feat(rules/kubernetes): add rule to prevent latest tag, rule to ensur…

…e pull policy is set
ssube · Nov 16, 2019 · 8254848 · 8254848
1 parent 26eda4c
commit 8254848
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 1 deletion.
diff --git a/rules/kubernetes.yml b/rules/kubernetes.yml
@@ -106,6 +106,7 @@ rules:
     level: info
     tags:
       - kubernetes
+      - important
       - labels
 
     check:
@@ -121,4 +122,43 @@ rules:
               additionalProperties: false
               patternProperties:
                 "^[-.a-z0-9]{1,63}$":
-                  type: string
+                  type: string
+
+  - name: kubernetes-container-pull-policy
+    desc: all containers should have a pull policy
+    level: info
+    tags:
+      - kubernetes
+      - image
+      - optional
+
+    select: '$..containers.*'
+    check:
+      type: object
+      required: [image, imagePullPolicy]
+      properties:
+        imagePullPolicy:
+          type: string
+          enum:
+            - Always
+            - IfNotPresent
+            - Never
+
+
+  - name: kubernetes-image-latest
+    desc: images should never use :latest tag
+    level: info
+    tags:
+      - kubernetes
+      - image
+      - important
+
+    select: '$..containers.*'
+    check:
+      type: object
+      required: [image]
+      properties:
+        image:
+          type: string
+          not:
+            pattern: ':latest$'
diff --git a/test/examples/kubernetes-resources-high.yml b/test/examples/kubernetes-resources-high.yml
@@ -10,6 +10,8 @@ spec:
     spec:
       containers:
         - name: test
+          image: foo
+          imagePullPolicy: Always
           resources:
             limits:
               cpu: 4000m

diff --git a/test/examples/kubernetes-resources-low.yml b/test/examples/kubernetes-resources-low.yml
@@ -10,6 +10,8 @@ spec:
     spec:
       containers:
         - name: test
+          image: foo
+          imagePullPolicy: Always
           resources:
             limits:
               memory: 5Mi

diff --git a/test/examples/kubernetes-resources-med.yml b/test/examples/kubernetes-resources-med.yml
@@ -10,6 +10,8 @@ spec:
     spec:
       containers:
         - name: test
+          image: foo
+          imagePullPolicy: Always
           resources:
             limits:
               cpu: 200m

diff --git a/test/examples/kubernetes-resources-multi.yml b/test/examples/kubernetes-resources-multi.yml
@@ -10,6 +10,8 @@ spec:
     spec:
       containers:
         - name: test
+          image: foo
+          imagePullPolicy: Always
           resources:
             limits:
               cpu: 4000m
@@ -19,6 +21,8 @@ spec:
               memory: 5Gi
 
         - name: other
+          image: foo
+          imagePullPolicy: Always
           resources:
             limits:
               cpu: 2000m

diff --git a/test/examples/kubernetes-resources-none.yml b/test/examples/kubernetes-resources-none.yml
@@ -10,4 +10,6 @@ spec:
     spec:
       containers:
         - name: test
+          image: foo
+          imagePullPolicy: Always
           # missing resources
diff --git a/test/examples/kubernetes-resources-some.yml b/test/examples/kubernetes-resources-some.yml
@@ -10,6 +10,8 @@ spec:
     spec:
       containers:
         - name: test
+          image: foo
+          imagePullPolicy: Always
           resources:
             limits:
               cpu: 4000m
@@ -28,6 +30,8 @@ spec:
     spec:
       containers:
         - name: test
+          image: foo
+          imagePullPolicy: Always
           resources:
             limits:
               cpu: 200m
@@ -46,6 +50,8 @@ spec:
     spec:
       containers:
         - name: test
+          image: foo
+          imagePullPolicy: Always
           resources:
             limits:
               cpu: 4000m