salty-dog/rules/kubernetes.yml

name: salty-dog-kubernetes
rules:
  - name: kubernetes-resources
    desc: containers must have complete resources specified
    level: info
    tags:
      - kubernetes
      - resources

    select: '$.spec.template.spec.containers[*]'
    check:
      type: object
      additionalProperties: true
      required: [resources]
      properties:
        resources:
          type: object
          required: [limits, requests]
          properties:
            limits:
              type: object
              required: [cpu, memory]
              properties:
                cpu: &resources-cpu
                  oneOf:
                    - type: number
                      minimum: 1
                    - type: string
                      pattern: "[1-9][0-9]*m"
                memory: &resources-memory
                  oneOf:
                    - type: number
                      minimum: 1
                    - type: string
                      pattern: "[1-9][0-9]*[KMG]i"
            requests:
              type: object
              required: [cpu, memory]
              properties:
                cpu: *resources-cpu
                memory: *resources-memory

  - name: kubernetes-resources-minimum-cpu
    desc: resource limits are too low
    level: debug
    tags:
      - kubernetes
      - resources

    select: '$.spec.template.spec.containers[*].resources'
    # filter containers with cpu limits
    filter:
      type: object
      properties:
        limits:
          type: object
          properties:
            cpu: *resources-cpu

    # ensure the limits aren't *too* low
    check:
      type: object
      properties:
        limits:
          type: object
          properties:
            cpu:
              oneOf:
                - type: number
                  minimum: 1
                - type: string
                  pattern: "[1-9][0-9]{2,}m"

  - name: kubernetes-deployment-replicas
    desc: deployments must specify a positive replica count
    level: info
    tags:
      - kubernetes
      - apps
      - deployment

    # select the root of the document
    select: '$'

    # filter deployments
    filter:
      type: object
      properties:
        kind:
          type: string
          const: Deployment

    # ensure replicas are greater than 0
    check:
      type: object
      properties:
        spec:
          type: object
          properties:
            replica:
              type: number
              minimum: 1

  - name: kubernetes-labels
    desc: all resources should have labels
    level: info
    tags:
      - kubernetes
      - important
      - labels

    check:
      type: object
      required: [metadata]
      properties:
        metadata:
          type: object
          required: [labels]
          properties:
            labels:
              type: object
              additionalProperties: false
              patternProperties:
                "^[-.a-z0-9]{1,63}$":
                  type: string

  - name: kubernetes-container-pull-policy
    desc: all containers should have a pull policy
    level: info
    tags:
      - kubernetes
      - image
      - optional

    select: '$..containers.*'
    check:
      type: object
      required: [image, imagePullPolicy]
      properties:
        imagePullPolicy:
          type: string
          enum:
            - Always
            - IfNotPresent
            - Never


  - name: kubernetes-image-latest
    desc: images should never use :latest tag
    level: info
    tags:
      - kubernetes
      - image
      - important

    select: '$..containers.*'
    check:
      type: object
      required: [image]
      properties:
        image:
          type: string
          not:
            pattern: ':latest$'
feat: load definitions from rules (fixes #2) BREAKING CHANGE: adds a required `name` property (string) at the top level of each `--rules` file, used as the schema name 2019-06-22 17:26:11 +00:00			`name: salty-dog-kubernetes`
feat: run schema, do everything but select nodes 2019-06-15 22:38:05 +00:00			`rules:`
rules(kubernetes): add example of minimum CPU limit 2019-06-16 00:25:47 +00:00			`- name: kubernetes-resources`
rules: add meta-schema for rules 2019-06-16 00:43:01 +00:00			`desc: containers must have complete resources specified`
feat: run schema, do everything but select nodes 2019-06-15 22:38:05 +00:00			`level: info`
			`tags:`
feat(rules): add filename as tag 2019-06-16 03:54:40 +00:00			`- kubernetes`
feat(rules): kubernetes rule to require labels 2019-06-30 22:19:13 +00:00			`- resources`
feat: run schema, do everything but select nodes 2019-06-15 22:38:05 +00:00
rules(kubernetes): add example of minimum CPU limit 2019-06-16 00:25:47 +00:00			`select: '$.spec.template.spec.containers[*]'`
			`check:`
feat: run schema, do everything but select nodes 2019-06-15 22:38:05 +00:00			`type: object`
			`additionalProperties: true`
			`required: [resources]`
			`properties:`
			`resources:`
			`type: object`
			`required: [limits, requests]`
			`properties:`
			`limits:`
			`type: object`
			`required: [cpu, memory]`
			`properties:`
rules(kubernetes): allow numeric resources, validate string resources more thoroughly 2019-06-16 01:53:20 +00:00			`cpu: &resources-cpu`
fix kubernetes rules 2019-06-24 04:00:44 +00:00			`oneOf:`
			`- type: number`
			`minimum: 1`
			`- type: string`
			`pattern: "[1-9][0-9]*m"`
rules(kubernetes): allow numeric resources, validate string resources more thoroughly 2019-06-16 01:53:20 +00:00			`memory: &resources-memory`
			`oneOf:`
			`- type: number`
rules(kubernetes): require positive value for numeric cpu limits 2019-06-17 00:16:32 +00:00			`minimum: 1`
rules(kubernetes): allow numeric resources, validate string resources more thoroughly 2019-06-16 01:53:20 +00:00			`- type: string`
			`pattern: "[1-9][0-9]*[KMG]i"`
feat: run schema, do everything but select nodes 2019-06-15 22:38:05 +00:00			`requests:`
			`type: object`
			`required: [cpu, memory]`
			`properties:`
rules(kubernetes): allow numeric resources, validate string resources more thoroughly 2019-06-16 01:53:20 +00:00			`cpu: *resources-cpu`
			`memory: *resources-memory`
rules(kubernetes): add example of minimum CPU limit 2019-06-16 00:25:47 +00:00
			`- name: kubernetes-resources-minimum-cpu`
			`desc: resource limits are too low`
			`level: debug`
			`tags:`
feat(rules): add filename as tag 2019-06-16 03:54:40 +00:00			`- kubernetes`
feat(rules): kubernetes rule to require labels 2019-06-30 22:19:13 +00:00			`- resources`
rules(kubernetes): add example of minimum CPU limit 2019-06-16 00:25:47 +00:00
			`select: '$.spec.template.spec.containers[*].resources'`
fix(rules): ensure low CPU limits are non-0 2019-06-17 11:55:46 +00:00			`# filter containers with cpu limits`
rules(kubernetes): add example of minimum CPU limit 2019-06-16 00:25:47 +00:00			`filter:`
			`type: object`
			`properties:`
			`limits:`
			`type: object`
			`properties:`
docs: clean up readme 2019-06-25 03:32:39 +00:00			`cpu: *resources-cpu`
rules(kubernetes): add example of minimum CPU limit 2019-06-16 00:25:47 +00:00
lint(rules): comment up the k8s rules 2019-06-16 03:51:03 +00:00			`# ensure the limits aren't too low`
rules(kubernetes): add example of minimum CPU limit 2019-06-16 00:25:47 +00:00			`check:`
			`type: object`
			`properties:`
			`limits:`
			`type: object`
			`properties:`
			`cpu:`
fix kubernetes rules 2019-06-24 04:00:44 +00:00			`oneOf:`
			`- type: number`
			`minimum: 1`
			`- type: string`
			`pattern: "[1-9][0-9]{2,}m"`
rules(kubernetes): ensure deployments have replica counts 2019-06-16 01:53:39 +00:00
			`- name: kubernetes-deployment-replicas`
lint(rules): comment up the k8s rules 2019-06-16 03:51:03 +00:00			`desc: deployments must specify a positive replica count`
rules(kubernetes): ensure deployments have replica counts 2019-06-16 01:53:39 +00:00			`level: info`
			`tags:`
feat(rules): add filename as tag 2019-06-16 03:54:40 +00:00			`- kubernetes`
feat(rules): kubernetes rule to require labels 2019-06-30 22:19:13 +00:00			`- apps`
			`- deployment`
rules(kubernetes): ensure deployments have replica counts 2019-06-16 01:53:39 +00:00
lint(rules): comment up the k8s rules 2019-06-16 03:51:03 +00:00			`# select the root of the document`
rules(kubernetes): ensure deployments have replica counts 2019-06-16 01:53:39 +00:00			`select: '$'`
lint(rules): comment up the k8s rules 2019-06-16 03:51:03 +00:00
			`# filter deployments`
rules(kubernetes): ensure deployments have replica counts 2019-06-16 01:53:39 +00:00			`filter:`
			`type: object`
			`properties:`
			`kind:`
			`type: string`
			`const: Deployment`

lint(rules): comment up the k8s rules 2019-06-16 03:51:03 +00:00			`# ensure replicas are greater than 0`
rules(kubernetes): ensure deployments have replica counts 2019-06-16 01:53:39 +00:00			`check:`
			`type: object`
			`properties:`
			`spec:`
			`type: object`
			`properties:`
			`replica:`
			`type: number`
docs: clean up readme 2019-06-25 03:32:39 +00:00			`minimum: 1`
feat(rules): kubernetes rule to require labels 2019-06-30 22:19:13 +00:00
			`- name: kubernetes-labels`
			`desc: all resources should have labels`
			`level: info`
			`tags:`
			`- kubernetes`
feat(rules/kubernetes): add rule to prevent latest tag, rule to ensure pull policy is set 2019-11-16 02:53:09 +00:00			`- important`
feat(rules): kubernetes rule to require labels 2019-06-30 22:19:13 +00:00			`- labels`

			`check:`
			`type: object`
			`required: [metadata]`
			`properties:`
			`metadata:`
			`type: object`
			`required: [labels]`
			`properties:`
			`labels:`
			`type: object`
			`additionalProperties: false`
			`patternProperties:`
			`"^[-.a-z0-9]{1,63}$":`
feat(rules/kubernetes): add rule to prevent latest tag, rule to ensure pull policy is set 2019-11-16 02:53:09 +00:00			`type: string`

			`- name: kubernetes-container-pull-policy`
			`desc: all containers should have a pull policy`
			`level: info`
			`tags:`
			`- kubernetes`
			`- image`
			`- optional`

			`select: '$..containers.*'`
			`check:`
			`type: object`
			`required: [image, imagePullPolicy]`
			`properties:`
			`imagePullPolicy:`
			`type: string`
			`enum:`
			`- Always`
			`- IfNotPresent`
			`- Never`


			`- name: kubernetes-image-latest`
			`desc: images should never use :latest tag`
			`level: info`
			`tags:`
			`- kubernetes`
			`- image`
			`- important`

			`select: '$..containers.*'`
			`check:`
			`type: object`
			`required: [image]`
			`properties:`
			`image:`
			`type: string`
			`not:`
			`pattern: ':latest$'`