- Add namespace filter in UI
- Add priorityClass check
- Support reading from STDIN
- Ensure severity is set for all custom checks
- Support audit files which use \r or \r\n as newline character
- Add option to exempt an entire controller from checks via config file
- Fixed case where parent resources trigger error
- Fixed UI zero-state
- Fixed case where parent resources trigger error
- Fixed dashboard link when `--base-path` is set
- Fixed case where custom CRDs are not covered by RBAC
- Added ARM binaries to releases
- Added support for custom checks using JSON Schema
- Added support for arbitrary controllers, rather than a pre-configured set
  - removed support for `controllers_to_scan` in config
- Added the ability to exempt a particular controller from a particular check.
- Docker image now includes the default config
- Breaking changes in both input and output formats. See Examples for examples of the new formats.
- removed config-level configuration for checks like max/min memory settings
- changed severity `error` to `danger`
- Breaking changes to the CLI
  - CLI flag `--set-exit-code-on-error` is now `--set-exit-code-on-danger`
  - Flags `--version`, `--dashboard`, `--webhook`, and `--audit` are now arguments
  - Port flags are now just `--port`
- Fixed webhook support in Kubernetes 1.16
- this also removes support for 1.8
- Added support for exemptions via controller annotations
- Fixed missing success messages for resource requests/limits
- Added a few more exemptions
- Started checking exemptions based on controller name prefix
- `runAsUser != 0` now passes the `runAsNonRoot` check
- Added `--load-audit-file` flag to run the dashboard from an existing audit
- Added an `ID` field to each check in the output
- Skip health checks for jobs, cronjobs, initcontainers
- Added support for exemptions
- Fixed dashboard base path option
- Added additional Pod Controllers to scan PodSpec (`jobs`, `cronjobs`, `daemonsets`, `replicationcontrollers`)
- Changed dashboard branding to refer to new org name Fairwinds
- Added `--set-exit-code-on-error` and `--set-exit-code-below-score` flags to better support CI/CD
- Fix: Fixed logic on RunAsNonRoot check to incorporate settings in podSpec
- Added `--output-format` flag for better CI/CD support
- Added `--display-name` flag
- Added support for StatefulSets
- Show error message if no kubeconfig is set
- Fix: details pages getting template errors
- Fix: support all auth providers
- Fix: Ignore readiness probe for initContainers
- Fix: dashboard not updating when running persistently
- Stored all third-party assets (e.g. Chart.js) in local files to support offline dashboard viewing
- Fix: custom configs in `ConfigMap` not respected
- Fix: missing `config.yaml` and dashboard assets in binary releases
- Added some tests and better error handling
- Dashboard fully functional
- Validating webhook functional, but still considered beta
- Checks:
  - Health
    - readiness probe missing
    - liveness probe missing
  - Images
    - tag not specified
    - pull policy not always
  - Networking
    - host network set
    - host port set
  - Resources
    - cpu/memory requests missing
    - cpu/memory limits missing
    - cpu/memory ranges exceeded
  - Security
    - security capabilities
    - host IPC set
    - host PID set
    - not read-only fs
    - privilege escalation allowed
    - run as root allowed
    - run as privileged