update exemption rules and check controller name prefix

FairwindsOps · Nov 7, 2019 · fc7c913 · fc7c913
1 parent 3e15586
commit fc7c913
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # x.x.x (next release)
 
+# 0.6.0
+* Exempt polaris,kubehunter and goldilock from `readOnlyRootFilesystem` check as is required.
+
 # 0.5.0
 * Added `--load-audit-file` flag to run the dashboard from an existing audit
 * Added an `ID` field to each check in the output

diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
   [![Version][version-image]][version-link] [![CircleCI][circleci-image]][circleci-link] [![Go Report Card][goreport-image]][goreport-link]
 </div>
 
-[version-image]: https://img.shields.io/static/v1.svg?label=Version&message=0.5.0&color=239922
+[version-image]: https://img.shields.io/static/v1.svg?label=Version&message=0.6.0&color=239922
 [version-link]: https://github.com/FairwindsOps/polaris
 
 [goreport-image]: https://goreportcard.com/badge/github.com/FairwindsOps/polaris

diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml
@@ -179,7 +179,7 @@ spec:
         - --dashboard
         - --config
         - /opt/app/config.yaml
-        image: 'quay.io/reactiveops/polaris:0.5'
+        image: 'quay.io/reactiveops/polaris:0.6'
         imagePullPolicy: 'Always'
         name: dashboard
         ports:

diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
@@ -239,7 +239,7 @@ spec:
             - --webhook
             - --config
             - /opt/app/config.yaml
-          image: 'quay.io/reactiveops/polaris:0.5'
+          image: 'quay.io/reactiveops/polaris:0.6'
           imagePullPolicy: 'Always'
           ports:
             - containerPort: 9876

diff --git a/examples/config.yaml b/examples/config.yaml
@@ -123,6 +123,8 @@ exemptions:
     rules:
       - hostPIDSet
   - controllerNames:
-      - kube-proxy
+      - polaris
+      - kube-hunter
+      - goldilocks
     rules:
-      - runAsPrivileged
+      - readOnlyRootFilesystem
diff --git a/main.go b/main.go
@@ -41,7 +41,7 @@ import (
 
 const (
 	// Version represents the current release version of Polaris
-	Version = "0.5.0"
+	Version = "0.6.0"
 )
 
 func main() {

diff --git a/pkg/config/exemptions.go b/pkg/config/exemptions.go
@@ -2,6 +2,7 @@ package config
 
 import (
 	"reflect"
+	"strings"
 )
 
 // IsActionable determines whether a check is actionable given the current configuration
@@ -21,7 +22,7 @@ func (conf *Configuration) IsActionable(subConf interface{}, ruleName, controlle
 				continue
 			}
 			for _, controller := range example.ControllerNames {
-				if controller == controllerName {
+				if strings.HasPrefix(controllerName, controller) {
 					return false
 				}
 			}