rancher-partner-charts/charts/fairwinds/polaris/5.12.1
Adam Pickering 745670abe5
Migrate charts directory (vendors starting with F-H) (#1045)
2024-07-08 16:54:26 -06:00

README.md

Polaris

Polaris is a tool for auditing and enforcing best practices in Kubernetes.

Installation

We recommend installing Polaris in its own namespace.

Dashboard

helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris

Webhook

A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work.

If you don't use cert-manager, you'll need to:

  • Supply a CA bundle with the webhook.caBundle parameter
  • Create a TLS secret in your cluster with a valid certificate issued by that CA
  • Pass the name of that secret with the webhook.secretName parameter

helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false
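As an added example (not part of the chart or its README), the shell below mints a private CA and a serving certificate for the webhook, re-checks what the API server will check before trusting an admission response, and wires both into the install through the two values named above. It assumes the chart exposes the webhook as Service <release>-webhook in the release namespace, reads the standard tls.crt/tls.key keys from the secret, and passes webhook.caBundle through verbatim (so it must already be base64-encoded PEM, as the Kubernetes API requires); the secret name polaris-webhook-tls is a constructed value.

```shell
#!/usr/bin/env sh
# Added example, not part of the Polaris chart. Assumptions: the webhook is
# reachable as Service <release>-webhook in the release namespace, the secret
# uses the standard tls.crt/tls.key keys, and webhook.caBundle is passed
# through verbatim (so it must be base64-encoded PEM, as the API requires).
set -eu

# gen_webhook_certs DIR RELEASE NAMESPACE
# Mints a private CA plus a serving certificate whose SANs cover every name
# the API server might use to reach the webhook Service.
gen_webhook_certs() {
  dir=$1; svc="$2-webhook"; ns=$3
  mkdir -p "$dir"
  printf 'subjectAltName=DNS:%s,DNS:%s.%s,DNS:%s.%s.svc\n' \
    "$svc" "$svc" "$ns" "$svc" "$ns" > "$dir/san.cnf"
  # Self-signed CA: its certificate is what goes into webhook.caBundle.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=polaris-webhook-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Serving key and CSR for the webhook, then sign it with the CA and the SAN file.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$svc.$ns.svc" \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.cnf" -out "$dir/tls.crt" 2>/dev/null
}

# verify_webhook_cert DIR RELEASE NAMESPACE
# Re-checks what the API server checks before trusting an admission response:
# the chain verifies against the CA in caBundle and the cert names the Service.
verify_webhook_cert() {
  dir=$1; fqdn="$2-webhook.$3.svc"
  openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/tls.crt" -noout -text | grep -qF "DNS:$fqdn"
}

# install_webhook DIR RELEASE NAMESPACE
# Creates the TLS secret and installs the webhook-only chart, pointing the
# ValidatingWebhookConfiguration at our CA. Needs kubectl, helm and a cluster.
install_webhook() {
  dir=$1; release=$2; ns=$3
  ca_b64=$(base64 < "$dir/ca.crt" | tr -d '\n')   # portable: no GNU-only -w0
  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$ns" create secret tls polaris-webhook-tls \
    --cert="$dir/tls.crt" --key="$dir/tls.key"
  helm repo add fairwinds-stable https://charts.fairwinds.com/stable
  helm install "$release" fairwinds-stable/polaris --namespace "$ns" \
    --set webhook.enable=true --set dashboard.enable=false \
    --set webhook.caBundle="$ca_b64" --set webhook.secretName=polaris-webhook-tls
}
# Usage: d=$(mktemp -d); gen_webhook_certs "$d" polaris polaris \
#   && verify_webhook_cert "$d" polaris polaris && install_webhook "$d" polaris polaris
```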

A Note on Chart Version 0.10.0+

Due to the deprecation of various extensions/v1beta1 APIs, the 0.10.0 version of this chart will only work on Kubernetes 1.14.0+.

Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| `config` | string | `nil` | The Polaris configuration. If not provided, the default config from Polaris is used. |
| `configUrl` | string | `nil` | Use a config from an accessible URL, e.g. `configUrl: https://example.com/config.yaml`. NOTE: `config` and `configUrl` are mutually exclusive; only one may be used, and if both are set `configUrl` takes precedence over `config`. |
| `additionalExemptions` | string | `nil` | List of additional exemptions to append to the exemptions given in `config`. |
| `image.repository` | string | `"quay.io/fairwinds/polaris"` | Image repo |
| `image.tag` | string | `""` | The Polaris image tag to use. Defaults to the chart's AppVersion. |
| `image.pullPolicy` | string | `"Always"` | Image pull policy |
| `image.pullSecrets` | list | `[]` | Image pull secrets |
| `rbac.enabled` | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRoleBinding) should be created |
| `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created |
| `serviceAccount.name` | string | `nil` | The name of the service account to use. |
| `templateOnly` | bool | `false` | Outputs Namespace names; used with `helm template` |
| `dashboard.basePath` | string | `nil` | Path on which the dashboard is served. Defaults to `/`. |
| `dashboard.enable` | bool | `true` | Whether to run the dashboard. |
| `dashboard.port` | int | `8080` | Port that the dashboard will run from. |
| `dashboard.listeningAddress` | string | `nil` | Dashboard listening address. |
| `dashboard.replicas` | int | `2` | Number of replicas to run. |
| `dashboard.logLevel` | string | `"Info"` | Set the logging level for the dashboard command |
| `dashboard.podAdditionalLabels` | object | `{}` | Custom additional labels on dashboard pods. |
| `dashboard.deploymentAnnotations` | object | `{}` | Custom additional annotations on the dashboard Deployment. |
| `dashboard.resources` | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard |
| `dashboard.extraContainers` | list | `[]` | Allows injecting additional containers. |
| `dashboard.service.type` | string | `"ClusterIP"` | Service type |
| `dashboard.service.annotations` | object | `{}` | Service annotations |
| `dashboard.service.targetPort` | string | `nil` | Service targetPort; defaults to `dashboard.port` |
| `dashboard.service.loadBalancerSourceRanges` | list | `[]` | List of allowed CIDR values |
| `dashboard.nodeSelector` | object | `{}` | Dashboard pod nodeSelector |
| `dashboard.tolerations` | list | `[]` | Dashboard pod tolerations |
| `dashboard.affinity` | object | `{}` | Dashboard pods affinity |
| `dashboard.topologySpreadConstraints` | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints |
| `dashboard.ingress.enabled` | bool | `false` | Whether to enable ingress to the dashboard |
| `dashboard.ingress.ingressClassName` | string | `nil` | From Kubernetes 1.18+ this field is supported, provided your ingress controller supports it. When set, you do not need to add the ingress class as an annotation. |
| `dashboard.ingress.hosts` | list | `[]` | Web ingress hostnames |
| `dashboard.ingress.annotations` | object | `{}` | Web ingress annotations |
| `dashboard.ingress.tls` | list | `[]` | Ingress TLS configuration |
| `dashboard.ingress.defaultBackendEnabled` | bool | `false` | A DefaultBackend is required by the GKE container-native load balancer; set to `true` for this use case. |
| `dashboard.priorityClassName` | string | `nil` | Priority class name to be used in the deployment, if provided. |
| `dashboard.disallowExemptions` | bool | `false` | Disallow any exemption |
| `dashboard.disallowConfigExemptions` | bool | `false` | Disallow exemptions that are configured in the config file |
| `dashboard.disallowAnnotationExemptions` | bool | `false` | Disallow exemptions that are configured via annotations |
| `dashboard.containerSecurityContext` | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container |
| `webhook.enable` | bool | `false` | Whether to run the webhook |
| `webhook.validate` | bool | `true` | Enables the Validating Webhook, to reject resources with issues |
| `webhook.mutate` | bool | `false` | Enables the Mutating Webhook, to modify resources with issues |
| `webhook.replicas` | int | `2` | Number of replicas |
| `webhook.nodeSelector` | object | `{}` | Webhook pod nodeSelector |
| `webhook.tolerations` | list | `[]` | Webhook pod tolerations |
| `webhook.affinity` | object | `{}` | Webhook pods affinity |
| `webhook.topologySpreadConstraints` | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints |
| `webhook.certManager.apiVersion` | string | `""` | Allows overriding `.Capabilities.APIVersions` with a specified version. Useful for GitOps. |
| `webhook.caBundle` | string | `nil` | CA bundle to use for the Validating Webhook instead of cert-manager |
| `webhook.secretName` | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. |
| `webhook.failurePolicy` | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration |
| `webhook.matchPolicy` | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration |
| `webhook.namespaceSelector` | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration |
| `webhook.objectSelector` | object | `{}` | objectSelector for the ValidatingWebhookConfiguration |
| `webhook.rules` | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. |
| `webhook.mutatingRules` | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. |
| `webhook.defaultRules` | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration |
| `webhook.podAdditionalLabels` | object | `{}` | Custom additional labels on webhook pods. |
| `webhook.deploymentAnnotations` | object | `{}` | Custom additional annotations on the webhook Deployment. |
| `webhook.resources` | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. |
| `webhook.priorityClassName` | string | `nil` | Priority class name to be used in the deployment, if provided. |
| `webhook.disallowExemptions` | bool | `false` | Disallow any exemption |
| `webhook.disallowConfigExemptions` | bool | `false` | Disallow exemptions that are configured in the config file |
| `webhook.disallowAnnotationExemptions` | bool | `false` | Disallow exemptions that are configured via annotations |
| `webhook.mutatingConfigurationAnnotations` | object | `{}` | |
| `webhook.validatingConfigurationAnnotations` | object | `{}` | |
| `audit.enable` | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds and may not be useful for others. |
| `audit.cleanup` | bool | `false` | Whether to delete the namespace once the audit is finished. |
| `audit.outputURL` | string | `""` | A URL which will receive a POST request with the audit results. |