Additional Pod Controller Scans (#166)

**Changes**

- Refactored the way controllers work to be an interface
- Added configurable controllers to include in scans
- Added daemonsets, jobs and cronjobs in scans
- Added `ReplicationController` type controllers to the supported list
- Adjusted logic for failed YAML parsing to bubble up errors
- Added better logic for calculating summaries on cluster wide results
- Relocated responsibilities for counting types into validators vs spreading it around more packages
- Fixed bug where cronjob parsing was using wrong KIND
- Added fixtures for mocking new controller types
- Added example yamls to test scanning files
- Added functions to NamespacedResult(s) to reduce code complexity deep set iterations
- Refactored how results get added to namespacedresults so adding more later is easier
- Minor signature changes for interface implementing structs for controllers

.circleci/config.yml

@@ -70,6 +70,7 @@ references:
     run:
       name: Test Dashboard
       command: |
+        sed -ri "s|'(quay.io/reactiveops/polaris:).+'|'\1${CIRCLE_SHA1}'|" ./deploy/dashboard.yaml
         kubectl apply -f ./deploy/dashboard.yaml
         sleep 10
         kubectl get pods --namespace polaris
@@ -172,11 +173,6 @@ workflows:
   build:
     jobs:
       - test
-      - test_k8s:
-          # Ignore update-version branch, which changes deploy/ image references before the images are built
-          filters:
-            branches:
-              ignore: /.*\/update-version/
       - build:
           requires:
             - test
@@ -185,6 +181,9 @@ workflows:
           filters:
             tags:
               only: /^testing-.*/
+      - test_k8s:
+          requires:
+            - build
   release:
     jobs:
       - release_binary:

CHANGELOG.md

@@ -1,5 +1,8 @@
 # x.x.x (next release)
 
+# 0.4.0
+* Added additional Pod Controllers to scan PodSpec (`jobs`, `cronjobs`, `daemonsets`, `replicationcontrollers`)
+
 # 0.3.1
 * Changed dashboard branding to refer to new org name Fairwinds
 

README.md

@@ -24,14 +24,17 @@ problems in the future. Polaris can be run in a few different modes:
 
 **Want to learn more?** Fairwinds holds [office hours on Zoom](https://zoom.us/j/242508205) the first Friday of every month, at 12pm Eastern. You can also reach out via email at `opensource@fairwinds.com`
 
-## Quickstart
+# Dashboard Quickstart
 
 ```
 kubectl apply -f https://github.com/FairwindsOps/polaris/releases/latest/download/dashboard.yaml
 kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
 ```
 With the port forwarding in place, you can open http://localhost:8080 in your browser to view the dashboard.
 
+* * *
+
+# Components
 ## Dashboard
 
 The Polaris dashboard is a way to get a simple visual overview of the current state of your Kubernetes deployments as well as a roadmap for what can be improved. The dashboard provides a cluster wide overview as well as breaking out results by category, namespace, and deployment.
@@ -42,162 +45,25 @@ The Polaris dashboard is a way to get a simple visual overview of the current st
 
 Our default standards in Polaris are rather high, so don’t be surprised if your score is lower than you might expect. A key goal for Polaris was to set a high standard and aim for great configuration by default. If the defaults we’ve included are too strict, it’s easy to adjust the configuration as part of the deployment configuration to better suit your workloads.
 
+
 ## Webhook
 
 Polaris includes experimental support for an optional validating webhook. This accepts the same configuration as the dashboard, and can run the same validations. This webhook will reject any deployments that trigger a validation error. This is indicative of the greater goal of Polaris, not just to encourage better configuration through dashboard visibility, but to actually enforce it with this webhook. *Although we are working towards greater stability and better test coverage, we do not currently consider this webhook component production ready.*
 
 Unfortunately we have not found a way to display warnings as part of `kubectl` output unless we are rejecting a deployment altogether. That means that any checks with a severity of `warning` will still pass webhook validation, and the only evidence of that warning will either be in the Polaris dashboard or the Polaris webhook logs.
 
-## Installation and Usage
-Polaris can be installed on your cluster using kubectl or Helm. It can also
-be run as a local binary, which will use your kubeconfig to connect to the cluster
-or run against local YAML files.
-
-### kubectl
-#### Dashboard
-```
-kubectl apply -f https://github.com/FairwindsOps/polaris/releases/latest/download/dashboard.yaml
-kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
-```
-
-#### Webhook
-```
-kubectl apply -f https://github.com/FairwindsOps/polaris/releases/latest/download/webhook.yaml
-```
-
-### Helm
-Start by adding the Fairwinds Helm repo:
-```
-helm repo add fairwinds-stable https://charts.fairwinds.com/stable
-```
-
-#### Dashboard
-```
-helm upgrade --install polaris fairwinds-stable/polaris --namespace polaris
-kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
-```
-
-#### Webhook
-```
-helm upgrade --install polaris fairwinds-stable/polaris --namespace polaris \
-  --set webhook.enable=true --set dashboard.enable=false
-```
-
-### Local Binary
-#### Installation
-Binary releases are available on the [releases page](https://github.com/FairwindsOps/polaris/releases) or can be installed with [Homebrew](https://brew.sh/):
-```
-brew tap FairwindsOps/tap
-brew install FairwindsOps/tap/polaris
-polaris --version
-```
-
-You can run `polaris --help` to see a full list of options.
-
-#### Dashboard
-The dashboard can be run on your local machine, without installing anything on the cluster.
-Polaris will use your local kubeconfig to connect to the cluster.
-
-```
-polaris --dashboard --dashboard-port 8080
-```
-
-#### Audits
-You can also run audits on the command line and see the output as JSON, YAML, or a raw score:
-```
-polaris --audit --output-format yaml > report.yaml
-polaris --audit --output-format score
-# 92
-```
-
-Both the dashboard and audits can run against a local directory or YAML file
-rather than a cluster:
-```
-polaris --audit --audit-path ./deploy/
-```
-
-##### Running with CI/CD
-You can integrate Polaris into CI/CD for repositories containing infrastructure-as-code.
-For example, to fail if polaris detects *any* error-level issues, or if the score drops below 90%:
-```bash
-polaris --audit --audit-path ./deploy/ \
-  --set-exit-code-on-error \
-  --set-exit-code-below-score 90
-```
-
-## Configuration
-
-Polaris supports a wide range of validations covering a number of Kubernetes best practices. Here's a sample configuration file that includes all currently supported checks. The [default configuration](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) contains a number of those checks. This repository also includes a sample [full configuration file](https://github.com/FairwindsOps/polaris/blob/master/examples/config-full.yaml) that enables all available checks.
-
-Each check can be assigned a `severity`. Only checks with a severity of `error` or `warning` will be validated. The results of these validations are visible on the dashboard. In the case of the validating webhook, only failures with a severity of `error` will result in a change being rejected.
-
-Polaris validation checks fall into several different categories:
-
-- [Health Checks](docs/health-checks.md)
-- [Images](docs/images.md)
-- [Networking](docs/networking.md)
-- [Resources](docs/resources.md)
-- [Security](docs/security.md)
-
-## CLI Options
-
-```
-# high-level flags
--version
-      Prints the version of Polaris
--config string
-      Location of Polaris configuration file
--kubeconfig string
-      Path to a kubeconfig. Only required if out-of-cluster.
--log-level string
-      Logrus log level (default "info")
--master string
-      The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.
-
-# dashboard flags
--dashboard
-      Runs the webserver for Polaris dashboard.
--dashboard-base-path string
-      Path on which the dashboard is served (default "/")
--dashboard-port int
-      Port for the dashboard webserver (default 8080)
--display-name string
-      An optional identifier for the audit
-
-# audit flags
--audit
-      Runs a one-time audit.
--audit-path string
-      If specified, audits one or more YAML files instead of a cluster
--output-file string
-      Destination file for audit results
--output-format string
-      Output format for results - json, yaml, or score (default "json")
--output-url string
-      Destination URL to send audit results
--set-exit-code-below-score int
-      When running with --audit, set an exit code of 4 when the score is below this threshold (1-100)
--set-exit-code-on-error
-      When running with --audit, set an exit code of 3 when the audit contains error-level issues.
-
-# webhook flags
--webhook
-      Runs the webhook webserver.
--webhook-port int
-      Port for the webhook webserver (default 9876)
--disable-webhook-config-installer
-      disable the installer in the webhook server, so it won't install webhook configuration resources during bootstrapping
-```
+# Usage Documentation
+See the [Usage Guide](/docs/usage.md) in the docs folder.
 
-## Contributing
+# Contributing
 PRs welcome! Check out the [Contributing Guidelines](CONTRIBUTING.md),
 [Code of Conduct](CODE_OF_CONDUCT.md), and [Roadmap](ROADMAP.md) for more information.
 
-## Further Information
+# Further Information
 A history of changes to this project can be viewed in the [Changelog](CHANGELOG.md)
 
 If you'd like to learn more about Polaris, or if you'd like to speak with
 a Kubernetes expert, you can contact `info@fairwinds.com` or [visit our website](https://fairwinds.com)
 
-## License
+# License
 Apache License 2.0

deploy/dashboard.yaml

@@ -57,6 +57,13 @@ data:
             - SYS_CHROOT
             - KILL
             - AUDIT_WRITE
+    controllers_to_scan:
+      - Deployments
+      - StatefulSets
+      - DaemonSets
+      - Jobs
+      - CronJobs
+      - ReplicationControllers
   
 ---
 # Source: polaris/templates/dashboard.rbac.yaml
@@ -81,6 +88,15 @@ rules:
     resources:
       - 'deployments'
       - 'statefulsets'
+      - 'daemonsets'
+    verbs:
+      - 'get'
+      - 'list'
+  - apiGroups:
+      - 'batch'
+    resources:
+      - 'jobs'
+      - 'cronjobs'
     verbs:
       - 'get'
       - 'list'
@@ -90,6 +106,7 @@ rules:
       - 'nodes'
       - 'namespaces'
       - 'pods'
+      - 'replicationcontrollers'
     verbs:
       - 'get'
       - 'list'
@@ -133,7 +150,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    checksum/config: '6ec4a4dc87403cae67c01438398a5f1d4ef836ffeaf26a33b685c066b940495a'
+    checksum/config: '8aa5a565fba7a2db98d46752087de8c1dcc83b70cd762c5829d5ba01270d54a2'
   name: polaris-dashboard
   namespace: polaris
   labels:
@@ -161,7 +178,7 @@ spec:
         - --dashboard
         - --config
         - /opt/app/config.yaml
-        image: 'quay.io/reactiveops/polaris:0.3'
+        image: 'quay.io/reactiveops/polaris:0.4'
         imagePullPolicy: 'Always'
         name: dashboard
         ports:
@@ -199,6 +216,8 @@ spec:
           subPath: config.yaml
           readOnly: true
       serviceAccountName: polaris-dashboard
+      nodeSelector: {}
+      tolerations: []
 ---
 # Source: polaris/templates/audit.job.yaml
 

deploy/webhook.yaml

@@ -69,6 +69,13 @@ data:
             - SYS_CHROOT
             - KILL
             - AUDIT_WRITE
+    controllers_to_scan:
+      - Deployments
+      - StatefulSets
+      - DaemonSets
+      - Jobs
+      - CronJobs
+      - ReplicationControllers
   
 ---
 # Source: polaris/templates/webhook.rbac.yaml
@@ -87,12 +94,32 @@ metadata:
   labels:
     app: polaris
 rules:
+  # auditor rules rbac
   - apiGroups:
       - 'apps'
       - 'extensions'
     resources:
       - 'deployments'
       - 'statefulsets'
+      - 'daemonsets'
+    verbs:
+      - 'get'
+      - 'list'
+  - apiGroups:
+      - 'batch'
+    resources:
+      - 'jobs'
+      - 'cronjobs'
+    verbs:
+      - 'get'
+      - 'list'
+  - apiGroups:
+      - ''
+    resources:
+      - 'nodes'
+      - 'namespaces'
+      - 'pods'
+      - 'replicationcontrollers'
     verbs:
       - 'get'
       - 'list'
@@ -186,7 +213,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    checksum/config: '6ec4a4dc87403cae67c01438398a5f1d4ef836ffeaf26a33b685c066b940495a'
+    checksum/config: '8aa5a565fba7a2db98d46752087de8c1dcc83b70cd762c5829d5ba01270d54a2'
   name: polaris-webhook
   namespace: polaris
   labels:
@@ -211,7 +238,7 @@ spec:
             - --webhook
             - --config
             - /opt/app/config.yaml
-          image: 'quay.io/reactiveops/polaris:0.3'
+          image: 'quay.io/reactiveops/polaris:0.4'
           imagePullPolicy: 'Always'
           ports:
             - containerPort: 9876
@@ -261,6 +288,8 @@ spec:
               mountPath: /tmp/
               readOnly: false
       serviceAccountName:  polaris-webhook
+      nodeSelector: {}
+      tolerations: []
       volumes:
         - name: config
           configMap:

docs/exit-codes.md

@@ -0,0 +1,13 @@
+# Polaris Exit Codes for Audit Runs
+<dl>
+  <dt>Exit 0</dt>
+  <dd>Successful exit code</dd>
+  <dt>Exit 1</dt>
+  <dd>Could not run audit, or application had a failure while running.</dd>
+  <dt>Exit 2</dt>
+  <dd>Unused</dd>
+  <dt>Exit 3</dt>
+  <dd>Exiting due to `--set-exit-code-on-error` being set and at least one error was found after an audit.</dd>
+  <dt>Edit 4</dd>
+  <dd>Exiting due to `--set-exit-code-below-score` being set and the audit resulted in a score less than the minimum score value.</dd>
+</dl>