745670abe5
|
||
|---|---|---|
| .. | ||
| ci | ||
| templates | ||
| CHANGELOG.md | ||
| Chart.yaml | ||
| README.md | ||
| README.md.gotmpl | ||
| values.yaml | ||
README.md
Polaris
Polaris is a tool for auditing and enforcing best practices in Kubernetes.
Installation
We recommend installing polaris in its own namespace.
Dashboard
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris
Webhook
A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work.
If you don't use cert-manager, you'll need to:
- Supply a CA Bundle with the
webhook.caBundle - Create a TLS secret in your cluster with a valid certificate that uses that CA
- Pass the name of that secret with the
webhook.secretNameparameter.
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false
A Note on Chart Version 0.10.0+
Due to the deprecation of various extensions/v1beta1 API's,
the 0.10.0 version of this chart will only work on kubernetes 1.14.0+
Values
| Key | Type | Default | Description |
|---|---|---|---|
| config | string | nil |
The polaris configuration. If not provided then the default config from Polaris is used. |
| configUrl | string | nil |
Use a config from an accessible URL source. NOTE: config & configUrl are mutually exclusive. Setting configURL will take precedence over config. Only one may be used. configUrl: https://example.com/config.yaml |
| additionExemptions | string | nil |
List of additional exemptions to append to the exemptions given in config |
| image.repository | string | "quay.io/fairwinds/polaris" |
Image repo |
| image.tag | string | "" |
The Polaris Image tag to use. Defaults to the Chart's AppVersion |
| image.pullPolicy | string | "Always" |
Image pull policy |
| image.pullSecrets | list | [] |
Image pull secrets |
| rbac.enabled | bool | true |
Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created |
| serviceAccount.create | bool | true |
Specifies whether a service account should be created |
| serviceAccount.name | string | nil |
The name of the service account to use. |
| templateOnly | bool | false |
Outputs Namespace names, used with helm template |
| dashboard.basePath | string | nil |
Path on which the dashboard is served. Defaults to / |
| dashboard.enable | bool | true |
Whether to run the dashboard. |
| dashboard.port | int | 8080 |
Port that the dashboard will run from. |
| dashboard.listeningAddress | string | nil |
Dashboard listerning address. |
| dashboard.replicas | int | 2 |
Number of replicas to run. |
| dashboard.logLevel | string | "Info" |
Set the logging level for the Dashboard command |
| dashboard.podAdditionalLabels | object | {} |
Custom additional labels on dashboard pods. |
| dashboard.deploymentAnnotations | object | {} |
Custom additional annotations on dashboard Deployment. |
| dashboard.resources | object | {"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}} |
Requests and limits for the dashboard |
| dashboard.extraContainers | list | [] |
allows injecting additional containers. |
| dashboard.service.type | string | "ClusterIP" |
Service Type |
| dashboard.service.annotations | object | {} |
Service annotations |
| dashboard.service.targetPort | string | nil |
Service targetport, defaults to dashboard.port |
| dashboard.service.loadBalancerSourceRanges | list | [] |
List of allowed CIDR values |
| dashboard.nodeSelector | object | {} |
Dashboard pod nodeSelector |
| dashboard.tolerations | list | [] |
Dashboard pod tolerations |
| dashboard.affinity | object | {} |
Dashboard pods affinity |
| dashboard.topologySpreadConstraints | list | [{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}] |
Dashboard pods topologySpreadConstraints |
| dashboard.ingress.enabled | bool | false |
Whether to enable ingress to the dashboard |
| dashboard.ingress.ingressClassName | string | nil |
From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. |
| dashboard.ingress.hosts | list | [] |
Web ingress hostnames |
| dashboard.ingress.annotations | object | {} |
Web ingress annotations |
| dashboard.ingress.tls | list | [] |
Ingress TLS configuration |
| dashboard.ingress.defaultBackendEnabled | bool | false |
DefaultBackend is required by GKE container native load balancer, set to true for this use case |
| dashboard.priorityClassName | string | nil |
Priority Class name to be used in deployment if provided. |
| dashboard.disallowExemptions | bool | false |
Disallow any exemption |
| dashboard.disallowConfigExemptions | bool | false |
Disallow exemptions that are configured in the config file |
| dashboard.disallowAnnotationExemptions | bool | false |
Disallow exemptions that are configured via annotations |
| dashboard.containerSecurityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true} |
securityContext to apply to the dashboard container |
| webhook.enable | bool | false |
Whether to run the webhook |
| webhook.validate | bool | true |
Enables the Validating Webhook, to reject resources with issues |
| webhook.mutate | bool | false |
Enables the Mutating Webhook, to modify resources with issues |
| webhook.replicas | int | 2 |
Number of replicas |
| webhook.nodeSelector | object | {} |
Webhook pod nodeSelector |
| webhook.tolerations | list | [] |
Webhook pod tolerations |
| webhook.affinity | object | {} |
Webhook pods affinity |
| webhook.topologySpreadConstraints | list | [{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}] |
Webhook pods topologySpreadConstraints |
| webhook.certManager.apiVersion | string | "" |
Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. |
| webhook.caBundle | string | nil |
CA Bundle to use for Validating Webhook instead of cert-manager |
| webhook.secretName | string | nil |
Name of the secret containing a TLS certificate to use if cert-manager is not used. |
| webhook.failurePolicy | string | "Fail" |
failurePolicy for the ValidatingWebhookConfiguration |
| webhook.matchPolicy | string | "Exact" |
matchPolicy for the ValidatingWebhookConfiguration |
| webhook.namespaceSelector | object | {"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]} |
namespaceSelector for the ValidatingWebhookConfiguration |
| webhook.objectSelector | object | {} |
objectSelector for the ValidatingWebhookConfiguration |
| webhook.rules | list | [] |
An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. |
| webhook.mutatingRules | list | [] |
An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. |
| webhook.defaultRules | list | [{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}] |
An array of rules for common types for the ValidatingWebhookConfiguration |
| webhook.podAdditionalLabels | object | {} |
Custom additional labels on webhook pods. |
| webhook.deploymentAnnotations | object | {} |
Custom additional annotations on webhook Deployment. |
| webhook.resources | object | {"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}} |
Requests and limits for the webhook. |
| webhook.priorityClassName | string | nil |
Priority Class name to be used in deployment if provided. |
| webhook.disallowExemptions | bool | false |
Disallow any exemption |
| webhook.disallowConfigExemptions | bool | false |
Disallow exemptions that are configured in the config file |
| webhook.disallowAnnotationExemptions | bool | false |
Disallow exemptions that are configured via annotations |
| webhook.mutatingConfigurationAnnotations | object | {} |
|
| webhook.validatingConfigurationAnnotations | object | {} |
|
| audit.enable | bool | false |
Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. |
| audit.cleanup | bool | false |
Whether to delete the namespace once the audit is finished. |
| audit.outputURL | string | "" |
A URL which will receive a POST request with audit results. |