polaris/examples/config-full.yaml

checks:
  # reliability
  deploymentMissingReplicas: warning
  priorityClassNotSet: warning
  tagNotSpecified: danger
  pullPolicyNotAlways: warning
  readinessProbeMissing: warning
  livenessProbeMissing: warning
  # efficiency
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  memoryRequestsMissing: warning
  memoryLimitsMissing: warning
  # security
  automountServiceAccountToken: warning
  hostIPCSet: danger
  hostPIDSet: danger
  linuxHardening: danger
  missingNetworkPolicy: warning
  notReadOnlyRootFilesystem: warning
  privilegeEscalationAllowed: danger
  runAsRootAllowed: danger
  runAsPrivileged: danger
  dangerousCapabilities: danger
  insecureCapabilities: warning
  hostNetworkSet: danger
  hostPortSet: warning
  sensitiveContainerEnvVar: danger
  sensitiveConfigmapContent: danger
  # custom
  resourceLimits: warning
  imageRegistry: danger

  
exemptions:
  - controllerNames:
    - my-network-controller
    rules:
    - hostNetworkSet
    - hostPortSet
  - namespace: kube-system
    controllerNames:
      - my-network-controller
    rules:
      - hostNetworkSet
      - hostPortSet

customChecks:
  resourceLimits:
    containers:
      exclude:
      - initContainer
    successMessage: Resource limits are within the required range
    failureMessage: Resource limits should be within the required range
    category: Resources
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      required:
      - resources
      properties:
        resources:
          type: object
          required:
          - limits
          properties:
            limits:
              type: object
              required:
              - memory
              - cpu
              properties:
                memory:
                  type: string
                  resourceMinimum: 100M
                  resourceMaximum: 6G
                cpu:
                  type: string
                  resourceMinimum: 100m
                  resourceMaximum: "2"
  imageRegistry:
    successMessage: Image comes from allowed registries
    failureMessage: Image should not be from disallowed registry
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          not:
            pattern: ^quay.io