diff --git a/README.md b/README.md index a1540da3..4836b3d2 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,20 @@ DVO performs validation checks using kube-linter. The checks configuration is mi To configure DVO with a different set of checks, create a ConfigMap in the cluster with the new checks configuration. An example of a configuration ConfigMap can be found [here](./deploy/openshift/configmap.yaml). +If no custom configuration is found (the ConfigMap does not exist or does not contain a check declaration), the operator enables the following checks by default: +* "host-ipc" +* "host-network" +* "host-pid" +* "non-isolated-pod" +* "pdb-max-unavailable" +* "pdb-min-available" +* "privilege-escalation-container" +* "privileged-container" +* "run-as-non-root" +* "unsafe-sysctls" +* "unset-cpu-requirements" +* "unset-memory-requirements" + **constraint**: Currently, the configuration isn't continuously monitored and is only checked at startup. If a new set of checks is configured in a ConfigMap, the pod running DVO will need to be rebooted. ### Enabling checks diff --git a/deploy/openshift/configmap.yaml b/deploy/openshift/configmap.yaml index de68cda5..2eb51e08 100644 --- a/deploy/openshift/configmap.yaml +++ b/deploy/openshift/configmap.yaml 
@@ -8,12 +8,18 @@ metadata:
 data:
 deployment-validation-operator-config.yaml: |-
 checks:
- # if doNotAutoAddDefaults is true, default checks are not automatically added.
- doNotAutoAddDefaults: false
-
- # addAllBuiltIn, if set, adds all built-in checks. This allows users to
- # explicitly opt-out of checks that are not relevant using Exclude.
- # Takes precedence over doNotAutoAddDefaults, if both are set.
- addAllBuiltIn: true
-
- exclude: ["access-to-create-pods", "access-to-secrets", "cluster-admin-role-binding", "default-service-account", "deprecated-service-account-field", "docker-sock", "drop-net-raw-capability", "env-var-secret", "exposed-services", "latest-tag", "mismatching-selector", "no-extensions-v1beta", "no-liveness-probe", "no-read-only-root-fs", "no-readiness-probe", "no-rolling-update-strategy", "privileged-ports", "read-secret-from-env-var", "required-annotation-email", "required-label-owner", "sensitive-host-mounts", "ssh-port", "unsafe-proc-mount", "use-namespace", "wildcard-in-rules", "writable-host-mount"]
\ No newline at end of file
+ doNotAutoAddDefaults: true
+ addAllBuiltIn: false
+ include:
+ - "host-ipc"
+ - "host-network"
+ - "host-pid"
+ - "non-isolated-pod"
+ - "pdb-max-unavailable"
+ - "pdb-min-available"
+ - "privilege-escalation-container"
+ - "privileged-container"
+ - "run-as-non-root"
+ - "unsafe-sysctls"
+ - "unset-cpu-requirements"
+ - "unset-memory-requirements"
diff --git a/deploy/openshift/deployment-validation-operator-olm.yaml b/deploy/openshift/deployment-validation-operator-olm.yaml
index c0ff6084..26a48aec 100644
--- a/deploy/openshift/deployment-validation-operator-olm.yaml
+++ b/deploy/openshift/deployment-validation-operator-olm.yaml
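Review bot: The rewritten `checks:` block deletes the comments that explained what `doNotAutoAddDefaults` and `addAllBuiltIn` mean, and this file is the example the README points users to, so nothing in it now says that with both flags in this state only the listed checks run. I would put a short explanation back above the two flags, e.g. `# doNotAutoAddDefaults: true with addAllBuiltIn: false means only the checks under include run; every other kube-linter check, including ones added by a later kube-linter release, stays off.` A second line such as `# Keep this list in sync with the fallback defaults in pkg/validations/validation_engine.go (LoadConfig)` would also help, since the same twelve names are hard-coded there.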
@@ -45,15 +45,21 @@ objects:
 data:
 deployment-validation-operator-config.yaml: |-
 checks:
- # if doNotAutoAddDefaults is true, default checks are not automatically added.
- doNotAutoAddDefaults: false
-
- # addAllBuiltIn, if set, adds all built-in checks. This allows users to
- # explicitly opt-out of checks that are not relevant using Exclude.
- # Takes precedence over doNotAutoAddDefaults, if both are set.
- addAllBuiltIn: true
-
- exclude: ["access-to-create-pods", "access-to-secrets", "cluster-admin-role-binding", "default-service-account", "deprecated-service-account-field", "docker-sock", "drop-net-raw-capability", "env-var-secret", "exposed-services", "latest-tag", "mismatching-selector", "no-extensions-v1beta", "no-liveness-probe", "no-read-only-root-fs", "no-readiness-probe", "no-rolling-update-strategy", "privileged-ports", "read-secret-from-env-var", "required-annotation-email", "required-label-owner", "sensitive-host-mounts", "ssh-port", "unsafe-proc-mount", "use-namespace", "wildcard-in-rules", "writable-host-mount"]
+ doNotAutoAddDefaults: true
+ addAllBuiltIn: false
+ include:
+ - "host-ipc"
+ - "host-network"
+ - "host-pid"
+ - "non-isolated-pod"
+ - "pdb-max-unavailable"
+ - "pdb-min-available"
+ - "privilege-escalation-container"
+ - "privileged-container"
+ - "run-as-non-root"
+ - "unsafe-sysctls"
+ - "unset-cpu-requirements"
+ - "unset-memory-requirements"
 - apiVersion: v1
 kind: Service
 metadata:
diff --git a/hack/olm-registry/olm-artifacts-template.yaml b/hack/olm-registry/olm-artifacts-template.yaml
index aebddd8e..e7b00852 100644
--- a/hack/olm-registry/olm-artifacts-template.yaml
+++ b/hack/olm-registry/olm-artifacts-template.yaml
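Review bot: Replacing `addAllBuiltIn: true` plus an exclude list with a twelve-entry include list narrows the enabled set in a way neither the hunk nor the README text in this commit calls out: every kube-linter check that appeared in neither the old `exclude:` list nor the new `include:` list (for example `dangling-service`, `non-existent-service-account` or `no-anti-affinity`, if the pinned kube-linter version ships them) silently stops being reported, and so will any check a future kube-linter upgrade adds. For a policy-enforcement operator that is a reduction in coverage, not just a tidy-up, and nothing in the manifest records that it was deliberate. If the narrowing is intended, a comment above `include:` naming the checks that were dropped and why would stop the next reader from treating it as accidental; if it is not, keeping `addAllBuiltIn: true` with `exclude:` preserves the previous coverage while still letting you opt out of specific checks.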
@@ -151,12 +151,18 @@ objects:
 data:
 deployment-validation-operator-config.yaml: |-
 checks:
- # if doNotAutoAddDefaults is true, default checks are not automatically added.
- doNotAutoAddDefaults: false
-
- # addAllBuiltIn, if set, adds all built-in checks. This allows users to
- # explicitly opt-out of checks that are not relevant using Exclude.
- # Takes precedence over doNotAutoAddDefaults, if both are set.
- addAllBuiltIn: true
-
- exclude: ["access-to-create-pods", "access-to-secrets", "cluster-admin-role-binding", "default-service-account", "deprecated-service-account-field", "docker-sock", "drop-net-raw-capability", "env-var-secret", "exposed-services", "latest-tag", "mismatching-selector", "no-extensions-v1beta", "no-liveness-probe", "no-read-only-root-fs", "no-readiness-probe", "no-rolling-update-strategy", "privileged-ports", "read-secret-from-env-var", "required-annotation-email", "required-label-owner", "sensitive-host-mounts", "ssh-port", "unsafe-proc-mount", "use-namespace", "wildcard-in-rules", "writable-host-mount"]
+ doNotAutoAddDefaults: true
+ addAllBuiltIn: false
+ include:
+ - "host-ipc"
+ - "host-network"
+ - "host-pid"
+ - "non-isolated-pod"
+ - "pdb-max-unavailable"
+ - "pdb-min-available"
+ - "privilege-escalation-container"
+ - "privileged-container"
+ - "run-as-non-root"
+ - "unsafe-sysctls"
+ - "unset-cpu-requirements"
+ - "unset-memory-requirements"
diff --git a/pkg/validations/validation_engine.go b/pkg/validations/validation_engine.go
index 58ff058b..14e91729 100644
--- a/pkg/validations/validation_engine.go
+++ b/pkg/validations/validation_engine.go
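Review bot: This is the third verbatim copy of the twelve-name list in this change, alongside the one hard-coded in `pkg/validations/validation_engine.go` and the one in the README, and nothing ties the copies together, so the next edit to any one of them will silently desynchronise the OLM install from the example ConfigMap and from the in-code fallback. Because this file is a template rather than Go, the lightest guard is a comment above `include:` such as `# Must match deploy/openshift/configmap.yaml and the fallback list in pkg/validations/validation_engine.go (LoadConfig)`. A Go test that parses one of these manifests and compares its `include` entries with the in-code slice would make the drift fail CI instead of being noticed in production.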
@@ -54,9 +54,22 @@ func fileExists(filename string) bool {
 func (ve *validationEngine) LoadConfig(path string) error {
 if !fileExists(path) {
 log.Info(fmt.Sprintf("config file %s does not exist. Use default configuration", path))
- // legacy disabled checks
- ve.config.Checks.Exclude = getDisabledChecks()
- ve.config.Checks.AddAllBuiltIn = true
+ // TODO - This hardcode will be removed when a ConfigMap is set by default in regular installation
+ ve.config.Checks.DoNotAutoAddDefaults = true
+ ve.config.Checks.Include = []string{
+ "host-ipc",
+ "host-network",
+ "host-pid",
+ "non-isolated-pod",
+ "pdb-max-unavailable",
+ "pdb-min-available",
+ "privilege-escalation-container",
+ "privileged-container",
+ "run-as-non-root",
+ "unsafe-sysctls",
+ "unset-cpu-requirements",
+ "unset-memory-requirements",
+ }
 return nil
 }
@@ -212,37 +225,3 @@ func getIncompatibleChecks() []string {
 //"non-isolated-pod",
 }
 }
-
- // getDisabledChecks returns an array of kube-linter check names that are disabled for DVO
- // These checks are disabled as they do not have supporting Openshift documentation
- // 38 checks... 47 checks according to kube-linter website
- func getDisabledChecks() []string {
- return []string{
- "access-to-create-pods",
- "access-to-secrets",
- "cluster-admin-role-binding",
- "default-service-account",
- "deprecated-service-account-field",
- "docker-sock",
- "drop-net-raw-capability",
- "env-var-secret",
- "exposed-services",
- "latest-tag",
- "mismatching-selector",
- "no-extensions-v1beta",
- "no-liveness-probe",
- "no-read-only-root-fs",
- "no-readiness-probe",
- "no-rolling-update-strategy",
- "privileged-ports",
- "read-secret-from-env-var",
- "required-annotation-email",
- "required-label-owner",
- "sensitive-host-mounts",
- "ssh-port",
- "unsafe-proc-mount",
- "use-namespace",
- "wildcard-in-rules",
- "writable-host-mount",
- }
- }
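Review bot: The fallback branch sets `DoNotAutoAddDefaults` and `Include` but leaves `AddAllBuiltIn` and `Exclude` at whatever `ve.config` already holds, so it only matches the manifests' defaults (`addAllBuiltIn: false`, no exclude) if the config is guaranteed to be zero-valued at this point; LoadConfig's body continues past the hunk, so I cannot confirm that, and adding `ve.config.Checks.AddAllBuiltIn = false` and `ve.config.Checks.Exclude = nil` next to the existing assignments would make the branch self-contained regardless. The README text added in this commit also says the defaults apply when the ConfigMap exists but "does not contain a check declaration", whereas this branch is only reached when the file is missing; unless the parsing path outside the hunk applies the same list to an empty `checks:` section, the README promises more than the code shows. The twelve names are now duplicated across this function, three manifests and the README, so hoisting them into a package-level `var defaultChecks = []string{...}` with a comment naming the manifests that must stay in sync would at least give the Go side a single source of truth and something a test can compare against.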