Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package polaris for openSUSE:Factory checked in at 2022-11-15 13:19:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/polaris (Old) and /work/SRC/openSUSE:Factory/.polaris.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polaris" Tue Nov 15 13:19:11 2022 rev:9 rq:1035796 version:7.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/polaris/polaris.changes 2022-09-25 15:36:10.355748587 +0200 +++ /work/SRC/openSUSE:Factory/.polaris.new.1597/polaris.changes 2022-11-15 13:21:52.188938390 +0100 @@ -1,0 +2,11 @@ +Tue Nov 15 09:21:33 UTC 2022 - ka...@b1-systems.de + +- Update to version 7.2.0: + * FWI-2719: Enable new RBAC / sensitive content / Pod exec checks, add `hasPrefix` and `hasSuffix` functions to the GO template, exempt `system:` name prefixes for RBAC checks, sensitive content checks ignore `valueFrom`, (#832) + * Managed by Terraform + * update dependencies (#867) + * Bump k8s.io/api from 0.25.0 to 0.25.3 (#862) + * FWI-2912: Add logging to improve debugging of JSON Schema (#859) + * Fix CI tag filters and re-enable docs (#852) + +------------------------------------------------------------------- Old: ---- polaris-7.1.5.tar.gz New: ---- polaris-7.2.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ polaris.spec ++++++ --- /var/tmp/diff_new_pack.kMSA2X/_old 2022-11-15 13:21:53.052942851 +0100 +++ /var/tmp/diff_new_pack.kMSA2X/_new 2022-11-15 13:21:53.060942891 +0100 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: polaris -Version: 7.1.5 +Version: 7.2.0 Release: 0 Summary: Validation of best practices in your Kubernetes clusters License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.kMSA2X/_old 2022-11-15 13:21:53.100943098 +0100 +++ /var/tmp/diff_new_pack.kMSA2X/_new 2022-11-15 13:21:53.104943119 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/FairwindsOps/polaris</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">7.1.5</param> + <param name="revision">7.2.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> </service> 
@@ -15,7 +15,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">polaris-7.1.5.tar.gz</param> + <param name="archive">polaris-7.2.0.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.kMSA2X/_old 2022-11-15 13:21:53.124943222 +0100 +++ /var/tmp/diff_new_pack.kMSA2X/_new 2022-11-15 13:21:53.128943243 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/FairwindsOps/polaris</param> - <param name="changesrevision">98d8646c9a4fe27de62d3514e6428bc8c20dcc2d</param></service></servicedata> + <param name="changesrevision">467d06f4dbca2985201efc2c2956b125933b9dd2</param></service></servicedata> (No newline at EOF) ++++++ polaris-7.1.5.tar.gz -> polaris-7.2.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/CODEOWNERS new/polaris-7.2.0/CODEOWNERS --- old/polaris-7.1.5/CODEOWNERS 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/CODEOWNERS 2022-11-14 23:05:02.000000000 +0100 @@ -1,2 +1,2 @@ ## DO NOT EDIT - Managed by Terraform -* @rbren @makoscafee +* @rbren diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/clusterrolePodExecAttach.yaml new/polaris-7.2.0/checks/clusterrolePodExecAttach.yaml --- old/polaris-7.1.5/checks/clusterrolePodExecAttach.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/clusterrolePodExecAttach.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -18,9 +18,8 @@ - const: 'admin' - const: "cluster-admin" - const: "edit" - - const: "system:aggregate-to-edit" - - const: "system:controller:generic-garbage-collector" - - const: "system:controller:namespace-controller" + - pattern: '^system:' + - const: "gce:podsecuritypolicy:calico-sa" - properties: rules: type: array diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/clusterrolebindingClusterAdmin.yaml new/polaris-7.2.0/checks/clusterrolebindingClusterAdmin.yaml --- old/polaris-7.1.5/checks/clusterrolebindingClusterAdmin.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/clusterrolebindingClusterAdmin.yaml 2022-11-14 23:05:02.000000000 +0100 @@ -17,8 +17,8 @@ type: string anyOf: - const: "cluster-admin" - - const: "system:controller:generic-garbage-collector" - - const: "system:controller:namespace-controller" + - pattern: '^system:' + - const: "gce:podsecuritypolicy:calico-sa" - required: ["roleRef"] properties: roleRef: @@ -39,7 +39,7 @@ rbac.authorization.k8s.io/ClusterRole: | type: object # Do not alert on default ClusterRoleBindings. - {{ if and (ne .metadata.name "cluster-admin") (ne .metadata.name "system:controller:generic-garbage-collector") (ne .metadata.name "system:controller:namespace-controller") }} + {{ if and (ne .metadata.name "cluster-admin") (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }} required: ["metadata", "rules"] allOf: - properties: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/clusterrolebindingPodExecAttach.yaml new/polaris-7.2.0/checks/clusterrolebindingPodExecAttach.yaml --- old/polaris-7.1.5/checks/clusterrolebindingPodExecAttach.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/clusterrolebindingPodExecAttach.yaml 2022-11-14 23:05:02.000000000 +0100 
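Review bot: Replacing the three exact `system:` names with `pattern: '^system:'` (and `hasPrefix .metadata.name "system:"` in the ClusterRole template) exempts every ClusterRole and ClusterRoleBinding whose name merely starts with `system:`, a prefix Kubernetes does not reserve for its own objects — a principal allowed to create ClusterRoles can name one `system:anything`, grant `pods/exec` or bind it to `cluster-admin`, and this check stays silent where the removed exact-match list would have flagged it. If the intent is to skip the API server's bootstrap defaults, those objects also carry the label `kubernetes.io/bootstrapping: rbac-defaults`, which is a tighter discriminator than the name prefix, assuming the check schema can reach `metadata.labels` here. At minimum the exemption should state the trade-off next to the pattern, e.g. `# Exempt system:* by prefix; note a user-created ClusterRole named system:* is skipped too.`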
@@ -17,8 +17,8 @@ type: string anyOf: - const: "cluster-admin" - - const: "system:controller:generic-garbage-collector" - - const: "system:controller:namespace-controller" + - pattern: '^system:' + - const: "gce:podsecuritypolicy:calico-sa" - required: ["roleRef"] properties: roleRef: @@ -37,7 +37,7 @@ rbac.authorization.k8s.io/ClusterRole: | type: object # Do not alert on default ClusterRoleBindings. - {{ if and (ne .metadata.name "cluster-admin") (ne .metadata.name "system:controller:generic-garbage-collector") (ne .metadata.name "system:controller:namespace-controller") }} + {{ if and (ne .metadata.name "cluster-admin") (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }} required: ["metadata", "rules"] allOf: - properties: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/rolePodExecAttach.yaml new/polaris-7.2.0/checks/rolePodExecAttach.yaml --- old/polaris-7.1.5/checks/rolePodExecAttach.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/rolePodExecAttach.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -6,40 +6,51 @@ '$schema': http://json-schema.org/draft-07/schema type: object required: ["metadata", "rules"] - properties: - metadata: - required: ["name"] - properties: - name: - type: string - rules: - type: array - items: - type: object - not: - required: ["apiGroups", "resources", "verbs"] + anyOf: + # Do not alert on default Roles. + - properties: + metadata: + required: ["name"] properties: - apiGroups: - type: array - contains: - type: string - anyOf: - - const: "" - - const: '*' - resources: - type: array - contains: - type: string - anyOf: - - const: '*' - - const: "pods/exec" - - const: "pods/attach" - verbs: - type: array - contains: - type: string - anyOf: - - const: '*' - # An exec is also possible by `get`ing a web socket. - - const: 'get' - - const: 'create' + name: + type: string + anyOf: + - pattern: '^system:' + - const: "gce:podsecuritypolicy:calico-sa" + - properties: + metadata: + required: ["name"] + properties: + name: + type: string + rules: + type: array + items: + type: object + not: + required: ["apiGroups", "resources", "verbs"] + properties: + apiGroups: + type: array + contains: + type: string + anyOf: + - const: "" + - const: '*' + resources: + type: array + contains: + type: string + anyOf: + - const: '*' + - const: "pods/exec" + - const: "pods/attach" + verbs: + type: array + contains: + type: string + anyOf: + - const: '*' + # An exec is also possible by `get`ing a web socket. + - const: 'get' + - const: 'create' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/rolebindingClusterAdminClusterRole.yaml new/polaris-7.2.0/checks/rolebindingClusterAdminClusterRole.yaml --- old/polaris-7.1.5/checks/rolebindingClusterAdminClusterRole.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/rolebindingClusterAdminClusterRole.yaml 2022-11-14 23:05:02.000000000 +0100 
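Review bot: The new first `anyOf` branch exempts any namespaced Role whose name starts with `system:`, and Role creation inside a namespace is routinely delegated (the built-in `admin` ClusterRole grants it), so a namespace tenant can create a Role named `system:debug` with `pods/exec` and this check will not report it; the replaced schema had no name-based escape at all. Since bootstrap Roles with that prefix are not expected in tenant namespaces, consider restricting the exemption to `kube-system` (an additional `namespace` requirement under `metadata` in that branch) or matching the `kubernetes.io/bootstrapping: rbac-defaults` label instead of the bare prefix. The comment `# Do not alert on default Roles.` should also say which defaults are meant, e.g. `# Do not alert on the API server's bootstrap Roles (system:*) or GKE's calico PSP role.`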
@@ -15,6 +15,18 @@ kind: type: string const: "Role" + # Do not alert on default ClusterRoleBindings. + - required: ["metadata"] + properties: + metadata: + type: object + required: ["name"] + properties: + name: + type: string + anyOf: + - pattern: '^system:' + - const: "gce:podsecuritypolicy:calico-sa" - required: ["roleRef"] properties: roleRef: @@ -36,6 +48,7 @@ type: object # This schema is validated for all roleBindings, regardless of their roleRef. {{ if eq .roleRef.kind "ClusterRole" }} + {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }} required: ["metadata", "rules"] allOf: - properties: @@ -82,3 +95,4 @@ - "patch" - "delete" {{ end }} + {{ end }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/rolebindingClusterAdminRole.yaml new/polaris-7.2.0/checks/rolebindingClusterAdminRole.yaml --- old/polaris-7.1.5/checks/rolebindingClusterAdminRole.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/rolebindingClusterAdminRole.yaml 2022-11-14 23:05:02.000000000 +0100 @@ -15,6 +15,18 @@ kind: type: string const: "ClusterRole" + # Do not alert on default RoleBindings. + - required: ["metadata"] + properties: + metadata: + type: object + required: ["name"] + properties: + name: + type: string + anyOf: + - pattern: '^system:' + - const: "gce:podsecuritypolicy:calico-sa" - required: ["roleRef"] properties: roleRef: @@ -34,6 +46,7 @@ type: object # This schema is validated for all roleBindings, regardless of their roleRef. {{ if eq .roleRef.kind "Role" }} + {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }} required: ["metadata", "rules"] allOf: - properties: 
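Review bot: The comment on the added exemption branch reads `# Do not alert on default ClusterRoleBindings.`, but this file validates RoleBindings — the surrounding template says `This schema is validated for all roleBindings` and the added `hasPrefix .metadata.name "system:"` runs against that binding, not against the ClusterRole it references — so it should read `# Do not alert on default RoleBindings.`, as the sibling rolebindingClusterAdminRole.yaml hunk already does. A one-line comment that the exemption keys on the binding's own name rather than on `.roleRef.name` would also help, since as far as the visible template shows a RoleBinding named `system:...` that points at `cluster-admin` is skipped while an ordinarily named binding to a `system:` ClusterRole is still inspected. The template block opens before `{{ if eq .roleRef.kind "ClusterRole" }}` and the matching `{{ end }}` lines sit in the following hunk.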
@@ -80,3 +93,4 @@ - "patch" - "delete" {{ end }} + {{ end }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/rolebindingClusterRolePodExecAttach.yaml new/polaris-7.2.0/checks/rolebindingClusterRolePodExecAttach.yaml --- old/polaris-7.1.5/checks/rolebindingClusterRolePodExecAttach.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/rolebindingClusterRolePodExecAttach.yaml 2022-11-14 23:05:02.000000000 +0100 @@ -15,6 +15,18 @@ kind: type: string const: "Role" + # Do not alert on default RoleBindings. + - required: ["metadata"] + properties: + metadata: + type: object + required: ["name"] + properties: + name: + type: string + anyOf: + - pattern: '^system:' + - const: "gce:podsecuritypolicy:calico-sa" - required: ["roleRef"] properties: roleRef: @@ -34,6 +46,7 @@ type: object # This schema is validated for all roleBindings, regardless of their roleRef. {{ if eq .roleRef.kind "ClusterRole" }} + {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }} required: ["metadata", "rules"] allOf: - properties: @@ -76,3 +89,4 @@ - const: 'get' - const: 'create' {{ end }} + {{ end }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/rolebindingRolePodExecAttach.yaml new/polaris-7.2.0/checks/rolebindingRolePodExecAttach.yaml --- old/polaris-7.1.5/checks/rolebindingRolePodExecAttach.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/rolebindingRolePodExecAttach.yaml 2022-11-14 23:05:02.000000000 +0100 @@ -18,6 +18,18 @@ kind: type: string const: "Role" + # Do not alert on default RoleBindings. + - required: ["metadata"] + properties: + metadata: + type: object + required: ["name"] + properties: + name: + type: string + anyOf: + - pattern: '^system:' + - const: "gce:podsecuritypolicy:calico-sa" - required: ["roleRef"] properties: roleRef: 
@@ -37,6 +49,7 @@ type: object # This schema is validated for all roleBindings, regardless of their roleRef. {{ if eq .roleRef.kind "Role" }} + {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }} required: ["metadata", "rules"] allOf: - properties: @@ -79,3 +92,4 @@ - const: 'get' - const: 'create' {{ end }} + {{ end }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/checks/sensitiveContainerEnvVar.yaml new/polaris-7.2.0/checks/sensitiveContainerEnvVar.yaml --- old/polaris-7.1.5/checks/sensitiveContainerEnvVar.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/checks/sensitiveContainerEnvVar.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -10,34 +10,41 @@ type: array items: type: object - required: ["name"] - properties: - name: - type: string - '$comment': These environment variable names will be disallowed. - allOf: - - not: - pattern: '(?i)^AWS_SECRET_ACCESS_KEY$' - - not: - pattern: '(?i)^GOOGLE_APPLICATION_CREDENTIALS$' - - not: - pattern: '(?i)^AZURE_.+KEY$' - - not: - pattern: '(?i)^OCI_CLI_KEY_CONTENT$' - - not: - pattern: '(?i)password' - - not: - pattern: '(?i)token' - - not: - pattern: '(?i)bearer' - - not: - pattern: '(?i)secret' - '$comment': This allows variable names not excluded above. - - pattern: '(?i).*' - value: - type: string - '$comment': These environment variable values will be disallowed. - allOf: - - not: - '$comment': THis matches variations like begin private key, begin rsa private key ... - pattern: '(?i)\s*-BEGIN\s+.*PRIVATE KEY-\s*' + oneOf: + - required: ["name", "value"] + properties: + name: + type: string + '$comment': These environment variable names will be disallowed. + allOf: + - not: + pattern: '(?i)^AWS_SECRET_ACCESS_KEY$' + - not: + pattern: '(?i)^GOOGLE_APPLICATION_CREDENTIALS$' + - not: + pattern: '(?i)^AZURE_.+KEY$' + - not: + pattern: '(?i)^OCI_CLI_KEY_CONTENT$' + - not: + pattern: '(?i)password' + - not: + pattern: '(?i)token' + - not: + pattern: '(?i)bearer' + - not: + pattern: '(?i)secret' + '$comment': This allows variable names not excluded above. + - pattern: '(?i).*' + value: + type: string + '$comment': These environment variable values will be disallowed. + allOf: + - not: + '$comment': THis matches variations like begin private key, begin rsa private key ... 
+ pattern: '(?i)\s*-BEGIN\s+.*PRIVATE KEY-\s*' + - required: ["name", "valueFrom"] + properties: + name: + type: string + valueFrom: + type: object diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/cmd/polaris/root.go new/polaris-7.2.0/cmd/polaris/root.go --- old/polaris-7.1.5/cmd/polaris/root.go 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/cmd/polaris/root.go 2022-11-14 23:05:02.000000000 +0100 @@ -15,13 +15,11 @@ package cmd import ( - "flag" "os" conf "github.com/fairwindsops/polaris/pkg/config" "github.com/sirupsen/logrus" "github.com/spf13/cobra" - "github.com/spf13/pflag" ) var configPath string @@ -42,9 +40,7 @@ rootCmd.PersistentFlags().BoolVarP(&disallowExemptions, "disallow-exemptions", "", false, "Disallow any configured exemption.") rootCmd.PersistentFlags().BoolVarP(&disallowConfigExemptions, "disallow-config-exemptions", "", false, "Disallow exemptions set within the configuration file.") rootCmd.PersistentFlags().BoolVarP(&disallowAnnotationExemptions, "disallow-annotation-exemptions", "", false, "Disallow any exemption defined as a controller annotation.") - rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "", logrus.InfoLevel.String(), "Logrus log level.") - flag.Parse() - pflag.CommandLine.AddGoFlagSet(flag.CommandLine) + rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "", logrus.InfoLevel.String(), "Logrus log level to be output (trace, debug, info, warning, error, fatal, panic).") } var config conf.Configuration diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/docs/customization/custom-checks.md new/polaris-7.2.0/docs/customization/custom-checks.md --- old/polaris-7.1.5/docs/customization/custom-checks.md 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/docs/customization/custom-checks.md 2022-11-14 23:05:02.000000000 +0100 
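Review bot: The new `oneOf` has no branch for an env entry that carries only `name` — `value` is optional in the Pod spec and defaults to the empty string — so a harmless `- name: FOO` now matches neither `required: ["name", "value"]` nor `required: ["name", "valueFrom"]` and the check reports it as sensitive content, whereas the replaced schema (`required: ["name"]`) accepted it. Changing the first branch to `required: ["name"]` plus `not: {required: ["valueFrom"]}` alongside its existing `properties` keeps the two branches disjoint and lets name-only entries pass. Separately, the `valueFrom` branch accepts any object, so a `password`-named variable pulled from a `configMapKeyRef` is no longer reported; that appears intended (the changelog says valueFrom is ignored) but deserves a `$comment` on that branch, e.g. `'$comment': valueFrom is not inspected; ConfigMap-sourced values are presumably covered by sensitiveConfigmapContent.` This hunk begins on the previous line.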
@@ -167,6 +167,18 @@ {{ end }} ``` +### Additional Go Template Functions + +These functions are also available in the GO template. + +* [hasPrefix](https://pkg.go.dev/strings#HasPrefix) - for example, `hasPrefix "string" "prefix"` +* [hasSuffix](https://pkg.go.dev/strings#HasSuffix) - for example, `hasSuffix "string" "suffix"` + +For example, the `hasPrefix` function can be used in a template to determine whether a resource name starts with `system:` +``` +{{ if hasPrefix .metadata.name "system:" }} +``` + ## Multi-Resource Checks You can write checks that span multiple resources. This is helpful for ensuring e.g. that every Deployment has a PDB or an HPA associated with it. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/examples/config-full.yaml new/polaris-7.2.0/examples/config-full.yaml --- old/polaris-7.1.5/examples/config-full.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/examples/config-full.yaml 2022-11-14 23:05:02.000000000 +0100 @@ -32,6 +32,9 @@ clusterrolebindingPodExecAttach: danger rolebindingClusterRolePodExecAttach: danger rolebindingRolePodExecAttach: danger + clusterrolebindingClusterAdmin: danger + rolebindingClusterAdminClusterRole: danger + rolebindingClusterAdminRole: danger # custom resourceLimits: warning imageRegistry: danger diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/examples/config.yaml new/polaris-7.2.0/examples/config.yaml --- old/polaris-7.1.5/examples/config.yaml 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/examples/config.yaml 2022-11-14 23:05:02.000000000 +0100 @@ -16,8 +16,11 @@ memoryRequestsMissing: warning memoryLimitsMissing: warning # security + automountServiceAccountToken: ignore hostIPCSet: danger hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore notReadOnlyRootFilesystem: warning privilegeEscalationAllowed: danger runAsRootAllowed: danger 
@@ -27,6 +30,18 @@ hostNetworkSet: danger hostPortSet: warning tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + mutations: - pullPolicyNotAlways @@ -34,6 +49,45 @@ exemptions: - namespace: kube-system controllerNames: + - dns-controller + - ebs-csi-controller + - ebs-csi-node + - kindnet + - kops-controller + - kube-dns + - kube-flannel-ds + - kube-proxy + - kube-scheduler + - vpa-recommender + rules: + - automountServiceAccountToken + - linuxHardening + - missingNetworkPolicy + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + - namespace: kube-system + controllerNames: + - ebs-csi-controller + rules: + - sensitiveContainerEnvVar + - namespace: kube-system + controllerNames: + - coredns-autoscaler + rules: + - linuxHardening + - namespace: local-path-storage + controllerNames: + - local-path-provisioner + rules: + - automountServiceAccountToken + - linuxHardening + - missingNetworkPolicy + - namespace: kube-system + controllerNames: - kube-apiserver - kube-proxy - kube-scheduler 
@@ -54,8 +108,49 @@ - runAsPrivileged - notReadOnlyRootFilesystem - hostPIDSet + - namespace: datadog + controllerNames: + - datadogtoken + rules: + - sensitiveConfigmapContent + - namespace: datadog + controllerNames: + - datadog-cluster-agent-apiserver + rules: + - rolebindingClusterAdminRole + - rolebindingRolePodExecAttach - controllerNames: + - ingress-nginx-controller + rules: + - sensitiveConfigmapContent + - controllerNames: + - ingress-nginx-controller + - ingress-nginx-default-backend + - polaris + - rbac-manager + rules: + - automountServiceAccountToken + - missingNetworkPolicy + - controllerNames: + - aws-iam-authenticator + - aws-load-balancer-controller + - docker-registry + - external-dns + - kube2iam + - metrics-server + rules: + - automountServiceAccountToken + - linuxHardening + - missingNetworkPolicy + - controllerNames: + - oauth2-proxy + rules: + - automountServiceAccountToken + - linuxHardening + - missingNetworkPolicy + - sensitiveContainerEnvVar + - controllerNames: - kube-flannel-ds rules: - notReadOnlyRootFilesystem @@ -72,6 +167,9 @@ - runAsRootAllowed - readinessProbeMissing - livenessProbeMissing + - automountServiceAccountToken + - linuxHardening + - missingNetworkPolicy - controllerNames: - cluster-autoscaler @@ -79,6 +177,9 @@ - notReadOnlyRootFilesystem - runAsRootAllowed - readinessProbeMissing + - automountServiceAccountToken + - linuxHardening + - missingNetworkPolicy - controllerNames: - vpa @@ -95,6 +196,10 @@ - readinessProbeMissing - livenessProbeMissing - notReadOnlyRootFilesystem + - automountServiceAccountToken + - linuxHardening + - missingNetworkPolicy + - sensitiveContainerEnvVar - controllerNames: - nginx-ingress-controller diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/go.mod new/polaris-7.2.0/go.mod --- old/polaris-7.1.5/go.mod 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/go.mod 2022-11-14 23:05:02.000000000 +0100 
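Review bot: Several of the added exemptions are keyed on `controllerNames` alone with no `namespace` — `oauth2-proxy` and the `aws-iam-authenticator`/`kube2iam`/`metrics-server` group are excused from `sensitiveContainerEnvVar`, `automountServiceAccountToken`, `linuxHardening` and `missingNetworkPolicy` in every namespace — so any workload that happens to be, or is deliberately, named `oauth2-proxy` inherits the exemption. The `kube-system` and `datadog` entries in the same hunk show the narrower form; where these add-ons live in a fixed namespace, adding `namespace:` keeps a bare name match from silencing the new checks elsewhere. If this file is what polaris ships as its default configuration, a comment at the top of the `exemptions:` list would help operators, e.g. `# Exemptions without a namespace match the controller name in every namespace; review per cluster.`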
@@ -8,16 +8,16 @@ github.com/gorilla/mux v1.8.0 github.com/qri-io/jsonschema v0.1.1 github.com/sirupsen/logrus v1.9.0 - github.com/spf13/cobra v1.5.0 - github.com/spf13/pflag v1.0.5 + github.com/spf13/cobra v1.6.0 + github.com/spf13/pflag v1.0.5 // indirect github.com/stretchr/testify v1.8.0 github.com/thoas/go-funk v0.9.2 - golang.org/x/text v0.3.7 // indirect + golang.org/x/text v0.4.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 - k8s.io/api v0.25.0 - k8s.io/apimachinery v0.25.0 - k8s.io/client-go v0.25.0 + k8s.io/api v0.25.3 + k8s.io/apimachinery v0.25.3 + k8s.io/client-go v0.25.3 sigs.k8s.io/controller-runtime v0.13.0 sigs.k8s.io/yaml v1.3.0 ) @@ -28,7 +28,7 @@ ) require ( - cloud.google.com/go/compute v1.9.0 // indirect + cloud.google.com/go/compute v1.10.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.28 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect @@ -41,7 +41,7 @@ github.com/emicklei/go-restful/v3 v3.9.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect - github.com/fsnotify/fsnotify v1.5.4 // indirect + github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/go-logr/logr v1.2.3 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.20.0 // indirect @@ -67,7 +67,7 @@ github.com/markbates/safe v1.0.1 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.16 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 
@@ -77,19 +77,19 @@ github.com/prometheus/common v0.37.0 // indirect github.com/prometheus/procfs v0.8.0 // indirect github.com/qri-io/jsonpointer v0.1.1 // indirect - golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect - golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect - golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect - golang.org/x/sys v0.0.0-20220913175220-63ea55921009 // indirect - golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 // indirect - golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect + golang.org/x/crypto v0.0.0-20221012134737-56aed061732a // indirect + golang.org/x/net v0.0.0-20221017152216-f25eb7ecb193 // indirect + golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect + golang.org/x/sys v0.1.0 // indirect + golang.org/x/term v0.0.0-20221017184919-83659145692c // indirect + golang.org/x/time v0.1.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.28.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect - k8s.io/component-base v0.25.0 // indirect + k8s.io/component-base v0.25.3 // indirect k8s.io/klog/v2 v2.80.1 // indirect - k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea // indirect - k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73 // indirect + k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect + k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/go.sum new/polaris-7.2.0/go.sum --- old/polaris-7.1.5/go.sum 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/go.sum 2022-11-14 23:05:02.000000000 +0100 
@@ -26,6 +26,8 @@ cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/compute v1.9.0 h1:ED/FP4xv8GJw63v556/ASNc1CeeLUO2Bs8nzaHchkHg= cloud.google.com/go/compute v1.9.0/go.mod h1:lWv1h/zUWTm/LozzfTJhBSkd6ShQq8la8VeeuOEGxfY= +cloud.google.com/go/compute v1.10.0 h1:aoLIYaA1fX3ywihqpBk2APQKOo20nXsp1GEZQbx5Jk4= +cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= @@ -75,6 +77,7 @@ github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= 
@@ -117,6 +120,8 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= +github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= +github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= @@ -314,6 +319,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM= +github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 
@@ -336,8 +343,8 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.1.4 h1:GNapqRSid3zijZ9H77KrgVG4/8KqiyRsxcSxe+7ApXY= -github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw= +github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= +github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= @@ -379,6 +386,8 @@ github.com/qri-io/jsonpointer v0.1.1/go.mod h1:DnJPaYgiKu56EuDp8TU5wFLdZIcAnb/uH9v37ZaMV64= github.com/qri-io/jsonschema v0.1.1 h1:t//Doa/gvMqJ0bDhG7PGIKfaWGGxRVaffp+bcvBGGEk= github.com/qri-io/jsonschema v0.1.1/go.mod h1:QpzJ6gBQ0GYgGmh7mDQ1YsvvhSgE4rYj0k8t5MBOmUY= +github.com/qri-io/jsonschema v0.2.1 h1:NNFoKms+kut6ABPf6xiKNM5214jzxAhDBrPHCJ97Wg0= +github.com/qri-io/jsonschema v0.2.1/go.mod h1:g7DPkiOsK1xv6T/Ao5scXRkd+yTFygcANPBaaqW+VrI= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= 
@@ -405,6 +414,8 @@ github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= +github.com/spf13/cobra v1.6.0 h1:42a0n6jwCot1pUmomAp4T7DeMD+20LFv4Q54pxLf2LI= +github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= @@ -448,6 +459,7 @@ go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= +go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= 
@@ -464,6 +476,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM= golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20221012134737-56aed061732a h1:NmSIgad6KjE6VvHciPZuNRTKxGhlPfD6OA87W/PLkqg= +golang.org/x/crypto v0.0.0-20221012134737-56aed061732a/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -544,6 +558,8 @@ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI= golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221017152216-f25eb7ecb193 h1:3Moaxt4TfzNcQH6DWvlYKraN1ozhBXQHcgvXjRGeim0= +golang.org/x/net v0.0.0-20221017152216-f25eb7ecb193/go.mod h1:RpDiru2p0u2F0lLpEoqnP2+7xs0ifAuOcJ442g6GU2s= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -560,6 +576,8 @@ golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA= golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -632,12 +650,18 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220913175220-63ea55921009 h1:PuvuRMeLWqsf/ZdT1UUZz0syhioyv1mzuFZsXs4fvhw= golang.org/x/sys v0.0.0-20220913175220-63ea55921009/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 h1:Q5284mrmYTpACcm+eAKjKJH48BBwSyfJqmmGDTtT8Vc= golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.0.0-20221017184919-83659145692c h1:dveknrit5futqEmXAvd2I1BbZIDhxRijsyWHM86NlcA= +golang.org/x/term v0.0.0-20221017184919-83659145692c/go.mod h1:VTIZ7TEbF0BS9Sv9lPTvGbtW8i4z6GGbJBCM37uMCzY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -648,11 +672,15 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 h1:ftMN5LMiBFjbzleLqtoBZk7KdJwhuybIU+FckUHgoyQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA= +golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -851,22 +879,30 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.25.0 h1:H+Q4ma2U/ww0iGB78ijZx6DRByPz6/733jIuFpX70e0= -k8s.io/api v0.25.0/go.mod h1:ttceV1GyV1i1rnmvzT3BST08N6nGt+dudGrquzVQWPk= +k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ= +k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI= k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= -k8s.io/apimachinery v0.25.0 h1:MlP0r6+3XbkUG2itd6vp3oxbtdQLQI94fD5gCS+gnoU= -k8s.io/apimachinery v0.25.0/go.mod h1:qMx9eAk0sZQGsXGu86fab8tZdffHbwUfsvzqKn4mfB0= +k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc= +k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= k8s.io/client-go v0.25.0 h1:CVWIaCETLMBNiTUta3d5nzRbXvY5Hy9Dpl+VvREpu5E= k8s.io/client-go v0.25.0/go.mod h1:lxykvypVfKilxhTklov0wz1FoaUZ8X4EwbhS6rpRfN8= +k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0= +k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA= k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y= k8s.io/component-base v0.25.0/go.mod h1:F2Sumv9CnbBlqrpdf7rKZTmmd2meJq0HizeyY/yAFxk= +k8s.io/component-base v0.25.3 h1:UrsxciGdrCY03ULT1h/S/gXFCOPnLhUVwSyx+hM/zq4= +k8s.io/component-base v0.25.3/go.mod h1:WYoS8L+IlTZgU7rhAl5Ctpw0WdMxDfCC5dkxcEFa/TI= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea h1:3QOH5+2fGsY8e1qf+GIFpg+zw/JGNrgyZRQR7/m6uWg= k8s.io/kube-openapi 
v0.0.0-20220803164354-a70c9af30aea/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73 h1:H9TCJUUx+2VA0ZiD9lvtaX8fthFsMoD+Izn93E/hm8U= k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85 h1:cTdVh7LYu82xeClmfzGtgyspNh6UxpwLWGi8R4sspNo= +k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/pkg/config/schema.go new/polaris-7.2.0/pkg/config/schema.go --- old/polaris-7.1.5/pkg/config/schema.go 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/pkg/config/schema.go 2022-11-14 23:05:02.000000000 +0100 @@ -223,7 +223,10 @@ newCheck.AdditionalSchemaStrings = map[string]string{} for kind, tmplString := range templateStrings { - tmpl := template.New(newCheck.ID) + tmpl := template.New(newCheck.ID).Funcs(template.FuncMap{ + "hasPrefix": strings.HasPrefix, + "hasSuffix": strings.HasSuffix, + }) tmpl, err := tmpl.Parse(tmplString) if err != nil { return nil, err diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/pkg/validator/schema.go new/polaris-7.2.0/pkg/validator/schema.go --- old/polaris-7.1.5/pkg/validator/schema.go 2022-09-22 20:06:29.000000000 +0200 +++ new/polaris-7.2.0/pkg/validator/schema.go 2022-11-14 23:05:02.000000000 +0100 
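Review bot: The `template.FuncMap` literal in the new `.Funcs(...)` call is rebuilt on every iteration of `for kind, tmplString := range templateStrings` even though it never changes; hoist it to a package-level `var templateFuncs = template.FuncMap{"hasPrefix": strings.HasPrefix, "hasSuffix": strings.HasSuffix}` and call `template.New(newCheck.ID).Funcs(templateFuncs)`. A doc comment on that variable is also the natural place to record that these two helpers are now part of the template surface that custom checks may rely on. The loop body and its enclosing function continue outside the hunk, so I cannot see whether `strings` is already imported in this file.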
@@ -40,6 +40,25 @@ ResourceProvider *kube.ResourceProvider } +// ShortString supplies some fields of a schemaTestCase suitable for brief +// output. +func (s schemaTestCase) ShortString() string { + var msg strings.Builder + targetStr := s.Target + if targetStr != "" { + msg.WriteString(fmt.Sprintf("target=%s, ", targetStr)) + } + ns := s.Resource.ObjectMeta.GetNamespace() + if ns != "" { + msg.WriteString(fmt.Sprintf("namespace=%s, ", ns)) + } + msg.WriteString(fmt.Sprintf("resource=%s/%s", s.Resource.Kind, s.Resource.ObjectMeta.GetName())) + if s.Target == config.TargetContainer { + msg.WriteString(fmt.Sprintf(", container=%s", s.Container.Name)) + } + return msg.String() +} + func resolveCheck(conf *config.Configuration, checkID string, test schemaTestCase) (*config.SchemaCheck, error) { if !conf.DisallowExemptions && !conf.DisallowAnnotationExemptions && @@ -110,6 +129,7 @@ } } } + logrus.Debugf("the go template input for schema test-case %s is: %v", test.ShortString(), templateInput) return templateInput, nil } 
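Review bot: Each `msg.WriteString(fmt.Sprintf(...))` in `ShortString` can be `fmt.Fprintf(&msg, ...)`, since `strings.Builder` is an `io.Writer`; that drops the intermediate string and reads more directly. The `targetStr := s.Target` copy is redundant, because the last branch already compares `s.Target` directly, so the first branch can test `s.Target != ""` as well. The doc comment could also say what the summary is for, e.g. `// ShortString returns a one-line "target=…, namespace=…, resource=Kind/name[, container=…]" summary of the test case for log messages.`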
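Review bot: The new `logrus.Debugf` prints the whole `templateInput` with `%v`, and if that map carries the resource under test (the same release adds sensitive-content checks that run against these inputs, so it presumably does), enabling debug logging would copy Secret/ConfigMap values and container env data into the log stream. At minimum document that in place, `// NOTE: templateInput can contain the full resource; debug output may include secret values`, and consider logging only the top-level keys rather than the values. The function whose `return templateInput, nil` this precedes begins outside the hunk, so I cannot confirm exactly what `templateInput` holds.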
@@ -377,6 +397,16 @@ return nil, err } } + if len(issues) > 0 { + issueMessages := make([]string, len(issues)) + for i, issue := range issues { + issueMessages[i] = issue.Message + } + logrus.Debugf("there were %d issue(s) validating the schema for test-case %s: %v", len(issueMessages), test.ShortString(), issueMessages) + } else { + logrus.Debugf("there were no issues validating the schema for test-case %s", test.ShortString()) + + } result := makeResult(conf, check, passes, issues) if !passes { if funk.Contains(conf.Mutations, checkID) && len(check.Mutations) > 0 { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml new/polaris-7.2.0/test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml --- old/polaris-7.1.5/test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml 2022-11-14 23:05:02.000000000 +0100 @@ -0,0 +1,9 @@ +# This succeeds because the clusterRole is an exempt name `gce:podsecuritypolicy:calico-sa` +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gce:podsecuritypolicy:calico-sa +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/clusterrolePodExecAttach/success.system_prefix.yaml new/polaris-7.2.0/test/checks/clusterrolePodExecAttach/success.system_prefix.yaml --- old/polaris-7.1.5/test/checks/clusterrolePodExecAttach/success.system_prefix.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/clusterrolePodExecAttach/success.system_prefix.yaml 2022-11-14 23:05:02.000000000 +0100 
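Review bot: There is a stray blank line before the closing brace of the `else` branch around the second `logrus.Debugf`; gofmt tolerates it, but it reads as an unfinished edit. The two branches could also be collapsed: build `issueMessages` unconditionally (it is simply empty when there are no issues) and emit one `logrus.Debugf("there were %d issue(s) validating the schema for test-case %s: %v", len(issueMessages), test.ShortString(), issueMessages)`, which still reads sensibly for the zero case. The enclosing function starts and ends outside the hunk.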
@@ -0,0 +1,9 @@ +# This succeeds because the clusterRole has an exempt `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml --- old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml 2022-11-14 23:05:02.000000000 +0100 
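Review bot: This fixture documents that a ClusterRole with fully wildcarded rules passes the check solely because its name starts with `system:`, and as far as I know the API server does not stop ordinary users from creating RBAC objects under that prefix, so anyone who can create ClusterRoles can hide a wildcard role from this check by naming it `system:…`. The companion failure fixtures show that bindings to such roles are still flagged, which narrows the gap, but the trade-off should be stated here rather than left implicit: `# NOTE: the system: prefix is a naming convention, not enforced by the API server; this exemption trades evasion-by-naming for fewer false positives on built-in roles.`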
@@ -0,0 +1,35 @@ +# This fails because the clusterRoleBinding references a ClusterRole that uses all wildcards which happens to have a `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # The system: prefix does not cause this test to fail, but this test + # avoids incorectly ignoring user-created bindings to system ClusterRoles. + name: system:test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: test-binding-to-system-prefix-clusterrole +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This Role exists so there is at least one Role for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: not-used + namespace: test +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml --- old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
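Review bot: The comment on the ClusterRole, "avoids incorectly ignoring user-created bindings to system ClusterRoles", misspells "incorrectly" and would be clearer as `# This fixture guards against the binding check wrongly ignoring a user-created binding just because the referenced ClusterRole has a system: prefix.` The trailing `not-used` Role exists "so there is at least one Role for the additionalSchema to find", which suggests the check misbehaves when no Role is present; if that is a known limitation, say so in the comment so a future fixture author does not drop the filler object.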
@@ -0,0 +1,33 @@ +# This succeeds because the clusterRoleBinding is an exempt name `gce:podsecuritypolicy:calico-sa` +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gce:podsecuritypolicy:calico-sa +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This Role exists so there is at least one Role for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: not-used + namespace: test +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/success.system_prefix_binding.yaml new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/success.system_prefix_binding.yaml --- old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/success.system_prefix_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/success.system_prefix_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -0,0 +1,33 @@ +# This succeeds because the clusterRoleBinding has an exempt `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This Role exists so there is at least one Role for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: not-used + namespace: test +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/failure.binding_to_system_prefix.yaml new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/failure.binding_to_system_prefix.yaml --- old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/failure.binding_to_system_prefix.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/failure.binding_to_system_prefix.yaml 2022-11-14 23:05:02.000000000 +0100 
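Review bot: This fixture passes a ClusterRoleBinding that grants `testuser` a wildcard ClusterRole purely because the binding is named `system:test`; the exemption looks at the binding's own name, not at its subjects or the role it references. Since the `system:` prefix is, as far as I know, only a convention and not enforced by the API server, the fixture should record the accepted trade-off: `# NOTE: exemption is by binding name only; a user who can create ClusterRoleBindings could evade the check by choosing a system: name.`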
@@ -0,0 +1,35 @@ +# This fails because the clusterRoleBinding references a ClusterRole that uses all wildcards which happens to have a `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # The system: prefix does not cause this test to fail, but this test + # avoids incorectly ignoring user-created bindings to system ClusterRoles. + name: system:test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: test-binding-to-system-prefix-clusterrole +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This Role exists so there is at least one Role for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: not-used + namespace: test +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/success.gce_calico_binding.yaml new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/success.gce_calico_binding.yaml --- old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/success.gce_calico_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/success.gce_calico_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -0,0 +1,33 @@ +# This succeeds because the clusterRoleBinding is an exempt name `gce:podsecuritypolicy:calico-sa` +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gce:podsecuritypolicy:calico-sa +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This Role exists so there is at least one Role for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: not-used + namespace: test +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/success.system_prefix_binding.yaml new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/success.system_prefix_binding.yaml --- old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/success.system_prefix_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/success.system_prefix_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -0,0 +1,33 @@ +# This succeeds because the clusterRoleBinding has an exempt `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system:test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This Role exists so there is at least one Role for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: not-used + namespace: test +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolePodExecAttach/success.gce_calico_binding.yaml new/polaris-7.2.0/test/checks/rolePodExecAttach/success.gce_calico_binding.yaml --- old/polaris-7.1.5/test/checks/rolePodExecAttach/success.gce_calico_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolePodExecAttach/success.gce_calico_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -0,0 +1,10 @@ +# This succeeds because the role is an exempt name `gce:podsecuritypolicy:calico-sa` +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gce:podsecuritypolicy:calico-sa + namespace: kube-system +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolePodExecAttach/success.system_prefix_binding.yaml new/polaris-7.2.0/test/checks/rolePodExecAttach/success.system_prefix_binding.yaml --- old/polaris-7.1.5/test/checks/rolePodExecAttach/success.system_prefix_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolePodExecAttach/success.system_prefix_binding.yaml 2022-11-14 23:05:02.000000000 +0100 @@ -0,0 +1,10 @@ +# This succeeds because the Role has an exempt `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: system:controller:glbc + namespace: kube-system +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/failure.binding_to_system_prefix.yaml new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/failure.binding_to_system_prefix.yaml --- old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/failure.binding_to_system_prefix.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/failure.binding_to_system_prefix.yaml 2022-11-14 23:05:02.000000000 +0100 
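Review bot: Both new fixtures are named `…_binding.yaml` but contain a Role, not a RoleBinding; the sibling `clusterrolePodExecAttach` fixtures use `success.gce_calico_clusterrole.yaml` and `success.system_prefix.yaml`, so `success.gce_calico_role.yaml` and `success.system_prefix.yaml` would keep the naming consistent. The second file's comment could also say why `system:controller:glbc` in `kube-system` was chosen (presumably a real built-in Role rather than an arbitrary name), so the example is not mistaken for a made-up value.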
@@ -0,0 +1,26 @@ +# This fails because the roleBinding references a ClusterRole that uses all wildcards which happens to have a `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # The system: prefix does not cause this test to fail, but this test + # avoids incorectly ignoring user-created bindings to system ClusterRoles. + name: system:test + namespace: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-binding-to-system-prefix-role + namespace: test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/success.gce_calico_binding.yaml new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/success.gce_calico_binding.yaml --- old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/success.gce_calico_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/success.gce_calico_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
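Review bot: The ClusterRole `system:test` carries `namespace: test`, but ClusterRole is cluster-scoped; as far as I recall the API server clears the namespace on create, so a cluster-loaded object would not look like this fixture, and in file mode the extra field may affect how the additionalSchema matches the `roleRef`. Drop the `namespace: test` line from the ClusterRole (the RoleBinding below keeps its own). The comment's "incorectly" is also misspelled.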
@@ -0,0 +1,23 @@ +# This succeeds because the roleBinding is an exempt name `gce:podsecuritypolicy:calico-sa` +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gce:podsecuritypolicy:calico-sa + namespace: test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/success.system_prefix_binding.yaml new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/success.system_prefix_binding.yaml --- old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/success.system_prefix_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/success.system_prefix_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -0,0 +1,24 @@ +# This succeeds because the RoleBinding has an exempt `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:test + namespace: test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/failure.binding_to_system_prefix.yaml new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/failure.binding_to_system_prefix.yaml --- old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/failure.binding_to_system_prefix.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/failure.binding_to_system_prefix.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -0,0 +1,36 @@ +# This fails because the roleBinding references a Role that uses all wildcards which happens to have a `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + # The system: prefix does not cause this test to fail, but this test + # avoids incorectly ignoring user-created bindings to system ClusterRoles. + name: system:test + namespace: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-binding-to-system-prefix-role + namespace: test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: system:test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This ClusterRole exists so there is at least one ClusterRole for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: not-used +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/success.gce_calico_binding.yaml new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/success.gce_calico_binding.yaml --- old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/success.gce_calico_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/success.gce_calico_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
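Review bot: The comment on the Role says it "avoids incorectly ignoring user-created bindings to system ClusterRoles", but this fixture binds to a namespaced Role, not a ClusterRole; change it to `# avoids incorrectly ignoring user-created bindings to Roles with a system: prefix`, which also fixes the misspelling. The trailing `not-used` ClusterRole is only there so the additionalSchema finds at least one ClusterRole; if the check is known to need one, that limitation belongs in the comment as well.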
@@ -0,0 +1,34 @@ +# This succeeds because the roleBinding is an exempt name `gce:podsecuritypolicy:calico-sa` +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test + namespace: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gce:podsecuritypolicy:calico-sa + namespace: test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This ClusterRole exists so there is at least one ClusterRole for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: not-used +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/success.system_prefix_binding.yaml new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/success.system_prefix_binding.yaml --- old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/success.system_prefix_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/success.system_prefix_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -0,0 +1,34 @@ +# This succeeds because the RoleBinding has an exempt `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test + namespace: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:test + namespace: test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser +--- +# This ClusterRole exists so there is at least one ClusterRole for the additionalSchema to find. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: not-used +rules: + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ list ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/failure.binding_to_system_prefix.yaml new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/failure.binding_to_system_prefix.yaml --- old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/failure.binding_to_system_prefix.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/failure.binding_to_system_prefix.yaml 2022-11-14 23:05:02.000000000 +0100 
@@ -0,0 +1,26 @@ +# This fails because the roleBinding references a ClusterRole that uses all wildcards which happens to have a `system:` prefix. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # The system: prefix does not cause this test to fail, but this test + # avoids incorectly ignoring user-created bindings to system ClusterRoles. + name: system:test + namespace: test +rules: + - apiGroups: [ "*" ] + resources: [ "*" ] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-binding-to-system-prefix-role + namespace: test +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:test +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: testuser diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/success.gce_calico_binding.yaml new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/success.gce_calico_binding.yaml --- old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/success.gce_calico_binding.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/success.gce_calico_binding.yaml 2022-11-14 23:05:02.000000000 +0100 
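Review bot: As in the `rolebindingClusterAdminClusterRole` fixture, the ClusterRole here carries `namespace: test` even though ClusterRole is cluster-scoped; the API server drops that field on create as far as I recall, so the fixture does not match what a cluster scan would see. Remove the `namespace: test` line from the ClusterRole and keep it only on the RoleBinding, and fix "incorectly" in the comment while there.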
@@ -0,0 +1,23 @@
+# This succeeds because the roleBinding is an exempt name `gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+ - apiGroups: [ "*" ]
+ resources: [ "*" ]
+ verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gce:podsecuritypolicy:calico-sa
+ namespace: test
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/success.system_prefix_binding.yaml new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/success.system_prefix_binding.yaml
--- old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/success.system_prefix_binding.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/success.system_prefix_binding.yaml 2022-11-14 23:05:02.000000000 +0100
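Review bot: The header comment names `gce:podsecuritypolicy:calico-sa` as an exempt name but gives no reason, so a reader cannot tell whether this is a platform-managed binding the check deliberately allows or an arbitrary test value. Suggest `# This succeeds because \`gce:podsecuritypolicy:calico-sa\` is on the check's list of exempt binding names, not because of the wildcard ClusterRole it references.` The association with a GKE-managed binding is inferred from the name only and should be confirmed against the check definition, which is not in this diff. The rolebindingRolePodExecAttach/success.gce_calico_binding.yaml fixture has the same comment and would benefit from the same change.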
@@ -0,0 +1,24 @@
+# This succeeds because the RoleBinding has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+ - apiGroups: [ "*" ]
+ resources: [ "*" ]
+ verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: system:test
+ namespace: test
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: testuser
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/failure.binding_to_system_prefix.yaml new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/failure.binding_to_system_prefix.yaml
--- old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/failure.binding_to_system_prefix.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/failure.binding_to_system_prefix.yaml 2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,26 @@
+# This fails because the roleBinding references a Role that uses all wildcards which happens to have a `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ # The system: prefix does not cause this test to fail, but this test
+ # avoids incorectly ignoring user-created bindings to system ClusterRoles.
+ name: system:test
+ namespace: test
+rules:
+ - apiGroups: [ "*" ]
+ resources: [ "*" ]
+ verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: test-binding-to-system-prefix-role
+ namespace: test
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: system:test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/success.gce_calico_binding.yaml new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/success.gce_calico_binding.yaml
--- old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/success.gce_calico_binding.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/success.gce_calico_binding.yaml 2022-11-14 23:05:02.000000000 +0100
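Review bot: The metadata comment in this fixture says the test avoids ignoring user-created bindings to system `ClusterRoles`, but the object here is a namespaced Role and the binding uses `kind: Role`, so the comment was apparently copied from the ClusterRole variant unchanged. Change the second comment line to `# avoids incorrectly ignoring user-created bindings to system Roles.`, which also fixes the `incorectly` typo.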
@@ -0,0 +1,24 @@
+# This succeeds because the roleBinding is an exempt name `gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: test
+ namespace: test
+rules:
+ - apiGroups: [ "*" ]
+ resources: [ "*" ]
+ verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gce:podsecuritypolicy:calico-sa
+ namespace: test
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/success.system_prefix_binding.yaml new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/success.system_prefix_binding.yaml
--- old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/success.system_prefix_binding.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/success.system_prefix_binding.yaml 2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,24 @@
+# This succeeds because the RoleBinding has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: test
+ namespace: test
+rules:
+ - apiGroups: [ "*" ]
+ resources: [ "*" ]
+ verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: system:test
+ namespace: test
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.1.5/test/checks/sensitiveContainerEnvVar/success.sensitive_key_uses_valueFrom.yaml new/polaris-7.2.0/test/checks/sensitiveContainerEnvVar/success.sensitive_key_uses_valueFrom.yaml
--- old/polaris-7.1.5/test/checks/sensitiveContainerEnvVar/success.sensitive_key_uses_valueFrom.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/polaris-7.2.0/test/checks/sensitiveContainerEnvVar/success.sensitive_key_uses_valueFrom.yaml 2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,17 @@
+# This succeeds because a sensitive environment variable name references an external value.
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod
+spec:
+ containers:
+ - name: nginx
+ env:
+ - name: token
+ valueFrom:
+ secretKeyRef:
+ key: token
+ name: a-secret
+ image: nginx
+ ports:
+ - containerPort: 80
++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/polaris/vendor.tar.gz /work/SRC/openSUSE:Factory/.polaris.new.1597/vendor.tar.gz differ: char 5, line 1
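Review bot: The sensitiveContainerEnvVar fixture exercises only `secretKeyRef` under `valueFrom`, while the 7.2.0 changelog entry says the sensitive content checks ignore `valueFrom` as a whole; if that is literal, a `configMapKeyRef` or `fieldRef` for a variable named `token` would pass too, although a ConfigMap is not a secret store, and nothing in this diff documents which is intended. Suggest the header comment state the scope being tested, e.g. `# This succeeds because the sensitive-looking variable is sourced from a Secret via valueFrom.secretKeyRef instead of a literal value.`, and, if the check really exempts every valueFrom source, a second fixture that makes that behaviour explicit rather than incidental. Whether the exemption covers all valueFrom sources cannot be confirmed from the visible hunks.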