Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package polaris for openSUSE:Factory checked in at 2023-01-06 17:05:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/polaris (Old) and /work/SRC/openSUSE:Factory/.polaris.new.1563 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polaris" Fri Jan 6 17:05:42 2023 rev:11 rq:1056275 version:7.3.0 Changes: -------- --- /work/SRC/openSUSE:Factory/polaris/polaris.changes 2023-01-04 20:18:23.189555392 +0100 +++ /work/SRC/openSUSE:Factory/.polaris.new.1563/polaris.changes 2023-01-06 17:06:30.976505042 +0100 @@ -1,0 +2,8 @@ +Thu Jan 05 20:31:31 UTC 2023 - [email protected] + +- Update to version 7.3.0: + * sc/rd 71 add plg link (#896) + * Update documentation from template (#899) + * Fix #547 - add a check for topologySpreadConstraint (#879) + +------------------------------------------------------------------- Old: ---- polaris-7.2.1.tar.gz New: ---- polaris-7.3.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ polaris.spec ++++++ --- /var/tmp/diff_new_pack.D4kxfI/_old 2023-01-06 17:06:31.884510142 +0100 +++ /var/tmp/diff_new_pack.D4kxfI/_new 2023-01-06 17:06:31.888510165 +0100 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: polaris -Version: 7.2.1 +Version: 7.3.0 Release: 0 Summary: Validation of best practices in your Kubernetes clusters License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.D4kxfI/_old 2023-01-06 17:06:31.920510344 +0100 +++ /var/tmp/diff_new_pack.D4kxfI/_new 2023-01-06 17:06:31.924510367 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/FairwindsOps/polaris</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">7.2.1</param> + <param name="revision">7.3.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> </service> 
@@ -15,7 +15,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">polaris-7.2.1.tar.gz</param> + <param name="archive">polaris-7.3.0.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.D4kxfI/_old 2023-01-06 17:06:31.964510592 +0100 +++ /var/tmp/diff_new_pack.D4kxfI/_new 2023-01-06 17:06:31.984510704 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/FairwindsOps/polaris</param> - <param name="changesrevision">8af4363672631c97091847d57c02e73a3e0d2b15</param></service></servicedata> + <param name="changesrevision">2d28ea551af19addc8b9d9f40eef773852a68e8b</param></service></servicedata> (No newline at EOF) ++++++ polaris-7.2.1.tar.gz -> polaris-7.3.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/README.md new/polaris-7.3.0/README.md --- old/polaris-7.2.1/README.md 2023-01-04 16:10:09.000000000 +0100 +++ new/polaris-7.3.0/README.md 2023-01-05 15:33:45.000000000 +0100 
@@ -55,9 +55,9 @@ If you're interested in running Polaris in multiple clusters, tracking the results over time, integrating with Slack, Datadog, and Jira, or unlocking other functionality, check out -[Fairwinds Insights](https://www.fairwinds.com/polaris-user-insights-demo?utm_source=polaris&utm_medium=polaris&utm_campaign=polaris), +[Fairwinds Insights](https://fairwinds.com/pricing), a platform for auditing and enforcing policy in Kubernetes clusters. -<a href="https://www.fairwinds.com/polaris-user-insights-demo?utm_source=polaris&utm_medium=ad&utm_campaign=polarisad"> +<a href="https://fairwinds.com/pricing"> <img src="https://www.fairwinds.com/hubfs/Doc_Banners/Fairwinds_Polaris_Ad.png" alt="Fairwinds Insights" /> </a> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/checks/topologySpreadConstraint.yaml new/polaris-7.3.0/checks/topologySpreadConstraint.yaml --- old/polaris-7.2.1/checks/topologySpreadConstraint.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.3.0/checks/topologySpreadConstraint.yaml 2023-01-05 15:33:45.000000000 +0100 @@ -0,0 +1,21 @@ +successMessage: Pod has a valid topology spread constraint +failureMessage: Pod should be configured with a valid topology spread constraint +category: Reliability +target: PodSpec +schema: + '$schema': http://json-schema.org/draft-07/schema + type: object + required: + - topologySpreadConstraints + properties: + topologySpreadConstraints: + type: array + items: + type: object + properties: + topologyKey: + anyOf: + - type: string + const: "kubernetes.io/hostname" + - type: string + const: "topology.kubernetes.io/zone" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/cmd/polaris/root.go new/polaris-7.3.0/cmd/polaris/root.go --- old/polaris-7.2.1/cmd/polaris/root.go 2023-01-04 16:10:09.000000000 +0100 +++ new/polaris-7.3.0/cmd/polaris/root.go 2023-01-05 15:33:45.000000000 +0100 
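Review bot: The schema in checks/topologySpreadConstraint.yaml passes constraints that do nothing. `topologySpreadConstraints` only has to be an array, so an empty list validates, and `topologyKey` is not listed under `required` for the items, so an entry without it validates too. Adding `minItems: 1` under `topologySpreadConstraints` and `required: [topologyKey]` under `items` would close both gaps. The `anyOf` also rejects every key other than `kubernetes.io/hostname` and `topology.kubernetes.io/zone`, so a workload spreading on another node label gets the generic failure message; the message should name the accepted keys. The added fixtures cover a missing field and an invalid key, but not the empty-list or missing-key cases.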
@@ -76,6 +76,9 @@ } os.Exit(1) }, + PersistentPostRun: func(cmd *cobra.Command, args []string) { + os.Stderr.WriteString("\n\nWant more? Automate Polaris for free with Fairwinds Insights!\nð https://fairwinds.com/insights-signup/polaris ð \n") + }, } // Execute the stuff diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/cmd/polaris/version.go new/polaris-7.3.0/cmd/polaris/version.go --- old/polaris-7.2.1/cmd/polaris/version.go 2023-01-04 16:10:09.000000000 +0100 +++ new/polaris-7.3.0/cmd/polaris/version.go 2023-01-05 15:33:45.000000000 +0100 @@ -31,4 +31,7 @@ Run: func(cmd *cobra.Command, args []string) { fmt.Println("Polaris version:" + version) }, + PersistentPostRunE: func(cmd *cobra.Command, args []string) error { + return nil + }, } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/docs/.vuepress/public/scripts/marketing.js new/polaris-7.3.0/docs/.vuepress/public/scripts/marketing.js --- old/polaris-7.2.1/docs/.vuepress/public/scripts/marketing.js 2023-01-04 16:10:09.000000000 +0100 +++ new/polaris-7.3.0/docs/.vuepress/public/scripts/marketing.js 2023-01-05 15:33:45.000000000 +0100 
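Review bot: The new `PersistentPostRun` hook in cmd/polaris/root.go writes promotional text to stderr after every command with no way to turn it off, and it discards the error returned by `WriteString`. Pipelines that capture or alert on stderr from an audit run will now see output on successful runs as well. Consider printing only when stderr is a terminal, e.g. `if fi, err := os.Stderr.Stat(); err == nil && fi.Mode()&os.ModeCharDevice != 0 { ... }`, or putting the message behind an opt-out setting. The command literal this field belongs to starts outside the hunk.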
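Review bot: The no-op `PersistentPostRunE` added to the version command in cmd/polaris/version.go has no comment, and its purpose is not evident from the code. It appears to exist only so that cobra stops at this command's hook instead of running the root command's `PersistentPostRun` banner. A comment such as `// No-op hook: shadows the root command's PersistentPostRun so version output stays clean.` would keep it from being removed later as dead code. The command literal starts outside the hunk.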
@@ -27,26 +27,3 @@ j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-TM95WXQ'); - -!function() { - var t = window.driftt = window.drift = window.driftt || []; - if (!t.init) { - if (t.invoked) return void (window.console && console.error && console.error("Drift snippet included twice.")); - t.invoked = !0, t.methods = [ "identify", "config", "track", "reset", "debug", "show", "ping", "page", "hide", "off", "on" ], - t.factory = function(e) { - return function() { - var n = Array.prototype.slice.call(arguments); - return n.unshift(e), t.push(n), t; - }; - }, t.methods.forEach(function(e) { - t[e] = t.factory(e); - }), t.load = function(t) { - var e = 3e5, n = Math.ceil(new Date() / e) * e, o = document.createElement("script"); - o.type = "text/javascript", o.async = !0, o.crossorigin = "anonymous", o.src = "https://js.driftt.com/include/" + n + "/" + t + ".js"; - var i = document.getElementsByTagName("script")[0]; - i.parentNode.insertBefore(o, i); - }; - } -}(); -drift.SNIPPET_VERSION = '0.3.1'; -drift.load('dp7v3zbc7xhm'); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/docs/checks/reliability.md new/polaris-7.3.0/docs/checks/reliability.md --- old/polaris-7.2.1/docs/checks/reliability.md 2023-01-04 16:10:09.000000000 +0100 +++ new/polaris-7.3.0/docs/checks/reliability.md 2023-01-05 15:33:45.000000000 +0100 
@@ -17,19 +17,51 @@ `priorityClassNotSet` | `ignore` | Fails when a priorityClassName is not set for a pod. `deploymentMissingReplicas` | `warning` | Fails when there is only one replica for a deployment. `missingPodDisruptionBudget` | `ignore` +`topologySpreadConstraint` | `warning` | Fails when there is no topology spread constraint on the pod ## Background +### Liveness and Readiness Probes Readiness and liveness probes can help maintain the health of applications running inside Kubernetes. By default, Kubernetes only knows whether or not a process is running, not if it's healthy. Properly configured readiness and liveness probes will also be able to ensure the health of an application. Readiness probes are designed to ensure that an application has reached a "ready" state. In many cases there is a period of time between when a webserver process starts and when it is ready to receive traffic. A readiness probe can ensure the traffic is not sent to a pod until it is actually ready to receive traffic. Liveness probes are designed to ensure that an application stays in a healthy state. When a liveness probe fails, the pod will be restarted. +### Image Pull Policy Docker's `latest` tag is applied by default to images where a tag hasn't been specified. Not specifying a specific version of an image can lead to a wide variety of problems. The underlying image could include unexpected breaking changes that break your application whenever the latest image is pulled. Reusing the same tag for multiple versions of an image can lead to different nodes in the same cluster having different versions of an image, even if the tag is identical. Related to that, relying on cached versions of a Docker image can become a security vulnerability. By default, an image will be pulled if it isn't already cached on the node attempting to run it. 
This can result in variations in images that are running per node, or potentially provide a way to gain access to an image without having direct access to the ImagePullSecret. With that in mind, it's often better to ensure the a pod has `pullPolicy: Always` specified, so images are always pulled directly from their source. +### Topology Spread Constraints + +By default, the Kubernetes scheduler uses a bin-packing algorithm to fit as many pods as possible into a cluster. The scheduler prefers a more evenly distributed general node load to app replicas precisely spread across nodes. Therefore, by default, multi-replica is not guaranteed to be spread across multiple availability zones. Kubernetes provides topologySpreadConstraint configuration in order to better ensure pod spread across multiple AZs and/or Hosts. + +Example of a topologySpreadConstraint spreading across zones: + +``` +apiVersion: apps/v1 +kind: Deployment +metadata: + name: demo-basic-demo +spec: + selector: + matchLabels: + app.kubernetes.io/name: basic-demo + app.kubernetes.io/instance: demo + template: + metadata: + labels: + app.kubernetes.io/name: basic-demo + app.kubernetes.io/instance: demo + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: "topology.kubernetes.io/zone" + whenUnsatisfiable: ScheduleAnyway +``` + + ## Further Reading - [What's Wrong With The Docker :latest Tag?](https://vsupalov.com/docker-latest-tag/) 
@@ -37,3 +69,4 @@ - [Kubernetes Docs: Configure Liveness and Readiness Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) - [Utilizing Kubernetes Liveness and Readiness Probes to Automatically Recover From Failure](https://medium.com/spire-labs/utilizing-kubernetes-liveness-and-readiness-probes-to-automatically-recover-from-failure-2fe0314f2b2e) - [Kubernetes Liveness and Readiness Probes: How to Avoid Shooting Yourself in the Foot](https://blog.colinbreck.com/kubernetes-liveness-and-readiness-probes-how-to-avoid-shooting-yourself-in-the-foot/) +- [Topology Spread Cosntraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/examples/config.yaml new/polaris-7.3.0/examples/config.yaml --- old/polaris-7.2.1/examples/config.yaml 2023-01-04 16:10:09.000000000 +0100 +++ new/polaris-7.3.0/examples/config.yaml 2023-01-05 15:33:45.000000000 +0100 @@ -9,6 +9,7 @@ metadataAndNameMismatched: ignore pdbDisruptionsIsZero: warning missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning # efficiency cpuRequestsMissing: warning diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/pkg/config/checks.go new/polaris-7.3.0/pkg/config/checks.go --- old/polaris-7.2.1/pkg/config/checks.go 2023-01-04 16:10:09.000000000 +0100 +++ new/polaris-7.3.0/pkg/config/checks.go 2023-01-05 15:33:45.000000000 +0100 
@@ -33,6 +33,7 @@ "hostPIDSet", "hostNetworkSet", "automountServiceAccountToken", + "topologySpreadConstraint", // Container checks "memoryLimitsMissing", "memoryRequestsMissing", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/pkg/dashboard/templates/navbar.gohtml new/polaris-7.3.0/pkg/dashboard/templates/navbar.gohtml --- old/polaris-7.2.1/pkg/dashboard/templates/navbar.gohtml 2023-01-04 16:10:09.000000000 +0100 +++ new/polaris-7.3.0/pkg/dashboard/templates/navbar.gohtml 2023-01-05 15:33:45.000000000 +0100 @@ -5,6 +5,7 @@ <a href="https://www.fairwinds.com/polaris-user-insights-demo?utm_source=polaris&utm_medium=polaris&utm_campaign=polaris" target="_blank"> <img class="fw-logo" src="static/images/white_logo_fairwinds.svg" alt="Fairwinds" /> </a> + <div style="color: white;"> Want more? Automate Polaris with <a href="https://www.fairwinds.com/insights-signup/polaris"><strong>Fairwinds Insights</strong></a></div> <div class="right-section p-0 d-flex justify-content-between"> <a href="https://github.com/FairwindsOps" target="_blank"> <img class="gh-logo" src="static/images/white_icon_github.svg" alt="Github" /> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/test/checks/topologySpreadConstraint/failure.invalidtopologykey.yaml new/polaris-7.3.0/test/checks/topologySpreadConstraint/failure.invalidtopologykey.yaml --- old/polaris-7.2.1/test/checks/topologySpreadConstraint/failure.invalidtopologykey.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.3.0/test/checks/topologySpreadConstraint/failure.invalidtopologykey.yaml 2023-01-05 15:33:45.000000000 +0100 
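Review bot: The Fairwinds Insights link added in pkg/dashboard/templates/navbar.gohtml has no `target`, so clicking it navigates the dashboard tab away. The neighbouring logo and GitHub links use `target="_blank"`. If the new link is made consistent, add `rel="noopener noreferrer"` with it, e.g. `<a href="https://www.fairwinds.com/insights-signup/polaris" target="_blank" rel="noopener noreferrer">`, so the opened page gets no `window.opener` handle to the dashboard. The inline `style="color: white;"` would also read better as a class alongside the existing `fw-logo` and `right-section` rules.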
@@ -0,0 +1,65 @@ +# Source: basic-demo/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: demo-basic-demo + labels: + app.kubernetes.io/name: basic-demo + helm.sh/chart: basic-demo-0.5.2 + app.kubernetes.io/instance: demo + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: basic-demo + app.kubernetes.io/instance: demo + template: + metadata: + labels: + app.kubernetes.io/name: basic-demo + app.kubernetes.io/instance: demo + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: farglebargle + whenUnsatisfiable: ScheduleAnyway + containers: + - name: basic-demo + image: "quay.io/fairwinds/docker-demo:latest" + imagePullPolicy: Always + env: + - name: REFRESH_INTERVAL + value: "500" + - name: TITLE + value: "Kubernetes Demo" + - name: METADATA + value: "" + ports: + - name: http + containerPort: 8080 + protocol: TCP + securityContext: + runAsUser: 1200 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/test/checks/topologySpreadConstraint/failure.nospreadconstraint.yaml new/polaris-7.3.0/test/checks/topologySpreadConstraint/failure.nospreadconstraint.yaml --- old/polaris-7.2.1/test/checks/topologySpreadConstraint/failure.nospreadconstraint.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.3.0/test/checks/topologySpreadConstraint/failure.nospreadconstraint.yaml 2023-01-05 15:33:45.000000000 +0100 
@@ -0,0 +1,61 @@ +# Source: basic-demo/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: demo-basic-demo + labels: + app.kubernetes.io/name: basic-demo + helm.sh/chart: basic-demo-0.5.2 + app.kubernetes.io/instance: demo + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: basic-demo + app.kubernetes.io/instance: demo + template: + metadata: + labels: + app.kubernetes.io/name: basic-demo + app.kubernetes.io/instance: demo + spec: + containers: + - name: basic-demo + image: "quay.io/fairwinds/docker-demo:latest" + imagePullPolicy: Always + env: + - name: REFRESH_INTERVAL + value: "500" + - name: TITLE + value: "Kubernetes Demo" + - name: METADATA + value: "" + ports: + - name: http + containerPort: 8080 + protocol: TCP + securityContext: + runAsUser: 1200 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.2.1/test/checks/topologySpreadConstraint/success.yaml new/polaris-7.3.0/test/checks/topologySpreadConstraint/success.yaml --- old/polaris-7.2.1/test/checks/topologySpreadConstraint/success.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/polaris-7.3.0/test/checks/topologySpreadConstraint/success.yaml 2023-01-05 15:33:45.000000000 +0100 
@@ -0,0 +1,65 @@ +# Source: basic-demo/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: demo-basic-demo + labels: + app.kubernetes.io/name: basic-demo + helm.sh/chart: basic-demo-0.5.2 + app.kubernetes.io/instance: demo + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + app.kubernetes.io/name: basic-demo + app.kubernetes.io/instance: demo + template: + metadata: + labels: + app.kubernetes.io/name: basic-demo + app.kubernetes.io/instance: demo + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: "topology.kubernetes.io/zone" + whenUnsatisfiable: ScheduleAnyway + containers: + - name: basic-demo + image: "quay.io/fairwinds/docker-demo:latest" + imagePullPolicy: Always + env: + - name: REFRESH_INTERVAL + value: "500" + - name: TITLE + value: "Kubernetes Demo" + - name: METADATA + value: "" + ports: + - name: http + containerPort: 8080 + protocol: TCP + securityContext: + runAsUser: 1200 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + limits: + cpu: 1 + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/polaris/vendor.tar.gz /work/SRC/openSUSE:Factory/.polaris.new.1563/vendor.tar.gz differ: char 5, line 1
