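---
# Polaris Helm chart values.
# Check severities are based upon
# https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml
# Every check takes one of: ignore, warning, danger.

nameOverride: polaris

config:
  checks:
    # reliability
    deploymentMissingReplicas: warning
    priorityClassNotSet: ignore
    tagNotSpecified: danger
    pullPolicyNotAlways: warning
    readinessProbeMissing: warning
    livenessProbeMissing: warning
    metadataAndNameMismatched: ignore
    pdbDisruptionsIsZero: warning
    missingPodDisruptionBudget: ignore
    topologySpreadConstraint: warning

    # efficiency
    cpuRequestsMissing: warning
    cpuLimitsMissing: warning
    memoryRequestsMissing: warning
    memoryLimitsMissing: warning

    # security
    # Checks set to "ignore" are not reported at all (not merely downgraded).
    # Note that the two ignored checks here are also the ones exempted for
    # kube-system/coredns below; that exemption only takes effect once these
    # checks are raised to warning or danger.
    automountServiceAccountToken: ignore
    hostIPCSet: danger
    hostPIDSet: danger
    linuxHardening: warning
    missingNetworkPolicy: ignore
    notReadOnlyRootFilesystem: warning
    privilegeEscalationAllowed: danger
    runAsRootAllowed: danger
    runAsPrivileged: danger
    dangerousCapabilities: danger
    insecureCapabilities: warning
    hostNetworkSet: danger
    hostPortSet: warning
    tlsSettingsMissing: warning
    # These are initially warning and will later be promoted to danger.
    sensitiveContainerEnvVar: warning
    sensitiveConfigmapContent: warning
    clusterrolePodExecAttach: warning
    rolePodExecAttach: warning
    clusterrolebindingPodExecAttach: warning
    rolebindingClusterRolePodExecAttach: warning
    rolebindingRolePodExecAttach: warning
    clusterrolebindingClusterAdmin: warning
    rolebindingClusterAdminClusterRole: warning
    rolebindingClusterAdminRole: warning

  # Checks whose Polaris-provided mutation is applied — presumably by the
  # mutating admission webhook; confirm against the Polaris version in use.
  mutations:
    - pullPolicyNotAlways

  # Workloads matching an entry are excluded from the listed rules only.
  exemptions:
    - namespace: kube-system
      controllerNames:
        - coredns
      rules:
        - automountServiceAccountToken
        - missingNetworkPolicy

# NOTE(review): the nesting of this key could not be recovered from the source
# layout; placed at chart level on the assumption that a chart template merges
# it into config.exemptions — confirm against the chart's templates.
# NOTE(review): the selector key is singular here (containerName) while the
# entry above uses the plural form (controllerNames) — confirm which spelling
# the consumer expects, since an unknown key would silently match nothing.
additionalExemptions:
  - namespace: foo
    containerName:
      - bar
    rules:
      - privilegeEscalationAllowed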