From fc6e385b965d81c3693db39aa7b9d011ed0db04e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartosz=20Ga=C5=82ek?= Date: Mon, 26 Feb 2024 22:35:44 +0100 Subject: [PATCH 1/2] Update unset-memory-requirements and unset-cpu-requirements, fixes #694 #695 --- README.md | 14 +++++++------- docs/generated/checks.md | 8 ++++---- e2etests/bats-tests.sh | 18 +++++------------- .../yamls/unset-cpu-requirements.yaml | 4 ++-- .../yamls/unset-memory-requirements.yaml | 4 ++-- tests/checks/unset-cpu-requirements.yml | 5 +---- tests/checks/unset-memory-requirements.yml | 8 ++------ 7 files changed, 23 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index d6f9d4295..d3c7feeda 100644 --- a/README.md +++ b/README.md @@ -5,11 +5,11 @@ # What is KubeLinter? -KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. +KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets. -KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization. +KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization. When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code. 
@@ -50,13 +50,13 @@ Installing KubeLinter from source is as simple as following these steps: ```bash git clone git@github.com:stackrox/kube-linter.git ``` - + 1. Then, compile the source code. This will create the kube-linter binary files for each platform and places them in the `.gobin` folder. - + ```bash make build ``` - + 1. Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter. ```bash @@ -162,7 +162,7 @@ Consider the following sample pod specification file `pod.yaml`. This file has t securityContext: allowPrivilegeEscalation: false ``` - + 1. Copy the YAML above to pod.yaml and lint this file by running the following command: ```bash @@ -205,7 +205,7 @@ the future to the command usage, flags, and configuration file formats. However, we encourage you to use KubeLinter to test your environment YAML files, see what breaks, and [contribute](./CONTRIBUTING.md). -## LICENSE +## LICENSE KubeLinter is licensed under the [Apache License 2.0](./LICENSE). diff --git a/docs/generated/checks.md b/docs/generated/checks.md index 3e16209f5..e5a966404 100644 --- a/docs/generated/checks.md +++ b/docs/generated/checks.md @@ -629,7 +629,7 @@ unsafeSysCtls: **Description**: Indicates when containers do not have CPU requests and limits set. -**Remediation**: Set CPU requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. +**Remediation**: Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. **Template**: [cpu-requirements](templates.md#cpu-requirements) @@ -637,7 +637,7 @@ unsafeSysCtls: ```yaml lowerBoundMillis: 0 -requirementsType: any +requirementsType: request upperBoundMillis: 0 ``` ## unset-memory-requirements 
@@ -646,7 +646,7 @@ upperBoundMillis: 0 **Description**: Indicates when containers do not have memory requests and limits set. -**Remediation**: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. +**Remediation**: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. **Template**: [memory-requirements](templates.md#memory-requirements) @@ -654,7 +654,7 @@ upperBoundMillis: 0 ```yaml lowerBoundMB: 0 -requirementsType: any +requirementsType: limit upperBoundMB: 0 ``` ## use-namespace diff --git a/e2etests/bats-tests.sh b/e2etests/bats-tests.sh index 7aea9b4f4..e4ef523d4 100755 --- a/e2etests/bats-tests.sh +++ b/e2etests/bats-tests.sh 
@@ -904,15 +904,11 @@ get_value_from() { message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message') message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message') - message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message') - message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message') count=$(get_value_from "${lines[0]}" '.Reports | length') [[ "${message1}" == "Deployment: container \"app\" has cpu request 0" ]] - [[ "${message2}" == "Deployment: container \"app\" has cpu limit 0" ]] - [[ "${message3}" == "DeploymentConfig: container \"app\" has cpu request 0" ]] - [[ "${message4}" == "DeploymentConfig: container \"app\" has cpu limit 0" ]] - [[ "${count}" == "4" ]] + [[ "${message2}" == "DeploymentConfig: container \"app\" has cpu request 0" ]] + [[ "${count}" == "2" ]] } @test "unset-memory-requirements" { 
@@ -925,15 +921,11 @@ get_value_from() { message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message') message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message') - message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message') - message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message') count=$(get_value_from "${lines[0]}" '.Reports | length') - [[ "${message1}" == "Deployment: container \"app\" has memory request 0" ]] - [[ "${message2}" == "Deployment: container \"app\" has memory limit 0" ]] - [[ "${message3}" == "DeploymentConfig: container \"app\" has memory request 0" ]] - [[ "${message4}" == "DeploymentConfig: container \"app\" has memory limit 0" ]] - [[ "${count}" == "4" ]] + [[ "${message1}" == "Deployment: container \"app\" has memory limit 0" ]] + [[ "${message2}" == "DeploymentConfig: container \"app\" has memory limit 0" ]] + [[ "${count}" == "2" ]] } @test "use-namespace" { diff --git a/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml b/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml index 91b124891..7ecf3f402 100644 --- a/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml +++ b/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml @@ -4,10 +4,10 @@ scope: objectKinds: - DeploymentLike remediation: >- - Set CPU requests and limits for your container based on its requirements. + Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. template: "cpu-requirements" params: - requirementsType: "any" + requirementsType: "request" lowerBoundMillis: 0 upperBoundMillis: 0 
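Review bot: The check's `description` field is now inconsistent with the new `remediation` and `requirementsType: "request"` in this hunk: it still says "Indicates when containers do not have CPU requests and limits set" (visible unchanged in the regenerated docs/generated/checks.md above, and the same mismatch appears as an unchanged context line `description: "Indicates when containers do not have memory requests and limits set."` in the unset-memory-requirements.yaml hunk below, where the check now only covers limits). Going from `any` to `request` also means a container with no CPU limit produces no finding from this check at all, so the description and a changelog entry are the only places a user would learn that the coverage narrowed. I would change them to `description: "Indicates when containers do not have CPU requests set."` and `description: "Indicates when containers do not have memory limits set."` respectively and regenerate checks.md. The `description:` line of unset-cpu-requirements.yaml sits above the start of this hunk, so that edit is outside what is shown here.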
diff --git a/pkg/builtinchecks/yamls/unset-memory-requirements.yaml b/pkg/builtinchecks/yamls/unset-memory-requirements.yaml index 195433b2a..94c8556f4 100644 --- a/pkg/builtinchecks/yamls/unset-memory-requirements.yaml +++ b/pkg/builtinchecks/yamls/unset-memory-requirements.yaml @@ -1,13 +1,13 @@ name: "unset-memory-requirements" description: "Indicates when containers do not have memory requests and limits set." remediation: >- - Set memory requests and limits for your container based on its requirements. + Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details. scope: objectKinds: - DeploymentLike template: "memory-requirements" params: - requirementsType: "any" + requirementsType: "limit" lowerBoundMB: 0 upperBoundMB: 0 diff --git a/tests/checks/unset-cpu-requirements.yml b/tests/checks/unset-cpu-requirements.yml index ab3ba652e..69403e1ad 100644 --- a/tests/checks/unset-cpu-requirements.yml +++ b/tests/checks/unset-cpu-requirements.yml @@ -11,8 +11,7 @@ spec: - name: app requests: memory: 1Gi - limits: - memory: 1Gi + --- apiVersion: apps.openshift.io/v1 kind: DeploymentConfig @@ -25,6 +24,4 @@ spec: containers: - name: app requests: - memory: 1Gi - limits: memory: 1Gi \ No newline at end of file diff --git a/tests/checks/unset-memory-requirements.yml b/tests/checks/unset-memory-requirements.yml index b85da6bd1..9806207d7 100644 --- a/tests/checks/unset-memory-requirements.yml +++ b/tests/checks/unset-memory-requirements.yml @@ -9,9 +9,7 @@ spec: spec: containers: - name: app - requests: - cpu: 1 - limits: + limit: cpu: 1 --- apiVersion: apps.openshift.io/v1 @@ -24,7 +22,5 @@ spec: spec: containers: - name: app - requests: - cpu: 1 - limits: + limit: cpu: 1 \ No newline at end of file From 38ffc9b2a31fcbb3c8f950b8502d1ef429a2be29 Mon Sep 17 00:00:00 2001 
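Review bot: The key introduced in tests/checks/unset-memory-requirements.yml, `limit:`, is not a Kubernetes resources field (the API uses `limits`), and as far as the collapsed hunk shows it sits, like `requests:` in the unset-cpu-requirements.yml fixture, directly under the container entry rather than under `resources:`, so the values are presumably never parsed as resource requirements at all. The bats assertions cannot catch this because the memory check ignores CPU values either way, so the fixture no longer demonstrates what it is meant to (that the other resource is set and not reported). I would nest it as `resources:` / `  limits:` / `    cpu: 1` in both the Deployment and DeploymentConfig objects, and use the matching `resources:` / `  requests:` / `    memory: 1Gi` shape in the cpu fixture. The cpu fixture hunk also adds a line consisting only of `+` (an empty or whitespace-only line) where `limits:` was removed, which reads as a leftover rather than intent.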
From: Tomasz Janiszewski Date: Tue, 27 Feb 2024 18:11:05 +0100 Subject: [PATCH 2/2] fix readme Signed-off-by: Tomasz Janiszewski --- README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index d3c7feeda..a12c177f7 100644 --- a/README.md +++ b/README.md @@ -132,7 +132,6 @@ Consider the following sample pod specification file `pod.yaml`. This file has t 1. The container in this pod is not running as a read only file system, which could allow it to write to the root filesystem. **Production readiness:** -1. The container's CPU limits are not set, which could allow it to consume excessive CPU. 1. The container's memory limits are not set, which could allow it to consume excessive memory ```yaml 
@@ -171,12 +170,12 @@ Consider the following sample pod specification file `pod.yaml`. This file has t 1. KubeLinter runs its default checks and reports recommendations. Below is the output from our previous command. ``` - pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.) + pod.yaml: (object: /security-context-demo /v1, Kind=Pod) The container "sec-ctx-demo" is using an invalid container image, "busybox". Please use images that are not blocked by the `BlockList` criteria : [".*:(latest)$" "^[^:]*$" "(.*/[^:]+)$"] (check: latest-tag, remediation: Use a container image with a specific tag other than latest.) + + pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.) + + pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.) - pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.) - - pod.yaml: (object: /security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. 
See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.) - Error: found 3 lint errors ``` To learn more about using and configuring KubeLinter, visit the [documentation](./docs) page.