From 050ef1fa7e7296c2938b3a22f8f38215fca3d07b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Ga=C5=82ek?=
Date: Mon, 26 Feb 2024 22:35:44 +0100
Subject: [PATCH] Update unset-memory-requirements and unset-cpu-requirements, fixes #694 #695

---
 README.md | 14 +++++++-------
 docs/generated/checks.md | 8 ++++----
 e2etests/bats-tests.sh | 18 +++++------------
 .../yamls/unset-cpu-requirements.yaml | 4 ++--
 .../yamls/unset-memory-requirements.yaml | 4 ++--
 tests/checks/unset-cpu-requirements.yml | 2 --
 tests/checks/unset-memory-requirements.yml | 2 --
 7 files changed, 20 insertions(+), 32 deletions(-)

diff --git a/README.md b/README.md
index d6f9d4295..d3c7feeda 100644
--- a/README.md
+++ b/README.md
@@ -5,11 +5,11 @@
 # What is KubeLinter?
-KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
+KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
 KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
-KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
+KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
 When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
@@ -50,13 +50,13 @@ Installing KubeLinter from source is as simple as following these steps:
 ```bash
 git clone git@github.com:stackrox/kube-linter.git
 ```
-
+
 1. Then, compile the source code. This will create the kube-linter binary files for each platform and places them in the `.gobin` folder.
-
+
 ```bash
 make build
 ```
-
+
 1. Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.
 ```bash
@@ -162,7 +162,7 @@ Consider the following sample pod specification file `pod.yaml`. This file has t
 securityContext:
 allowPrivilegeEscalation: false
 ```
-
+
 1. Copy the YAML above to pod.yaml and lint this file by running the following command:
 ```bash
@@ -205,7 +205,7 @@ the future to the command usage, flags, and configuration file formats. However,
 we encourage you to use KubeLinter to test your environment YAML files, see what breaks, and [contribute](./CONTRIBUTING.md).
-## LICENSE
+## LICENSE
 KubeLinter is licensed under the [Apache License 2.0](./LICENSE).
diff --git a/docs/generated/checks.md b/docs/generated/checks.md
index 3e16209f5..6a09d6eff 100644
--- a/docs/generated/checks.md
+++ b/docs/generated/checks.md
@@ -629,7 +629,7 @@ unsafeSysCtls:
 **Description**: Indicates when containers do not have CPU requests and limits set.
-**Remediation**: Set CPU requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
+**Remediation**: Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 **Template**: [cpu-requirements](templates.md#cpu-requirements)
@@ -637,7 +637,7 @@ unsafeSysCtls:
 ```yaml
 lowerBoundMillis: 0
-requirementsType: any
+requirementsType: request
 upperBoundMillis: 0
 ```
 ## unset-memory-requirements
@@ -646,7 +646,7 @@ upperBoundMB: 0
 **Description**: Indicates when containers do not have memory requests and limits set.
-**Remediation**: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
+**Remediation**: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 **Template**: [memory-requirements](templates.md#memory-requirements)
@@ -654,7 +654,7 @@ upperBoundMB: 0
 ```yaml
 lowerBoundMB: 0
-requirementsType: any
+requirementsType: limits
 upperBoundMB: 0
 ```
 ## use-namespace
diff --git a/e2etests/bats-tests.sh b/e2etests/bats-tests.sh
index 7aea9b4f4..e4ef523d4 100755
--- a/e2etests/bats-tests.sh
+++ b/e2etests/bats-tests.sh
@@ -904,15 +904,11 @@ get_value_from() {
   message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
   message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
-  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
-  message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
   count=$(get_value_from "${lines[0]}" '.Reports | length')
   [[ "${message1}" == "Deployment: container \"app\" has cpu request 0" ]]
-  [[ "${message2}" == "Deployment: container \"app\" has cpu limit 0" ]]
-  [[ "${message3}" == "DeploymentConfig: container \"app\" has cpu request 0" ]]
-  [[ "${message4}" == "DeploymentConfig: container \"app\" has cpu limit 0" ]]
-  [[ "${count}" == "4" ]]
+  [[ "${message2}" == "DeploymentConfig: container \"app\" has cpu request 0" ]]
+  [[ "${count}" == "2" ]]
 }
 @test "unset-memory-requirements" {
@@ -925,15 +921,11 @@ get_value_from() {
   message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
   message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
-  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
-  message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
   count=$(get_value_from "${lines[0]}" '.Reports | length')
-  [[ "${message1}" == "Deployment: container \"app\" has memory request 0" ]]
-  [[ "${message2}" == "Deployment: container \"app\" has memory limit 0" ]]
-  [[ "${message3}" == "DeploymentConfig: container \"app\" has memory request 0" ]]
-  [[ "${message4}" == "DeploymentConfig: container \"app\" has memory limit 0" ]]
-  [[ "${count}" == "4" ]]
+  [[ "${message1}" == "Deployment: container \"app\" has memory limit 0" ]]
+  [[ "${message2}" == "DeploymentConfig: container \"app\" has memory limit 0" ]]
+  [[ "${count}" == "2" ]]
 }
 @test "use-namespace" {
diff --git a/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml b/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml
index 91b124891..7ecf3f402 100644
--- a/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml
+++ b/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml
@@ -4,10 +4,10 @@ scope:
   objectKinds:
     - DeploymentLike
 remediation: >-
-  Set CPU requests and limits for your container based on its requirements.
+  Set CPU requests for your container based on its requirements.
   Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 template: "cpu-requirements"
 params:
-  requirementsType: "any"
+  requirementsType: "request"
   lowerBoundMillis: 0
   upperBoundMillis: 0
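Review bot: The check's `description` still states that the check covers both CPU requests and limits, but `requirementsType: "request"` now makes it report missing requests only; the description line sits before this hunk (line 2 of the file, outside it), and the generated docs in this commit still render `Indicates when containers do not have CPU requests and limits set.` Update it alongside the remediation, e.g. `description: "Indicates when containers do not have CPU requests set."`, and regenerate docs/generated/checks.md so the documented behaviour matches the template parameters. The unset-memory-requirements.yaml hunk has the same stale description, visible there as a context line. Because the check names are unchanged, users who enabled these checks by name lose the missing-CPU-limit and missing-memory-request findings without any signal (the e2e hunks show the report count dropping from 4 to 2), so that narrowing is worth stating in the description or the release notes.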
diff --git a/pkg/builtinchecks/yamls/unset-memory-requirements.yaml b/pkg/builtinchecks/yamls/unset-memory-requirements.yaml
index 195433b2a..e76e32b0e 100644
--- a/pkg/builtinchecks/yamls/unset-memory-requirements.yaml
+++ b/pkg/builtinchecks/yamls/unset-memory-requirements.yaml
@@ -1,13 +1,13 @@
 name: "unset-memory-requirements"
 description: "Indicates when containers do not have memory requests and limits set."
 remediation: >-
-  Set memory requests and limits for your container based on its requirements.
+  Set memory limits for your container based on its requirements.
   Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 scope:
   objectKinds:
     - DeploymentLike
 template: "memory-requirements"
 params:
-  requirementsType: "any"
+  requirementsType: "limits"
   lowerBoundMB: 0
   upperBoundMB: 0
diff --git a/tests/checks/unset-cpu-requirements.yml b/tests/checks/unset-cpu-requirements.yml
index ab3ba652e..bc2a923f5 100644
--- a/tests/checks/unset-cpu-requirements.yml
+++ b/tests/checks/unset-cpu-requirements.yml
@@ -25,6 +25,4 @@ spec:
       containers:
       - name: app
         requests:
-          memory: 1Gi
-        limits:
           memory: 1Gi
\ No newline at end of file
diff --git a/tests/checks/unset-memory-requirements.yml b/tests/checks/unset-memory-requirements.yml
index b85da6bd1..6ffb7f601 100644
--- a/tests/checks/unset-memory-requirements.yml
+++ b/tests/checks/unset-memory-requirements.yml
@@ -25,6 +25,4 @@ spec:
       containers:
       - name: app
         requests:
-          cpu: 1
-        limits:
           cpu: 1
\ No newline at end of file
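Review bot: `requirementsType: "limits"` uses a plural form while the companion cpu check in this commit sets the singular `requirementsType: "request"`, and the e2e assertions for this check refer to `memory limit`; the two checks presumably share one parameter vocabulary, so one of the spellings is unlikely to be an accepted value. If the memory-requirements template validates this parameter against an enumerated set when the built-in checks are loaded, a wrong spelling would make the check fail to load rather than quietly report nothing, so confirm the accepted values against the template definition (not in this diff) and make the two checks consistent, likely `requirementsType: "limit"` here. The generated docs/generated/checks.md hunk carries the same value and would need regenerating once it is settled.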