name: salty-dog-kubernetes rules: - name: kubernetes-resources desc: containers must have complete resources specified level: info tags: - kubernetes - resources select: '$.spec.template.spec.containers[*]' check: type: object additionalProperties: true required: [resources] properties: resources: type: object required: [limits, requests] properties: limits: type: object required: [cpu, memory] properties: cpu: &resources-cpu oneOf: - type: number minimum: 1 - type: string pattern: "[1-9][0-9]*m" memory: &resources-memory oneOf: - type: number minimum: 1 - type: string pattern: "[1-9][0-9]*[KMG]i" requests: type: object required: [cpu, memory] properties: cpu: *resources-cpu memory: *resources-memory - name: kubernetes-resources-minimum-cpu desc: resource limits are too low level: debug tags: - kubernetes - resources select: '$.spec.template.spec.containers[*].resources' # filter containers with cpu limits filter: type: object properties: limits: type: object properties: cpu: *resources-cpu # ensure the limits aren't *too* low check: type: object properties: limits: type: object properties: cpu: oneOf: - type: number minimum: 1 - type: string pattern: "[1-9][0-9]{2,}m" - name: kubernetes-deployment-replicas desc: deployments must specify a positive replica count level: info tags: - kubernetes - apps - deployment # select the root of the document select: '$' # filter deployments filter: type: object properties: kind: type: string const: Deployment # ensure replicas are greater than 0 check: type: object properties: spec: type: object properties: replica: type: number minimum: 1 - name: kubernetes-labels desc: all resources should have labels level: info tags: - kubernetes - important - labels check: type: object required: [metadata] properties: metadata: type: object required: [labels] properties: labels: type: object additionalProperties: false patternProperties: "^[-.a-z0-9]{1,63}$": type: string - name: kubernetes-container-pull-policy desc: all containers should have a pull policy level: info tags: - kubernetes - image - optional select: '$..containers.*' check: type: object required: [image, imagePullPolicy] properties: image: type: string imagePullPolicy: type: string enum: - Always - IfNotPresent - Never - name: kubernetes-image-latest desc: images should never use :latest tag level: info tags: - kubernetes - image - important select: '$..containers.*' check: type: object required: [image] properties: image: type: string not: pattern: ':latest$'