Update unset-memory-requirements and unset-cpu-requirements, fixes st…

…ackrox#694 stackrox#695

README.md

@@ -5,11 +5,11 @@
 
 # What is KubeLinter?
 
-KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. 
+KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
 
 KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
 
-KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization. 
+KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
 
 When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
 
@@ -50,13 +50,13 @@ Installing KubeLinter from source is as simple as following these steps:
    ```bash
    git clone git@github.com:stackrox/kube-linter.git
    ```
-   
+
 1. Then, compile the source code. This will create the kube-linter binary files for each platform and places them in the `.gobin` folder.
-   
+
    ```bash
    make build
    ```
-   
+
 1. Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.
 
    ```bash
@@ -162,7 +162,7 @@ Consider the following sample pod specification file `pod.yaml`. This file has t
        securityContext:
          allowPrivilegeEscalation: false
    ```
-  
+
 1. Copy the YAML above to pod.yaml and lint this file by running the following command:
 
    ```bash
@@ -205,7 +205,7 @@ the future to the command usage, flags, and configuration file formats. However,
 we encourage you to use KubeLinter to test your environment YAML files, see what
 breaks, and [contribute](./CONTRIBUTING.md).
 
-## LICENSE 
+## LICENSE
 
 KubeLinter is licensed under the [Apache License 2.0](./LICENSE).
 

docs/generated/checks.md

@@ -629,15 +629,15 @@ unsafeSysCtls:
 
 **Description**: Indicates when containers do not have CPU requests and limits set.
 
-**Remediation**: Set CPU requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
+**Remediation**: Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 
 **Template**: [cpu-requirements](templates.md#cpu-requirements)
 
 **Parameters**:
 
 ```yaml
 lowerBoundMillis: 0
-requirementsType: any
+requirementsType: request
 upperBoundMillis: 0
 ```
 ## unset-memory-requirements
@@ -646,15 +646,15 @@ upperBoundMillis: 0
 
 **Description**: Indicates when containers do not have memory requests and limits set.
 
-**Remediation**: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
+**Remediation**: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 
 **Template**: [memory-requirements](templates.md#memory-requirements)
 
 **Parameters**:
 
 ```yaml
 lowerBoundMB: 0
-requirementsType: any
+requirementsType: limits
 upperBoundMB: 0
 ```
 ## use-namespace

e2etests/bats-tests.sh

@@ -904,15 +904,11 @@ get_value_from() {
 
   message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
   message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
-  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
-  message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
   count=$(get_value_from "${lines[0]}" '.Reports | length')
 
   [[ "${message1}" == "Deployment: container \"app\" has cpu request 0" ]]
-  [[ "${message2}" == "Deployment: container \"app\" has cpu limit 0" ]]
-  [[ "${message3}" == "DeploymentConfig: container \"app\" has cpu request 0" ]]
-  [[ "${message4}" == "DeploymentConfig: container \"app\" has cpu limit 0" ]]
-  [[ "${count}" == "4" ]]
+  [[ "${message2}" == "DeploymentConfig: container \"app\" has cpu request 0" ]]
+  [[ "${count}" == "2" ]]
 }
 
 @test "unset-memory-requirements" {
@@ -925,15 +921,11 @@ get_value_from() {
 
   message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
   message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
-  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
-  message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
   count=$(get_value_from "${lines[0]}" '.Reports | length')
 
-  [[ "${message1}" == "Deployment: container \"app\" has memory request 0" ]]
-  [[ "${message2}" == "Deployment: container \"app\" has memory limit 0" ]]
-  [[ "${message3}" == "DeploymentConfig: container \"app\" has memory request 0" ]]
-  [[ "${message4}" == "DeploymentConfig: container \"app\" has memory limit 0" ]]
-  [[ "${count}" == "4" ]]
+  [[ "${message1}" == "Deployment: container \"app\" has memory limit 0" ]]
+  [[ "${message2}" == "DeploymentConfig: container \"app\" has memory limit 0" ]]
+  [[ "${count}" == "2" ]]
 }
 
 @test "use-namespace" {

pkg/builtinchecks/yamls/unset-cpu-requirements.yaml

@@ -4,10 +4,10 @@ scope:
   objectKinds:
     - DeploymentLike
 remediation: >-
-  Set CPU requests and limits for your container based on its requirements.
+  Set CPU requests for your container based on its requirements.
   Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 template: "cpu-requirements"
 params:
-  requirementsType: "any"
+  requirementsType: "request"
   lowerBoundMillis: 0
   upperBoundMillis: 0

pkg/builtinchecks/yamls/unset-memory-requirements.yaml

@@ -1,13 +1,13 @@
 name: "unset-memory-requirements"
 description: "Indicates when containers do not have memory requests and limits set."
 remediation: >-
-  Set memory requests and limits for your container based on its requirements.
+  Set memory limits for your container based on its requirements.
   Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 scope:
   objectKinds:
     - DeploymentLike
 template: "memory-requirements"
 params:
-  requirementsType: "any"
+  requirementsType: "limits"
   lowerBoundMB: 0
   upperBoundMB: 0

tests/checks/unset-cpu-requirements.yml

@@ -25,6 +25,4 @@ spec:
       containers:
       - name: app
         requests:
-          memory: 1Gi
-        limits:
           memory: 1Gi

tests/checks/unset-memory-requirements.yml

@@ -25,6 +25,4 @@ spec:
       containers:
       - name: app
         requests:
-          cpu: 1
-        limits:
           cpu: 1