Merge remote-tracking branch 'origin/master' into jd/admission-contro…

…ller-validation-fix
FairwindsOps · Feb 16, 2021 · 4a6f4e9 · 4a6f4e9
2 parents 81f9d51 + 3e49a3a
commit 4a6f4e9
Show file tree

Hide file tree

Showing 109 changed files with 510 additions and 1,099 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -169,6 +169,21 @@ jobs:
       - *update_coverage
       - *test_binary_dashboard
 
+  insights:
+    docker:
+      - image: quay.io/reactiveops/ci-images:v11.0-stretch
+    steps:
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Adjust configs for latest image
+          command: |
+            sed -r "s|'(quay.io/fairwinds/polaris:).+'|'\1${CIRCLE_SHA1}'|" ./deploy/webhook.yaml > ./deploy/dashboard.yaml
+            sed -r "s|'(quay.io/fairwinds/polaris:).+'|'\1${CIRCLE_SHA1}'|" ./deploy/dashboard.yaml > ./deploy/webhook.yaml
+      - run:
+          name: Insights CI
+          command: curl -L https://insights.fairwinds.com/v0/insights-ci.sh | bash
+
   release_binary:
     working_directory: /go/src/github.com/fairwindsops/polaris/
     docker:
@@ -194,6 +209,31 @@ jobs:
       - *set_environment_variables
       - *docker_build_and_push
 
+  publish_docs:
+    docker:
+      - image: cimg/node:15.5.1
+    steps:
+      - checkout
+      - run:
+          name: Build Docs Site
+          command: |
+            set -e
+            cd ./docs
+            npm install
+            npm run check-links
+            npm run build
+      - run:
+          name: Install AWS CLI
+          command: |
+            curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+            unzip awscliv2.zip
+            sudo ./aws/install
+      - run:
+          name: Publish Docs Site to S3
+          command: |
+            cd ./dist
+            aws s3 sync ./ s3://polaris.docs.fairwinds.com --delete
+
 workflows:
   version: 2
 
@@ -210,6 +250,12 @@ workflows:
           filters:
             branches:
               ignore: /pull\/[0-9]+/
+      - insights:
+          requires:
+            - push
+          filters:
+            branches:
+              ignore: /pull\/[0-9]+/
       - test_k8s:
           requires:
             - push
@@ -224,7 +270,6 @@ workflows:
           filters:
             branches:
               ignore: /.*/
-            # Testing tags are reserved for testing circle test + build steps
             tags:
               ignore: /^testing-.*/
       - release_images:
@@ -234,6 +279,11 @@ workflows:
           filters:
             branches:
               ignore: /.*/
-            # Testing tags are reserved for testing circle test + build steps
+            tags:
+              ignore: /^testing-.*/
+      - publish_docs:
+          filters:
+            branches:
+              ignore: /.*/
             tags:
               ignore: /^testing-.*/
diff --git a/.github/actions/setup-polaris/Dockerfile b/.github/actions/setup-polaris/Dockerfile
@@ -0,0 +1,15 @@
+# The action uses an own Dockerfile on purpose because the root Dockerfile takes way too long to build for an action
+
+FROM alpine:3.10
+
+RUN	apk add --no-cache \
+  bash \
+  ca-certificates \
+  curl \
+  wget \
+  tar \
+  jq
+
+COPY get_polaris.sh /get_polaris.sh
+
+ENTRYPOINT ["/get_polaris.sh"]
diff --git a/.github/actions/setup-polaris/action.yaml b/.github/actions/setup-polaris/action.yaml
@@ -0,0 +1,22 @@
+name: 'Install polaris'
+description: 'Download a specific polaris version'
+
+inputs:
+  version:
+    description: 'version of polaris'
+    required: true
+    default: 'latest'
+
+runs:
+  using: 'docker'
+  image: './Dockerfile'
+  args:
+    - ${{ inputs.version }}
+
+outputs:
+  version:
+    description: 'Version of polaris installed'
+
+branding:
+  icon: 'download-cloud'
+  color: 'gray-dark'
diff --git a/.github/actions/setup-polaris/get_polaris.sh b/.github/actions/setup-polaris/get_polaris.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+if [[ -z "$INPUT_VERSION" ]]; then
+  echo "Missing polaris version information"
+  exit 1
+fi
+polaris version | grep "$INPUT_VERSION" &> /dev/null
+if [ $? == 0 ]; then
+   echo "Polaris $INPUT_VERSION is already installed! Exiting gracefully."
+   exit 0
+else
+  echo "Installing polaris to path."
+fi
+TARGET_FILE="polaris.tar.gz"
+curl -LJ -o $TARGET_FILE 'https://github.com/FairwindsOps/polaris/releases/download/'"$INPUT_VERSION"'/polaris_'"$INPUT_VERSION"'_linux_386.tar.gz'
+mkdir polaris
+tar -xzf $TARGET_FILE -C polaris
+rm $TARGET_FILE
+echo "polaris" >> $GITHUB_PATH
+echo "::set-output name=version::$INPUT_VERSION"
diff --git a/.github/workflows/build-site.yml b/.github/workflows/build-site.yml
diff --git a/.github/workflows/test_setup.yml b/.github/workflows/test_setup.yml
@@ -0,0 +1,27 @@
+name: Test setup-polaris
+on:
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build-int:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup polaris
+        uses: ./.github/actions/setup-polaris
+        with:
+          version: 3.0.3
+      - name: Use command
+        run: polaris version
+
+  build-ext:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup polaris
+        uses: fairwindsops/polaris/.github/actions/setup-polaris@master
+        with:
+          version: 3.0.3
+      - name: Use command
+        run: polaris version
diff --git a/.gitignore b/.gitignore
@@ -26,3 +26,4 @@ dist
 *-test.yaml
 
 node_modules
+/dist
diff --git a/Dockerfile b/Dockerfile
@@ -15,7 +15,7 @@ RUN go get -u github.com/gobuffalo/packr/v2/packr2
 COPY . .
 RUN packr2 build -a -o polaris *.go
 
-FROM alpine:3.10
+FROM alpine:3.13
 WORKDIR /usr/local/bin
 RUN apk --no-cache add ca-certificates
 

diff --git a/README.md b/README.md
@@ -3,19 +3,22 @@
   <br>
   <h3>Best Practices for Kubernetes Workload Configuration</h3>
   <a href="https://github.com/FairwindsOps/polaris">
-    <img src="https://img.shields.io/static/v1.svg?label=Version&message=3.0.0&color=239922">
+    <img src="https://img.shields.io/static/v1.svg?label=Version&message=3.1.3&color=239922">
   </a>
   <a href="https://goreportcard.com/report/github.com/FairwindsOps/polaris">
     <img src="https://goreportcard.com/badge/github.com/FairwindsOps/polaris">
   </a>
   <a href="https://circleci.com/gh/FairwindsOps/polaris.svg">
     <img src="https://circleci.com/gh/FairwindsOps/polaris.svg?style=svg">
   </a>
+  <a href="https://insights.fairwinds.com/gh/FairwindsOps/polaris">
+    <img src="https://insights.fairwinds.com/v0/gh/FairwindsOps/polaris/badge.svg">
+  </a>
 </div>
 
 Fairwinds' Polaris keeps your clusters sailing smoothly. It runs a variety of checks to ensure that
 Kubernetes pods and controllers are configured using best practices, helping you avoid
-problems in the future. Polaris can be run in a few different modes:
+problems in the future.
 
 Polaris can be run in three different modes:
 * As a [dashboard](https://polaris.docs.fairwinds.com/dashboard), so you can audit what's running inside your cluster.

diff --git a/checks/insecureCapabilities.yaml b/checks/insecureCapabilities.yaml
@@ -5,27 +5,53 @@ target: Container
 schema:
   '$schema': http://json-schema.org/draft-07/schema
   type: object
+  required:
+  - securityContext
   properties:
     securityContext:
       type: object
+      required:
+      - capabilities
       properties:
         capabilities:
           type: object
+          required:
+          - drop
           properties:
-            add:
-              enum:
-              - CHOWN
-              - DAC_OVERRIDE
-              - FSETID
-              - FOWNER
-              - MKNOD
-              - NET_RAW
-              - SETGID
-              - SETUID
-              - SETFCAP
-              - SETPCAP
-              - NET_BIND_SERVICE
-              - SYS_CHROOT
-              - KILL
-              - AUDIT_WRITE
+            drop:
+              type: array
+              oneOf:
+              - contains:
+                  const: ALL
+              - allOf:
+                - contains:
+                    const: NET_ADMIN
+                - contains:
+                    const: CHOWN
+                - contains:
+                    const: DAC_OVERRIDE
+                - contains:
+                    const: FSETID
+                - contains:
+                    const: FOWNER
+                - contains:
+                    const: MKNOD
+                - contains:
+                    const: NET_RAW
+                - contains:
+                    const: SETGID
+                - contains:
+                    const: SETUID
+                - contains:
+                    const: SETFCAP
+                - contains:
+                    const: SETPCAP
+                - contains:
+                    const: NET_BIND_SERVICE
+                - contains:
+                    const: SYS_CHROOT
+                - contains:
+                    const: KILL
+                - contains:
+                    const: AUDIT_WRITE
 
diff --git a/checks/privilegeEscalationAllowed.yaml b/checks/privilegeEscalationAllowed.yaml
@@ -5,9 +5,12 @@ target: Container
 schema:
   '$schema': http://json-schema.org/draft-07/schema
   type: object
+  required:
+  - securityContext
   properties:
     securityContext:
+      required:
+      - allowPrivilegeEscalation
       properties:
         allowPrivilegeEscalation:
-          not:
-            const: true
+          const: false
diff --git a/cmd/polaris/dashboard.go b/cmd/polaris/dashboard.go
@@ -27,10 +27,12 @@ import (
 var serverPort int
 var basePath string
 var loadAuditFile string
+var listeningAddress string
 
 func init() {
 	rootCmd.AddCommand(dashboardCmd)
 	dashboardCmd.PersistentFlags().IntVarP(&serverPort, "port", "p", 8080, "Port for the dashboard webserver.")
+	dashboardCmd.PersistentFlags().StringVar(&listeningAddress, "listening-address", "", "Listening Address for the dashboard webserver.")
 	dashboardCmd.PersistentFlags().StringVar(&basePath, "base-path", "/", "Path on which the dashboard is served.")
 	dashboardCmd.PersistentFlags().StringVar(&loadAuditFile, "load-audit-file", "", "Runs the dashboard with data saved from a past audit.")
 	dashboardCmd.PersistentFlags().StringVar(&auditPath, "audit-path", "", "If specified, audits one or more YAML files instead of a cluster.")
@@ -59,6 +61,6 @@ var dashboardCmd = &cobra.Command{
 		http.Handle("/", router)
 
 		logrus.Infof("Starting Polaris dashboard server on port %d", serverPort)
-		logrus.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", serverPort), nil))
+		logrus.Fatal(http.ListenAndServe(fmt.Sprintf("%s:%d", listeningAddress, serverPort), nil))
 	},
 }
diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml
@@ -49,7 +49,7 @@ subjects:
     namespace: polaris
 ---
 # Source: polaris/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: polaris
@@ -109,7 +109,7 @@ spec:
       - command:
         - polaris
         - dashboard
-        image: 'quay.io/fairwinds/polaris:3.0'
+        image: 'quay.io/fairwinds/polaris:3.1'
         imagePullPolicy: 'Always'
         name: dashboard
         ports:

diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
@@ -49,7 +49,7 @@ subjects:
     namespace: polaris
 ---
 # Source: polaris/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: polaris
@@ -109,7 +109,7 @@ spec:
           command:
             - polaris
             - webhook
-          image: 'quay.io/fairwinds/polaris:3.0'
+          image: 'quay.io/fairwinds/polaris:3.1'
           imagePullPolicy: 'Always'
           ports:
             - containerPort: 9876