Unverified Commit 85e27b1b authored by Bobby Brennan's avatar Bobby Brennan Committed by GitHub

Merge branch 'master' into rb/polaris-rename

parents 09f05143 fb3935a3
Showing with 49 additions and 15 deletions
+49 -15
......@@ -9,8 +9,8 @@ FROM alpine:3.9
WORKDIR /usr/local/bin
RUN apk --no-cache add ca-certificates
RUN addgroup -S polaris && adduser -S -G polaris polaris
USER polaris
RUN addgroup -S polaris && adduser -u 1200 -S polaris -G polaris
USER 1200
COPY --from=build-env /go/src/github.com/reactiveops/polaris/polaris .
WORKDIR /opt/app
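Review bot: The switch to `USER 1200` carries no comment explaining why a numeric ID is used, so a later cleanup could easily revert it to the user name. With `runAsNonRoot: true` in the manifests, the kubelet can only verify a non-root user when the image's USER is numeric, so I would add `# Numeric UID: runAsNonRoot cannot be verified against a user name` above the `USER` line. The group still gets an auto-assigned GID; pinning it with `addgroup -g 1200 -S polaris` would make file ownership on mounted volumes predictable.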
......
......@@ -176,6 +176,13 @@ spec:
requests:
cpu: 100m
memory: 128Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
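Review bot: The added `securityContext` does not set `allowPrivilegeEscalation: false`, so `no_new_privs` is not applied to the container process even though capabilities are dropped and root is refused. Adding `allowPrivilegeEscalation: false` next to `privileged: false` closes that gap; the same block is repeated in the hunks at -53, -63 and -216 and needs the same line. `runAsNonRoot: true` without `runAsUser` relies on the image declaring a numeric non-root USER, so these manifests presumably only start cleanly with an image built from the updated Dockerfile.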
......
......@@ -53,6 +53,13 @@ spec:
requests:
cpu: 100m
memory: 128Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
......
......@@ -63,6 +63,13 @@ spec:
requests:
cpu: 100m
memory: 128Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
......
......@@ -216,6 +216,13 @@ spec:
requests:
cpu: 100m
memory: 128Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
......
......@@ -8,10 +8,10 @@ To simplify ensure that these values have been set, the following attributes are
key | default | description
----|---------|------------
`resources.cpuRequestsMissing` | `warning` | Fails when `resources.requests.cpu` attribute is not configured.
`resources.memoryRequestsMissing` | `warning` | Fails when `resources.requests.memory` attribute is not configured.
`resources.cpuLimitsMissing` | `warning` | Fails when `resources.limits.cpu` attribute is not configured.
`resources.memoryLimitsMissing` | `warning` | Fails when `resources.limits.memory` attribute is not configured.
`resources.cpuRequestsMissing` | `error` | Fails when `resources.requests.cpu` attribute is not configured.
`resources.memoryRequestsMissing` | `error` | Fails when `resources.requests.memory` attribute is not configured.
`resources.cpuLimitsMissing` | `error` | Fails when `resources.limits.cpu` attribute is not configured.
`resources.memoryLimitsMissing` | `error` | Fails when `resources.limits.memory` attribute is not configured.
## Range Checks
......
......@@ -161,8 +161,8 @@ func EndpointHandler(w http.ResponseWriter, r *http.Request, c conf.Configuratio
return
}
w.WriteHeader(http.StatusOK)
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(templateData)
}
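Review bot: The error returned by `json.NewEncoder(w).Encode(templateData)` is discarded, so an encoding failure produces a 200 response with a truncated or empty body and leaves no trace in the logs. Because the status is already committed by `w.WriteHeader(http.StatusOK)`, the safer order is to marshal first with `body, err := json.Marshal(templateData)`, return a 500 through `http.Error` on failure, and only then set the header and write `body`. The explicit `WriteHeader(http.StatusOK)` is also redundant, since the first write sends 200 anyway. EndpointHandler starts outside this hunk.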
......
......@@ -97,7 +97,11 @@ func (cv *ContainerValidation) validateResourceRange(resourceName string, rangeC
} else if warnBelow != nil && warnBelow.MilliValue() > res.MilliValue() {
cv.addWarning(fmt.Sprintf(messages.ResourceAmountTooLowFailure, resourceName, warnBelow.String()), category)
} else {
cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
if warnAbove != nil || warnBelow != nil || errorAbove != nil || errorBelow != nil {
cv.addSuccess(fmt.Sprintf(messages.ResourceAmountSuccess, resourceName), category)
} else {
cv.addSuccess(fmt.Sprintf(messages.ResourcePresentSuccess, resourceName), category)
}
}
}
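Review bot: The new `if`/`else` nested inside the final `else` adds a level of indentation that the surrounding chain does not need. Folding it into the chain reads more directly: `} else if warnAbove == nil && warnBelow == nil && errorAbove == nil && errorBelow == nil {` reporting `messages.ResourcePresentSuccess`, followed by a plain `} else {` reporting `messages.ResourceAmountSuccess`. A one-line comment such as `// No bounds configured: only presence was checked.` would also explain why two success messages exist. The function starts outside this hunk.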
......
......@@ -583,7 +583,7 @@ func TestValidateSecurity(t *testing.T) {
securityConf: standardConf,
cv: emptyCV,
expectedMessages: []*ResultMessage{{
Message: "Should not be running as root",
Message: "Should not be allowed to run as root",
Type: "warning",
Category: "Security",
}, {
......@@ -625,7 +625,7 @@ func TestValidateSecurity(t *testing.T) {
Type: "warning",
Category: "Security",
}, {
Message: "Should not be running as root",
Message: "Should not be allowed to run as root",
Type: "warning",
Category: "Security",
}, {
......@@ -639,7 +639,7 @@ func TestValidateSecurity(t *testing.T) {
securityConf: standardConf,
cv: goodCV,
expectedMessages: []*ResultMessage{{
Message: "Not running as root",
Message: "Is not allowed to run as root",
Type: "success",
Category: "Security",
}, {
......@@ -669,7 +669,7 @@ func TestValidateSecurity(t *testing.T) {
Type: "error",
Category: "Security",
}, {
Message: "Not running as root",
Message: "Is not allowed to run as root",
Type: "success",
Category: "Security",
}, {
......@@ -691,7 +691,7 @@ func TestValidateSecurity(t *testing.T) {
securityConf: strongConf,
cv: strongCV,
expectedMessages: []*ResultMessage{{
Message: "Not running as root",
Message: "Is not allowed to run as root",
Type: "success",
Category: "Security",
}, {
......
......@@ -35,6 +35,8 @@ const (
ResourceAmountTooLowFailure = "%s should be higher than %s"
// ResourceAmountSuccess message
ResourceAmountSuccess = "%s are within the expected range"
// ResourcePresentSuccess message
ResourcePresentSuccess = "%s are set"
// ReadinessProbeFailure message
ReadinessProbeFailure = "Readiness probe should be configured"
// ReadinessProbeSuccess message
......@@ -56,9 +58,9 @@ const (
// HostPortSuccess message
HostPortSuccess = "Host port is not configured"
// RunAsRootFailure message
RunAsRootFailure = "Should not be running as root"
RunAsRootFailure = "Should not be allowed to run as root"
// RunAsRootSuccess message
RunAsRootSuccess = "Not running as root"
RunAsRootSuccess = "Is not allowed to run as root"
// RunAsPrivilegedFailure message
RunAsPrivilegedFailure = "Should not be running as privileged"
// RunAsPrivilegedSuccess message
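Review bot: The comment `// ResourcePresentSuccess message` in the first hunk of this file repeats the identifier and does not say when the message is emitted. Something like `// ResourcePresentSuccess is reported when a resource value is set and no range bounds are configured` would distinguish it from `ResourceAmountSuccess`. The const block starts and ends outside both hunks.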
......