add option to fail audit below a certain score (#157)

update README
FairwindsOps · Jun 27, 2019 · 20a6028 · 20a6028
1 parent f784c48
commit 20a6028
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -14,10 +14,13 @@
 [circleci-image]: https://circleci.com/gh/reactiveops/polaris.svg?style=svg
 [circleci-link]: https://circleci.com/gh/reactiveops/polaris.svg
 
-Polaris helps keep your cluster healthy. It runs a variety of checks to ensure that Kubernetes deployments are configured using best practices that will avoid potential problems in the future. The project includes two primary components:
+Polaris helps keep your cluster healthy. It runs a variety of checks to ensure that
+Kubernetes deployments are configured using best practices, helping you avoid
+problems in the future. Polaris can be run in a few different modes:
 
 - A dashboard that provides an overview of how well current deployments are configured within a cluster.
 - An experimental validating webhook that can prevent any future deployments that do not live up to a configured standard.
+- A command-line audit that can be incorporated into your CI/CD pipeline
 
 **Want to learn more?** ReactiveOps holds [office hours on Zoom](https://zoom.us/j/242508205) the first Friday of every month, at 12pm Eastern. You can also reach out via email at `[email protected]`
 
@@ -115,14 +118,11 @@ polaris --audit --audit-path ./deploy/
 
 ##### Running with CI/CD
 You can integrate Polaris into CI/CD for repositories containing infrastructure-as-code.
-For example, to fail whenever the Polaris score drops below 90%:
+For example, to fail if polaris detects *any* error-level issues, or if the score drops below 90%:
 ```bash
-score=`polaris --audit --audit-path ./deploy/ --output-format score`
-if [[ $score -lt 90 ]]; then
-  exit 1
-else
-  exit 0
-fi
+polaris --audit --audit-path ./deploy/ \
+  --set-exit-code-on-error \
+  --set-exit-code-below-score 90
 ```
 
 ## Configuration

diff --git a/main.go b/main.go
@@ -50,7 +50,8 @@ func main() {
 	webhook := flag.Bool("webhook", false, "Runs the webhook webserver.")
 	audit := flag.Bool("audit", false, "Runs a one-time audit.")
 	auditPath := flag.String("audit-path", "", "If specified, audits one or more YAML files instead of a cluster")
-	setExitCode := flag.Bool("set-exit-code-on-error", false, "set an exit code of 2 when the audit contains error-level issues.")
+	setExitCode := flag.Bool("set-exit-code-on-error", false, "When running with --audit, set an exit code of 3 when the audit contains error-level issues.")
+	minScore := flag.Int("set-exit-code-below-score", 0, "When running with --audit, set an exit code of 4 when the score is below this threshold (1-100)")
 	dashboardPort := flag.Int("dashboard-port", 8080, "Port for the dashboard webserver")
 	dashboardBasePath := flag.String("dashboard-base-path", "/", "Path on which the dashboard is served")
 	webhookPort := flag.Int("webhook-port", 9876, "Port for the webhook webserver")
@@ -96,7 +97,14 @@ func main() {
 	} else if *dashboard {
 		startDashboardServer(c, *auditPath, *dashboardPort, *dashboardBasePath)
 	} else if *audit {
-		runAudit(c, *auditPath, *setExitCode, *auditOutputFile, *auditOutputURL, *auditOutputFormat)
+		auditData := runAndReportAudit(c, *auditPath, *auditOutputFile, *auditOutputURL, *auditOutputFormat)
+		if *setExitCode && auditData.ClusterSummary.Results.Totals.Errors > 0 {
+			logrus.Infof("%d errors found in audit", auditData.ClusterSummary.Results.Totals.Errors)
+			os.Exit(3)
+		} else if *minScore != 0 && auditData.ClusterSummary.Score < uint(*minScore) {
+			logrus.Infof("Audit score of %d is less than the provided minimum of %d", auditData.ClusterSummary.Score, *minScore)
+			os.Exit(4)
+		}
 	}
 }
 
@@ -181,7 +189,7 @@ func startWebhookServer(c conf.Configuration, disableWebhookConfigInstaller bool
 	}
 }
 
-func runAudit(c conf.Configuration, auditPath string, setExitCode bool, outputFile string, outputURL string, outputFormat string) {
+func runAndReportAudit(c conf.Configuration, auditPath string, outputFile string, outputURL string, outputFormat string) validator.AuditData {
 	k, err := kube.CreateResourceProvider(auditPath)
 	if err != nil {
 		logrus.Errorf("Error fetching Kubernetes resources %v", err)
@@ -195,7 +203,7 @@ func runAudit(c conf.Configuration, auditPath string, setExitCode bool, outputFi
 
 	var outputBytes []byte
 	if outputFormat == "score" {
-		outputBytes = []byte(fmt.Sprint(auditData.ClusterSummary.Score))
+		outputBytes = []byte(fmt.Sprintf("%d\n", auditData.ClusterSummary.Score))
 	} else if outputFormat == "yaml" {
 		jsonBytes, err := json.Marshal(auditData)
 		if err == nil {
@@ -254,9 +262,5 @@ func runAudit(c conf.Configuration, auditPath string, setExitCode bool, outputFi
 			}
 		}
 	}
-
-	if setExitCode && auditData.ClusterSummary.Results.Totals.Errors > 0 {
-		logrus.Infof("Error found. Exiting audit.")
-		os.Exit(3)
-	}
+	return auditData
 }