diff --git a/.circleci/config.yml b/.circleci/config.yml
index 9ad80226e..52b7f89e4 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -194,6 +194,31 @@ jobs:
 - *set_environment_variables
 - *docker_build_and_push
+ publish_docs:
+ docker:
+ - image: cimg/node:15.5.1
+ steps:
+ - checkout
+ - run:
+ name: Build Docs Site
+ command: |
+ set -e
+ cd ./docs
+ npm install
+ npm run check-links
+ npm run build
+ - run:
+ name: Install AWS CLI
+ command: |
+ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+ unzip awscliv2.zip
+ sudo ./aws/install
+ - run:
+ name: Publish Docs Site to S3
+ command: |
+ cd ./dist
+ aws s3 sync ./ s3://polaris.docs.fairwinds.com --delete
+
 workflows:
 version: 2
@@ -224,7 +249,6 @@ workflows:
 filters:
 branches:
 ignore: /.*/
- # Testing tags are reserved for testing circle test + build steps
 tags:
 ignore: /^testing-.*/
 - release_images:
@@ -234,6 +258,11 @@ workflows:
 filters:
 branches:
 ignore: /.*/
- # Testing tags are reserved for testing circle test + build steps
+ tags:
+ ignore: /^testing-.*/
+ - publish_docs:
+ filters:
+ branches:
+ ignore: /.*/
 tags:
 ignore: /^testing-.*/
diff --git a/.gitignore b/.gitignore
index 6f7630cfe..a53eaed39 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@ dist
 *-test.yaml
 node_modules
+/dist
diff --git a/docs-md/.vuepress/public/scripts/leadlander.js b/docs-md/.vuepress/public/scripts/leadlander.js
deleted file mode 100644
index e85b54edd..000000000
--- a/docs-md/.vuepress/public/scripts/leadlander.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/*
- * This file is generated from FairwindsOps/documentation-template
- * DO NOT EDIT MANUALLY
- */
-
-var llcookieless = true;
-var sf14gv = 32793;
-(function() {
- var sf14g = document.createElement('script');
- sf14g.src = 'https://lltrck.com/lt-v2.min.js';
- var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(sf14g, s);
-})();
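Review bot: The `Install AWS CLI` step of the new `publish_docs` job (first config.yml hunk) downloads `awscli-exe-linux-x86_64.zip` and runs `sudo ./aws/install` without verifying the archive, so a tampered or substituted download would execute as root in a job that presumably holds S3 write credentials. AWS publishes a detached PGP signature for this zip; check it (or a pinned checksum) before `unzip`, and pass `-f` to curl so an HTTP error body is never saved as the archive: `curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"`. In the `Build Docs Site` step, `npm ci` instead of `npm install` would hold the build to the committed lockfile, assuming `docs/` has one. Because `aws s3 sync ./ s3://polaris.docs.fairwinds.com --delete` removes every bucket object missing from `./dist`, a check that the build output is present (for example that `index.html` exists) before the sync would stop a bad build from emptying the site.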
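Review bot: The `- publish_docs:` workflow entry added in the third config.yml hunk shows no `requires:` and no `context:`, so as far as the hunk shows it runs on every tag not matching `/^testing-.*/`, independently of the other jobs, and the AWS credentials it needs presumably come from project-level environment variables that every job in the project can read. Keeping the S3 credentials in a restricted context attached only to this job, backed by an IAM policy limited to the `polaris.docs.fairwinds.com` bucket, would keep a delete-capable key out of the test and image-build steps. The `workflows:` block continues outside the hunk, so any wiring below the last context line is not visible here.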
diff --git a/docs-md/.vuepress/config-extras.js b/docs/.vuepress/config-extras.js
similarity index 100%
rename from docs-md/.vuepress/config-extras.js
rename to docs/.vuepress/config-extras.js
diff --git a/docs-md/.vuepress/config.js b/docs/.vuepress/config.js
similarity index 97%
rename from docs-md/.vuepress/config.js
rename to docs/.vuepress/config.js
index 5e6ece147..166ddb206 100644
--- a/docs-md/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@@ -38,7 +38,7 @@ const baseConfig = {
 head: [
 ['link', { rel: 'icon', href: '/favicon.png' }],
 ['script', { src: '/scripts/modify.js' }],
- ['script', { src: '/scripts/leadlander.js' }],
+ ['script', { src: '/scripts/marketing.js' }],
 ],
 themeConfig: {
 docsRepo: "",
diff --git a/docs-md/.vuepress/public/favicon.png b/docs/.vuepress/public/favicon.png
similarity index 100%
rename from docs-md/.vuepress/public/favicon.png
rename to docs/.vuepress/public/favicon.png
diff --git a/docs-md/.vuepress/public/img/FW_Insights_Polaris.svg b/docs/.vuepress/public/img/FW_Insights_Polaris.svg
similarity index 100%
rename from docs-md/.vuepress/public/img/FW_Insights_Polaris.svg
rename to docs/.vuepress/public/img/FW_Insights_Polaris.svg
diff --git a/docs-md/.vuepress/public/img/architecture.svg b/docs/.vuepress/public/img/architecture.svg
similarity index 100%
rename from docs-md/.vuepress/public/img/architecture.svg
rename to docs/.vuepress/public/img/architecture.svg
diff --git a/docs-md/.vuepress/public/img/dashboard-screenshot.png b/docs/.vuepress/public/img/dashboard-screenshot.png
similarity index 100%
rename from docs-md/.vuepress/public/img/dashboard-screenshot.png
rename to docs/.vuepress/public/img/dashboard-screenshot.png
diff --git a/docs-md/.vuepress/public/img/fairwinds-logo.svg b/docs/.vuepress/public/img/fairwinds-logo.svg
similarity index 100%
rename from docs-md/.vuepress/public/img/fairwinds-logo.svg
rename to docs/.vuepress/public/img/fairwinds-logo.svg
diff --git a/docs-md/.vuepress/public/img/polaris-logo.png b/docs/.vuepress/public/img/polaris-logo.png
similarity index 100%
rename from docs-md/.vuepress/public/img/polaris-logo.png
rename to docs/.vuepress/public/img/polaris-logo.png
diff --git a/docs/.vuepress/public/scripts/marketing.js b/docs/.vuepress/public/scripts/marketing.js
new file mode 100644
index 000000000..e480cc63f
--- /dev/null
+++ b/docs/.vuepress/public/scripts/marketing.js
@@ -0,0 +1,29 @@
+/*
+ * This file is generated from FairwindsOps/documentation-template
+ * DO NOT EDIT MANUALLY
+ */
+
+var llcookieless = true;
+var sf14gv = 32793;
+(function() {
+ var sf14g = document.createElement('script');
+ sf14g.src = 'https://lltrck.com/lt-v2.min.js';
+ var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(sf14g, s);
+})();
+
+!function(f,b,e,v,n,t,s)
+{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
+n.callMethod.apply(n,arguments):n.queue.push(arguments)};
+if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version=‘2.0’;
+n.queue=[];t=b.createElement(e);t.async=!0;
+t.src=v;s=b.getElementsByTagName(e)[0];
+s.parentNode.insertBefore(t,s)}(window, document,‘script’,
+‘https://connect.facebook.net/en_US/fbevents.js’);
+fbq(‘init’, ‘159554595936922’);
+fbq(‘track’, ‘PageView’);
+
+(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({‘gtm.start’:
+new Date().getTime(),event:‘gtm.js’});var f=d.getElementsByTagName(s)[0],
+j=d.createElement(s),dl=l!=‘dataLayer’?‘&l=‘+l:‘’;j.async=true;j.src=
+’https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+})(window,document,‘script’,‘dataLayer’,‘GTM-K5KK5H3’);
diff --git a/docs-md/.vuepress/public/scripts/modify.js b/docs/.vuepress/public/scripts/modify.js
similarity index 100%
rename from docs-md/.vuepress/public/scripts/modify.js
rename to docs/.vuepress/public/scripts/modify.js
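Review bot: The Facebook Pixel and Google Tag Manager snippets in the new `marketing.js` are written with typographic quotes (`‘2.0’`, `‘script’`, `’https://www.googletagmanager.com/gtm.js?id='`), which are not string delimiters in JavaScript; if these characters are in the committed file rather than an artifact of how this page was rendered, the file fails to parse, and because a syntax error discards the whole script the LeadLander loader at the top stops running too. Replace them with ASCII quotes, e.g. `n.version='2.0';` and `fbq('init', '159554595936922');`, and since the header says the file is generated from FairwindsOps/documentation-template the correction belongs in that template. Separately, the file now pulls executable code from three third-party origins (`lltrck.com`, `connect.facebook.net`, `www.googletagmanager.com`) into every docs page; these scripts change upstream, so SRI is not practical and a `Content-Security-Policy` restricting `script-src` and `connect-src` to the hosts actually needed is the control to add. Tag Manager in particular lets anyone with publish rights on container `GTM-K5KK5H3` add script to the site without a repository change, so access to that container deserves the same review as commit access.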
diff --git a/docs-md/.vuepress/styles/index.styl b/docs/.vuepress/styles/index.styl similarity index 100% rename from docs-md/.vuepress/styles/index.styl rename to docs/.vuepress/styles/index.styl diff --git a/docs-md/.vuepress/styles/palette.styl b/docs/.vuepress/styles/palette.styl similarity index 100% rename from docs-md/.vuepress/styles/palette.styl rename to docs/.vuepress/styles/palette.styl diff --git a/docs-md/.vuepress/theme/index.js b/docs/.vuepress/theme/index.js similarity index 100% rename from docs-md/.vuepress/theme/index.js rename to docs/.vuepress/theme/index.js diff --git a/docs-md/.vuepress/theme/layouts/Layout.vue b/docs/.vuepress/theme/layouts/Layout.vue similarity index 100% rename from docs-md/.vuepress/theme/layouts/Layout.vue rename to docs/.vuepress/theme/layouts/Layout.vue diff --git a/docs/404.html b/docs/404.html deleted file mode 100644 index f3d8e4a8a..000000000 --- a/docs/404.html +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - Fairwinds Polaris Documentation - - - - - - - - - - -

404

Looks like we've got some broken links.
- Take me home. -
- - - diff --git a/docs/CNAME b/docs/CNAME deleted file mode 100644 index 14bb158f9..000000000 --- a/docs/CNAME +++ /dev/null @@ -1 +0,0 @@ -polaris.docs.fairwinds.com \ No newline at end of file diff --git a/docs-md/README.md b/docs/README.md similarity index 95% rename from docs-md/README.md rename to docs/README.md index f4826a72f..66418d88a 100644 --- a/docs-md/README.md +++ b/docs/README.md @@ -35,7 +35,7 @@ Polaris can be run in three different modes: Fairwinds Insights

-[Fairwinds Insights](https://www.fairwinds.com/insights?utm_campaign=Hosted%20Polaris%20&utm_source=polaris&utm_term=polaris&utm_content=polaris) +[Fairwinds Insights](https://www.fairwinds.com/fairwinds-polaris-upgrade) is a platform for auditing Kubernetes clusters and enforcing policy. If you'd like to: * manage Polaris across a fleet of clusters * track findings over time diff --git a/docs-md/admission-controller.md b/docs/admission-controller.md similarity index 92% rename from docs-md/admission-controller.md rename to docs/admission-controller.md index c1aaf2cbf..4fd1a9503 100644 --- a/docs-md/admission-controller.md +++ b/docs/admission-controller.md @@ -1,4 +1,7 @@ # Admission Controller +> Want to manage the Admission Controller across multiple clusters? Check out +> [Fairwinds Insights](https://www.fairwinds.com/fairwinds-polaris-upgrade) + Polaris can be run as an admission controller that acts as a validating webhook. This accepts the same configuration as the dashboard, and can run the same validations. diff --git a/docs/admission-controller/index.html b/docs/admission-controller/index.html deleted file mode 100644 index 0a853776c..000000000 --- a/docs/admission-controller/index.html +++ /dev/null @@ -1,45 +0,0 @@ - - - - - - Admission Controller | Fairwinds Polaris Documentation - - - - - - - - - - -

# Admission Controller

Polaris can be run as an admission controller that acts as a validating webhook. -This accepts the same configuration as the dashboard, and can run the same validations.

The webhook will reject any workloads that trigger a danger-level check. -This is indicative of the greater goal of Polaris, not just to encourage better -configuration through dashboard visibility, but to actually enforce it with this webhook.

Note that Polaris will not alter your workloads, only block workloads that don't conform to the configured policies.

# Installation

# kubectl

kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/download/webhook.yaml
-

# Helm

helm repo add fairwindsops-stable https://charts.fairwindsops.com/stable
-helm upgrade --install polaris fairwindsops-stable/polaris --namespace polaris \
-  --set webhook.enable=true --set dashboard.enable=false
-

# Workload Types

The webhook comes with built-in support for a handful of known controller types, -such as Deployments, Jobs, and DaemonSets. To add new controller types, -you can set webhook.rules in the -Helm chart (opens new window)

# Warnings

Unfortunately we have not found a way to display warnings as part of kubectl -output unless we are rejecting a workload altogether.

This means that any checks with a severity of warning will still pass webhook validation, -and the only evidence of that warning will either be in the Polaris dashboard or the -Polaris webhook logs. This will change in a future version of Kubernetes.

- - - diff --git a/docs/assets/css/0.styles.db69974e.css b/docs/assets/css/0.styles.db69974e.css deleted file mode 100644 index c8ef8c008..000000000 --- a/docs/assets/css/0.styles.db69974e.css +++ /dev/null 
@@ -1 +0,0 @@ -code[class*=language-],pre[class*=language-]{color:#ccc;background:none;font-family:Consolas,Monaco,Andale Mono,Ubuntu Mono,monospace;font-size:1em;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-ms-hyphens:none;hyphens:none}pre[class*=language-]{padding:1em;margin:.5em 0;overflow:auto}:not(pre)>code[class*=language-],pre[class*=language-]{background:#2d2d2d}:not(pre)>code[class*=language-]{padding:.1em;border-radius:.3em;white-space:normal}.token.block-comment,.token.cdata,.token.comment,.token.doctype,.token.prolog{color:#999}.token.punctuation{color:#ccc}.token.attr-name,.token.deleted,.token.namespace,.token.tag{color:#e2777a}.token.function-name{color:#6196cc}.token.boolean,.token.function,.token.number{color:#f08d49}.token.class-name,.token.constant,.token.property,.token.symbol{color:#f8c555}.token.atrule,.token.builtin,.token.important,.token.keyword,.token.selector{color:#cc99cd}.token.attr-value,.token.char,.token.regex,.token.string,.token.variable{color:#7ec699}.token.entity,.token.operator,.token.url{color:#67cdcc}.token.bold,.token.important{font-weight:700}.token.italic{font-style:italic}.token.entity{cursor:help}.token.inserted{color:green}.theme-default-content code{color:#476582;padding:.25rem .5rem;margin:0;font-size:.85em;background-color:rgba(27,31,35,.05);border-radius:3px}.theme-default-content code .token.deleted{color:#ec5975}.theme-default-content code .token.inserted{color:#ff6c00}.theme-default-content pre,.theme-default-content pre[class*=language-]{line-height:1.4;padding:1.25rem 1.5rem;margin:.85rem 0;background-color:#282c34;border-radius:6px;overflow:auto}.theme-default-content pre[class*=language-] code,.theme-default-content pre 
code{color:#fff;padding:0;background-color:transparent;border-radius:0}div[class*=language-]{position:relative;background-color:#282c34;border-radius:6px}div[class*=language-] .highlight-lines{-webkit-user-select:none;-ms-user-select:none;user-select:none;padding-top:1.3rem;position:absolute;top:0;left:0;width:100%;line-height:1.4}div[class*=language-] .highlight-lines .highlighted{background-color:rgba(0,0,0,.66)}div[class*=language-] pre,div[class*=language-] pre[class*=language-]{background:transparent;position:relative;z-index:1}div[class*=language-]:before{position:absolute;z-index:3;top:.8em;right:1em;font-size:.75rem;color:hsla(0,0%,100%,.4)}div[class*=language-]:not(.line-numbers-mode) .line-numbers-wrapper{display:none}div[class*=language-].line-numbers-mode .highlight-lines .highlighted{position:relative}div[class*=language-].line-numbers-mode .highlight-lines .highlighted:before{content:" ";position:absolute;z-index:3;left:0;top:0;display:block;width:3.5rem;height:100%;background-color:rgba(0,0,0,.66)}div[class*=language-].line-numbers-mode pre{padding-left:4.5rem;vertical-align:middle}div[class*=language-].line-numbers-mode .line-numbers-wrapper{position:absolute;top:0;width:3.5rem;text-align:center;color:hsla(0,0%,100%,.3);padding:1.25rem 0;line-height:1.4}div[class*=language-].line-numbers-mode .line-numbers-wrapper br{-webkit-user-select:none;-ms-user-select:none;user-select:none}div[class*=language-].line-numbers-mode .line-numbers-wrapper .line-number{position:relative;z-index:4;-webkit-user-select:none;-ms-user-select:none;user-select:none;font-size:.85em}div[class*=language-].line-numbers-mode:after{content:"";position:absolute;z-index:2;top:0;left:0;width:3.5rem;height:100%;border-radius:6px 0 0 6px;border-right:1px solid 
rgba(0,0,0,.66);background-color:#282c34}div[class~=language-js]:before{content:"js"}div[class~=language-ts]:before{content:"ts"}div[class~=language-html]:before{content:"html"}div[class~=language-md]:before{content:"md"}div[class~=language-vue]:before{content:"vue"}div[class~=language-css]:before{content:"css"}div[class~=language-sass]:before{content:"sass"}div[class~=language-scss]:before{content:"scss"}div[class~=language-less]:before{content:"less"}div[class~=language-stylus]:before{content:"stylus"}div[class~=language-go]:before{content:"go"}div[class~=language-java]:before{content:"java"}div[class~=language-c]:before{content:"c"}div[class~=language-sh]:before{content:"sh"}div[class~=language-yaml]:before{content:"yaml"}div[class~=language-py]:before{content:"py"}div[class~=language-docker]:before{content:"docker"}div[class~=language-dockerfile]:before{content:"dockerfile"}div[class~=language-makefile]:before{content:"makefile"}div[class~=language-javascript]:before{content:"js"}div[class~=language-typescript]:before{content:"ts"}div[class~=language-markup]:before{content:"html"}div[class~=language-markdown]:before{content:"md"}div[class~=language-json]:before{content:"json"}div[class~=language-ruby]:before{content:"rb"}div[class~=language-python]:before{content:"py"}div[class~=language-bash]:before{content:"sh"}div[class~=language-php]:before{content:"php"}.custom-block .custom-block-title{font-weight:600;margin-bottom:-.4rem}.custom-block.danger,.custom-block.tip,.custom-block.warning{padding:.1rem 1.5rem;border-left-width:.5rem;border-left-style:solid;margin:1rem 0}.custom-block.tip{background-color:#f3f5f7;border-color:#42b983}.custom-block.warning{background-color:rgba(255,229,100,.3);border-color:#e7c000;color:#6b5900}.custom-block.warning .custom-block-title{color:#b29400}.custom-block.warning a{color:#2c3e50}.custom-block.danger{background-color:#ffe6e6;border-color:#c00;color:#4d0000}.custom-block.danger 
.custom-block-title{color:#900}.custom-block.danger a{color:#2c3e50}.custom-block.details{display:block;position:relative;border-radius:2px;margin:1.6em 0;padding:1.6em;background-color:#eee}.custom-block.details h4{margin-top:0}.custom-block.details figure:last-child,.custom-block.details p:last-child{margin-bottom:0;padding-bottom:0}.custom-block.details summary{outline:none;cursor:pointer}.arrow{display:inline-block;width:0;height:0}.arrow.up{border-bottom:6px solid #ccc}.arrow.down,.arrow.up{border-left:4px solid transparent;border-right:4px solid transparent}.arrow.down{border-top:6px solid #ccc}.arrow.right{border-left:6px solid #ccc}.arrow.left,.arrow.right{border-top:4px solid transparent;border-bottom:4px solid transparent}.arrow.left{border-right:6px solid #ccc}.theme-default-content:not(.custom){max-width:740px;margin:0 auto;padding:2rem 2.5rem}@media (max-width:959px){.theme-default-content:not(.custom){padding:2rem}}@media (max-width:419px){.theme-default-content:not(.custom){padding:1.5rem}}.table-of-contents .badge{vertical-align:middle}body,html{padding:0;margin:0;background-color:#fff}body{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Cantarell,Fira Sans,Droid Sans,Helvetica Neue,sans-serif;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;font-size:16px;color:#2c3e50}.page{padding-left:20rem}.navbar{z-index:20;right:0;height:3.6rem;background-color:#fff;box-sizing:border-box;border-bottom:1px solid #eaecef}.navbar,.sidebar-mask{position:fixed;top:0;left:0}.sidebar-mask{z-index:9;width:100vw;height:100vh;display:none}.sidebar{font-size:16px;background-color:#fff;width:20rem;position:fixed;z-index:10;margin:0;top:3.6rem;left:0;bottom:0;box-sizing:border-box;border-right:1px solid #eaecef;overflow-y:auto}.theme-default-content:not(.custom)>:first-child{margin-top:3.6rem}.theme-default-content:not(.custom) a:hover{text-decoration:underline}.theme-default-content:not(.custom) p.demo{padding:1rem 
1.5rem;border:1px solid #ddd;border-radius:4px}.theme-default-content:not(.custom) img{max-width:100%}.theme-default-content.custom{padding:0;margin:0}.theme-default-content.custom img{max-width:100%}a{font-weight:500;text-decoration:none}a,p a code{color:#ff6c00}p a code{font-weight:400}kbd{background:#eee;border:.15rem solid #ddd;border-bottom:.25rem solid #ddd;border-radius:.15rem;padding:0 .15em}blockquote{font-size:1rem;color:#999;border-left:.2rem solid #dfe2e5;margin:1rem 0;padding:.25rem 0 .25rem 1rem}blockquote>p{margin:0}ol,ul{padding-left:1.2em}strong{font-weight:600}h1,h2,h3,h4,h5,h6{font-weight:600;line-height:1.25}.theme-default-content:not(.custom)>h1,.theme-default-content:not(.custom)>h2,.theme-default-content:not(.custom)>h3,.theme-default-content:not(.custom)>h4,.theme-default-content:not(.custom)>h5,.theme-default-content:not(.custom)>h6{margin-top:-3.1rem;padding-top:4.6rem;margin-bottom:0}.theme-default-content:not(.custom)>h1:first-child,.theme-default-content:not(.custom)>h2:first-child,.theme-default-content:not(.custom)>h3:first-child,.theme-default-content:not(.custom)>h4:first-child,.theme-default-content:not(.custom)>h5:first-child,.theme-default-content:not(.custom)>h6:first-child{margin-top:-1.5rem;margin-bottom:1rem}.theme-default-content:not(.custom)>h1:first-child+.custom-block,.theme-default-content:not(.custom)>h1:first-child+p,.theme-default-content:not(.custom)>h1:first-child+pre,.theme-default-content:not(.custom)>h2:first-child+.custom-block,.theme-default-content:not(.custom)>h2:first-child+p,.theme-default-content:not(.custom)>h2:first-child+pre,.theme-default-content:not(.custom)>h3:first-child+.custom-block,.theme-default-content:not(.custom)>h3:first-child+p,.theme-default-content:not(.custom)>h3:first-child+pre,.theme-default-content:not(.custom)>h4:first-child+.custom-block,.theme-default-content:not(.custom)>h4:first-child+p,.theme-default-content:not(.custom)>h4:first-child+pre,.theme-default-content:not(.custom)>h5:f
irst-child+.custom-block,.theme-default-content:not(.custom)>h5:first-child+p,.theme-default-content:not(.custom)>h5:first-child+pre,.theme-default-content:not(.custom)>h6:first-child+.custom-block,.theme-default-content:not(.custom)>h6:first-child+p,.theme-default-content:not(.custom)>h6:first-child+pre{margin-top:2rem}h1:hover .header-anchor,h2:hover .header-anchor,h3:hover .header-anchor,h4:hover .header-anchor,h5:hover .header-anchor,h6:hover .header-anchor{opacity:1}h1{font-size:2.2rem}h2{font-size:1.65rem;padding-bottom:.3rem;border-bottom:1px solid #eaecef}h3{font-size:1.35rem}a.header-anchor{font-size:.85em;float:left;margin-left:-.87em;padding-right:.23em;margin-top:.125em;opacity:0}a.header-anchor:hover{text-decoration:none}.line-number,code,kbd{font-family:source-code-pro,Menlo,Monaco,Consolas,Courier New,monospace}ol,p,ul{line-height:1.7}hr{border:0;border-top:1px solid #eaecef}table{border-collapse:collapse;margin:1rem 0;display:block;overflow-x:auto}tr{border-top:1px solid #dfe2e5}tr:nth-child(2n){background-color:#f6f8fa}td,th{border:1px solid #dfe2e5;padding:.6em 1em}.theme-container.sidebar-open .sidebar-mask{display:block}.theme-container.no-navbar .theme-default-content:not(.custom)>h1,.theme-container.no-navbar h2,.theme-container.no-navbar h3,.theme-container.no-navbar h4,.theme-container.no-navbar h5,.theme-container.no-navbar h6{margin-top:1.5rem;padding-top:0}.theme-container.no-navbar .sidebar{top:0}@media (min-width:720px){.theme-container.no-sidebar .sidebar{display:none}.theme-container.no-sidebar .page{padding-left:0}}@media (max-width:959px){.sidebar{font-size:15px;width:16.4rem}.page{padding-left:16.4rem}}@media (max-width:719px){.sidebar{top:0;padding-top:3.6rem;transform:translateX(-100%);transition:transform .2s ease}.page{padding-left:0}.theme-container.sidebar-open .sidebar{transform:translateX(0)}.theme-container.no-navbar .sidebar{padding-top:0}}@media (max-width:419px){h1{font-size:1.9rem}.theme-default-content 
div[class*=language-]{margin:.85rem -1.5rem;border-radius:0}}.github-only{display:none}.text-primary{color:#23103a}.text-danger{color:#a0204c}.text-warning{color:#ff6c00}.text-info{color:#8bd2dc}.text-success{color:#28a745}.page-edit,.page-nav,.theme-default-content:not(.custom),footer{margin:0!important}.theme-default-content:not(.custom)>h2{padding-top:7rem}.navbar .site-name{display:none}.navbar,.navbar .links{background-color:#23103a!important}.navbar .links a{color:#fff}.navbar .links a svg{display:none}img{border:5px solid #f7f7f7}.no-border img,header img,img.no-border{border:none}.mini-img{text-align:center}.theme-default-content:not(.custom) .mini-img img{max-width:300px}.page{padding-bottom:0!important}#nprogress{pointer-events:none}#nprogress .bar{background:#ff6c00;position:fixed;z-index:1031;top:0;left:0;width:100%;height:2px}#nprogress .peg{display:block;position:absolute;right:0;width:100px;height:100%;box-shadow:0 0 10px #ff6c00,0 0 5px #ff6c00;opacity:1;transform:rotate(3deg) translateY(-4px)}#nprogress .spinner{display:block;position:fixed;z-index:1031;top:15px;right:15px}#nprogress .spinner-icon{width:18px;height:18px;box-sizing:border-box;border-color:#ff6c00 transparent transparent #ff6c00;border-style:solid;border-width:2px;border-radius:50%;-webkit-animation:nprogress-spinner .4s linear infinite;animation:nprogress-spinner .4s linear infinite}.nprogress-custom-parent{overflow:hidden;position:relative}.nprogress-custom-parent #nprogress .bar,.nprogress-custom-parent #nprogress .spinner{position:absolute}@-webkit-keyframes nprogress-spinner{0%{transform:rotate(0deg)}to{transform:rotate(1turn)}}@keyframes nprogress-spinner{0%{transform:rotate(0deg)}to{transform:rotate(1turn)}}.icon.outbound{color:#aaa;display:inline-block;vertical-align:middle;position:relative;top:-1px}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border-width:0}.home{padding:3.6rem 2rem 
0;max-width:960px;margin:0 auto;display:block}.home .hero{text-align:center}.home .hero img{max-width:100%;max-height:280px;display:block;margin:3rem auto 1.5rem}.home .hero h1{font-size:3rem}.home .hero .action,.home .hero .description,.home .hero h1{margin:1.8rem auto}.home .hero .description{max-width:35rem;font-size:1.6rem;line-height:1.3;color:#6a8bad}.home .hero .action-button{display:inline-block;font-size:1.2rem;color:#fff;background-color:#ff6c00;padding:.8rem 1.6rem;border-radius:4px;transition:background-color .1s ease;box-sizing:border-box;border-bottom:1px solid #e66100}.home .hero .action-button:hover{background-color:#ff7b1a}.home .features{border-top:1px solid #eaecef;padding:1.2rem 0;margin-top:2.5rem;display:flex;flex-wrap:wrap;align-items:flex-start;align-content:stretch;justify-content:space-between}.home .feature{flex-grow:1;flex-basis:30%;max-width:30%}.home .feature h2{font-size:1.4rem;font-weight:500;border-bottom:none;padding-bottom:0;color:#3a5169}.home .feature p{color:#4e6e8e}.home .footer{padding:2.5rem;border-top:1px solid #eaecef;text-align:center;color:#4e6e8e}@media (max-width:719px){.home .features{flex-direction:column}.home .feature{max-width:100%;padding:0 2.5rem}}@media (max-width:419px){.home{padding-left:1.5rem;padding-right:1.5rem}.home .hero img{max-height:210px;margin:2rem auto 1.2rem}.home .hero h1{font-size:2rem}.home .hero .action,.home .hero .description,.home .hero h1{margin:1.2rem auto}.home .hero .description{font-size:1.2rem}.home .hero .action-button{font-size:1rem;padding:.6rem 1.2rem}.home .feature h2{font-size:1.25rem}}.search-box{display:inline-block;position:relative;margin-right:1rem}.search-box input{cursor:text;width:10rem;height:2rem;color:#4e6e8e;display:inline-block;border:1px solid #cfd4db;border-radius:2rem;font-size:.9rem;line-height:2rem;padding:0 .5rem 0 2rem;outline:none;transition:all .2s ease;background:#fff url(/assets/img/search.83621669.svg) .6rem .5rem 
no-repeat;background-size:1rem}.search-box input:focus{cursor:auto;border-color:#ff6c00}.search-box .suggestions{background:#fff;width:20rem;position:absolute;top:2rem;border:1px solid #cfd4db;border-radius:6px;padding:.4rem;list-style-type:none}.search-box .suggestions.align-right{right:0}.search-box .suggestion{line-height:1.4;padding:.4rem .6rem;border-radius:4px;cursor:pointer}.search-box .suggestion a{white-space:normal;color:#5d82a6}.search-box .suggestion a .page-title{font-weight:600}.search-box .suggestion a .header{font-size:.9em;margin-left:.25em}.search-box .suggestion.focused{background-color:#f3f4f5}.search-box .suggestion.focused a{color:#ff6c00}@media (max-width:959px){.search-box input{cursor:pointer;width:0;border-color:transparent;position:relative}.search-box input:focus{cursor:text;left:0;width:10rem}}@media (-ms-high-contrast:none){.search-box input{height:2rem}}@media (max-width:959px) and (min-width:719px){.search-box .suggestions{left:0}}@media (max-width:719px){.search-box{margin-right:0}.search-box input{left:1rem}.search-box .suggestions{right:0}}@media (max-width:419px){.search-box .suggestions{width:calc(100vw - 4rem)}.search-box input:focus{width:8rem}}.sidebar-button{cursor:pointer;display:none;width:1.25rem;height:1.25rem;position:absolute;padding:.6rem;top:.6rem;left:1rem}.sidebar-button .icon{display:block;width:1.25rem;height:1.25rem}@media (max-width:719px){.sidebar-button{display:block}}.dropdown-enter,.dropdown-leave-to{height:0!important}.dropdown-wrapper{cursor:pointer}.dropdown-wrapper .dropdown-title,.dropdown-wrapper .mobile-dropdown-title{display:block;font-size:.9rem;font-family:inherit;cursor:inherit;padding:inherit;line-height:1.4rem;background:transparent;border:none;font-weight:500;color:#2c3e50}.dropdown-wrapper .dropdown-title:hover,.dropdown-wrapper .mobile-dropdown-title:hover{border-color:transparent}.dropdown-wrapper .dropdown-title .arrow,.dropdown-wrapper .mobile-dropdown-title 
.arrow{vertical-align:middle;margin-top:-1px;margin-left:.4rem}.dropdown-wrapper .mobile-dropdown-title{display:none;font-weight:600}.dropdown-wrapper .mobile-dropdown-title font-size inherit:hover{color:#ff6c00}.dropdown-wrapper .nav-dropdown .dropdown-item{color:inherit;line-height:1.7rem}.dropdown-wrapper .nav-dropdown .dropdown-item h4{margin:.45rem 0 0;border-top:1px solid #eee;padding:1rem 1.5rem .45rem 1.25rem}.dropdown-wrapper .nav-dropdown .dropdown-item .dropdown-subitem-wrapper{padding:0;list-style:none}.dropdown-wrapper .nav-dropdown .dropdown-item .dropdown-subitem-wrapper .dropdown-subitem{font-size:.9em}.dropdown-wrapper .nav-dropdown .dropdown-item a{display:block;line-height:1.7rem;position:relative;border-bottom:none;font-weight:400;margin-bottom:0;padding:0 1.5rem 0 1.25rem}.dropdown-wrapper .nav-dropdown .dropdown-item a.router-link-active,.dropdown-wrapper .nav-dropdown .dropdown-item a:hover{color:#ff6c00}.dropdown-wrapper .nav-dropdown .dropdown-item a.router-link-active:after{content:"";width:0;height:0;border-left:5px solid #ff6c00;border-top:3px solid transparent;border-bottom:3px solid transparent;position:absolute;top:calc(50% - 2px);left:9px}.dropdown-wrapper .nav-dropdown .dropdown-item:first-child h4{margin-top:0;padding-top:0;border-top:0}@media (max-width:719px){.dropdown-wrapper.open .dropdown-title{margin-bottom:.5rem}.dropdown-wrapper .dropdown-title{display:none}.dropdown-wrapper .mobile-dropdown-title{display:block}.dropdown-wrapper .nav-dropdown{transition:height .1s ease-out;overflow:hidden}.dropdown-wrapper .nav-dropdown .dropdown-item h4{border-top:0;margin-top:0;padding-top:0}.dropdown-wrapper .nav-dropdown .dropdown-item>a,.dropdown-wrapper .nav-dropdown .dropdown-item h4{font-size:15px;line-height:2rem}.dropdown-wrapper .nav-dropdown .dropdown-item .dropdown-subitem{font-size:14px;padding-left:1rem}}@media (min-width:719px){.dropdown-wrapper{height:1.8rem}.dropdown-wrapper.open .nav-dropdown,.dropdown-wrapper:hover 
.nav-dropdown{display:block!important}.dropdown-wrapper.open:blur{display:none}.dropdown-wrapper .nav-dropdown{display:none;height:auto!important;box-sizing:border-box;max-height:calc(100vh - 2.7rem);overflow-y:auto;position:absolute;top:100%;right:0;background-color:#fff;padding:.6rem 0;border:1px solid;border-color:#ddd #ddd #ccc;text-align:left;border-radius:.25rem;white-space:nowrap;margin:0}}.nav-links{display:inline-block}.nav-links a{line-height:1.4rem;color:inherit}.nav-links a.router-link-active,.nav-links a:hover{color:#ff6c00}.nav-links .nav-item{position:relative;display:inline-block;margin-left:1.5rem;line-height:2rem}.nav-links .nav-item:first-child{margin-left:0}.nav-links .repo-link{margin-left:1.5rem}@media (max-width:719px){.nav-links .nav-item,.nav-links .repo-link{margin-left:0}}@media (min-width:719px){.nav-links a.router-link-active,.nav-links a:hover{color:#2c3e50}.nav-item>a:not(.external).router-link-active,.nav-item>a:not(.external):hover{margin-bottom:-2px;border-bottom:2px solid #ff7814}}.navbar{padding:.7rem 1.5rem;line-height:2.2rem}.navbar a,.navbar img,.navbar span{display:inline-block}.navbar .logo{height:2.2rem;min-width:2.2rem;margin-right:.8rem;vertical-align:top}.navbar .site-name{font-size:1.3rem;font-weight:600;color:#2c3e50;position:relative}.navbar .links{padding-left:1.5rem;box-sizing:border-box;background-color:#fff;white-space:nowrap;font-size:.9rem;position:absolute;right:1.5rem;top:.7rem;display:flex}.navbar .links .search-box{flex:0 0 auto;vertical-align:top}@media (max-width:719px){.navbar{padding-left:4rem}.navbar .can-hide{display:none}.navbar .links{padding-left:1.5rem}.navbar .site-name{width:calc(100vw - 9.4rem);overflow:hidden;white-space:nowrap;text-overflow:ellipsis}}.page-edit{max-width:740px;margin:0 auto;padding:2rem 2.5rem}@media (max-width:959px){.page-edit{padding:2rem}}@media (max-width:419px){.page-edit{padding:1.5rem}}.page-edit{padding-top:1rem;padding-bottom:1rem;overflow:auto}.page-edit 
.edit-link{display:inline-block}.page-edit .edit-link a{color:#4e6e8e;margin-right:.25rem}.page-edit .last-updated{float:right;font-size:.9em}.page-edit .last-updated .prefix{font-weight:500;color:#4e6e8e}.page-edit .last-updated .time{font-weight:400;color:#767676}@media (max-width:719px){.page-edit .edit-link{margin-bottom:.5rem}.page-edit .last-updated{font-size:.8em;float:none;text-align:left}}.page-nav{max-width:740px;margin:0 auto;padding:2rem 2.5rem}@media (max-width:959px){.page-nav{padding:2rem}}@media (max-width:419px){.page-nav{padding:1.5rem}}.page-nav{padding-top:1rem;padding-bottom:0}.page-nav .inner{min-height:2rem;margin-top:0;border-top:1px solid #eaecef;padding-top:1rem;overflow:auto}.page-nav .next{float:right}.page{padding-bottom:2rem;display:block}.sidebar-group .sidebar-group{padding-left:.5em}.sidebar-group:not(.collapsable) .sidebar-heading:not(.clickable){cursor:auto;color:inherit}.sidebar-group.is-sub-group{padding-left:0}.sidebar-group.is-sub-group>.sidebar-heading{font-size:.95em;line-height:1.4;font-weight:400;padding-left:2rem}.sidebar-group.is-sub-group>.sidebar-heading:not(.clickable){opacity:.5}.sidebar-group.is-sub-group>.sidebar-group-items{padding-left:1rem}.sidebar-group.is-sub-group>.sidebar-group-items>li>.sidebar-link{font-size:.95em;border-left:none}.sidebar-group.depth-2>.sidebar-heading{border-left:none}.sidebar-heading{color:#2c3e50;transition:color .15s ease;cursor:pointer;font-size:1.1em;font-weight:700;padding:.35rem 1.5rem .35rem 1.25rem;width:100%;box-sizing:border-box;margin:0;border-left:.25rem solid transparent}.sidebar-heading.open,.sidebar-heading:hover{color:inherit}.sidebar-heading .arrow{position:relative;top:-.12em;left:.5em}.sidebar-heading.clickable.active{font-weight:600;color:#ff6c00;border-left-color:#ff6c00}.sidebar-heading.clickable:hover{color:#ff6c00}.sidebar-group-items{transition:height .1s ease-out;font-size:.95em;overflow:hidden}.sidebar 
.sidebar-sub-headers{padding-left:1rem;font-size:.95em}a.sidebar-link{font-size:1em;font-weight:400;display:inline-block;color:#2c3e50;border-left:.25rem solid transparent;padding:.35rem 1rem .35rem 1.25rem;line-height:1.4;width:100%;box-sizing:border-box}a.sidebar-link:hover{color:#ff6c00}a.sidebar-link.active{font-weight:600;color:#ff6c00;border-left-color:#ff6c00}.sidebar-group a.sidebar-link{padding-left:2rem}.sidebar-sub-headers a.sidebar-link{padding-top:.25rem;padding-bottom:.25rem;border-left:none}.sidebar-sub-headers a.sidebar-link.active{font-weight:500}.sidebar ul{padding:0;margin:0;list-style-type:none}.sidebar a{display:inline-block}.sidebar .nav-links{display:none;border-bottom:1px solid #eaecef;padding:.5rem 0 .75rem}.sidebar .nav-links a{font-weight:600}.sidebar .nav-links .nav-item,.sidebar .nav-links .repo-link{display:block;line-height:1.25rem;font-size:1.1em;padding:.5rem 0 .5rem 1.5rem}.sidebar>.sidebar-links{padding:1.5rem 0}.sidebar>.sidebar-links>li>a.sidebar-link{font-size:1.1em;line-height:1.7;font-weight:700}.sidebar>.sidebar-links>li:not(:first-child){margin-top:.75rem}@media (max-width:719px){.sidebar .nav-links{display:block}.sidebar .nav-links .dropdown-wrapper .nav-dropdown .dropdown-item a.router-link-active:after{top:calc(1rem - 2px)}.sidebar>.sidebar-links{padding:1rem 0}}div.custom-footer{display:flex;justify-content:space-between;border-top:1px solid #eaecef;padding:2rem 2.5rem}.custom-footer .left-footer{margin-top:0!important}.custom-footer .left-footer a:first-of-type{margin-right:1.5rem}.custom-footer a{color:#4e6e8e}.badge[data-v-15b7b770]{display:inline-block;font-size:14px;height:18px;line-height:18px;border-radius:3px;padding:0 
6px;color:#fff}.badge.green[data-v-15b7b770],.badge.tip[data-v-15b7b770],.badge[data-v-15b7b770]{background-color:#42b983}.badge.error[data-v-15b7b770]{background-color:#da5961}.badge.warn[data-v-15b7b770],.badge.warning[data-v-15b7b770],.badge.yellow[data-v-15b7b770]{background-color:#e7c000}.badge+.badge[data-v-15b7b770]{margin-left:5px}.theme-code-block[data-v-6d04095e]{display:none}.theme-code-block__active[data-v-6d04095e]{display:block}.theme-code-block>pre[data-v-6d04095e]{background-color:orange}.theme-code-group__nav[data-v-32c2d7ed]{margin-bottom:-35px;background-color:#282c34;padding-bottom:22px;border-top-left-radius:6px;border-top-right-radius:6px;padding-left:10px;padding-top:10px}.theme-code-group__ul[data-v-32c2d7ed]{margin:auto 0;padding-left:0;display:inline-flex;list-style:none}.theme-code-group__nav-tab[data-v-32c2d7ed]{border:0;padding:5px;cursor:pointer;background-color:transparent;font-size:.85em;line-height:1.4;color:hsla(0,0%,100%,.9);font-weight:600}.theme-code-group__nav-tab-active[data-v-32c2d7ed]{border-bottom:1px solid #42b983}.pre-blank[data-v-32c2d7ed]{color:#42b983} \ No newline at end of file diff --git a/docs/assets/img/search.83621669.svg b/docs/assets/img/search.83621669.svg deleted file mode 100644 index 03d83913e..000000000 --- a/docs/assets/img/search.83621669.svg +++ /dev/null @@ -1 +0,0 @@ - diff --git a/docs/assets/js/10.9d1a1701.js b/docs/assets/js/10.9d1a1701.js deleted file mode 100644 index 17d816ea2..000000000 --- a/docs/assets/js/10.9d1a1701.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[10],{370:function(e,r,t){"use strict";t.r(r);var a=t(42),s=Object(a.a)({},(function(){var e=this,r=e.$createElement,t=e._self._c||r;return t("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[t("h2",{attrs:{id:"upcoming"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#upcoming"}},[e._v("#")]),e._v(" Upcoming")]),e._v(" "),t("ul",[t("li",[e._v("Standardize categories of checks into Security, Reliability, and Efficiency")])]),e._v(" "),t("h2",{attrs:{id:"_1-2-1"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_1-2-1"}},[e._v("#")]),e._v(" 1.2.1")]),e._v(" "),t("ul",[t("li",[e._v("Update date on dashboard footer")])]),e._v(" "),t("h2",{attrs:{id:"_1-2-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_1-2-0"}},[e._v("#")]),e._v(" 1.2.0")]),e._v(" "),t("ul",[t("li",[e._v("Add ability to audit a single workload")]),e._v(" "),t("li",[e._v("Enable "),t("code",[e._v("pullPolicyAlways")]),e._v(" by default")]),e._v(" "),t("li",[e._v("Fix for finding parent resources")])]),e._v(" "),t("h2",{attrs:{id:"_1-1-1"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_1-1-1"}},[e._v("#")]),e._v(" 1.1.1")]),e._v(" "),t("ul",[t("li",[e._v("Show controller checks on dashboard")]),e._v(" "),t("li",[e._v("Fix for orphaned pods w/ controller checks")])]),e._v(" "),t("h2",{attrs:{id:"_1-1-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_1-1-0"}},[e._v("#")]),e._v(" 1.1.0")]),e._v(" "),t("ul",[t("li",[e._v("Add namespace filter in UI")]),e._v(" "),t("li",[e._v("Add priorityClass check")]),e._v(" "),t("li",[e._v("Support reading from STDIN")]),e._v(" "),t("li",[e._v("Ensure severity is set for all custom checks")]),e._v(" "),t("li",[e._v("Support audit files which use \\r or \\r\\n as newline character")]),e._v(" "),t("li",[e._v("Add option to exempt an entire controller from checks via config file")]),e._v(" "),t("li",[e._v("Fixed case where parent resources trigger error")]),e._v(" 
"),t("li",[e._v("Fixed UI zero-state")])]),e._v(" "),t("h2",{attrs:{id:"_1-0-3"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_1-0-3"}},[e._v("#")]),e._v(" 1.0.3")]),e._v(" "),t("ul",[t("li",[e._v("Fixed case where parent resources trigger error")]),e._v(" "),t("li",[e._v("Fixed dashboard link when "),t("code",[e._v("--base-path")]),e._v(" is set")])]),e._v(" "),t("h2",{attrs:{id:"_1-0-2"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_1-0-2"}},[e._v("#")]),e._v(" 1.0.2")]),e._v(" "),t("ul",[t("li",[e._v("Fixed case where custom CRDs are not covered by RBAC")])]),e._v(" "),t("h2",{attrs:{id:"_1-0-1"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_1-0-1"}},[e._v("#")]),e._v(" 1.0.1")]),e._v(" "),t("ul",[t("li",[e._v("Added ARM binaries to releases")])]),e._v(" "),t("h2",{attrs:{id:"_1-0-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_1-0-0"}},[e._v("#")]),e._v(" 1.0.0")]),e._v(" "),t("h3",{attrs:{id:"new-features"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#new-features"}},[e._v("#")]),e._v(" New Features")]),e._v(" "),t("ul",[t("li",[e._v("Added support for custom checks using JSON Schema")]),e._v(" "),t("li",[e._v("Added support for arbitrary controllers, rather than a pre-configured set\n"),t("ul",[t("li",[e._v("removed support for "),t("code",[e._v("controllers_to_scan")]),e._v(" in config")])])]),e._v(" "),t("li",[e._v("Added the ability to exempt a particular controller from a particular check.")]),e._v(" "),t("li",[e._v("Docker image now includes the default config")])]),e._v(" "),t("h3",{attrs:{id:"breaking-changes"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#breaking-changes"}},[e._v("#")]),e._v(" Breaking Changes")]),e._v(" "),t("ul",[t("li",[e._v("Breaking changes in both input and output formats. 
See "),t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/tree/master/examples",target:"_blank",rel:"noopener noreferrer"}},[e._v("Examples"),t("OutboundLink")],1),e._v(" for examples of the new formats.\n"),t("ul",[t("li",[e._v("removed config-level configuration for checks like max/min memory settings")]),e._v(" "),t("li",[e._v("changed severity "),t("code",[e._v("error")]),e._v(" to "),t("code",[e._v("danger")])])])]),e._v(" "),t("li",[e._v("Breaking changes to the CLI\n"),t("ul",[t("li",[e._v("CLI flag "),t("code",[e._v("--set-exit-code-on-error")]),e._v(" is now "),t("code",[e._v("--set-exit-code-on-danger")])]),e._v(" "),t("li",[e._v("Flags "),t("code",[e._v("--version")]),e._v(", "),t("code",[e._v("--dashboard")]),e._v(", "),t("code",[e._v("--webhook")]),e._v(", and "),t("code",[e._v("--audit")]),e._v(" are now arguments")]),e._v(" "),t("li",[e._v("Port flags are now just "),t("code",[e._v("--port")])])])])]),e._v(" "),t("h2",{attrs:{id:"_0-6-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-6-0"}},[e._v("#")]),e._v(" 0.6.0")]),e._v(" "),t("ul",[t("li",[e._v("Fixed webhook support in Kubernetes 1.16\n"),t("ul",[t("li",[e._v("this also removes support for 1.8")])])]),e._v(" "),t("li",[e._v("Added support for exemptions via controller annotations")])]),e._v(" "),t("h2",{attrs:{id:"_0-5-2"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-5-2"}},[e._v("#")]),e._v(" 0.5.2")]),e._v(" "),t("ul",[t("li",[e._v("Fixed missing success messages for resource requests/limits")])]),e._v(" "),t("h2",{attrs:{id:"_0-5-1"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-5-1"}},[e._v("#")]),e._v(" 0.5.1")]),e._v(" "),t("ul",[t("li",[e._v("Added a few more exemptions")]),e._v(" "),t("li",[e._v("Started checking exemptions based on controller name prefix")]),e._v(" "),t("li",[t("code",[e._v("runAsUser != 0")]),e._v(" now passes the "),t("code",[e._v("runAsNonRoot")]),e._v(" check")])]),e._v(" 
"),t("h2",{attrs:{id:"_0-5-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-5-0"}},[e._v("#")]),e._v(" 0.5.0")]),e._v(" "),t("ul",[t("li",[e._v("Added "),t("code",[e._v("--load-audit-file")]),e._v(" flag to run the dashboard from an existing audit")]),e._v(" "),t("li",[e._v("Added an "),t("code",[e._v("ID")]),e._v(" field to each check in the output")]),e._v(" "),t("li",[e._v("Skip health checks for jobs, cronjobs, initcontainers")]),e._v(" "),t("li",[e._v("Added support for exemptions")]),e._v(" "),t("li",[e._v("Fixed dashboard base path option")])]),e._v(" "),t("h2",{attrs:{id:"_0-4-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-4-0"}},[e._v("#")]),e._v(" 0.4.0")]),e._v(" "),t("ul",[t("li",[e._v("Added additional Pod Controllers to scan PodSpec ("),t("code",[e._v("jobs")]),e._v(", "),t("code",[e._v("cronjobs")]),e._v(", "),t("code",[e._v("daemonsets")]),e._v(", "),t("code",[e._v("replicationcontrollers")]),e._v(")")])]),e._v(" "),t("h2",{attrs:{id:"_0-3-1"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-3-1"}},[e._v("#")]),e._v(" 0.3.1")]),e._v(" "),t("ul",[t("li",[e._v("Changed dashboard branding to refer to new org name Fairwinds")])]),e._v(" "),t("h2",{attrs:{id:"_0-3-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-3-0"}},[e._v("#")]),e._v(" 0.3.0")]),e._v(" "),t("ul",[t("li",[e._v("Added "),t("code",[e._v("--set-exit-code-on-error")]),e._v(" and "),t("code",[e._v("--set-exit-code-below-score")]),e._v(" flags to better support CI/CD")])]),e._v(" "),t("h2",{attrs:{id:"_0-2-1"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-2-1"}},[e._v("#")]),e._v(" 0.2.1")]),e._v(" "),t("ul",[t("li",[t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues/146",target:"_blank",rel:"noopener noreferrer"}},[e._v("Fix"),t("OutboundLink")],1),e._v(": Fixed logic on RunAsNonRoot check to incorporate settings in podSpec")])]),e._v(" 
"),t("h2",{attrs:{id:"_0-2-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-2-0"}},[e._v("#")]),e._v(" 0.2.0")]),e._v(" "),t("ul",[t("li",[e._v("Added "),t("code",[e._v("--output-format")]),e._v(" flag for better CI/CD support")]),e._v(" "),t("li",[e._v("Added "),t("code",[e._v("--display-name")]),e._v(" flag")]),e._v(" "),t("li",[e._v("Added support for StatefulSets")]),e._v(" "),t("li",[e._v("Show error message if no kubeconfig is set")])]),e._v(" "),t("h2",{attrs:{id:"_0-1-5"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-1-5"}},[e._v("#")]),e._v(" 0.1.5")]),e._v(" "),t("ul",[t("li",[t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues/125",target:"_blank",rel:"noopener noreferrer"}},[e._v("Fix"),t("OutboundLink")],1),e._v(": ignore limits/requests for initContainers")]),e._v(" "),t("li",[t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues/132",target:"_blank",rel:"noopener noreferrer"}},[e._v("Fix"),t("OutboundLink")],1),e._v(": support custom base path")])]),e._v(" "),t("h2",{attrs:{id:"_0-1-4"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-1-4"}},[e._v("#")]),e._v(" 0.1.4")]),e._v(" "),t("ul",[t("li",[t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues/116",target:"_blank",rel:"noopener noreferrer"}},[e._v("Fix"),t("OutboundLink")],1),e._v(": details pages getting template errors")]),e._v(" "),t("li",[t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues/114",target:"_blank",rel:"noopener noreferrer"}},[e._v("Fix"),t("OutboundLink")],1),e._v(": support all auth providers")]),e._v(" "),t("li",[t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues/112",target:"_blank",rel:"noopener noreferrer"}},[e._v("Fix"),t("OutboundLink")],1),e._v(": Ignore readiness probe for initContainers")])]),e._v(" "),t("h2",{attrs:{id:"_0-1-3"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-1-3"}},[e._v("#")]),e._v(" 0.1.3")]),e._v(" 
"),t("ul",[t("li",[t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues/109",target:"_blank",rel:"noopener noreferrer"}},[e._v("Fix"),t("OutboundLink")],1),e._v(": dashboard not updating when running persistently")])]),e._v(" "),t("h2",{attrs:{id:"_0-1-2"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-1-2"}},[e._v("#")]),e._v(" 0.1.2")]),e._v(" "),t("ul",[t("li",[e._v("Stored all third-party assets (e.g. Charts.js) to local files to support offline dashboard viewing")]),e._v(" "),t("li",[e._v("Fix: custom configs in "),t("code",[e._v("ConfigMap")]),e._v(" not respected")])]),e._v(" "),t("h2",{attrs:{id:"_0-1-1"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-1-1"}},[e._v("#")]),e._v(" 0.1.1")]),e._v(" "),t("ul",[t("li",[t("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues/93",target:"_blank",rel:"noopener noreferrer"}},[e._v("Fix"),t("OutboundLink")],1),e._v(": missing "),t("code",[e._v("config.yaml")]),e._v(" and dashboard assets in binary releases")]),e._v(" "),t("li",[e._v("Added some tests and better error handling")])]),e._v(" "),t("h2",{attrs:{id:"_0-1-0"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#_0-1-0"}},[e._v("#")]),e._v(" 0.1.0")]),e._v(" "),t("ul",[t("li",[e._v("Dashboard fully functional")]),e._v(" "),t("li",[e._v("Validating webhook functional, but still considered beta")]),e._v(" "),t("li",[e._v("Checks:\n"),t("ul",[t("li",[e._v("Health\n"),t("ul",[t("li",[e._v("readiness probe missing")]),e._v(" "),t("li",[e._v("liveness probe missing")])])]),e._v(" "),t("li",[e._v("Images\n"),t("ul",[t("li",[e._v("tag not specified")]),e._v(" "),t("li",[e._v("pull policy not always")])])]),e._v(" "),t("li",[e._v("Networking\n"),t("ul",[t("li",[e._v("host network set")]),e._v(" "),t("li",[e._v("host port set")])])]),e._v(" "),t("li",[e._v("Resources\n"),t("ul",[t("li",[e._v("cpu/memory requests missing")]),e._v(" "),t("li",[e._v("cpu/memory limits missing")]),e._v(" "),t("li",[e._v("cpu/memory ranges 
exceeded")])])]),e._v(" "),t("li",[e._v("Security\n"),t("ul",[t("li",[e._v("security capabilities")]),e._v(" "),t("li",[e._v("host IPC set")]),e._v(" "),t("li",[e._v("host PID set")]),e._v(" "),t("li",[e._v("not read-only fs")]),e._v(" "),t("li",[e._v("privilege escalation allowed")]),e._v(" "),t("li",[e._v("run as root allowed")]),e._v(" "),t("li",[e._v("run as privileged")])])])])])])])}),[],!1,null,null,null);r.default=s.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/11.d7eadcf0.js b/docs/assets/js/11.d7eadcf0.js deleted file mode 100644 index 7f8f954e6..000000000 --- a/docs/assets/js/11.d7eadcf0.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[11],{373:function(e,t,r){"use strict";r.r(t);var s=r(42),o=Object(s.a)({},(function(){var e=this,t=e.$createElement,r=e._self._c||t;return r("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[r("h1",{attrs:{id:"efficiency"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#efficiency"}},[e._v("#")]),e._v(" Efficiency")]),e._v(" "),r("p",[e._v("These checks ensure that CPU and memory settings are configured, so that\nKubernetes can schedule your workload effectively.")]),e._v(" "),r("h2",{attrs:{id:"presence-checks"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#presence-checks"}},[e._v("#")]),e._v(" Presence Checks")]),e._v(" "),r("p",[e._v("To simplify ensure that these values have been set, the following attributes are available:")]),e._v(" "),r("table",[r("thead",[r("tr",[r("th",[e._v("key")]),e._v(" "),r("th",[e._v("default")]),e._v(" "),r("th",[e._v("description")])])]),e._v(" "),r("tbody",[r("tr",[r("td",[r("code",[e._v("resources.cpuRequestsMissing")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("resources.requests.cpu")]),e._v(" attribute is not configured.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("resources.memoryRequestsMissing")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("resources.requests.memory")]),e._v(" attribute is not configured.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("resources.cpuLimitsMissing")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("resources.limits.cpu")]),e._v(" attribute is not configured.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("resources.memoryLimitsMissing")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("resources.limits.memory")]),e._v(" attribute is not configured.")])])])]),e._v(" 
"),r("h2",{attrs:{id:"background"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#background"}},[e._v("#")]),e._v(" Background")]),e._v(" "),r("p",[e._v("Configuring resource requests and limits for containers running in Kubernetes is an important best practice to follow. Setting appropriate resource requests will ensure that all your applications have sufficient compute resources. Setting appropriate resource limits will ensure that your applications do not consume too many resources.")]),e._v(" "),r("p",[e._v("Having these values appropriately configured ensures that:")]),e._v(" "),r("ul",[r("li",[r("p",[e._v("Cluster autoscaling can function as intended. New nodes are scheduled once pods are unable to be scheduled on an existing node due to insufficient resources. This will not happen if resource requests are not configured.")])]),e._v(" "),r("li",[r("p",[e._v("Each container has sufficient access to compute resources. Without resource requests, a pod may be scheduled on a node that is already overutilized. 
Without resource limits, a single poorly behaving pod could utilize the majority of resources on a node, significantly impacting the performance of other pods on the same node.")])])]),e._v(" "),r("h2",{attrs:{id:"further-reading"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#further-reading"}},[e._v("#")]),e._v(" Further Reading")]),e._v(" "),r("ul",[r("li",[r("a",{attrs:{href:"https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes Docs: Managing Compute Resources for Containers"),r("OutboundLink")],1)]),e._v(" "),r("li",[r("a",{attrs:{href:"https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-resource-requests-and-limits",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes best practices: Resource requests and limits"),r("OutboundLink")],1)]),e._v(" "),r("li",[r("a",{attrs:{href:"https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vertical Pod Autoscaler (can automatically set resource requests and limits)"),r("OutboundLink")],1)])])])}),[],!1,null,null,null);t.default=o.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/12.85c0eab0.js b/docs/assets/js/12.85c0eab0.js deleted file mode 100644 index fbb4b8c50..000000000 --- a/docs/assets/js/12.85c0eab0.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[12],{366:function(e,t,a){"use strict";a.r(t);var i=a(42),r=Object(i.a)({},(function(){var e=this,t=e.$createElement,a=e._self._c||t;return a("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[a("h1",{attrs:{id:"reliability"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#reliability"}},[e._v("#")]),e._v(" Reliability")]),e._v(" "),a("p",[e._v("These checks help to make sure your workloads are always available,\nand are running the correct image.")]),e._v(" "),a("table",[a("thead",[a("tr",[a("th",[e._v("key")]),e._v(" "),a("th",[e._v("default")]),e._v(" "),a("th",[e._v("description")])])]),e._v(" "),a("tbody",[a("tr",[a("td",[a("code",[e._v("reliability.readinessProbeMissing")])]),e._v(" "),a("td",[a("code",[e._v("warning")])]),e._v(" "),a("td",[e._v("Fails when a readiness probe is not configured for a pod.")])]),e._v(" "),a("tr",[a("td",[a("code",[e._v("reliability.livenessProbeMissing")])]),e._v(" "),a("td",[a("code",[e._v("warning")])]),e._v(" "),a("td",[e._v("Fails when a liveness probe is not configured for a pod.")])]),e._v(" "),a("tr",[a("td",[a("code",[e._v("reliability.tagNotSpecified")])]),e._v(" "),a("td",[a("code",[e._v("danger")])]),e._v(" "),a("td",[e._v("Fails when an image tag is either not specified or "),a("code",[e._v("latest")]),e._v(".")])]),e._v(" "),a("tr",[a("td",[a("code",[e._v("reliability.pullPolicyNotAlways")])]),e._v(" "),a("td",[a("code",[e._v("warning")])]),e._v(" "),a("td",[e._v("Fails when an image pull policy is not "),a("code",[e._v("always")]),e._v(".")])]),e._v(" "),a("tr",[a("td",[a("code",[e._v("reliability.priorityClassNotSet")])]),e._v(" "),a("td",[a("code",[e._v("ignore")])]),e._v(" "),a("td",[e._v("Fails when a priorityClassName is not set for a pod.")])]),e._v(" "),a("tr",[a("td",[a("code",[e._v("reliability.multipleReplicasForDeployment")])]),e._v(" "),a("td",[a("code",[e._v("ignore")])]),e._v(" "),a("td",[e._v("Fails when there is 
only one replica for a deployment.")])])])]),e._v(" "),a("h2",{attrs:{id:"background"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#background"}},[e._v("#")]),e._v(" Background")]),e._v(" "),a("p",[e._v("Readiness and liveness probes can help maintain the health of applications running inside Kubernetes. By default, Kubernetes only knows whether or not a process is running, not if it's healthy. Properly configured readiness and liveness probes will also be able to ensure the health of an application.")]),e._v(" "),a("p",[e._v('Readiness probes are designed to ensure that an application has reached a "ready" state. In many cases there is a period of time between when a webserver process starts and when it is ready to receive traffic. A readiness probe can ensure the traffic is not sent to a pod until it is actually ready to receive traffic.')]),e._v(" "),a("p",[e._v("Liveness probes are designed to ensure that an application stays in a healthy state. When a liveness probe fails, the pod will be restarted.")]),e._v(" "),a("p",[e._v("Docker's "),a("code",[e._v("latest")]),e._v(" tag is applied by default to images where a tag hasn't been specified. Not specifying a specific version of an image can lead to a wide variety of problems. The underlying image could include unexpected breaking changes that break your application whenever the latest image is pulled. Reusing the same tag for multiple versions of an image can lead to different nodes in the same cluster having different versions of an image, even if the tag is identical.")]),e._v(" "),a("p",[e._v("Related to that, relying on cached versions of a Docker image can become a security vulnerability. By default, an image will be pulled if it isn't already cached on the node attempting to run it. This can result in variations in images that are running per node, or potentially provide a way to gain access to an image without having direct access to the ImagePullSecret. 
With that in mind, it's often better to ensure the a pod has "),a("code",[e._v("pullPolicy: Always")]),e._v(" specified, so images are always pulled directly from their source.")]),e._v(" "),a("h2",{attrs:{id:"further-reading"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#further-reading"}},[e._v("#")]),e._v(" Further Reading")]),e._v(" "),a("ul",[a("li",[a("a",{attrs:{href:"https://vsupalov.com/docker-latest-tag/",target:"_blank",rel:"noopener noreferrer"}},[e._v("What's Wrong With The Docker :latest Tag?"),a("OutboundLink")],1)]),e._v(" "),a("li",[a("a",{attrs:{href:"https://medium.com/@trstringer/kubernetes-alwayspullimages-admission-control-the-importance-implementation-and-security-d83ff3815840",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes’ AlwaysPullImages Admission Control — the Importance, Implementation, and Security Vulnerability in its Absence"),a("OutboundLink")],1)]),e._v(" "),a("li",[a("a",{attrs:{href:"https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes Docs: Configure Liveness and Readiness Probes"),a("OutboundLink")],1)]),e._v(" "),a("li",[a("a",{attrs:{href:"https://medium.com/spire-labs/utilizing-kubernetes-liveness-and-readiness-probes-to-automatically-recover-from-failure-2fe0314f2b2e",target:"_blank",rel:"noopener noreferrer"}},[e._v("Utilizing Kubernetes Liveness and Readiness Probes to Automatically Recover From Failure"),a("OutboundLink")],1)]),e._v(" "),a("li",[a("a",{attrs:{href:"https://blog.colinbreck.com/kubernetes-liveness-and-readiness-probes-how-to-avoid-shooting-yourself-in-the-foot/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes Liveness and Readiness Probes: How to Avoid Shooting Yourself in the Foot"),a("OutboundLink")],1)])])])}),[],!1,null,null,null);t.default=r.exports}}]); \ No newline at end of file 
diff --git a/docs/assets/js/13.0487faf0.js b/docs/assets/js/13.0487faf0.js
deleted file mode 100644
index d9219525f..000000000
--- a/docs/assets/js/13.0487faf0.js
+++ /dev/null
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[13],{367:function(e,t,r){"use strict";r.r(t);var o=r(42),i=Object(o.a)({},(function(){var e=this,t=e.$createElement,r=e._self._c||t;return r("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[r("h1",{attrs:{id:"security"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#security"}},[e._v("#")]),e._v(" Security")]),e._v(" "),r("p",[e._v("These checks are related to security concerns. Workloads that fail these\nchecks may make your cluster more vulnerable, often by introducing a path\nfor privilege escalation.")]),e._v(" "),r("table",[r("thead",[r("tr",[r("th",[e._v("key")]),e._v(" "),r("th",[e._v("default")]),e._v(" "),r("th",[e._v("description")])])]),e._v(" "),r("tbody",[r("tr",[r("td",[r("code",[e._v("security.hostIPCSet")])]),e._v(" "),r("td",[r("code",[e._v("danger")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("hostIPC")]),e._v(" attribute is configured.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("security.hostPIDSet")])]),e._v(" "),r("td",[r("code",[e._v("danger")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("hostPID")]),e._v(" attribute is configured.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("security.notReadOnlyRootFilesystem")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("securityContext.readOnlyRootFilesystem")]),e._v(" is not true.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("security.privilegeEscalationAllowed")])]),e._v(" "),r("td",[r("code",[e._v("danger")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("securityContext.allowPrivilegeEscalation")]),e._v(" is true.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("security.runAsRootAllowed")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("securityContext.runAsNonRoot")]),e._v(" is not true.")])]),e._v(" 
"),r("tr",[r("td",[r("code",[e._v("security.runAsPrivileged")])]),e._v(" "),r("td",[r("code",[e._v("danger")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("securityContext.privileged")]),e._v(" is true.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("security.insecureCapabilities")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("securityContext.capabilities")]),e._v(" includes one of the capabilities "),r("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/tree/master/checks/insecureCapabilities.yaml",target:"_blank",rel:"noopener noreferrer"}},[e._v("listed here"),r("OutboundLink")],1)])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("security.dangerousCapabilities")])]),e._v(" "),r("td",[r("code",[e._v("danger")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("securityContext.capabilities")]),e._v(" includes one of the capabilities "),r("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/tree/master/checks/dangerousCapabilities.yaml",target:"_blank",rel:"noopener noreferrer"}},[e._v("listed here"),r("OutboundLink")],1)])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("security.hostNetworkSet")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("hostNetwork")]),e._v(" attribute is configured.")])]),e._v(" "),r("tr",[r("td",[r("code",[e._v("security.hostPortSet")])]),e._v(" "),r("td",[r("code",[e._v("warning")])]),e._v(" "),r("td",[e._v("Fails when "),r("code",[e._v("hostPort")]),e._v(" attribute is configured.")])])])]),e._v(" "),r("h2",{attrs:{id:"background"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#background"}},[e._v("#")]),e._v(" Background")]),e._v(" "),r("p",[e._v("Securing workloads in Kubernetes is an important part of overall cluster security. The overall goal should be to ensure that containers are running with as minimal privileges as possible. 
This includes avoiding privilege escalation, not running containers with a root user, not giving excessive access to the host network, and using read only file systems wherever possible.")]),e._v(" "),r("p",[e._v("A pod running with the "),r("code",[e._v("hostNetwork")]),e._v(" attribute enabled will have access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. There are certain examples where setting "),r("code",[e._v("hostNetwork")]),e._v(" to true is required, such as deploying a networking plugin like Flannel.")]),e._v(" "),r("p",[e._v("Setting the "),r("code",[e._v("hostPort")]),e._v(" attribute on a container will ensure that it is accessible on that specific port on each node it is deployed to. Unfortunately when this is specified, it limits where a pod can actually be scheduled in a cluster.")]),e._v(" "),r("p",[e._v("Much of this configuration can be found in the "),r("code",[e._v("securityContext")]),e._v(" attribute for both Kubernetes pods and containers. 
Where configuration is available at both a pod and container level, Polaris validates both.")]),e._v(" "),r("h2",{attrs:{id:"further-reading"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#further-reading"}},[e._v("#")]),e._v(" Further Reading")]),e._v(" "),r("ul",[r("li",[r("a",{attrs:{href:"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes Docs: Configure a Security Context for a Pod or Container"),r("OutboundLink")],1)]),e._v(" "),r("li",[r("a",{attrs:{href:"https://www.youtube.com/watch?v=ltrV-Qmh3oY",target:"_blank",rel:"noopener noreferrer"}},[e._v("KubeCon 2018 Keynote: Running with Scissors"),r("OutboundLink")],1)]),e._v(" "),r("li",[r("a",{attrs:{href:"https://kubernetes-security.info/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes Security Book"),r("OutboundLink")],1)]),e._v(" "),r("li",[r("a",{attrs:{href:"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes Docs: Set capabilities for a Container"),r("OutboundLink")],1)]),e._v(" "),r("li",[r("a",{attrs:{href:"http://man7.org/linux/man-pages/man7/capabilities.7.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("Linux Programmer's Manual: Capabilities"),r("OutboundLink")],1)]),e._v(" "),r("li",[r("a",{attrs:{href:"https://kubernetes.io/docs/concepts/configuration/overview/#services",target:"_blank",rel:"noopener noreferrer"}},[e._v("Kubernetes Docs: Configuration Best Practices"),r("OutboundLink")],1)]),e._v(" "),r("li",[r("a",{attrs:{href:"http://alesnosek.com/blog/2017/02/14/accessing-kubernetes-pods-from-outside-of-the-cluster/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Accessing Kubernetes Pods from Outside of the Cluster"),r("OutboundLink")],1)])])])}),[],!1,null,null,null);t.default=i.exports}}]); \ No newline at end of file 
diff --git a/docs/assets/js/14.60ea393e.js b/docs/assets/js/14.60ea393e.js
deleted file mode 100644
index 5533b03fa..000000000
--- a/docs/assets/js/14.60ea393e.js
+++ /dev/null
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[14],{371:function(e,n,t){"use strict";t.r(n);var s=t(42),i=Object(s.a)({},(function(){var e=this.$createElement,n=this._self._c||e;return n("ContentSlotsDistributor",{attrs:{"slot-key":this.$parent.slotKey}},[n("h4",{attrs:{id:"cli-options"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#cli-options"}},[this._v("#")]),this._v(" CLI Options")]),this._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[this._v('# top-level commands\naudit\n Runs a one-time audit.\ndashboard\n Runs the webserver for Polaris dashboard.\nhelp\n Prints help, if you give it a command then it will print help for that command. Same as -h\nversion\n Prints the version of Polaris\nwebhook\n Runs the webhook webserver\n\n# high-level flags\n-c, --config string\n Location of Polaris configuration file\n--disallow-exemptions\n Disallow any exemptions from configuration file.\n-h, --help\n Help for Polaris (same as help command)\n--kubeconfig string\n Path to a kubeconfig. Only required if out-of-cluster.\n--log-level string\n Logrus log level (default "info")\n--master string\n The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.\n\n# dashboard flags\n--audit-path string\n If specified, audits one or more YAML files instead of a cluster\n--base-path string\n Path on which the dashboard is served (default "/")\n--display-name string\n An optional identifier for the audit\n--load-audit-file string\n Runs the dashboard with data saved from a past audit.\n-p, --port int\n Port for the dashboard webserver (default 8080)\n\n# audit flags\n--audit-path string\n If specified, audits one or more YAML files instead of a cluster\n--resource string\n If specified, audit a specific resource, in the format namespace/kind/version/name, e.g. 
nginx-ingress/Deployment.apps/v1/default-backend\n--display-name string\n An optional identifier for the audit\n--format string\n Output format for results - json, yaml, or score (default "json")\n--output-file string\n Destination file for audit results\n--output-url string\n Destination URL to send audit results\n--set-exit-code-below-score int\n Set an exit code of 4 when the score is below this threshold (1-100)\n--set-exit-code-on-danger\n Set an exit code of 3 when the audit contains danger-level issues.\n\n# webhook flags\n--disable-webhook-config-installer\n disable the installer in the webhook server, so it won\'t install webhook configuration resources during bootstrapping\n-p, --port int\n Port for the webhook webserver (default 9876)\n')])])])])}),[],!1,null,null,null);n.default=i.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/15.00f25aaa.js b/docs/assets/js/15.00f25aaa.js deleted file mode 100644 index acaf0fb32..000000000 --- a/docs/assets/js/15.00f25aaa.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[15],{365:function(e,t,n){"use strict";n.r(t);var a=n(42),r=Object(a.a)({},(function(){var e=this,t=e.$createElement,n=e._self._c||t;return n("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[n("h1",{attrs:{id:"code-of-conduct"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#code-of-conduct"}},[e._v("#")]),e._v(" Code of Conduct")]),e._v(" "),n("h2",{attrs:{id:"our-pledge"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#our-pledge"}},[e._v("#")]),e._v(" Our Pledge")]),e._v(" "),n("p",[e._v("In the interest of fostering an open and welcoming environment, we as\ncontributors and maintainers pledge to making participation in our project and\nour community a harassment-free experience for everyone, regardless of age, body\nsize, disability, ethnicity, gender identity and expression, level of experience,\nnationality, personal appearance, race, religion, or sexual identity and\norientation.")]),e._v(" "),n("h2",{attrs:{id:"our-standards"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#our-standards"}},[e._v("#")]),e._v(" Our Standards")]),e._v(" "),n("p",[e._v("Examples of behavior that contributes to creating a positive environment\ninclude:")]),e._v(" "),n("ul",[n("li",[e._v("Using welcoming and inclusive language")]),e._v(" "),n("li",[e._v("Being respectful of differing viewpoints and experiences")]),e._v(" "),n("li",[e._v("Gracefully accepting constructive criticism")]),e._v(" "),n("li",[e._v("Focusing on what is best for the community")]),e._v(" "),n("li",[e._v("Showing empathy towards other community members")])]),e._v(" "),n("p",[e._v("Examples of unacceptable behavior by participants include:")]),e._v(" "),n("ul",[n("li",[e._v("The use of sexualized language or imagery and unwelcome sexual attention or\nadvances")]),e._v(" "),n("li",[e._v("Trolling, insulting/derogatory comments, and personal or political attacks")]),e._v(" "),n("li",[e._v("Public or private 
harassment")]),e._v(" "),n("li",[e._v("Publishing others' private information, such as a physical or electronic\naddress, without explicit permission")]),e._v(" "),n("li",[e._v("Other conduct which could reasonably be considered inappropriate in a\nprofessional setting")])]),e._v(" "),n("h2",{attrs:{id:"our-responsibilities"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#our-responsibilities"}},[e._v("#")]),e._v(" Our Responsibilities")]),e._v(" "),n("p",[e._v("Project maintainers are responsible for clarifying the standards of acceptable\nbehavior and are expected to take appropriate and fair corrective action in\nresponse to any instances of unacceptable behavior.")]),e._v(" "),n("p",[e._v("Project maintainers have the right and responsibility to remove, edit, or\nreject comments, commits, code, wiki edits, issues, and other contributions\nthat are not aligned to this Code of Conduct, or to ban temporarily or\npermanently any contributor for other behaviors that they deem inappropriate,\nthreatening, offensive, or harmful.")]),e._v(" "),n("h2",{attrs:{id:"scope"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#scope"}},[e._v("#")]),e._v(" Scope")]),e._v(" "),n("p",[e._v("This Code of Conduct applies both within project spaces and in public spaces\nwhen an individual is representing the project or its community. Examples of\nrepresenting a project or community include using an official project e-mail\naddress, posting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event. Representation of a project may be\nfurther defined and clarified by project maintainers.")]),e._v(" "),n("h2",{attrs:{id:"enforcement"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#enforcement"}},[e._v("#")]),e._v(" Enforcement")]),e._v(" "),n("p",[e._v("Instances of abusive, harassing, or otherwise unacceptable behavior may be\nreported by contacting the project team at [INSERT EMAIL ADDRESS]. 
All\ncomplaints will be reviewed and investigated and will result in a response that\nis deemed necessary and appropriate to the circumstances. The project team is\nobligated to maintain confidentiality with regard to the reporter of an incident.\nFurther details of specific enforcement policies may be posted separately.")]),e._v(" "),n("p",[e._v("Project maintainers who do not follow or enforce the Code of Conduct in good\nfaith may face temporary or permanent repercussions as determined by other\nmembers of the project's leadership.")]),e._v(" "),n("h2",{attrs:{id:"attribution"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#attribution"}},[e._v("#")]),e._v(" Attribution")]),e._v(" "),n("p",[e._v("This Code of Conduct is adapted from the "),n("a",{attrs:{href:"http://contributor-covenant.org",target:"_blank",rel:"noopener noreferrer"}},[e._v("Contributor Covenant"),n("OutboundLink")],1),e._v(", version 1.4,\navailable at "),n("a",{attrs:{href:"http://contributor-covenant.org/version/1/4/",target:"_blank",rel:"noopener noreferrer"}},[e._v("http://contributor-covenant.org/version/1/4"),n("OutboundLink")],1)])])}),[],!1,null,null,null);t.default=r.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/16.cb0515ce.js b/docs/assets/js/16.cb0515ce.js deleted file mode 100644 index b0905eb41..000000000 --- a/docs/assets/js/16.cb0515ce.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[16],{379:function(e,t,a){"use strict";a.r(t);var r=a(42),s=Object(r.a)({},(function(){var e=this,t=e.$createElement,a=e._self._c||t;return a("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[a("h1",{attrs:{id:"contributing"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#contributing"}},[e._v("#")]),e._v(" Contributing")]),e._v(" "),a("p",[e._v("Issues, whether bugs, tasks, or feature requests are essential for keeping Polaris great. We believe it should be as easy as possible to contribute changes that get things working in your environment. There are a few guidelines that we need contributors to follow so that we can keep on top of things.")]),e._v(" "),a("h2",{attrs:{id:"code-of-conduct"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#code-of-conduct"}},[e._v("#")]),e._v(" Code of Conduct")]),e._v(" "),a("p",[e._v("This project adheres to a "),a("RouterLink",{attrs:{to:"/code-of-conduct.html"}},[e._v("code of conduct")]),e._v(". Please review this document before contributing to this project.")],1),e._v(" "),a("h2",{attrs:{id:"sign-the-cla"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#sign-the-cla"}},[e._v("#")]),e._v(" Sign the CLA")]),e._v(" "),a("p",[e._v("Before you can contribute, you will need to sign the "),a("a",{attrs:{href:"https://cla-assistant.io/fairwindsops/polaris",target:"_blank",rel:"noopener noreferrer"}},[e._v("Contributor License Agreement"),a("OutboundLink")],1),e._v(".")]),e._v(" "),a("h2",{attrs:{id:"project-structure"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#project-structure"}},[e._v("#")]),e._v(" Project Structure")]),e._v(" "),a("p",[e._v("Polaris is built on top of "),a("a",{attrs:{href:"https://github.com/kubernetes-sigs/controller-runtime",target:"_blank",rel:"noopener noreferrer"}},[e._v("controller-runtime"),a("OutboundLink")],1),e._v(". 
It can run in 3 different modes, a dashboard, a webhook, or a reporter that prints or exports validation results. All of these modes make use of the shared "),a("code",[e._v("validator")]),e._v(" and "),a("code",[e._v("config")]),e._v(" packages. Adding new validations is possible by only making additions to those packages.")]),e._v(" "),a("h2",{attrs:{id:"getting-started"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#getting-started"}},[e._v("#")]),e._v(" Getting Started")]),e._v(" "),a("p",[e._v("We label issues with the "),a("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22",target:"_blank",rel:"noopener noreferrer"}},[e._v('"good first issue" tag'),a("OutboundLink")],1),e._v(" if we believe they'll be a good starting point for new contributors. If you're interested in working on an issue, please start a conversation on that issue, and we can help answer any questions as they come up.")]),e._v(" "),a("h2",{attrs:{id:"setting-up-your-development-environment"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#setting-up-your-development-environment"}},[e._v("#")]),e._v(" Setting Up Your Development Environment")]),e._v(" "),a("h3",{attrs:{id:"prerequisites"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#prerequisites"}},[e._v("#")]),e._v(" Prerequisites")]),e._v(" "),a("ul",[a("li",[e._v("A properly configured Golang environment with Go 1.11 or higher")]),e._v(" "),a("li",[e._v("If you want to see the local changes you make on a Polaris dashboard, you will need access to a Kubernetes cluster defined in "),a("code",[e._v("~/.kube/config")])])]),e._v(" "),a("h3",{attrs:{id:"installation"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#installation"}},[e._v("#")]),e._v(" Installation")]),e._v(" "),a("ul",[a("li",[e._v("Install the project with "),a("code",[e._v("go get github.com/fairwindsops/polaris")])]),e._v(" "),a("li",[e._v("Change into the polaris directory which is installed 
at "),a("code",[e._v("$GOPATH/src/github.com/fairwindsops/polaris")])]),e._v(" "),a("li",[e._v("See the dashboard with "),a("code",[e._v("go run main.go dashboard")]),e._v(", then open http://localhost:8080/")]),e._v(" "),a("li",[e._v("See the audit data "),a("code",[e._v("go run main.go audit")]),e._v(". This command shows the audit information on the command line.")])]),e._v(" "),a("h2",{attrs:{id:"running-tests"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#running-tests"}},[e._v("#")]),e._v(" Running Tests")]),e._v(" "),a("p",[e._v("The following commands are all required to pass as part of Polaris testing:")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("go list ./... | grep -v vendor | xargs golint -set_exit_status\ngo list ./... | grep -v vendor | xargs go vet\ngo test ./pkg/... -v -coverprofile cover.out\n")])])]),a("h2",{attrs:{id:"creating-a-new-issue"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#creating-a-new-issue"}},[e._v("#")]),e._v(" Creating a New Issue")]),e._v(" "),a("p",[e._v("If you've encountered an issue that is not already reported, please create a "),a("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/issues",target:"_blank",rel:"noopener noreferrer"}},[e._v("new issue"),a("OutboundLink")],1),e._v(", choose "),a("code",[e._v("Bug Report")]),e._v(", "),a("code",[e._v("Feature Request")]),e._v(" or "),a("code",[e._v("Misc.")]),e._v(" and follow the instructions in the template.")]),e._v(" "),a("h2",{attrs:{id:"creating-a-pull-request"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#creating-a-pull-request"}},[e._v("#")]),e._v(" Creating a Pull Request")]),e._v(" "),a("p",[e._v("Each new pull request should:")]),e._v(" "),a("ul",[a("li",[e._v("Reference any related issues")]),e._v(" "),a("li",[e._v("Add tests that show the issues have been solved")]),e._v(" "),a("li",[e._v("Pass existing tests and linting")]),e._v(" "),a("li",[e._v("Contain a 
clear indication of if they're ready for review or a work in progress")]),e._v(" "),a("li",[e._v("Be up to date and/or rebased on the master branch")])]),e._v(" "),a("h2",{attrs:{id:"creating-a-new-release"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#creating-a-new-release"}},[e._v("#")]),e._v(" Creating a new release")]),e._v(" "),a("h3",{attrs:{id:"patch-releases"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#patch-releases"}},[e._v("#")]),e._v(" Patch releases")]),e._v(" "),a("p",[e._v("Patch releases only need to change this repo. The Helm chart and deploy scripts\nwill automatically pull in the latest changes.")]),e._v(" "),a("p",[e._v("If the release involves changes to anything in the "),a("code",[e._v("deploy/")]),e._v(" folder (e.g. new RBAC permissions),\nit needs to be a minor or major release in order to prevent breaking the Helm chart.")]),e._v(" "),a("ol",[a("li",[e._v("Create a PR for this repo\n"),a("ol",[a("li",[e._v("Bump the version number in:\n"),a("ol",[a("li",[e._v("main.go")]),e._v(" "),a("li",[e._v("README.md")])])]),e._v(" "),a("li",[e._v("Update CHANGELOG.md")]),e._v(" "),a("li",[e._v("Merge your PR")])])]),e._v(" "),a("li",[e._v("Tag the latest branch for this repo\n"),a("ol",[a("li",[e._v("Pull the latest commit for the "),a("code",[e._v("master")]),e._v(" branch (which you just merged in your PR)")]),e._v(" "),a("li",[e._v("Run "),a("code",[e._v("git tag $VERSION && git push --tags")])]),e._v(" "),a("li",[e._v("Make sure CircleCI runs successfully for the new tag - this will push images to quay.io and create a release in GitHub\n"),a("ol",[a("li",[e._v("If CircleCI fails, check with Codeowners ASAP")])])])])])]),e._v(" "),a("h3",{attrs:{id:"minor-major-releases"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#minor-major-releases"}},[e._v("#")]),e._v(" Minor/Major releases")]),e._v(" "),a("p",[e._v("Minor and major releases need to change both this repository and 
the\n"),a("a",{attrs:{href:"https://github.com/FairwindsOps/charts/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Helm chart repo"),a("OutboundLink")],1),e._v(".")]),e._v(" "),a("p",[e._v("The steps are:")]),e._v(" "),a("ol",[a("li",[e._v("Modify the "),a("a",{attrs:{href:"https://github.com/FairwindsOps/charts/stable/polaris",target:"_blank",rel:"noopener noreferrer"}},[e._v("Helm chart"),a("OutboundLink")],1),e._v(" "),a("ol",[a("li",[e._v("Clone the helm charts repo\n"),a("ol",[a("li",[a("code",[e._v("git clone https://github.com/FairwindsOps/charts")])]),e._v(" "),a("li",[a("code",[e._v("git checkout -b yourname/update-polaris")])])])]),e._v(" "),a("li",[e._v("Bump the version number in:\n"),a("ol",[a("li",[e._v("stable/polaris/README.md")]),e._v(" "),a("li",[e._v("stable/polaris/Chart.yaml")]),e._v(" "),a("li",[e._v("stable/polaris/values.yaml")])])]),e._v(" "),a("li",[e._v("Make any necessary changes to the chart to support the new version of Polaris (e.g. new RBAC permissions)")]),e._v(" "),a("li",[a("strong",[e._v("Don't merge yet!")])])])]),e._v(" "),a("li",[e._v("Create a PR for this repo\n"),a("ol",[a("li",[e._v("Create a new branch named "),a("code",[e._v("yourname/update-version")])]),e._v(" "),a("li",[e._v("Bump the version number in:\n"),a("ol",[a("li",[e._v("main.go")]),e._v(" "),a("li",[e._v("README.md")])])]),e._v(" "),a("li",[e._v("Regenerate the deployment files. 
Assuming you've cloned the charts repo to "),a("code",[e._v("~/git/charts")]),e._v(":\n"),a("ol",[a("li",[a("code",[e._v("CHARTS_DIR=~/git/charts ./scripts/generate-deployment-files.sh")])])])]),e._v(" "),a("li",[e._v("Update CHANGELOG.md")]),e._v(" "),a("li",[e._v("Merge your PR")])])]),e._v(" "),a("li",[e._v("Tag the latest branch for this repo\n"),a("ol",[a("li",[e._v("Pull the latest for the "),a("code",[e._v("master")]),e._v(" branch")]),e._v(" "),a("li",[e._v("Run "),a("code",[e._v("git tag $VERSION && git push --tags")])]),e._v(" "),a("li",[e._v("Make sure CircleCI runs successfully for the new tag - this will push images to quay.io and create a release in GitHub\n"),a("ol",[a("li",[e._v("If CircleCI fails, check with Codeowners ASAP")])])])])]),e._v(" "),a("li",[e._v("Create and merge a PR for your changes to the Helm chart")])])])}),[],!1,null,null,null);t.default=s.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/17.013e9969.js b/docs/assets/js/17.013e9969.js deleted file mode 100644 index 75ec5cc94..000000000 --- a/docs/assets/js/17.013e9969.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[17],{368:function(e,t,a){"use strict";a.r(t);var s=a(42),n=Object(s.a)({},(function(){var e=this,t=e.$createElement,a=e._self._c||t;return a("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[a("h1",{attrs:{id:"check-settings"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#check-settings"}},[e._v("#")]),e._v(" Check Settings")]),e._v(" "),a("p",[e._v("Each check can be assigned a "),a("code",[e._v("severity")]),e._v(". Only checks with a severity of "),a("code",[e._v("danger")]),e._v(" or "),a("code",[e._v("warning")]),e._v(" will be validated. The results of these validations are visible on the dashboard. In the case of the validating webhook, only failures with a severity of "),a("code",[e._v("danger")]),e._v(" will result in a change being rejected.")]),e._v(" "),a("p",[e._v("Polaris validation checks fall into several different categories:")]),e._v(" "),a("ul",[a("li",[a("RouterLink",{attrs:{to:"/checks/security.html"}},[e._v("Security")])],1),e._v(" "),a("li",[a("RouterLink",{attrs:{to:"/checks/reliability.html"}},[e._v("Reliability")])],1),e._v(" "),a("li",[a("RouterLink",{attrs:{to:"/checks/efficiency.html"}},[e._v("Efficiency")])],1)]),e._v(" "),a("p",[e._v("To change the default severity levels, or to turn checks on or off, you can create your own "),a("code",[e._v("config.yaml")]),e._v(":")]),e._v(" "),a("div",{staticClass:"language-yaml extra-class"},[a("pre",{pre:!0,attrs:{class:"language-yaml"}},[a("code",[a("span",{pre:!0,attrs:{class:"token key atrule"}},[e._v("checks")]),a("span",{pre:!0,attrs:{class:"token punctuation"}},[e._v(":")]),e._v("\n "),a("span",{pre:!0,attrs:{class:"token key atrule"}},[e._v("tagNotSpecified")]),a("span",{pre:!0,attrs:{class:"token punctuation"}},[e._v(":")]),e._v(" ignore\n "),a("span",{pre:!0,attrs:{class:"token key atrule"}},[e._v("runAsRootAllowed")]),a("span",{pre:!0,attrs:{class:"token punctuation"}},[e._v(":")]),e._v(" danger\n 
"),a("span",{pre:!0,attrs:{class:"token key atrule"}},[e._v("pullPolicyNotAlways")]),a("span",{pre:!0,attrs:{class:"token punctuation"}},[e._v(":")]),e._v(" warning\n")])])])])}),[],!1,null,null,null);t.default=n.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/18.a0fcb2d2.js b/docs/assets/js/18.a0fcb2d2.js deleted file mode 100644 index 11e6b2070..000000000 --- a/docs/assets/js/18.a0fcb2d2.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[18],{369:function(t,o,e){"use strict";e.r(o);var n=e(42),i=Object(n.a)({},(function(){var t=this,o=t.$createElement,e=t._self._c||o;return e("ContentSlotsDistributor",{attrs:{"slot-key":t.$parent.slotKey}},[e("h1",{attrs:{id:"configuration"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#configuration"}},[t._v("#")]),t._v(" Configuration")]),t._v(" "),e("p",[t._v("The default Polaris configuration can be "),e("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml",target:"_blank",rel:"noopener noreferrer"}},[t._v("seen here"),e("OutboundLink")],1),t._v(".")]),t._v(" "),e("p",[t._v("You can customize the configuration to do things like:")]),t._v(" "),e("ul",[e("li",[t._v("Turn checks "),e("RouterLink",{attrs:{to:"/customization/checks.html"}},[t._v("on and off")])],1),t._v(" "),e("li",[t._v("Change the "),e("RouterLink",{attrs:{to:"/customization/checks.html"}},[t._v("severity level")]),t._v(" of checks")],1),t._v(" "),e("li",[t._v("Add new "),e("RouterLink",{attrs:{to:"/customization/custom-checks.html"}},[t._v("custom checks")])],1),t._v(" "),e("li",[t._v("Add "),e("RouterLink",{attrs:{to:"/customization/exemptions.html"}},[t._v("exemptions")]),t._v(" for particular workloads or namespaces")],1)]),t._v(" "),e("p",[t._v("To pass in your custom configuration, follow the instructions for your environment:")]),t._v(" "),e("ul",[e("li",[t._v("CLI - set the "),e("code",[t._v("--config")]),t._v(" argument to point to your "),e("code",[t._v("config.yaml")])]),t._v(" "),e("li",[t._v("Helm - set the "),e("code",[t._v("config")]),t._v(" variable in your values file")]),t._v(" "),e("li",[t._v("kubectl - create a ConfigMap with your "),e("code",[t._v("config.yaml")]),t._v(", mount it as a volume, and use the "),e("code",[t._v("--config")]),t._v(" argument in your Deployment")])])])}),[],!1,null,null,null);o.default=i.exports}}]); \ No newline at end of file 
diff --git a/docs/assets/js/19.9fe045af.js b/docs/assets/js/19.9fe045af.js
deleted file mode 100644
index f4c52a8c6..000000000
--- a/docs/assets/js/19.9fe045af.js
+++ /dev/null
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[19],{375:function(t,a,e){"use strict";e.r(a);var s=e(42),n=Object(s.a)({},(function(){var t=this,a=t.$createElement,e=t._self._c||a;return e("ContentSlotsDistributor",{attrs:{"slot-key":t.$parent.slotKey}},[e("h1",{attrs:{id:"custom-checks"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#custom-checks"}},[t._v("#")]),t._v(" Custom Checks")]),t._v(" "),e("p",[t._v("If you'd like to create your own checks, you can use "),e("a",{attrs:{href:"https://json-schema.org/",target:"_blank",rel:"noopener noreferrer"}},[t._v("JSON Schema"),e("OutboundLink")],1),t._v(". For example,\nto disallow images from quay.io:")]),t._v(" "),e("div",{staticClass:"language-yaml extra-class"},[e("pre",{pre:!0,attrs:{class:"language-yaml"}},[e("code",[e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("checks")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("imageRegistry")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" warning\n"),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("customChecks")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("imageRegistry")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("successMessage")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" Image comes from allowed registries\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("failureMessage")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" Image should not be from disallowed registry\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("category")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" Images\n "),e("span",{pre:!0,attrs:{class:"token 
key atrule"}},[t._v("target")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" Container "),e("span",{pre:!0,attrs:{class:"token comment"}},[t._v('# target can be "Container" or "Pod"')]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("schema")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("'$schema'")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" http"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("//json"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v("schema.org/draft"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v("07/schema\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("type")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" object\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("properties")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("image")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("type")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" string\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("not")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("pattern")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" ^quay.io\n")])])]),e("p",[t._v("Schemas can also be specified as JSON strings instead of YAML, for easier copy/pasting:")]),t._v(" "),e("div",{staticClass:"language-yaml extra-class"},[e("pre",{pre:!0,attrs:{class:"language-yaml"}},[e("code",[e("span",{pre:!0,attrs:{class:"token key 
atrule"}},[t._v("customChecks")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("foo")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("jsonSchema")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("|")]),e("span",{pre:!0,attrs:{class:"token scalar string"}},[t._v('\n {\n "$schema": "http://json-schema.org/draft-07/schema",\n "type": "object"\n }')]),t._v("\n")])])]),e("p",[t._v("We extend JSON Schema with "),e("code",[t._v("resourceMinimum")]),t._v(" and "),e("code",[t._v("resourceMaximum")]),t._v(" fields to help compare memory and CPU resource\nstrings like "),e("code",[t._v("1000m")]),t._v(" and "),e("code",[t._v("1G")]),t._v(". You can see an example in "),e("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/tree/master/examples/config-full.yaml",target:"_blank",rel:"noopener noreferrer"}},[t._v("the extended config"),e("OutboundLink")],1)]),t._v(" "),e("p",[t._v("There are additional examples in the "),e("a",{attrs:{href:"https://github.com/FairwindsOps/polaris/tree/master/checks",target:"_blank",rel:"noopener noreferrer"}},[t._v("checks folder"),e("OutboundLink")],1),t._v(".")])])}),[],!1,null,null,null);a.default=n.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/2.28adca5d.js b/docs/assets/js/2.28adca5d.js deleted file mode 100644 index 9c7d2b93d..000000000 --- a/docs/assets/js/2.28adca5d.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[2],{305:function(t,e,n){"use strict";n.d(e,"d",(function(){return i})),n.d(e,"a",(function(){return a})),n.d(e,"i",(function(){return s})),n.d(e,"f",(function(){return u})),n.d(e,"g",(function(){return l})),n.d(e,"h",(function(){return c})),n.d(e,"b",(function(){return h})),n.d(e,"e",(function(){return p})),n.d(e,"k",(function(){return f})),n.d(e,"l",(function(){return d})),n.d(e,"c",(function(){return v})),n.d(e,"j",(function(){return m}));n(23),n(92),n(167),n(95),n(172),n(65),n(43),n(306),n(66),n(308),n(94);var i=/#.*$/,r=/\.(md|html)$/,a=/\/$/,s=/^[a-z]+:/i;function o(t){return decodeURI(t).replace(i,"").replace(r,"")}function u(t){return s.test(t)}function l(t){return/^mailto:/.test(t)}function c(t){return/^tel:/.test(t)}function h(t){if(u(t))return t;var e=t.match(i),n=e?e[0]:"",r=o(t);return a.test(r)?t:r+".html"+n}function p(t,e){var n=decodeURIComponent(t.hash),r=function(t){var e=t.match(i);if(e)return e[0]}(e);return(!r||n===r)&&o(t.path)===o(e)}function f(t,e,n){if(u(e))return{type:"external",path:e};n&&(e=function(t,e,n){var i=t.charAt(0);if("/"===i)return t;if("?"===i||"#"===i)return e+t;var r=e.split("/");n&&r[r.length-1]||r.pop();for(var a=t.replace(/^\//,"").split("/"),s=0;s3&&void 0!==arguments[3]?arguments[3]:1;if("string"==typeof e)return f(n,e,i);if(Array.isArray(e))return Object.assign(f(n,e[0],i),{title:e[1]});var a=e.children||[];return 0===a.length&&e.path?Object.assign(f(n,e.path,i),{title:e.title}):{type:"group",path:e.path,title:e.title,sidebarDepth:e.sidebarDepth,initialOpenGroupIndex:e.initialOpenGroupIndex,children:a.map((function(e){return t(e,n,i,r+1)})),collapsable:!1!==e.collapsable}}(t,r,l)})):[]}return[]}function g(t){var e=v(t.headers||[]);return[{type:"group",collapsable:!1,title:t.title,path:null,children:e.map((function(e){return{type:"auto",title:e.title,basePath:t.path,path:t.path+"#"+e.slug,children:e.children||[]}}))}]}function v(t){var 
e;return(t=t.map((function(t){return Object.assign({},t)}))).forEach((function(t){2===t.level?e=t:e&&(e.children||(e.children=[])).push(t)})),t.filter((function(t){return 2===t.level}))}function m(t){return Object.assign(t,{type:t.items&&t.items.length?"links":"link"})}},306:function(t,e,n){"use strict";var i=n(169),r=n(5),a=n(13),s=n(22),o=n(170),u=n(171);i("match",1,(function(t,e,n){return[function(e){var n=s(this),i=null==e?void 0:e[t];return void 0!==i?i.call(e,n):new RegExp(e)[t](String(n))},function(t){var i=n(e,t,this);if(i.done)return i.value;var s=r(t),l=String(this);if(!s.global)return u(s,l);var c=s.unicode;s.lastIndex=0;for(var h,p=[],f=0;null!==(h=u(s,l));){var d=String(h[0]);p[f]=d,""===d&&(s.lastIndex=o(l,a(s.lastIndex),c)),f++}return 0===f?null:p}]}))},307:function(t,e){t.exports="\t\n\v\f\r                 \u2028\u2029\ufeff"},308:function(t,e,n){"use strict";var i=n(169),r=n(168),a=n(5),s=n(22),o=n(100),u=n(170),l=n(13),c=n(171),h=n(68),p=n(1),f=[].push,d=Math.min,g=!p((function(){return!RegExp(4294967295,"y")}));i("split",2,(function(t,e,n){var i;return i="c"=="abbc".split(/(b)*/)[1]||4!="test".split(/(?:)/,-1).length||2!="ab".split(/(?:ab)*/).length||4!=".".split(/(.?)(.?)/).length||".".split(/()()/).length>1||"".split(/.?/).length?function(t,n){var i=String(s(this)),a=void 0===n?4294967295:n>>>0;if(0===a)return[];if(void 0===t)return[i];if(!r(t))return e.call(i,t,a);for(var o,u,l,c=[],p=(t.ignoreCase?"i":"")+(t.multiline?"m":"")+(t.unicode?"u":"")+(t.sticky?"y":""),d=0,g=new RegExp(t.source,p+"g");(o=h.call(g,i))&&!((u=g.lastIndex)>d&&(c.push(i.slice(d,o.index)),o.length>1&&o.index=a));)g.lastIndex===o.index&&g.lastIndex++;return d===i.length?!l&&g.test("")||c.push(""):c.push(i.slice(d)),c.length>a?c.slice(0,a):c}:"0".split(void 0,0).length?function(t,n){return void 0===t&&0===n?[]:e.call(this,t,n)}:e,[function(e,n){var r=s(this),a=null==e?void 0:e[t];return void 0!==a?a.call(e,r,n):i.call(String(r),e,n)},function(t,r){var 
s=n(i,t,this,r,i!==e);if(s.done)return s.value;var h=a(t),p=String(this),f=o(h,RegExp),v=h.unicode,m=(h.ignoreCase?"i":"")+(h.multiline?"m":"")+(h.unicode?"u":"")+(g?"y":"g"),b=new f(g?h:"^(?:"+h.source+")",m),k=void 0===r?4294967295:r>>>0;if(0===k)return[];if(0===p.length)return null===c(b,p)?[p]:[];for(var _=0,x=0,C=[];x-1)&&(e=e.replace(/y/g,""));var o=s(x?new m(t,e):m(t,e),i?this:b,$);return C&&n&&d(o,{sticky:n}),o},y=function(t){t in $||o($,t,{configurable:!0,get:function(){return m[t]},set:function(e){m[t]=e}})},L=u(m),w=0;L.length>w;)y(L[w++]);b.constructor=$,$.prototype=b,p(r,"RegExp",$)}g("RegExp")},313:function(t,e,n){},314:function(t,e,n){},315:function(t,e,n){},316:function(t,e,n){},317:function(t,e,n){},318:function(t,e,n){},319:function(t,e){t.exports=function(t){return null==t}},320:function(t,e,n){},321:function(t,e,n){},322:function(t,e,n){},323:function(t,e,n){},324:function(t,e,n){},325:function(t,e,n){},330:function(t,e,n){"use strict";n.r(e);n(166);var i=n(305),r={name:"SidebarGroup",components:{DropdownTransition:n(331).a},props:["item","open","collapsable","depth"],beforeCreate:function(){this.$options.components.SidebarLinks=n(330).default},methods:{isActive:i.e}},a=(n(351),n(42)),s=Object(a.a)(r,(function(){var t=this,e=t.$createElement,n=t._self._c||e;return n("section",{staticClass:"sidebar-group",class:[{collapsable:t.collapsable,"is-sub-group":0!==t.depth},"depth-"+t.depth]},[t.item.path?n("RouterLink",{staticClass:"sidebar-heading clickable",class:{open:t.open,active:t.isActive(t.$route,t.item.path)},attrs:{to:t.item.path},nativeOn:{click:function(e){return t.$emit("toggle")}}},[n("span",[t._v(t._s(t.item.title))]),t._v(" "),t.collapsable?n("span",{staticClass:"arrow",class:t.open?"down":"right"}):t._e()]):n("p",{staticClass:"sidebar-heading",class:{open:t.open},on:{click:function(e){return t.$emit("toggle")}}},[n("span",[t._v(t._s(t.item.title))]),t._v(" 
"),t.collapsable?n("span",{staticClass:"arrow",class:t.open?"down":"right"}):t._e()]),t._v(" "),n("DropdownTransition",[t.open||!t.collapsable?n("SidebarLinks",{staticClass:"sidebar-group-items",attrs:{items:t.item.children,"sidebar-depth":t.item.sidebarDepth,"initial-open-group-index":t.item.initialOpenGroupIndex,depth:t.depth+1}}):t._e()],1)],1)}),[],!1,null,null,null).exports;n(352),n(65);function o(t,e,n,i,r){var a={props:{to:e,activeClass:"",exactActiveClass:""},class:{active:i,"sidebar-link":!0}};return r>2&&(a.style={"padding-left":r+"rem"}),t("RouterLink",a,n)}function u(t,e,n,r,a){var s=arguments.length>5&&void 0!==arguments[5]?arguments[5]:1;return!e||s>a?null:t("ul",{class:"sidebar-sub-headers"},e.map((function(e){var l=Object(i.e)(r,n+"#"+e.slug);return t("li",{class:"sidebar-sub-header"},[o(t,n+"#"+e.slug,e.title,l,e.level-1),u(t,e.children,n,r,a,s+1)])})))}var l={functional:!0,props:["item","sidebarDepth"],render:function(t,e){var n=e.parent,r=n.$page,a=(n.$site,n.$route),s=n.$themeConfig,l=n.$themeLocaleConfig,c=e.props,h=c.item,p=c.sidebarDepth,f=Object(i.e)(a,h.path),d="auto"===h.type?f||h.children.some((function(t){return Object(i.e)(a,h.basePath+"#"+t.slug)})):f,g="external"===h.type?function(t,e,n){return t("a",{attrs:{href:e,target:"_blank",rel:"noopener noreferrer"},class:{"sidebar-link":!0}},[n,t("OutboundLink")])}(t,h.path,h.title||h.path):o(t,h.path,h.title||h.path,d),v=[r.frontmatter.sidebarDepth,p,l.sidebarDepth,s.sidebarDepth,1].find((function(t){return void 0!==t})),m=l.displayAllHeaders||s.displayAllHeaders;return"auto"===h.type?[g,u(t,h.children,h.basePath,a,v)]:(d||m)&&h.headers&&!i.d.test(h.path)?[g,u(t,Object(i.c)(h.headers),h.path,a,v)]:g}};n(353);function c(t,e){return"group"===e.type&&e.children.some((function(e){return"group"===e.type?c(t,e):"page"===e.type&&Object(i.e)(t,e.path)}))}var h={name:"SidebarLinks",components:{SidebarGroup:s,SidebarLink:Object(a.a)(l,void 0,void 
0,!1,null,null,null).exports},props:["items","depth","sidebarDepth","initialOpenGroupIndex"],data:function(){return{openGroupIndex:this.initialOpenGroupIndex||0}},watch:{$route:function(){this.refreshIndex()}},created:function(){this.refreshIndex()},methods:{refreshIndex:function(){var t=function(t,e){for(var n=0;n-1&&(this.openGroupIndex=t)},toggleGroup:function(t){this.openGroupIndex=t===this.openGroupIndex?-1:t},isActive:function(t){return Object(i.e)(this.$route,t.regularPath)}}},p=Object(a.a)(h,(function(){var t=this,e=t.$createElement,n=t._self._c||e;return t.items.length?n("ul",{staticClass:"sidebar-links"},t._l(t.items,(function(e,i){return n("li",{key:i},["group"===e.type?n("SidebarGroup",{attrs:{item:e,open:i===t.openGroupIndex,collapsable:e.collapsable||e.collapsible,depth:t.depth},on:{toggle:function(e){return t.toggleGroup(i)}}}):n("SidebarLink",{attrs:{"sidebar-depth":t.sidebarDepth,item:e}})],1)})),0):t._e()}),[],!1,null,null,null);e.default=p.exports},331:function(t,e,n){"use strict";var i={name:"DropdownTransition",methods:{setHeight:function(t){t.style.height=t.scrollHeight+"px"},unsetHeight:function(t){t.style.height=""}}},r=(n(343),n(42)),a=Object(r.a)(i,(function(){var t=this.$createElement;return(this._self._c||t)("transition",{attrs:{name:"dropdown"},on:{enter:this.setHeight,"after-enter":this.unsetHeight,"before-leave":this.setHeight}},[this._t("default")],2)}),[],!1,null,null,null);e.a=a.exports},332:function(t,e,n){"use strict";var i=n(0),r=n(333);i({target:"String",proto:!0,forced:n(334)("link")},{link:function(t){return r(this,"a","href",t)}})},333:function(t,e,n){var i=n(22),r=/"/g;t.exports=function(t,e,n,a){var s=String(i(t)),o="<"+e;return""!==n&&(o+=" "+n+'="'+String(a).replace(r,""")+'"'),o+">"+s+""}},334:function(t,e,n){var i=n(1);t.exports=function(t){return i((function(){var e=""[t]('"');return e!==e.toLowerCase()||e.split('"').length>3}))}},335:function(t,e,n){"use strict";n(309)},336:function(t,e,n){var 
i=n(0),r=n(337);i({global:!0,forced:parseInt!=r},{parseInt:r})},337:function(t,e,n){var i=n(3),r=n(310).trim,a=n(307),s=i.parseInt,o=/^[+-]?0[Xx]/,u=8!==s(a+"08")||22!==s(a+"0x16");t.exports=u?function(t,e){var n=r(String(t));return s(n,e>>>0||(o.test(n)?16:10))}:s},338:function(t,e,n){var i=n(1),r=n(307);t.exports=function(t){return i((function(){return!!r[t]()||"​…᠎"!="​…᠎"[t]()||r[t].name!==t}))}},339:function(t,e,n){var i=n(4),r=n(99);t.exports=function(t,e,n){var a,s;return r&&"function"==typeof(a=e.constructor)&&a!==n&&i(s=a.prototype)&&s!==n.prototype&&r(t,s),t}},340:function(t,e,n){"use strict";var i,r=n(0),a=n(24).f,s=n(13),o=n(101),u=n(22),l=n(102),c=n(19),h="".endsWith,p=Math.min,f=l("endsWith");r({target:"String",proto:!0,forced:!!(c||f||(i=a(String.prototype,"endsWith"),!i||i.writable))&&!f},{endsWith:function(t){var e=String(u(this));o(t);var n=arguments.length>1?arguments[1]:void 0,i=s(e.length),r=void 0===n?i:p(s(n),i),a=String(t);return h?h.call(e,a,r):e.slice(r-a.length,r)===a}})},341:function(t,e,n){"use strict";n(313)},342:function(t,e,n){"use strict";n(314)},343:function(t,e,n){"use strict";n(315)},344:function(t,e,n){"use strict";n(316)},345:function(t,e,n){"use strict";n(317)},346:function(t,e,n){"use strict";n(318)},347:function(t,e,n){"use strict";n(320)},348:function(t,e,n){var i=n(30),r=n(14),a=n(25);t.exports=function(t){return"string"==typeof t||!r(t)&&a(t)&&"[object String]"==i(t)}},349:function(t,e,n){"use strict";n(321)},350:function(t,e,n){"use strict";n(322)},351:function(t,e,n){"use strict";n(323)},352:function(t,e,n){"use strict";var i=n(0),r=n(29).find,a=n(97),s=n(17),o=!0,u=s("find");"find"in[]&&Array(1).find((function(){o=!1})),i({target:"Array",proto:!0,forced:o||!u},{find:function(t){return r(this,t,arguments.length>1?arguments[1]:void 0)}}),a("find")},353:function(t,e,n){"use strict";n(324)},354:function(t,e,n){"use strict";n(325)},359:function(t,e,n){"use strict";n(166),n(93),n(332);var 
i=n(305),r={name:"NavLink",props:{item:{required:!0}},computed:{link:function(){return Object(i.b)(this.item.link)},exact:function(){var t=this;return this.$site.locales?Object.keys(this.$site.locales).some((function(e){return e===t.link})):"/"===this.link},isNonHttpURI:function(){return Object(i.g)(this.link)||Object(i.h)(this.link)},isBlankTarget:function(){return"_blank"===this.target},isInternal:function(){return!Object(i.f)(this.link)&&!this.isBlankTarget},target:function(){return this.isNonHttpURI?null:this.item.target?this.item.target:Object(i.f)(this.link)?"_blank":""},rel:function(){return this.isNonHttpURI||!1===this.item.rel?null:this.item.rel?this.item.rel:this.isBlankTarget?"noopener noreferrer":null}},methods:{focusoutAction:function(){this.$emit("focusout")}}},a=n(42),s=Object(a.a)(r,(function(){var t=this,e=t.$createElement,n=t._self._c||e;return t.isInternal?n("RouterLink",{staticClass:"nav-link",attrs:{to:t.link,exact:t.exact},nativeOn:{focusout:function(e){return t.focusoutAction(e)}}},[t._v("\n "+t._s(t.item.text)+"\n")]):n("a",{staticClass:"nav-link external",attrs:{href:t.link,target:t.target,rel:t.rel},on:{focusout:t.focusoutAction}},[t._v("\n "+t._s(t.item.text)+"\n "),t.isBlankTarget?n("OutboundLink"):t._e()],1)}),[],!1,null,null,null).exports,o={name:"Home",components:{NavLink:s},computed:{data:function(){return this.$page.frontmatter},actionLink:function(){return{link:this.data.actionLink,text:this.data.actionText}}}},u=(n(335),Object(a.a)(o,(function(){var t=this,e=t.$createElement,n=t._self._c||e;return n("main",{staticClass:"home",attrs:{"aria-labelledby":null!==t.data.heroText?"main-title":null}},[n("header",{staticClass:"hero"},[t.data.heroImage?n("img",{attrs:{src:t.$withBase(t.data.heroImage),alt:t.data.heroAlt||"hero"}}):t._e(),t._v(" "),null!==t.data.heroText?n("h1",{attrs:{id:"main-title"}},[t._v("\n "+t._s(t.data.heroText||t.$title||"Hello")+"\n ")]):t._e(),t._v(" 
"),null!==t.data.tagline?n("p",{staticClass:"description"},[t._v("\n "+t._s(t.data.tagline||t.$description||"Welcome to your VuePress site")+"\n ")]):t._e(),t._v(" "),t.data.actionText&&t.data.actionLink?n("p",{staticClass:"action"},[n("NavLink",{staticClass:"action-button",attrs:{item:t.actionLink}})],1):t._e()]),t._v(" "),t.data.features&&t.data.features.length?n("div",{staticClass:"features"},t._l(t.data.features,(function(e,i){return n("div",{key:i,staticClass:"feature"},[n("h2",[t._v(t._s(e.title))]),t._v(" "),n("p",[t._v(t._s(e.details))])])})),0):t._e(),t._v(" "),n("Content",{staticClass:"theme-default-content custom"}),t._v(" "),t.data.footer?n("div",{staticClass:"footer"},[t._v("\n "+t._s(t.data.footer)+"\n ")]):t._e()],1)}),[],!1,null,null,null).exports),l=(n(336),n(23),n(174),n(167),n(95),n(43),n(176),n(306),n(311),n(172),n(65),n(312),n(96),n(340),n(66),n(308),n(178)),c=n.n(l),h=function(t,e){var n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:null,i=c()(e,"title","");return c()(e,"frontmatter.tags")&&(i+=" ".concat(e.frontmatter.tags.join(" "))),n&&(i+=" ".concat(n)),p(t,i)},p=function(t,e){var n=function(t){return t.replace(/[-/\\^$*+?.()|[\]{}]/g,"\\$&")},i=new RegExp("[^\0-]"),r=t.split(/\s+/g).map((function(t){return t.trim()})).filter((function(t){return!!t}));if(i.test(t))return r.some((function(t){return e.toLowerCase().indexOf(t)>-1}));var a=t.endsWith(" ");return new RegExp(r.map((function(t,e){return r.length!==e+1||a?"(?=.*\\b".concat(n(t),"\\b)"):"(?=.*\\b".concat(n(t),")")})).join("")+".+","gi").test(e)},f={name:"SearchBox",data:function(){return{query:"",focused:!1,focusIndex:0,placeholder:void 0}},computed:{showSuggestions:function(){return this.focused&&this.suggestions&&this.suggestions.length},suggestions:function(){var t=this.query.trim().toLowerCase();if(t){for(var e=this.$site.pages,n=this.$site.themeConfig.searchMaxSuggestions||5,i=this.$localePath,r=[],a=0;a=n);a++){var 
s=e[a];if(this.getPageLocalePath(s)===i&&this.isSearchable(s))if(h(t,s))r.push(s);else if(s.headers)for(var o=0;o=n);o++){var u=s.headers[o];u.title&&h(t,s,u.title)&&r.push(Object.assign({},s,{path:s.path+"#"+u.slug,header:u}))}}return r}},alignRight:function(){return(this.$site.themeConfig.nav||[]).length+(this.$site.repo?1:0)<=2}},mounted:function(){this.placeholder=this.$site.themeConfig.searchPlaceholder||"",document.addEventListener("keydown",this.onHotkey)},beforeDestroy:function(){document.removeEventListener("keydown",this.onHotkey)},methods:{getPageLocalePath:function(t){for(var e in this.$site.locales||{})if("/"!==e&&0===t.path.indexOf(e))return e;return"/"},isSearchable:function(t){var e=null;return null===e||(e=Array.isArray(e)?e:new Array(e)).filter((function(e){return t.path.match(e)})).length>0},onHotkey:function(t){t.srcElement===document.body&&["s","/"].includes(t.key)&&(this.$refs.input.focus(),t.preventDefault())},onUp:function(){this.showSuggestions&&(this.focusIndex>0?this.focusIndex--:this.focusIndex=this.suggestions.length-1)},onDown:function(){this.showSuggestions&&(this.focusIndex "+t._s(e.header.title))]):t._e()])])})),0):t._e()])}),[],!1,null,null,null).exports),g=(n(342),Object(a.a)({},(function(){var t=this,e=t.$createElement,n=t._self._c||e;return n("div",{staticClass:"sidebar-button",on:{click:function(e){return t.$emit("toggle-sidebar")}}},[n("svg",{staticClass:"icon",attrs:{xmlns:"http://www.w3.org/2000/svg","aria-hidden":"true",role:"img",viewBox:"0 0 448 512"}},[n("path",{attrs:{fill:"currentColor",d:"M436 124H12c-6.627 0-12-5.373-12-12V80c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 
12z"}})])])}),[],!1,null,null,null).exports),v=(n(177),n(40)),m=n(331),b=n(179),k=n.n(b),_={name:"DropdownLink",components:{NavLink:s,DropdownTransition:m.a},props:{item:{required:!0}},data:function(){return{open:!1}},computed:{dropdownAriaLabel:function(){return this.item.ariaLabel||this.item.text}},watch:{$route:function(){this.open=!1}},methods:{setOpen:function(t){this.open=t},isLastItemOfArray:function(t,e){return k()(e)===t},handleDropdown:function(){0===event.detail&&this.setOpen(!this.open)}}},x=(n(344),{name:"NavLinks",components:{NavLink:s,DropdownLink:Object(a.a)(_,(function(){var t=this,e=t.$createElement,n=t._self._c||e;return n("div",{staticClass:"dropdown-wrapper",class:{open:t.open}},[n("button",{staticClass:"dropdown-title",attrs:{type:"button","aria-label":t.dropdownAriaLabel},on:{click:t.handleDropdown}},[n("span",{staticClass:"title"},[t._v(t._s(t.item.text))]),t._v(" "),n("span",{staticClass:"arrow down"})]),t._v(" "),n("button",{staticClass:"mobile-dropdown-title",attrs:{type:"button","aria-label":t.dropdownAriaLabel},on:{click:function(e){return t.setOpen(!t.open)}}},[n("span",{staticClass:"title"},[t._v(t._s(t.item.text))]),t._v(" "),n("span",{staticClass:"arrow",class:t.open?"down":"right"})]),t._v(" "),n("DropdownTransition",[n("ul",{directives:[{name:"show",rawName:"v-show",value:t.open,expression:"open"}],staticClass:"nav-dropdown"},t._l(t.item.items,(function(e,i){return n("li",{key:e.link||i,staticClass:"dropdown-item"},["links"===e.type?n("h4",[t._v("\n "+t._s(e.text)+"\n ")]):t._e(),t._v(" "),"links"===e.type?n("ul",{staticClass:"dropdown-subitem-wrapper"},t._l(e.items,(function(i){return 
n("li",{key:i.link,staticClass:"dropdown-subitem"},[n("NavLink",{attrs:{item:i},on:{focusout:function(n){t.isLastItemOfArray(i,e.items)&&t.isLastItemOfArray(e,t.item.items)&&t.setOpen(!1)}}})],1)})),0):n("NavLink",{attrs:{item:e},on:{focusout:function(n){t.isLastItemOfArray(e,t.item.items)&&t.setOpen(!1)}}})],1)})),0)])],1)}),[],!1,null,null,null).exports},computed:{userNav:function(){return this.$themeLocaleConfig.nav||this.$site.themeConfig.nav||[]},nav:function(){var t=this,e=this.$site.locales;if(e&&Object.keys(e).length>1){var n=this.$page.path,i=this.$router.options.routes,r=this.$site.themeConfig.locales||{},a={text:this.$themeLocaleConfig.selectText||"Languages",ariaLabel:this.$themeLocaleConfig.ariaLabel||"Select language",items:Object.keys(e).map((function(a){var s,o=e[a],u=r[a]&&r[a].label||o.lang;return o.lang===t.$lang?s=n:(s=n.replace(t.$localeConfig.path,a),i.some((function(t){return t.path===s}))||(s=a)),{text:u,link:s}}))};return[].concat(Object(v.a)(this.userNav),[a])}return this.userNav},userLinks:function(){return(this.nav||[]).map((function(t){return Object.assign(Object(i.j)(t),{items:(t.items||[]).map(i.j)})}))},repoLink:function(){var t=this.$site.themeConfig.repo;return t?/^https?:/.test(t)?t:"https://github.com/".concat(t):null},repoLabel:function(){if(this.repoLink){if(this.$site.themeConfig.repoLabel)return this.$site.themeConfig.repoLabel;for(var t=this.repoLink.match(/^https?:\/\/[^/]+/)[0],e=["GitHub","GitLab","Bitbucket"],n=0;nMath.abs(n)&&Math.abs(e)>40&&(e>0&&this.touchStart.x<=80?this.toggleSidebar(!0):this.toggleSidebar(!1))}}}),G=Object(a.a)(W,(function(){var t=this,e=t.$createElement,n=t._self._c||e;return n("div",{staticClass:"theme-container",class:t.pageClasses,on:{touchstart:t.onTouchStart,touchend:t.onTouchEnd}},[t.shouldShowNavbar?n("Navbar",{on:{"toggle-sidebar":t.toggleSidebar}}):t._e(),t._v(" "),n("div",{staticClass:"sidebar-mask",on:{click:function(e){return t.toggleSidebar(!1)}}}),t._v(" 
"),n("Sidebar",{attrs:{items:t.sidebarItems},on:{"toggle-sidebar":t.toggleSidebar},scopedSlots:t._u([{key:"top",fn:function(){return[t._t("sidebar-top")]},proxy:!0},{key:"bottom",fn:function(){return[t._t("sidebar-bottom")]},proxy:!0}],null,!0)}),t._v(" "),t.$page.frontmatter.home?n("Home"):n("Page",{attrs:{"sidebar-items":t.sidebarItems},scopedSlots:t._u([{key:"top",fn:function(){return[t._t("page-top")]},proxy:!0},{key:"bottom",fn:function(){return[t._t("page-bottom")]},proxy:!0}],null,!0)})],1)}),[],!1,null,null,null);e.a=G.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/20.5bcacf34.js b/docs/assets/js/20.5bcacf34.js deleted file mode 100644 index f80cd6224..000000000 --- a/docs/assets/js/20.5bcacf34.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[20],{376:function(t,a,e){"use strict";e.r(a);var s=e(42),n=Object(s.a)({},(function(){var t=this,a=t.$createElement,e=t._self._c||a;return e("ContentSlotsDistributor",{attrs:{"slot-key":t.$parent.slotKey}},[e("h1",{attrs:{id:"exemptions"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#exemptions"}},[t._v("#")]),t._v(" Exemptions")]),t._v(" "),e("p",[t._v("Sometimes a workload really does need to do things that Polaris considers insecure. For instance,\nmany of the "),e("code",[t._v("kube-system")]),t._v(" workloads need to run as root, or need access to the host network. In these\ncases, we can add "),e("strong",[t._v("exemptions")]),t._v(" to allow the workload to pass Polaris checks.")]),t._v(" "),e("p",[t._v("Exemptions can be added two ways: by annotating a controller, or editing the Polaris config.")]),t._v(" "),e("h2",{attrs:{id:"annotations"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#annotations"}},[t._v("#")]),t._v(" Annotations")]),t._v(" "),e("p",[t._v("To exempt a controller from all checks via annotations, use the annotation "),e("code",[t._v("polaris.fairwinds.com/exempt=true")]),t._v(", e.g.")]),t._v(" "),e("div",{staticClass:"language- extra-class"},[e("pre",{pre:!0,attrs:{class:"language-text"}},[e("code",[t._v("kubectl annotate deployment my-deployment polaris.fairwinds.com/exempt=true\n")])])]),e("p",[t._v("To exempt a controller from a particular check via annotations, use an annotation in the form of "),e("code",[t._v("polaris.fairwinds.com/-exempt=true")]),t._v(", e.g.")]),t._v(" "),e("div",{staticClass:"language- extra-class"},[e("pre",{pre:!0,attrs:{class:"language-text"}},[e("code",[t._v("kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissing-exempt=true\n")])])]),e("h2",{attrs:{id:"config"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#config"}},[t._v("#")]),t._v(" Config")]),t._v(" "),e("p",[t._v("To exempt a controller via the 
config, you have to specify a namespace (optional), a list of controller names and a list of rules, e.g.")]),t._v(" "),e("div",{staticClass:"language-yaml extra-class"},[e("pre",{pre:!0,attrs:{class:"language-yaml"}},[e("code",[e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("exemptions")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token comment"}},[t._v("# exemption valid for kube-system namespace")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v(" "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("namespace")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" kube"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v("system\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("controllerNames")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v(" dns"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v("controller\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("rules")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v(" hostNetworkSet\n "),e("span",{pre:!0,attrs:{class:"token comment"}},[t._v("# exemption valid in all namespaces")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v(" "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("controllerNames")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v(" dns"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v("controller\n "),e("span",{pre:!0,attrs:{class:"token key atrule"}},[t._v("rules")]),e("span",{pre:!0,attrs:{class:"token 
punctuation"}},[t._v(":")]),t._v("\n "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("-")]),t._v(" hostNetworkSet\n")])])])])}),[],!1,null,null,null);a.default=n.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/21.2f58615f.js b/docs/assets/js/21.2f58615f.js deleted file mode 100644 index 876457479..000000000 --- a/docs/assets/js/21.2f58615f.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[21],{364:function(a,s,t){"use strict";t.r(s);var e=t(42),r=Object(e.a)({},(function(){var a=this,s=a.$createElement,t=a._self._c||s;return t("ContentSlotsDistributor",{attrs:{"slot-key":a.$parent.slotKey}},[t("h1",{attrs:{id:"dashboard"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#dashboard"}},[a._v("#")]),a._v(" Dashboard")]),a._v(" "),t("p",[a._v("The Polaris dashboard can be installed on a cluster using kubectl or Helm. It\ncan also be run locally, connecting to your cluster using the credentials stored in your "),t("code",[a._v("KUBECONFIG")]),a._v(".")]),a._v(" "),t("p",[a._v("The dashboard is a good way to understand what workloads inside your cluster or Infrastructure as Code\ndon't conform to best practices.")]),a._v(" "),t("h2",{attrs:{id:"installation"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#installation"}},[a._v("#")]),a._v(" Installation")]),a._v(" "),t("h3",{attrs:{id:"kubectl"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#kubectl"}},[a._v("#")]),a._v(" kubectl")]),a._v(" "),t("div",{staticClass:"language-bash extra-class"},[t("pre",{pre:!0,attrs:{class:"language-bash"}},[t("code",[a._v("kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/download/dashboard.yaml\nkubectl port-forward --namespace polaris svc/polaris-dashboard "),t("span",{pre:!0,attrs:{class:"token number"}},[a._v("8080")]),a._v(":80\n")])])]),t("h3",{attrs:{id:"helm"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#helm"}},[a._v("#")]),a._v(" Helm")]),a._v(" "),t("div",{staticClass:"language-bash extra-class"},[t("pre",{pre:!0,attrs:{class:"language-bash"}},[t("code",[a._v("helm repo "),t("span",{pre:!0,attrs:{class:"token function"}},[a._v("add")]),a._v(" fairwinds-stable https://charts.fairwinds.com/stable\nhelm upgrade --install polaris fairwinds-stable/polaris --namespace polaris\nkubectl port-forward --namespace polaris svc/polaris-dashboard 
"),t("span",{pre:!0,attrs:{class:"token number"}},[a._v("8080")]),a._v(":80\n")])])]),t("h3",{attrs:{id:"local-binary"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#local-binary"}},[a._v("#")]),a._v(" Local Binary")]),a._v(" "),t("p",[a._v("You'll need a valid "),t("code",[a._v("KUBECONFIG")]),a._v(" set up for the dashboard to connect to your cluster.")]),a._v(" "),t("p",[a._v("Binary releases can be dowloaded from the "),t("a",{attrs:{href:"https://github.com/fairwindsops/polaris/releases",target:"_blank",rel:"noopener noreferrer"}},[a._v("releases page"),t("OutboundLink")],1),a._v("\nor can be installed with "),t("a",{attrs:{href:"https://brew.sh/",target:"_blank",rel:"noopener noreferrer"}},[a._v("Homebrew"),t("OutboundLink")],1),a._v(":")]),a._v(" "),t("div",{staticClass:"language-bash extra-class"},[t("pre",{pre:!0,attrs:{class:"language-bash"}},[t("code",[a._v("brew tap reactiveops/tap\nbrew "),t("span",{pre:!0,attrs:{class:"token function"}},[a._v("install")]),a._v(" reactiveops/tap/polaris\npolaris dashboard --port "),t("span",{pre:!0,attrs:{class:"token number"}},[a._v("8080")]),a._v("\n")])])]),t("p",[a._v("You can also point the dashboard to the local filesystem, instead of a live cluster:")]),a._v(" "),t("div",{staticClass:"language-bash extra-class"},[t("pre",{pre:!0,attrs:{class:"language-bash"}},[t("code",[a._v("polaris dashboard --port "),t("span",{pre:!0,attrs:{class:"token number"}},[a._v("8080")]),a._v(" --audit-path"),t("span",{pre:!0,attrs:{class:"token operator"}},[a._v("=")]),a._v("./deploy/\n")])])]),t("h3",{attrs:{id:"local-docker-container"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#local-docker-container"}},[a._v("#")]),a._v(" Local Docker container")]),a._v(" "),t("div",{staticClass:"language- extra-class"},[t("pre",{pre:!0,attrs:{class:"language-text"}},[t("code",[a._v("docker run -d -p8080:8080 -v ~/.kube/config:/opt/app/config:ro quay.io/fairwinds/polaris:1.2 polaris dashboard --kubeconfig 
/opt/app/config\n")])])]),t("h2",{attrs:{id:"using-the-dashboard"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#using-the-dashboard"}},[a._v("#")]),a._v(" Using the Dashboard")]),a._v(" "),t("p",[a._v("The Polaris dashboard is a way to get a simple visual overview of the current state of your Kubernetes workloads as well as a roadmap for what can be improved. The dashboard provides a cluster wide overview as well as breaking out results by category, namespace, and workload.")]),a._v(" "),t("p",{attrs:{align:"center"}},[t("img",{attrs:{src:"/img/dashboard-screenshot.png",alt:"Polaris Dashboard",width:"550"}})]),a._v(" "),t("p",[a._v("Our default standards in Polaris are rather high, so don’t be surprised if your score is lower than you might expect. A key goal for Polaris was to set a high standard and aim for great configuration by default. If the defaults we’ve included are too strict, it’s easy to adjust the configuration as part of the deployment configuration to better suit your workloads.")])])}),[],!1,null,null,null);s.default=r.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/22.90ebc6b9.js b/docs/assets/js/22.90ebc6b9.js deleted file mode 100644 index 2ff600973..000000000 --- a/docs/assets/js/22.90ebc6b9.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[22],{372:function(e,a,s){"use strict";s.r(a);var t=s(42),n=Object(t.a)({},(function(){var e=this,a=e.$createElement,s=e._self._c||a;return s("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[s("h1",{attrs:{id:"infrastructure-as-code"}},[s("a",{staticClass:"header-anchor",attrs:{href:"#infrastructure-as-code"}},[e._v("#")]),e._v(" Infrastructure as Code")]),e._v(" "),s("p",[e._v("Polaris can be used on the command line to audit local Kubernetes manifests stored in YAML files.\nThis is particularly helpful for running Polaris against your infrastructure-as-code as part of a\nCI/CD pipeline. Use the available "),s("a",{attrs:{href:"#running-in-a-ci-pipeline"}},[e._v("command line flags")]),e._v("\nto cause CI/CD to fail if your Polaris score drops below a certain threshold, or if any danger-level issues arise.")]),e._v(" "),s("h2",{attrs:{id:"install-the-cli"}},[s("a",{staticClass:"header-anchor",attrs:{href:"#install-the-cli"}},[e._v("#")]),e._v(" Install the CLI")]),e._v(" "),s("p",[e._v("To run Polaris against your YAML manifests, e.g. 
as part of a Continuous Integration process,\nyou'll need to install the CLI.")]),e._v(" "),s("p",[e._v("Binary releases can be downloaded from the "),s("a",{attrs:{href:"https://github.com/fairwindsops/polaris/releases",target:"_blank",rel:"noopener noreferrer"}},[e._v("releases page"),s("OutboundLink")],1),e._v("\nor can be installed with "),s("a",{attrs:{href:"https://brew.sh/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Homebrew"),s("OutboundLink")],1),e._v(":")]),e._v(" "),s("div",{staticClass:"language-bash extra-class"},[s("pre",{pre:!0,attrs:{class:"language-bash"}},[s("code",[e._v("brew tap FairwindsOps/tap\nbrew "),s("span",{pre:!0,attrs:{class:"token function"}},[e._v("install")]),e._v(" FairwindsOps/tap/polaris\npolaris version\n")])])]),s("h2",{attrs:{id:"running-in-a-ci-pipeline"}},[s("a",{staticClass:"header-anchor",attrs:{href:"#running-in-a-ci-pipeline"}},[e._v("#")]),e._v(" Running in a CI pipeline")]),e._v(" "),s("p",[e._v("You can tell the CLI to set an exit code if it detects certain issues with your\nYAML files.\nFor example, to fail if polaris detects "),s("em",[e._v("any")]),e._v(" danger-level issues, or if the score drops below 90%:")]),e._v(" "),s("div",{staticClass:"language-bash extra-class"},[s("pre",{pre:!0,attrs:{class:"language-bash"}},[s("code",[e._v("polaris audit --audit-path ./deploy/ "),s("span",{pre:!0,attrs:{class:"token punctuation"}},[e._v("\\")]),e._v("\n --set-exit-code-on-danger "),s("span",{pre:!0,attrs:{class:"token punctuation"}},[e._v("\\")]),e._v("\n --set-exit-code-below-score "),s("span",{pre:!0,attrs:{class:"token number"}},[e._v("90")]),e._v("\n")])])])])}),[],!1,null,null,null);a.default=n.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/3.0cb25b42.js b/docs/assets/js/3.0cb25b42.js deleted file mode 100644 index ed0b6f492..000000000 --- a/docs/assets/js/3.0cb25b42.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[3],{326:function(t,a,s){},355:function(t,a,s){"use strict";s(326)},362:function(t,a,s){"use strict";s.r(a);var n={name:"Layout",components:{ParentLayout:s(359).a}},r=(s(355),s(42)),i=Object(r.a)(n,(function(){var t=this,a=t.$createElement,s=t._self._c||a;return s("ParentLayout",{scopedSlots:t._u([{key:"page-bottom",fn:function(){return[s("div",{staticClass:"custom-footer"},[s("div",{staticClass:"left-footer"},[s("a",{attrs:{href:"https://fairwinds.com",target:"_blank"}},[t._v("Learn more about Fairwinds")]),t._v(" "),s("a",{attrs:{href:"https://fairwinds.com/insights",target:"_blank"}},[t._v("Try Fairwinds Insights")])]),t._v(" "),s("div",{staticClass:"right-footer"},[s("a",{attrs:{href:"https://www.fairwinds.com/privacy-policy",target:"_blank"}},[t._v("Privacy Policy")])])])]},proxy:!0}])})}),[],!1,null,null,null);a.default=i.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/4.be9896b6.js b/docs/assets/js/4.be9896b6.js deleted file mode 100644 index 842eeed18..000000000 --- a/docs/assets/js/4.be9896b6.js +++ /dev/null @@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[4],{327:function(t,e,n){},356:function(t,e,n){"use strict";n(327)},374:function(t,e,n){"use strict";n.r(e);var i={functional:!0,props:{type:{type:String,default:"tip"},text:String,vertical:{type:String,default:"top"}},render:function(t,e){var n=e.props,i=e.slots;return t("span",{class:["badge",n.type],style:{verticalAlign:n.vertical}},n.text||i().default)}},r=(n(356),n(42)),p=Object(r.a)(i,void 0,void 0,!1,null,"15b7b770",null);e.default=p.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/5.665b3e6a.js b/docs/assets/js/5.665b3e6a.js deleted file mode 100644 index 859c9349c..000000000 --- a/docs/assets/js/5.665b3e6a.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[5],{328:function(e,t,c){},357:function(e,t,c){"use strict";c(328)},360:function(e,t,c){"use strict";c.r(t);var i={name:"CodeBlock",props:{title:{type:String,required:!0},active:{type:Boolean,default:!1}}},n=(c(357),c(42)),s=Object(n.a)(i,(function(){var e=this.$createElement;return(this._self._c||e)("div",{staticClass:"theme-code-block",class:{"theme-code-block__active":this.active}},[this._t("default")],2)}),[],!1,null,"6d04095e",null);t.default=s.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/6.a5e340ed.js b/docs/assets/js/6.a5e340ed.js deleted file mode 100644 index c96208305..000000000 --- a/docs/assets/js/6.a5e340ed.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[6],{329:function(e,t,o){},358:function(e,t,o){"use strict";o(329)},361:function(e,t,o){"use strict";o.r(t);o(23),o(92),o(65),o(94);var a={name:"CodeGroup",data:function(){return{codeTabs:[],activeCodeTabIndex:-1}},watch:{activeCodeTabIndex:function(e){this.codeTabs.forEach((function(e){e.elm.classList.remove("theme-code-block__active")})),this.codeTabs[e].elm.classList.add("theme-code-block__active")}},mounted:function(){var e=this;this.codeTabs=(this.$slots.default||[]).filter((function(e){return Boolean(e.componentOptions)})).map((function(t,o){return""===t.componentOptions.propsData.active&&(e.activeCodeTabIndex=o),{title:t.componentOptions.propsData.title,elm:t.elm}})),-1===this.activeCodeTabIndex&&this.codeTabs.length>0&&(this.activeCodeTabIndex=0)},methods:{changeCodeTab:function(e){this.activeCodeTabIndex=e}}},c=(o(358),o(42)),n=Object(c.a)(a,(function(){var e=this,t=e.$createElement,o=e._self._c||t;return o("div",{staticClass:"theme-code-group"},[o("div",{staticClass:"theme-code-group__nav"},[o("ul",{staticClass:"theme-code-group__ul"},e._l(e.codeTabs,(function(t,a){return o("li",{key:t.title,staticClass:"theme-code-group__li"},[o("button",{staticClass:"theme-code-group__nav-tab",class:{"theme-code-group__nav-tab-active":a===e.activeCodeTabIndex},on:{click:function(t){return e.changeCodeTab(a)}}},[e._v("\n "+e._s(t.title)+"\n ")])])})),0)]),e._v(" "),e._t("default"),e._v(" "),e.codeTabs.length<1?o("pre",{staticClass:"pre-blank"},[e._v("// Make sure to add code blocks to your code group")]):e._e()],2)}),[],!1,null,"32c2d7ed",null);t.default=n.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/7.dbd47d64.js b/docs/assets/js/7.dbd47d64.js deleted file mode 100644 index 189fd0295..000000000 --- a/docs/assets/js/7.dbd47d64.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[7],{363:function(t,e,s){"use strict";s.r(e);var n=["There's nothing here.","How did we get here?","That's a Four-Oh-Four.","Looks like we've got some broken links."],o={methods:{getMsg:function(){return n[Math.floor(Math.random()*n.length)]}}},i=s(42),h=Object(i.a)(o,(function(){var t=this.$createElement,e=this._self._c||t;return e("div",{staticClass:"theme-container"},[e("div",{staticClass:"theme-default-content"},[e("h1",[this._v("404")]),this._v(" "),e("blockquote",[this._v(this._s(this.getMsg()))]),this._v(" "),e("RouterLink",{attrs:{to:"/"}},[this._v("\n Take me home.\n ")])],1)])}),[],!1,null,null,null);e.default=h.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/8.5a82b7c2.js b/docs/assets/js/8.5a82b7c2.js deleted file mode 100644 index 18e4a65f3..000000000 --- a/docs/assets/js/8.5a82b7c2.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[8],{378:function(r,t,e){"use strict";e.r(t);var o=e(42),a=Object(o.a)({},(function(){var r=this,t=r.$createElement,e=r._self._c||t;return e("ContentSlotsDistributor",{attrs:{"slot-key":r.$parent.slotKey}},[e("div",{staticClass:"no-border",attrs:{align:"center"}},[e("img",{attrs:{src:"/img/polaris-logo.png",alt:"Polaris Logo"}}),r._v(" "),e("br"),r._v(" "),e("h3",[r._v("Best Practices for Kubernetes Workload Configuration")]),r._v(" "),e("a",{attrs:{href:"https://github.com/FairwindsOps/polaris"}},[e("img",{attrs:{src:"https://img.shields.io/static/v1.svg?label=Version&message=1.2.0&color=239922"}})]),r._v(" "),e("a",{attrs:{href:"https://goreportcard.com/report/github.com/FairwindsOps/polaris"}},[e("img",{attrs:{src:"https://goreportcard.com/badge/github.com/FairwindsOps/polaris"}})]),r._v(" "),e("a",{attrs:{href:"https://circleci.com/gh/FairwindsOps/polaris.svg"}},[e("img",{attrs:{src:"https://circleci.com/gh/FairwindsOps/polaris.svg?style=svg"}})])]),r._v(" "),e("p",[r._v("Fairwinds' Polaris keeps your clusters sailing smoothly. It runs a variety of checks to ensure that\nKubernetes pods and controllers are configured using best practices, helping you avoid\nproblems in the future. Polaris can be run in a few different modes:")]),r._v(" "),e("p",[r._v("Polaris can be run in three different modes:")]),r._v(" "),e("ul",[e("li",[r._v("As a "),e("a",{attrs:{href:"/dashboard"}},[r._v("dashboard")]),r._v(", so you can audit what's running inside your cluster.")]),r._v(" "),e("li",[r._v("As an "),e("a",{attrs:{href:"/admission-controller"}},[r._v("admission controller")]),r._v(", so you can automatically reject workloads that don't adhere to your organization's policies.")]),r._v(" "),e("li",[r._v("As a "),e("a",{attrs:{href:"/infrastructure-as-code"}},[r._v("command-line tool")]),r._v(", so you can test local YAML files, e.g. 
as part of a CI/CD process.")])]),r._v(" "),e("p",[e("strong",[r._v("Want to learn more?")]),r._v(" Reach out on "),e("a",{attrs:{href:"https://fairwindscommunity.slack.com/messages/polaris",target:"_blank",rel:"noopener noreferrer"}},[r._v("the Slack channel"),e("OutboundLink")],1),r._v(" ("),e("a",{attrs:{href:"https://join.slack.com/t/fairwindscommunity/shared_invite/zt-e3c6vj4l-3lIH6dvKqzWII5fSSFDi1g",target:"_blank",rel:"noopener noreferrer"}},[r._v("request invite"),e("OutboundLink")],1),r._v("), send an email to "),e("code",[r._v("opensource@fairwinds.com")]),r._v(", or join us for "),e("a",{attrs:{href:"https://fairwindscommunity.slack.com/messages/office-hours",target:"_blank",rel:"noopener noreferrer"}},[r._v("office hours on Zoom"),e("OutboundLink")],1)]),r._v(" "),e("h2",{attrs:{id:"integration-with-fairwinds-insights"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#integration-with-fairwinds-insights"}},[r._v("#")]),r._v(" Integration with Fairwinds Insights")]),r._v(" "),e("p",[e("a",{attrs:{href:"https://www.fairwinds.com/insights?utm_campaign=Hosted%20Polaris%20&utm_source=polaris&utm_term=polaris&utm_content=polaris",target:"_blank",rel:"noopener noreferrer"}},[r._v("Fairwinds Insights"),e("OutboundLink")],1),r._v("\nis a platform for auditing Kubernetes clusters and enforcing policy. 
If you'd like to:")]),r._v(" "),e("ul",[e("li",[r._v("manage Polaris across a fleet of clusters")]),r._v(" "),e("li",[r._v("track findings over time")]),r._v(" "),e("li",[r._v("send results to services like Slack and Datadog")]),r._v(" "),e("li",[r._v("add additional checks from tools like\n"),e("a",{attrs:{href:"https://github.com/aquasecurity/trivy",target:"_blank",rel:"noopener noreferrer"}},[r._v("Trivy"),e("OutboundLink")],1),r._v(",\n"),e("a",{attrs:{href:"https://github.com/FairwindsOps/goldilocks/",target:"_blank",rel:"noopener noreferrer"}},[r._v("Goldilocks"),e("OutboundLink")],1),r._v(", and\n"),e("a",{attrs:{href:"https://www.openpolicyagent.org",target:"_blank",rel:"noopener noreferrer"}},[r._v("OPA"),e("OutboundLink")],1)])]),r._v(" "),e("p",[r._v("you can sign up for a "),e("a",{attrs:{href:"https://insights.fairwinds.com?source=polaris",target:"_blank",rel:"noopener noreferrer"}},[r._v("free account here"),e("OutboundLink")],1),r._v(".")]),r._v(" "),e("h2",{attrs:{id:"contributing"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#contributing"}},[r._v("#")]),r._v(" Contributing")]),r._v(" "),e("p",[r._v("PRs welcome! 
Check out the "),e("RouterLink",{attrs:{to:"/contributing/"}},[r._v("Contributing Guidelines")]),r._v(" and "),e("a",{attrs:{href:"/code-of-conduct"}},[r._v("Code of Conduct")]),r._v(" for more information.")],1),r._v(" "),e("h2",{attrs:{id:"further-information"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#further-information"}},[r._v("#")]),r._v(" Further Information")]),r._v(" "),e("p",[r._v("A history of changes to this project can be viewed in the "),e("RouterLink",{attrs:{to:"/changelog/"}},[r._v("Changelog")])],1),r._v(" "),e("p",[r._v("If you'd like to learn more about Polaris, or if you'd like to speak with\na Kubernetes expert, you can contact "),e("code",[r._v("info@fairwinds.com")]),r._v(" or "),e("a",{attrs:{href:"https://fairwinds.com",target:"_blank",rel:"noopener noreferrer"}},[r._v("visit our website"),e("OutboundLink")],1)]),r._v(" "),e("hr"),r._v(" "),e("p",{attrs:{align:"center"}},[e("img",{attrs:{src:"/img/dashboard-screenshot.png",alt:"Polaris Dashboard",width:"550"}})])])}),[],!1,null,null,null);t.default=a.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/9.4f55b6b3.js b/docs/assets/js/9.4f55b6b3.js deleted file mode 100644 index 08ad9be3c..000000000 --- a/docs/assets/js/9.4f55b6b3.js +++ /dev/null 
@@ -1 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[9],{377:function(a,t,e){"use strict";e.r(t);var s=e(42),o=Object(s.a)({},(function(){var a=this,t=a.$createElement,e=a._self._c||t;return e("ContentSlotsDistributor",{attrs:{"slot-key":a.$parent.slotKey}},[e("h1",{attrs:{id:"admission-controller"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#admission-controller"}},[a._v("#")]),a._v(" Admission Controller")]),a._v(" "),e("p",[a._v("Polaris can be run as an admission controller that acts as a validating webhook.\nThis accepts the same configuration as the dashboard, and can run the same validations.")]),a._v(" "),e("p",[a._v("The webhook will reject any workloads that trigger a danger-level check.\nThis is indicative of the greater goal of Polaris, not just to encourage better\nconfiguration through dashboard visibility, but to actually enforce it with this webhook.")]),a._v(" "),e("p",[a._v("Note that Polaris will not alter your workloads, only block workloads that don't conform to the configured policies.")]),a._v(" "),e("h2",{attrs:{id:"installation"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#installation"}},[a._v("#")]),a._v(" Installation")]),a._v(" "),e("h3",{attrs:{id:"kubectl"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#kubectl"}},[a._v("#")]),a._v(" kubectl")]),a._v(" "),e("div",{staticClass:"language-bash extra-class"},[e("pre",{pre:!0,attrs:{class:"language-bash"}},[e("code",[a._v("kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/download/webhook.yaml\n")])])]),e("h3",{attrs:{id:"helm"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#helm"}},[a._v("#")]),a._v(" Helm")]),a._v(" "),e("div",{staticClass:"language-bash extra-class"},[e("pre",{pre:!0,attrs:{class:"language-bash"}},[e("code",[a._v("helm repo "),e("span",{pre:!0,attrs:{class:"token function"}},[a._v("add")]),a._v(" fairwindsops-stable https://charts.fairwindsops.com/stable\nhelm upgrade --install polaris 
fairwindsops-stable/polaris --namespace polaris "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[a._v("\\")]),a._v("\n --set webhook.enable"),e("span",{pre:!0,attrs:{class:"token operator"}},[a._v("=")]),a._v("true --set dashboard.enable"),e("span",{pre:!0,attrs:{class:"token operator"}},[a._v("=")]),a._v("false\n")])])]),e("h2",{attrs:{id:"workload-types"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#workload-types"}},[a._v("#")]),a._v(" Workload Types")]),a._v(" "),e("p",[a._v("The webhook comes with built-in support for a handful of known controller types,\nsuch as Deployments, Jobs, and DaemonSets. To add new controller types,\nyou can set "),e("code",[a._v("webhook.rules")]),a._v(" in the\n"),e("a",{attrs:{href:"https://github.com/FairwindsOps/charts/tree/master/stable/polaris",target:"_blank",rel:"noopener noreferrer"}},[a._v("Helm chart"),e("OutboundLink")],1)]),a._v(" "),e("h2",{attrs:{id:"warnings"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#warnings"}},[a._v("#")]),a._v(" Warnings")]),a._v(" "),e("p",[a._v("Unfortunately we have not found a way to display warnings as part of "),e("code",[a._v("kubectl")]),a._v("\noutput unless we are rejecting a workload altogether.")]),a._v(" "),e("p",[a._v("This means that any checks with a severity of "),e("code",[a._v("warning")]),a._v(" will still pass webhook validation,\nand the only evidence of that warning will either be in the Polaris dashboard or the\nPolaris webhook logs. This will change in a future version of Kubernetes.")])])}),[],!1,null,null,null);t.default=o.exports}}]); \ No newline at end of file diff --git a/docs/assets/js/app.65b94829.js b/docs/assets/js/app.65b94829.js deleted file mode 100644 index ef9baba41..000000000 --- a/docs/assets/js/app.65b94829.js +++ /dev/null 
@@ -1,13 +0,0 @@ -(window.webpackJsonp=window.webpackJsonp||[]).push([[0],[]]);!function(t){function e(e){for(var r,a,c=e[0],u=e[1],s=e[2],l=0,p=[];l0?o(r(t),9007199254740991):0}},function(t,e){var n=Array.isArray;t.exports=n},function(t,e,n){var r=n(31),o=n(22);t.exports=function(t){return r(o(t))}},function(t,e,n){var r=n(140),o="object"==typeof self&&self&&self.Object===Object&&self,i=r||o||Function("return this")();t.exports=i},function(t,e,n){var r=n(6),o=n(1),i=n(7),a=Object.defineProperty,c={},u=function(t){throw t};t.exports=function(t,e){if(i(c,t))return c[t];e||(e={});var n=[][t],s=!!i(e,"ACCESSORS")&&e.ACCESSORS,f=i(e,0)?e[0]:u,l=i(e,1)?e[1]:void 0;return c[t]=!!n&&!o((function(){if(s&&!r)return!0;var t={length:-1};s?a(t,1,{enumerable:!0,get:u}):t[1]=1,n.call(t,f,l)}))}},function(t,e,n){var r=n(110),o=n(3),i=function(t){return"function"==typeof t?t:void 0};t.exports=function(t,e){return arguments.length<2?i(r[t])||i(o[t]):r[t]&&r[t][e]||o[t]&&o[t][e]}},function(t,e){t.exports=!1},function(t,e){t.exports=function(t){if("function"!=typeof t)throw TypeError(String(t)+" is not a function");return t}},function(t,e,n){var r=n(223),o=n(226);t.exports=function(t,e){var n=o(t,e);return r(n)?n:void 0}},function(t,e){t.exports=function(t){if(null==t)throw TypeError("Can't call method on "+t);return t}},function(t,e,n){"use strict";var r=n(0),o=n(29).filter,i=n(53),a=n(17),c=i("filter"),u=a("filter");r({target:"Array",proto:!0,forced:!c||!u},{filter:function(t){return o(this,t,arguments.length>1?arguments[1]:void 0)}})},function(t,e,n){var r=n(6),o=n(77),i=n(32),a=n(15),c=n(44),u=n(7),s=n(105),f=Object.getOwnPropertyDescriptor;e.f=r?f:function(t,e){if(t=a(t),e=c(e,!0),s)try{return f(t,e)}catch(t){}if(u(t,e))return i(!o.f.call(t,e),t[e])}},function(t,e){t.exports=function(t){return null!=t&&"object"==typeof t}},function(t,e){var n={}.toString;t.exports=function(t){return n.call(t).slice(8,-1)}},function(t,e,n){"use strict";var 
r=n(128).charAt,o=n(28),i=n(111),a=o.set,c=o.getterFor("String Iterator");i(String,"String",(function(t){a(this,{type:"String Iterator",string:String(t),index:0})}),(function(){var t,e=c(this),n=e.string,o=e.index;return o>=n.length?{value:void 0,done:!0}:(t=r(n,o),e.index+=t.length,{value:t,done:!1})}))},function(t,e,n){var r,o,i,a=n(182),c=n(3),u=n(4),s=n(11),f=n(7),l=n(70),p=n(48),h=n(34),d=c.WeakMap;if(a){var v=l.state||(l.state=new d),y=v.get,m=v.has,g=v.set;r=function(t,e){return e.facade=t,g.call(v,t,e),e},o=function(t){return y.call(v,t)||{}},i=function(t){return m.call(v,t)}}else{var b=p("state");h[b]=!0,r=function(t,e){return e.facade=t,s(t,b,e),e},o=function(t){return f(t,b)?t[b]:{}},i=function(t){return f(t,b)}}t.exports={set:r,get:o,has:i,enforce:function(t){return i(t)?o(t):r(t,{})},getterFor:function(t){return function(e){var n;if(!u(e)||(n=o(e)).type!==t)throw TypeError("Incompatible receiver, "+t+" required");return n}}}},function(t,e,n){var r=n(50),o=n(31),i=n(12),a=n(13),c=n(127),u=[].push,s=function(t){var e=1==t,n=2==t,s=3==t,f=4==t,l=6==t,p=5==t||l;return function(h,d,v,y){for(var m,g,b=i(h),_=o(b),x=r(d,v,3),w=a(_.length),O=0,S=y||c,k=e?S(h,w):n?S(h,0):void 0;w>O;O++)if((p||O in _)&&(g=x(m=_[O],O,b),t))if(e)k[O]=g;else if(g)switch(t){case 3:return!0;case 5:return m;case 6:return O;case 2:u.call(k,m)}else if(f)return!1;return l?-1:s||f?f:k}};t.exports={forEach:s(0),map:s(1),filter:s(2),some:s(3),every:s(4),find:s(5),findIndex:s(6)}},function(t,e,n){var r=n(39),o=n(208),i=n(209),a=r?r.toStringTag:void 0;t.exports=function(t){return null==t?void 0===t?"[object Undefined]":"[object Null]":a&&a in Object(t)?o(t):i(t)}},function(t,e,n){var r=n(1),o=n(26),i="".split;t.exports=r((function(){return!Object("z").propertyIsEnumerable(0)}))?function(t){return"String"==o(t)?i.call(t,""):Object(t)}:Object},function(t,e){t.exports=function(t,e){return{enumerable:!(1&t),configurable:!(2&t),writable:!(4&t),value:e}}},function(t,e,n){var 
r,o=n(5),i=n(181),a=n(75),c=n(34),u=n(109),s=n(72),f=n(48),l=f("IE_PROTO"),p=function(){},h=function(t){return" - - - - - - - -

# Upcoming

  • Standardize categories of checks into Security, Reliability, and Efficiency

# 1.2.1

  • Update date on dashboard footer

# 1.2.0

  • Add ability to audit a single workload
  • Enable pullPolicyAlways by default
  • Fix for finding parent resources

# 1.1.1

  • Show controller checks on dashboard
  • Fix for orphaned pods w/ controller checks

# 1.1.0

  • Add namespace filter in UI
  • Add priorityClass check
  • Support reading from STDIN
  • Ensure severity is set for all custom checks
  • Support audit files which use \r or \r\n as newline character
  • Add option to exempt an entire controller from checks via config file
  • Fixed case where parent resources trigger error
  • Fixed UI zero-state

# 1.0.3

  • Fixed case where parent resources trigger error
  • Fixed dashboard link when --base-path is set

# 1.0.2

  • Fixed case where custom CRDs are not covered by RBAC

# 1.0.1

  • Added ARM binaries to releases

# 1.0.0

# New Features

  • Added support for custom checks using JSON Schema
  • Added support for arbitrary controllers, rather than a pre-configured set -
    • removed support for controllers_to_scan in config
  • Added the ability to exempt a particular controller from a particular check.
  • Docker image now includes the default config

# Breaking Changes

  • Breaking changes in both input and output formats. See Examples (opens new window) for examples of the new formats. -
    • removed config-level configuration for checks like max/min memory settings
    • changed severity error to danger
  • Breaking changes to the CLI -
    • CLI flag --set-exit-code-on-error is now --set-exit-code-on-danger
    • Flags --version, --dashboard, --webhook, and --audit are now arguments
    • Port flags are now just --port

# 0.6.0

  • Fixed webhook support in Kubernetes 1.16 -
    • this also removes support for 1.8
  • Added support for exemptions via controller annotations

# 0.5.2

  • Fixed missing success messages for resource requests/limits

# 0.5.1

  • Added a few more exemptions
  • Started checking exemptions based on controller name prefix
  • runAsUser != 0 now passes the runAsNonRoot check

# 0.5.0

  • Added --load-audit-file flag to run the dashboard from an existing audit
  • Added an ID field to each check in the output
  • Skip health checks for jobs, cronjobs, initcontainers
  • Added support for exemptions
  • Fixed dashboard base path option

# 0.4.0

  • Added additional Pod Controllers to scan PodSpec (jobs, cronjobs, daemonsets, replicationcontrollers)

# 0.3.1

  • Changed dashboard branding to refer to new org name Fairwinds

# 0.3.0

  • Added --set-exit-code-on-error and --set-exit-code-below-score flags to better support CI/CD

# 0.2.1

# 0.2.0

  • Added --output-format flag for better CI/CD support
  • Added --display-name flag
  • Added support for StatefulSets
  • Show error message if no kubeconfig is set

# 0.1.5

# 0.1.4

# 0.1.3

# 0.1.2

  • Stored all third-party assets (e.g. Charts.js) to local files to support offline dashboard viewing
  • Fix: custom configs in ConfigMap not respected

# 0.1.1

  • Fix (opens new window): missing config.yaml and dashboard assets in binary releases
  • Added some tests and better error handling

# 0.1.0

  • Dashboard fully functional
  • Validating webhook functional, but still considered beta
  • Checks: -
    • Health -
      • readiness probe missing
      • liveness probe missing
    • Images -
      • tag not specified
      • pull policy not always
    • Networking -
      • host network set
      • host port set
    • Resources -
      • cpu/memory requests missing
      • cpu/memory limits missing
      • cpu/memory ranges exceeded
    • Security -
      • security capabilities
      • host IPC set
      • host PID set
      • not read-only fs
      • privilege escalation allowed
      • run as root allowed
      • run as privileged
- - -
diff --git a/docs-md/checks/efficiency.md b/docs/checks/efficiency.md
similarity index 79%
rename from docs-md/checks/efficiency.md
rename to docs/checks/efficiency.md
index 7903b3cda..ff41f9b53 100644
--- a/docs-md/checks/efficiency.md
+++ b/docs/checks/efficiency.md
@@ -9,10 +9,10 @@ To simplify ensure that these values have been set, the following attributes are
 key | default | description
 ----|---------|------------
-`resources.cpuRequestsMissing` | `warning` | Fails when `resources.requests.cpu` attribute is not configured.
-`resources.memoryRequestsMissing` | `warning` | Fails when `resources.requests.memory` attribute is not configured.
-`resources.cpuLimitsMissing` | `warning` | Fails when `resources.limits.cpu` attribute is not configured.
-`resources.memoryLimitsMissing` | `warning` | Fails when `resources.limits.memory` attribute is not configured.
+`cpuRequestsMissing` | `warning` | Fails when `resources.requests.cpu` attribute is not configured.
+`memoryRequestsMissing` | `warning` | Fails when `resources.requests.memory` attribute is not configured.
+`cpuLimitsMissing` | `warning` | Fails when `resources.limits.cpu` attribute is not configured.
+`memoryLimitsMissing` | `warning` | Fails when `resources.limits.memory` attribute is not configured.
 ## Background
diff --git a/docs/checks/efficiency/index.html b/docs/checks/efficiency/index.html
deleted file mode 100644
index 2b40906d8..000000000
--- a/docs/checks/efficiency/index.html
+++ /dev/null
@@ -1,33 +0,0 @@ - - - - - - Efficiency | Fairwinds Polaris Documentation - - - - - - - - - - -

# Efficiency

These checks ensure that CPU and memory settings are configured, so that -Kubernetes can schedule your workload effectively.

# Presence Checks

To simplify ensure that these values have been set, the following attributes are available:

key default description
resources.cpuRequestsMissing warning Fails when resources.requests.cpu attribute is not configured.
resources.memoryRequestsMissing warning Fails when resources.requests.memory attribute is not configured.
resources.cpuLimitsMissing warning Fails when resources.limits.cpu attribute is not configured.
resources.memoryLimitsMissing warning Fails when resources.limits.memory attribute is not configured.

# Background

Configuring resource requests and limits for containers running in Kubernetes is an important best practice to follow. Setting appropriate resource requests will ensure that all your applications have sufficient compute resources. Setting appropriate resource limits will ensure that your applications do not consume too many resources.

Having these values appropriately configured ensures that:

  • Cluster autoscaling can function as intended. New nodes are scheduled once pods are unable to be scheduled on an existing node due to insufficient resources. This will not happen if resource requests are not configured.

  • Each container has sufficient access to compute resources. Without resource requests, a pod may be scheduled on a node that is already overutilized. Without resource limits, a single poorly behaving pod could utilize the majority of resources on a node, significantly impacting the performance of other pods on the same node.

# Further Reading

- - -
diff --git a/docs-md/checks/reliability.md b/docs/checks/reliability.md
similarity index 82%
rename from docs-md/checks/reliability.md
rename to docs/checks/reliability.md
index 460c19cf6..4578a3683 100644
--- a/docs-md/checks/reliability.md
+++ b/docs/checks/reliability.md
@@ -5,12 +5,12 @@ and are running the correct image.
 key | default | description
 ----|---------|------------
-`reliability.readinessProbeMissing` | `warning` | Fails when a readiness probe is not configured for a pod.
-`reliability.livenessProbeMissing` | `warning` | Fails when a liveness probe is not configured for a pod.
-`reliability.tagNotSpecified` | `danger` | Fails when an image tag is either not specified or `latest`.
-`reliability.pullPolicyNotAlways` | `warning` | Fails when an image pull policy is not `always`.
-`reliability.priorityClassNotSet` | `ignore` | Fails when a priorityClassName is not set for a pod.
-`reliability.multipleReplicasForDeployment` | `ignore` | Fails when there is only one replica for a deployment.
+`readinessProbeMissing` | `warning` | Fails when a readiness probe is not configured for a pod.
+`livenessProbeMissing` | `warning` | Fails when a liveness probe is not configured for a pod.
+`tagNotSpecified` | `danger` | Fails when an image tag is either not specified or `latest`.
+`pullPolicyNotAlways` | `warning` | Fails when an image pull policy is not `always`.
+`priorityClassNotSet` | `ignore` | Fails when a priorityClassName is not set for a pod.
+`multipleReplicasForDeployment` | `ignore` | Fails when there is only one replica for a deployment.
 ## Background
diff --git a/docs/checks/reliability/index.html b/docs/checks/reliability/index.html
deleted file mode 100644
index 60ce04cd3..000000000
--- a/docs/checks/reliability/index.html
+++ /dev/null
@@ -1,29 +0,0 @@ - - - - - - Reliability | Fairwinds Polaris Documentation - - - - - - - - - - -

# Reliability

These checks help to make sure your workloads are always available, -and are running the correct image.

key default description
reliability.readinessProbeMissing warning Fails when a readiness probe is not configured for a pod.
reliability.livenessProbeMissing warning Fails when a liveness probe is not configured for a pod.
reliability.tagNotSpecified danger Fails when an image tag is either not specified or latest.
reliability.pullPolicyNotAlways warning Fails when an image pull policy is not always.
reliability.priorityClassNotSet ignore Fails when a priorityClassName is not set for a pod.
reliability.multipleReplicasForDeployment ignore Fails when there is only one replica for a deployment.

# Background

Readiness and liveness probes can help maintain the health of applications running inside Kubernetes. By default, Kubernetes only knows whether or not a process is running, not if it's healthy. Properly configured readiness and liveness probes will also be able to ensure the health of an application.

Readiness probes are designed to ensure that an application has reached a "ready" state. In many cases there is a period of time between when a webserver process starts and when it is ready to receive traffic. A readiness probe can ensure the traffic is not sent to a pod until it is actually ready to receive traffic.

Liveness probes are designed to ensure that an application stays in a healthy state. When a liveness probe fails, the pod will be restarted.

Docker's latest tag is applied by default to images where a tag hasn't been specified. Not specifying a specific version of an image can lead to a wide variety of problems. The underlying image could include unexpected breaking changes that break your application whenever the latest image is pulled. Reusing the same tag for multiple versions of an image can lead to different nodes in the same cluster having different versions of an image, even if the tag is identical.

Related to that, relying on cached versions of a Docker image can become a security vulnerability. By default, an image will be pulled if it isn't already cached on the node attempting to run it. This can result in variations in images that are running per node, or potentially provide a way to gain access to an image without having direct access to the ImagePullSecret. With that in mind, it's often better to ensure the a pod has pullPolicy: Always specified, so images are always pulled directly from their source.

# Further Reading

- - -
diff --git a/docs-md/checks/security.md b/docs/checks/security.md
similarity index 66%
rename from docs-md/checks/security.md
rename to docs/checks/security.md
index 64d872a82..9e4bd7932 100644
--- a/docs-md/checks/security.md
+++ b/docs/checks/security.md
@@ -6,16 +6,17 @@ for privilege escalation.
 key | default | description
 ----|---------|------------
-`security.hostIPCSet` | `danger` | Fails when `hostIPC` attribute is configured.
-`security.hostPIDSet` | `danger` | Fails when `hostPID` attribute is configured.
-`security.notReadOnlyRootFilesystem` | `warning` | Fails when `securityContext.readOnlyRootFilesystem` is not true.
-`security.privilegeEscalationAllowed` | `danger` | Fails when `securityContext.allowPrivilegeEscalation` is true.
-`security.runAsRootAllowed` | `warning` | Fails when `securityContext.runAsNonRoot` is not true.
-`security.runAsPrivileged` | `danger` | Fails when `securityContext.privileged` is true.
-`security.insecureCapabilities` | `warning` | Fails when `securityContext.capabilities` includes one of the capabilities [listed here](https://github.com/FairwindsOps/polaris/tree/master/checks/insecureCapabilities.yaml)
-`security.dangerousCapabilities` | `danger` | Fails when `securityContext.capabilities` includes one of the capabilities [listed here](https://github.com/FairwindsOps/polaris/tree/master/checks/dangerousCapabilities.yaml)
-`security.hostNetworkSet` | `warning` | Fails when `hostNetwork` attribute is configured.
-`security.hostPortSet` | `warning` | Fails when `hostPort` attribute is configured.
+`hostIPCSet` | `danger` | Fails when `hostIPC` attribute is configured.
+`hostPIDSet` | `danger` | Fails when `hostPID` attribute is configured.
+`notReadOnlyRootFilesystem` | `warning` | Fails when `securityContext.readOnlyRootFilesystem` is not true.
+`privilegeEscalationAllowed` | `danger` | Fails when `securityContext.allowPrivilegeEscalation` is true.
+`runAsRootAllowed` | `warning` | Fails when `securityContext.runAsNonRoot` is not true.
+`runAsPrivileged` | `danger` | Fails when `securityContext.privileged` is true.
+`insecureCapabilities` | `warning` | Fails when `securityContext.capabilities` includes one of the capabilities [listed here](https://github.com/FairwindsOps/polaris/tree/master/checks/insecureCapabilities.yaml)
+`dangerousCapabilities` | `danger` | Fails when `securityContext.capabilities` includes one of the capabilities [listed here](https://github.com/FairwindsOps/polaris/tree/master/checks/dangerousCapabilities.yaml)
+`hostNetworkSet` | `warning` | Fails when `hostNetwork` attribute is configured.
+`hostPortSet` | `warning` | Fails when `hostPort` attribute is configured.
+`tlsSettingsMissing` | `warning` | Fails when an Ingress lacks TLS settings.
 ## Background
diff --git a/docs/checks/security/index.html b/docs/checks/security/index.html
deleted file mode 100644
index 2e42a9f35..000000000
--- a/docs/checks/security/index.html
+++ /dev/null
@@ -1,34 +0,0 @@
- - - - - - Security | Fairwinds Polaris Documentation - - - - - - - - - - -

# Security

These checks are related to security concerns. Workloads that fail these -checks may make your cluster more vulnerable, often by introducing a path -for privilege escalation.

key default description
security.hostIPCSet danger Fails when hostIPC attribute is configured.
security.hostPIDSet danger Fails when hostPID attribute is configured.
security.notReadOnlyRootFilesystem warning Fails when securityContext.readOnlyRootFilesystem is not true.
security.privilegeEscalationAllowed danger Fails when securityContext.allowPrivilegeEscalation is true.
security.runAsRootAllowed warning Fails when securityContext.runAsNonRoot is not true.
security.runAsPrivileged danger Fails when securityContext.privileged is true.
security.insecureCapabilities warning Fails when securityContext.capabilities includes one of the capabilities listed here (opens new window)
security.dangerousCapabilities danger Fails when securityContext.capabilities includes one of the capabilities listed here (opens new window)
security.hostNetworkSet warning Fails when hostNetwork attribute is configured.
security.hostPortSet warning Fails when hostPort attribute is configured.

# Background

Securing workloads in Kubernetes is an important part of overall cluster security. The overall goal should be to ensure that containers are running with as minimal privileges as possible. This includes avoiding privilege escalation, not running containers with a root user, not giving excessive access to the host network, and using read only file systems wherever possible.

A pod running with the hostNetwork attribute enabled will have access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. There are certain examples where setting hostNetwork to true is required, such as deploying a networking plugin like Flannel.

Setting the hostPort attribute on a container will ensure that it is accessible on that specific port on each node it is deployed to. Unfortunately when this is specified, it limits where a pod can actually be scheduled in a cluster.

Much of this configuration can be found in the securityContext attribute for both Kubernetes pods and containers. Where configuration is available at both a pod and container level, Polaris validates both.

# Further Reading

- - - diff --git a/docs-md/cli/options.md b/docs/cli/options.md similarity index 100% rename from docs-md/cli/options.md rename to docs/cli/options.md diff --git a/docs/cli/options/index.html b/docs/cli/options/index.html deleted file mode 100644 index 3cf21ad28..000000000 --- a/docs/cli/options/index.html +++ /dev/null @@ -1,85 +0,0 @@ - - - - - - CLI Options | Fairwinds Polaris Documentation - - - - - - - - - - -

# CLI Options

# top-level commands
-audit
-      Runs a one-time audit.
-dashboard
-      Runs the webserver for Polaris dashboard.
-help
-      Prints help, if you give it a command then it will print help for that command. Same as -h
-version
-      Prints the version of Polaris
-webhook
-      Runs the webhook webserver
-
-# high-level flags
--c, --config string
-      Location of Polaris configuration file
---disallow-exemptions
-      Disallow any exemptions from configuration file.
--h, --help
-      Help for Polaris (same as help command)
---kubeconfig string
-      Path to a kubeconfig. Only required if out-of-cluster.
---log-level string
-      Logrus log level (default "info")
---master string
-      The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.
-
-# dashboard flags
---audit-path string
-      If specified, audits one or more YAML files instead of a cluster
---base-path string
-      Path on which the dashboard is served (default "/")
---display-name string
-      An optional identifier for the audit
---load-audit-file string
-      Runs the dashboard with data saved from a past audit.
--p, --port int
-      Port for the dashboard webserver (default 8080)
-
-# audit flags
---audit-path string
-      If specified, audits one or more YAML files instead of a cluster
---resource string
-      If specified, audit a specific resource, in the format namespace/kind/version/name, e.g. nginx-ingress/Deployment.apps/v1/default-backend
---display-name string
-      An optional identifier for the audit
---format string
-      Output format for results - json, yaml, or score (default "json")
---output-file string
-      Destination file for audit results
---output-url string
-      Destination URL to send audit results
---set-exit-code-below-score int
-      Set an exit code of 4 when the score is below this threshold (1-100)
---set-exit-code-on-danger
-      Set an exit code of 3 when the audit contains danger-level issues.
-
-# webhook flags
---disable-webhook-config-installer
-      disable the installer in the webhook server, so it won't install webhook configuration resources during bootstrapping
--p, --port int
-      Port for the webhook webserver (default 9876)
-
- - - diff --git a/docs-md/code-of-conduct.md b/docs/code-of-conduct.md similarity index 100% rename from docs-md/code-of-conduct.md rename to docs/code-of-conduct.md diff --git a/docs/code-of-conduct/index.html b/docs/code-of-conduct/index.html deleted file mode 100644 index c334f8be7..000000000 --- a/docs/code-of-conduct/index.html +++ /dev/null @@ -1,60 +0,0 @@ - - - - - - Code of Conduct | Fairwinds Polaris Documentation - - - - - - - - - - -

# Code of Conduct

# Our Pledge

In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, gender identity and expression, level of experience, -nationality, personal appearance, race, religion, or sexual identity and -orientation.

# Our Standards

Examples of behavior that contributes to creating a positive environment -include:

  • Using welcoming and inclusive language
  • Being respectful of differing viewpoints and experiences
  • Gracefully accepting constructive criticism
  • Focusing on what is best for the community
  • Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

  • The use of sexualized language or imagery and unwelcome sexual attention or -advances
  • Trolling, insulting/derogatory comments, and personal or political attacks
  • Public or private harassment
  • Publishing others' private information, such as a physical or electronic -address, without explicit permission
  • Other conduct which could reasonably be considered inappropriate in a -professional setting

# Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or -reject comments, commits, code, wiki edits, issues, and other contributions -that are not aligned to this Code of Conduct, or to ban temporarily or -permanently any contributor for other behaviors that they deem inappropriate, -threatening, offensive, or harmful.

# Scope

This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers.

# Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at [INSERT EMAIL ADDRESS]. All -complaints will be reviewed and investigated and will result in a response that -is deemed necessary and appropriate to the circumstances. The project team is -obligated to maintain confidentiality with regard to the reporter of an incident. -Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership.

# Attribution

This Code of Conduct is adapted from the Contributor Covenant (opens new window), version 1.4, -available at http://contributor-covenant.org/version/1/4 (opens new window)

- - - diff --git a/docs-md/contributing.md b/docs/contributing.md similarity index 100% rename from docs-md/contributing.md rename to docs/contributing.md diff --git a/docs/contributing/index.html b/docs/contributing/index.html deleted file mode 100644 index d386898c0..000000000 --- a/docs/contributing/index.html +++ /dev/null @@ -1,49 +0,0 @@ - - - - - - Contributing | Fairwinds Polaris Documentation - - - - - - - - - - -

# Contributing

Issues, whether bugs, tasks, or feature requests are essential for keeping Polaris great. We believe it should be as easy as possible to contribute changes that get things working in your environment. There are a few guidelines that we need contributors to follow so that we can keep on top of things.

# Code of Conduct

This project adheres to a code of conduct. Please review this document before contributing to this project.

# Sign the CLA

Before you can contribute, you will need to sign the Contributor License Agreement (opens new window).

# Project Structure

Polaris is built on top of controller-runtime (opens new window). It can run in 3 different modes, a dashboard, a webhook, or a reporter that prints or exports validation results. All of these modes make use of the shared validator and config packages. Adding new validations is possible by only making additions to those packages.

# Getting Started

We label issues with the "good first issue" tag (opens new window) if we believe they'll be a good starting point for new contributors. If you're interested in working on an issue, please start a conversation on that issue, and we can help answer any questions as they come up.

# Setting Up Your Development Environment

# Prerequisites

  • A properly configured Golang environment with Go 1.11 or higher
  • If you want to see the local changes you make on a Polaris dashboard, you will need access to a Kubernetes cluster defined in ~/.kube/config

# Installation

  • Install the project with go get github.com/fairwindsops/polaris
  • Change into the polaris directory which is installed at $GOPATH/src/github.com/fairwindsops/polaris
  • See the dashboard with go run main.go dashboard, then open http://localhost:8080/
  • See the audit data go run main.go audit. This command shows the audit information on the command line.

# Running Tests

The following commands are all required to pass as part of Polaris testing:

go list ./... | grep -v vendor | xargs golint -set_exit_status
-go list ./... | grep -v vendor | xargs go vet
-go test ./pkg/... -v -coverprofile cover.out
-

# Creating a New Issue

If you've encountered an issue that is not already reported, please create a new issue (opens new window), choose Bug Report, Feature Request or Misc. and follow the instructions in the template.

# Creating a Pull Request

Each new pull request should:

  • Reference any related issues
  • Add tests that show the issues have been solved
  • Pass existing tests and linting
  • Contain a clear indication of if they're ready for review or a work in progress
  • Be up to date and/or rebased on the master branch

# Creating a new release

# Patch releases

Patch releases only need to change this repo. The Helm chart and deploy scripts -will automatically pull in the latest changes.

If the release involves changes to anything in the deploy/ folder (e.g. new RBAC permissions), -it needs to be a minor or major release in order to prevent breaking the Helm chart.

  1. Create a PR for this repo -
    1. Bump the version number in: -
      1. main.go
      2. README.md
    2. Update CHANGELOG.md
    3. Merge your PR
  2. Tag the latest branch for this repo -
    1. Pull the latest commit for the master branch (which you just merged in your PR)
    2. Run git tag $VERSION && git push --tags
    3. Make sure CircleCI runs successfully for the new tag - this will push images to quay.io and create a release in GitHub -
      1. If CircleCI fails, check with Codeowners ASAP

# Minor/Major releases

Minor and major releases need to change both this repository and the -Helm chart repo (opens new window).

The steps are:

  1. Modify the Helm chart (opens new window)
    1. Clone the helm charts repo -
      1. git clone https://github.com/FairwindsOps/charts
      2. git checkout -b yourname/update-polaris
    2. Bump the version number in: -
      1. stable/polaris/README.md
      2. stable/polaris/Chart.yaml
      3. stable/polaris/values.yaml
    3. Make any necessary changes to the chart to support the new version of Polaris (e.g. new RBAC permissions)
    4. Don't merge yet!
  2. Create a PR for this repo -
    1. Create a new branch named yourname/update-version
    2. Bump the version number in: -
      1. main.go
      2. README.md
    3. Regenerate the deployment files. Assuming you've cloned the charts repo to ~/git/charts: -
      1. CHARTS_DIR=~/git/charts ./scripts/generate-deployment-files.sh
    4. Update CHANGELOG.md
    5. Merge your PR
  3. Tag the latest branch for this repo -
    1. Pull the latest for the master branch
    2. Run git tag $VERSION && git push --tags
    3. Make sure CircleCI runs successfully for the new tag - this will push images to quay.io and create a release in GitHub -
      1. If CircleCI fails, check with Codeowners ASAP
  4. Create and merge a PR for your changes to the Helm chart
- - - diff --git a/docs-md/customization/checks.md b/docs/customization/checks.md similarity index 100% rename from docs-md/customization/checks.md rename to docs/customization/checks.md diff --git a/docs/customization/checks/index.html b/docs/customization/checks/index.html deleted file mode 100644 index 97f08e950..000000000 --- a/docs/customization/checks/index.html +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - Check Settings | Fairwinds Polaris Documentation - - - - - - - - - - -

# Check Settings

Each check can be assigned a severity. Only checks with a severity of danger or warning will be validated. The results of these validations are visible on the dashboard. In the case of the validating webhook, only failures with a severity of danger will result in a change being rejected.

Polaris validation checks fall into several different categories:

To change the default severity levels, or to turn checks on or off, you can create your own config.yaml:

checks:
-  tagNotSpecified: ignore
-  runAsRootAllowed: danger
-  pullPolicyNotAlways: warning
-
- - - diff --git a/docs-md/customization/configuration.md b/docs/customization/configuration.md similarity index 100% rename from docs-md/customization/configuration.md rename to docs/customization/configuration.md diff --git a/docs/customization/configuration/index.html b/docs/customization/configuration/index.html deleted file mode 100644 index 73bba98a8..000000000 --- a/docs/customization/configuration/index.html +++ /dev/null @@ -1,32 +0,0 @@ - - - - - - Configuration | Fairwinds Polaris Documentation - - - - - - - - - - -

# Configuration

The default Polaris configuration can be seen here (opens new window).

You can customize the configuration to do things like:

To pass in your custom configuration, follow the instructions for your environment:

  • CLI - set the --config argument to point to your config.yaml
  • Helm - set the config variable in your values file
  • kubectl - create a ConfigMap with your config.yaml, mount it as a volume, and use the --config argument in your Deployment
- - - diff --git a/docs-md/customization/custom-checks.md b/docs/customization/custom-checks.md similarity index 100% rename from docs-md/customization/custom-checks.md rename to docs/customization/custom-checks.md diff --git a/docs/customization/custom-checks/index.html b/docs/customization/custom-checks/index.html deleted file mode 100644 index 29bbf20cc..000000000 --- a/docs/customization/custom-checks/index.html +++ /dev/null @@ -1,57 +0,0 @@ - - - - - - Custom Checks | Fairwinds Polaris Documentation - - - - - - - - - - -

# Custom Checks

If you'd like to create your own checks, you can use JSON Schema (opens new window). For example, -to disallow images from quay.io:

checks:
-  imageRegistry: warning
-customChecks:
-  imageRegistry:
-    successMessage: Image comes from allowed registries
-    failureMessage: Image should not be from disallowed registry
-    category: Images
-    target: Container # target can be "Container" or "Pod"
-    schema:
-      '$schema': http://json-schema.org/draft-07/schema
-      type: object
-      properties:
-        image:
-          type: string
-          not:
-            pattern: ^quay.io
-

Schemas can also be specified as JSON strings instead of YAML, for easier copy/pasting:

customChecks:
-  foo:
-    jsonSchema: |
-      {
-        "$schema": "http://json-schema.org/draft-07/schema",
-        "type": "object"
-      }
-

We extend JSON Schema with resourceMinimum and resourceMaximum fields to help compare memory and CPU resource -strings like 1000m and 1G. You can see an example in the extended config (opens new window)

There are additional examples in the checks folder (opens new window).

- - - diff --git a/docs-md/customization/exemptions.md b/docs/customization/exemptions.md similarity index 100% rename from docs-md/customization/exemptions.md rename to docs/customization/exemptions.md diff --git a/docs/customization/exemptions/index.html b/docs/customization/exemptions/index.html deleted file mode 100644 index f6cd17d03..000000000 --- a/docs/customization/exemptions/index.html +++ /dev/null @@ -1,48 +0,0 @@ - - - - - - Exemptions | Fairwinds Polaris Documentation - - - - - - - - - - -

# Exemptions

Sometimes a workload really does need to do things that Polaris considers insecure. For instance, -many of the kube-system workloads need to run as root, or need access to the host network. In these -cases, we can add exemptions to allow the workload to pass Polaris checks.

Exemptions can be added two ways: by annotating a controller, or editing the Polaris config.

# Annotations

To exempt a controller from all checks via annotations, use the annotation polaris.fairwinds.com/exempt=true, e.g.

kubectl annotate deployment my-deployment polaris.fairwinds.com/exempt=true
-

To exempt a controller from a particular check via annotations, use an annotation in the form of polaris.fairwinds.com/<check>-exempt=true, e.g.

kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissing-exempt=true
-

# Config

To exempt a controller via the config, you have to specify a namespace (optional), a list of controller names and a list of rules, e.g.

exemptions:
-  # exemption valid for kube-system namespace
-  - namespace: kube-system
-    controllerNames:
-      - dns-controller
-    rules:
-      - hostNetworkSet
-  # exemption valid in all namespaces
-  - controllerNames:
-      - dns-controller
-    rules:
-      - hostNetworkSet
-
- - -
diff --git a/docs-md/dashboard.md b/docs/dashboard.md
similarity index 93%
rename from docs-md/dashboard.md
rename to docs/dashboard.md
index c41734b3a..ed8c664dc 100644
--- a/docs-md/dashboard.md
+++ b/docs/dashboard.md
@@ -1,5 +1,8 @@
 # Dashboard
+> Want to see Polaris results for all your clusters in a single dashboard? Check out
+> [Fairwinds Insights](https://www.fairwinds.com/fairwinds-polaris-upgrade)
+
 The Polaris dashboard can be installed on a cluster using kubectl or Helm. It
 can also be run locally, connecting to your cluster using the credentials stored in your `KUBECONFIG`.
diff --git a/docs/dashboard/index.html b/docs/dashboard/index.html
deleted file mode 100644
index ef8e74e3f..000000000
--- a/docs/dashboard/index.html
+++ /dev/null
@@ -1,45 +0,0 @@
- - - - - - Dashboard | Fairwinds Polaris Documentation - - - - - - - - - - -

# Dashboard

The Polaris dashboard can be installed on a cluster using kubectl or Helm. It -can also be run locally, connecting to your cluster using the credentials stored in your KUBECONFIG.

The dashboard is a good way to understand what workloads inside your cluster or Infrastructure as Code -don't conform to best practices.

# Installation

# kubectl

kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/download/dashboard.yaml
-kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
-

# Helm

helm repo add fairwinds-stable https://charts.fairwinds.com/stable
-helm upgrade --install polaris fairwinds-stable/polaris --namespace polaris
-kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
-

# Local Binary

You'll need a valid KUBECONFIG set up for the dashboard to connect to your cluster.

Binary releases can be dowloaded from the releases page (opens new window) -or can be installed with Homebrew (opens new window):

brew tap reactiveops/tap
-brew install reactiveops/tap/polaris
-polaris dashboard --port 8080
-

You can also point the dashboard to the local filesystem, instead of a live cluster:

polaris dashboard --port 8080 --audit-path=./deploy/
-

# Local Docker container

docker run -d -p8080:8080 -v ~/.kube/config:/opt/app/config:ro  quay.io/fairwinds/polaris:1.2 polaris dashboard --kubeconfig /opt/app/config
-

# Using the Dashboard

The Polaris dashboard is a way to get a simple visual overview of the current state of your Kubernetes workloads as well as a roadmap for what can be improved. The dashboard provides a cluster wide overview as well as breaking out results by category, namespace, and workload.

Polaris Dashboard

Our default standards in Polaris are rather high, so don’t be surprised if your score is lower than you might expect. A key goal for Polaris was to set a high standard and aim for great configuration by default. If the defaults we’ve included are too strict, it’s easy to adjust the configuration as part of the deployment configuration to better suit your workloads.

- - - diff --git a/docs/favicon.png b/docs/favicon.png deleted file mode 100644 index 5f4efc0f0..000000000 Binary files a/docs/favicon.png and /dev/null differ diff --git a/docs/img/dashboard-screenshot.png b/docs/img/dashboard-screenshot.png deleted file mode 100644 index 4ddc6e77e..000000000 Binary files a/docs/img/dashboard-screenshot.png and /dev/null differ diff --git a/docs/img/fairwinds-logo.svg b/docs/img/fairwinds-logo.svg deleted file mode 100644 index 1595e1bad..000000000 --- a/docs/img/fairwinds-logo.svg +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/img/polaris-logo.png b/docs/img/polaris-logo.png deleted file mode 100644 index 66b1876f5..000000000 Binary files a/docs/img/polaris-logo.png and /dev/null differ diff --git a/docs/index.html b/docs/index.html deleted file mode 100644 index 35a22e023..000000000 --- a/docs/index.html +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - Fairwinds Polaris Documentation - - - - - - - - - - -
Polaris Logo

Best Practices for Kubernetes Workload Configuration

Fairwinds' Polaris keeps your clusters sailing smoothly. It runs a variety of checks to ensure that -Kubernetes pods and controllers are configured using best practices, helping you avoid -problems in the future. Polaris can be run in a few different modes:

Polaris can be run in three different modes:

  • As a dashboard, so you can audit what's running inside your cluster.
  • As an admission controller, so you can automatically reject workloads that don't adhere to your organization's policies.
  • As a command-line tool, so you can test local YAML files, e.g. as part of a CI/CD process.

Want to learn more? Reach out on the Slack channel (opens new window) (request invite (opens new window)), send an email to opensource@fairwinds.com, or join us for office hours on Zoom (opens new window)

# Integration with Fairwinds Insights

Fairwinds Insights (opens new window) -is a platform for auditing Kubernetes clusters and enforcing policy. If you'd like to:

you can sign up for a free account here (opens new window).

# Contributing

PRs welcome! Check out the Contributing Guidelines and Code of Conduct for more information.

# Further Information

A history of changes to this project can be viewed in the Changelog

If you'd like to learn more about Polaris, or if you'd like to speak with -a Kubernetes expert, you can contact info@fairwinds.com or visit our website (opens new window)


Polaris Dashboard

- - -
diff --git a/docs-md/infrastructure-as-code.md b/docs/infrastructure-as-code.md
similarity index 88%
rename from docs-md/infrastructure-as-code.md
rename to docs/infrastructure-as-code.md
index 100c41ee3..825458856 100644
--- a/docs-md/infrastructure-as-code.md
+++ b/docs/infrastructure-as-code.md
@@ -1,4 +1,7 @@
 # Infrastructure as Code
+> Want to see results for all your IaC repos in one place? Check out
+> [Fairwinds Insights](https://www.fairwinds.com/fairwinds-polaris-upgrade)
+
 Polaris can be used on the command line to audit local Kubernetes manifests stored in YAML files.
 This is particularly helpful for running Polaris against your infrastructure-as-code as part of a
 CI/CD pipeline. Use the available [command line flags](#running-in-a-ci-pipeline)
diff --git a/docs/infrastructure-as-code/index.html b/docs/infrastructure-as-code/index.html
deleted file mode 100644
index 83fbf3c44..000000000
--- a/docs/infrastructure-as-code/index.html
+++ /dev/null
@@ -1,45 +0,0 @@
- - - - - - Infrastructure as Code | Fairwinds Polaris Documentation - - - - - - - - - - -

# Infrastructure as Code

Polaris can be used on the command line to audit local Kubernetes manifests stored in YAML files. -This is particularly helpful for running Polaris against your infrastructure-as-code as part of a -CI/CD pipeline. Use the available command line flags -to cause CI/CD to fail if your Polaris score drops below a certain threshold, or if any danger-level issues arise.

# Install the CLI

To run Polaris against your YAML manifests, e.g. as part of a Continuous Integration process, -you'll need to install the CLI.

Binary releases can be downloaded from the releases page (opens new window) -or can be installed with Homebrew (opens new window):

brew tap FairwindsOps/tap
-brew install FairwindsOps/tap/polaris
-polaris version
-

# Running in a CI pipeline

You can tell the CLI to set an exit code if it detects certain issues with your -YAML files. -For example, to fail if polaris detects any danger-level issues, or if the score drops below 90%:

polaris audit --audit-path ./deploy/ \
-  --set-exit-code-on-danger \
-  --set-exit-code-below-score 90
-
- - -
diff --git a/docs-md/package-lock.json b/docs/package-lock.json
similarity index 100%
rename from docs-md/package-lock.json
rename to docs/package-lock.json
diff --git a/docs-md/package.json b/docs/package.json
similarity index 73%
rename from docs-md/package.json
rename to docs/package.json
index 6ba0132d8..ce670ae4d 100644
--- a/docs-md/package.json
+++ b/docs/package.json
@@ -1,36 +1,35 @@
 {
- "name": "fairwinds-docs-template",
- "version": "0.0.1",
- "description": "A repository with a Vuepress template for Fairwinds projects",
- "main": "index.js",
- "directories": {
- "doc": "docs"
- },
- "scripts": {
- "check-links": "vuepress check-md",
- "build": "npm run build:readme && npm run build:docs && npm run reset-cname",
- "build:readme": "cat ../README.md | grep -v 'ocumentation' | sed \"s/https:\\/\\/\\w\\+.docs.fairwinds.com//g\" > README.md",
- "build:docs": "vuepress build -d ../docs/ && touch ../docs/CNAME && git checkout -- ../docs/CNAME",
- "reset-cname": "touch ../docs/CNAME && git checkout -- ../docs/CNAME",
- "serve": "vuepress dev --port 3003",
- "vuepress": "vuepress"
- },
- "repository": {
- "type": "git",
- "url": "git+https://github.com/FairwindsOps/insights-docs.git"
- },
 "author": "",
- "license": "MIT",
 "bugs": {
 "url": "https://github.com/FairwindsOps/insights-docs/issues"
 },
- "homepage": "https://github.com/FairwindsOps/insights-docs#readme",
+ "dependencies": {
+ "vuepress-plugin-check-md": "0.0.2"
+ },
+ "description": "A repository with a Vuepress template for Fairwinds projects",
 "devDependencies": {
 "vuepress": "^1.4.0",
 "vuepress-plugin-clean-urls": "^1.1.1",
 "vuepress-plugin-redirect": "^1.2.3"
 },
- "dependencies": {
- "vuepress-plugin-check-md": "0.0.2"
- }
+ "directories": {
+ "doc": "docs"
+ },
+ "homepage": "https://github.com/FairwindsOps/insights-docs#readme",
+ "license": "MIT",
+ "main": "index.js",
+ "name": "fairwinds-docs-template",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/FairwindsOps/insights-docs.git"
+ },
+ "scripts": {
+ "build": "npm run build:readme && npm run build:docs",
+ "build:docs": "vuepress build -d ../dist/",
+ "build:readme": "cat ../README.md | grep -v 'ocumentation' | sed \"s/https:\\/\\/\\w\\+.docs.fairwinds.com//g\" > README.md",
+ "check-links": "vuepress check-md",
+ "serve": "npm run build:readme && vuepress dev --port 3003",
+ "vuepress": "vuepress"
+ },
+ "version": "0.0.1"
 }
diff --git a/docs/scripts/leadlander.js b/docs/scripts/leadlander.js
deleted file mode 100644
index e85b54edd..000000000
--- a/docs/scripts/leadlander.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/*
- * This file is generated from FairwindsOps/documentation-template
- * DO NOT EDIT MANUALLY
- */
-
-var llcookieless = true;
-var sf14gv = 32793;
-(function() {
- var sf14g = document.createElement('script');
- sf14g.src = 'https://lltrck.com/lt-v2.min.js';
- var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(sf14g, s);
-})();
diff --git a/docs/scripts/modify.js b/docs/scripts/modify.js
deleted file mode 100644
index e72a2179a..000000000
--- a/docs/scripts/modify.js
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * This file is generated from FairwindsOps/documentation-template
- * DO NOT EDIT MANUALLY
- */
-
-document.addEventListener("DOMContentLoaded", function(){
- setTimeout(function() {
- var link = document.getElementsByClassName('home-link')[0];
- linkClone = link.cloneNode(true);
- linkClone.href = "https://fairwinds.com";
- link.setAttribute('target', '_blank');
- link.parentNode.replaceChild(linkClone, link);
- }, 1000);
-});
-
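Review bot: The `build:readme` script in docs/package.json cannot fail when `../README.md` is missing or unreadable, because a shell pipeline (`cat | grep -v | sed > README.md`) reports only the status of its last command. The new `build` and `serve` scripts both start with it, so in that case `npm run build` would go on to `vuepress build -d ../dist/` with an empty `README.md`, and the generated site would presumably lose its front page without the job stopping. A single sed call exits non-zero when it cannot open its input: `"build:readme": "sed -e '/ocumentation/d' -e 's/https:\\/\\/\\w\\+\\.docs\\.fairwinds\\.com//g' ../README.md > README.md",`. That form also escapes the dots, which the current pattern leaves matching any character.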