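---
# Polaris configuration: built-in check severities, custom checks and
# exemptions. The rendered copy had lost its nesting; the structure below
# follows the Polaris config layout (`checks` → name: severity).
#
# Every check is set to `warning`, so the audit reports findings but rates
# none of them `danger`. NOTE(review): in Polaris only `danger` results are
# treated as blocking by the admission webhook / CI exit code — if this file
# is meant to gate deployments, the `#security` group in particular would
# need `danger`; confirm the intended mode with the owners before changing.
checks:
  # resource
  cpuLimitsMissing: warning
  cpuRequestsMissing: warning
  memoryLimitsMissing: warning
  memoryRequestsMissing: warning

  # reliability
  priorityClassNotSet: warning

  # image
  tagNotSpecified: warning
  pullPolicyNotAlways: warning

  # healthChecks
  livenessProbeMissing: warning
  readinessProbeMissing: warning

  # network
  hostPortSet: warning
  hostNetworkSet: warning

  # security
  runAsPrivileged: warning
  hostIPCSet: warning
  hostPIDSet: warning
  notReadOnlyRootFilesystem: warning
  privilegeEscalationAllowed: warning
  runAsRootAllowed: warning
  dangerousCapabilities: warning
  insecureCapabilities: warning

# No custom checks are active. Written as an explicit empty mapping instead of
# a bare `customChecks:` (which parses as null). The commented entry shows the
# JSON-schema shape of a custom check.
customChecks: {}
#   imageRegistry:
#     successMessage: Image comes from allowed registries
#     failureMessage: Image should not be from disallowed registry
#     category: Images
#     target: Container
#     schema:
#       '$schema': http://json-schema.org/draft-07/schema
#       type: object
#       properties:
#         image:
#           type: string
#           not:
#             # '.' is an unescaped regex metacharacter; `^quay\.io/` would
#             # match the registry host literally
#             pattern: ^quay.io

# Exemptions are disabled (commented out). Each entry suppresses the listed
# `rules` for the listed `controllerNames`. The list is cluster-specific
# (kops control plane, flannel, cert-manager, datadog, ...); re-enable only
# the entries that exist in the target cluster, since every exemption hides
# a finding from the audit.
#exemptions:
#  - controllerNames:
#      - kube-apiserver
#      - kube-proxy
#      - kube-scheduler
#      - etcd-manager-events
#      - kube-controller-manager
#      - kube-dns
#      - etcd-manager-main
#    rules:
#      - hostPortSet
#      - hostNetworkSet
#      - readinessProbeMissing
#      - livenessProbeMissing
#      - cpuRequestsMissing
#      - cpuLimitsMissing
#      - memoryRequestsMissing
#      - memoryLimitsMissing
#      - runAsRootAllowed
#      - runAsPrivileged
#      - notReadOnlyRootFilesystem
#      - hostPIDSet
#
#  - controllerNames:
#      - kube-flannel-ds
#    rules:
#      - notReadOnlyRootFilesystem
#      - runAsRootAllowed
#      - readinessProbeMissing
#      - livenessProbeMissing
#      - cpuLimitsMissing
#
#  - controllerNames:
#      - cert-manager
#    rules:
#      - notReadOnlyRootFilesystem
#      - runAsRootAllowed
#      - readinessProbeMissing
#      - livenessProbeMissing
#
#  - controllerNames:
#      - cluster-autoscaler
#    rules:
#      - notReadOnlyRootFilesystem
#      - runAsRootAllowed
#      - readinessProbeMissing
#
#  - controllerNames:
#      - vpa
#    rules:
#      - runAsRootAllowed
#      - readinessProbeMissing
#      - livenessProbeMissing
#      - notReadOnlyRootFilesystem
#
#  - controllerNames:
#      - datadog
#    rules:
#      - runAsRootAllowed
#      - readinessProbeMissing
#      - livenessProbeMissing
#      - notReadOnlyRootFilesystem
#
#  - controllerNames:
#      - nginx-ingress-controller
#    rules:
#      - privilegeEscalationAllowed
#      - insecureCapabilities
#      - runAsRootAllowed
#
#  - controllerNames:
#      - dns-controller
#      - datadog-datadog
#      - kube-flannel-ds
#      - kube2iam
#      - aws-iam-authenticator
#      - datadog
#    rules:
#      - hostNetworkSet
#
#  - controllerNames:
#      - aws-iam-authenticator
#      - aws-cluster-autoscaler
#      - kube-state-metrics
#      - dns-controller
#      - external-dns
#      - dnsmasq
#      - autoscaler
#      - kubernetes-dashboard
#      - install-cni
#      - kube2iam
#    rules:
#      - readinessProbeMissing
#      - livenessProbeMissing
#
#  - controllerNames:
#      - aws-iam-authenticator
#      - nginx-ingress-default-backend
#      - aws-cluster-autoscaler
#      - kube-state-metrics
#      - dns-controller
#      - external-dns
#      - kubedns
#      - dnsmasq
#      - autoscaler
#      - tiller
#      - kube2iam
#    rules:
#      - runAsRootAllowed
#
#  - controllerNames:
#      - aws-iam-authenticator
#      - nginx-ingress-controller
#      - nginx-ingress-default-backend
#      - aws-cluster-autoscaler
#      - kube-state-metrics
#      - dns-controller
#      - external-dns
#      - kubedns
#      - dnsmasq
#      - autoscaler
#      - tiller
#      - kube2iam
#    rules:
#      - notReadOnlyRootFilesystem
#
#  - controllerNames:
#      - cert-manager
#      - dns-controller
#      - kubedns
#      - dnsmasq
#      - autoscaler
#      - insights-agent-goldilocks-vpa-install
#      - datadog
#    rules:
#      - cpuRequestsMissing
#      - cpuLimitsMissing
#      - memoryRequestsMissing
#      - memoryLimitsMissing
#
#  - controllerNames:
#      - kube2iam
#      - kube-flannel-ds
#    rules:
#      - runAsPrivileged
#
#  - controllerNames:
#      - kube-hunter
#    rules:
#      - hostPIDSet
#
#  - controllerNames:
#      - polaris
#      - kube-hunter
#      - goldilocks
#      - insights-agent-goldilocks-vpa-install
#    rules:
#      - notReadOnlyRootFilesystem
#
#  - controllerNames:
#      - insights-agent-goldilocks-controller
#    rules:
#      - livenessProbeMissing
#      - readinessProbeMissing
#
#  - controllerNames:
#      - insights-agent-goldilocks-vpa-install
#      - kube-hunter
#    rules:
#      - runAsRootAllowed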