# Configuration

# Resources

By default, the Admission Controller will monitor the following resources:

  • apps/(v1|v1beta1|v1beta2)
    • Deployments
    • DaemonSets
    • StatefulSets
  • batch/(v1|v1beta1)
    • Jobs
    • CronJobs
  • core/v1
    • Pods
    • ReplicationControllers

If you'd like to add additional resources, you can use the rules setting on the Helm chart:

- apiGroups:
  - custom
  - v1
  - customResource
  scope: Namespaced

# Checks

You can fine-tune which checks are applied by the admission controller. Any check with a danger severity will instruct the Admission Controller to deny the deployment.

Specifically, the following auditing tools can be enabled or disabled as part of admission control:

  • Polaris - checks for security and best practices
  • OPA - apply custom policies to resources (see docs)
  • Pluto - disallow resources that have been deprecated

IMPORTANT: By default, each of these auditing tools are enabled in Admission Controller when you first set it up. Polaris, which has some out-of-the-box checks that default to danger, may cause some deployments to fail. See the Polaris section below for more information.

To enable or disable a particular report, run:

curl -X POST https://insights.fairwinds.com/v0/organizations/$org/admission/reports/$report \
  -H "Authorization: Bearer $token" \
  -d '{"enabled": false}'


  • $report is one of polaris, opa, or pluto
  • $org is your organization's name in Insights
  • $token is the admin token found on your organization settings page

# Polaris

You can also upload a custom Polaris configuration (opens new window) to set which checks are marked as danger, and will therefore cause a workload to be rejected.

IMPORTANT: For a list of Polaris checks that default to danger, and therefore will cause the Admission Controller to deny a deployment, please see:

You can also use the Polaris configuration to write custom checks using JSON Schema (opens new window)

curl -X POST https://insights.fairwinds.com/v0/organizations/$org/admission/reports/polaris/config \
  -H "Authorization: Bearer $token" \
  -H "Content-Type: text/yaml" \
  -d @polaris-config.yaml


To create custom OPA policies for your organization, see the OPA docs. To reject a resource, you'll need to ensure that your OPA policy generates an Action Item with severity >= 0.67.