diff --git a/Makefile b/Makefile index 92dc10404..e1ced1ca5 100644 --- a/Makefile +++ b/Makefile @@ -109,6 +109,7 @@ source-code-archive: .PHONY: test test: + echo $(TAG) go test ./... .PHONY: e2e-test diff --git a/README.md b/README.md index d6f9d4295..4e45e4dde 100644 --- a/README.md +++ b/README.md @@ -126,15 +126,11 @@ Running KubeLinter to Lint your YAML files only requires two steps in its most b ### Example -Consider the following sample pod specification file `pod.yaml`. This file has two production readiness issues and one security issue: +Consider the following sample pod specification file `pod.yaml`. This file has one security issue: **Security Issue:** 1. The container in this pod is not running as a read only file system, which could allow it to write to the root filesystem. -**Production readiness:** -1. The container's CPU limits are not set, which could allow it to consume excessive CPU. -1. The container's memory limits are not set, which could allow it to consume excessive memory - ```yaml apiVersion: v1 kind: Pod 
@@ -172,12 +168,8 @@ Consider the following sample pod specification file `pod.yaml`. This file has t ``` pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.) - - pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.) - - pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.) - Error: found 3 lint errors + Error: found 1 lint error ``` To learn more about using and configuring KubeLinter, visit the [documentation](./docs) page. diff --git a/docs/README.md b/docs/README.md index 528945d54..d6762ac04 100755 --- a/docs/README.md +++ b/docs/README.md @@ -174,11 +174,6 @@ COSIGN_EXPERIMENTAL=1 cosign verify $IMAGE_NAME > - The container in this pod is not running as a read-only file system, > allowing it to write to the root filesystem. > - > **Production readiness issue** - > - The configuration doesn't specify the container's CPU limits, - > allowing it to consume excessive CPU. - > - The configuration doesn't specify the container's memory limits, - > allowing it to consume excessive memory. 1. To lint this file with KubeLinter, run the following command: ```bash 
@@ -188,11 +183,7 @@ COSIGN_EXPERIMENTAL=1 cosign verify $IMAGE_NAME ``` pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.) - pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.) - - pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.) - - Error: found 3 lint errors + Error: found 1 lint error ``` 
@@ -216,11 +207,10 @@ chart: helm-chart-sample/helm-chart-sample/templates/tests/test-connection.yaml: (object: /test-release-helm-chart-sample-test-connection /v1, Kind=Pod) container "wget" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number, and runAsNonRoot to true, in your pod or container securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.) - helm-chart-sample/helm-chart-sample/templates/tests/test-connection.yaml: (object: /test-release-helm-chart-sample-test-connection /v1, Kind=Pod) container "wget" has cpu request 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.) ... - Error: found 12 lint errors + Error: found 11 lint errors ``` diff --git a/docs/generated/checks.md b/docs/generated/checks.md index 3e16209f5..5699f7ede 100644 --- a/docs/generated/checks.md +++ b/docs/generated/checks.md @@ -627,9 +627,9 @@ unsafeSysCtls: **Enabled by default**: Yes -**Description**: Indicates when containers do not have CPU requests and limits set. +**Description**: Indicates when containers do not have CPU requests set. -**Remediation**: Set CPU requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. +**Remediation**: Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. **Template**: [cpu-requirements](templates.md#cpu-requirements) 
@@ -644,9 +644,9 @@ upperBoundMillis: 0 **Enabled by default**: Yes -**Description**: Indicates when containers do not have memory requests and limits set. +**Description**: Indicates when containers do not have memory requests set. -**Remediation**: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. +**Remediation**: Set memory requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. **Template**: [memory-requirements](templates.md#memory-requirements) diff --git a/e2etests/bats-tests.sh b/e2etests/bats-tests.sh index 87efe7c8f..059ac62e7 100755 --- a/e2etests/bats-tests.sh +++ b/e2etests/bats-tests.sh @@ -902,15 +902,11 @@ get_value_from() { message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message') message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message') - message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message') - message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message') count=$(get_value_from "${lines[0]}" '.Reports | length') [[ "${message1}" == "Deployment: container \"app\" has cpu request 0" ]] - [[ "${message2}" == "Deployment: container \"app\" has cpu limit 0" ]] - [[ "${message3}" == "DeploymentConfig: container \"app\" has cpu request 0" ]] - [[ "${message4}" == "DeploymentConfig: container \"app\" has cpu limit 0" ]] - [[ "${count}" == "4" ]] + [[ "${message2}" == "DeploymentConfig: container \"app\" has cpu request 0" ]] + [[ "${count}" == "2" ]] } @test "unset-memory-requirements" { 
@@ -923,15 +919,11 @@ get_value_from() { message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message') message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message') - message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message') - message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message') count=$(get_value_from "${lines[0]}" '.Reports | length') [[ "${message1}" == "Deployment: container \"app\" has memory request 0" ]] - [[ "${message2}" == "Deployment: container \"app\" has memory limit 0" ]] - [[ "${message3}" == "DeploymentConfig: container \"app\" has memory request 0" ]] - [[ "${message4}" == "DeploymentConfig: container \"app\" has memory limit 0" ]] - [[ "${count}" == "4" ]] + [[ "${message2}" == "DeploymentConfig: container \"app\" has memory request 0" ]] + [[ "${count}" == "2" ]] } @test "use-namespace" { diff --git a/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml b/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml index 91b124891..8d3d2987e 100644 --- a/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml +++ b/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml @@ -1,10 +1,10 @@ name: "unset-cpu-requirements" -description: "Indicates when containers do not have CPU requests and limits set." +description: "Indicates when containers do not have CPU requests set." scope: objectKinds: - DeploymentLike remediation: >- - Set CPU requests and limits for your container based on its requirements. + Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. template: "cpu-requirements" params: 
diff --git a/pkg/builtinchecks/yamls/unset-memory-requirements.yaml b/pkg/builtinchecks/yamls/unset-memory-requirements.yaml index 195433b2a..35eb7acb2 100644 --- a/pkg/builtinchecks/yamls/unset-memory-requirements.yaml +++ b/pkg/builtinchecks/yamls/unset-memory-requirements.yaml @@ -1,7 +1,7 @@ name: "unset-memory-requirements" -description: "Indicates when containers do not have memory requests and limits set." +description: "Indicates when containers do not have memory requests set." remediation: >- - Set memory requests and limits for your container based on its requirements. + Set memory requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. scope: objectKinds: diff --git a/pkg/templates/cpurequirements/template.go b/pkg/templates/cpurequirements/template.go index c9a5df571..71983ac15 100644 --- a/pkg/templates/cpurequirements/template.go +++ b/pkg/templates/cpurequirements/template.go @@ -39,9 +39,6 @@ func init() { if p.RequirementsType == "request" || p.RequirementsType == "any" { process(&results, container.Name, "request", container.Resources.Requests.Cpu(), p.LowerBoundMillis, p.UpperBoundMillis) } - if p.RequirementsType == "limit" || p.RequirementsType == "any" { - process(&results, container.Name, "limit", container.Resources.Limits.Cpu(), p.LowerBoundMillis, p.UpperBoundMillis) - } return results }), nil }), diff --git a/pkg/templates/memoryrequirements/template.go b/pkg/templates/memoryrequirements/template.go index bd63cdda1..346e335bf 100644 --- a/pkg/templates/memoryrequirements/template.go +++ b/pkg/templates/memoryrequirements/template.go 
@@ -48,9 +48,6 @@ func init() { if p.RequirementsType == "request" || p.RequirementsType == "any" { process(&results, container.Name, "request", container.Resources.Requests.Memory(), lowerBoundBytes, upperBoundBytes) } - if p.RequirementsType == "limit" || p.RequirementsType == "any" { - process(&results, container.Name, "limit", container.Resources.Limits.Memory(), lowerBoundBytes, upperBoundBytes) - } return results }), nil }),
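Review bot: the `echo $(TAG)` line added to the `test` target in the Makefile hunk looks like leftover debugging output and has nothing to do with the requests/limits change; drop it before merging (if surfacing the tag in CI logs is intended, give it its own commit and a comment saying why).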
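Review bot: in the `docs/generated/checks.md` and `pkg/builtinchecks/yamls/*.yaml` hunks the description and remediation for `unset-cpu-requirements` and `unset-memory-requirements` now speak only of requests, but the `**Template**` entries still link to `templates.md#cpu-requirements` and `templates.md#memory-requirements`; those template pages must stop listing `limit` as a valid `requirementsType`, or the generated docs will contradict each other. This hunk also warrants a release-note entry: a container with requests but no limits is no longer reported at all, so anyone relying on KubeLinter to flag unbounded CPU/memory (a resource-exhaustion and noisy-neighbour concern) loses that coverage with this change.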
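Review bot: the rewritten `e2etests/bats-tests.sh` assertions for `unset-cpu-requirements` and `unset-memory-requirements` cover only the request diagnostics (`message1`, `message2`, `count == "2"`); nothing now pins down what a check configured with `requirementsType: limit` or `any` produces, so a regression in that path would go unnoticed. Add a case that asserts the expected report count for a `limit`-configured check, whatever behaviour the template is meant to have.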
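Review bot: deleting the `if p.RequirementsType == "limit" || p.RequirementsType == "any"` branch in both `pkg/templates/cpurequirements/template.go` and `pkg/templates/memoryrequirements/template.go` leaves the `RequirementsType` parameter still accepting `limit` while silently producing no results for it: a user-defined check with `requirementsType: limit` now passes with zero diagnostics instead of failing loudly, and `any` has become a synonym for `request`. Either reject `limit` wherever the template parameters are validated and document `any` as request-only, or keep the branch and restrict the built-in checks to requests through their YAML `params` (`requirementsType: request`), which gives the same default behaviour without turning a configured check into a no-op.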