Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package polaris for openSUSE:Factory checked 
in at 2022-11-15 13:19:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/polaris (Old)
 and      /work/SRC/openSUSE:Factory/.polaris.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "polaris"

Tue Nov 15 13:19:11 2022 rev:9 rq:1035796 version:7.2.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/polaris/polaris.changes  2022-09-25 
15:36:10.355748587 +0200
+++ /work/SRC/openSUSE:Factory/.polaris.new.1597/polaris.changes        
2022-11-15 13:21:52.188938390 +0100
@@ -1,0 +2,11 @@
+Tue Nov 15 09:21:33 UTC 2022 - ka...@b1-systems.de
+
+- Update to version 7.2.0:
+  * FWI-2719: Enable new RBAC / sensitive content / Pod exec checks, add 
`hasPrefix` and `hasSuffix` functions to the GO template, exempt `system:` name 
prefixes for RBAC checks, sensitive content checks ignore `valueFrom`, (#832)
+  * Managed by Terraform
+  * update dependencies (#867)
+  * Bump k8s.io/api from 0.25.0 to 0.25.3 (#862)
+  * FWI-2912: Add logging to improve debugging of JSON Schema (#859)
+  * Fix CI tag filters and re-enable docs (#852)
+
+-------------------------------------------------------------------

Old:
----
  polaris-7.1.5.tar.gz

New:
----
  polaris-7.2.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ polaris.spec ++++++
--- /var/tmp/diff_new_pack.kMSA2X/_old  2022-11-15 13:21:53.052942851 +0100
+++ /var/tmp/diff_new_pack.kMSA2X/_new  2022-11-15 13:21:53.060942891 +0100
@@ -19,7 +19,7 @@
 %define __arch_install_post export NO_BRP_STRIP_DEBUG=true
 
 Name:           polaris
-Version:        7.1.5
+Version:        7.2.0
 Release:        0
 Summary:        Validation of best practices in your Kubernetes clusters
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.kMSA2X/_old  2022-11-15 13:21:53.100943098 +0100
+++ /var/tmp/diff_new_pack.kMSA2X/_new  2022-11-15 13:21:53.104943119 +0100
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/FairwindsOps/polaris</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">7.1.5</param>
+    <param name="revision">7.2.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
   </service>
@@ -15,7 +15,7 @@
     <param name="compression">gz</param>
   </service>
   <service name="go_modules" mode="disabled">
-    <param name="archive">polaris-7.1.5.tar.gz</param>
+    <param name="archive">polaris-7.2.0.tar.gz</param>
   </service>
 </services>
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.kMSA2X/_old  2022-11-15 13:21:53.124943222 +0100
+++ /var/tmp/diff_new_pack.kMSA2X/_new  2022-11-15 13:21:53.128943243 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/FairwindsOps/polaris</param>
-              <param 
name="changesrevision">98d8646c9a4fe27de62d3514e6428bc8c20dcc2d</param></service></servicedata>
+              <param 
name="changesrevision">467d06f4dbca2985201efc2c2956b125933b9dd2</param></service></servicedata>
 (No newline at EOF)
 

++++++ polaris-7.1.5.tar.gz -> polaris-7.2.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/CODEOWNERS new/polaris-7.2.0/CODEOWNERS
--- old/polaris-7.1.5/CODEOWNERS        2022-09-22 20:06:29.000000000 +0200
+++ new/polaris-7.2.0/CODEOWNERS        2022-11-14 23:05:02.000000000 +0100
@@ -1,2 +1,2 @@
 ## DO NOT EDIT - Managed by Terraform
-* @rbren @makoscafee
+* @rbren
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/checks/clusterrolePodExecAttach.yaml 
new/polaris-7.2.0/checks/clusterrolePodExecAttach.yaml
--- old/polaris-7.1.5/checks/clusterrolePodExecAttach.yaml      2022-09-22 
20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/clusterrolePodExecAttach.yaml      2022-11-14 
23:05:02.000000000 +0100
@@ -18,9 +18,8 @@
                 - const: 'admin'
                 - const: "cluster-admin"
                 - const: "edit"
-                - const: "system:aggregate-to-edit"
-                - const: "system:controller:generic-garbage-collector"
-                - const: "system:controller:namespace-controller"
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - properties:
         rules:
           type: array
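Review bot: Replacing the explicit `const` allowlist with `pattern: '^system:'` exempts every ClusterRole whose name begins with `system:`, not only the in-tree defaults; the prefix is reserved by convention, but the API server does not stop a principal with create rights from naming a role `system:anything`, so the exemption turns a naming convention into a way to keep a pod-exec grant out of the report. If the goal is to skip bootstrap roles, the `kubernetes.io/bootstrapping: rbac-defaults` label those objects carry is a narrower signal than the name, and at minimum the check should say in a comment that `system:`-prefixed names are skipped and why `gce:podsecuritypolicy:calico-sa` is listed. The same prefix exemption is repeated in clusterrolebindingClusterAdmin.yaml, clusterrolebindingPodExecAttach.yaml, rolePodExecAttach.yaml, rolebindingClusterAdminClusterRole.yaml, rolebindingClusterAdminRole.yaml, rolebindingClusterRolePodExecAttach.yaml and rolebindingRolePodExecAttach.yaml, including the Go-template `hasPrefix .metadata.name "system:"` conditions. The `anyOf` this hunk edits begins outside the hunk.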
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/checks/clusterrolebindingClusterAdmin.yaml 
new/polaris-7.2.0/checks/clusterrolebindingClusterAdmin.yaml
--- old/polaris-7.1.5/checks/clusterrolebindingClusterAdmin.yaml        
2022-09-22 20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/clusterrolebindingClusterAdmin.yaml        
2022-11-14 23:05:02.000000000 +0100
@@ -17,8 +17,8 @@
               type: string
               anyOf:
                 - const: "cluster-admin"
-                - const: "system:controller:generic-garbage-collector"
-                - const: "system:controller:namespace-controller"
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - required: ["roleRef"]
       properties:
         roleRef:
@@ -39,7 +39,7 @@
   rbac.authorization.k8s.io/ClusterRole: |
     type: object
     # Do not alert on default ClusterRoleBindings.
-    {{ if and (ne .metadata.name "cluster-admin") (ne .metadata.name 
"system:controller:generic-garbage-collector") (ne .metadata.name 
"system:controller:namespace-controller") }}
+    {{ if and (ne .metadata.name "cluster-admin") (not (hasPrefix 
.metadata.name "system:")) (ne .metadata.name 
"gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
       - properties:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/checks/clusterrolebindingPodExecAttach.yaml 
new/polaris-7.2.0/checks/clusterrolebindingPodExecAttach.yaml
--- old/polaris-7.1.5/checks/clusterrolebindingPodExecAttach.yaml       
2022-09-22 20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/clusterrolebindingPodExecAttach.yaml       
2022-11-14 23:05:02.000000000 +0100
@@ -17,8 +17,8 @@
               type: string
               anyOf:
                 - const: "cluster-admin"
-                - const: "system:controller:generic-garbage-collector"
-                - const: "system:controller:namespace-controller"
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - required: ["roleRef"]
       properties:
         roleRef:
@@ -37,7 +37,7 @@
   rbac.authorization.k8s.io/ClusterRole: |
     type: object
     # Do not alert on default ClusterRoleBindings.
-    {{ if and (ne .metadata.name "cluster-admin") (ne .metadata.name 
"system:controller:generic-garbage-collector") (ne .metadata.name 
"system:controller:namespace-controller") }}
+    {{ if and (ne .metadata.name "cluster-admin") (not (hasPrefix 
.metadata.name "system:")) (ne .metadata.name 
"gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
       - properties:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/checks/rolePodExecAttach.yaml 
new/polaris-7.2.0/checks/rolePodExecAttach.yaml
--- old/polaris-7.1.5/checks/rolePodExecAttach.yaml     2022-09-22 
20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/rolePodExecAttach.yaml     2022-11-14 
23:05:02.000000000 +0100
@@ -6,40 +6,51 @@
   '$schema': http://json-schema.org/draft-07/schema
   type: object
   required: ["metadata", "rules"]
-  properties:
-    metadata:
-      required: ["name"]
-      properties:
-        name:
-          type: string
-    rules:
-      type: array
-      items:
-        type: object
-        not:
-          required: ["apiGroups", "resources", "verbs"]
+  anyOf:
+    # Do not alert on default Roles.
+    - properties:
+        metadata:
+          required: ["name"]
           properties:
-            apiGroups:
-              type: array
-              contains:
-                type: string
-                anyOf:
-                  - const: ""
-                  - const: '*'
-            resources:
-              type: array
-              contains:
-                type: string
-                anyOf:
-                  - const: '*'
-                  - const: "pods/exec"
-                  - const: "pods/attach"
-            verbs:
-              type: array
-              contains:
-                type: string
-                anyOf:
-                  - const: '*'
-                  # An exec is also possible by `get`ing a web socket.
-                  - const: 'get'
-                  - const: 'create'
+            name:
+              type: string
+              anyOf:
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
+    - properties:
+        metadata:
+          required: ["name"]
+          properties:
+            name:
+              type: string
+        rules:
+          type: array
+          items:
+            type: object
+            not:
+              required: ["apiGroups", "resources", "verbs"]
+              properties:
+                apiGroups:
+                  type: array
+                  contains:
+                    type: string
+                    anyOf:
+                      - const: ""
+                      - const: '*'
+                resources:
+                  type: array
+                  contains:
+                    type: string
+                    anyOf:
+                      - const: '*'
+                      - const: "pods/exec"
+                      - const: "pods/attach"
+                verbs:
+                  type: array
+                  contains:
+                    type: string
+                    anyOf:
+                      - const: '*'
+                      # An exec is also possible by `get`ing a web socket.
+                      - const: 'get'
+                      - const: 'create'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/checks/rolebindingClusterAdminClusterRole.yaml 
new/polaris-7.2.0/checks/rolebindingClusterAdminClusterRole.yaml
--- old/polaris-7.1.5/checks/rolebindingClusterAdminClusterRole.yaml    
2022-09-22 20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/rolebindingClusterAdminClusterRole.yaml    
2022-11-14 23:05:02.000000000 +0100
@@ -15,6 +15,18 @@
             kind:
               type: string
               const: "Role"
+    # Do not alert on default ClusterRoleBindings.
+    - required: ["metadata"]
+      properties:
+        metadata:
+          type: object
+          required: ["name"]
+          properties:
+            name:
+              type: string
+              anyOf:
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - required: ["roleRef"]
       properties:
         roleRef:
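Review bot: The comment added at the top of this hunk reads `# Do not alert on default ClusterRoleBindings.`, but this file is a RoleBinding check (the template comment in the next hunk says the schema is validated for all roleBindings) and the sibling files rolebindingClusterAdminRole.yaml, rolebindingClusterRolePodExecAttach.yaml and rolebindingRolePodExecAttach.yaml use `# Do not alert on default RoleBindings.`; change it to match. The list this new entry belongs to starts outside the hunk.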
@@ -36,6 +48,7 @@
     type: object
     # This schema is validated for all roleBindings, regardless of their 
roleRef.
     {{ if eq .roleRef.kind "ClusterRole" }}
+    {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name 
"gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
       - properties:
@@ -82,3 +95,4 @@
                             - "patch"
                             - "delete"
     {{ end }}
+    {{ end }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/checks/rolebindingClusterAdminRole.yaml 
new/polaris-7.2.0/checks/rolebindingClusterAdminRole.yaml
--- old/polaris-7.1.5/checks/rolebindingClusterAdminRole.yaml   2022-09-22 
20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/rolebindingClusterAdminRole.yaml   2022-11-14 
23:05:02.000000000 +0100
@@ -15,6 +15,18 @@
             kind:
               type: string
               const: "ClusterRole"
+    # Do not alert on default RoleBindings.
+    - required: ["metadata"]
+      properties:
+        metadata:
+          type: object
+          required: ["name"]
+          properties:
+            name:
+              type: string
+              anyOf:
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - required: ["roleRef"]
       properties:
         roleRef:
@@ -34,6 +46,7 @@
     type: object
     # This schema is validated for all roleBindings, regardless of their 
roleRef.
     {{ if eq .roleRef.kind "Role" }}
+    {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name 
"gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
       - properties:
@@ -80,3 +93,4 @@
                             - "patch"
                             - "delete"
     {{ end }}
+    {{ end }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/checks/rolebindingClusterRolePodExecAttach.yaml 
new/polaris-7.2.0/checks/rolebindingClusterRolePodExecAttach.yaml
--- old/polaris-7.1.5/checks/rolebindingClusterRolePodExecAttach.yaml   
2022-09-22 20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/rolebindingClusterRolePodExecAttach.yaml   
2022-11-14 23:05:02.000000000 +0100
@@ -15,6 +15,18 @@
             kind:
               type: string
               const: "Role"
+    # Do not alert on default RoleBindings.
+    - required: ["metadata"]
+      properties:
+        metadata:
+          type: object
+          required: ["name"]
+          properties:
+            name:
+              type: string
+              anyOf:
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - required: ["roleRef"]
       properties:
         roleRef:
@@ -34,6 +46,7 @@
     type: object
     # This schema is validated for all roleBindings, regardless of their 
roleRef.
     {{ if eq .roleRef.kind "ClusterRole" }}
+    {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name 
"gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
       - properties:
@@ -76,3 +89,4 @@
                         - const: 'get'
                         - const: 'create'
     {{ end }}
+    {{ end }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/checks/rolebindingRolePodExecAttach.yaml 
new/polaris-7.2.0/checks/rolebindingRolePodExecAttach.yaml
--- old/polaris-7.1.5/checks/rolebindingRolePodExecAttach.yaml  2022-09-22 
20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/rolebindingRolePodExecAttach.yaml  2022-11-14 
23:05:02.000000000 +0100
@@ -18,6 +18,18 @@
             kind:
               type: string
               const: "Role"
+    # Do not alert on default RoleBindings.
+    - required: ["metadata"]
+      properties:
+        metadata:
+          type: object
+          required: ["name"]
+          properties:
+            name:
+              type: string
+              anyOf:
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - required: ["roleRef"]
       properties:
         roleRef:
@@ -37,6 +49,7 @@
     type: object
     # This schema is validated for all roleBindings, regardless of their 
roleRef.
     {{ if eq .roleRef.kind "Role" }}
+    {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name 
"gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
       - properties:
@@ -79,3 +92,4 @@
                         - const: 'get'
                         - const: 'create'
     {{ end }}
+    {{ end }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/checks/sensitiveContainerEnvVar.yaml 
new/polaris-7.2.0/checks/sensitiveContainerEnvVar.yaml
--- old/polaris-7.1.5/checks/sensitiveContainerEnvVar.yaml      2022-09-22 
20:06:29.000000000 +0200
+++ new/polaris-7.2.0/checks/sensitiveContainerEnvVar.yaml      2022-11-14 
23:05:02.000000000 +0100
@@ -10,34 +10,41 @@
       type: array
       items:
         type: object
-        required: ["name"]
-        properties:
-          name:
-            type: string
-            '$comment': These environment variable names will be disallowed.
-            allOf:
-              - not:
-                  pattern: '(?i)^AWS_SECRET_ACCESS_KEY$'
-              - not:
-                  pattern: '(?i)^GOOGLE_APPLICATION_CREDENTIALS$'
-              - not:
-                  pattern: '(?i)^AZURE_.+KEY$'
-              - not:
-                  pattern: '(?i)^OCI_CLI_KEY_CONTENT$'
-              - not:
-                  pattern: '(?i)password'
-              - not:
-                  pattern: '(?i)token'
-              - not:
-                  pattern: '(?i)bearer'
-              - not:
-                  pattern: '(?i)secret'
-                '$comment': This allows variable names not excluded above.
-              - pattern: '(?i).*'
-          value:
-            type: string
-            '$comment': These environment variable values will be disallowed.
-            allOf:
-            - not:
-                '$comment': THis matches variations like begin private key, 
begin rsa private key ...
-                pattern: '(?i)\s*-BEGIN\s+.*PRIVATE KEY-\s*'
+        oneOf:
+          - required: ["name", "value"]
+            properties:
+              name:
+                type: string
+                '$comment': These environment variable names will be 
disallowed.
+                allOf:
+                  - not:
+                      pattern: '(?i)^AWS_SECRET_ACCESS_KEY$'
+                  - not:
+                      pattern: '(?i)^GOOGLE_APPLICATION_CREDENTIALS$'
+                  - not:
+                      pattern: '(?i)^AZURE_.+KEY$'
+                  - not:
+                      pattern: '(?i)^OCI_CLI_KEY_CONTENT$'
+                  - not:
+                      pattern: '(?i)password'
+                  - not:
+                      pattern: '(?i)token'
+                  - not:
+                      pattern: '(?i)bearer'
+                  - not:
+                      pattern: '(?i)secret'
+                    '$comment': This allows variable names not excluded above.
+                  - pattern: '(?i).*'
+              value:
+                type: string
+                '$comment': These environment variable values will be 
disallowed.
+                allOf:
+                - not:
+                    '$comment': THis matches variations like begin private 
key, begin rsa private key ...
+                    pattern: '(?i)\s*-BEGIN\s+.*PRIVATE KEY-\s*'
+          - required: ["name", "valueFrom"]
+            properties:
+              name:
+                type: string
+              valueFrom:
+                type: object
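Review bot: With `oneOf` and branches that require `value` or `valueFrom`, an env entry that carries only `name` (valid in Kubernetes, where `value` is optional) matches neither branch and, if a schema mismatch is reported as a failure like the other branches, is now flagged even though the old schema only required `name`. Changing `oneOf:` to `anyOf:` and the first branch to `required: ["name"]` keeps the name and value patterns applied to entries without `valueFrom` and still exempts `valueFrom` entries through the second branch. The second branch also drops the name patterns for every `valueFrom` source, so a variable named like `AWS_SECRET_ACCESS_KEY` populated from a `configMapKeyRef` is no longer reported; if the intent is to exempt only Secret-backed values, restrict `valueFrom` to `secretKeyRef`. The carried-over `$comment` still says `THis`. The `items` schema this hunk edits begins outside the hunk.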
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/cmd/polaris/root.go 
new/polaris-7.2.0/cmd/polaris/root.go
--- old/polaris-7.1.5/cmd/polaris/root.go       2022-09-22 20:06:29.000000000 
+0200
+++ new/polaris-7.2.0/cmd/polaris/root.go       2022-11-14 23:05:02.000000000 
+0100
@@ -15,13 +15,11 @@
 package cmd
 
 import (
-       "flag"
        "os"
 
        conf "github.com/fairwindsops/polaris/pkg/config"
        "github.com/sirupsen/logrus"
        "github.com/spf13/cobra"
-       "github.com/spf13/pflag"
 )
 
 var configPath string
@@ -42,9 +40,7 @@
        rootCmd.PersistentFlags().BoolVarP(&disallowExemptions, 
"disallow-exemptions", "", false, "Disallow any configured exemption.")
        rootCmd.PersistentFlags().BoolVarP(&disallowConfigExemptions, 
"disallow-config-exemptions", "", false, "Disallow exemptions set within the 
configuration file.")
        rootCmd.PersistentFlags().BoolVarP(&disallowAnnotationExemptions, 
"disallow-annotation-exemptions", "", false, "Disallow any exemption defined as 
a controller annotation.")
-       rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "", 
logrus.InfoLevel.String(), "Logrus log level.")
-       flag.Parse()
-       pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+       rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "", 
logrus.InfoLevel.String(), "Logrus log level to be output (trace, debug, info, 
warning, error, fatal, panic).")
 }
 
 var config conf.Configuration
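Review bot: Dropping `pflag.CommandLine.AddGoFlagSet(flag.CommandLine)` means any flags that dependencies register on the stdlib `flag.CommandLine` (klog's verbosity flags, if controller-runtime pulls them in here) are no longer reachable from the cobra command line, and invocations that relied on them would presumably fail with an unknown-flag error; if that is intended, it deserves a line in the changelog. Removing `flag.Parse()` from package initialisation is sound, since parsing at init time runs before cobra has registered its own flags. The enclosing function starts outside the hunk.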
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/docs/customization/custom-checks.md 
new/polaris-7.2.0/docs/customization/custom-checks.md
--- old/polaris-7.1.5/docs/customization/custom-checks.md       2022-09-22 
20:06:29.000000000 +0200
+++ new/polaris-7.2.0/docs/customization/custom-checks.md       2022-11-14 
23:05:02.000000000 +0100
@@ -167,6 +167,18 @@
               {{ end }}
 ```
 
+### Additional Go Template Functions
+
+These functions are also available in the GO template.
+
+* [hasPrefix](https://pkg.go.dev/strings#HasPrefix) - for example, `hasPrefix 
"string" "prefix"`
+* [hasSuffix](https://pkg.go.dev/strings#HasSuffix) - for example, `hasSuffix 
"string" "suffix"`
+
+For example, the `hasPrefix` function can be used in a template to determine 
whether a resource name starts with `system:`
+```
+{{ if hasPrefix .metadata.name "system:" }}
+```
+
 ## Multi-Resource Checks
 You can write checks that span multiple resources. This is helpful for 
ensuring e.g.
 that every Deployment has a PDB or an HPA associated with it.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/examples/config-full.yaml 
new/polaris-7.2.0/examples/config-full.yaml
--- old/polaris-7.1.5/examples/config-full.yaml 2022-09-22 20:06:29.000000000 
+0200
+++ new/polaris-7.2.0/examples/config-full.yaml 2022-11-14 23:05:02.000000000 
+0100
@@ -32,6 +32,9 @@
   clusterrolebindingPodExecAttach: danger
   rolebindingClusterRolePodExecAttach: danger
   rolebindingRolePodExecAttach: danger
+  clusterrolebindingClusterAdmin: danger
+  rolebindingClusterAdminClusterRole: danger
+  rolebindingClusterAdminRole: danger
   # custom
   resourceLimits: warning
   imageRegistry: danger
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/examples/config.yaml 
new/polaris-7.2.0/examples/config.yaml
--- old/polaris-7.1.5/examples/config.yaml      2022-09-22 20:06:29.000000000 
+0200
+++ new/polaris-7.2.0/examples/config.yaml      2022-11-14 23:05:02.000000000 
+0100
@@ -16,8 +16,11 @@
   memoryRequestsMissing: warning
   memoryLimitsMissing: warning
   # security
+  automountServiceAccountToken: ignore
   hostIPCSet: danger
   hostPIDSet: danger
+  linuxHardening: warning
+  missingNetworkPolicy: ignore
   notReadOnlyRootFilesystem: warning
   privilegeEscalationAllowed: danger
   runAsRootAllowed: danger
@@ -27,6 +30,18 @@
   hostNetworkSet: danger
   hostPortSet: warning
   tlsSettingsMissing: warning
+  # These are initially warning and will later be promoted to danger.
+  sensitiveContainerEnvVar: warning
+  sensitiveConfigmapContent: warning
+  clusterrolePodExecAttach: warning
+  rolePodExecAttach: warning
+  clusterrolebindingPodExecAttach: warning
+  rolebindingClusterRolePodExecAttach: warning
+  rolebindingRolePodExecAttach: warning
+  clusterrolebindingClusterAdmin: warning
+  rolebindingClusterAdminClusterRole: warning
+  rolebindingClusterAdminRole: warning
+
 
 mutations:
   - pullPolicyNotAlways
@@ -34,6 +49,45 @@
 exemptions:
   - namespace: kube-system
     controllerNames:
+      - dns-controller
+      - ebs-csi-controller
+      - ebs-csi-node
+      - kindnet
+      - kops-controller
+      - kube-dns
+      - kube-flannel-ds
+      - kube-proxy
+      - kube-scheduler
+      - vpa-recommender
+    rules:
+      - automountServiceAccountToken
+      - linuxHardening
+      - missingNetworkPolicy
+  - namespace: kube-system
+    controllerNames:
+      - coredns
+    rules:
+      - automountServiceAccountToken
+      - missingNetworkPolicy
+  - namespace: kube-system
+    controllerNames:
+      - ebs-csi-controller
+    rules:
+      - sensitiveContainerEnvVar
+  - namespace: kube-system
+    controllerNames:
+      - coredns-autoscaler
+    rules:
+      - linuxHardening
+  - namespace: local-path-storage
+    controllerNames:
+      - local-path-provisioner
+    rules:
+      - automountServiceAccountToken
+      - linuxHardening
+      - missingNetworkPolicy
+  - namespace: kube-system
+    controllerNames:
       - kube-apiserver
       - kube-proxy
       - kube-scheduler
@@ -54,8 +108,49 @@
       - runAsPrivileged
       - notReadOnlyRootFilesystem
       - hostPIDSet
+  - namespace: datadog
+    controllerNames:
+      - datadogtoken
+    rules:
+      - sensitiveConfigmapContent
+  - namespace: datadog
+    controllerNames:
+      - datadog-cluster-agent-apiserver
+    rules:
+      - rolebindingClusterAdminRole
+      - rolebindingRolePodExecAttach
 
   - controllerNames:
+      - ingress-nginx-controller
+    rules:
+      - sensitiveConfigmapContent
+  - controllerNames:
+      - ingress-nginx-controller
+      - ingress-nginx-default-backend
+      - polaris
+      - rbac-manager
+    rules:
+      - automountServiceAccountToken
+      - missingNetworkPolicy
+  - controllerNames:
+      - aws-iam-authenticator
+      - aws-load-balancer-controller
+      - docker-registry
+      - external-dns
+      - kube2iam
+      - metrics-server
+    rules:
+      - automountServiceAccountToken
+      - linuxHardening
+      - missingNetworkPolicy
+  - controllerNames:
+      - oauth2-proxy
+    rules:
+      - automountServiceAccountToken
+      - linuxHardening
+      - missingNetworkPolicy
+      - sensitiveContainerEnvVar
+  - controllerNames:
       - kube-flannel-ds
     rules:
       - notReadOnlyRootFilesystem
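Review bot: The new exemption entries from `ingress-nginx-controller` onward carry no `namespace`, so — assuming the matcher keys on `controllerNames` alone when `namespace` is absent, as the pre-existing namespace-less entries suggest — any workload named `oauth2-proxy`, `kube2iam` or `aws-iam-authenticator` in any namespace is excused from checks such as `sensitiveContainerEnvVar` and `automountServiceAccountToken` purely by its name. Example configs get copied verbatim, so scope these with `namespace:` the way the kube-system entries above are, or add a comment such as `# Entries without a namespace match a controller of this name in every namespace.` so users understand what they are opting out of.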
@@ -72,6 +167,9 @@
       - runAsRootAllowed
       - readinessProbeMissing
       - livenessProbeMissing
+      - automountServiceAccountToken
+      - linuxHardening
+      - missingNetworkPolicy
 
   - controllerNames:
       - cluster-autoscaler
@@ -79,6 +177,9 @@
       - notReadOnlyRootFilesystem
       - runAsRootAllowed
       - readinessProbeMissing
+      - automountServiceAccountToken
+      - linuxHardening
+      - missingNetworkPolicy
 
   - controllerNames:
       - vpa
@@ -95,6 +196,10 @@
       - readinessProbeMissing
       - livenessProbeMissing
       - notReadOnlyRootFilesystem
+      - automountServiceAccountToken
+      - linuxHardening
+      - missingNetworkPolicy
+      - sensitiveContainerEnvVar
 
   - controllerNames:
       - nginx-ingress-controller
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/go.mod new/polaris-7.2.0/go.mod
--- old/polaris-7.1.5/go.mod    2022-09-22 20:06:29.000000000 +0200
+++ new/polaris-7.2.0/go.mod    2022-11-14 23:05:02.000000000 +0100
@@ -8,16 +8,16 @@
        github.com/gorilla/mux v1.8.0
        github.com/qri-io/jsonschema v0.1.1
        github.com/sirupsen/logrus v1.9.0
-       github.com/spf13/cobra v1.5.0
-       github.com/spf13/pflag v1.0.5
+       github.com/spf13/cobra v1.6.0
+       github.com/spf13/pflag v1.0.5 // indirect
        github.com/stretchr/testify v1.8.0
        github.com/thoas/go-funk v0.9.2
-       golang.org/x/text v0.3.7 // indirect
+       golang.org/x/text v0.4.0 // indirect
        gopkg.in/yaml.v2 v2.4.0 // indirect
        gopkg.in/yaml.v3 v3.0.1
-       k8s.io/api v0.25.0
-       k8s.io/apimachinery v0.25.0
-       k8s.io/client-go v0.25.0
+       k8s.io/api v0.25.3
+       k8s.io/apimachinery v0.25.3
+       k8s.io/client-go v0.25.3
        sigs.k8s.io/controller-runtime v0.13.0
        sigs.k8s.io/yaml v1.3.0
 )
@@ -28,7 +28,7 @@
 )
 
 require (
-       cloud.google.com/go/compute v1.9.0 // indirect
+       cloud.google.com/go/compute v1.10.0 // indirect
        github.com/Azure/go-autorest v14.2.0+incompatible // indirect
        github.com/Azure/go-autorest/autorest v0.11.28 // indirect
        github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect
@@ -41,7 +41,7 @@
        github.com/emicklei/go-restful/v3 v3.9.0 // indirect
        github.com/evanphx/json-patch v5.6.0+incompatible // indirect
        github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-       github.com/fsnotify/fsnotify v1.5.4 // indirect
+       github.com/fsnotify/fsnotify v1.6.0 // indirect
        github.com/go-logr/logr v1.2.3 // indirect
        github.com/go-openapi/jsonpointer v0.19.5 // indirect
        github.com/go-openapi/jsonreference v0.20.0 // indirect
@@ -67,7 +67,7 @@
        github.com/markbates/safe v1.0.1 // indirect
        github.com/mattn/go-colorable v0.1.13 // indirect
        github.com/mattn/go-isatty v0.0.16 // indirect
-       github.com/matttproud/golang_protobuf_extensions 
v1.0.2-0.20181231171920-c182affec369 // indirect
+       github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
        github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // 
indirect
        github.com/modern-go/reflect2 v1.0.2 // indirect
        github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // 
indirect
@@ -77,19 +77,19 @@
        github.com/prometheus/common v0.37.0 // indirect
        github.com/prometheus/procfs v0.8.0 // indirect
        github.com/qri-io/jsonpointer v0.1.1 // indirect
-       golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
-       golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect
-       golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
-       golang.org/x/sys v0.0.0-20220913175220-63ea55921009 // indirect
-       golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 // indirect
-       golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
+       golang.org/x/crypto v0.0.0-20221012134737-56aed061732a // indirect
+       golang.org/x/net v0.0.0-20221017152216-f25eb7ecb193 // indirect
+       golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect
+       golang.org/x/sys v0.1.0 // indirect
+       golang.org/x/term v0.0.0-20221017184919-83659145692c // indirect
+       golang.org/x/time v0.1.0 // indirect
        google.golang.org/appengine v1.6.7 // indirect
        google.golang.org/protobuf v1.28.1 // indirect
        gopkg.in/inf.v0 v0.9.1 // indirect
-       k8s.io/component-base v0.25.0 // indirect
+       k8s.io/component-base v0.25.3 // indirect
        k8s.io/klog/v2 v2.80.1 // indirect
-       k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea // indirect
-       k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73 // indirect
+       k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
+       k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85 // indirect
        sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
        sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/go.sum new/polaris-7.2.0/go.sum
--- old/polaris-7.1.5/go.sum    2022-09-22 20:06:29.000000000 +0200
+++ new/polaris-7.2.0/go.sum    2022-11-14 23:05:02.000000000 +0100
@@ -26,6 +26,8 @@
 cloud.google.com/go/bigquery v1.8.0/go.mod 
h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/compute v1.9.0 
h1:ED/FP4xv8GJw63v556/ASNc1CeeLUO2Bs8nzaHchkHg=
 cloud.google.com/go/compute v1.9.0/go.mod 
h1:lWv1h/zUWTm/LozzfTJhBSkd6ShQq8la8VeeuOEGxfY=
+cloud.google.com/go/compute v1.10.0 
h1:aoLIYaA1fX3ywihqpBk2APQKOo20nXsp1GEZQbx5Jk4=
+cloud.google.com/go/compute v1.10.0/go.mod 
h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
 cloud.google.com/go/datastore v1.0.0/go.mod 
h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod 
h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod 
h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
@@ -75,6 +77,7 @@
 github.com/bketelsen/crypt v0.0.4/go.mod 
h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/buger/jsonparser v1.1.1/go.mod 
h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod 
h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash v1.1.0 
h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod 
h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod 
h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 
h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
@@ -117,6 +120,8 @@
 github.com/fsnotify/fsnotify v1.4.9/go.mod 
h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.4 
h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod 
h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
+github.com/fsnotify/fsnotify v1.6.0 
h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod 
h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod 
h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod 
h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -314,6 +319,8 @@
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod 
h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions 
v1.0.2-0.20181231171920-c182affec369 
h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions 
v1.0.2-0.20181231171920-c182affec369/go.mod 
h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/matttproud/golang_protobuf_extensions v1.0.2 
h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM=
+github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod 
h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod 
h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod 
h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod 
h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@@ -336,8 +343,8 @@
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod 
h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/ginkgo/v2 v2.1.4 
h1:GNapqRSid3zijZ9H77KrgVG4/8KqiyRsxcSxe+7ApXY=
-github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw=
+github.com/onsi/ginkgo/v2 v2.1.6 
h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU=
+github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod 
h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.9.3/go.mod 
h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod 
h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -379,6 +386,8 @@
 github.com/qri-io/jsonpointer v0.1.1/go.mod 
h1:DnJPaYgiKu56EuDp8TU5wFLdZIcAnb/uH9v37ZaMV64=
 github.com/qri-io/jsonschema v0.1.1 
h1:t//Doa/gvMqJ0bDhG7PGIKfaWGGxRVaffp+bcvBGGEk=
 github.com/qri-io/jsonschema v0.1.1/go.mod 
h1:QpzJ6gBQ0GYgGmh7mDQ1YsvvhSgE4rYj0k8t5MBOmUY=
+github.com/qri-io/jsonschema v0.2.1 
h1:NNFoKms+kut6ABPf6xiKNM5214jzxAhDBrPHCJ97Wg0=
+github.com/qri-io/jsonschema v0.2.1/go.mod 
h1:g7DPkiOsK1xv6T/Ao5scXRkd+yTFygcANPBaaqW+VrI=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod 
h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod 
h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.8.0 
h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
@@ -405,6 +414,8 @@
 github.com/spf13/cobra v1.2.1/go.mod 
h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
 github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
 github.com/spf13/cobra v1.5.0/go.mod 
h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
+github.com/spf13/cobra v1.6.0 h1:42a0n6jwCot1pUmomAp4T7DeMD+20LFv4Q54pxLf2LI=
+github.com/spf13/cobra v1.6.0/go.mod 
h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod 
h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod 
h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -448,6 +459,7 @@
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod 
h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod 
h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
@@ -464,6 +476,8 @@
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 
h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM=
 golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20221012134737-56aed061732a 
h1:NmSIgad6KjE6VvHciPZuNRTKxGhlPfD6OA87W/PLkqg=
+golang.org/x/crypto v0.0.0-20221012134737-56aed061732a/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod 
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -544,6 +558,8 @@
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod 
h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220909164309-bea034e7d591 
h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI=
 golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod 
h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20221017152216-f25eb7ecb193 
h1:3Moaxt4TfzNcQH6DWvlYKraN1ozhBXQHcgvXjRGeim0=
+golang.org/x/net v0.0.0-20221017152216-f25eb7ecb193/go.mod 
h1:RpDiru2p0u2F0lLpEoqnP2+7xs0ifAuOcJ442g6GU2s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod 
h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -560,6 +576,8 @@
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod 
h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 
h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA=
 golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod 
h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
+golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 
h1:nt+Q6cXKz4MosCSpnbMtqiQ8Oz0pxTef2B4Vca2lvfk=
+golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod 
h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -632,12 +650,18 @@
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220913175220-63ea55921009 
h1:PuvuRMeLWqsf/ZdT1UUZz0syhioyv1mzuFZsXs4fvhw=
 golang.org/x/sys v0.0.0-20220913175220-63ea55921009/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod 
h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod 
h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 
h1:Q5284mrmYTpACcm+eAKjKJH48BBwSyfJqmmGDTtT8Vc=
 golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod 
h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.0.0-20221017184919-83659145692c 
h1:dveknrit5futqEmXAvd2I1BbZIDhxRijsyWHM86NlcA=
+golang.org/x/term v0.0.0-20221017184919-83659145692c/go.mod 
h1:VTIZ7TEbF0BS9Sv9lPTvGbtW8i4z6GGbJBCM37uMCzY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -648,11 +672,15 @@
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 
h1:ftMN5LMiBFjbzleLqtoBZk7KdJwhuybIU+FckUHgoyQ=
 golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
+golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod 
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod 
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod 
h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -851,22 +879,30 @@
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod 
h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod 
h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod 
h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.25.0 h1:H+Q4ma2U/ww0iGB78ijZx6DRByPz6/733jIuFpX70e0=
-k8s.io/api v0.25.0/go.mod h1:ttceV1GyV1i1rnmvzT3BST08N6nGt+dudGrquzVQWPk=
+k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ=
+k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI=
 k8s.io/apiextensions-apiserver v0.25.0 
h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY=
-k8s.io/apimachinery v0.25.0 h1:MlP0r6+3XbkUG2itd6vp3oxbtdQLQI94fD5gCS+gnoU=
-k8s.io/apimachinery v0.25.0/go.mod 
h1:qMx9eAk0sZQGsXGu86fab8tZdffHbwUfsvzqKn4mfB0=
+k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc=
+k8s.io/apimachinery v0.25.3/go.mod 
h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo=
 k8s.io/client-go v0.25.0 h1:CVWIaCETLMBNiTUta3d5nzRbXvY5Hy9Dpl+VvREpu5E=
 k8s.io/client-go v0.25.0/go.mod h1:lxykvypVfKilxhTklov0wz1FoaUZ8X4EwbhS6rpRfN8=
+k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0=
+k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA=
 k8s.io/component-base v0.25.0 h1:haVKlLkPCFZhkcqB6WCvpVxftrg6+FK5x1ZuaIDaQ5Y=
 k8s.io/component-base v0.25.0/go.mod 
h1:F2Sumv9CnbBlqrpdf7rKZTmmd2meJq0HizeyY/yAFxk=
+k8s.io/component-base v0.25.3 h1:UrsxciGdrCY03ULT1h/S/gXFCOPnLhUVwSyx+hM/zq4=
+k8s.io/component-base v0.25.3/go.mod 
h1:WYoS8L+IlTZgU7rhAl5Ctpw0WdMxDfCC5dkxcEFa/TI=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
 k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea 
h1:3QOH5+2fGsY8e1qf+GIFpg+zw/JGNrgyZRQR7/m6uWg=
 k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea/go.mod 
h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
+k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 
h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E=
+k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod 
h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
 k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73 
h1:H9TCJUUx+2VA0ZiD9lvtaX8fthFsMoD+Izn93E/hm8U=
 k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73/go.mod 
h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85 
h1:cTdVh7LYu82xeClmfzGtgyspNh6UxpwLWGi8R4sspNo=
+k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85/go.mod 
h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod 
h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/pkg/config/schema.go 
new/polaris-7.2.0/pkg/config/schema.go
--- old/polaris-7.1.5/pkg/config/schema.go      2022-09-22 20:06:29.000000000 
+0200
+++ new/polaris-7.2.0/pkg/config/schema.go      2022-11-14 23:05:02.000000000 
+0100
@@ -223,7 +223,10 @@
        newCheck.AdditionalSchemaStrings = map[string]string{}
 
        for kind, tmplString := range templateStrings {
-               tmpl := template.New(newCheck.ID)
+               tmpl := template.New(newCheck.ID).Funcs(template.FuncMap{
+                       "hasPrefix": strings.HasPrefix,
+                       "hasSuffix": strings.HasSuffix,
+               })
                tmpl, err := tmpl.Parse(tmplString)
                if err != nil {
                        return nil, err
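Review bot: The `template.FuncMap` on the new lines is rebuilt on every iteration of the `for kind, tmplString := range templateStrings` loop although its contents never change; hoisting it to a package-level `var templateFuncs = template.FuncMap{"hasPrefix": strings.HasPrefix, "hasSuffix": strings.HasSuffix}` and writing `tmpl := template.New(newCheck.ID).Funcs(templateFuncs)` keeps the loop body to one line and gives the template-function set a single home. Since these functions are part of the interface check authors write against, a doc comment on that variable naming each function and the `strings` function it wraps would help. The enclosing function starts and ends outside the hunk.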
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/polaris-7.1.5/pkg/validator/schema.go 
new/polaris-7.2.0/pkg/validator/schema.go
--- old/polaris-7.1.5/pkg/validator/schema.go   2022-09-22 20:06:29.000000000 
+0200
+++ new/polaris-7.2.0/pkg/validator/schema.go   2022-11-14 23:05:02.000000000 
+0100
@@ -40,6 +40,25 @@
        ResourceProvider *kube.ResourceProvider
 }
 
+// ShortString supplies some fields of a schemaTestCase suitable for brief
+// output.
+func (s schemaTestCase) ShortString() string {
+       var msg strings.Builder
+       targetStr := s.Target
+       if targetStr != "" {
+               msg.WriteString(fmt.Sprintf("target=%s, ", targetStr))
+       }
+       ns := s.Resource.ObjectMeta.GetNamespace()
+       if ns != "" {
+               msg.WriteString(fmt.Sprintf("namespace=%s, ", ns))
+       }
+       msg.WriteString(fmt.Sprintf("resource=%s/%s", s.Resource.Kind, 
s.Resource.ObjectMeta.GetName()))
+       if s.Target == config.TargetContainer {
+               msg.WriteString(fmt.Sprintf(", container=%s", s.Container.Name))
+       }
+       return msg.String()
+}
+
 func resolveCheck(conf *config.Configuration, checkID string, test 
schemaTestCase) (*config.SchemaCheck, error) {
        if !conf.DisallowExemptions &&
                !conf.DisallowAnnotationExemptions &&
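Review bot: In ShortString, each `msg.WriteString(fmt.Sprintf(...))` can be `fmt.Fprintf(&msg, ...)` since strings.Builder implements io.Writer, which drops the intermediate string on all four calls; the `targetStr` local is a plain copy of `s.Target` and can go. The final branch reads `s.Container.Name` whenever `s.Target == config.TargetContainer`; if `Container` is a pointer that can be nil in that case (its declaration is outside the hunk), the method would panic from inside a debug log call, so a nil guard there is worth considering. The resolveCheck signature at the end of the hunk continues outside it.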
@@ -110,6 +129,7 @@
                        }
                }
        }
+       logrus.Debugf("the go template input for schema test-case %s is: %v", 
test.ShortString(), templateInput)
        return templateInput, nil
 }
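Review bot: The new Debugf prints the whole `templateInput` with `%v`; depending on what the template input holds (its construction is above the hunk), this may write complete resource bodies — including Secret data or inline env values that the sensitive-content checks exist to find — to the log whenever debug logging is enabled. Consider logging only the input's keys or kinds, or at least marking the line with a comment such as `// NOTE: debug output may include full resource bodies, including values flagged by sensitive-content checks.` so operators know what enabling debug exposes. The enclosing function starts outside the hunk.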
 
@@ -377,6 +397,16 @@
                        return nil, err
                }
        }
+       if len(issues) > 0 {
+               issueMessages := make([]string, len(issues))
+               for i, issue := range issues {
+                       issueMessages[i] = issue.Message
+               }
+               logrus.Debugf("there were %d issue(s) validating the schema for 
test-case %s: %v", len(issueMessages), test.ShortString(), issueMessages)
+       } else {
+               logrus.Debugf("there were no issues validating the schema for 
test-case %s", test.ShortString())
+
+       }
        result := makeResult(conf, check, passes, issues)
        if !passes {
                if funk.Contains(conf.Mutations, checkID) && 
len(check.Mutations) > 0 {
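Review bot: The `else` branch of the new issue-logging block ends with an empty line before its closing brace; drop it so the block reads as gofmt would lay it out. The message in the first branch reports `len(issueMessages)` while the condition tests `len(issues)`; the two are equal by construction, so using `len(issues)` in the format call makes that obvious and lets `issueMessages` be built with a simple `for` over `issues` only where it is printed. The enclosing function starts and ends outside the hunk.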
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml
 
new/polaris-7.2.0/test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml
--- 
old/polaris-7.1.5/test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml
  1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml
  2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,9 @@
+# This succeeds because the clusterRole is an exempt name 
`gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/clusterrolePodExecAttach/success.system_prefix.yaml
 
new/polaris-7.2.0/test/checks/clusterrolePodExecAttach/success.system_prefix.yaml
--- 
old/polaris-7.1.5/test/checks/clusterrolePodExecAttach/success.system_prefix.yaml
   1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/clusterrolePodExecAttach/success.system_prefix.yaml
   2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,9 @@
+# This succeeds because the clusterRole has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
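Review bot: The header comment on this fixture documents that a ClusterRole granting `*`/`*`/`*` passes solely because its name starts with `system:`; as far as I know that prefix is a naming convention for bootstrapped roles rather than something the API server reserves, so a reader may take the exemption for a guarantee. Suggest extending the comment to state the assumption, e.g. `# The system: prefix is a naming convention, not enforced by the API server; the check trusts it to avoid flagging bootstrapped roles.` The same wording would fit the other `success.system_prefix*` fixtures added in this commit.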
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml
 
new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml
--- 
old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml
  1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml
  2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,35 @@
+# This fails because the clusterRoleBinding references a ClusterRole that uses 
all wildcards which happens to have a `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # The system: prefix does not cause this test to fail, but this test
+  # avoids incorectly ignoring user-created bindings to system ClusterRoles.
+  name: system:test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-binding-to-system-prefix-clusterrole
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This Role exists so there is at least one Role for the additionalSchema to 
find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: not-used
+  namespace: test
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
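Review bot: The metadata comment in this fixture misspells `incorrectly` as `incorectly`; the same line recurs in the clusterrolebindingPodExecAttach and rolebindingClusterAdminClusterRole failure fixtures. The `verbs: [ list ]` entry on the trailing Role is the only unquoted scalar in the file, while `"pods"` and `""` are quoted; writing `verbs: [ "list" ]` keeps the fixture consistent with its neighbours.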
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml
 
new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml
--- 
old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml
        1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml
        2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,33 @@
+# This succeeds because the clusterRoleBinding is an exempt name 
`gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This Role exists so there is at least one Role for the additionalSchema to 
find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: not-used
+  namespace: test
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/success.system_prefix_binding.yaml
 
new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/success.system_prefix_binding.yaml
--- 
old/polaris-7.1.5/test/checks/clusterrolebindingClusterAdmin/success.system_prefix_binding.yaml
     1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/clusterrolebindingClusterAdmin/success.system_prefix_binding.yaml
     2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,33 @@
+# This succeeds because the clusterRoleBinding has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This Role exists so there is at least one Role for the additionalSchema to 
find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: not-used
+  namespace: test
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/failure.binding_to_system_prefix.yaml
 
new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/failure.binding_to_system_prefix.yaml
--- 
old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/failure.binding_to_system_prefix.yaml
 1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/failure.binding_to_system_prefix.yaml
 2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,35 @@
+# This fails because the clusterRoleBinding references a ClusterRole that uses 
all wildcards which happens to have a `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # The system: prefix does not cause this test to fail, but this test
+  # avoids incorectly ignoring user-created bindings to system ClusterRoles.
+  name: system:test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-binding-to-system-prefix-clusterrole
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This Role exists so there is at least one Role for the additionalSchema to 
find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: not-used
+  namespace: test
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/success.gce_calico_binding.yaml
 
new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/success.gce_calico_binding.yaml
--- 
old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/success.gce_calico_binding.yaml
       1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/success.gce_calico_binding.yaml
       2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,33 @@
+# This succeeds because the clusterRoleBinding is an exempt name 
`gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This Role exists so there is at least one Role for the additionalSchema to 
find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: not-used
+  namespace: test
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/success.system_prefix_binding.yaml
 
new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/success.system_prefix_binding.yaml
--- 
old/polaris-7.1.5/test/checks/clusterrolebindingPodExecAttach/success.system_prefix_binding.yaml
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/clusterrolebindingPodExecAttach/success.system_prefix_binding.yaml
    2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,33 @@
+# This succeeds because the clusterRoleBinding has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This Role exists so there is at least one Role for the additionalSchema to 
find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: not-used
+  namespace: test
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolePodExecAttach/success.gce_calico_binding.yaml 
new/polaris-7.2.0/test/checks/rolePodExecAttach/success.gce_calico_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolePodExecAttach/success.gce_calico_binding.yaml 
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolePodExecAttach/success.gce_calico_binding.yaml 
    2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,10 @@
+# This succeeds because the role is an exempt name 
`gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+  namespace: kube-system
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolePodExecAttach/success.system_prefix_binding.yaml
 
new/polaris-7.2.0/test/checks/rolePodExecAttach/success.system_prefix_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolePodExecAttach/success.system_prefix_binding.yaml
  1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolePodExecAttach/success.system_prefix_binding.yaml
  2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,10 @@
+# This succeeds because the Role has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system:controller:glbc
+  namespace: kube-system
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/failure.binding_to_system_prefix.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/failure.binding_to_system_prefix.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/failure.binding_to_system_prefix.yaml
      1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/failure.binding_to_system_prefix.yaml
      2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,26 @@
+# This fails because the roleBinding references a ClusterRole that uses all 
wildcards which happens to have a `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # The system: prefix does not cause this test to fail, but this test
+  # avoids incorectly ignoring user-created bindings to system ClusterRoles.
+  name: system:test
+  namespace: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: test-binding-to-system-prefix-role
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
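Review bot: The ClusterRole in this fixture carries `namespace: test` under metadata, but ClusterRole is cluster-scoped, so the field has no meaning on a real API server and reads as a copy-paste from a Role fixture. Since the RoleBinding's `roleRef.kind` is `ClusterRole`, removing the `namespace: test` line from the ClusterRole block is the consistent fix; whether the validator ignores or trips over the stray field is not visible here.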
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/success.gce_calico_binding.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/success.gce_calico_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/success.gce_calico_binding.yaml
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/success.gce_calico_binding.yaml
    2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,23 @@
+# This succeeds because the roleBinding is an exempt name 
`gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
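Review bot: The header comment states that the binding succeeds because its name is exempt, but it does not say that the referenced ClusterRole still grants `*`/`*`/`*` and that the exemption, per the comment and the changelog entry, is a match on the RoleBinding's `metadata.name` rather than on who created the binding or on what the role grants. A reader of the fixture should see that distinction, since a name allowlist is a weaker guarantee than a provenance check, and the `failure.binding_to_system_prefix` fixture in this directory exists precisely because the two are easy to confuse. I would extend the comment: `# Exemption is matched on the binding name only; the wildcard ClusterRole it references is still all-permissive.` The same wording would suit the other `success.gce_calico_binding` hunks and the `success.system_prefix_binding` hunks below, where the `system:` prefix is likewise matched on the binding name.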
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/success.system_prefix_binding.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/success.system_prefix_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminClusterRole/success.system_prefix_binding.yaml
 1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminClusterRole/success.system_prefix_binding.yaml
 2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,24 @@
+# This succeeds because the RoleBinding has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:test
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/failure.binding_to_system_prefix.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/failure.binding_to_system_prefix.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/failure.binding_to_system_prefix.yaml
     1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/failure.binding_to_system_prefix.yaml
     2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,36 @@
+# This fails because the roleBinding references a Role that uses all wildcards 
which happens to have a `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  # The system: prefix does not cause this test to fail, but this test
+  # avoids incorectly ignoring user-created bindings to system ClusterRoles.
+  name: system:test
+  namespace: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: test-binding-to-system-prefix-role
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system:test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This ClusterRole exists so there is at least one ClusterRole for the 
additionalSchema to find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: not-used
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
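Review bot: The comment under the Role's `metadata` says the test guards against ignoring user-created bindings to "system ClusterRoles", but this fixture defines a namespaced `Role` and the `roleRef.kind` is `Role`, so the comment was evidently copied from the ClusterRole variant and now misstates what is exercised; it also carries the `incorectly` typo. I would change the two comment lines to `# The system: prefix on the Role name does not exempt this binding; the test` / `# avoids incorrectly ignoring user-created bindings to system-prefixed Roles.` The trailing ClusterRole named `not-used` is explained by its own comment and is fine. The same copied comment appears in the rolebindingRolePodExecAttach failure hunk further down.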
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/success.gce_calico_binding.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/success.gce_calico_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/success.gce_calico_binding.yaml
   1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/success.gce_calico_binding.yaml
   2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,34 @@
+# This succeeds because the roleBinding is an exempt name 
`gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: test
+  namespace: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This ClusterRole exists so there is at least one ClusterRole for the 
additionalSchema to find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: not-used
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/success.system_prefix_binding.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/success.system_prefix_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterAdminRole/success.system_prefix_binding.yaml
        1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterAdminRole/success.system_prefix_binding.yaml
        2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,34 @@
+# This succeeds because the RoleBinding has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: test
+  namespace: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:test
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This ClusterRole exists so there is at least one ClusterRole for the 
additionalSchema to find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: not-used
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/failure.binding_to_system_prefix.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/failure.binding_to_system_prefix.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/failure.binding_to_system_prefix.yaml
     1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/failure.binding_to_system_prefix.yaml
     2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,26 @@
+# This fails because the roleBinding references a ClusterRole that uses all 
wildcards which happens to have a `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # The system: prefix does not cause this test to fail, but this test
+  # avoids incorectly ignoring user-created bindings to system ClusterRoles.
+  name: system:test
+  namespace: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: test-binding-to-system-prefix-role
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/success.gce_calico_binding.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/success.gce_calico_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/success.gce_calico_binding.yaml
   1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/success.gce_calico_binding.yaml
   2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,23 @@
+# This succeeds because the roleBinding is an exempt name 
`gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/success.system_prefix_binding.yaml
 
new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/success.system_prefix_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingClusterRolePodExecAttach/success.system_prefix_binding.yaml
        1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingClusterRolePodExecAttach/success.system_prefix_binding.yaml
        2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,24 @@
+# This succeeds because the RoleBinding has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:test
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/failure.binding_to_system_prefix.yaml
 
new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/failure.binding_to_system_prefix.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/failure.binding_to_system_prefix.yaml
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/failure.binding_to_system_prefix.yaml
    2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,26 @@
+# This fails because the roleBinding references a Role that uses all wildcards 
which happens to have a `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  # The system: prefix does not cause this test to fail, but this test
+  # avoids incorectly ignoring user-created bindings to system ClusterRoles.
+  name: system:test
+  namespace: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: test-binding-to-system-prefix-role
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system:test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/success.gce_calico_binding.yaml
 
new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/success.gce_calico_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/success.gce_calico_binding.yaml
  1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/success.gce_calico_binding.yaml
  2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,24 @@
+# This succeeds because the roleBinding is an exempt name 
`gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: test
+  namespace: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/success.system_prefix_binding.yaml
 
new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/success.system_prefix_binding.yaml
--- 
old/polaris-7.1.5/test/checks/rolebindingRolePodExecAttach/success.system_prefix_binding.yaml
       1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/rolebindingRolePodExecAttach/success.system_prefix_binding.yaml
       2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,24 @@
+# This succeeds because the RoleBinding has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: test
+  namespace: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:test
+  namespace: test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/polaris-7.1.5/test/checks/sensitiveContainerEnvVar/success.sensitive_key_uses_valueFrom.yaml
 
new/polaris-7.2.0/test/checks/sensitiveContainerEnvVar/success.sensitive_key_uses_valueFrom.yaml
--- 
old/polaris-7.1.5/test/checks/sensitiveContainerEnvVar/success.sensitive_key_uses_valueFrom.yaml
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/polaris-7.2.0/test/checks/sensitiveContainerEnvVar/success.sensitive_key_uses_valueFrom.yaml
    2022-11-14 23:05:02.000000000 +0100
@@ -0,0 +1,17 @@
+# This succeeds because a sensitive environment variable name references an 
external value.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+spec:
+  containers:
+  - name: nginx
+    env:
+    - name: token
+      valueFrom:
+        secretKeyRef:
+          key: token
+          name: a-secret
+    image: nginx
+    ports:
+    - containerPort: 80
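Review bot: The fixture pins only the `secretKeyRef` form of `valueFrom`, while the changelog entry says the sensitive content checks ignore `valueFrom` as a whole, so the tests do not show whether a sensitive-looking name populated from a `configMapKeyRef` (a non-Secret source) is also accepted. A sibling fixture for the `configMapKeyRef` case, named `success.` or `failure.` according to the intended outcome, would pin that behaviour, which cannot be inferred from this diff. The header comment could also state the scope precisely: `# This succeeds because the sensitive-looking env var is populated from a Secret via valueFrom rather than an inline value.`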

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/polaris/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.polaris.new.1597/vendor.tar.gz differ: char 5, line 
1
