chore: Upgrade polaris to 1.1.0 (#86)

Resolves: #33
aquasecurity · Jul 10, 2020 · 44210b1 · 44210b1
1 parent d43faef
commit 44210b1
Show file tree

Hide file tree

Showing 2 changed files with 148 additions and 91 deletions.
diff --git a/pkg/kube/cr_manager.go b/pkg/kube/cr_manager.go
@@ -15,15 +15,17 @@ import (
 )
 
 const (
-	polarisConfigYAML = `---
-checks:
+	polarisConfigYAML = `checks:
+  # reliability
+  multipleReplicasForDeployment: ignore
+  priorityClassNotSet: ignore
   # resources
   cpuRequestsMissing: warning
   cpuLimitsMissing: warning
   memoryRequestsMissing: warning
   memoryLimitsMissing: warning
   # images
-  tagNotSpecified: error
+  tagNotSpecified: danger
   pullPolicyNotAlways: ignore
   # healthChecks
   readinessProbeMissing: warning
@@ -32,114 +34,170 @@ checks:
   hostNetworkSet: warning
   hostPortSet: warning
   # security
-  hostIPCSet: error
-  hostPIDSet: error
-  notReadOnlyRootFileSystem: warning
-  privilegeEscalationAllowed: error
+  hostIPCSet: danger
+  hostPIDSet: danger
+  notReadOnlyRootFilesystem: warning
+  privilegeEscalationAllowed: danger
   runAsRootAllowed: warning
-  runAsPrivileged: error
-  dangerousCapabilities: error
+  runAsPrivileged: danger
+  dangerousCapabilities: danger
   insecureCapabilities: warning
-controllersToScan:
-  - Deployments
-  - StatefulSets
-  - DaemonSets
-  - CronJobs
-  - Jobs
-  - ReplicationControllers
 exemptions:
   - controllerNames:
-      - dns-controller
-      - datadog-datadog
-      - kube-flannel-ds
-      - kube2iam
-      - aws-iam-authenticator
-      - datadog
-      - kube2iam
+    - kube-apiserver
+    - kube-proxy
+    - kube-scheduler
+    - etcd-manager-events
+    - kube-controller-manager
+    - kube-dns
+    - etcd-manager-main
     rules:
-      - hostNetworkSet
+    - hostPortSet
+    - hostNetworkSet
+    - readinessProbeMissing
+    - livenessProbeMissing
+    - cpuRequestsMissing
+    - cpuLimitsMissing
+    - memoryRequestsMissing
+    - memoryLimitsMissing
+    - runAsRootAllowed
+    - runAsPrivileged
+    - notReadOnlyRootFilesystem
+    - hostPIDSet
   - controllerNames:
-      - aws-iam-authenticator
-      - aws-cluster-autoscaler
-      - kube-state-metrics
-      - dns-controller
-      - external-dns
-      - dnsmasq
-      - autoscaler
-      - kubernetes-dashboard
-      - install-cni
-      - kube2iam
+    - kube-flannel-ds
     rules:
-      - readinessProbeMissing
-      - livenessProbeMissing
+    - notReadOnlyRootFilesystem
+    - runAsRootAllowed
+    - notReadOnlyRootFilesystem
+    - readinessProbeMissing
+    - livenessProbeMissing
+    - cpuLimitsMissing
   - controllerNames:
-      - aws-iam-authenticator
-      - nginx-ingress-controller
-      - nginx-ingress-default-backend
-      - aws-cluster-autoscaler
-      - kube-state-metrics
-      - dns-controller
-      - external-dns
-      - kubedns
-      - dnsmasq
-      - autoscaler
-      - tiller
-      - kube2iam
+    - cert-manager
     rules:
-      - runAsRootAllowed
+    - notReadOnlyRootFilesystem
+    - runAsRootAllowed
+    - readinessProbeMissing
+    - livenessProbeMissing
   - controllerNames:
-      - aws-iam-authenticator
-      - nginx-ingress-controller
-      - nginx-ingress-default-backend
-      - aws-cluster-autoscaler
-      - kube-state-metrics
-      - dns-controller
-      - external-dns
-      - kubedns
-      - dnsmasq
-      - autoscaler
-      - tiller
-      - kube2iam
+    - cluster-autoscaler
     rules:
-      - notReadOnlyRootFileSystem
+    - notReadOnlyRootFilesystem
+    - runAsRootAllowed
+    - readinessProbeMissing
   - controllerNames:
-      - cert-manager
-      - dns-controller
-      - kubedns
-      - dnsmasq
-      - autoscaler
-      - insights-agent-goldilocks-vpa-install
+    - vpa
     rules:
-      - cpuRequestsMissing
-      - cpuLimitsMissing
-      - memoryRequestsMissing
-      - memoryLimitsMissing
+    - runAsRootAllowed
+    - readinessProbeMissing
+    - livenessProbeMissing
+    - notReadOnlyRootFilesystem
   - controllerNames:
-      - kube2iam
-      - kube-flannel-ds
+    - datadog
     rules:
-      - runAsPrivileged
+    - runAsRootAllowed
+    - readinessProbeMissing
+    - livenessProbeMissing
+    - notReadOnlyRootFilesystem
   - controllerNames:
-      - kube-hunter
+    - nginx-ingress-controller
     rules:
-      - hostPIDSet
+    - privilegeEscalationAllowed
+    - insecureCapabilities
+    - runAsRootAllowed
   - controllerNames:
-      - polaris
-      - kube-hunter
-      - goldilocks
-      - insights-agent-goldilocks-vpa-install
+    - dns-controller
+    - datadog-datadog
+    - kube-flannel-ds
+    - kube2iam
+    - aws-iam-authenticator
+    - datadog
+    - kube2iam
     rules:
-      - notReadOnlyRootFileSystem
+    - hostNetworkSet
   - controllerNames:
-      - insights-agent-goldilocks-controller
+    - aws-iam-authenticator
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - dnsmasq
+    - autoscaler
+    - kubernetes-dashboard
+    - install-cni
+    - kube2iam
     rules:
-      - livenessProbeMissing
-      - readinessProbeMissing
+    - readinessProbeMissing
+    - livenessProbeMissing
   - controllerNames:
-      - insights-agent-goldilocks-vpa-install
-      - kube-hunter
+    - aws-iam-authenticator
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
     rules:
-      - runAsRootAllowed
+    - runAsRootAllowed
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - notReadOnlyRootFilesystem
+  - controllerNames:
+    - cert-manager
+    - dns-controller
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - insights-agent-goldilocks-vpa-install
+    - datadog
+    rules:
+    - cpuRequestsMissing
+    - cpuLimitsMissing
+    - memoryRequestsMissing
+    - memoryLimitsMissing
+  - controllerNames:
+    - kube2iam
+    - kube-flannel-ds
+    rules:
+    - runAsPrivileged
+  - controllerNames:
+    - kube-hunter
+    rules:
+    - hostPIDSet
+  - controllerNames:
+    - polaris
+    - kube-hunter
+    - goldilocks
+    - insights-agent-goldilocks-vpa-install
+    rules:
+    - notReadOnlyRootFilesystem
+  - controllerNames:
+    - insights-agent-goldilocks-controller
+    rules:
+    - livenessProbeMissing
+    - readinessProbeMissing
+  - controllerNames:
+    - insights-agent-goldilocks-vpa-install
+    - kube-hunter
+    rules:
+    - runAsRootAllowed
 `
 )
 

diff --git a/pkg/polaris/scanner.go b/pkg/polaris/scanner.go
@@ -24,8 +24,7 @@ import (
 
 const (
 	polarisContainerName = "polaris"
-	// TODO: The latest semver tagged image 0.6.0 doesn't return audit checks ?!
-	polarisContainerImage = "quay.io/fairwinds/polaris:cfc0d213cd603793d8e36eecfb0def1579a34997"
+	polarisContainerImage = "quay.io/fairwinds/polaris:1.1.0"
 	polarisConfigVolume   = "config-volume"
 	polarisConfigMap      = "polaris"
 )
@@ -141,7 +140,7 @@ func (s *Scanner) preparePolarisJob() *batch.Job {
 								},
 							},
 							Command: []string{"polaris"},
-							Args:    []string{"audit", "--log-level", "error"},
+							Args:    []string{"audit", "--log-level", "error", "--config", "/examples/config.yaml"},
 						},
 					},
 				},