Closed ErikLundJensen closed 4 months ago
As described in #637 Polaris does not validate pods created by DaemonSets.
For example create a simple DaemonSet:
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: my-daemonset
spec:
  selector:
    matchLabels:
      k8s-app: my-daemonset
  template:
    metadata:
      name: my-daemonset
      labels:
        k8s-app: my-daemonset
    spec:
      containers:
        - name: nginx
          image: nginx:1.25.3
```
The pod created by the DaemonSet does not show up on the Polaris dashboard. Isn't this a security risk if users can create pods from a DaemonSet without the webhook/dashboard validating the pod?
The documentation for Controller does not list DaemonSet: https://polaris.docs.fairwinds.com/customization/custom-checks/#available-options which might indicate that it is not included.
The workaround, as I see it, is to copy Pod rules to PodSpec rules and keep them aligned.
This is only true for some DaemonSets. We are working on finding the exact reason why some DaemonSets are not processed.