mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-12 04:06:44 +00:00
* first pass * fix up homepage * more work * housekeeping * add script to modify home link * add check docs * build docs site * Create CNAME * fix path to check-docs * update from template * fix logo in readme * fix link * remove logspam * remove old folders * fix all links * fix up readme * change up Insights description * add customization docs * phrasing * title * titles * titles * change webhook docs * refresh template * rebuild site * refresh from template repo * phrasing * add tagline * update readme\, add readme sync script * fix logo * rebuild * fix readme script * rebuild
49 lines
11 KiB
HTML
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Exemptions | Fairwinds Polaris Documentation</title>
<meta name="generator" content="VuePress 1.7.1">
<link rel="icon" href="/favicon.png">
<script src="/scripts/modify.js"></script>
<script src="/scripts/leadlander.js"></script>
<meta name="description" content="Documentation for Fairwinds Polaris - audit and enforce Kubernetes best practices for your workloads">
<link rel="preload" href="/assets/css/0.styles.db69974e.css" as="style"><link rel="preload" href="/assets/js/app.65b94829.js" as="script"><link rel="preload" href="/assets/js/3.0cb25b42.js" as="script"><link rel="preload" href="/assets/js/2.28adca5d.js" as="script"><link rel="preload" href="/assets/js/20.5bcacf34.js" as="script"><link rel="prefetch" href="/assets/js/10.9d1a1701.js"><link rel="prefetch" href="/assets/js/11.d7eadcf0.js"><link rel="prefetch" href="/assets/js/12.85c0eab0.js"><link rel="prefetch" href="/assets/js/13.0487faf0.js"><link rel="prefetch" href="/assets/js/14.60ea393e.js"><link rel="prefetch" href="/assets/js/15.00f25aaa.js"><link rel="prefetch" href="/assets/js/16.cb0515ce.js"><link rel="prefetch" href="/assets/js/17.013e9969.js"><link rel="prefetch" href="/assets/js/18.a0fcb2d2.js"><link rel="prefetch" href="/assets/js/19.9fe045af.js"><link rel="prefetch" href="/assets/js/21.2f58615f.js"><link rel="prefetch" href="/assets/js/22.90ebc6b9.js"><link rel="prefetch" href="/assets/js/4.be9896b6.js"><link rel="prefetch" href="/assets/js/5.665b3e6a.js"><link rel="prefetch" href="/assets/js/6.a5e340ed.js"><link rel="prefetch" href="/assets/js/7.dbd47d64.js"><link rel="prefetch" href="/assets/js/8.5a82b7c2.js"><link rel="prefetch" href="/assets/js/9.4f55b6b3.js">
<link rel="stylesheet" href="/assets/css/0.styles.db69974e.css">
</head>
<body>
<div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="sidebar-button"><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" role="img" viewBox="0 0 448 512" class="icon"><path fill="currentColor" d="M436 124H12c-6.627 0-12-5.373-12-12V80c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12z"></path></svg></div> <a href="/" class="home-link router-link-active"><img src="/img/fairwinds-logo.svg" alt="Fairwinds Polaris Documentation" class="logo"> <span class="site-name can-hide">Fairwinds Polaris Documentation</span></a> <div class="links"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><div class="nav-item"><a href="https://github.com/FairwindsOps/polaris" target="_blank" rel="noopener noreferrer" class="nav-link external">
View on GitHub
<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></div> <!----></nav></div></header> <div class="sidebar-mask"></div> <aside class="sidebar"><nav class="nav-links"><div class="nav-item"><a href="https://github.com/FairwindsOps/polaris" target="_blank" rel="noopener noreferrer" class="nav-link external">
View on GitHub
<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></div> <!----></nav> <ul class="sidebar-links"><li><section class="sidebar-group depth-0"><a href="/" class="sidebar-heading clickable router-link-active"><span>Polaris</span> <!----></a> <ul class="sidebar-links sidebar-group-items"><li><a href="/changelog/" class="sidebar-link">Changelog</a></li><li><a href="/code-of-conduct/" class="sidebar-link">Code of Conduct</a></li><li><a href="/contributing/" class="sidebar-link">Contributing</a></li></ul></section></li><li><section class="sidebar-group depth-0"><p class="sidebar-heading"><span>Ways to Run Polaris</span> <!----></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/dashboard/" class="sidebar-link">Dashboard</a></li><li><a href="/admission-controller/" class="sidebar-link">Admission Controller</a></li><li><a href="/infrastructure-as-code/" class="sidebar-link">Infrastructure as Code</a></li></ul></section></li><li><section class="sidebar-group depth-0"><p class="sidebar-heading open"><span>Customization</span> <!----></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/customization/configuration/" class="sidebar-link">Configuration</a></li><li><a href="/customization/checks/" class="sidebar-link">Check Settings</a></li><li><a href="/customization/custom-checks/" class="sidebar-link">Custom Checks</a></li><li><a href="/customization/exemptions/" aria-current="page" class="active sidebar-link">Exemptions</a><ul class="sidebar-sub-headers"><li class="sidebar-sub-header"><a 
href="/customization/exemptions/#annotations" class="sidebar-link">Annotations</a></li><li class="sidebar-sub-header"><a href="/customization/exemptions/#config" class="sidebar-link">Config</a></li></ul></li></ul></section></li><li><section class="sidebar-group depth-0"><p class="sidebar-heading"><span>Checks</span> <!----></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/checks/security/" class="sidebar-link">Security</a></li><li><a href="/checks/efficiency/" class="sidebar-link">Efficiency</a></li><li><a href="/checks/reliability/" class="sidebar-link">Reliability</a></li></ul></section></li></ul> </aside> <main class="page"> <div class="theme-default-content content__default"><h1 id="exemptions"><a href="#exemptions" class="header-anchor">#</a> Exemptions</h1> <p>Sometimes a workload really does need to do things that Polaris considers insecure. For instance,
many of the <code>kube-system</code> workloads need to run as root, or need access to the host network. In these
cases, we can add <strong>exemptions</strong> to allow the workload to pass Polaris checks.</p> <p>Exemptions can be added two ways: by annotating a controller, or editing the Polaris config.</p> <h2 id="annotations"><a href="#annotations" class="header-anchor">#</a> Annotations</h2> <p>To exempt a controller from all checks via annotations, use the annotation <code>polaris.fairwinds.com/exempt=true</code>, e.g.</p> <div class="language- extra-class"><pre class="language-text"><code>kubectl annotate deployment my-deployment polaris.fairwinds.com/exempt=true
</code></pre></div><p>To exempt a controller from a particular check via annotations, use an annotation in the form of <code>polaris.fairwinds.com/&lt;check&gt;-exempt=true</code>, e.g.</p> <div class="language- extra-class"><pre class="language-text"><code>kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissing-exempt=true
</code></pre></div><h2 id="config"><a href="#config" class="header-anchor">#</a> Config</h2> <p>To exempt a controller via the config, you have to specify a namespace (optional), a list of controller names and a list of rules, e.g.</p> <div class="language-yaml extra-class"><pre class="language-yaml"><code><span class="token key atrule">exemptions</span><span class="token punctuation">:</span>
  <span class="token comment"># exemption valid for kube-system namespace</span>
  <span class="token punctuation">-</span> <span class="token key atrule">namespace</span><span class="token punctuation">:</span> kube<span class="token punctuation">-</span>system
    <span class="token key atrule">controllerNames</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> dns<span class="token punctuation">-</span>controller
    <span class="token key atrule">rules</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> hostNetworkSet
  <span class="token comment"># exemption valid in all namespaces</span>
  <span class="token punctuation">-</span> <span class="token key atrule">controllerNames</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> dns<span class="token punctuation">-</span>controller
    <span class="token key atrule">rules</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> hostNetworkSet
</code></pre></div></div> <footer class="page-edit"><div class="edit-link"><a href="https://github.com/FairwindsOps/polaris/edit/master/docs-md/customization/exemptions.md" target="_blank" rel="noopener noreferrer">Help us improve this page</a> <span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></div> <!----></footer> <div class="page-nav"><p class="inner"><span class="prev">
←
<a href="/customization/custom-checks/" class="prev">
Custom Checks
</a></span> <span class="next"><a href="/checks/security/">
Security
</a>
→
</span></p></div> <div class="custom-footer"><div class="left-footer"><a href="https://fairwinds.com" target="_blank">Learn more about Fairwinds</a> <a href="https://fairwinds.com/insights" target="_blank">Try Fairwinds Insights</a></div> <div class="right-footer"><a href="https://www.fairwinds.com/privacy-policy" target="_blank">Privacy Policy</a></div></div></main></div><div class="global-ui"></div></div>
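<p>Because an exemption annotation lets a controller pass Polaris checks it would otherwise fail, it is worth listing which controllers carry one. The following is an added example, not part of the Polaris documentation or code base: it scans constructed JSON shaped like the output of <code>kubectl get deployments --all-namespaces -o json</code> for the two annotation forms described on this page. The function names, the sample data and the rule that only the value <code>true</code> counts are assumptions.</p>

```python
import json

PREFIX = "polaris.fairwinds.com/"
SUFFIX = "-exempt"

# Constructed sample, shaped like `kubectl get deployments --all-namespaces -o json`.
SAMPLE = json.loads("""{"kind": "List", "items": [
  {"kind": "Deployment", "metadata": {"name": "dns-controller", "namespace": "kube-system",
    "annotations": {"polaris.fairwinds.com/exempt": "true"}}},
  {"kind": "Deployment", "metadata": {"name": "my-deployment", "namespace": "default",
    "annotations": {"polaris.fairwinds.com/cpuRequestsMissing-exempt": "true",
                    "polaris.fairwinds.com/hostNetworkSet-exempt": "false"}}},
  {"kind": "Deployment", "metadata": {"name": "web", "namespace": "default"}}
]}""")


def exempted_checks(annotations):
    """Return ["*"] for a blanket exemption, else the sorted exempted check names."""
    checks = set()
    for key, value in (annotations or {}).items():
        # Assumption: only the literal value "true" (the form shown on the page) counts.
        if not key.startswith(PREFIX) or value != "true":
            continue
        tail = key[len(PREFIX):]
        if tail == "exempt":
            return ["*"]  # polaris.fairwinds.com/exempt=true covers every check
        if tail.endswith(SUFFIX) and tail != SUFFIX:
            checks.add(tail[:-len(SUFFIX)])  # per-check form: strip "-exempt"
    return sorted(checks)


def audit(doc):
    """List (namespace, kind, name, exemptions) for every exempted object."""
    findings = []
    # Accept either a kubectl List or a single object.
    for item in doc.get("items", [doc]):
        meta = item.get("metadata", {})
        found = exempted_checks(meta.get("annotations"))
        if found:
            findings.append((meta.get("namespace", ""), item.get("kind", ""),
                             meta.get("name", ""), found))
    return findings


if __name__ == "__main__":
    for namespace, kind, name, found in audit(SAMPLE):
        print(f"{namespace}/{kind}/{name}: exempt from {', '.join(found)}")
```

<p>A result of <code>*</code> marks a controller exempted from all checks; anything else is the list of individual checks it skips.</p>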
<script src="/assets/js/app.65b94829.js" defer></script><script src="/assets/js/3.0cb25b42.js" defer></script><script src="/assets/js/2.28adca5d.js" defer></script><script src="/assets/js/20.5bcacf34.js" defer></script>
</body>
</html>