Upgrade Polaris to 1.0 #33

Closed
danielpacak opened this issue May 28, 2020 · 1 comment
Labels

  • crd/configauditreports: This issue is somehow related to the configauditreports.aquasecurity.github.io resource
  • 🔦 plugin/polaris: This issue is somehow related to Fairwinds Polaris
  • 🚀 enhancement: New feature or request

Comments


danielpacak commented May 28, 2020

Describe the problem/challenge you have

Currently we have the Polaris image pinned to quay.io/fairwinds/polaris:cfc0d213cd603793d8e36eecfb0def1579a34997 and we're running the polaris audit --log-level error command as a Kubernetes Job to check all workloads and create configauditreports resources (see an example).

Describe the solution you'd like

We'd like to:

  • Upgrade to the latest and greatest Polaris
  • Review and adopt configauditreports definition to store configuration audits
    • Add OpenAPI Spec to validate configauditreports payload compatible with Polaris 1.0 output
  • Keep the configauditreports definition flexible for other vendors to integrate with Starboard

Anything else you would like to add:

This might be related to #29

@danielpacak danielpacak added 🚀 enhancement New feature or request 🔦 plugin/polaris This issue is somehow related to Fairwinds Polaris crd/configauditreports This issue is somehow related to the configauditreports.aquasecurity.github.io resource labels May 28, 2020
@danielpacak danielpacak added this to the Release v0.3.0 milestone Jun 4, 2020

rbren commented Jun 8, 2020

A few breaking changes in our output format in 1.0:

  • we now support checks at the controller level, as well as at the pod and container levels
  • the list of containers is now an array rather than an object, to match the format of podSpec
  • severity error has been changed to danger
  • the list of checks is now an object keyed by check ID, rather than an array

I think the first three changes would be valuable to bring into the ConfigAuditReports CRD. However, I could see wanting to keep the list of checks as an array, rather than an object keyed by ID, since other implementers of this scanner might have different IDs, and might duplicate an ID. For example, prior to 1.0, we had two different checks named capabilities (one warning, one danger).
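
The format trade-off discussed in the comment above, as an added example (not code from Polaris, Starboard, or either commenter): it flattens checks that arrive as objects keyed by check ID at the controller, pod and container levels into a single array, so the same ID can appear more than once, and renames the old severity error to danger. The JSON field names, the `Check` type, the scope strings, the check ID `exampleControllerCheck` and the sample document are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Check is one element of the array-shaped list; Scope keeps repeated IDs apart.
type Check struct{ ID, Scope, Severity string; Success bool }

// keyed is the "object keyed by check ID" shape; all JSON field names are assumptions.
type keyed = map[string]struct{ Success bool; Severity string }
type report struct {
	Results   keyed // controller level
	PodResult struct {
		Results          keyed // pod level
		ContainerResults []struct{ Name string; Results keyed }
	}
}

// sample is constructed for this example; it is not real scanner output.
const sample = `{"Results":{"exampleControllerCheck":{"Success":false,"Severity":"warning"}},
"PodResult":{"Results":{"hostNetworkSet":{"Success":true,"Severity":"error"}},"ContainerResults":[
{"Name":"app","Results":{"runAsRootAllowed":{"Success":false,"Severity":"danger"}}},
{"Name":"sidecar","Results":{"runAsRootAllowed":{"Success":true,"Severity":"danger"}}}]}}`

// Flatten merges all three levels into one array, sorted by scope then ID because
// Go map iteration order is random, and renames severity "error" to "danger".
func Flatten(raw []byte) (out []Check, err error) {
	var r report
	if err = json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	scopes := map[string]keyed{"controller": r.Results, "pod": r.PodResult.Results}
	for _, c := range r.PodResult.ContainerResults {
		scopes["container/"+c.Name] = c.Results
	}
	for scope, checks := range scopes {
		for id, v := range checks {
			if v.Severity == "error" { // pre-1.0 name of the same level
				v.Severity = "danger"
			}
			out = append(out, Check{id, scope, v.Severity, v.Success})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Scope+out[i].ID < out[j].Scope+out[j].ID })
	return out, nil
}

func main() { fmt.Println(Flatten([]byte(sample))) }
```

In the sample, runAsRootAllowed is reported for two containers with different outcomes; the array keeps both entries, which an object keyed only by check ID could not do at a single level.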
