Merge branch 'master' into rb/polaris-rename

FairwindsOps · May 14, 2019 · 85e27b1 · 85e27b1
2 parents 09f0514 + fb3935a
commit 85e27b1
Show file tree

Hide file tree

Showing 10 changed files with 49 additions and 15 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -9,8 +9,8 @@ FROM alpine:3.9
 WORKDIR /usr/local/bin
 RUN apk --no-cache add ca-certificates
 
-RUN addgroup -S polaris && adduser -S -G polaris polaris
-USER polaris
+RUN addgroup -S polaris && adduser -u 1200 -S polaris -G polaris
+USER 1200
 COPY --from=build-env /go/src/github.com/reactiveops/polaris/polaris .
 
 WORKDIR /opt/app

diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml
@@ -176,6 +176,13 @@ spec:
           requests:
             cpu: 100m
             memory: 128Mi
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
         volumeMounts:
         - name: config
           mountPath: /opt/app/config.yaml

diff --git a/deploy/helm/polaris/templates/dashboard.deployment.yaml b/deploy/helm/polaris/templates/dashboard.deployment.yaml
@@ -53,6 +53,13 @@ spec:
           requests:
             cpu: 100m
             memory: 128Mi
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
         volumeMounts:
         - name: config
           mountPath: /opt/app/config.yaml

diff --git a/deploy/helm/polaris/templates/webhook.deployment.yaml b/deploy/helm/polaris/templates/webhook.deployment.yaml
@@ -63,6 +63,13 @@ spec:
           requests:
             cpu: 100m
             memory: 128Mi
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
         volumeMounts:
         - name: config
           mountPath: /opt/app/config.yaml

diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
@@ -216,6 +216,13 @@ spec:
           requests:
             cpu: 100m
             memory: 128Mi
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
         volumeMounts:
         - name: config
           mountPath: /opt/app/config.yaml

diff --git a/docs/resources.md b/docs/resources.md
@@ -8,10 +8,10 @@ To simplify ensure that these values have been set, the following attributes are
 
 key | default | description
 ----|---------|------------
-`resources.cpuRequestsMissing` | `warning` | Fails when `resources.requests.cpu` attribute is not configured.
-`resources.memoryRequestsMissing` | `warning` | Fails when `resources.requests.memory` attribute is not configured.
-`resources.cpuLimitsMissing` | `warning` | Fails when `resources.limits.cpu` attribute is not configured.
-`resources.memoryLimitsMissing` | `warning` | Fails when `resources.limits.memory` attribute is not configured.
+`resources.cpuRequestsMissing` | `error` | Fails when `resources.requests.cpu` attribute is not configured.
+`resources.memoryRequestsMissing` | `error` | Fails when `resources.requests.memory` attribute is not configured.
+`resources.cpuLimitsMissing` | `error` | Fails when `resources.limits.cpu` attribute is not configured.
+`resources.memoryLimitsMissing` | `error` | Fails when `resources.limits.memory` attribute is not configured.
 
 ## Range Checks
 

diff --git a/pkg/dashboard/dashboard.go b/pkg/dashboard/dashboard.go
@@ -161,8 +161,8 @@ func EndpointHandler(w http.ResponseWriter, r *http.Request, c conf.Configuratio
 		return
 	}
 
-	w.WriteHeader(http.StatusOK)
 	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
 	json.NewEncoder(w).Encode(templateData)
 }
 

diff --git a/pkg/validator/container.go b/pkg/validator/container.go
@@ -97,7 +97,11 @@ func (cv *ContainerValidation) validateResourceRange(resourceName string, rangeC
 	} else if warnBelow != nil && warnBelow.MilliValue() > res.MilliValue() {
 		cv.addWarning(fmt.Sprintf(messages.ResourceAmountTooLowFailure, resourceName, warnBelow.String()), category)
 	} else {
-		cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
+		if warnAbove != nil || warnBelow != nil || errorAbove != nil || errorBelow != nil {
+			cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
+		} else {
+			cv.addSuccess(fmt.Sprintf(messages.ResourcePresentSuccess, resourceName), category)
+		}
 	}
 }
 

diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go
@@ -583,7 +583,7 @@ func TestValidateSecurity(t *testing.T) {
 			securityConf: standardConf,
 			cv:           emptyCV,
 			expectedMessages: []*ResultMessage{{
-				Message:  "Should not be running as root",
+				Message:  "Should not be allowed to run as root",
 				Type:     "warning",
 				Category: "Security",
 			}, {
@@ -625,7 +625,7 @@ func TestValidateSecurity(t *testing.T) {
 				Type:     "warning",
 				Category: "Security",
 			}, {
-				Message:  "Should not be running as root",
+				Message:  "Should not be allowed to run as root",
 				Type:     "warning",
 				Category: "Security",
 			}, {
@@ -639,7 +639,7 @@ func TestValidateSecurity(t *testing.T) {
 			securityConf: standardConf,
 			cv:           goodCV,
 			expectedMessages: []*ResultMessage{{
-				Message:  "Not running as root",
+				Message:  "Is not allowed to run as root",
 				Type:     "success",
 				Category: "Security",
 			}, {
@@ -669,7 +669,7 @@ func TestValidateSecurity(t *testing.T) {
 				Type:     "error",
 				Category: "Security",
 			}, {
-				Message:  "Not running as root",
+				Message:  "Is not allowed to run as root",
 				Type:     "success",
 				Category: "Security",
 			}, {
@@ -691,7 +691,7 @@ func TestValidateSecurity(t *testing.T) {
 			securityConf: strongConf,
 			cv:           strongCV,
 			expectedMessages: []*ResultMessage{{
-				Message:  "Not running as root",
+				Message:  "Is not allowed to run as root",
 				Type:     "success",
 				Category: "Security",
 			}, {

diff --git a/pkg/validator/messages/messages.go b/pkg/validator/messages/messages.go
@@ -35,6 +35,8 @@ const (
 	ResourceAmountTooLowFailure = "%s should be higher than %s"
 	// ResourceAmountSuccess message
 	ResourceAmountSuccess = "%s are within the expected range"
+	// ResourcePresentSuccess message
+	ResourcePresentSuccess = "%s are set"
 	// ReadinessProbeFailure message
 	ReadinessProbeFailure = "Readiness probe should be configured"
 	// ReadinessProbeSuccess message
@@ -56,9 +58,9 @@ const (
 	// HostPortSuccess message
 	HostPortSuccess = "Host port is not configured"
 	// RunAsRootFailure message
-	RunAsRootFailure = "Should not be running as root"
+	RunAsRootFailure = "Should not be allowed to run as root"
 	// RunAsRootSuccess message
-	RunAsRootSuccess = "Not running as root"
+	RunAsRootSuccess = "Is not allowed to run as root"
 	// RunAsPrivilegedFailure message
 	RunAsPrivilegedFailure = "Should not be running as privileged"
 	// RunAsPrivilegedSuccess message