JSON schema checks #234
Merged
Commits (22):
20257cd (rbren): swap out host_network for a schema-based check
b4e3f78 (rbren): move rest of pod checks over to schema
d4e3258 (rbren): simplify GetSupportedControllerFromString
8b20fd9 (rbren): migrate health checks to schemas
0f2e5e0 (rbren): implement image checks using json schema
95c04b1 (rbren): move networking checks over to json schema
ddf815d (rbren): move runAsRootAllowed over to jsonschema
25be9e4 (rbren): fix up exclusions
02252c6 (rbren): move more security checks to jsonschema
df48615: Merge branch 'master' into rb/custom-checks
d80d326 (rbren): swap out host_network for a schema-based check
3304285 (rbren): move rest of pod checks over to schema
d0dc7f4 (rbren): simplify GetSupportedControllerFromString
f2c5752 (rbren): migrate health checks to schemas
30b49c4 (rbren): implement image checks using json schema
3fa627a (rbren): move networking checks over to json schema
ad3a8e6 (rbren): move runAsRootAllowed over to jsonschema
6c58884 (rbren): fix up exclusions
f7dccc0 (rbren): move more security checks to jsonschema
7070eb7 (rbren): Merge branch 'rb/custom-checks' of ssh://github.com/fairwindsops/pola…
b003515 (rbren): fix lint errors
7cc0be4 (rbren): remove unused function
move runAsRootAllowed over to jsonschema
commit ad3a8e674897a1c3d7c826211e15910e27a1e440
@@ -0,0 +1,56 @@ | ||
name: RunAsRootAllowed | ||
id: runAsRootAllowed | ||
successMessage: Is not allowed to run as root | ||
failureMessage: Should not be allowed to run as root | ||
category: Security | ||
controllers: | ||
exclude: [] | ||
target: Container | ||
schemaTarget: Pod | ||
schema: | ||
'$schema': http://json-schema.org/draft-07/schema | ||
definitions: | ||
goodSecurityContext: | ||
type: object | ||
anyOf: | ||
- required: | ||
- runAsUser | ||
properties: | ||
runAsUser: | ||
minimum: 1 | ||
- required: | ||
- runAsNonRoot | ||
properties: | ||
runAsNonRoot: | ||
const: true | ||
notBadSecurityContext: | ||
type: object | ||
properties: | ||
runAsUser: | ||
minimum: 1 | ||
runAsNonRoot: | ||
const: true | ||
type: object | ||
anyOf: | ||
# non-root specified at pod-level, and not overridden at container level | ||
- required: | ||
- securityContext | ||
properties: | ||
securityContext: | ||
$ref: "#/definitions/goodSecurityContext" | ||
containers: | ||
type: array | ||
items: | ||
properties: | ||
securityContext: | ||
$ref: "#/definitions/notBadSecurityContext" | ||
# non-root specified at container level | ||
- properties: | ||
containers: | ||
type: array | ||
items: | ||
required: | ||
- securityContext | ||
properties: | ||
securityContext: | ||
$ref: "#/definitions/goodSecurityContext" |
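Review bot: neither `anyOf` branch looks at `initContainers`; both only constrain the `containers:` array, so a pod whose regular containers are non-root but whose init container sets `runAsUser: 0` or `runAsNonRoot: false` satisfies this schema as written. Unless the check runner rewrites the pod spec per container before validating, consider adding an `initContainers:` entry beside each `containers:` block with the same `type: array` / `items:` / `$ref` shape. It would also help to note in the file (or the PR description) what pairing `schemaTarget: Pod` with `target: Container` implies: if the whole pod spec is what gets validated, one non-compliant container will be reported against every container in the pod.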
Assuming this was left on purpose to be fixed in a separate PR, right?
Yup - I've got another PR coming in after this one, and probably one more refactor after that.