feat(rules/kubernetes): add rule to prevent latest tag, rule to ensure pull policy is set

2019-11-15 20:53:09 -06:00 · 2019-11-15 20:53:09 -06:00 · 8254848ef8
parent 26eda4c6fe
commit 8254848ef8
7 changed files with 59 additions and 1 deletions
--- a/rules/kubernetes.yml
+++ b/rules/kubernetes.yml
@ -106,6 +106,7 @@ rules:
    level: info
    tags:
      - kubernetes
      - important
      - labels
    check:
@ -122,3 +123,42 @@ rules:
              patternProperties:
                "^[-.a-z0-9]{1,63}$":
                  type: string
  - name: kubernetes-container-pull-policy
    desc: all containers should have a pull policy
    level: info
    tags:
      - kubernetes
      - image
      - optional
    select: '$..containers.*'
    check:
      type: object
      required: [image, imagePullPolicy]
      properties:
        imagePullPolicy:
          type: string
          enum:
            - Always
            - IfNotPresent
            - Never
  - name: kubernetes-image-latest
    desc: images should never use :latest tag
    level: info
    tags:
      - kubernetes
      - image
      - important
    select: '$..containers.*'
    check:
      type: object
      required: [image]
      properties:
        image:
          type: string
          not:
            pattern: ':latest$'
--- a/test/examples/kubernetes-resources-high.yml
+++ b/test/examples/kubernetes-resources-high.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
          image: foo
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 4000m
--- a/test/examples/kubernetes-resources-low.yml
+++ b/test/examples/kubernetes-resources-low.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
          image: foo
          imagePullPolicy: Always
          resources:
            limits:
              memory: 5Mi
--- a/test/examples/kubernetes-resources-med.yml
+++ b/test/examples/kubernetes-resources-med.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
          image: foo
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 200m
--- a/test/examples/kubernetes-resources-multi.yml
+++ b/test/examples/kubernetes-resources-multi.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
          image: foo
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 4000m
@ -19,6 +21,8 @@ spec:
              memory: 5Gi
        - name: other
          image: foo
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 2000m
--- a/test/examples/kubernetes-resources-none.yml
+++ b/test/examples/kubernetes-resources-none.yml
@ -10,4 +10,6 @@ spec:
    spec:
      containers:
        - name: test
          image: foo
          imagePullPolicy: Always
          # missing resources
--- a/test/examples/kubernetes-resources-some.yml
+++ b/test/examples/kubernetes-resources-some.yml
@ -10,6 +10,8 @@ spec:
    spec:
      containers:
        - name: test
          image: foo
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 4000m
@ -28,6 +30,8 @@ spec:
    spec:
      containers:
        - name: test
          image: foo
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 200m
@ -46,6 +50,8 @@ spec:
    spec:
      containers:
        - name: test
          image: foo
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 4000m