--- apiVersion: v1 kind: ConfigMap metadata: name: starboard namespace: starboard-operator data: vulnerabilityReports.scanner: Trivy configAuditReports.scanner: Polaris trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL trivy.imageRef: docker.io/aquasec/trivy:0.16.0 trivy.mode: Standalone trivy.serverURL: http://trivy-server.trivy-server:4954 polaris.imageRef: quay.io/fairwinds/polaris:3.2 conftest.imageRef: openpolicyagent/conftest:v0.23.0 kube-bench.imageRef: docker.io/aquasec/kube-bench:0.5.0 --- apiVersion: v1 kind: ConfigMap metadata: name: starboard-polaris-config namespace: starboard-operator data: polaris.config.yaml: | checks: # reliability multipleReplicasForDeployment: ignore priorityClassNotSet: ignore # resources cpuRequestsMissing: warning cpuLimitsMissing: warning memoryRequestsMissing: warning memoryLimitsMissing: warning # images tagNotSpecified: danger pullPolicyNotAlways: ignore # healthChecks readinessProbeMissing: warning livenessProbeMissing: warning # networking hostNetworkSet: warning hostPortSet: warning # security hostIPCSet: danger hostPIDSet: danger notReadOnlyRootFilesystem: warning privilegeEscalationAllowed: danger runAsRootAllowed: warning runAsPrivileged: danger dangerousCapabilities: danger insecureCapabilities: warning exemptions: - controllerNames: - kube-apiserver - kube-proxy - kube-scheduler - etcd-manager-events - kube-controller-manager - kube-dns - etcd-manager-main rules: - hostPortSet - hostNetworkSet - readinessProbeMissing - livenessProbeMissing - cpuRequestsMissing - cpuLimitsMissing - memoryRequestsMissing - memoryLimitsMissing - runAsRootAllowed - runAsPrivileged - notReadOnlyRootFilesystem - hostPIDSet - controllerNames: - kube-flannel-ds rules: - notReadOnlyRootFilesystem - runAsRootAllowed - notReadOnlyRootFilesystem - readinessProbeMissing - livenessProbeMissing - cpuLimitsMissing - controllerNames: - cert-manager rules: - notReadOnlyRootFilesystem - runAsRootAllowed - readinessProbeMissing - livenessProbeMissing - controllerNames: - cluster-autoscaler rules: - notReadOnlyRootFilesystem - runAsRootAllowed - readinessProbeMissing - controllerNames: - vpa rules: - runAsRootAllowed - readinessProbeMissing - livenessProbeMissing - notReadOnlyRootFilesystem - controllerNames: - datadog rules: - runAsRootAllowed - readinessProbeMissing - livenessProbeMissing - notReadOnlyRootFilesystem - controllerNames: - nginx-ingress-controller rules: - privilegeEscalationAllowed - insecureCapabilities - runAsRootAllowed - controllerNames: - dns-controller - datadog-datadog - kube-flannel-ds - kube2iam - aws-iam-authenticator - datadog - kube2iam rules: - hostNetworkSet - controllerNames: - aws-iam-authenticator - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - dnsmasq - autoscaler - kubernetes-dashboard - install-cni - kube2iam rules: - readinessProbeMissing - livenessProbeMissing - controllerNames: - aws-iam-authenticator - nginx-ingress-default-backend - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - kubedns - dnsmasq - autoscaler - tiller - kube2iam rules: - runAsRootAllowed - controllerNames: - aws-iam-authenticator - nginx-ingress-controller - nginx-ingress-default-backend - aws-cluster-autoscaler - kube-state-metrics - dns-controller - external-dns - kubedns - dnsmasq - autoscaler - tiller - kube2iam rules: - notReadOnlyRootFilesystem - controllerNames: - cert-manager - dns-controller - kubedns - dnsmasq - autoscaler - insights-agent-goldilocks-vpa-install - datadog rules: - cpuRequestsMissing - cpuLimitsMissing - memoryRequestsMissing - memoryLimitsMissing - controllerNames: - kube2iam - kube-flannel-ds rules: - runAsPrivileged - controllerNames: - kube-hunter rules: - hostPIDSet - controllerNames: - polaris - kube-hunter - goldilocks - insights-agent-goldilocks-vpa-install rules: - notReadOnlyRootFilesystem - controllerNames: - insights-agent-goldilocks-controller rules: - livenessProbeMissing - readinessProbeMissing - controllerNames: - insights-agent-goldilocks-vpa-install - kube-hunter rules: - runAsRootAllowed --- apiVersion: v1 kind: Secret metadata: name: starboard namespace: starboard-operator --- apiVersion: v1 kind: ConfigMap metadata: name: starboard-conftest-config namespace: starboard-operator