add script for generating deploy files

FairwindsOps · Jan 3, 2020 · e7baeac · e7baeac
1 parent 051319f
commit e7baeac
Show file tree

Hide file tree

Showing 4 changed files with 231 additions and 65 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -94,9 +94,8 @@ The steps are:
     2. Bump the version number in:
         1. main.go
         2. README.md
-    3. Regenerate the deployment files. Assuming you've cloned the charts repo to `./charts`:
-        1. `helm template ./charts/stable/polaris/ --name polaris --namespace polaris --set templateOnly=true > deploy/dashboard.yaml`
-        2. `helm template ./charts/stable/polaris/ --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml`
+    3. Regenerate the deployment files. Assuming you've cloned the charts repo to `~/git/charts`:
+        1. `CHARTS_DIR=~/git/charts ./scripts/generate-deployment-files.sh`
     4. Update CHANGELOG.md
     5. Merge your PR
 3. Tag the latest branch for this repo

diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml
@@ -14,56 +14,131 @@ metadata:
   labels:
     app: polaris
 data:
-  config.yaml:  |
-    resources:
+  config.yaml:  |-
+    checks:
+      # resources
       cpuRequestsMissing: warning
       cpuLimitsMissing: warning
       memoryRequestsMissing: warning
       memoryLimitsMissing: warning
-    images:
+      # images
       tagNotSpecified: error
-    healthChecks:
+      pullPolicyNotAlways: ignore
+      # healthChecks
       readinessProbeMissing: warning
       livenessProbeMissing: warning
-    networking:
+      # networking
       hostNetworkSet: warning
       hostPortSet: warning
-    security:
+      # security
       hostIPCSet: error
       hostPIDSet: error
       notReadOnlyRootFileSystem: warning
       privilegeEscalationAllowed: error
       runAsRootAllowed: warning
       runAsPrivileged: error
-      capabilities:
-        error:
-          ifAnyAdded:
-            - SYS_ADMIN
-            - NET_ADMIN
-            - ALL
-        warning:
-          ifAnyAddedBeyond:
-            - CHOWN
-            - DAC_OVERRIDE
-            - FSETID
-            - FOWNER
-            - MKNOD
-            - NET_RAW
-            - SETGID
-            - SETUID
-            - SETFCAP
-            - SETPCAP
-            - NET_BIND_SERVICE
-            - SYS_CHROOT
-            - KILL
-            - AUDIT_WRITE
-    controllers_to_scan:
+      dangerousCapabilities: error
+      insecureCapabilities: warning
+    controllersToScan:
       - Deployments
       - StatefulSets
       - DaemonSets
-      - Jobs
       - CronJobs
+      - Jobs
       - ReplicationControllers
+    exemptions:
+      - controllerNames:
+          - dns-controller
+          - datadog-datadog
+          - kube-flannel-ds
+          - kube2iam
+          - aws-iam-authenticator
+          - datadog
+          - kube2iam
+        rules:
+          - hostNetworkSet
+      - controllerNames:
+          - aws-iam-authenticator
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - dnsmasq
+          - autoscaler
+          - kubernetes-dashboard
+          - install-cni
+          - kube2iam
+        rules:
+          - readinessProbeMissing
+          - livenessProbeMissing
+      - controllerNames:
+          - aws-iam-authenticator
+          - nginx-ingress-controller
+          - nginx-ingress-default-backend
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - tiller
+          - kube2iam
+        rules:
+          - runAsRootAllowed
+      - controllerNames:
+          - aws-iam-authenticator
+          - nginx-ingress-controller
+          - nginx-ingress-default-backend
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - tiller
+          - kube2iam
+        rules:
+          - notReadOnlyRootFileSystem
+      - controllerNames:
+          - cert-manager
+          - dns-controller
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - insights-agent-goldilocks-vpa-install
+        rules:
+          - cpuRequestsMissing
+          - cpuLimitsMissing
+          - memoryRequestsMissing
+          - memoryLimitsMissing
+      - controllerNames:
+          - kube2iam
+          - kube-flannel-ds
+        rules:
+          - runAsPrivileged
+      - controllerNames:
+          - kube-hunter
+        rules:
+          - hostPIDSet
+      - controllerNames:
+          - polaris
+          - kube-hunter
+          - goldilocks
+          - insights-agent-goldilocks-vpa-install
+        rules:
+          - notReadOnlyRootFileSystem
+      - controllerNames:
+          - insights-agent-goldilocks-controller
+        rules:
+          - livenessProbeMissing
+          - readinessProbeMissing
+      - controllerNames:
+          - insights-agent-goldilocks-vpa-install
+          - kube-hunter
+        rules:
+          - runAsRootAllowed
   
 ---
 # Source: polaris/templates/dashboard.rbac.yaml
@@ -164,7 +239,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: '8aa5a565fba7a2db98d46752087de8c1dcc83b70cd762c5829d5ba01270d54a2'
+        checksum/config: 'eb6d6b194c6786d62400fc0578dd5ea5158212b5b29d93d3cde3fa14da8ac501'
       labels:
         app: polaris
         component: dashboard

diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
@@ -27,56 +27,131 @@ metadata:
   labels:
     app: polaris
 data:
-  config.yaml:  |
-    resources:
+  config.yaml:  |-
+    checks:
+      # resources
       cpuRequestsMissing: warning
       cpuLimitsMissing: warning
       memoryRequestsMissing: warning
       memoryLimitsMissing: warning
-    images:
+      # images
       tagNotSpecified: error
-    healthChecks:
+      pullPolicyNotAlways: ignore
+      # healthChecks
       readinessProbeMissing: warning
       livenessProbeMissing: warning
-    networking:
+      # networking
       hostNetworkSet: warning
       hostPortSet: warning
-    security:
+      # security
       hostIPCSet: error
       hostPIDSet: error
       notReadOnlyRootFileSystem: warning
       privilegeEscalationAllowed: error
       runAsRootAllowed: warning
       runAsPrivileged: error
-      capabilities:
-        error:
-          ifAnyAdded:
-            - SYS_ADMIN
-            - NET_ADMIN
-            - ALL
-        warning:
-          ifAnyAddedBeyond:
-            - CHOWN
-            - DAC_OVERRIDE
-            - FSETID
-            - FOWNER
-            - MKNOD
-            - NET_RAW
-            - SETGID
-            - SETUID
-            - SETFCAP
-            - SETPCAP
-            - NET_BIND_SERVICE
-            - SYS_CHROOT
-            - KILL
-            - AUDIT_WRITE
-    controllers_to_scan:
+      dangerousCapabilities: error
+      insecureCapabilities: warning
+    controllersToScan:
       - Deployments
       - StatefulSets
       - DaemonSets
-      - Jobs
       - CronJobs
+      - Jobs
       - ReplicationControllers
+    exemptions:
+      - controllerNames:
+          - dns-controller
+          - datadog-datadog
+          - kube-flannel-ds
+          - kube2iam
+          - aws-iam-authenticator
+          - datadog
+          - kube2iam
+        rules:
+          - hostNetworkSet
+      - controllerNames:
+          - aws-iam-authenticator
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - dnsmasq
+          - autoscaler
+          - kubernetes-dashboard
+          - install-cni
+          - kube2iam
+        rules:
+          - readinessProbeMissing
+          - livenessProbeMissing
+      - controllerNames:
+          - aws-iam-authenticator
+          - nginx-ingress-controller
+          - nginx-ingress-default-backend
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - tiller
+          - kube2iam
+        rules:
+          - runAsRootAllowed
+      - controllerNames:
+          - aws-iam-authenticator
+          - nginx-ingress-controller
+          - nginx-ingress-default-backend
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - tiller
+          - kube2iam
+        rules:
+          - notReadOnlyRootFileSystem
+      - controllerNames:
+          - cert-manager
+          - dns-controller
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - insights-agent-goldilocks-vpa-install
+        rules:
+          - cpuRequestsMissing
+          - cpuLimitsMissing
+          - memoryRequestsMissing
+          - memoryLimitsMissing
+      - controllerNames:
+          - kube2iam
+          - kube-flannel-ds
+        rules:
+          - runAsPrivileged
+      - controllerNames:
+          - kube-hunter
+        rules:
+          - hostPIDSet
+      - controllerNames:
+          - polaris
+          - kube-hunter
+          - goldilocks
+          - insights-agent-goldilocks-vpa-install
+        rules:
+          - notReadOnlyRootFileSystem
+      - controllerNames:
+          - insights-agent-goldilocks-controller
+        rules:
+          - livenessProbeMissing
+          - readinessProbeMissing
+      - controllerNames:
+          - insights-agent-goldilocks-vpa-install
+          - kube-hunter
+        rules:
+          - runAsRootAllowed
   
 ---
 # Source: polaris/templates/webhook.rbac.yaml
@@ -227,7 +302,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: '8aa5a565fba7a2db98d46752087de8c1dcc83b70cd762c5829d5ba01270d54a2'
+        checksum/config: 'eb6d6b194c6786d62400fc0578dd5ea5158212b5b29d93d3cde3fa14da8ac501'
       labels:
         app: polaris
         component: webhook

diff --git a/scripts/generate-deployment-files.sh b/scripts/generate-deployment-files.sh
@@ -0,0 +1,17 @@
+# /bin/bash
+
+set -eo pipefail
+
+helm template $CHARTS_DIR/stable/polaris/ \
+  --name polaris --namespace polaris \
+  --set templateOnly=true \
+  --set config="$(cat ./examples/config.yaml)" \
+  > deploy/dashboard.yaml
+
+helm template $CHARTS_DIR/stable/polaris/ \
+  --name polaris --namespace polaris \
+  --set templateOnly=true \
+  --set webhook.enable=true \
+  --set dashboard.enable=false \
+  --set config="$(cat ./examples/config.yaml)" \
+  > deploy/webhook.yaml