Run Polaris for the specified workload #29

Closed
danielpacak opened this issue May 26, 2020 · 1 comment · Fixed by #118
Labels: crd/configauditreports (related to the configauditreports.aquasecurity.github.io resource), plugin/polaris (related to Fairwinds Polaris), enhancement (new feature or request)

Comments

danielpacak (Contributor) commented May 26, 2020

Describe the problem/challenge you have

Currently, we're running the Polaris audit subcommand to scan all workloads in the cluster.

$ starboard polaris
$ starboard get configaudit deploy/nginx -n dev

Describe the solution you'd like

However, we should be able to scan a single workload like we do for vulnerabilities:

$ starboard polaris deploy/nginx -n dev
$ starboard polaris sts/my-app -n staging

Anything else you would like to add:

  • This is mainly required for multi-tenant environments and workloads protected by RBAC permissions. Beyond that, scanning all workloads requires running Polaris as a Kubernetes Job with a ServiceAccount that's not least privileged.
@danielpacak danielpacak added the 🚀 enhancement New feature or request label May 27, 2020
@danielpacak danielpacak added 🔦 plugin/polaris This issue is somehow related to Fairwinds Polaris crd/configauditreports This issue is somehow related to the configauditreports.aquasecurity.github.io resource labels Jun 2, 2020
@danielpacak danielpacak added this to the Release v0.3.0 milestone Jun 4, 2020
rbren commented Jun 8, 2020

Prior to 1.0, we would retrieve a list of deployments across all namespaces, and use that list to generate the report.

In the latest version, we retrieve a list of pods across all namespaces, then walk up the owner refs to find the top-level controller. This makes it easy to support arbitrary controller types.

The first thing to do here would be to create a --namespace option that would restrict polaris to looking at a particular namespace.

After that, we would probably need to reintroduce some logic to retrieve a specific resource, rather than start with pods and walk up. That way we'd only need RBAC to view one thing (e.g. deployments) instead of pods, replicasets, and the thing we're auditing.
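
The two resolution strategies discussed in this thread (walk up from Pods through owner references versus fetch the named workload directly) and the RBAC footprint each one implies can be shown with a small in-memory model. The following Go program is an added example written for this page; it is not code from Polaris or Starboard. It assumes a constructed Cluster map standing in for the API server, an OwnerRef type mirroring only the Kind, Name and Controller fields of metav1.OwnerReference, and that owners live in the same namespace as their dependents (which holds for namespaced owners). The list of kinds read during resolution is exactly the set of resources a Role would need `get`/`list` on for that approach to work, which is the least-privilege point raised in the issue's bullet.

```go
package main

import "fmt"

// ObjectRef identifies a namespaced Kubernetes object. Constructed stand-in
// for the metav1 types; not code from Polaris or Starboard.
type ObjectRef struct {
	Namespace string
	Kind      string
	Name      string
}

// OwnerRef mirrors the parts of metav1.OwnerReference this example needs.
// Kubernetes allows at most one owner per object to be flagged as controller.
type OwnerRef struct {
	Kind       string
	Name       string
	Controller bool
}

// Object is a minimal stand-in for any workload object with owner references.
type Object struct {
	ObjectRef
	Owners []OwnerRef
}

// Cluster is an in-memory stand-in for the API server (constructed data).
type Cluster map[ObjectRef]Object

// TopLevelController follows the owner flagged as controller from start until
// it reaches an object with no controller owner (e.g. Pod -> ReplicaSet ->
// Deployment). It also returns every kind it had to read on the way: that list
// is the read permission a Role must grant for the resolution to succeed.
// Assumption: owners are in the dependent's namespace.
func TopLevelController(c Cluster, start ObjectRef) (ObjectRef, []string, error) {
	visited := map[ObjectRef]bool{}
	var read []string
	cur := start
	for {
		if visited[cur] {
			return ObjectRef{}, read, fmt.Errorf("owner reference cycle at %s/%s", cur.Kind, cur.Name)
		}
		visited[cur] = true
		obj, ok := c[cur]
		if !ok {
			// Either the owner is gone (orphaned dependent) or the caller's
			// ServiceAccount is not allowed to read that kind.
			return ObjectRef{}, read, fmt.Errorf("%s/%s in namespace %s: not found or forbidden", cur.Kind, cur.Name, cur.Namespace)
		}
		read = append(read, cur.Kind)
		owner, hasController := controllerOwner(obj)
		if !hasController {
			return cur, read, nil // nothing above us: this is the top-level controller
		}
		cur = ObjectRef{Namespace: cur.Namespace, Kind: owner.Kind, Name: owner.Name}
	}
}

// controllerOwner picks the owner reference flagged as controller, if any.
func controllerOwner(obj Object) (OwnerRef, bool) {
	for _, o := range obj.Owners {
		if o.Controller {
			return o, true
		}
	}
	return OwnerRef{}, false
}

// SampleCluster builds constructed data: a Pod managed by a ReplicaSet that is
// in turn managed by a Deployment, all in namespace dev.
func SampleCluster() Cluster {
	deploy := Object{ObjectRef: ObjectRef{"dev", "Deployment", "nginx"}}
	rs := Object{ObjectRef: ObjectRef{"dev", "ReplicaSet", "nginx-6d8f"},
		Owners: []OwnerRef{{Kind: "Deployment", Name: "nginx", Controller: true}}}
	pod := Object{ObjectRef: ObjectRef{"dev", "Pod", "nginx-6d8f-abc12"},
		Owners: []OwnerRef{{Kind: "ReplicaSet", Name: "nginx-6d8f", Controller: true}}}
	c := Cluster{}
	for _, o := range []Object{deploy, rs, pod} {
		c[o.ObjectRef] = o
	}
	return c
}

func main() {
	c := SampleCluster()
	// Approach 1 (current Polaris behaviour): start from a Pod and walk up.
	// Needs read access to pods, replicasets and deployments.
	top, read, err := TopLevelController(c, ObjectRef{"dev", "Pod", "nginx-6d8f-abc12"})
	fmt.Println(top, read, err) // {dev Deployment nginx} [Pod ReplicaSet Deployment] <nil>
	// Approach 2 (proposed): fetch the named workload directly.
	// Needs read access to deployments only.
	top, read, err = TopLevelController(c, ObjectRef{"dev", "Deployment", "nginx"})
	fmt.Println(top, read, err) // {dev Deployment nginx} [Deployment] <nil>
}
```

The cycle and missing-owner branches matter in practice: a dependent whose owner was deleted with `--cascade=orphan`, or one that the auditing ServiceAccount is forbidden from reading, must produce a clear error for that workload rather than a silent skip or an infinite loop.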
