runAsRootAllowed
Reference in New Issue View Git Blame Copy Permalink