FairwindsOps / polaris

Validation of best practices in your Kubernetes clusters
https://www.fairwinds.com/polaris
Apache License 2.0

Pods created by DaemonSets are not validated #1038

Closed ErikLundJensen closed 4 months ago

ErikLundJensen commented 6 months ago

As described in #637 Polaris does not validate pods created by DaemonSets.

For example create a simple DaemonSet:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: my-daemonset
spec:
  selector:
    matchLabels:
      k8s-app: my-daemonset
  template:
    metadata:
      name: my-daemonset
      labels:
        k8s-app: my-daemonset
    spec:
      containers:
        - name: nginx
          image: nginx:1.25.3

The pod created by the DaemonSet does not show up in the Polaris dashboard. Isn't this a security risk if users can create pods from a DaemonSet without the webhook/dashboard validating the pod?

The documentation for Controller does not list DaemonSet: https://polaris.docs.fairwinds.com/customization/custom-checks/#available-options which might indicate that it is not included.

A workaround, as I see it, is to copy Pod rules to PodSpec rules and keep them aligned.
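The workaround above amounts to validating the PodSpec wherever it is nested instead of only objects of kind Pod. As an added illustration (example code, not Polaris's own), the Python below locates the PodSpec inside any common workload kind, runs a few representative pod-level checks over it, and shows that a validator keyed on kind=Pod alone never sees the nginx container from the DaemonSet above. The DAEMONSET dict is that manifest re-expressed in Python; the check logic, the hardened Pod, and the kind-to-path table are assumptions made for the example.

```python
"""Added example (not Polaris code): run pod-level checks on the PodSpec of any
workload kind so that controller-created pods are not skipped."""
from typing import Any, Dict, List, Optional, Tuple

# Where each workload kind nests its PodSpec (standard Kubernetes API layout; assumption).
POD_SPEC_PATHS: Dict[str, Tuple[str, ...]] = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

# The DaemonSet from the issue, re-expressed as a constructed dict.
DAEMONSET: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "my-daemonset"},
    "spec": {
        "selector": {"matchLabels": {"k8s-app": "my-daemonset"}},
        "template": {
            "metadata": {"name": "my-daemonset", "labels": {"k8s-app": "my-daemonset"}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25.3"}]},
        },
    },
}

# A hardened bare Pod (constructed) that passes every check below.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {"containers": [{
        "name": "app",
        "image": "nginx:1.25.3",
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
        "resources": {"limits": {"cpu": "100m", "memory": "128Mi"}},
    }]},
}


def pod_spec_of(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the PodSpec embedded in a workload manifest, or None for unknown kinds."""
    path = POD_SPEC_PATHS.get(manifest.get("kind", ""))
    if path is None:
        return None
    node: Any = manifest
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, dict) else None


def check_pod_spec(spec: Dict[str, Any]) -> List[str]:
    """A few representative pod-level checks (assumed rules); returns findings."""
    findings: List[str] = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: cpu/memory limits missing")
    return findings


def audit(manifests: List[Dict[str, Any]], pod_kind_only: bool = False) -> Dict[str, List[str]]:
    """Audit manifests. pod_kind_only=True mimics a validator that only inspects
    kind=Pod objects and therefore never sees the pods a DaemonSet will create."""
    report: Dict[str, List[str]] = {}
    for m in manifests:
        kind = m.get("kind", "")
        name = m.get("metadata", {}).get("name", "")
        if pod_kind_only and kind != "Pod":
            continue
        spec = pod_spec_of(m)
        if spec is None:
            continue  # not a workload kind; nothing to check
        report[f"{kind}/{name}"] = check_pod_spec(spec)
    return report


if __name__ == "__main__":
    for label, only in (("kind=Pod only", True), ("any PodSpec", False)):
        print(label, audit([DAEMONSET, HARDENED_POD], pod_kind_only=only))
```

With pod_kind_only=True the DaemonSet is absent from the report entirely, which is the gap the issue describes; with the PodSpec walk the nginx container is flagged for the missing runAsNonRoot, allowPrivilegeEscalation and resource limits.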

ErikLundJensen commented 6 months ago

This is only true for some DaemonSets. We are working on finding the exact reason why some DaemonSets are not processed.