privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

feat: comprehensive Polaris integration enhancements

Browse Source 
Major new features:
- App bar score badge showing cluster Polaris score
- Inline audit results in Deployment/StatefulSet/DaemonSet/Job/CronJob detail views
- Exemption management UI with annotation PATCH support
- Top issues table on overview dashboard
- Audit time display and manual refresh button
- Connection test button in settings
- Check ID to human-readable name mapping
- Enhanced error messages with context

Technical improvements:
- Added triggerRefresh to PolarisDataContext for manual refresh
- Created checkMapping.ts for check metadata
- Created topIssues.ts for extracting common failures
- Enhanced DashboardView with top issues and refresh
- Enhanced PolarisSettings with connection test
- Created InlineAuditSection for details view integration
- Created AppBarScoreBadge for app bar integration
- Created ExemptionManager for annotation patches

UI enhancements:
- 1000px namespace detail panel
- Theme-aware styling throughout
- Improved formatting and layout
- Better status indicators

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
This commit is contained in:
Chris Farhood
2026-02-11 20:21:45 -05:00
parent a404c075d6
commit 811059cf75
13 changed files with 993 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/api/PolarisDataContext.tsx
+13 -1
View File
@@ -5,6 +5,7 @@ interface PolarisDataContextValue {
data: AuditData | null;
loading: boolean;
error: string | null;
refresh: () => void;
}
const PolarisDataContext = React.createContext<PolarisDataContextValue | null>(null);
@@ -13,7 +14,18 @@ export function PolarisDataProvider(props: { children: React.ReactNode }) {
const interval = getRefreshInterval();
const state = usePolarisData(interval);
return <PolarisDataContext.Provider value={state}>{props.children}</PolarisDataContext.Provider>;
// Rename triggerRefresh to refresh for consistency
const value = React.useMemo(
() => ({
data: state.data,
loading: state.loading,
error: state.error,
refresh: state.triggerRefresh,
}),
[state]
);
return <PolarisDataContext.Provider value={value}>{props.children}</PolarisDataContext.Provider>;
}
export function usePolarisDataContext(): PolarisDataContextValue {
src/api/checkMapping.ts
+238
View File
@@ -0,0 +1,238 @@
/**
* Mapping of Polaris check IDs to human-readable names and descriptions
* Sourced from Polaris documentation
*/
export interface CheckInfo {
name: string;
description: string;
category: 'Security' | 'Efficiency' | 'Reliability';
defaultSeverity: 'danger' | 'warning' | 'ignore';
}
export const CHECK_MAPPING: Record<string, CheckInfo> = {
// Security checks
hostIPCSet: {
name: 'Host IPC',
description: 'Host IPC should not be configured',
category: 'Security',
defaultSeverity: 'danger',
},
hostPIDSet: {
name: 'Host PID',
description: 'Host PID should not be configured',
category: 'Security',
defaultSeverity: 'danger',
},
hostNetworkSet: {
name: 'Host Network',
description: 'Host network should not be configured',
category: 'Security',
defaultSeverity: 'danger',
},
hostPortSet: {
name: 'Host Port',
description: 'Host port should not be configured',
category: 'Security',
defaultSeverity: 'warning',
},
runAsRootAllowed: {
name: 'Run as Root',
description: 'Should not be allowed to run as root',
category: 'Security',
defaultSeverity: 'danger',
},
runAsPrivileged: {
name: 'Privileged Container',
description: 'Should not run as privileged',
category: 'Security',
defaultSeverity: 'danger',
},
notReadOnlyRootFilesystem: {
name: 'Read-Only Root Filesystem',
description: 'Filesystem should be read-only',
category: 'Security',
defaultSeverity: 'warning',
},
privilegeEscalationAllowed: {
name: 'Privilege Escalation',
description: 'Privilege escalation should not be allowed',
category: 'Security',
defaultSeverity: 'danger',
},
dangerousCapabilities: {
name: 'Dangerous Capabilities',
description: 'Dangerous capabilities should not be allowed',
category: 'Security',
defaultSeverity: 'danger',
},
insecureCapabilities: {
name: 'Insecure Capabilities',
description: 'Insecure capabilities should not be allowed',
category: 'Security',
defaultSeverity: 'warning',
},
sensitiveContainerEnvVar: {
name: 'Sensitive Environment Variables',
description: 'Sensitive env vars detected',
category: 'Security',
defaultSeverity: 'danger',
},
sensitiveConfigmapContent: {
name: 'Sensitive ConfigMap',
description: 'Sensitive ConfigMap content detected',
category: 'Security',
defaultSeverity: 'danger',
},
automountServiceAccountToken: {
name: 'Service Account Token Auto-mount',
description: 'Service account token auto-mount',
category: 'Security',
defaultSeverity: 'warning',
},
tlsSettingsMissing: {
name: 'TLS Settings',
description: 'TLS settings missing',
category: 'Security',
defaultSeverity: 'warning',
},
missingNetworkPolicy: {
name: 'Network Policy',
description: 'Missing NetworkPolicy',
category: 'Security',
defaultSeverity: 'warning',
},
// Reliability checks
tagNotSpecified: {
name: 'Image Tag',
description: 'Image tag should be specified',
category: 'Reliability',
defaultSeverity: 'danger',
},
pullPolicyNotAlways: {
name: 'Pull Policy',
description: 'Pull policy should be Always',
category: 'Reliability',
defaultSeverity: 'warning',
},
readinessProbeMissing: {
name: 'Readiness Probe',
description: 'Readiness probe should be configured',
category: 'Reliability',
defaultSeverity: 'warning',
},
livenessProbeMissing: {
name: 'Liveness Probe',
description: 'Liveness probe should be configured',
category: 'Reliability',
defaultSeverity: 'warning',
},
deploymentMissingReplicas: {
name: 'Deployment Replicas',
description: 'Deployment should have multiple replicas',
category: 'Reliability',
defaultSeverity: 'warning',
},
priorityClassNotSet: {
name: 'Priority Class',
description: 'Priority class should be set',
category: 'Reliability',
defaultSeverity: 'warning',
},
metadataAndNameMismatched: {
name: 'Metadata Mismatch',
description: 'Metadata and name should match',
category: 'Reliability',
defaultSeverity: 'warning',
},
missingPodDisruptionBudget: {
name: 'Pod Disruption Budget',
description: 'PodDisruptionBudget should exist',
category: 'Reliability',
defaultSeverity: 'warning',
},
pdbDisruptionsIsZero: {
name: 'PDB Disruptions',
description: 'PDB maxUnavailable should not be zero',
category: 'Reliability',
defaultSeverity: 'warning',
},
// Efficiency checks
cpuRequestsMissing: {
name: 'CPU Requests',
description: 'CPU requests should be set',
category: 'Efficiency',
defaultSeverity: 'warning',
},
cpuLimitsMissing: {
name: 'CPU Limits',
description: 'CPU limits should be set',
category: 'Efficiency',
defaultSeverity: 'warning',
},
memoryRequestsMissing: {
name: 'Memory Requests',
description: 'Memory requests should be set',
category: 'Efficiency',
defaultSeverity: 'warning',
},
memoryLimitsMissing: {
name: 'Memory Limits',
description: 'Memory limits should be set',
category: 'Efficiency',
defaultSeverity: 'warning',
},
};
/**
* Get human-readable name for a check ID
*/
export function getCheckName(checkId: string): string {
return CHECK_MAPPING[checkId]?.name || checkId;
}
/**
* Get check description
*/
export function getCheckDescription(checkId: string): string {
return CHECK_MAPPING[checkId]?.description || 'Unknown check';
}
/**
* Get check category
*/
export function getCheckCategory(checkId: string): 'Security' | 'Efficiency' | 'Reliability' {
return CHECK_MAPPING[checkId]?.category || 'Security';
}
/**
* Get color for severity
*/
export function getSeverityColor(severity: string): string {
switch (severity) {
case 'danger':
return '#f44336';
case 'warning':
return '#ff9800';
case 'ignore':
return '#9e9e9e';
default:
return '#9e9e9e';
}
}
/**
* Get status for StatusLabel component
*/
export function getSeverityStatus(severity: string): 'error' | 'warning' | 'success' {
switch (severity) {
case 'danger':
return 'error';
case 'warning':
return 'warning';
default:
return 'success';
}
}
src/api/polaris.ts
+6 -1
View File
@@ -186,6 +186,7 @@ interface PolarisDataState {
data: AuditData | null;
loading: boolean;
error: string | null;
triggerRefresh: () => void;
}
export function usePolarisData(refreshIntervalSeconds: number): PolarisDataState {
@@ -194,6 +195,10 @@ export function usePolarisData(refreshIntervalSeconds: number): PolarisDataState
const [error, setError] = React.useState<string | null>(null);
const [tick, setTick] = React.useState(0);
const triggerRefresh = React.useCallback(() => {
setTick(t => t + 1);
}, []);
React.useEffect(() => {
let cancelled = false;
@@ -266,5 +271,5 @@ export function usePolarisData(refreshIntervalSeconds: number): PolarisDataState
return () => window.clearInterval(intervalId);
}, [refreshIntervalSeconds]);
return { data, loading, error };
return { data, loading, error, triggerRefresh };
}
src/api/topIssues.ts
+81
View File
@@ -0,0 +1,81 @@
import { AuditData } from './polaris';
import { getCheckName, getCheckCategory } from './checkMapping';
export interface TopIssue {
checkId: string;
checkName: string;
category: 'Security' | 'Efficiency' | 'Reliability';
severity: 'danger' | 'warning';
count: number;
}
/**
* Extract the most common failing checks across the cluster
* Returns top 10 issues sorted by severity then count
*/
export function getTopIssues(data: AuditData): TopIssue[] {
const issueCounts = new Map<string, { severity: 'danger' | 'warning'; count: number }>();
// Aggregate all failing checks
for (const result of data.Results) {
// Pod-level checks
if (result.PodResult?.Results) {
for (const [checkId, checkResult] of Object.entries(result.PodResult.Results)) {
if (!checkResult.Success && checkResult.Severity !== 'ignore') {
const existing = issueCounts.get(checkId);
issueCounts.set(checkId, {
severity: checkResult.Severity as 'danger' | 'warning',
count: (existing?.count || 0) + 1,
});
}
}
}
// Container-level checks
if (result.PodResult?.ContainerResults) {
for (const container of result.PodResult.ContainerResults) {
for (const [checkId, checkResult] of Object.entries(container.Results)) {
if (!checkResult.Success && checkResult.Severity !== 'ignore') {
const existing = issueCounts.get(checkId);
issueCounts.set(checkId, {
severity: checkResult.Severity as 'danger' | 'warning',
count: (existing?.count || 0) + 1,
});
}
}
}
}
// Controller-level checks (if any)
if (result.Results) {
for (const [checkId, checkResult] of Object.entries(result.Results)) {
if (!checkResult.Success && checkResult.Severity !== 'ignore') {
const existing = issueCounts.get(checkId);
issueCounts.set(checkId, {
severity: checkResult.Severity as 'danger' | 'warning',
count: (existing?.count || 0) + 1,
});
}
}
}
}
// Convert to array and format
const issues: TopIssue[] = Array.from(issueCounts.entries()).map(([checkId, data]) => ({
checkId,
checkName: getCheckName(checkId),
category: getCheckCategory(checkId),
severity: data.severity,
count: data.count,
}));
// Sort by severity (danger first) then by count (descending)
issues.sort((a, b) => {
if (a.severity === 'danger' && b.severity !== 'danger') return -1;
if (a.severity !== 'danger' && b.severity === 'danger') return 1;
return b.count - a.count;
});
// Return top 10
return issues.slice(0, 10);
}