rancher-partner-charts/charts/fairwinds/polaris/README.md

# Polaris

[Polaris](https://github.com/FairwindsOps/polaris)
is a tool for auditing and enforcing best practices in Kubernetes.

## Installation
We recommend installing polaris in its own namespace.

### Dashboard
```
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris
```

### Webhook

A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work.

If you don't use cert-manager, you'll need to:
* Supply a CA Bundle with the `webhook.caBundle`
* Create a TLS secret in your cluster with a valid certificate that uses that CA
* Pass the name of that secret with the `webhook.secretName` parameter.

```
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false
```

## A Note on Chart Version 0.10.0+

Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's,
the 0.10.0 version of this chart will only work on kubernetes 1.14.0+

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. |
| configUrl | string | `nil` | Use a config from an accessible URL source.  NOTE: `config` & `configUrl` are mutually exclusive.  Setting `configURL` will take precedence over `config`.  Only one may be used. configUrl: https://example.com/config.yaml |
| additionExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` |
| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo |
| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion |
| image.pullPolicy | string | `"Always"` | Image pull policy |
| image.pullSecrets | list | `[]` | Image pull secrets |
| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `nil` | The name of the service account to use. |
| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` |
| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` |
| dashboard.enable | bool | `true` | Whether to run the dashboard. |
| dashboard.port | int | `8080` | Port that the dashboard will run from. |
| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. |
| dashboard.replicas | int | `2` | Number of replicas to run. |
| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command |
| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. |
| dashboard.deploymentAnnotations | object | `{}` | Custom additional annotations on dashboard Deployment. |
| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard |
| dashboard.extraContainers | list | `[]` | allows injecting additional containers. |
| dashboard.service.type | string | `"ClusterIP"` | Service Type |
| dashboard.service.annotations | object | `{}` | Service annotations |
| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port |
| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values |
| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector |
| dashboard.tolerations | list | `[]` | Dashboard pod tolerations |
| dashboard.affinity | object | `{}` | Dashboard pods affinity |
| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints |
| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard |
| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. |
| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames |
| dashboard.ingress.annotations | object | `{}` | Web ingress annotations |
| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration |
| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case |
| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. |
| dashboard.disallowExemptions | bool | `false` | Disallow any exemption |
| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file |
| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations |
| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container |
| webhook.enable | bool | `false` | Whether to run the webhook |
| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues |
| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues |
| webhook.replicas | int | `2` | Number of replicas |
| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector |
| webhook.tolerations | list | `[]` | Webhook pod tolerations |
| webhook.affinity | object | `{}` | Webhook pods affinity |
| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints |
| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. |
| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager |
| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. |
| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration |
| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration |
| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration |
| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration |
| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. |
| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. |
| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration |
| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. |
| webhook.deploymentAnnotations | object | `{}` | Custom additional annotations on webhook Deployment. |
| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. |
| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. |
| webhook.disallowExemptions | bool | `false` | Disallow any exemption |
| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file |
| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations |
| webhook.mutatingConfigurationAnnotations | object | `{}` |  |
| webhook.validatingConfigurationAnnotations | object | `{}` |  |
| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. |
| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. |
| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. |