diff --git a/assets/fairwinds/polaris-5.11.1.tgz b/assets/fairwinds/polaris-5.11.1.tgz new file mode 100644 index 000000000..ea4af5e46 Binary files /dev/null and b/assets/fairwinds/polaris-5.11.1.tgz differ diff --git a/charts/fairwinds/polaris/CHANGELOG.md b/charts/fairwinds/polaris/CHANGELOG.md new file mode 100644 index 000000000..f9b7fbfc9 --- /dev/null +++ b/charts/fairwinds/polaris/CHANGELOG.md 
@@ -0,0 +1,69 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. 
Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/Chart.yaml b/charts/fairwinds/polaris/Chart.yaml new file mode 100644 index 000000000..f99ff6cb4 --- /dev/null +++ b/charts/fairwinds/polaris/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.4" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.11.1 diff --git a/charts/fairwinds/polaris/README.md b/charts/fairwinds/polaris/README.md new file mode 100644 index 000000000..497f7f8ff --- /dev/null +++ b/charts/fairwinds/polaris/README.md 
@@ -0,0 +1,105 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. 
configUrl: https://example.com/config.yaml | +| additionExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. 
| +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. 
| +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. 
| +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. 
| +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/README.md.gotmpl b/charts/fairwinds/polaris/README.md.gotmpl new file mode 100644 index 000000000..f932a33c0 --- /dev/null +++ b/charts/fairwinds/polaris/README.md.gotmpl 
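Review bot: the values table in README.md documents the key as `additionExemptions`, but the chart reads `additionalExemptions` (`$.Values.additionalExemptions` in templates/configmap.yaml, and the key used in ci/merge-values.yaml), so anyone following the README has their extra exemptions silently ignored; rename the row. The same table spells the value both `configUrl` and `configURL` in one description (only `configUrl` is read by the templates) and has "listerning address" in the `dashboard.listeningAddress` row. The section "A Note on Chart Version 0.10.0+" still says the chart needs Kubernetes 1.14.0+, which is stale next to `kubeVersion: '>= 1.22.0-0'` in Chart.yaml; since README.md is generated from README.md.gotmpl via `{{ template "chart.valuesSection" . }}`, make the text fixes in the template as well or they are lost on the next helm-docs run.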
@@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/ci/merge-values.yaml b/charts/fairwinds/polaris/ci/merge-values.yaml new file mode 100644 index 000000000..221896283 --- /dev/null +++ b/charts/fairwinds/polaris/ci/merge-values.yaml 
@@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/ci/test-values-2.yaml b/charts/fairwinds/polaris/ci/test-values-2.yaml new file mode 100644 index 000000000..b07ed8b09 --- /dev/null 
+++ b/charts/fairwinds/polaris/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/ci/test-values.yaml b/charts/fairwinds/polaris/ci/test-values.yaml new file mode 100644 index 000000000..cf152ccb7 --- /dev/null +++ b/charts/fairwinds/polaris/ci/test-values.yaml @@ -0,0 +1,15 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 diff --git a/charts/fairwinds/polaris/templates/0-namespace.yaml b/charts/fairwinds/polaris/templates/0-namespace.yaml new file mode 100644 index 000000000..83e3751bb --- /dev/null +++ b/charts/fairwinds/polaris/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/NOTES.txt b/charts/fairwinds/polaris/templates/NOTES.txt new file mode 100644 index 000000000..96560d753 --- /dev/null +++ b/charts/fairwinds/polaris/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} 
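Review bot: both ci/test-values.yaml and ci/test-values-2.yaml set `webhook: enabled: true`, but every template and the README key off `.Values.webhook.enable` (for example `{{- if and .Values.webhook.enable .Values.webhook.mutate -}}` in mutate-webhook.configuration.yaml), so the CI renders never include the webhook resources and `mutate`, `mutatingConfigurationAnnotations`, `validatingConfigurationAnnotations` and `certManager.apiVersion` are all untested. Change both files to `enable: true`; with that fixed the annotation mix-up in the mutating webhook template (it loops over `validatingConfigurationAnnotations`) would have shown up in CI as `test: validate` landing on the MutatingWebhookConfiguration.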
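Review bot: the `additionalExemptions` entry in ci/merge-values.yaml uses a singular `containerName:` key holding a list, which does not match the plural `controllerNames:` form used in the `config.exemptions` block a few lines above; Polaris exemption entries take `containerNames` (plural), so this exemption is most likely dropped rather than applied and the CI run cannot tell the difference because nothing asserts on the rendered ConfigMap. Use the plural key and consider a CI step that greps the rendered `config.yaml` for the appended entry.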
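Review bot: in templates/NOTES.txt the `{{- if .Values.webhook.enable }}` block sits inside `{{- if contains "ClusterIP" .Values.dashboard.service.type }}`, so an install with `webhook.enable=true` and a `LoadBalancer` or `NodePort` dashboard service never prints that the admission webhook is now rejecting resources; move the webhook block outside the service-type condition, which only matters for the port-forward hint.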
diff --git a/charts/fairwinds/polaris/templates/_helpers.tpl b/charts/fairwinds/polaris/templates/_helpers.tpl new file mode 100644 index 000000000..90b62b461 --- /dev/null +++ b/charts/fairwinds/polaris/templates/_helpers.tpl 
@@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/audit.job.yaml b/charts/fairwinds/polaris/templates/audit.job.yaml new file mode 100644 index 000000000..ae6451b25 --- /dev/null +++ b/charts/fairwinds/polaris/templates/audit.job.yaml 
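Review bot: `polaris.labels` in templates/_helpers.tpl hardcodes `app.kubernetes.io/component: dashboard`, yet the helper is included on the audit Job, the ClusterRole and ClusterRoleBindings and the webhook resources, so every object is labelled as the dashboard component while the real component only appears in the separate `component:` label; drop the hardcoded line or make it a parameter so label-based selection (NetworkPolicy, monitoring, policy engines) is not misled. In the same block `app.kubernetes.io/version: "{{ .Chart.Version }}"` should be `.Chart.AppVersion`, which is the Polaris version actually running and is what the image tag defaults to elsewhere in the chart.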
@@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} 
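Review bot: in templates/audit.job.yaml the checksum annotation is rendered inside `{{- with .Values.config }}` as `{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}`, so the included template receives the config map as its context instead of the chart root, and its `.Values.configUrl` lookup then fails whenever `config` is set; pass `$` as dashboard.deployment.yaml does. Three smaller points in the same hunk: `serviceAccountName: {{ include "polaris.fullname" . }}` bypasses the `polaris.serviceAccountName` helper, so the Job ignores `serviceAccount.name`; the optional `cleanup` container runs `gcr.io/heptio-images/namespace-deleter:v0.0.2` with `imagePullPolicy: Always` and no `resources` or `securityContext`, while the audit container drops all capabilities and runs non-root, and a sidecar that deletes the namespace deserves the same hardening and a digest pin; and the `results` volume has no source and relies on API-server defaulting to `emptyDir`, so write `emptyDir: {}` explicitly.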
diff --git a/charts/fairwinds/polaris/templates/audit.rbac.yaml b/charts/fairwinds/polaris/templates/audit.rbac.yaml new file mode 100644 index 000000000..4e0987a29 --- /dev/null +++ b/charts/fairwinds/polaris/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/configmap.yaml b/charts/fairwinds/polaris/templates/configmap.yaml new file mode 100644 index 000000000..ba72dec1a --- /dev/null +++ b/charts/fairwinds/polaris/templates/configmap.yaml @@ -0,0 +1,22 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} 
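Review bot: in templates/configmap.yaml `additionalExemptions` is only emitted from inside the `range` when `config` already contains an `exemptions` key (`{{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }}`), so a user who supplies a `config` without an `exemptions` list and sets `additionalExemptions` gets nothing appended and no error. Either emit an `exemptions:` key when it is absent or fail the render with `required`. The appended entries also depend on `nindent 6` lining up with the list items produced by `toYaml $value | nindent 6`; a comment saying so would save the next person from breaking it.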
diff --git a/charts/fairwinds/polaris/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/templates/dashboard.deployment.yaml new file mode 100644 index 000000000..1742bd563 --- /dev/null +++ b/charts/fairwinds/polaris/templates/dashboard.deployment.yaml 
@@ -0,0 +1,130 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . 
| quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . 
| indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/dashboard.service.yaml b/charts/fairwinds/polaris/templates/dashboard.service.yaml new file mode 100644 index 000000000..fc9584321 --- /dev/null +++ b/charts/fairwinds/polaris/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/ingress.yaml b/charts/fairwinds/polaris/templates/ingress.yaml new file mode 100644 index 000000000..d0cdd308f --- /dev/null +++ b/charts/fairwinds/polaris/templates/ingress.yaml 
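Review bot: in templates/dashboard.deployment.yaml the probe paths are built as `path: {{.Values.dashboard.basePath | default "/" }}health`, which yields `/polarishealth` for `basePath: /polaris` (no trailing slash), so liveness and readiness both 404 and the pods never become Ready; normalise the value (for example `trimSuffix "/"` and then append `/health`) or document that `basePath` must end in `/`. In the same args list `--base-path` and `--listening-address` are emitted unquoted while `--port` and `--log-level` are quoted; quote all of them for consistency. `nodeSelector:` and `tolerations:` are emitted unconditionally and render as null keys when the values are empty; moving each key inside its `with` block keeps the manifest clean.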
@@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/templates/mutate-webhook.configuration.yaml new file mode 100644 index 000000000..ba53030fd --- /dev/null +++ b/charts/fairwinds/polaris/templates/mutate-webhook.configuration.yaml 
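Review bot: templates/ingress.yaml hardcodes `name: polaris` while every other resource uses `include "polaris.fullname" .`, so two releases in one namespace collide, and the `templateOnly` namespace block the other templates carry is missing here; use the fullname helper and add the block. With `kubeVersion: '>= 1.22.0-0'` in Chart.yaml the `networking.k8s.io/v1beta1` branch can never be taken (that API was removed in 1.22), so the `Capabilities.APIVersions.Has` switches, the `serviceName`/`servicePort` backend and the conditional around `ingressClassName` are dead code and can be collapsed to the v1 form. The labels block also bypasses `polaris.labels`.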
@@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/rbac.yaml b/charts/fairwinds/polaris/templates/rbac.yaml new file mode 100644 index 000000000..56a186183 --- /dev/null +++ b/charts/fairwinds/polaris/templates/rbac.yaml 
@@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/templates/serviceaccount.yaml b/charts/fairwinds/polaris/templates/serviceaccount.yaml new file mode 100644 index 000000000..b2a242726 --- /dev/null +++ b/charts/fairwinds/polaris/templates/serviceaccount.yaml 
@@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/templates/validate-webhook.configuration.yaml new file mode 100644 index 000000000..3b536f432 --- /dev/null +++ b/charts/fairwinds/polaris/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} 
diff --git a/charts/fairwinds/polaris/templates/webhook.cert.yaml b/charts/fairwinds/polaris/templates/webhook.cert.yaml new file mode 100644 index 000000000..fc264ad8d --- /dev/null +++ b/charts/fairwinds/polaris/templates/webhook.cert.yaml 
@@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/templates/webhook.deployment.yaml new file mode 100644 index 000000000..cce1092ab 
--- /dev/null +++ b/charts/fairwinds/polaris/templates/webhook.deployment.yaml 
@@ -0,0 +1,132 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml 
.Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/webhook.service.yaml b/charts/fairwinds/polaris/templates/webhook.service.yaml new file mode 100644 index 000000000..1e34f5361 --- /dev/null +++ b/charts/fairwinds/polaris/templates/webhook.service.yaml 
@@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/values.yaml b/charts/fairwinds/polaris/values.yaml new file mode 100644 index 000000000..3f9b65382 --- /dev/null +++ b/charts/fairwinds/polaris/values.yaml 
@@ -0,0 +1,248 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. 
+ podAdditionalLabels: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. 
+ ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + 
whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. 
+ mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/index.yaml b/index.yaml index a6c3a5d6c..08458b199 100644 --- a/index.yaml +++ b/index.yaml 
@@ -33796,6 +33796,26 @@ entries: urls: - assets/pixie/pixie-operator-chart-0.0.2501.tgz version: 0.0.2501 + polaris: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris + apiVersion: v1 + appVersion: "8.4" + created: "2023-07-25T08:56:35.417073-06:00" + description: Validation of best practices in your Kubernetes clusters + digest: 1ea1c14b24c57507e4a08ee7717dacccbfc62bd12b3107af235cd031cdb30bd3 + icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png + kubeVersion: '>= 1.22.0-0' + maintainers: + - email: robertb@fairwinds.com + name: rbren + name: polaris + urls: + - assets/fairwinds/polaris-5.11.1.tgz + version: 5.11.1 portshift-operator: - annotations: catalog.cattle.io/certified: partner diff --git a/packages/fairwinds/polaris/upstream.yaml b/packages/fairwinds/polaris/upstream.yaml new file mode 100644 index 000000000..9620b0e32 --- /dev/null +++ b/packages/fairwinds/polaris/upstream.yaml @@ -0,0 +1,6 @@ +HelmRepo: https://charts.fairwinds.com/stable +HelmChart: polaris +Vendor: Fairwinds +DisplayName: Fairwinds Polaris +ChartMetadata: + icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png
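Review bot: In templates/dashboard.service.yaml, `loadBalancerSourceRanges` is only rendered when the list is non-empty, and values.yaml defaults it to `[]`; a user who flips `dashboard.service.type` to `LoadBalancer` therefore gets a dashboard reachable from any source address unless they also remember the ranges. Suggest the values.yaml comment on `loadBalancerSourceRanges` state that it should be set whenever `type: LoadBalancer` is used, or that the template fail (`required`) on that combination. Minor style point in the same hunk: the tail of dashboard.deployment.yaml uses `toYaml ... | indent 6` on an unindented line while the Service uses `| nindent 4`; picking one form avoids the leading-blank-line quirks of `indent`.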
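Review bot: In templates/ingress.yaml the Ingress is named with a literal `name: polaris` under `metadata`, while the Service it points at is `{{ include "polaris.fullname" . }}-dashboard` and every other object in the chart goes through the fullname helper; two releases in one namespace would collide on the Ingress, and the `labels` block also hand-writes three labels instead of the `polaris.labels` include used in dashboard.service.yaml. Suggest `name: {{ include "polaris.fullname" . }}-dashboard` and `{{- include "polaris.labels" . | nindent 4 }}` so the naming and label selectors stay consistent across the chart.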
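Review bot: In templates/mutate-webhook.configuration.yaml the annotations loop reads `{{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }}`, but values.yaml in this same diff defines a separate `mutatingConfigurationAnnotations: {}` that no template references; a user's mutating-specific annotations are silently dropped and the validating ones are stamped onto both objects. The loop should range over `.Values.webhook.mutatingConfigurationAnnotations`. Also, `name: polaris-mutate-webhook` is a hardcoded name on a cluster-scoped object, so a second release of the chart (even in another namespace) overwrites the first release's webhook registration; using the fullname helper here, as the Service reference two lines below already does, avoids that.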
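Review bot: In templates/rbac.yaml both ClusterRoleBinding subjects hardcode `name: {{ include "polaris.fullname" . }}`, and templates/serviceaccount.yaml creates the ServiceAccount under the same helper, yet values.yaml in this diff exposes `serviceAccount.name` ('The name of the service account to use') next to the `serviceAccount.create` toggle and nothing visible reads `.Values.serviceAccount.name`. With `create: false` and a custom `name`, the bindings would point at an account that is never created (unless the `polaris.fullname` helper, which is not in this diff, resolves it). Either route the name through one helper used by the ServiceAccount, the bindings and the Deployment's `serviceAccountName`, or drop the unused value. The grants themselves are read-only (`view` plus get/list on nodes, Prometheus CRs and RBAC objects), which is the right scope for an audit tool.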
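Review bot: In templates/validate-webhook.configuration.yaml the `cert-manager.io/inject-ca-from` annotation is emitted whenever `webhook.secretName` is unset, without regard to `webhook.caBundle`; a user who sets `caBundle` but not `secretName` gets both the static bundle and the cainjector annotation, and the injector will overwrite the bundle on the live object. Guard the annotation with `{{- if and (not .Values.webhook.secretName) (not .Values.webhook.caBundle) }}` or state in values.yaml that `caBundle` only applies together with `secretName`. Separately, the default `namespaceSelector` (`control-plane` DoesNotExist), `failurePolicy: Fail`, and `defaultRules` covering `pods` and `deployments` mean the webhook's own release namespace is admitted through the webhook itself; nothing in the chart labels that namespace, so once every webhook replica is gone the ReplicaSet controller cannot create replacement pods and recovery requires editing the configuration by hand. Excluding `.Release.Namespace` with a `kubernetes.io/metadata.name` NotIn expression (that label is set automatically on the 1.22+ clusters this chart targets), or documenting the need to label the namespace, would close that loop.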
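Review bot: In templates/webhook.cert.yaml the fourth SAN, `{{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}`, depends on `.Values.clusterDomain`, but values.yaml in this diff never defines `clusterDomain`, so a default install renders that entry with no cluster domain (a trailing dot or a nil placeholder), which is not a valid DNS name for the Certificate. Add `clusterDomain: cluster.local` to values.yaml with a comment that it must match the cluster's DNS domain, or wrap the entry in `{{- if .Values.clusterDomain }}`. The `selfSigned` Issuer is acceptable here because the API server trusts only the bundle delivered through `inject-ca-from`, not the system roots.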
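Review bot: In templates/webhook.deployment.yaml both probes run `ps -ef | grep polaris`, and the grep process's own command line contains `polaris`, so the pipeline exits 0 even after the webhook process has died; the comment concedes the probes are 'fairly useless', but as written they can never fail, so a hung or dead webhook with `failurePolicy: Fail` keeps receiving admission traffic until the 10-second timeout. Since the container declares `containerPort: 9876` and the Service routes 443 to it, a `tcpSocket` probe on port 9876 would at least restart the pod when the TLS listener is gone without assuming a health endpoint this diff does not show. A second point: the webhook hardcodes its container `securityContext` (drop ALL, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`) while the dashboard reads `dashboard.containerSecurityContext` from values.yaml; exposing `webhook.containerSecurityContext` the same way keeps the hardening for both workloads visible in one place. `runAsNonRoot: true` with no `runAsUser` relies on the image's USER directive, which is fine as long as that is documented.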
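Review bot: In values.yaml, `webhook.mutatingConfigurationAnnotations: {}` and `webhook.validatingConfigurationAnnotations: {}` are the only keys under `webhook` without a `# webhook.x --` doc comment, and the mutating one is not read by any template in this diff; document both or remove the unused one. Smaller items in the same hunk: the `configUrl` comment spells the key both `configUrl` and `configURL`, the `dashboard.listeningAddress` comment reads 'listerning', and the `webhook.defaultRules` comment says the rules are 'for the ValidatingWebhookConfiguration' although mutate-webhook.configuration.yaml concatenates them as well. Two defaults deserve a sentence in their comments: `image.pullPolicy: Always` with an empty `tag` means every pod start re-resolves the mutable `appVersion` tag rather than a pinned digest, and `webhook.enable: false` means the admission controls are opt-in, so a default install audits but does not block.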