Merge pull request #842 from FairwindsOps/sudermanjr/fairwinds-polaris

Add Fairwinds Polaris
pull/843/head
Nefi Munoz 2023-07-25 11:08:01 -06:00 committed by GitHub
commit e7e7b98691
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 1394 additions and 0 deletions

Binary file not shown.

View File

@ -0,0 +1,69 @@
# Changelog
All notable changes to this Helm chart will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
## 5.11.1
* set kubeVersion in the chart manifest
## 5.9.0
* Update Polaris version to 8.0
## 5.8.2
* Fix webhook annotations reference
## 5.8.1
* Fix cert manager apiVersion override
## 5.7.6
* Patch bump for updating charts CI
## 5.7.4
Added addition exemptions
* https://github.com/FairwindsOps/charts/issues/1059
## 5.5.1
### Added
RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks:
* https://github.com/FairwindsOps/polaris/pull/820
* https://github.com/FairwindsOps/polaris/pull/823
## 5.5.0
### Added
Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles).
## 4.2.1
### Added
Support `ingressClassName` in Ingress object.
## 1.0.0
Updated to Polaris 1.0.
In addition to changes needed for Polaris 1.0, there are some chart changes:
* RBAC has been simplified to remove duplication
* `config` now uses the built-in Polaris config by default
* `ingress` is now attached to the dashboard values
* only a single `image` is specified for the entire chart
## 0.6.0
### Fixed
* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error:
```
UPGRADE FAILED
Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart
```
Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret.
* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed.
### Changed
* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates.
### Added
* This changelog has been added to help track updates to this Helm chart.
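Review bot: the 5.7.4 entry ("Added addition exemptions") misnames the value; the chart exposes it as `additionalExemptions` (that is the key the ConfigMap template and the CI values use), so the entry should read "Added `additionalExemptions` value" so that readers can find it in the values table.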

View File

@ -0,0 +1,15 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Fairwinds Polaris
catalog.cattle.io/kube-version: '>= 1.22.0-0'
catalog.cattle.io/release-name: polaris
apiVersion: v1
appVersion: "8.4"
description: Validation of best practices in your Kubernetes clusters
icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png
kubeVersion: '>= 1.22.0-0'
maintainers:
- email: robertb@fairwinds.com
name: rbren
name: polaris
version: 5.11.1
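Review bot: `appVersion: "8.4"` is not reflected in CHANGELOG.md, whose most recent Polaris bump is "Update Polaris version to 8.0" under 5.9.0; since `image.tag` defaults to this appVersion, add a changelog entry recording which chart version moved the image to 8.4.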

View File

@ -0,0 +1,105 @@
# Polaris
[Polaris](https://github.com/FairwindsOps/polaris)
is a tool for auditing and enforcing best practices in Kubernetes.
## Installation
We recommend installing polaris in its own namespace.
### Dashboard
```
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris
```
### Webhook
A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work.
If you don't use cert-manager, you'll need to:
* Supply a CA Bundle with the `webhook.caBundle`
* Create a TLS secret in your cluster with a valid certificate that uses that CA
* Pass the name of that secret with the `webhook.secretName` parameter.
```
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false
```
## A Note on Chart Version 0.10.0+
Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's,
the 0.10.0 version of this chart will only work on kubernetes 1.14.0+
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. |
| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml |
| additionExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` |
| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo |
| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion |
| image.pullPolicy | string | `"Always"` | Image pull policy |
| image.pullSecrets | list | `[]` | Image pull secrets |
| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `nil` | The name of the service account to use. |
| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` |
| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` |
| dashboard.enable | bool | `true` | Whether to run the dashboard. |
| dashboard.port | int | `8080` | Port that the dashboard will run from. |
| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. |
| dashboard.replicas | int | `2` | Number of replicas to run. |
| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command |
| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. |
| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard |
| dashboard.extraContainers | list | `[]` | allows injecting additional containers. |
| dashboard.service.type | string | `"ClusterIP"` | Service Type |
| dashboard.service.annotations | object | `{}` | Service annotations |
| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port |
| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values |
| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector |
| dashboard.tolerations | list | `[]` | Dashboard pod tolerations |
| dashboard.affinity | object | `{}` | Dashboard pods affinity |
| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints |
| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard |
| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. |
| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames |
| dashboard.ingress.annotations | object | `{}` | Web ingress annotations |
| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration |
| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case |
| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. |
| dashboard.disallowExemptions | bool | `false` | Disallow any exemption |
| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file |
| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations |
| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container |
| webhook.enable | bool | `false` | Whether to run the webhook |
| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues |
| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues |
| webhook.replicas | int | `2` | Number of replicas |
| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector |
| webhook.tolerations | list | `[]` | Webhook pod tolerations |
| webhook.affinity | object | `{}` | Webhook pods affinity |
| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints |
| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. |
| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager |
| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. |
| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration |
| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration |
| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration |
| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration |
| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. |
| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. |
| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration |
| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. |
| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. |
| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. |
| webhook.disallowExemptions | bool | `false` | Disallow any exemption |
| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file |
| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations |
| webhook.mutatingConfigurationAnnotations | object | `{}` | |
| webhook.validatingConfigurationAnnotations | object | `{}` | |
| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. |
| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. |
| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. |
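Review bot: the values table documents `additionExemptions` (the row after `configUrl`), but the ConfigMap template and the CI values use `additionalExemptions`, so a user who copies the documented key gets it silently ignored; fix the key name at its source (values.yaml comments, since this table is rendered from `chart.valuesSection`). In the same table, the `configUrl` description refers to `configURL` in a different case, `dashboard.listeningAddress` carries the typo "listerning", `webhook.mutatingConfigurationAnnotations` and `webhook.validatingConfigurationAnnotations` have empty descriptions, and `clusterDomain`, which the Certificate template reads, is missing entirely.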

View File

@ -0,0 +1,35 @@
# Polaris
[Polaris](https://github.com/FairwindsOps/polaris)
is a tool for auditing and enforcing best practices in Kubernetes.
## Installation
We recommend installing polaris in its own namespace.
### Dashboard
```
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris
```
### Webhook
A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work.
If you don't use cert-manager, you'll need to:
* Supply a CA Bundle with the `webhook.caBundle`
* Create a TLS secret in your cluster with a valid certificate that uses that CA
* Pass the name of that secret with the `webhook.secretName` parameter.
```
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false
```
## A Note on Chart Version 0.10.0+
Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's,
the 0.10.0 version of this chart will only work on kubernetes 1.14.0+
{{ template "chart.valuesSection" . }}
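Review bot: the "A Note on Chart Version 0.10.0+" section is stale: it promises the chart works on Kubernetes 1.14.0+, while Chart.yaml sets `kubeVersion: '>= 1.22.0-0'`, so `helm install` refuses anything older. Update or drop the note here rather than in README.md, because README.md is rendered from this template.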

View File

@ -0,0 +1,66 @@
# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml
nameOverride: polaris
config:
checks:
# reliability
deploymentMissingReplicas: warning
priorityClassNotSet: ignore
tagNotSpecified: danger
pullPolicyNotAlways: warning
readinessProbeMissing: warning
livenessProbeMissing: warning
metadataAndNameMismatched: ignore
pdbDisruptionsIsZero: warning
missingPodDisruptionBudget: ignore
topologySpreadConstraint: warning
# efficiency
cpuRequestsMissing: warning
cpuLimitsMissing: warning
memoryRequestsMissing: warning
memoryLimitsMissing: warning
# security
automountServiceAccountToken: ignore
hostIPCSet: danger
hostPIDSet: danger
linuxHardening: warning
missingNetworkPolicy: ignore
notReadOnlyRootFilesystem: warning
privilegeEscalationAllowed: danger
runAsRootAllowed: danger
runAsPrivileged: danger
dangerousCapabilities: danger
insecureCapabilities: warning
hostNetworkSet: danger
hostPortSet: warning
tlsSettingsMissing: warning
# These are initially warning and will later be promoted to danger.
sensitiveContainerEnvVar: warning
sensitiveConfigmapContent: warning
clusterrolePodExecAttach: warning
rolePodExecAttach: warning
clusterrolebindingPodExecAttach: warning
rolebindingClusterRolePodExecAttach: warning
rolebindingRolePodExecAttach: warning
clusterrolebindingClusterAdmin: warning
rolebindingClusterAdminClusterRole: warning
rolebindingClusterAdminRole: warning
mutations:
- pullPolicyNotAlways
exemptions:
- namespace: kube-system
controllerNames:
- coredns
rules:
- automountServiceAccountToken
- missingNetworkPolicy
additionalExemptions:
- namespace: foo
containerName:
- bar
rules:
- privilegeEscalationAllowed

View File

@ -0,0 +1,9 @@
dashboard:
ingress:
enabled: true
ingressClassName: ingress
hosts:
- foo.com
webhook:
enabled: true
mutate: true
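Review bot: `webhook.enabled: true` does not match the chart's value name, which is `webhook.enable` (see the values table and the `{{- if .Values.webhook.enable -}}` guards in the templates), so this CI run renders no webhook resources at all and `mutate: true` is never exercised. Change it to `webhook.enable: true`; the `dashboard.ingress.enabled` key above is correct, since that value is spelled `enabled`.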

View File

@ -0,0 +1,15 @@
dashboard:
ingress:
enabled: true
ingressClassName: ingress
hosts:
- foo.com
webhook:
enabled: true
mutate: true
mutatingConfigurationAnnotations:
test: mutate
validatingConfigurationAnnotations:
test: validate
certManager:
apiVersion: cert-manager.io/v1
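Review bot: same name mismatch as in the other CI values file: `webhook.enabled` should be `webhook.enable`, otherwise `mutatingConfigurationAnnotations`, `validatingConfigurationAnnotations` and `certManager.apiVersion` below it are never rendered, and the `test: mutate` / `test: validate` annotations cannot detect that the MutatingWebhookConfiguration template renders `validatingConfigurationAnnotations` instead of `mutatingConfigurationAnnotations`.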

View File

@ -0,0 +1,6 @@
{{- if .Values.templateOnly -}}
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Namespace }}
{{- end -}}

View File

@ -0,0 +1,19 @@
** Please be patient while the chart is being deployed **
Enjoy Polaris and smooth sailing!
{{- if contains "ClusterIP" .Values.dashboard.service.type }}
{{- if .Values.webhook.enable }}
The webhook is now running. Any resources that violate Polaris policy will be rejected.
{{- end }}
{{- if .Values.dashboard.enable }}
To view the dashboard execute this command:
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80
Then open http://localhost:8080 in your browser.
{{- end }}
{{- end }}
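Review bot: the webhook notice is nested inside `{{- if contains "ClusterIP" .Values.dashboard.service.type }}`, so users with a NodePort or LoadBalancer dashboard service are never told that the validating webhook is live and will start rejecting non-compliant workloads. Move the `.Values.webhook.enable` block outside the service-type check; only the port-forward instructions depend on ClusterIP.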

View File

@ -0,0 +1,70 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "polaris.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "polaris.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "polaris.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Standard labels
*/}}
{{- define "polaris.labels" -}}
app: {{ include "polaris.name" . }}
{{- if not .Values.templateOnly }}
app.kubernetes.io/component: dashboard
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ template "polaris.name" . }}
app.kubernetes.io/part-of: {{ template "polaris.name" . }}
app.kubernetes.io/version: "{{ .Chart.Version }}"
helm.sh/chart: {{ include "polaris.chart" . }}
{{- end -}}
{{- end -}}
{{/*
Standard selector
*/}}
{{- define "polaris.selectors" -}}
app: {{ include "polaris.name" . }}
{{- if not .Values.templateOnly }}
app.kubernetes.io/name: {{ include "polaris.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- end -}}
{{/*
Name of the service account to use
*/}}
{{- define "polaris.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "polaris.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
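Review bot: `polaris.labels` hardcodes `app.kubernetes.io/component: dashboard`, yet the helper is included by the ServiceAccount, the ClusterRole and ClusterRoleBindings, the ConfigMap, the Certificate and the audit Job, so every one of those objects is labelled as the dashboard component (the Job then adds its own `component: audit` beside it). Drop the hardcoded line from the helper and let each template set its own `app.kubernetes.io/component`, as they already do with `component:`.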

View File

@ -0,0 +1,80 @@
{{- if .Values.audit.enable -}}
apiVersion: batch/v1
kind: Job
metadata:
{{- with .Values.config }}
annotations:
checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'
{{- end }}
name: {{ include "polaris.fullname" . }}
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
component: audit
spec:
template:
spec:
serviceAccountName: {{ include "polaris.fullname" . }}
restartPolicy: Never
containers:
- command:
- polaris
- audit
- --output-url
- {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }}
- --output-file
- /tmp/results/done
{{- with .Values.config }}
- --config
- /opt/app/config.yaml
{{- end }}
image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}'
imagePullPolicy: '{{.Values.image.pullPolicy}}'
name: audit
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
{{- with .Values.config }}
- name: config
mountPath: /opt/app/config.yaml
subPath: config.yaml
readOnly: true
{{- end }}
- name: results
mountPath: /tmp/results
{{- if .Values.audit.cleanup }}
- name: cleanup
image: gcr.io/heptio-images/namespace-deleter:v0.0.2
imagePullPolicy: Always
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: results
mountPath: /tmp/results
{{- end }}
volumes:
{{- with .Values.config }}
- name: config
configMap:
name: {{ include "polaris.fullname" . }}
{{- end }}
- name: results
{{- end -}}
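Review bot: the optional `cleanup` sidecar (`gcr.io/heptio-images/namespace-deleter:v0.0.2`) runs without the `securityContext` or `resources` that the `audit` container sets, so enabling `audit.cleanup` adds a container that may run as root with privilege escalation allowed and a writable root filesystem, in a pod whose service account is permitted to delete the namespace. Give it the same drop-ALL, non-root, read-only settings and a resource block, and consider pinning the image by digest. Also, the `results` volume at the end of the spec has a name but no source; unless a line was lost in rendering, it needs `emptyDir: {}`.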

View File

@ -0,0 +1,38 @@
{{- if .Values.audit.cleanup }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "polaris.fullname" . }}-audit-cleanup
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: polaris
rules:
- apiGroups:
- ''
resources:
- namespaces
resourceNames:
- {{ .Release.Namespace }}
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "polaris.fullname" . }}-audit-cleanup
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: polaris
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "polaris.fullname" . }}-audit-cleanup
subjects:
- kind: ServiceAccount
name: {{ include "polaris.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
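Review bot: scoping `delete` on `namespaces` to `resourceNames: [{{ .Release.Namespace }}]` is the right least-privilege shape for a job that removes its own namespace; the remaining nit is that both objects label themselves with a bare `app: polaris` instead of `{{- include "polaris.labels" . | nindent 4 }}` like the rest of the chart, so they lack the `helm.sh/chart` and `app.kubernetes.io/instance` labels and fall outside label-based selection.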

View File

@ -0,0 +1,22 @@
{{- if not .Values.configUrl }}
{{- with .Values.config }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "polaris.fullname" $ }}
{{- if $.Values.templateOnly }}
namespace: {{ $.Release.Namespace }}
{{- end }}
labels:
{{- include "polaris.labels" $ | nindent 4 }}
data:
config.yaml: |
{{- range $key, $value := . }}
{{ $key }}:
{{- toYaml $value | nindent 6 }}
{{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }}
{{- toYaml $.Values.additionalExemptions | nindent 6 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
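Review bot: `additionalExemptions` is only merged when `config` contains an `exemptions` key (`eq $key "exemptions"`), and the ConfigMap is only rendered when `config` is set at all, so a user who relies on the built-in Polaris config, supplies a `config` without `exemptions`, or sets `configUrl` has their `additionalExemptions` silently dropped. Either fail the render (`required` or `fail`) in those cases or state in the values table that `additionalExemptions` needs an inline `config.exemptions` list.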

View File

@ -0,0 +1,130 @@
{{- if .Values.dashboard.enable -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "polaris.fullname" . }}-dashboard
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
component: dashboard
spec:
replicas: {{.Values.dashboard.replicas}}
selector:
matchLabels:
{{- include "polaris.selectors" . | nindent 6 }}
component: dashboard
template:
metadata:
{{- with .Values.config }}
annotations:
checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}'
{{- end }}
labels:
{{- include "polaris.selectors" . | nindent 8 }}
component: dashboard
{{- with .Values.dashboard.podAdditionalLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.config }}
volumes:
- name: config
configMap:
name: {{ include "polaris.fullname" $ }}
{{- end }}
{{- if .Values.dashboard.priorityClassName }}
priorityClassName: {{ .Values.dashboard.priorityClassName | quote }}
{{- end }}
containers:
- command:
- polaris
- dashboard
{{- if .Values.configUrl }}
- --config
- {{ .Values.configUrl | quote }}
{{- else }}
{{- with .Values.config }}
- --config
- /opt/app/config.yaml
{{- end }}
{{- end }}
{{- with .Values.dashboard.basePath }}
- --base-path
- {{ . }}
{{- end }}
{{- with .Values.dashboard.port }}
- --port
- {{ . | quote }}
{{- end }}
{{- if .Values.dashboard.listeningAddress }}
- --listening-address
- {{ .Values.dashboard.listeningAddress }}
{{- end }}
{{- if .Values.dashboard.disallowExemptions }}
- --disallow-exemptions
{{- end }}
{{- if .Values.dashboard.disallowConfigExemptions }}
- --disallow-config-exemptions
{{- end }}
{{- if .Values.dashboard.disallowAnnotationExemptions }}
- --disallow-annotation-exemptions
{{- end }}
{{- if .Values.dashboard.logLevel }}
- --log-level
- {{ .Values.dashboard.logLevel | quote }}
{{- end }}
image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}'
imagePullPolicy: '{{.Values.image.pullPolicy}}'
name: dashboard
ports:
- containerPort: {{ .Values.dashboard.port }}
livenessProbe:
httpGet:
path: {{.Values.dashboard.basePath | default "/" }}health
port: {{ .Values.dashboard.port }}
initialDelaySeconds: 5
periodSeconds: 20
readinessProbe:
httpGet:
path: {{.Values.dashboard.basePath | default "/" }}health
port: {{ .Values.dashboard.port }}
initialDelaySeconds: 5
periodSeconds: 20
resources:
{{- toYaml .Values.dashboard.resources | nindent 10 }}
{{- with .Values.dashboard.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if not .Values.configUrl }}
{{- with .Values.config }}
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
subPath: config.yaml
readOnly: true
{{- end }}
{{- end }}
{{- with .Values.dashboard.extraContainers }}
{{- toYaml . | nindent 6 }}
{{- end }}
serviceAccountName: {{ template "polaris.serviceAccountName" . }}
nodeSelector:
{{- with .Values.dashboard.nodeSelector }}
{{ toYaml . | indent 8 }}
{{- end }}
tolerations:
{{- with .Values.dashboard.tolerations }}
{{ toYaml . | indent 6 }}
{{- end }}
{{- if .Values.dashboard.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }}
{{- end }}
{{- if .Values.dashboard.affinity }}
affinity:
{{ toYaml .Values.dashboard.affinity | indent 8 }}
{{- end }}
{{- end -}}
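Review bot: the probe paths are built as `{{ .Values.dashboard.basePath | default "/" }}health`, so a `basePath` of `/polaris` (no trailing slash) yields `/polarishealth` and the pod never becomes ready; either document that `basePath` must end in `/` or build the path with `trimSuffix "/"` and `printf "%s/health"`. Also `nodeSelector:` and `tolerations:` are emitted even when their values are empty, which renders a null mapping; moving the keys inside the `with` blocks keeps the manifest clean.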

View File

@ -0,0 +1,29 @@
{{- if and .Values.dashboard.enable .Values.dashboard.service -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "polaris.fullname" . }}-dashboard
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
annotations:
{{- range $key, $value := .Values.dashboard.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
ports:
- name: http-dashboard
port: 80
protocol: TCP
targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }}
selector:
{{- include "polaris.selectors" . | nindent 4 }}
component: dashboard
type: {{ .Values.dashboard.service.type }}
{{- if .Values.dashboard.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end -}}

View File

@ -0,0 +1,53 @@
{{- if .Values.dashboard.ingress.enabled -}}
{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}}
{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: networking.k8s.io/v1
{{- end }}
kind: Ingress
metadata:
annotations:
{{- range $key, $value := .Values.dashboard.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "polaris.name" . }}
helm.sh/chart: {{ include "polaris.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
name: polaris
spec:
{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}
ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }}
{{- end }}
{{- if .Values.dashboard.ingress.defaultBackendEnabled }}
defaultBackend:
service:
name: {{ $serviceName }}
port:
number: 80
{{- end }}
rules:
{{- range .Values.dashboard.ingress.hosts }}
- host: {{ . }}
http:
paths:
{{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}
- backend:
serviceName: {{ $serviceName }}
servicePort: 80
{{- else }}
- backend:
service:
name: {{ $serviceName }}
port:
number: 80
path: /
pathType: Prefix
{{- end }}
{{- end -}}
{{- if .Values.dashboard.ingress.tls }}
tls:
{{ toYaml .Values.dashboard.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
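Review bot: `metadata.name: polaris` is hardcoded, and the labels skip the `polaris.labels` helper, so the Ingress does not follow `polaris.fullname` like the Service it points at and two releases in one namespace would collide; use `{{ include "polaris.fullname" . }}-dashboard`. With `kubeVersion: '>= 1.22.0-0'` in Chart.yaml, the `networking.k8s.io/v1beta1` branches (`serviceName`/`servicePort`) can no longer be reached and can be removed.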

View File

@ -0,0 +1,37 @@
{{- if and .Values.webhook.enable .Values.webhook.mutate -}}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: polaris-mutate-webhook
annotations:
{{- if not .Values.webhook.secretName }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert
{{- end }}
{{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if .Values.webhook.caBundle }}
caBundle: {{ .Values.webhook.caBundle | quote }}
{{- end }}
service:
name: {{ include "polaris.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
path: /mutate
port: 443
failurePolicy: {{ .Values.webhook.failurePolicy }}
matchPolicy: {{ .Values.webhook.matchPolicy }}
name: polaris.fairwinds.com
namespaceSelector:
{{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }}
objectSelector:
{{ .Values.webhook.objectSelector | toYaml | nindent 4 }}
rules:
{{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }}
sideEffects: None
timeoutSeconds: 10
{{- end -}}
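Review bot: the annotations loop iterates `.Values.webhook.validatingConfigurationAnnotations` instead of `.Values.webhook.mutatingConfigurationAnnotations`, so the documented `webhook.mutatingConfigurationAnnotations` value is never applied and the validating annotations land on the MutatingWebhookConfiguration; change the `range` to the mutating value. `name: polaris-mutate-webhook` is also hardcoded on a cluster-scoped object, so a second release would overwrite the first's configuration; deriving it from `polaris.fullname` avoids that.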

View File

@ -0,0 +1,67 @@
{{- if .Values.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "polaris.fullname" . }}-view
labels:
{{- include "polaris.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: {{ include "polaris.fullname" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "polaris.fullname" . }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
rules:
# required by controller-runtime code doing a cluster wide lookup
# when it seems namespace would suffice
- apiGroups:
- ''
resources:
- 'nodes'
verbs:
- 'get'
- 'list'
- apiGroups:
- 'monitoring.coreos.com'
resources:
- 'prometheuses'
- 'alertmanagers'
verbs:
- 'get'
- 'list'
- apiGroups:
- 'rbac.authorization.k8s.io'
resources:
- 'clusterroles'
- 'clusterrolebindings'
- 'roles'
- 'rolebindings'
verbs:
- 'get'
- 'list'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "polaris.fullname" . }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "polaris.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "polaris.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

View File

@ -0,0 +1,17 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "polaris.fullname" . }}
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,37 @@
{{- if and .Values.webhook.enable .Values.webhook.validate -}}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: polaris-validate-webhook
annotations:
{{- if not .Values.webhook.secretName }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert
{{- end }}
{{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if .Values.webhook.caBundle }}
caBundle: {{ .Values.webhook.caBundle | quote }}
{{- end }}
service:
name: {{ include "polaris.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate
port: 443
failurePolicy: {{ .Values.webhook.failurePolicy }}
matchPolicy: {{ .Values.webhook.matchPolicy }}
name: polaris.fairwinds.com
namespaceSelector:
{{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }}
objectSelector:
{{ .Values.webhook.objectSelector | toYaml | nindent 4 }}
rules:
{{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }}
sideEffects: None
timeoutSeconds: 10
{{- end -}}
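Review bot: when `webhook.secretName` is set but `webhook.caBundle` is left null, this configuration ends up with neither the `cert-manager.io/inject-ca-from` annotation (skipped by `{{- if not .Values.webhook.secretName }}`) nor a `caBundle`, so the API server has no CA with which to verify the webhook's serving certificate and, with the default `failurePolicy: Fail`, every matching CREATE/UPDATE is rejected; either document in values.yaml that `caBundle` is mandatory alongside `secretName`, or `fail` the render when one is given without the other. Separately, `metadata.name: polaris-validate-webhook` is a fixed cluster-scoped name, so two releases of the chart in one cluster would contend for the same object; `{{ include "polaris.fullname" . }}-validate-webhook` avoids that.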

@ -0,0 +1,48 @@
{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}}
{{- if .Values.webhook.certManager.apiVersion }}
apiVersion: {{ .Values.webhook.certManager.apiVersion }}
{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}
apiVersion: cert-manager.io/v1
{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }}
apiVersion: cert-manager.io/v1alpha2
{{- else }}
apiVersion: cert-manager.io/v1alpha1
{{- end }}
kind: Certificate
metadata:
name: {{ include "polaris.fullname" . }}-cert
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
spec:
commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
dnsNames:
- {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
- {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}
- {{ include "polaris.fullname" . }}-webhook
- {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
issuerRef:
kind: Issuer
name: {{ include "polaris.fullname" . }}-selfsigned
secretName: {{ include "polaris.fullname" . }}
---
{{- if .Values.webhook.certManager.apiVersion }}
apiVersion: {{ .Values.webhook.certManager.apiVersion }}
{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}
apiVersion: cert-manager.io/v1
{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }}
apiVersion: cert-manager.io/v1alpha2
{{- else }}
apiVersion: cert-manager.io/v1alpha1
{{- end }}
kind: Issuer
metadata:
name: {{ include "polaris.fullname" . }}-selfsigned
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
spec:
selfSigned: {}
{{- end -}}
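Review bot: the fourth `dnsNames` entry references `.Values.clusterDomain`, but the values.yaml in this PR defines no `clusterDomain` key, so with default values the SAN renders as `<fullname>-webhook.<namespace>.svc.` with a dangling trailing dot; add `clusterDomain: cluster.local` to values.yaml. The `apiVersion` selection block is also duplicated verbatim for the Certificate and the Issuer, and its final `else` branch emits `cert-manager.io/v1alpha1` without checking that the cluster serves it, so a cluster with no cert-manager at all renders cleanly and only fails at install time; move the selection into a named template and have the last branch `fail` with a message pointing at `webhook.certManager.apiVersion` or `webhook.secretName`.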

@ -0,0 +1,132 @@
{{- if .Values.webhook.enable -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "polaris.fullname" . }}-webhook
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
component: webhook
spec:
replicas: {{ .Values.webhook.replicas }}
selector:
matchLabels:
{{- include "polaris.selectors" . | nindent 6 }}
component: webhook
template:
metadata:
{{- with .Values.config }}
annotations:
checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}'
{{- end }}
labels:
{{- include "polaris.selectors" . | nindent 8 }}
component: webhook
{{- with .Values.webhook.podAdditionalLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- name: webhook
command:
- polaris
- webhook
{{- with .Values.config }}
- --config
- /opt/app/config.yaml
{{- end }}
{{- if .Values.webhook.disallowExemptions }}
- --disallow-exemptions
{{- end }}
{{- if .Values.webhook.disallowConfigExemptions }}
- --disallow-config-exemptions
{{- end }}
{{- if .Values.webhook.disallowAnnotationExemptions }}
- --disallow-annotation-exemptions
{{- end }}
- --validate={{ .Values.webhook.validate }}
- --mutate={{ .Values.webhook.mutate }}
image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}'
imagePullPolicy: '{{.Values.image.pullPolicy}}'
ports:
- containerPort: 9876
# These are fairly useless readiness/liveness probes for now
# Follow this issue for potential improvements:
# https://github.com/kubernetes-sigs/controller-runtime/issues/356
livenessProbe:
exec:
command:
- sh
- -c
- ps -ef | grep polaris
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
exec:
command:
- sh
- -c
- ps -ef | grep polaris
initialDelaySeconds: 5
periodSeconds: 5
resources:
{{- toYaml .Values.webhook.resources | nindent 12 }}
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
{{- with .Values.config }}
- name: config
mountPath: /opt/app/config.yaml
subPath: config.yaml
readOnly: true
{{- end }}
- name: secret
mountPath: /opt/cert/
readOnly: true
- name: cr-logs
mountPath: /tmp/
readOnly: false
serviceAccountName: {{ include "polaris.fullname" . }}
{{- if .Values.webhook.priorityClassName }}
priorityClassName: {{ .Values.webhook.priorityClassName | quote }}
{{- end }}
nodeSelector:
{{- with .Values.webhook.nodeSelector }}
{{ toYaml . | indent 8 }}
{{- end }}
tolerations:
{{- with .Values.webhook.tolerations }}
{{ toYaml . | indent 6 }}
{{- end }}
{{- if .Values.webhook.affinity }}
affinity:
{{ toYaml .Values.webhook.affinity | indent 8 }}
{{- end }}
{{- if .Values.webhook.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }}
{{- end }}
volumes:
{{- with .Values.config }}
- name: config
configMap:
name: {{ include "polaris.fullname" $ }}
{{- end }}
- name: secret
secret:
{{- with .Values.webhook.secretName }}
secretName: {{ . }}
{{- else }}
secretName: {{ include "polaris.fullname" . }}
{{- end }}
- name: cr-logs
emptyDir: {}
{{- end -}}
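Review bot: the liveness and readiness probes run `ps -ef | grep polaris`, which always succeeds because `grep polaris` matches its own command line, so neither probe can ever report the webhook unhealthy; the in-template comment acknowledges this, but a `tcpSocket` probe against `containerPort: 9876` (the port the Service targets) needs no `ps` binary or shell in the image and does fail when the listener is gone. Also the container `securityContext` is hardcoded here, while the dashboard reads it from `dashboard.containerSecurityContext` (added in 5.5.0 so that `seccompProfile` can be set); a matching `webhook.containerSecurityContext` value with the same default keeps the two components consistent and lets operators add a seccomp profile to the webhook as well.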

@ -0,0 +1,21 @@
{{- if .Values.webhook.enable -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "polaris.fullname" . }}-webhook
{{- if .Values.templateOnly }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: 9876
selector:
{{- include "polaris.selectors" . | nindent 4 }}
component: webhook
type: ClusterIP
{{- end -}}

@ -0,0 +1,248 @@
# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used.
config: null
# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used.
# configUrl: https://example.com/config.yaml
configUrl: null
# additionExemptions -- List of additional exemptions to append to the exemptions given in `config`
additionExemptions: null
image:
# image.repository -- Image repo
repository: quay.io/fairwinds/polaris
# image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion
tag: ""
# image.pullPolicy -- Image pull policy
pullPolicy: Always
# image.pullSecrets -- Image pull secrets
pullSecrets: []
rbac:
# rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created
enabled: true
serviceAccount:
# serviceAccount.create -- Specifies whether a service account should be created
create: true
# serviceAccount.name -- The name of the service account to use.
name:
# templateOnly -- Outputs Namespace names, used with `helm template`
templateOnly: false
dashboard:
# dashboard.basePath -- Path on which the dashboard is served. Defaults to `/`
basePath: null
# dashboard.enable -- Whether to run the dashboard.
enable: true
# dashboard.port -- Port that the dashboard will run from.
port: 8080
# dashboard.listeningAddress -- Dashboard listerning address.
listeningAddress:
# dashboard.replicas -- Number of replicas to run.
replicas: 2
# dashboard.logLevel -- Set the logging level for the Dashboard command
logLevel: Info
# dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods.
podAdditionalLabels: {}
# dashboard.resources -- Requests and limits for the dashboard
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 150m
memory: 512Mi
# dashboard.extraContainers -- allows injecting additional containers.
extraContainers: []
# extraContainers:
# - name: oauth-proxy
# image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
# args:
# - --upstream=http://127.0.0.1:8080
# - --http-address=0.0.0.0:8081
# ports:
# - containerPort: 8081
# name: oauth-proxy
# protocol: TCP
# resources: {}
service:
# dashboard.service.type -- Service Type
type: ClusterIP
# dashboard.service.annotations -- Service annotations
annotations: {}
# dashboard.service.targetPort -- Service targetport, defaults to dashboard.port
targetPort:
# dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values
loadBalancerSourceRanges: []
# dashboard.nodeSelector -- Dashboard pod nodeSelector
nodeSelector: {}
# dashboard.tolerations -- Dashboard pod tolerations
tolerations: []
# dashboard.affinity -- Dashboard pods affinity
affinity: {}
# dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints
topologySpreadConstraints:
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
component: dashboard
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
component: dashboard
ingress:
# dashboard.ingress.enabled -- Whether to enable ingress to the dashboard
enabled: false
# dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
ingressClassName:
# dashboard.ingress.hosts -- Web ingress hostnames
hosts: []
# dashboard.ingress.annotations -- Web ingress annotations
annotations: {}
# dashboard.ingress.tls -- Ingress TLS configuration
tls: []
# dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case
defaultBackendEnabled: false
# dashboard.priorityClassName -- Priority Class name to be used in deployment if provided.
priorityClassName:
# dashboard.disallowExemptions -- Disallow any exemption
disallowExemptions: false
# dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
disallowConfigExemptions: false
# dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
disallowAnnotationExemptions: false
# dashboard.containerSecurityContext -- securityContext to apply to the dashboard container
containerSecurityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
webhook:
# webhook.enable -- Whether to run the webhook
enable: false
# webhook.validate -- Enables the Validating Webhook, to reject resources with issues
validate: true
# webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues
mutate: false
# webhook.replicas -- Number of replicas
replicas: 2
# webhook.nodeSelector -- Webhook pod nodeSelector
nodeSelector: {}
# webhook.tolerations -- Webhook pod tolerations
tolerations: []
# webhook.affinity -- Webhook pods affinity
affinity: {}
# webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints
topologySpreadConstraints:
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
component: webhook
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
component: webhook
certManager:
# -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps.
apiVersion: ""
# webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager
caBundle: null
# webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used.
secretName: null
# webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration
failurePolicy: Fail
# webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration
matchPolicy: Exact
# webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration
namespaceSelector:
matchExpressions:
- key: control-plane
operator: DoesNotExist
# webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration
objectSelector: {}
# webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
rules: []
# webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
mutatingRules: []
# webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration
defaultRules:
- apiGroups:
- apps
apiVersions:
- v1
- v1beta1
- v1beta2
operations:
- CREATE
- UPDATE
resources:
- daemonsets
- deployments
- statefulsets
scope: Namespaced
- apiGroups:
- batch
apiVersions:
- v1
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- jobs
- cronjobs
scope: Namespaced
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
- replicationcontrollers
scope: Namespaced
# webhook.podAdditionalLabels -- Custom additional labels on webhook pods.
podAdditionalLabels: {}
# webhook.resources -- Requests and limits for the webhook.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 100m
memory: 128Mi
# webhook.priorityClassName -- Priority Class name to be used in deployment if provided.
priorityClassName:
# webhook.disallowExemptions -- Disallow any exemption
disallowExemptions: false
# webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
disallowConfigExemptions: false
# webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
disallowAnnotationExemptions: false
mutatingConfigurationAnnotations: {}
validatingConfigurationAnnotations: {}
audit:
# audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others.
enable: false
# audit.cleanup -- Whether to delete the namespace once the audit is finished.
cleanup: false
# audit.outputURL -- A URL which will receive a POST request with audit results.
outputURL: ""
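Review bot: a few documentation fixes in the `# key -- description` comments: the `configUrl` comment refers to `configURL` (the key is `configUrl`) and says both that the two keys are mutually exclusive and that `configUrl` takes precedence, so pick one; `dashboard.listeningAddress` says "listerning"; `dashboard.service.targetPort` says "targetport"; and the `# -- Allows overriding ...` comment above `certManager.apiVersion` lacks the `webhook.certManager.apiVersion` key prefix every other entry in this file carries. Finally, `image.pullPolicy: Always` combined with a tag that defaults to the pinned `appVersion` re-pulls an immutable tag on every pod start; `IfNotPresent` is the usual default for pinned tags.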

@ -33796,6 +33796,26 @@ entries:
urls:
- assets/pixie/pixie-operator-chart-0.0.2501.tgz
version: 0.0.2501
polaris:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Fairwinds Polaris
catalog.cattle.io/kube-version: '>= 1.22.0-0'
catalog.cattle.io/release-name: polaris
apiVersion: v1
appVersion: "8.4"
created: "2023-07-25T08:56:35.417073-06:00"
description: Validation of best practices in your Kubernetes clusters
digest: 1ea1c14b24c57507e4a08ee7717dacccbfc62bd12b3107af235cd031cdb30bd3
icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png
kubeVersion: '>= 1.22.0-0'
maintainers:
- email: robertb@fairwinds.com
name: rbren
name: polaris
urls:
- assets/fairwinds/polaris-5.11.1.tgz
version: 5.11.1
portshift-operator:
- annotations:
catalog.cattle.io/certified: partner

@ -0,0 +1,6 @@
HelmRepo: https://charts.fairwinds.com/stable
HelmChart: polaris
Vendor: Fairwinds
DisplayName: Fairwinds Polaris
ChartMetadata:
icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png