Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package polaris for openSUSE:Factory checked in at 2023-05-17 10:53:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/polaris (Old) and /work/SRC/openSUSE:Factory/.polaris.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polaris" Wed May 17 10:53:27 2023 rev:14 rq:1087484 version:7.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/polaris/polaris.changes 2023-04-03 17:46:55.256789524 +0200 +++ /work/SRC/openSUSE:Factory/.polaris.new.1533/polaris.changes 2023-05-17 10:53:57.971617168 +0200 @@ -1,0 +2,8 @@ +Wed May 17 04:40:00 UTC 2023 - [email protected] + +- Update to version 7.4.2: + * move to latest alpine (#944) + * Update checks documentation (#936) + * Managed by Terraform + +------------------------------------------------------------------- Old: ---- polaris-7.4.1.obscpio New: ---- polaris-7.4.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ polaris.spec ++++++ --- /var/tmp/diff_new_pack.tWBwSJ/_old 2023-05-17 10:53:58.555620313 +0200 +++ /var/tmp/diff_new_pack.tWBwSJ/_new 2023-05-17 10:53:58.563620356 +0200 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: polaris -Version: 7.4.1 +Version: 7.4.2 Release: 0 Summary: Validation of best practices in your Kubernetes clusters License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.tWBwSJ/_old 2023-05-17 10:53:58.599620550 +0200 +++ /var/tmp/diff_new_pack.tWBwSJ/_new 2023-05-17 10:53:58.603620571 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/FairwindsOps/polaris</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">7.4.1</param> + <param name="revision">7.4.2</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.tWBwSJ/_old 2023-05-17 10:53:58.623620679 +0200 +++ /var/tmp/diff_new_pack.tWBwSJ/_new 2023-05-17 10:53:58.627620700 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/FairwindsOps/polaris</param> - <param name="changesrevision">1ddd2d985a1e0d8299c4bfac7677b8998d2329d9</param></service></servicedata> + <param name="changesrevision">166b39b695128f7c34af25580e073cbf5864671d</param></service></servicedata> (No newline at EOF) ++++++ polaris-7.4.1.obscpio -> polaris-7.4.2.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.1/.github/workflows/stale.yml new/polaris-7.4.2/.github/workflows/stale.yml --- old/polaris-7.4.1/.github/workflows/stale.yml 2023-03-31 16:43:46.000000000 +0200 +++ new/polaris-7.4.2/.github/workflows/stale.yml 2023-05-17 00:24:13.000000000 +0200 @@ -11,7 +11,7 @@ stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v7 + - uses: actions/stale@v4 with: exempt-issue-labels: pinned stale-pr-label: stale diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.1/Dockerfile new/polaris-7.4.2/Dockerfile --- old/polaris-7.4.1/Dockerfile 2023-03-31 16:43:46.000000000 +0200 +++ new/polaris-7.4.2/Dockerfile 2023-05-17 00:24:13.000000000 +0200 @@ -1,4 +1,4 @@ -FROM alpine:20230208 +FROM alpine:3.18 LABEL org.opencontainers.image.authors="FairwindsOps, Inc." \ org.opencontainers.image.vendor="FairwindsOps, Inc." \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.1/docs/admission-controller.md new/polaris-7.4.2/docs/admission-controller.md --- old/polaris-7.4.1/docs/admission-controller.md 2023-03-31 16:43:46.000000000 +0200 +++ new/polaris-7.4.2/docs/admission-controller.md 2023-05-17 00:24:13.000000000 +0200 
@@ -55,7 +55,28 @@ To enable the mutating webhook, add `--set webhook.mutate=true` to your Helm instlallation command. -By default, the only mutation enabled is `pullPolicyNotAlways`. If you'd like to +The following default checks currently have mutation support enabled: +* `hostPIDSet` +* `hostNetworkSet` +* `hostIPCSet` +* `priorityClassNotSet` +* `hostPortSet` +* `pullPolicyNotAlways` +* `deploymentMissingReplicas` +* `dangerousCapabilities` +* `cpuLimitsMissing` +* `memoryLimitsMissing` +* `livenessProbeMissing` +* `memoryRequestsMissing` +* `cpuRequestsMissing` +* `runAsPrivileged` +* `readinessProbeMissing` +* `privilegeEscalationAllowed` +* `notReadOnlyRootFilesystem` +* `insecureCapabilities` +* `runAsRootAllowed` + +If you'd like to enable other mutations, you can set the `webhook.mutations` flag. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.1/docs/checks/reliability.md new/polaris-7.4.2/docs/checks/reliability.md --- old/polaris-7.4.1/docs/checks/reliability.md 2023-03-31 16:43:46.000000000 +0200 +++ new/polaris-7.4.2/docs/checks/reliability.md 2023-05-17 00:24:13.000000000 +0200 
@@ -16,7 +16,8 @@ `pullPolicyNotAlways` | `warning` | Fails when an image pull policy is not `always`. `priorityClassNotSet` | `ignore` | Fails when a priorityClassName is not set for a pod. `deploymentMissingReplicas` | `warning` | Fails when there is only one replica for a deployment. -`missingPodDisruptionBudget` | `ignore` +`missingPodDisruptionBudget` | `ignore` +`metadataAndNameMismatched` | `ignore` `topologySpreadConstraint` | `warning` | Fails when there is no topology spread constraint on the pod ## Background diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.1/docs/checks/security.md new/polaris-7.4.2/docs/checks/security.md --- old/polaris-7.4.1/docs/checks/security.md 2023-03-31 16:43:46.000000000 +0200 +++ new/polaris-7.4.2/docs/checks/security.md 2023-05-17 00:24:13.000000000 +0200 @@ -11,8 +11,10 @@ key | default | description ----|---------|------------ +`automountServiceAccountToken` | `warning` | Fails when `automountServiceAccountToken` is automounted. `hostIPCSet` | `danger` | Fails when `hostIPC` attribute is configured. `hostPIDSet` | `danger` | Fails when `hostPID` attribute is configured. +`linuxHardening` | `danger` | Fails when neither `AppArmor`, `Seccomp`, `SELinux`, or dropping Linux Capabilities is in use. `notReadOnlyRootFilesystem` | `warning` | Fails when `securityContext.readOnlyRootFilesystem` is not true. `privilegeEscalationAllowed` | `danger` | Fails when `securityContext.allowPrivilegeEscalation` is true. `runAsRootAllowed` | `warning` | Fails when `securityContext.runAsNonRoot` is not true. 
@@ -22,6 +24,17 @@ `hostNetworkSet` | `warning` | Fails when `hostNetwork` attribute is configured. `hostPortSet` | `warning` | Fails when `hostPort` attribute is configured. `tlsSettingsMissing` | `warning` | Fails when an Ingress lacks TLS settings. +`sensitiveContainerEnvVar` | `warning` | Fails when the container sets potentially sensitive environment variables. +`sensitiveConfigmapContent` | `warning` | Fails when potentially sensitive content is detected in the ConfigMap keys or values. +`missingNetworkPolicy` | `ignore` +`clusterrolePodExecAttach` | `warning` | Fails when the ClusterRole allows Pods/exec or pods/attach. +`rolePodExecAttach` | `warning` | Fails when the Role allows Pods/exec or pods/attach. +`clusterrolebindingPodExecAttach` | `warning` | Fails when the ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist. +`rolebindingRolePodExecAttach` | `warning` | Fails when the RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist. +`rolebindingClusterRolePodExecAttach` | `warning` | Fails when the RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist. +`clusterrolebindingClusterAdmin` | `warning` | Fails when the ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions. +`rolebindingClusterAdminClusterRole` | `warning` | Fails when the RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions. +`rolebindingClusterAdminRole` | `warning` | Fails when the RoleBinding references a Role with wildcard permissions. 
## Background diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.1/examples/config-full.yaml new/polaris-7.4.2/examples/config-full.yaml --- old/polaris-7.4.1/examples/config-full.yaml 2023-03-31 16:43:46.000000000 +0200 +++ new/polaris-7.4.2/examples/config-full.yaml 2023-05-17 00:24:13.000000000 +0200 @@ -6,17 +6,23 @@ pullPolicyNotAlways: warning readinessProbeMissing: warning livenessProbeMissing: warning + topologySpreadConstraint: warning + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + metadataAndNameMismatched: ignore + # efficiency cpuRequestsMissing: warning cpuLimitsMissing: warning memoryRequestsMissing: warning memoryLimitsMissing: warning + # security automountServiceAccountToken: warning hostIPCSet: danger hostPIDSet: danger linuxHardening: danger - missingNetworkPolicy: warning + missingNetworkPolicy: ignore notReadOnlyRootFilesystem: warning privilegeEscalationAllowed: danger runAsRootAllowed: danger @@ -25,6 +31,7 @@ insecureCapabilities: warning hostNetworkSet: danger hostPortSet: warning + tlsSettingsMissing: warning sensitiveContainerEnvVar: danger sensitiveConfigmapContent: danger clusterrolePodExecAttach: danger @@ -39,7 +46,6 @@ resourceLimits: warning imageRegistry: danger - exemptions: - controllerNames: - my-network-controller diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polaris-7.4.1/examples/config.yaml new/polaris-7.4.2/examples/config.yaml --- old/polaris-7.4.1/examples/config.yaml 2023-03-31 16:43:46.000000000 +0200 +++ new/polaris-7.4.2/examples/config.yaml 2023-05-17 00:24:13.000000000 +0200 
@@ -16,6 +16,7 @@ cpuLimitsMissing: warning memoryRequestsMissing: warning memoryLimitsMissing: warning + # security automountServiceAccountToken: ignore hostIPCSet: danger ++++++ polaris.obsinfo ++++++ --- /var/tmp/diff_new_pack.tWBwSJ/_old 2023-05-17 10:53:58.931622337 +0200 +++ /var/tmp/diff_new_pack.tWBwSJ/_new 2023-05-17 10:53:58.935622359 +0200 @@ -1,5 +1,5 @@ name: polaris -version: 7.4.1 -mtime: 1680273826 -commit: 1ddd2d985a1e0d8299c4bfac7677b8998d2329d9 +version: 7.4.2 +mtime: 1684275853 +commit: 166b39b695128f7c34af25580e073cbf5864671d ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/polaris/vendor.tar.gz /work/SRC/openSUSE:Factory/.polaris.new.1533/vendor.tar.gz differ: char 5, line 1
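Review bot: the `.github/workflows/stale.yml` hunk moves `actions/stale@v7` to `actions/stale@v4`, which is a downgrade rather than an update, and none of the three changelog entries (#944, #936, "Managed by Terraform") explains it. If the downgrade is deliberate it should be called out in the commit; either way, a major-version tag can be repointed by the action's maintainers, so pin the action to a full commit SHA (with the tag in a trailing comment) instead of a mutable tag.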
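Review bot: in the Dockerfile hunk, `FROM alpine:3.18` replacing `alpine:20230208` swaps a date-stamped edge snapshot for a release branch, which is the right direction, but `3.18` is still a moving tag that follows 3.18.x point releases and rebuilds. For a reproducible base that can be audited later, pin by digest as well (`alpine:3.18@sha256:...`, digest taken from the registry at build time) and bump it on purpose.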
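Review bot: the docs/admission-controller.md hunk replaces "By default, the only mutation enabled is `pullPolicyNotAlways`" with "The following default checks currently have mutation support enabled" while keeping "If you'd like to enable other mutations, you can set the `webhook.mutations` flag", so it is no longer clear whether the nineteen listed checks are enabled by default or merely mutation-capable. State which it is, and for each check say what the webhook rewrites in the pod spec (what `runAsRootAllowed`, `notReadOnlyRootFilesystem` or `dangerousCapabilities` set, for example), since a mutating webhook that silently patches a security context can break workloads and operators need to know before turning it on. The unchanged context line above the list still reads "Helm instlallation".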
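Review bot: in the docs/checks/reliability.md hunk the new row `` `metadataAndNameMismatched` | `ignore` `` has no description column, copying the already-empty `missingPodDisruptionBudget` row above it; every other row in the table has three columns. Fill in the description for both so the table renders consistently and readers know what the check asserts.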
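Review bot: two of the new descriptions in the first docs/checks/security.md hunk need tightening. "Fails when `automountServiceAccountToken` is automounted" is circular; say what condition is tested (for instance, the field left unset or set to true on the Pod or ServiceAccount). "Fails when neither `AppArmor`, `Seccomp`, `SELinux`, or dropping Linux Capabilities is in use" should read "when none of ... is in use". Also, the `default` column lists `warning` for `automountServiceAccountToken`, while the examples/config.yaml hunk in this same patch shows `automountServiceAccountToken: ignore`; confirm which is the shipped default and align the two.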
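Review bot: the RBAC rows added in the second docs/checks/security.md hunk write `Pods/exec` next to `pods/attach`; Kubernetes subresource names are lowercase, so use `pods/exec` throughout. The `` `missingNetworkPolicy` | `ignore` `` row lacks a description column. The three binding checks (`clusterrolebindingPodExecAttach`, `rolebindingRolePodExecAttach`, `rolebindingClusterRolePodExecAttach`) also fail when the referenced role "does not exist"; that is a dangling-binding condition distinct from exec/attach and is worth a sentence of its own so users understand why an otherwise harmless binding is flagged.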
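Review bot: the examples/config-full.yaml hunk lowers `missingNetworkPolicy: warning` to `ignore`, which matches the `ignore` default now documented in security.md, but the rest of this file raises security checks above their documented defaults (`sensitiveContainerEnvVar: danger`, `clusterrolePodExecAttach: danger`), so a "full" example that switches one security check off reads inconsistently. If the check is disabled because it is noisy or expensive on large clusters, say so in a comment next to the setting.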
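Review bot: `vendor.tar.gz` differs between the old and new package, but no `go.mod` or `go.sum` change appears anywhere in the source diff above. The reported difference at "char 5, line 1" is inside the gzip header's MTIME field, which is consistent with a plain regeneration of the same module set, but it does not prove the contents are identical; confirm that the vendored dependencies are unchanged (or list the bumped modules in the changelog) before accepting a vendor tarball the diff cannot show.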
