Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package polaris for openSUSE:Factory checked in at 2023-06-01 17:19:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/polaris (Old) and /work/SRC/openSUSE:Factory/.polaris.new.2531 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polaris" Thu Jun 1 17:19:43 2023 rev:15 rq:1090133 version:8.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/polaris/polaris.changes 2023-05-17 10:53:57.971617168 +0200 +++ /work/SRC/openSUSE:Factory/.polaris.new.2531/polaris.changes 2023-06-01 17:19:53.598293013 +0200 @@ -1,0 +2,6 @@ +Thu Jun 01 05:26:22 UTC 2023 - ka...@b1-systems.de + +- Update to version 8.0.0: + * Update checks severities (#950) + +------------------------------------------------------------------- Old: ---- polaris-7.4.2.obscpio New: ---- polaris-8.0.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ polaris.spec ++++++ --- /var/tmp/diff_new_pack.XQYMKN/_old 2023-06-01 17:19:54.542298609 +0200 +++ /var/tmp/diff_new_pack.XQYMKN/_new 2023-06-01 17:19:54.546298632 +0200 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: polaris -Version: 7.4.2 +Version: 8.0.0 Release: 0 Summary: Validation of best practices in your Kubernetes clusters License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.XQYMKN/_old 2023-06-01 17:19:54.578298822 +0200 +++ /var/tmp/diff_new_pack.XQYMKN/_new 2023-06-01 17:19:54.586298869 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/FairwindsOps/polaris</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">7.4.2</param> + <param name="revision">8.0.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.XQYMKN/_old 2023-06-01 17:19:54.602298964 +0200 +++ /var/tmp/diff_new_pack.XQYMKN/_new 2023-06-01 17:19:54.606298988 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/FairwindsOps/polaris</param> - <param name="changesrevision">166b39b695128f7c34af25580e073cbf5864671d</param></service></servicedata> + <param name="changesrevision">65c5ff59ca6162d48d0797a02a11c2341ecf529c</param></service></servicedata> (No newline at EOF) ++++++ polaris-7.4.2.obscpio -> polaris-8.0.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.2/docs/changelog.md new/polaris-8.0.0/docs/changelog.md --- old/polaris-7.4.2/docs/changelog.md 2023-05-17 00:24:13.000000000 +0200 +++ new/polaris-8.0.0/docs/changelog.md 2023-05-31 22:41:18.000000000 +0200 
@@ -5,6 +5,25 @@ content: "Fairwinds Polaris | Changelog" --- + +## 8.0.0 +* Change default severity from `ignore` to `warning` for `priorityClassNotSet`, `metadataAndNameMismatched`, `missingPodDisruptionBudget`, `automountServiceAccountToken`, `missingNetworkPolicy` checks. +* Change default severity from `warning` to `danger` for `sensitiveContainerEnvVar`, `sensitiveConfigmapContent`, `clusterrolePodExecAttach`, `rolePodExecAttach`, `clusterrolebindingPodExecAttach`, `rolebindingClusterRolePodExecAttach`, `rolebindingRolePodExecAttach`,`clusterrolebindingClusterAdmin`,`rolebindingClusterAdminClusterRole`,`rolebindingClusterAdminRole` checks. + +## 7.4.0 +* Skip https certificate verification (#920) + +## 7.3.0 +* Add a check for `topologySpreadConstraint` (#879) + +## 7.2.0 +* Enable new RBAC / sensitive content / Pod exec checks, add `hasPrefix` and `hasSuffix` functions to the GO template, exempt `system:` name prefixes for RBAC checks, sensitive content checks ignore `valueFrom`, (#832) + +## 7.1.0 +* Let Polaris modify YAML without losing comments/formatting (#821) +* Add checks for RBAC allowing exec or attaching to a Pod (#820) +* Add `clusterrolebindingClusterAdmin`, `rolebindingClusterAdminRole`, and `rolebindingClusterAdminClusterRole` checks + schema tests (#823) + ## 7.0.2 * Fixes for pretty CLI output * Some new checks (disabled by default) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.2/docs/checks/reliability.md new/polaris-8.0.0/docs/checks/reliability.md --- old/polaris-7.4.2/docs/checks/reliability.md 2023-05-17 00:24:13.000000000 +0200 +++ new/polaris-8.0.0/docs/checks/reliability.md 2023-05-31 22:41:18.000000000 +0200 
@@ -14,10 +14,10 @@ `livenessProbeMissing` | `warning` | Fails when a liveness probe is not configured for a pod. `tagNotSpecified` | `danger` | Fails when an image tag is either not specified or `latest`. `pullPolicyNotAlways` | `warning` | Fails when an image pull policy is not `always`. -`priorityClassNotSet` | `ignore` | Fails when a priorityClassName is not set for a pod. +`priorityClassNotSet` | `warning` | Fails when a priorityClassName is not set for a pod. `deploymentMissingReplicas` | `warning` | Fails when there is only one replica for a deployment. -`missingPodDisruptionBudget` | `ignore` -`metadataAndNameMismatched` | `ignore` +`missingPodDisruptionBudget` | `warning` +`metadataAndNameMismatched` | `warning` `topologySpreadConstraint` | `warning` | Fails when there is no topology spread constraint on the pod ## Background diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.2/docs/checks/security.md new/polaris-8.0.0/docs/checks/security.md --- old/polaris-7.4.2/docs/checks/security.md 2023-05-17 00:24:13.000000000 +0200 +++ new/polaris-8.0.0/docs/checks/security.md 2023-05-31 22:41:18.000000000 +0200 
@@ -24,17 +24,17 @@ `hostNetworkSet` | `warning` | Fails when `hostNetwork` attribute is configured. `hostPortSet` | `warning` | Fails when `hostPort` attribute is configured. `tlsSettingsMissing` | `warning` | Fails when an Ingress lacks TLS settings. -`sensitiveContainerEnvVar` | `warning` | Fails when the container sets potentially sensitive environment variables. -`sensitiveConfigmapContent` | `warning` | Fails when potentially sensitive content is detected in the ConfigMap keys or values. -`missingNetworkPolicy` | `ignore` -`clusterrolePodExecAttach` | `warning` | Fails when the ClusterRole allows Pods/exec or pods/attach. -`rolePodExecAttach` | `warning` | Fails when the Role allows Pods/exec or pods/attach. -`clusterrolebindingPodExecAttach` | `warning` | Fails when the ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist. -`rolebindingRolePodExecAttach` | `warning` | Fails when the RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist. -`rolebindingClusterRolePodExecAttach` | `warning` | Fails when the RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist. -`clusterrolebindingClusterAdmin` | `warning` | Fails when the ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions. -`rolebindingClusterAdminClusterRole` | `warning` | Fails when the RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions. -`rolebindingClusterAdminRole` | `warning` | Fails when the RoleBinding references a Role with wildcard permissions. +`sensitiveContainerEnvVar` | `danger` | Fails when the container sets potentially sensitive environment variables. +`sensitiveConfigmapContent` | `danger` | Fails when potentially sensitive content is detected in the ConfigMap keys or values. 
+`missingNetworkPolicy` | `warning` +`clusterrolePodExecAttach` | `danger` | Fails when the ClusterRole allows Pods/exec or pods/attach. +`rolePodExecAttach` | `danger` | Fails when the Role allows Pods/exec or pods/attach. +`clusterrolebindingPodExecAttach` | `danger` | Fails when the ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist. +`rolebindingRolePodExecAttach` | `danger` | Fails when the RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist. +`rolebindingClusterRolePodExecAttach` | `danger` | Fails when the RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist. +`clusterrolebindingClusterAdmin` | `danger` | Fails when the ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions. +`rolebindingClusterAdminClusterRole` | `danger` | Fails when the RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions. +`rolebindingClusterAdminRole` | `danger` | Fails when the RoleBinding references a Role with wildcard permissions. ## Background diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.2/examples/config-full.yaml new/polaris-8.0.0/examples/config-full.yaml --- old/polaris-7.4.2/examples/config-full.yaml 2023-05-17 00:24:13.000000000 +0200 +++ new/polaris-8.0.0/examples/config-full.yaml 2023-05-31 22:41:18.000000000 +0200 @@ -8,8 +8,8 @@ livenessProbeMissing: warning topologySpreadConstraint: warning pdbDisruptionsIsZero: warning - missingPodDisruptionBudget: ignore - metadataAndNameMismatched: ignore + missingPodDisruptionBudget: warning + metadataAndNameMismatched: warning # efficiency cpuRequestsMissing: warning 
@@ -22,7 +22,7 @@ hostIPCSet: danger hostPIDSet: danger linuxHardening: danger - missingNetworkPolicy: ignore + missingNetworkPolicy: warning notReadOnlyRootFilesystem: warning privilegeEscalationAllowed: danger runAsRootAllowed: danger diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.2/examples/config.yaml new/polaris-8.0.0/examples/config.yaml --- old/polaris-7.4.2/examples/config.yaml 2023-05-17 00:24:13.000000000 +0200 +++ new/polaris-8.0.0/examples/config.yaml 2023-05-31 22:41:18.000000000 +0200 @@ -1,14 +1,14 @@ checks: # reliability deploymentMissingReplicas: warning - priorityClassNotSet: ignore + priorityClassNotSet: warning tagNotSpecified: danger pullPolicyNotAlways: warning readinessProbeMissing: warning livenessProbeMissing: warning - metadataAndNameMismatched: ignore + metadataAndNameMismatched: warning pdbDisruptionsIsZero: warning - missingPodDisruptionBudget: ignore + missingPodDisruptionBudget: warning topologySpreadConstraint: warning # efficiency @@ -18,11 +18,11 @@ memoryLimitsMissing: warning # security - automountServiceAccountToken: ignore + automountServiceAccountToken: warning hostIPCSet: danger hostPIDSet: danger linuxHardening: warning - missingNetworkPolicy: ignore + missingNetworkPolicy: warning notReadOnlyRootFilesystem: warning privilegeEscalationAllowed: danger runAsRootAllowed: danger 
@@ -32,17 +32,16 @@ hostNetworkSet: danger hostPortSet: warning tlsSettingsMissing: warning - # These are initially warning and will later be promoted to danger. - sensitiveContainerEnvVar: warning - sensitiveConfigmapContent: warning - clusterrolePodExecAttach: warning - rolePodExecAttach: warning - clusterrolebindingPodExecAttach: warning - rolebindingClusterRolePodExecAttach: warning - rolebindingRolePodExecAttach: warning - clusterrolebindingClusterAdmin: warning - rolebindingClusterAdminClusterRole: warning - rolebindingClusterAdminRole: warning + sensitiveContainerEnvVar: danger + sensitiveConfigmapContent: danger + clusterrolePodExecAttach: danger + rolePodExecAttach: danger + clusterrolebindingPodExecAttach: danger + rolebindingClusterRolePodExecAttach: danger + rolebindingRolePodExecAttach: danger + clusterrolebindingClusterAdmin: danger + rolebindingClusterAdminClusterRole: danger + rolebindingClusterAdminRole: danger mutations: ++++++ polaris.obsinfo ++++++ --- /var/tmp/diff_new_pack.XQYMKN/_old 2023-06-01 17:19:54.926300885 +0200 +++ /var/tmp/diff_new_pack.XQYMKN/_new 2023-06-01 17:19:54.934300933 +0200 @@ -1,5 +1,5 @@ name: polaris -version: 7.4.2 -mtime: 1684275853 -commit: 166b39b695128f7c34af25580e073cbf5864671d +version: 8.0.0 +mtime: 1685565678 +commit: 65c5ff59ca6162d48d0797a02a11c2341ecf529c ++++++ vendor.tar.gz ++++++
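Review bot: in polaris.changes, the entry "Update to version 8.0.0: Update checks severities (#950)" understates a behaviour change that consumers of this package will notice: defaults move from `ignore` to `warning` and from `warning` to `danger` for the checks listed in docs/changelog.md, so an audit that passed on 7.4.2 can start reporting dangers on 8.0.0. Suggest naming the promoted checks in the changes entry (or pointing at the upstream changelog) so the reason for the major version bump is visible from the package history.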
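Review bot: in the docs/changelog.md hunk, the second bullet of `## 8.0.0` drops the space after the commas between `rolebindingRolePodExecAttach`,`clusterrolebindingClusterAdmin`,`rolebindingClusterAdminClusterRole`,`rolebindingClusterAdminRole`, and unlike every 7.x entry it carries no PR reference even though polaris.changes attributes it to #950. Suggest `...\`rolebindingRolePodExecAttach\`, \`clusterrolebindingClusterAdmin\`, \`rolebindingClusterAdminClusterRole\`, \`rolebindingClusterAdminRole\` checks. (#950)`.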
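Review bot: in the docs/checks/reliability.md hunk, the `missingPodDisruptionBudget` and `metadataAndNameMismatched` rows are promoted to `warning` but still have no description cell, while every other row in the table states what the check fails on. Now that these checks surface in a default audit, add a third cell in the style of the `topologySpreadConstraint` row so readers can tell why the warning appeared.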
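Review bot: in the docs/checks/security.md hunk, `missingNetworkPolicy` | `warning` has the same missing description cell as the reliability table, and the exec/attach rows mix `Pods/exec` with `pods/attach`; the Kubernetes subresources are lowercase (`pods/exec`, `pods/attach`), so suggest `Fails when the ClusterRole allows pods/exec or pods/attach.` for consistency. The promotion of the exec/attach and cluster-admin/wildcard rows to `danger` is in line with what the descriptions say they detect (exec or attach into a Pod, or a binding to cluster-admin or wildcard permissions), so no change is needed there beyond the wording.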
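Review bot: the two visible examples/config-full.yaml hunks update only `missingPodDisruptionBudget`, `metadataAndNameMismatched` and `missingNetworkPolicy`, whereas the examples/config.yaml hunks in the same patch also promote `priorityClassNotSet` and `automountServiceAccountToken` to `warning` and the changelog lists all five. Please confirm those two keys were updated in config-full.yaml outside the shown context; otherwise the "full" example will disagree with the defaults it is meant to document.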
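Review bot: in the second examples/config.yaml hunk, the context lines show `linuxHardening: warning` while the config-full.yaml hunk shows `linuxHardening: danger`; this is pre-existing and not introduced here, but since this patch is already reconciling severities across both example files it is a good moment to pick one value (or note why the two examples differ).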
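Review bot: in the third examples/config.yaml hunk, dropping `# These are initially warning and will later be promoted to danger.` is correct now that the promotion has happened, but the example loses the only hint that these ten keys are the ones most likely to turn an existing audit red. Suggest a one-line replacement such as `# Promoted from warning to danger in 8.0.0` above `sensitiveContainerEnvVar: danger`, so readers carrying a copied config know which entries to revisit.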