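---
# salty-dog rule set for Kubernetes manifests.
# Each rule picks nodes with a JSONPath `select`, optionally narrows them with a
# `filter` schema, and validates the survivors against the JSON-Schema `check`.
# All `pattern` regexes are anchored: JSON Schema `pattern` is a *search*, so an
# unanchored pattern also accepts values with junk before or after the match.
name: salty-dog-kubernetes

rules:
  - name: kubernetes-resources
    desc: containers must have complete resources specified
    level: info
    tags:
      - kubernetes
      - resources

    # NOTE(review): this path only reaches workloads whose pod template sits
    # directly under `spec` (Deployment, StatefulSet, ...). Bare Pods and
    # CronJobs (`spec.jobTemplate.spec.template`) are not selected — confirm
    # that is intended, or widen to `$..containers[*]` like the image rules.
    select: '$.spec.template.spec.containers[*]'
    check:
      type: object
      additionalProperties: true
      required: [resources]
      properties:
        resources:
          type: object
          required: [limits, requests]
          properties:
            limits:
              type: object
              required: [cpu, memory]
              properties:
                # A quantity is either a bare YAML number (cores / bytes) or a
                # string with a unit suffix. Previously "[1-9][0-9]*m" was
                # unanchored and also passed values such as "0500m" or "10mx".
                cpu: &resources-cpu
                  oneOf:
                    - type: number
                      # 1m = 0.001 core is the smallest CPU quantity; keeps the
                      # numeric branch at the same floor as the string branch
                      # (0.5 and "500m" are the same quantity and must agree)
                      minimum: 0.001
                    - type: string
                      # millicores only; a whole-core string such as "2" is not
                      # accepted here — write it as an unquoted number instead
                      pattern: '^[1-9][0-9]*m$'
                memory: &resources-memory
                  oneOf:
                    - type: number
                      # a bare number is bytes; must be at least one byte
                      minimum: 1
                    - type: string
                      # NOTE(review): only binary suffixes up to Gi are accepted;
                      # "Ti"/"Pi" and decimal suffixes ("M", "G") are rejected
                      pattern: '^[1-9][0-9]*[KMG]i$'
            requests:
              type: object
              required: [cpu, memory]
              properties:
                cpu: *resources-cpu
                memory: *resources-memory

  - name: kubernetes-resources-minimum-cpu
    desc: resource limits are too low
    level: debug
    tags:
      - kubernetes
      - resources

    select: '$.spec.template.spec.containers[*].resources'
    # skip containers whose cpu limit is malformed (kubernetes-resources reports
    # those); an absent limit passes both this filter and the check below
    filter:
      type: object
      properties:
        limits:
          type: object
          properties:
            cpu: *resources-cpu

    # ensure the limits aren't *too* low: at least 100m in either spelling
    check:
      type: object
      properties:
        limits:
          type: object
          properties:
            cpu:
              oneOf:
                - type: number
                  # 0.1 core == "100m"; the numeric branch previously demanded a
                  # full core while the string branch accepted "100m"
                  minimum: 0.1
                - type: string
                  # three or more digits of millicores, i.e. >= 100m
                  pattern: '^[1-9][0-9]{2,}m$'

  - name: kubernetes-deployment-replicas
    desc: deployments must specify a positive replica count
    level: info
    tags:
      - kubernetes
      - apps
      - deployment

    # select the root of the document
    select: '$'

    # filter deployments
    filter:
      type: object
      properties:
        kind:
          type: string
          const: Deployment

    # ensure replicas are present and greater than 0. The field is
    # `spec.replicas`: a check keyed on `replica` never applied to anything,
    # and without `required` a Deployment that omits the field passed silently.
    check:
      type: object
      required: [spec]
      properties:
        spec:
          type: object
          required: [replicas]
          properties:
            replicas:
              type: integer
              minimum: 1

  - name: kubernetes-labels
    desc: all resources should have labels
    level: info
    tags:
      - kubernetes
      - important
      - labels

    # select the root of the document
    select: '$'

    check:
      type: object
      required: [metadata]
      properties:
        metadata:
          type: object
          required: [labels]
          properties:
            labels:
              type: object
              # an empty map does not satisfy "should have labels"
              minProperties: 1
              additionalProperties: false
              patternProperties:
                # Kubernetes label key: optional DNS-subdomain prefix + "/",
                # then a name of at most 63 chars that starts and ends with an
                # alphanumeric. The previous "^[-.a-z0-9]{1,63}$" rejected the
                # standard `app.kubernetes.io/...` keys and any uppercase
                # letter. (The 253-char prefix limit is not enforced here.)
                '^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$':
                  type: string
                  # label value: empty, or up to 63 chars starting and ending
                  # with an alphanumeric
                  pattern: '^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$'

  - name: kubernetes-container-pull-policy
    desc: all containers should have a pull policy
    level: info
    tags:
      - kubernetes
      - image
      - optional

    # every entry of any `containers` list at any depth (Pods, templates, ...).
    # NOTE(review): `initContainers` and `ephemeralContainers` are different
    # keys and are not selected by this path.
    select: '$..containers.*'
    check:
      type: object
      required: [image, imagePullPolicy]
      properties:
        image:
          type: string
        imagePullPolicy:
          type: string
          enum:
            - Always
            - IfNotPresent
            - Never

  - name: kubernetes-image-latest
    desc: images should never use :latest tag
    level: info
    tags:
      - kubernetes
      - image
      - important

    select: '$..containers.*'
    check:
      type: object
      required: [image]
      properties:
        image:
          type: string
          # A reference with neither a tag nor a digest is pulled as :latest,
          # so an explicit tag (`:1.2.3`) or digest (`@sha256:...`) is required;
          # the old check only caught the literal `:latest` suffix. The tag
          # alternative cannot cross "/", so a registry port such as
          # `registry:5000/app` does not count as a tag.
          pattern: '(:[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}|@sha256:[0-9a-f]{64})$'
          # and an explicit tag must not be :latest (a trailing digest still
          # pins the image, so `app:latest@sha256:...` is accepted)
          not:
            pattern: ':latest$'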