kubevious/rules-library

Kubevious Rules Library

This repository is a library of rules for the Kubevious CLI project. The rules catch errors (typos, conflicts, misconfigurations) and violations of compliance and security best practices in Kubernetes and related cloud-native projects.

Kubevious rules are expressed in a domain-specific language called Kubik.

Library Contents

Total Rules: 36

Rules:

📂 ARGO-ROLLOUT

📜 Validate Argo Rollout to Analysis Template reference.

  • 🏷️ argo 🏷️ rollout 🏷️ analysis 🏷️ reference

📂 CERT-MANAGER

📜 Validate CertManager Certificate to Issuer reference.

  • 🏷️ cert-manager 🏷️ certificate 🏷️ issuer 🏷️ reference

📜 Validate Ingress to CertManager Issuer reference.

  • 🏷️ cert-manager 🏷️ ingress 🏷️ issuer 🏷️ reference

📂 GCP-CONFIG-CONNECTOR/SQL

📜 Validate GCP Config Connector SQL Database to Instance reference.

  • 🏷️ gcp-config-connector 🏷️ sql-database 🏷️ sql-instance 🏷️ reference

📜 Validate GCP Config Connector SQL User to Instance reference.

  • 🏷️ gcp-config-connector 🏷️ sql-user 🏷️ sql-instance 🏷️ reference

📜 Validate GCP Config Connector SQL User to Password Secret reference.

  • 🏷️ gcp-config-connector 🏷️ sql-user 🏷️ secret 🏷️ reference

📂 ISTIO

📜 Validate Istio VirtualService to IstioGateway reference.

  • 🏷️ istio 🏷️ virtual-service 🏷️ istio-gateway 🏷️ reference

📂 K8S/CONTAINER

📜 Validate ContainerSpec environment variable ConfigMap reference.

  • 🏷️ k8s 🏷️ container 🏷️ environment-variable 🏷️ config-map 🏷️ reference

📜 Validate ContainerSpec envFrom variables projection ConfigMap reference.

  • 🏷️ k8s 🏷️ container 🏷️ environment-variable 🏷️ config-map 🏷️ reference

📜 Validate ContainerSpec envFrom variables projection Secret reference.

  • 🏷️ k8s 🏷️ container 🏷️ environment-variable 🏷️ secret 🏷️ reference

📜 Validate ContainerSpec environment variable Secret reference.

  • 🏷️ k8s 🏷️ container 🏷️ environment-variable 🏷️ secret 🏷️ reference

📜 Validate ContainerSpec image to have non latest tag.

  • 🏷️ k8s 🏷️ container 🏷️ image 🏷️ latest

📜 Validate ContainerSpec resource requests to be less or equal to the limits.

  • 🏷️ k8s 🏷️ container 🏷️ resources 🏷️ cpu 🏷️ memory 🏷️ request 🏷️ limit

📜 Validate ContainerSpec volume mount to PodSpec volume reference.

  • 🏷️ k8s 🏷️ container 🏷️ volume 🏷️ volume-mount 🏷️ reference
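The two checks in this group that are not reference checks (image tag and requests versus limits) are easy to get subtly wrong, so here is an added illustration of both in plain JavaScript. This is example code written for this page, not a Kubik rule from the library; it assumes the manifest has already been parsed into an object, and the function names and the sample Deployment are invented for the example.

```javascript
// Added example (not Kubevious/Kubik code): the K8S/CONTAINER "non latest tag"
// and "requests <= limits" checks over a parsed manifest object.

// Split an image reference into name, tag and digest. A registry port
// (registry:5000/app) must not be mistaken for a tag, so the tag is only the
// part after a ':' that comes after the last '/'.
function parseImageRef(image) {
  let rest = image;
  let digest = null;
  const at = rest.indexOf('@');
  if (at !== -1) {
    digest = rest.slice(at + 1);
    rest = rest.slice(0, at);
  }
  let tag = null;
  const lastColon = rest.lastIndexOf(':');
  if (lastColon > rest.lastIndexOf('/')) {
    tag = rest.slice(lastColon + 1);
    rest = rest.slice(0, lastColon);
  }
  return { name: rest, tag, digest };
}

// A digest pin is immutable and passes; an explicit `latest` tag or no tag at
// all (which the runtime resolves to `latest`) fails.
function checkImageTag(image) {
  const ref = parseImageRef(image);
  if (ref.digest !== null) return null;
  if (ref.tag === null) return `image "${image}" has no tag (defaults to latest)`;
  if (ref.tag === 'latest') return `image "${image}" uses the mutable latest tag`;
  return null;
}

// Kubernetes resource quantities: decimal SI suffixes, binary suffixes, or a
// bare number (optionally with an exponent, e.g. 1e6). A Map avoids matching
// inherited Object properties as suffixes.
const SUFFIX = new Map(Object.entries({
  '': 1, n: 1e-9, u: 1e-6, m: 1e-3,
  k: 1e3, M: 1e6, G: 1e9, T: 1e12, P: 1e15, E: 1e18,
  Ki: 1024, Mi: 1024 ** 2, Gi: 1024 ** 3, Ti: 1024 ** 4, Pi: 1024 ** 5, Ei: 1024 ** 6,
}));
function parseQuantity(q) {
  const m = /^(\d+(?:\.\d+)?(?:[eE][-+]?\d+)?)([A-Za-z]*)$/.exec(String(q));
  if (m === null || !SUFFIX.has(m[2])) throw new Error(`invalid quantity: ${q}`);
  return parseFloat(m[1]) * SUFFIX.get(m[2]);
}

// Compare request and limit for every resource kind that has both set.
function checkResources(container) {
  const findings = [];
  const requests = (container.resources && container.resources.requests) || {};
  const limits = (container.resources && container.resources.limits) || {};
  for (const kind of Object.keys(requests)) {
    if (!Object.prototype.hasOwnProperty.call(limits, kind)) continue; // nothing to compare
    if (parseQuantity(requests[kind]) > parseQuantity(limits[kind])) {
      findings.push(`${container.name}: ${kind} request ${requests[kind]} exceeds limit ${limits[kind]}`);
    }
  }
  return findings;
}

// Walk every container (init and regular) of a workload's pod template.
function validateWorkload(workload) {
  const podSpec = workload.spec.template.spec;
  const containers = [...(podSpec.initContainers || []), ...(podSpec.containers || [])];
  const findings = [];
  for (const c of containers) {
    const f = checkImageTag(c.image);
    if (f !== null) findings.push(`${c.name}: ${f}`);
    findings.push(...checkResources(c));
  }
  return findings;
}

// Constructed sample Deployment (not taken from any real cluster).
const sampleDeployment = {
  apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'web', namespace: 'app' },
  spec: { template: { spec: { containers: [
    { name: 'app', image: 'registry.example.com:5000/team/app', // untagged, port is not a tag
      resources: { requests: { cpu: '1', memory: '1Gi' }, limits: { cpu: '500m', memory: '2Gi' } } },
    { name: 'sidecar', image: 'docker.io/library/nginx:latest',
      resources: { requests: { cpu: '100m' }, limits: { cpu: '100m' } } },
    { name: 'pinned', image: 'ghcr.io/org/tool@sha256:' + 'a'.repeat(64) }, // digest pin passes
  ] } } },
};

for (const line of validateWorkload(sampleDeployment)) console.log(line);
```

Two caveats worth keeping in mind: the API server already rejects a request larger than its limit at admission, so the value of that check is failing in CI before anything is applied; and a non-`latest` tag is still mutable on the registry side, so only a digest pin actually fixes what runs.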

📂 K8S/GATEWAY-API/GATEWAY

📜 Validate Gateway to Certificate Secret reference.

  • 🏷️ k8s 🏷️ gateway-api 🏷️ gateway 🏷️ certificate 🏷️ reference

📜 Validate Gateway to GatewayClass reference.

  • 🏷️ k8s 🏷️ gateway-api 🏷️ gateway 🏷️ gateway-class 🏷️ reference

📜 Validate Gateway to have unique listeners.

  • 🏷️ k8s 🏷️ gateway-api 🏷️ gateway 🏷️ unique-listeners

📂 K8S/GATEWAY-API/HTTP-ROUTE

📜 Validate HTTPRoute to Backend reference.

  • 🏷️ k8s 🏷️ gateway-api 🏷️ http-route 🏷️ backend 🏷️ reference

📜 Validate HTTPRoute to Gateway reference.

  • 🏷️ k8s 🏷️ gateway-api 🏷️ http-route 🏷️ gateway 🏷️ reference

📂 K8S/HPA

📜 Validate HorizontalPodAutoscaler to scale target reference.

  • 🏷️ k8s 🏷️ hpa 🏷️ target 🏷️ reference

📂 K8S/INGRESS

📜 Validate Ingress (extension) to Service reference.

  • 🏷️ k8s 🏷️ ingress 🏷️ ingress-extension 🏷️ service 🏷️ reference

📜 Validate Ingress to Service reference.

  • 🏷️ k8s 🏷️ ingress 🏷️ service 🏷️ reference

📜 Validate Ingress TLS and rule domain match.

  • 🏷️ k8s 🏷️ ingress 🏷️ ingress-extension 🏷️ tls 🏷️ domain

📜 Validate Ingresses to have unique routing rules.

  • 🏷️ k8s 🏷️ ingress 🏷️ ingress-extension 🏷️ unique-route

📜 Validate IngressClasses to have at most only one default.

  • 🏷️ k8s 🏷️ ingress-class 🏷️ unique-default

📂 K8S/NETWORK-POLICY

📜 Validate NetworkPolicy to PodSpec reference.

  • 🏷️ k8s 🏷️ network-policy 🏷️ pod-spec 🏷️ reference

📂 K8S/POD-SPEC

📜 Validate PodSpec to ServiceAccount reference.

  • 🏷️ k8s 🏷️ pod-spec 🏷️ service-account 🏷️ reference

📜 Validate PodSpec volume mount ConfigMap reference.

  • 🏷️ k8s 🏷️ pod-spec 🏷️ config-map 🏷️ volume 🏷️ reference

📜 Validate PodSpec volume mount PersistentVolumeClaim reference.

  • 🏷️ k8s 🏷️ pod-spec 🏷️ pvc 🏷️ volume 🏷️ reference

📜 Validate PodSpec volume mount Secret reference.

  • 🏷️ k8s 🏷️ pod-spec 🏷️ secret 🏷️ volume 🏷️ reference

📂 K8S/RBAC

📜 Validate RoleBinding and ClusterRoleBinding to Role and ClusterRole reference.

  • 🏷️ k8s 🏷️ rbac 🏷️ binding 🏷️ role 🏷️ reference

📜 Validate RoleBinding and ClusterRoleBinding to ServiceAccount subject reference.

  • 🏷️ k8s 🏷️ rbac 🏷️ binding 🏷️ service-account 🏷️ reference
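Most rules in this library are reference checks, and the RBAC pair above is a good one to see spelled out, because the namespace rules differ between RoleBinding and ClusterRoleBinding. The following is an added example in plain JavaScript written for this page, not a Kubik rule from the library; it assumes the manifests have already been parsed into objects, the function names and sample objects are invented, and it treats the automatically created `default` ServiceAccount as always present (an assumption, noted in the code).

```javascript
// Added example (not Kubevious/Kubik code): the K8S/RBAC roleRef and
// ServiceAccount-subject reference checks over a list of parsed manifests.

// Index every object as "Kind/namespace/name" (namespace '' for cluster-scoped kinds).
function objectKey(kind, namespace, name) {
  return `${kind}/${namespace || ''}/${name}`;
}
function indexObjects(manifests) {
  const index = new Set();
  for (const m of manifests) index.add(objectKey(m.kind, m.metadata.namespace, m.metadata.name));
  return index;
}

function validateBindings(manifests) {
  const index = indexObjects(manifests);
  const findings = [];
  for (const b of manifests) {
    if (b.kind !== 'RoleBinding' && b.kind !== 'ClusterRoleBinding') continue;
    const ns = b.metadata.namespace;
    const where = `${b.kind} ${ns ? ns + '/' : ''}${b.metadata.name}`;
    const ref = b.roleRef;

    // roleRef: a RoleBinding may point at a Role in its own namespace or at a
    // ClusterRole; a ClusterRoleBinding may only point at a ClusterRole.
    if (ref.kind === 'Role') {
      if (b.kind === 'ClusterRoleBinding') {
        findings.push(`${where}: roleRef kind Role is not allowed in a ClusterRoleBinding`);
      } else if (!index.has(objectKey('Role', ns, ref.name))) {
        findings.push(`${where}: roleRef Role ${ref.name} not found in namespace ${ns}`);
      }
    } else if (ref.kind === 'ClusterRole') {
      if (!index.has(objectKey('ClusterRole', '', ref.name))) {
        findings.push(`${where}: roleRef ClusterRole ${ref.name} not found`);
      }
    } else {
      findings.push(`${where}: unsupported roleRef kind ${ref.kind}`);
    }

    // ServiceAccount subjects: the namespace defaults to the binding's own
    // namespace for a RoleBinding and is required for a ClusterRoleBinding.
    for (const s of b.subjects || []) {
      if (s.kind !== 'ServiceAccount') continue;
      const saNs = s.namespace || ns;
      if (!saNs) {
        findings.push(`${where}: ServiceAccount subject ${s.name} has no namespace`);
        continue;
      }
      // Assumption: every namespace gets a "default" ServiceAccount automatically,
      // so it is not expected to appear in the manifests.
      if (s.name === 'default') continue;
      if (!index.has(objectKey('ServiceAccount', saNs, s.name))) {
        findings.push(`${where}: ServiceAccount subject ${saNs}/${s.name} not found`);
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real cluster).
const sampleManifests = [
  { kind: 'Role', metadata: { name: 'pod-reader', namespace: 'app' } },
  { kind: 'ClusterRole', metadata: { name: 'view' } },
  { kind: 'ServiceAccount', metadata: { name: 'api', namespace: 'app' } },
  { kind: 'RoleBinding', metadata: { name: 'api-reads-pods', namespace: 'app' },
    roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'Role', name: 'pod-reader' },
    subjects: [{ kind: 'ServiceAccount', name: 'api' }] },            // resolves: no finding
  { kind: 'RoleBinding', metadata: { name: 'typo', namespace: 'app' },
    roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'Role', name: 'pod-raeder' },
    subjects: [{ kind: 'ServiceAccount', name: 'api', namespace: 'apps' }] }, // wrong ns
  { kind: 'ClusterRoleBinding', metadata: { name: 'ci-view' },
    roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'Role', name: 'pod-reader' },
    subjects: [{ kind: 'ServiceAccount', name: 'ci' }] },             // Role ref + no ns
];

for (const line of validateBindings(sampleManifests)) console.log(line);
```

A dangling roleRef grants nothing and fails silently; a subject that points at the wrong namespace is the more dangerous case, because RBAC subjects are matched by name, so whoever later creates a ServiceAccount with that name in that namespace inherits the grant without anyone touching the binding.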

📂 K8S/SERVICE

📜 Validate Service to PodSpec label selector reference.

  • 🏷️ k8s 🏷️ service 🏷️ pod-spec 🏷️ reference

📂 K8S/WORKLOAD

📜 Checks Deployments to have min/max replicas - with or without HPAs.

  • 🏷️ k8s 🏷️ deployment 🏷️ replica-count

📂 KONG

📜 Validate KongConsumer to Credential Secret reference.

  • 🏷️ kong 🏷️ consumer 🏷️ credential 🏷️ secret 🏷️ reference

📜 Validate Ingress and Service to Kong Plugin reference.

  • 🏷️ kong 🏷️ ingress 🏷️ service 🏷️ plugin 🏷️ reference

Contributing

To submit your rules to the library, follow these steps:

  1. Find the right place for the rule under the root directory.
  2. Index the library using:
     $ kubevious index-library .
  3. Submit a pull request.
