mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-06 09:16:36 +00:00
4dd3a81bbd
* INSIGHTS-448 Add Two Polaris Checks * Added another chec * Added another chec * Added another chec * Added another chec * Added another chec * Added another chec * Fixing issue * Fixing issue * Added another validation * Added some tests cases * Added some tests cases * Update pkg/config/checks/hostProcess.yaml * Update pkg/validator/pod_test.go --------- Co-authored-by: Andy Suderman <andy@fairwinds.com>
319 lines
7.3 KiB
YAML
319 lines
7.3 KiB
YAML
checks:
|
|
# reliability
|
|
deploymentMissingReplicas: warning
|
|
priorityClassNotSet: warning
|
|
tagNotSpecified: danger
|
|
pullPolicyNotAlways: warning
|
|
readinessProbeMissing: warning
|
|
livenessProbeMissing: warning
|
|
metadataAndInstanceMismatched: warning
|
|
pdbDisruptionsIsZero: warning
|
|
missingPodDisruptionBudget: warning
|
|
topologySpreadConstraint: warning
|
|
hpaMaxAvailability: warning
|
|
hpaMinAvailability: warning
|
|
pdbMinAvailableGreaterThanHPAMinReplicas: warning
|
|
|
|
# efficiency
|
|
cpuRequestsMissing: warning
|
|
cpuLimitsMissing: warning
|
|
memoryRequestsMissing: warning
|
|
memoryLimitsMissing: warning
|
|
|
|
# security
|
|
automountServiceAccountToken: warning
|
|
hostIPCSet: danger
|
|
hostPathSet: warning
|
|
hostProcess: warning
|
|
hostPIDSet: danger
|
|
linuxHardening: warning
|
|
missingNetworkPolicy: warning
|
|
notReadOnlyRootFilesystem: warning
|
|
privilegeEscalationAllowed: danger
|
|
procMount: warning
|
|
runAsRootAllowed: danger
|
|
runAsPrivileged: danger
|
|
dangerousCapabilities: danger
|
|
insecureCapabilities: warning
|
|
hostNetworkSet: danger
|
|
hostPortSet: warning
|
|
tlsSettingsMissing: warning
|
|
sensitiveContainerEnvVar: danger
|
|
sensitiveConfigmapContent: danger
|
|
clusterrolePodExecAttach: danger
|
|
rolePodExecAttach: danger
|
|
clusterrolebindingPodExecAttach: danger
|
|
rolebindingClusterRolePodExecAttach: danger
|
|
rolebindingRolePodExecAttach: danger
|
|
clusterrolebindingClusterAdmin: danger
|
|
rolebindingClusterAdminClusterRole: danger
|
|
rolebindingClusterAdminRole: danger
|
|
|
|
|
|
mutations:
|
|
- pullPolicyNotAlways
|
|
|
|
exemptions:
|
|
- namespace: kube-system
|
|
controllerNames:
|
|
- dns-controller
|
|
- ebs-csi-controller
|
|
- ebs-csi-node
|
|
- kindnet
|
|
- kops-controller
|
|
- kube-dns
|
|
- kube-flannel-ds
|
|
- kube-proxy
|
|
- kube-scheduler
|
|
- vpa-recommender
|
|
rules:
|
|
- automountServiceAccountToken
|
|
- linuxHardening
|
|
- missingNetworkPolicy
|
|
- namespace: kube-system
|
|
controllerNames:
|
|
- coredns
|
|
rules:
|
|
- automountServiceAccountToken
|
|
- missingNetworkPolicy
|
|
- namespace: kube-system
|
|
controllerNames:
|
|
- ebs-csi-controller
|
|
rules:
|
|
- sensitiveContainerEnvVar
|
|
- namespace: kube-system
|
|
controllerNames:
|
|
- coredns-autoscaler
|
|
rules:
|
|
- linuxHardening
|
|
- namespace: local-path-storage
|
|
controllerNames:
|
|
- local-path-provisioner
|
|
rules:
|
|
- automountServiceAccountToken
|
|
- linuxHardening
|
|
- missingNetworkPolicy
|
|
- namespace: kube-system
|
|
controllerNames:
|
|
- kube-apiserver
|
|
- kube-proxy
|
|
- kube-scheduler
|
|
- etcd-manager-events
|
|
- kube-controller-manager
|
|
- kube-dns
|
|
- etcd-manager-main
|
|
rules:
|
|
- hostPortSet
|
|
- hostNetworkSet
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- cpuRequestsMissing
|
|
- cpuLimitsMissing
|
|
- memoryRequestsMissing
|
|
- memoryLimitsMissing
|
|
- runAsRootAllowed
|
|
- runAsPrivileged
|
|
- notReadOnlyRootFilesystem
|
|
- hostPIDSet
|
|
- namespace: datadog
|
|
controllerNames:
|
|
- datadogtoken
|
|
rules:
|
|
- sensitiveConfigmapContent
|
|
- namespace: datadog
|
|
controllerNames:
|
|
- datadog-cluster-agent-apiserver
|
|
rules:
|
|
- rolebindingClusterAdminRole
|
|
- rolebindingRolePodExecAttach
|
|
|
|
- controllerNames:
|
|
- ingress-nginx-controller
|
|
rules:
|
|
- sensitiveConfigmapContent
|
|
- controllerNames:
|
|
- ingress-nginx-controller
|
|
- ingress-nginx-default-backend
|
|
- polaris
|
|
- rbac-manager
|
|
rules:
|
|
- automountServiceAccountToken
|
|
- missingNetworkPolicy
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- aws-load-balancer-controller
|
|
- docker-registry
|
|
- external-dns
|
|
- kube2iam
|
|
- metrics-server
|
|
rules:
|
|
- automountServiceAccountToken
|
|
- linuxHardening
|
|
- missingNetworkPolicy
|
|
- controllerNames:
|
|
- oauth2-proxy
|
|
rules:
|
|
- automountServiceAccountToken
|
|
- linuxHardening
|
|
- missingNetworkPolicy
|
|
- sensitiveContainerEnvVar
|
|
- controllerNames:
|
|
- kube-flannel-ds
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
- runAsRootAllowed
|
|
- notReadOnlyRootFilesystem
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- cpuLimitsMissing
|
|
|
|
- controllerNames:
|
|
- cert-manager
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
- runAsRootAllowed
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- automountServiceAccountToken
|
|
- linuxHardening
|
|
- missingNetworkPolicy
|
|
|
|
- controllerNames:
|
|
- cluster-autoscaler
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
- runAsRootAllowed
|
|
- readinessProbeMissing
|
|
- automountServiceAccountToken
|
|
- linuxHardening
|
|
- missingNetworkPolicy
|
|
|
|
- controllerNames:
|
|
- vpa
|
|
rules:
|
|
- runAsRootAllowed
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- notReadOnlyRootFilesystem
|
|
|
|
- controllerNames:
|
|
- datadog
|
|
rules:
|
|
- runAsRootAllowed
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
- notReadOnlyRootFilesystem
|
|
- automountServiceAccountToken
|
|
- linuxHardening
|
|
- missingNetworkPolicy
|
|
- sensitiveContainerEnvVar
|
|
|
|
- controllerNames:
|
|
- nginx-ingress-controller
|
|
rules:
|
|
- privilegeEscalationAllowed
|
|
- insecureCapabilities
|
|
- runAsRootAllowed
|
|
|
|
- controllerNames:
|
|
- dns-controller
|
|
- datadog-datadog
|
|
- kube-flannel-ds
|
|
- kube2iam
|
|
- aws-iam-authenticator
|
|
- datadog
|
|
- kube2iam
|
|
rules:
|
|
- hostNetworkSet
|
|
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- kubernetes-dashboard
|
|
- install-cni
|
|
- kube2iam
|
|
rules:
|
|
- readinessProbeMissing
|
|
- livenessProbeMissing
|
|
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- nginx-ingress-default-backend
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- tiller
|
|
- kube2iam
|
|
rules:
|
|
- runAsRootAllowed
|
|
|
|
- controllerNames:
|
|
- aws-iam-authenticator
|
|
- nginx-ingress-controller
|
|
- nginx-ingress-default-backend
|
|
- aws-cluster-autoscaler
|
|
- kube-state-metrics
|
|
- dns-controller
|
|
- external-dns
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- tiller
|
|
- kube2iam
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
|
|
- controllerNames:
|
|
- cert-manager
|
|
- dns-controller
|
|
- kubedns
|
|
- dnsmasq
|
|
- autoscaler
|
|
- insights-agent-goldilocks-vpa-install
|
|
- datadog
|
|
rules:
|
|
- cpuRequestsMissing
|
|
- cpuLimitsMissing
|
|
- memoryRequestsMissing
|
|
- memoryLimitsMissing
|
|
|
|
- controllerNames:
|
|
- kube2iam
|
|
- kube-flannel-ds
|
|
rules:
|
|
- runAsPrivileged
|
|
|
|
- controllerNames:
|
|
- kube-hunter
|
|
rules:
|
|
- hostPIDSet
|
|
|
|
- controllerNames:
|
|
- polaris
|
|
- kube-hunter
|
|
- goldilocks
|
|
- insights-agent-goldilocks-vpa-install
|
|
rules:
|
|
- notReadOnlyRootFilesystem
|
|
|
|
- controllerNames:
|
|
- insights-agent-goldilocks-controller
|
|
rules:
|
|
- livenessProbeMissing
|
|
- readinessProbeMissing
|
|
|
|
- controllerNames:
|
|
- insights-agent-goldilocks-vpa-install
|
|
- kube-hunter
|
|
rules:
|
|
- runAsRootAllowed
|