Add support for annotation-based exemptions

docs/usage.md

@@ -4,9 +4,12 @@ be run as a local binary, which will use your kubeconfig to connect to the clust
 or run against local YAML files.
 
 ## Configuration
+Polaris supports a wide range of validations covering a number of Kubernetes best practices.
+Here's a [sample configuration file](/examples/config-full.yaml) that includes all currently supported checks.
+The [default configuration](/examples/config.yaml) contains a number of those checks.
 
-Polaris supports a wide range of validations covering a number of Kubernetes best practices. Here's a sample configuration file that includes all currently supported checks. The [default configuration](https://github.com/fairwindsops/polaris/blob/master/examples/config.yaml) contains a number of those checks. This repository also includes a sample [full configuration file](https://github.com/fairwindsops/polaris/blob/master/examples/config-full.yaml) that enables all available checks.
 
+### Checks
 Each check can be assigned a `severity`. Only checks with a severity of `error` or `warning` will be validated. The results of these validations are visible on the dashboard. In the case of the validating webhook, only failures with a severity of `error` will result in a change being rejected.
 
 Polaris validation checks fall into several different categories:
@@ -17,6 +20,23 @@ Polaris validation checks fall into several different categories:
 - [Resources](check-documentation/resources.md)
 - [Security](check-documentation/security.md)
 
+### Exemptions
+Exemptions can be added two ways: by annotating a controller, or editing the Polaris config.
+
+To exempt a controller via annotations, use the annotation `polaris.fairwinds.com/exempt=true`, e.g.
+```
+kubectl annotate deployment my-deployment polaris.fairwinds.com/exempt=true
+```
+
+To exempt a controller via the config, you have to specify a list of controller names and a list of rules, e.g.
+```yaml
+exemptions:
+ - controllerNames:
+ - dns-controller
+ rules:
+ - hostNetworkSet
+```
+
 # Installing
 There are several ways to install and use Polaris. Below outline ways to install using `kubectl`, `helm` and `local binary`.
 

examples/config-full.yaml

@@ -63,6 +63,13 @@ security:
  warning:
  ifAnyAddedBeyond:
  - NONE
+controllers_to_scan:
+ - Deployments
+ - StatefulSets
+ - DaemonSets
+ - CronJobs
+ - Jobs
+ - ReplicationControllers
 exemptions:
  - controllerNames:
  - dns-controller

pkg/validator/controller.go

@@ -15,13 +15,17 @@
 package validator
 
 import (
+ "strings"
+
  conf "github.com/fairwindsops/polaris/pkg/config"
  "github.com/fairwindsops/polaris/pkg/kube"
  "github.com/fairwindsops/polaris/pkg/validator/controllers"
  controller "github.com/fairwindsops/polaris/pkg/validator/controllers"
  "github.com/sirupsen/logrus"
 )
 
+const exemptionAnnotationKey = "polaris.fairwinds.com/exempt"
+
 // ValidateController validates a single controller, returns a ControllerResult.
 func ValidateController(conf conf.Configuration, controller controller.Interface) ControllerResult {
  controllerType := controller.GetType()
@@ -44,6 +48,9 @@ func ValidateControllers(config conf.Configuration, kubeResources *kube.Resource
  }
 
  for _, controller := range controllersToAudit {
+ if !config.DisallowExemptions && hasExemptionAnnotation(controller) {
+ continue
+ }
  controllerResult := ValidateController(config, controller)
  nsResult := nsResults.getNamespaceResult(controller.GetNamespace())
  nsResult.Summary.appendResults(*controllerResult.PodResult.Summary)
@@ -52,3 +59,9 @@ func ValidateControllers(config conf.Configuration, kubeResources *kube.Resource
  }
  }
 }
+
+func hasExemptionAnnotation(ctrl controller.Interface) bool {
+ annot := ctrl.GetAnnotations()
+ val := annot[exemptionAnnotationKey]
+ return strings.ToLower(val) == "true"
+}

pkg/validator/controller_test.go

@@ -17,12 +17,14 @@ package validator
 import (
  "testing"
 
- conf "github.com/fairwindsops/polaris/pkg/config"
- controller "github.com/fairwindsops/polaris/pkg/validator/controllers"
+ "github.com/stretchr/testify/assert"
+ appsv1 "k8s.io/api/apps/v1"
  corev1 "k8s.io/api/core/v1"
 
+ conf "github.com/fairwindsops/polaris/pkg/config"
+ "github.com/fairwindsops/polaris/pkg/kube"
+ controller "github.com/fairwindsops/polaris/pkg/validator/controllers"
  "github.com/fairwindsops/polaris/test"
- "github.com/stretchr/testify/assert"
 )
 
 func TestValidateController(t *testing.T) {
@@ -134,3 +136,44 @@ func TestSkipHealthChecks(t *testing.T) {
  assert.EqualValues(t, &expectedSum, actualResult.PodResult.Summary)
  assert.EqualValues(t, expectedMessages, actualResult.PodResult.ContainerResults[0].Messages)
 }
+
+func TestControllerExemptions(t *testing.T) {
+ c := conf.Configuration{
+ HealthChecks: conf.HealthChecks{
+ ReadinessProbeMissing: conf.SeverityError,
+ LivenessProbeMissing: conf.SeverityWarning,
+ },
+ ControllersToScan: []conf.SupportedController{
+ conf.Deployments,
+ },
+ }
+ resources := &kube.ResourceProvider{
+ Deployments: []appsv1.Deployment{test.MockDeploy()},
+ }
+
+ expectedSum := ResultSummary{
+ Totals: CountSummary{
+ Successes: uint(0),
+ Warnings: uint(1),
+ Errors: uint(1),
+ },
+ ByCategory: make(map[string]*CountSummary),
+ }
+ expectedSum.ByCategory["Health Checks"] = &CountSummary{
+ Successes: uint(0),
+ Warnings: uint(1),
+ Errors: uint(1),
+ }
+ nsResults := NamespacedResults{}
+ ValidateControllers(c, resources, &nsResults)
+ actualResult := nsResults[""].DeploymentResults[0]
+ assert.Equal(t, "Deployments", actualResult.Type)
+ assert.EqualValues(t, &expectedSum, actualResult.PodResult.Summary)
+
+ resources.Deployments[0].ObjectMeta.Annotations = map[string]string{
+ exemptionAnnotationKey: "true",
+ }
+ nsResults = NamespacedResults{}
+ ValidateControllers(c, resources, &nsResults)
+ assert.Equal(t, (*NamespaceResult)(nil), nsResults[""])
+}

pkg/validator/controllers/cronjob.go

@@ -27,6 +27,11 @@ func (c CronJobController) GetType() config.SupportedController {
  return config.CronJobs
 }
 
+// GetAnnotations returns the controller's annotations
+func (c CronJobController) GetAnnotations() map[string]string {
+ return c.K8SResource.ObjectMeta.Annotations
+}
+
 // NewCronJobController builds a new controller interface for Deployments
 func NewCronJobController(originalDeploymentResource kubeAPIBatchV1beta1.CronJob) Interface {
  controller := CronJobController{}

pkg/validator/controllers/daemonset.go

@@ -22,6 +22,11 @@ func (d DaemonSetController) GetPodSpec() *kubeAPICoreV1.PodSpec {
  return &d.K8SResource.Spec.Template.Spec
 }
 
+// GetAnnotations returns the controller's annotations
+func (d DaemonSetController) GetAnnotations() map[string]string {
+ return d.K8SResource.ObjectMeta.Annotations
+}
+
 // GetType returns the supportedcontroller enum type
 func (d DaemonSetController) GetType() config.SupportedController {
  return config.DaemonSets

pkg/validator/controllers/deployment.go

@@ -22,6 +22,11 @@ func (d DeploymentController) GetPodSpec() *kubeAPICoreV1.PodSpec {
  return &d.K8SResource.Spec.Template.Spec
 }
 
+// GetAnnotations returns the controller's annotations
+func (d DeploymentController) GetAnnotations() map[string]string {
+ return d.K8SResource.ObjectMeta.Annotations
+}
+
 // GetType returns the supportedcontroller enum type
 func (d DeploymentController) GetType() config.SupportedController {
  return config.Deployments

pkg/validator/controllers/interface.go

@@ -15,6 +15,7 @@ type Interface interface {
  GetPodTemplate() *kubeAPICoreV1.PodTemplateSpec
  GetPodSpec() *kubeAPICoreV1.PodSpec
  GetType() config.SupportedController
+ GetAnnotations() map[string]string
 }
 
 // GenericController is a base implementation with some free methods for inherited structs

pkg/validator/controllers/job.go

@@ -22,6 +22,11 @@ func (j JobController) GetPodSpec() *kubeAPICoreV1.PodSpec {
  return &j.K8SResource.Spec.Template.Spec
 }
 
+// GetAnnotations returns the controller's annotations
+func (j JobController) GetAnnotations() map[string]string {
+ return j.K8SResource.ObjectMeta.Annotations
+}
+
 // GetType returns the supportedcontroller enum type
 func (j JobController) GetType() config.SupportedController {
  return config.Jobs

pkg/validator/controllers/replicationcontroller.go

@@ -24,6 +24,11 @@ func (r ReplicationControllerController) GetPodSpec() *kubeAPICoreV1.PodSpec {
  return &r.K8SResource.Spec.Template.Spec
 }
 
+// GetAnnotations returns the controller's annotations
+func (r ReplicationControllerController) GetAnnotations() map[string]string {
+ return r.K8SResource.ObjectMeta.Annotations
+}
+
 // GetType returns the supportedcontroller enum type
 func (r ReplicationControllerController) GetType() config.SupportedController {
  return config.ReplicationControllers

pkg/validator/controllers/statefulsets.go

@@ -22,6 +22,11 @@ func (s StatefulSetController) GetPodSpec() *kubeAPICoreV1.PodSpec {
  return &s.K8SResource.Spec.Template.Spec
 }
 
+// GetAnnotations returns the controller's annotations
+func (s StatefulSetController) GetAnnotations() map[string]string {
+ return s.K8SResource.ObjectMeta.Annotations
+}
+
 // GetType returns the supportedcontroller enum type
 func (s StatefulSetController) GetType() config.SupportedController {
  return config.StatefulSets