1
0
Fork 0

feat(rules/kubernetes): add rule to prevent latest tag, rule to ensure pull policy is set

This commit is contained in:
ssube 2019-11-15 20:53:09 -06:00 committed by Sean Sube
parent 26eda4c6fe
commit 8254848ef8
7 changed files with 59 additions and 1 deletions

View File

@ -106,6 +106,7 @@ rules:
level: info level: info
tags: tags:
- kubernetes - kubernetes
- important
- labels - labels
check: check:
@ -122,3 +123,42 @@ rules:
patternProperties: patternProperties:
"^[-.a-z0-9]{1,63}$": "^[-.a-z0-9]{1,63}$":
type: string type: string
- name: kubernetes-container-pull-policy
desc: all containers should have a pull policy
level: info
tags:
- kubernetes
- image
- optional
select: '$..containers.*'
check:
type: object
required: [image, imagePullPolicy]
properties:
imagePullPolicy:
type: string
enum:
- Always
- IfNotPresent
- Never
- name: kubernetes-image-latest
desc: images should never use :latest tag
level: info
tags:
- kubernetes
- image
- important
select: '$..containers.*'
check:
type: object
required: [image]
properties:
image:
type: string
not:
pattern: ':latest$'

View File

@ -10,6 +10,8 @@ spec:
spec: spec:
containers: containers:
- name: test - name: test
image: foo
imagePullPolicy: Always
resources: resources:
limits: limits:
cpu: 4000m cpu: 4000m

View File

@ -10,6 +10,8 @@ spec:
spec: spec:
containers: containers:
- name: test - name: test
image: foo
imagePullPolicy: Always
resources: resources:
limits: limits:
memory: 5Mi memory: 5Mi

View File

@ -10,6 +10,8 @@ spec:
spec: spec:
containers: containers:
- name: test - name: test
image: foo
imagePullPolicy: Always
resources: resources:
limits: limits:
cpu: 200m cpu: 200m

View File

@ -10,6 +10,8 @@ spec:
spec: spec:
containers: containers:
- name: test - name: test
image: foo
imagePullPolicy: Always
resources: resources:
limits: limits:
cpu: 4000m cpu: 4000m
@ -19,6 +21,8 @@ spec:
memory: 5Gi memory: 5Gi
- name: other - name: other
image: foo
imagePullPolicy: Always
resources: resources:
limits: limits:
cpu: 2000m cpu: 2000m

View File

@ -10,4 +10,6 @@ spec:
spec: spec:
containers: containers:
- name: test - name: test
image: foo
imagePullPolicy: Always
# missing resources # missing resources

View File

@ -10,6 +10,8 @@ spec:
spec: spec:
containers: containers:
- name: test - name: test
image: foo
imagePullPolicy: Always
resources: resources:
limits: limits:
cpu: 4000m cpu: 4000m
@ -28,6 +30,8 @@ spec:
spec: spec:
containers: containers:
- name: test - name: test
image: foo
imagePullPolicy: Always
resources: resources:
limits: limits:
cpu: 200m cpu: 200m
@ -46,6 +50,8 @@ spec:
spec: spec:
containers: containers:
- name: test - name: test
image: foo
imagePullPolicy: Always
resources: resources:
limits: limits:
cpu: 4000m cpu: 4000m