Unreleased Change metadataAndNameMismatched to metadataAndInstanceMismatched 8.1.1 Add category for metadataAndNameMismatched. Fix category for priorityClassNotSet. 8.1.0 Add insights-host global flag to configure Fairwinds Insights host (defaults to https://insights.fairwinds.com). Add new auth sub-commands be able to authenticate on Polaris using Fairwinds Insights credentials
login - login using Fairwinds Insights credentials via the web interface or provide a tokenlogout - logout from Fairwinds Insightsstatus - show relevant information regarding login statetoken - prints the token from local storage Add new audit flags to be able to upload Workloads and Polaris results to Fairwinds Insights
upload-insights - indicates that the results should be uploaded to Fairwinds Insights. (defaults to false)cluster-name - cluster name that the results belongs to. Creates the cluster if it does not exist. (required if upload-insights is used) 8.0.0 Change default severity from ignore to warning for priorityClassNotSet, metadataAndNameMismatched, missingPodDisruptionBudget, automountServiceAccountToken, missingNetworkPolicy checks. Change default severity from warning to danger for sensitiveContainerEnvVar, sensitiveConfigmapContent, clusterrolePodExecAttach, rolePodExecAttach, clusterrolebindingPodExecAttach, rolebindingClusterRolePodExecAttach, rolebindingRolePodExecAttach,clusterrolebindingClusterAdmin,rolebindingClusterAdminClusterRole,rolebindingClusterAdminRole checks. 7.4.0 Skip https certificate verification (#920) 7.3.0 Add a check for topologySpreadConstraint (#879) 7.2.0 Enable new RBAC / sensitive content / Pod exec checks, add hasPrefix and hasSuffix functions to the GO template, exempt system: name prefixes for RBAC checks, sensitive content checks ignore valueFrom, (#832) 7.1.0 Let Polaris modify YAML without losing comments/formatting (#821) Add checks for RBAC allowing exec or attaching to a Pod (#820) Add clusterrolebindingClusterAdmin, rolebindingClusterAdminRole, and rolebindingClusterAdminClusterRole checks + schema tests (#823) 7.0.2 Fixes for pretty CLI output Some new checks (disabled by default) Some additional features in templating engine 7.0.1 7.0.0 Better support for polaris fix target: Pod is now target: PodSpec (to differentiate naked Pods from Controllers) 6.0.0 Preliminary support for polaris fix command Changes to how Pod owners are determined Removed YAML manifests from the deploy/ directory - Helm is now the default install mechanism 5.1.0 Support --context flag for kubecontext Treat core Kubernetes controllers (Deployments, StatefulSets, DaemonSets, CronJobs) as top-level objects, instead of following owner refs 5.0.0 Renamed multipleReplicasForDeployment to deploymentMissingReplicas Changed RunAsRootAllowed and hostNetworkSet default severity to danger Changed deploymentMissingReplicas default severity to warning 4.2.0 New flags --disallow-(config|annotation)-exemptions Kubernetes dependency updates Documentation updates 4.1.0 Handle case-insentitivity in capabilities checks Change test for PDB disruptions to better handle IaC 4.0.9 4.0.8 Fix support for namespace checks 4.0.7 4.0.6 Change goreleaser format Fix --helm-values flag 4.0.5 Bugfix for repeated objects on the dashboard 4.0.4 Bugfix for validating webhook and non-pod checks 4.0.3 Fixed bad interaction between --set-exit-score-below and --only-show-failed-tests Dependency updates Support for Helm chart scanning 4.0.2 4.0.1 4.0.0 Add support for arbitrary resources, like Ingress or PodDisruptionBudget Add support check templating (see docs) Add support for multi-resource checks (see docs) Breaking Changes In custom checks, jsonSchema is now schemaString Check pdbDisruptionsAllowedGreaterThanZero is now called pdbDisruptionsIsZero 3.2.0 Add --format=pretty option for CLI output 3.1.6 Fix nil pointer issue with --only-output-failed-tests 3.1.5 Fix UI display of Ingress checks 3.1.4 Fixes for exemption annotations for the admission controller 3.1.3 Fixes for privilegeEscalationAllowed and insecureCapabilities checks to take Kubernetes defaults into account 3.1.2 Start checking deployment configuration using Fairwinds Insights 3.1.1 3.1.0 Added support for Ingress objects Fixes for exemptions, including support for exempting entire namespaces 3.0.0 Breaking - fixed inconsistency in how controller-level checks are handled
Custom checks with target: Controller should remove Object from the top-level of the
JSON schema (see changes to ./checks/multipleReplicasForDeployment.yaml) 2.0.1 Fixed Polaris deployment process 2.0.0 Standardize categories of checks into Security, Reliability, and Efficiency Changes to the dashboard UI Update controller-runtime 1.2.1 Update date on dashboard footer 1.2.0 Add ability to audit a single workload Enable pullPolicyAlways by default Fix for finding parent resources 1.1.1 Show controller checks on dashboard Fix for orphaned pods w/ controller checks 1.1.0 Add namespace filter in UI Add priorityClass check Support reading from STDIN Ensure severity is set for all custom checks Support audit files which use \r or \r\n as newline character Add option to exempt an entire controller from checks via config file Fixed case where parent resources trigger error Fixed UI zero-state 1.0.3 Fixed case where parent resources trigger error Fixed dashboard link when --base-path is set 1.0.2 Fixed case where custom CRDs are not covered by RBAC 1.0.1 Added ARM binaries to releases 1.0.0 New Features Added support for custom checks using JSON Schema Added support for arbitrary controllers, rather than a pre-configured set
removed support for controllers_to_scan in config Added the ability to exempt a particular controller from a particular check. Docker image now includes the default config Breaking Changes Breaking changes in both input and output formats. See Examples(opens new window) for examples of the new formats.
removed config-level configuration for checks like max/min memory settings changed severity error to danger Breaking changes to the CLI
CLI flag --set-exit-code-on-error is now --set-exit-code-on-danger Flags --version, --dashboard, --webhook, and --audit are now arguments Port flags are now just --port 0.6.0 Fixed webhook support in Kubernetes 1.16
this also removes support for 1.8 Added support for exemptions via controller annotations 0.5.2 Fixed missing success messages for resource requests/limits 0.5.1 Added a few more exemptions Started checking exemptions based on controller name prefix runAsUser != 0 now passes the runAsNonRoot check 0.5.0 Added --load-audit-file flag to run the dashboard from an existing audit Added an ID field to each check in the output Skip health checks for jobs, cronjobs, initcontainers Added support for exemptions Fixed dashboard base path option 0.4.0 Added additional Pod Controllers to scan PodSpec (jobs, cronjobs, daemonsets, replicationcontrollers) 0.3.1 Changed dashboard branding to refer to new org name Fairwinds 0.3.0 Added --set-exit-code-on-error and --set-exit-code-below-score flags to better support CI/CD 0.2.1 0.2.0 Added --output-format flag for better CI/CD support Added --display-name flag Added support for StatefulSets Show error message if no kubeconfig is set 0.1.5 0.1.4 0.1.3 0.1.2 Stored all third-party assets (e.g. Charts.js) to local files to support offline dashboard viewing Fix: custom configs in ConfigMap not respected 0.1.1 Fix(opens new window) : missing config.yaml and dashboard assets in binary releasesAdded some tests and better error handling 0.1.0 Dashboard fully functional Validating webhook functional, but still considered beta Checks:
Health
readiness probe missing liveness probe missing Images
tag not specified pull policy not always Networking
host network set host port set Resources
cpu/memory requests missing cpu/memory limits missing cpu/memory ranges exceeded Security
security capabilities host IPC set host PID set not read-only fs privilege escalation allowed run as root allowed run as privileged
