change input config to simplify things

checks/cpuLimitsMissing.yaml

@@ -1,5 +1,3 @@
-name: CPULimitsMissing
-id: cpuLimitsMissing
 successMessage: CPU limits are set
 failureMessage: CPU limits should be set
 category: Resources

checks/cpuRequestsMissing.yaml

@@ -1,5 +1,3 @@
-name: CPURequestsMissing
-id: cpuRequestsMissing
 successMessage: CPU requests are set
 failureMessage: CPU requests should be set
 category: Resources

checks/dangerousCapabilities.yaml

@@ -1,5 +1,3 @@
-name: DangerousCapabilities
-id: dangerousCapabilities
 successMessage: Container does not have any dangerous capabilities
 failureMessage: Container should not have dangerous capabilities
 category: Security

checks/hostIPC.yaml → checks/hostIPCSet.yaml

@@ -1,5 +1,3 @@
-name: HostIPCSet
-id: hostIPCSet
 successMessage: Host IPC is not configured
 failureMessage: Host IPC should not be configured
 category: Security

checks/hostNetwork.yaml → checks/hostNetworkSet.yaml

@@ -1,5 +1,3 @@
-name: HostNetworkSet
-id: hostNetworkSet
 successMessage: Host network is not configured
 failureMessage: Host network should not be configured
 category: Networking

checks/hostPID.yaml → checks/hostPIDSet.yaml

@@ -1,5 +1,3 @@
-name: HostPIDSet
-id: hostPIDSet
 successMessage: Host PID is not configured
 failureMessage: Host PID should not be configured
 category: Security

checks/hostPortSet.yaml

@@ -1,5 +1,3 @@
-name: HostPortSet
-id: hostPortSet
 successMessage: Host port is not configured
 failureMessage: Host port should not be configured
 category: Networking

checks/insecureCapabilities.yaml

@@ -1,5 +1,3 @@
-name: InsecureCapabilities
-id: insecureCapabilities
 successMessage: Container does not have any insecure capabilities
 failureMessage: Container should not have insecure capabilities
 category: Security

checks/livenessProbe.yaml → checks/livenessProbeMissing.yaml

@@ -1,5 +1,3 @@
-name: LivenessProbeMissing
-id: livenessProbeMissing
 successMessage: Liveness probe is configured
 failureMessage: Liveness probe should be configured
 category: Health Checks

checks/memoryLimitsMissing.yaml

@@ -1,5 +1,3 @@
-name: MemoryLimitsMissing
-id: memoryLimitsMissing
 successMessage: Memory limits are set
 failureMessage: Memory limits should be set
 category: Resources

checks/memoryRequestsMissing.yaml

@@ -1,5 +1,3 @@
-name: MemoryRequestsMissing
-id: memoryRequestsMissing
 successMessage: Memory requests are set
 failureMessage: Memory requests should be set
 category: Resources

checks/notReadOnlyRootFileSystem.yaml

@@ -1,5 +1,3 @@
-name: NotReadOnlyRootFileSystem
-id: notReadOnlyRootFileSystem
 successMessage: Filesystem is read only
 failureMessage: Filesystem should be read only
 category: Security

checks/privilegeEscalationAllowed.yaml

@@ -1,5 +1,3 @@
-name: PrivilegeEscalationAllowed
-id: privilegeEscalationAllowed
 successMessage: Privilege escalation not allowed
 failureMessage: Privilege escalation should not be allowed
 category: Security

checks/pullPolicyNotAlways.yaml

@@ -1,5 +1,3 @@
-name: PullPolicyNotAlways
-id: pullPolicyNotAlways
 successMessage: Image pull policy is "Always"
 failureMessage: Image pull policy should be "Always"
 category: Images

checks/readinessProbe.yaml → checks/readinessProbeMissing.yaml

@@ -1,5 +1,3 @@
-name: ReadinessProbeMissing
-id: readinessProbeMissing
 successMessage: Readiness probe is configured
 failureMessage: Readiness probe should be configured
 category: Health Checks

checks/runAsPrivileged.yaml

@@ -1,5 +1,3 @@
-name: RunAsPrivileged
-id: runAsPrivileged
 successMessage: Not running as privileged
 failureMessage: Should not be running as privileged
 category: Security

checks/runAsRootAllowed.yaml

@@ -1,5 +1,3 @@
-name: RunAsRootAllowed
-id: runAsRootAllowed
 successMessage: Is not allowed to run as root
 failureMessage: Should not be allowed to run as root
 category: Security

checks/tagNotSpecified.yaml

@@ -1,5 +1,3 @@
-name: TagNotSpecified
-id: tagNotSpecified
 successMessage: Image tag is specified
 failureMessage: Image tag should be specified
 category: Images

deploy/dashboard.yaml

@@ -154,6 +154,7 @@ metadata:
   namespace: polaris
   labels:
     app: polaris
+    foo: bar
     component: dashboard
 spec:
   replicas: 1

examples/config.yaml

@@ -1,18 +1,19 @@
-resources:
+checks:
+  # resources
   cpuRequestsMissing: warning
   cpuLimitsMissing: warning
   memoryRequestsMissing: warning
   memoryLimitsMissing: warning
-images:
+  # images
   tagNotSpecified: error
   pullPolicyNotAlways: ignore
-healthChecks:
+  # healthChecks
   readinessProbeMissing: warning
   livenessProbeMissing: warning
-networking:
+  # networking
   hostNetworkSet: warning
   hostPortSet: warning
-security:
+  # security
   hostIPCSet: error
   hostPIDSet: error
   notReadOnlyRootFileSystem: warning
@@ -21,7 +22,7 @@ security:
   runAsPrivileged: error
   dangerousCapabilities: error
   insecureCapabilities: warning
-controllers_to_scan:
+controllersToScan:
   - Deployments
   - StatefulSets
   - DaemonSets

pkg/config/config.go

@@ -29,13 +29,8 @@ import (
 // Configuration contains all of the config for the validation checks.
 type Configuration struct {
 	DisplayName        string                 `json:"displayName"`
-	Resources          Resources              `json:"resources"`
-	HealthChecks       HealthChecks           `json:"healthChecks"`
-	Images             Images                 `json:"images"`
-	Networking         Networking             `json:"networking"`
-	Security           Security               `json:"security"`
 	Checks             map[string]Severity    `json:"checks"`
-	ControllersToScan  []SupportedController  `json:"controllers_to_scan"`
+	ControllersToScan  []SupportedController  `json:"controllersToScan"`
 	CustomChecks       map[string]SchemaCheck `json:"customChecks"`
 	Exemptions         []Exemption            `json:"exemptions"`
 	DisallowExemptions bool                   `json:"disallowExemptions"`

pkg/config/config_test.go

@@ -29,18 +29,18 @@ import (
 var confInvalid = `test`
 
 var confValidYAML = `
-resources:
+checks:
   cpuRequestsMissing: warning
-controllers_to_scan:
+controllersToScan:
   - Deployments
 `
 
 var confValidJSON = `
 {
-  "resources": {
+  "checks": {
     "cpuRequestsMissing": "warning"
   },
-  "controllers_to_scan": ["Deployments"]
+  "controllersToScan": ["Deployments"]
 }
 `
 
@@ -96,7 +96,7 @@ func TestConfigNoServerError(t *testing.T) {
 }
 
 func testParsedConfig(t *testing.T, config *Configuration) {
-	assert.Equal(t, SeverityWarning, config.Resources.CPURequestsMissing)
-	assert.Equal(t, Severity(""), config.Resources.CPULimitsMissing)
+	assert.Equal(t, SeverityWarning, config.Checks["cpuRequestsMissing"])
+	assert.Equal(t, Severity(""), config.Checks["cpuLimitsMissing"])
 	assert.ElementsMatch(t, []SupportedController{Deployments}, config.ControllersToScan)
 }

pkg/config/exemptions.go

@@ -1,19 +1,12 @@
 package config
 
 import (
-	"reflect"
 	"strings"
 )
 
 // IsActionable determines whether a check is actionable given the current configuration
-func (conf Configuration) IsActionable(subConf interface{}, ruleName, controllerName string) bool {
-	if subConfStr, ok := subConf.(string); ok {
-		subConf = conf.GetCategoryConfig(subConfStr)
-	}
-	ruleID := GetIDFromField(subConf, ruleName)
-	subConfRef := reflect.ValueOf(subConf)
-	fieldVal := reflect.Indirect(subConfRef).FieldByName(ruleName).Interface()
-	if severity, ok := fieldVal.(Severity); ok && !severity.IsActionable() {
+func (conf Configuration) IsActionable(ruleID, controllerName string) bool {
+	if severity, ok := conf.Checks[ruleID]; !ok || !severity.IsActionable() {
 		return false
 	}
 	if conf.DisallowExemptions {
@@ -33,31 +26,3 @@ func (conf Configuration) IsActionable(subConf interface{}, ruleName, controller
 	}
 	return true
 }
-
-// GetCategoryConfig returns the configuration for a particular category name
-func (conf Configuration) GetCategoryConfig(category string) interface{} {
-	if category == "Networking" {
-		return conf.Networking
-	} else if category == "Security" {
-		return conf.Security
-	} else if category == "Health Checks" {
-		return conf.HealthChecks
-	} else if category == "Resources" {
-		return conf.Resources
-	} else if category == "Images" {
-		return conf.Images
-	}
-	return nil
-}
-
-// GetSeverity returns the severity configured for a particular check
-func (conf Configuration) GetSeverity(category string, name string) Severity {
-	subConf := conf.GetCategoryConfig(category)
-	subConfRef := reflect.ValueOf(subConf)
-	fieldVal := reflect.Indirect(subConfRef).FieldByName(name).Interface()
-	if severity, ok := fieldVal.(Severity); ok {
-		return severity
-	}
-	// TODO: don't panic
-	panic("Unknown severity: " + category + "/" + name)
-}

pkg/config/schema.go

@@ -95,7 +95,6 @@ const (
 
 // SchemaCheck is a Polaris check that runs using JSON Schema
 type SchemaCheck struct {
-	Name           string                `yaml:"name"`
 	ID             string                `yaml:"id"`
 	Category       string                `yaml:"category"`
 	SuccessMessage string                `yaml:"successMessage"`