mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-14 05:06:59 +00:00
67ab987f7e
* add controllers_to_scan to example config-full * add support for annotation-based exemptions * fix lint errors * add docs
143 lines
2.7 KiB
YAML
143 lines
2.7 KiB
YAML
resources:
|
|
cpuRequestsMissing: warning
|
|
cpuRequestRanges:
|
|
warning:
|
|
below: 50m
|
|
above: 1000m
|
|
error:
|
|
below: 500m
|
|
above: 2000m
|
|
cpuLimitsMissing: warning
|
|
cpuLimitRanges:
|
|
warning:
|
|
below: 50m
|
|
above: 1000m
|
|
error:
|
|
below: 500m
|
|
above: 2000m
|
|
memoryRequestsMissing: warning
|
|
memoryRequestRanges:
|
|
warning:
|
|
below: 50M
|
|
above: 2G
|
|
error:
|
|
below: 100M
|
|
above: 4G
|
|
memoryLimitsMissing: warning
|
|
memoryLimitRanges:
|
|
warning:
|
|
below: 50M
|
|
above: 2G
|
|
error:
|
|
below: 100M
|
|
above: 4G
|
|
images:
|
|
tagNotSpecified: error
|
|
pullPolicyNotAlways: warning
|
|
whitelist:
|
|
error:
|
|
- gcr.io/*
|
|
blacklist:
|
|
warning:
|
|
- docker.io/*
|
|
healthChecks:
|
|
readinessProbeMissing: warning
|
|
livenessProbeMissing: warning
|
|
networking:
|
|
hostNetworkSet: error
|
|
hostPortSet: error
|
|
security:
|
|
hostIPCSet: error
|
|
hostPIDSet: error
|
|
runAsRootAllowed: warning
|
|
runAsPrivileged: error
|
|
notReadOnlyRootFileSystem: warning
|
|
privilegeEscalationAllowed: error
|
|
capabilities:
|
|
error:
|
|
ifAnyAdded:
|
|
- SYS_ADMIN
|
|
- ALL
|
|
ifAnyNotDropped:
|
|
- ALL
|
|
warning:
|
|
ifAnyAddedBeyond:
|
|
- NONE
|
|
controllers_to_scan:
|
|
- Deployments
|
|
- StatefulSets
|
|
- DaemonSets
|
|
- CronJobs
|
|
- Jobs
|
|
- ReplicationControllers
|
|
exemptions:
|
|
- controllerNames:
|
|
- dns-controller
|
|
- datadog-datadog
|
|
- kube-flannel-ds
|
|
- kube2iam
|
|
- aws-iam-authenticator
|
|
- datadog
|
|
- kube2iam
|
|
rules:
|
|
- hostNetworkSet
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- kubernetes-dashboard
|
|
- install-cni
|
|
- kube2iam
|
|
rules:
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- nginx-ingress-controller
|
|
- nginx-ingress-default-backend
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- tiller
|
|
- kube2iam
|
|
rules:
|
|
- runAsRootAllowed
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- nginx-ingress-controller
|
|
- nginx-ingress-default-backend
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- tiller
|
|
- kube2iam
|
|
rules:
|
|
- notReadOnlyRootFileSystem
|
|
- controllerNames:
|
|
- cert-manager
|
|
- dns-controller
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
rules:
|
|
- cpuRequestsMissing
|
|
- cpuLimitsMissing
|
|
- memoryRequestsMissing
|
|
- memoryLimitsMissing
|
|
- controllerNames:
|
|
- kube2iam
|
|
rules:
|
|
- runAsPrivileged
|