feat(rules/kubernetes): add rule to prevent latest tag, rule to ensure pull policy is set

2019-11-15 20:53:09 -06:00 · 2019-11-15 20:53:09 -06:00 · 8254848ef8
parent 26eda4c6fe
commit 8254848ef8
7 changed files with 59 additions and 1 deletions
--- a/rules/kubernetes.yml
+++ b/rules/kubernetes.yml
@ -106,6 +106,7 @@ rules:
    level: info
    tags:
      - kubernetes
+      - important
      - labels

    check:
@ -121,4 +122,43 @@ rules:
              additionalProperties: false
              patternProperties:
                "^[-.a-z0-9]{1,63}$":
-                  type: string
+                  type: string
+
+  - name: kubernetes-container-pull-policy
+    desc: all containers should have a pull policy
+    level: info
+    tags:
+      - kubernetes
+      - image
+      - optional
+
+    select: '$..containers.*'
+    check:
+      type: object
+      required: [image, imagePullPolicy]
+      properties:
+        imagePullPolicy:
+          type: string
+          enum:
+            - Always
+            - IfNotPresent
+            - Never
+
+
+  - name: kubernetes-image-latest
+    desc: images should never use :latest tag
+    level: info
+    tags:
+      - kubernetes
+      - image
+      - important
+
+    select: '$..containers.*'
+    check:
+      type: object
+      required: [image]
+      properties:
+        image:
+          type: string
+          not:
+            pattern: ':latest$'
--- a/test/examples/kubernetes-resources-high.yml
+++ b/test/examples/kubernetes-resources-high.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
+          image: foo
+          imagePullPolicy: Always
          resources:
            limits:
              cpu: 4000m
--- a/test/examples/kubernetes-resources-low.yml
+++ b/test/examples/kubernetes-resources-low.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
+          image: foo
+          imagePullPolicy: Always
          resources:
            limits:
              memory: 5Mi
--- a/test/examples/kubernetes-resources-med.yml
+++ b/test/examples/kubernetes-resources-med.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
+          image: foo
+          imagePullPolicy: Always
          resources:
            limits:
              cpu: 200m
--- a/test/examples/kubernetes-resources-multi.yml
+++ b/test/examples/kubernetes-resources-multi.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
+          image: foo
+          imagePullPolicy: Always
          resources:
            limits:
              cpu: 4000m
@ -19,6 +21,8 @@ spec:
              memory: 5Gi

        - name: other
+          image: foo
+          imagePullPolicy: Always
          resources:
            limits:
              cpu: 2000m
--- a/test/examples/kubernetes-resources-none.yml
+++ b/test/examples/kubernetes-resources-none.yml
@ -10,4 +10,6 @@ spec:
    spec:
      containers:
        - name: test
+          image: foo
+          imagePullPolicy: Always
          # missing resources
--- a/test/examples/kubernetes-resources-some.yml
+++ b/test/examples/kubernetes-resources-some.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
+          image: foo
+          imagePullPolicy: Always
          resources:
            limits:
              cpu: 4000m
@ -28,6 +30,8 @@ spec:
    spec:
      containers:
        - name: test
+          image: foo
+          imagePullPolicy: Always
          resources:
            limits:
              cpu: 200m
@ -46,6 +50,8 @@ spec:
    spec:
      containers:
        - name: test
+          image: foo
+          imagePullPolicy: Always
          resources:
            limits:
              cpu: 4000m