Update unset-memory-requirements and unset-cpu-requirements #734

Merged
merged 2 commits into from
Feb 28, 2024
25 changes: 12 additions & 13 deletions README.md
Expand Up @@ -5,11 +5,11 @@

# What is KubeLinter?

KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.

KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.

KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.

When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.

Expand Down Expand Up @@ -50,13 +50,13 @@ Installing KubeLinter from source is as simple as following these steps:
```bash
git clone [email protected]:stackrox/kube-linter.git
```

1. Then, compile the source code. This will create the kube-linter binary files for each platform and places them in the `.gobin` folder.

```bash
make build
```

1. Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.

```bash
Expand Down Expand Up @@ -132,7 +132,6 @@ Consider the following sample pod specification file `pod.yaml`. This file has t
1. The container in this pod is not running as a read only file system, which could allow it to write to the root filesystem.

**Production readiness:**
1. The container's CPU limits are not set, which could allow it to consume excessive CPU.
1. The container's memory limits are not set, which could allow it to consume excessive memory

```yaml
Expand Down Expand Up @@ -162,7 +161,7 @@ Consider the following sample pod specification file `pod.yaml`. This file has t
securityContext:
allowPrivilegeEscalation: false
```

1. Copy the YAML above to pod.yaml and lint this file by running the following command:

```bash
Expand All @@ -171,12 +170,12 @@ Consider the following sample pod specification file `pod.yaml`. This file has t
1. KubeLinter runs its default checks and reports recommendations. Below is the output from our previous command.

```
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.)
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) The container "sec-ctx-demo" is using an invalid container image, "busybox". Please use images that are not blocked by the `BlockList` criteria : [".*:(latest)$" "^[^:]*$" "(.*/[^:]+)$"] (check: latest-tag, remediation: Use a container image with a specific tag other than latest.)

pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)

pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)

pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.)

pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.)

Error: found 3 lint errors
```
To learn more about using and configuring KubeLinter, visit the [documentation](./docs) page.
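Review bot: the updated sample output now opens with a latest-tag finding for the busybox image, but the numbered list of problems above pod.yaml still names only the read-only root filesystem and memory-limit issues, so the walkthrough's list and its output disagree about what the sample demonstrates; either add an item for the untagged image or trim the output to the checks the walkthrough introduces. The closing "Error: found 3 lint errors" line does match the three messages shown (latest-tag, no-read-only-root-fs, unset-memory-requirements), so the count is consistent.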
Expand Down Expand Up @@ -205,7 +204,7 @@ the future to the command usage, flags, and configuration file formats. However,
we encourage you to use KubeLinter to test your environment YAML files, see what
breaks, and [contribute](./CONTRIBUTING.md).

## LICENSE
## LICENSE

KubeLinter is licensed under the [Apache License 2.0](./LICENSE).

8 changes: 4 additions & 4 deletions docs/generated/checks.md
Expand Up @@ -629,15 +629,15 @@ unsafeSysCtls:

**Description**: Indicates when containers do not have CPU requests and limits set.

**Remediation**: Set CPU requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
**Remediation**: Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.

**Template**: [cpu-requirements](templates.md#cpu-requirements)

**Parameters**:

```yaml
lowerBoundMillis: 0
requirementsType: any
requirementsType: request
upperBoundMillis: 0
```
## unset-memory-requirements
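Review bot: the Description field still reads "do not have CPU requests and limits set" while the remediation and the `requirementsType: request` parameter in this hunk now concern requests only. Since this file is generated, the fix belongs in the description field of pkg/builtinchecks/yamls/unset-cpu-requirements.yaml followed by regenerating the docs; otherwise the published check list tells users the check enforces limits it no longer inspects.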
Expand All @@ -646,15 +646,15 @@ upperBoundMillis: 0

**Description**: Indicates when containers do not have memory requests and limits set.

**Remediation**: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
**Remediation**: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.

**Template**: [memory-requirements](templates.md#memory-requirements)

**Parameters**:

```yaml
lowerBoundMB: 0
requirementsType: any
requirementsType: limit
upperBoundMB: 0
```
## use-namespace
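Review bot: same staleness as the CPU entry: the Description says "memory requests and limits set" but `requirementsType: limit` means only the limit is examined. Because the memory check now takes the opposite slice from the CPU check (limits here, requests there), a short sentence in each description stating which of the two is enforced would stop readers from assuming one of them is a typo.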
18 changes: 5 additions & 13 deletions e2etests/bats-tests.sh
Expand Up @@ -904,15 +904,11 @@ get_value_from() {

message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
count=$(get_value_from "${lines[0]}" '.Reports | length')

[[ "${message1}" == "Deployment: container \"app\" has cpu request 0" ]]
[[ "${message2}" == "Deployment: container \"app\" has cpu limit 0" ]]
[[ "${message3}" == "DeploymentConfig: container \"app\" has cpu request 0" ]]
[[ "${message4}" == "DeploymentConfig: container \"app\" has cpu limit 0" ]]
[[ "${count}" == "4" ]]
[[ "${message2}" == "DeploymentConfig: container \"app\" has cpu request 0" ]]
[[ "${count}" == "2" ]]
}

@test "unset-memory-requirements" {
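Review bot: the reduced assertions are consistent with a request-only check (one message per object, `count == 2`), but they only exercise a fixture that sets neither a cpu request nor a cpu limit, so they cannot tell a request-only check apart from the old "any" behaviour except by message count. To pin the new semantics, the fixture in tests/checks/unset-cpu-requirements.yml needs a container with a cpu limit but no request (should still yield `has cpu request 0`) and one with a request but no limit (should yield nothing); neither case is covered by the fixture changes in this PR.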
Expand All @@ -925,15 +921,11 @@ get_value_from() {

message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
count=$(get_value_from "${lines[0]}" '.Reports | length')

[[ "${message1}" == "Deployment: container \"app\" has memory request 0" ]]
[[ "${message2}" == "Deployment: container \"app\" has memory limit 0" ]]
[[ "${message3}" == "DeploymentConfig: container \"app\" has memory request 0" ]]
[[ "${message4}" == "DeploymentConfig: container \"app\" has memory limit 0" ]]
[[ "${count}" == "4" ]]
[[ "${message1}" == "Deployment: container \"app\" has memory limit 0" ]]
[[ "${message2}" == "DeploymentConfig: container \"app\" has memory limit 0" ]]
[[ "${count}" == "2" ]]
}

@test "use-namespace" {
4 changes: 2 additions & 2 deletions pkg/builtinchecks/yamls/unset-cpu-requirements.yaml
Expand Up @@ -4,10 +4,10 @@ scope:
objectKinds:
- DeploymentLike
remediation: >-
Set CPU requests and limits for your container based on its requirements.
Set CPU requests for your container based on its requirements.
Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
template: "cpu-requirements"
params:
requirementsType: "any"
requirementsType: "request"
lowerBoundMillis: 0
upperBoundMillis: 0
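Review bot: switching `requirementsType` from `"any"` to `"request"` changes default behaviour for every user: a manifest with a CPU request but no CPU limit was reported before and is silently accepted now. That may well be the intended policy, but it needs an entry in the release notes, and the check's description (the line above this hunk, which still speaks of requests and limits) should be updated in the same change so the generated docs stay truthful.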
4 changes: 2 additions & 2 deletions pkg/builtinchecks/yamls/unset-memory-requirements.yaml
@@ -1,13 +1,13 @@
name: "unset-memory-requirements"
description: "Indicates when containers do not have memory requests and limits set."
remediation: >-
Set memory requests and limits for your container based on its requirements.
Set memory limits for your container based on its requirements.
Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
scope:
objectKinds:
- DeploymentLike
template: "memory-requirements"
params:
requirementsType: "any"
requirementsType: "limit"
lowerBoundMB: 0
upperBoundMB: 0
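Review bot: the description line at the top of this hunk still reads "do not have memory requests and limits set" and should become "memory limits", since docs/generated/checks.md is produced from it. On the semantics: with `"limit"` a container that sets a memory limit but no request is no longer reported, which is safe because Kubernetes copies the limit into the request when the request is omitted; a container with a request and no limit still produces `memory limit 0`, so no unsafe configuration stops being flagged.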
5 changes: 1 addition & 4 deletions tests/checks/unset-cpu-requirements.yml
Expand Up @@ -11,8 +11,7 @@ spec:
- name: app
requests:
memory: 1Gi
limits:
memory: 1Gi

---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
Expand All @@ -25,6 +24,4 @@ spec:
containers:
- name: app
requests:
memory: 1Gi
limits:
memory: 1Gi
8 changes: 2 additions & 6 deletions tests/checks/unset-memory-requirements.yml
Expand Up @@ -9,9 +9,7 @@ spec:
spec:
containers:
- name: app
requests:
cpu: 1
limits:
limit:
cpu: 1
---
apiVersion: apps.openshift.io/v1
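Review bot: `limit:` is not a Kubernetes resources key; the field is `limits`, plural, alongside `requests`. As written the Deployment fixture declares no CPU limit at all, and the e2e test still passes only because the memory check never looks at CPU. Restore the original block, or at least `limits:` followed by `cpu: 1`, so the fixture stays a valid container spec. It is also worth checking whether the decoder drops the unknown `limit` key silently or rejects the object; a rejected object would not yield the two expected reports, so a green CI run suggests the key is being ignored rather than validated.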
Expand All @@ -24,7 +22,5 @@ spec:
spec:
containers:
- name: app
requests:
cpu: 1
limits:
limit:
cpu: 1
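Review bot: same `limit:` versus `limits:` typo in the DeploymentConfig fixture; apply the same fix here so both objects keep a real CPU limit.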