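---
# Polaris configuration: per-check severity, custom checks, and exemptions.
# As pasted, the whole file had been collapsed onto a few lines, so everything
# after the first `#` on each line was a comment and only `checks: null`
# survived parsing; the structure below is restored with one key per line.

checks:
  # Severity for each built-in check. Every check here is `warning`; Polaris
  # also accepts `danger` for checks that should fail an audit and `ignore`
  # to disable one. The security group is the usual candidate for `danger`.

  # resources
  cpuLimitsMissing: warning
  cpuRequestsMissing: warning
  memoryLimitsMissing: warning
  memoryRequestsMissing: warning

  # reliability
  priorityClassNotSet: warning

  # images
  tagNotSpecified: warning
  pullPolicyNotAlways: warning

  # health checks
  livenessProbeMissing: warning
  readinessProbeMissing: warning

  # network
  hostPortSet: warning
  hostNetworkSet: warning

  # security
  runAsPrivileged: warning
  hostIPCSet: warning
  hostPIDSet: warning
  notReadOnlyRootFilesystem: warning
  privilegeEscalationAllowed: warning
  runAsRootAllowed: warning
  dangerousCapabilities: warning
  insecureCapabilities: warning

# No custom checks are enabled. Written as an explicit empty mapping rather
# than a bare `customChecks:` so the value is `{}` and not `null`.
customChecks: {}
# Example custom check (move under customChecks to enable). It rejects
# container images whose reference starts with `quay.io`:
#   imageRegistry:
#     successMessage: Image comes from allowed registries
#     failureMessage: Image should not be from disallowed registry
#     category: Images
#     target: Container
#     schema:
#       '$schema': http://json-schema.org/draft-07/schema
#       type: object
#       properties:
#         image:
#           type: string
#           not:
#             pattern: ^quay.io

# Exemptions are disabled. Each entry silences the listed rules for the listed
# controller names; since matching is by name only, any workload that reuses
# one of these names inherits the exemption, so keep this list reviewed.
# (The original draft listed `notReadOnlyRootFilesystem` twice for
# kube-flannel-ds and `kube2iam` twice under hostNetworkSet; the duplicates
# are dropped here.)
# exemptions:
#   - controllerNames:
#       - kube-apiserver
#       - kube-proxy
#       - kube-scheduler
#       - etcd-manager-events
#       - kube-controller-manager
#       - kube-dns
#       - etcd-manager-main
#     rules:
#       - hostPortSet
#       - hostNetworkSet
#       - readinessProbeMissing
#       - livenessProbeMissing
#       - cpuRequestsMissing
#       - cpuLimitsMissing
#       - memoryRequestsMissing
#       - memoryLimitsMissing
#       - runAsRootAllowed
#       - runAsPrivileged
#       - notReadOnlyRootFilesystem
#       - hostPIDSet
#
#   - controllerNames:
#       - kube-flannel-ds
#     rules:
#       - notReadOnlyRootFilesystem
#       - runAsRootAllowed
#       - readinessProbeMissing
#       - livenessProbeMissing
#       - cpuLimitsMissing
#
#   - controllerNames:
#       - cert-manager
#     rules:
#       - notReadOnlyRootFilesystem
#       - runAsRootAllowed
#       - readinessProbeMissing
#       - livenessProbeMissing
#
#   - controllerNames:
#       - cluster-autoscaler
#     rules:
#       - notReadOnlyRootFilesystem
#       - runAsRootAllowed
#       - readinessProbeMissing
#
#   - controllerNames:
#       - vpa
#     rules:
#       - runAsRootAllowed
#       - readinessProbeMissing
#       - livenessProbeMissing
#       - notReadOnlyRootFilesystem
#
#   - controllerNames:
#       - datadog
#     rules:
#       - runAsRootAllowed
#       - readinessProbeMissing
#       - livenessProbeMissing
#       - notReadOnlyRootFilesystem
#
#   - controllerNames:
#       - nginx-ingress-controller
#     rules:
#       - privilegeEscalationAllowed
#       - insecureCapabilities
#       - runAsRootAllowed
#
#   - controllerNames:
#       - dns-controller
#       - datadog-datadog
#       - kube-flannel-ds
#       - kube2iam
#       - aws-iam-authenticator
#       - datadog
#     rules:
#       - hostNetworkSet
#
#   - controllerNames:
#       - aws-iam-authenticator
#       - aws-cluster-autoscaler
#       - kube-state-metrics
#       - dns-controller
#       - external-dns
#       - dnsmasq
#       - autoscaler
#       - kubernetes-dashboard
#       - install-cni
#       - kube2iam
#     rules:
#       - readinessProbeMissing
#       - livenessProbeMissing
#
#   - controllerNames:
#       - aws-iam-authenticator
#       - nginx-ingress-default-backend
#       - aws-cluster-autoscaler
#       - kube-state-metrics
#       - dns-controller
#       - external-dns
#       - kubedns
#       - dnsmasq
#       - autoscaler
#       - tiller
#       - kube2iam
#     rules:
#       - runAsRootAllowed
#
#   - controllerNames:
#       - aws-iam-authenticator
#       - nginx-ingress-controller
#       - nginx-ingress-default-backend
#       - aws-cluster-autoscaler
#       - kube-state-metrics
#       - dns-controller
#       - external-dns
#       - kubedns
#       - dnsmasq
#       - autoscaler
#       - tiller
#       - kube2iam
#     rules:
#       - notReadOnlyRootFilesystem
#
#   - controllerNames:
#       - cert-manager
#       - dns-controller
#       - kubedns
#       - dnsmasq
#       - autoscaler
#       - insights-agent-goldilocks-vpa-install
#       - datadog
#     rules:
#       - cpuRequestsMissing
#       - cpuLimitsMissing
#       - memoryRequestsMissing
#       - memoryLimitsMissing
#
#   - controllerNames:
#       - kube2iam
#       - kube-flannel-ds
#     rules:
#       - runAsPrivileged
#
#   - controllerNames:
#       - kube-hunter
#     rules:
#       - hostPIDSet
#
#   - controllerNames:
#       - polaris
#       - kube-hunter
#       - goldilocks
#       - insights-agent-goldilocks-vpa-install
#     rules:
#       - notReadOnlyRootFilesystem
#
#   - controllerNames:
#       - insights-agent-goldilocks-controller
#     rules:
#       - livenessProbeMissing
#       - readinessProbeMissing
#
#   - controllerNames:
#       - insights-agent-goldilocks-vpa-install
#       - kube-hunter
#     rules:
#       - runAsRootAllowed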