Updates to repo and rule documentation (#26)
Parent
7fc7048f7c
Commit
1021649dde
|
@ -0,0 +1,67 @@
|
||||||
|
{
|
||||||
|
"default": true,
|
||||||
|
"header-increment": true,
|
||||||
|
"first-header-h1": {
|
||||||
|
"level": 1
|
||||||
|
},
|
||||||
|
"header-style": {
|
||||||
|
"style": "atx"
|
||||||
|
},
|
||||||
|
"ul-style": {
|
||||||
|
"style": "dash"
|
||||||
|
},
|
||||||
|
"list-indent": true,
|
||||||
|
"ul-start-left": true,
|
||||||
|
"ul-indent": {
|
||||||
|
"indent": 2
|
||||||
|
},
|
||||||
|
"no-trailing-spaces": true,
|
||||||
|
"no-hard-tabs": true,
|
||||||
|
"no-reversed-links": true,
|
||||||
|
"no-multiple-blanks": true,
|
||||||
|
"line-length": {
|
||||||
|
"line_length": 100,
|
||||||
|
"code_blocks": false,
|
||||||
|
"tables": false,
|
||||||
|
"headers": true
|
||||||
|
},
|
||||||
|
"commands-show-output": true,
|
||||||
|
"no-missing-space-atx": true,
|
||||||
|
"no-multiple-space-atx": true,
|
||||||
|
"no-missing-space-closed-atx": true,
|
||||||
|
"no-multiple-space-closed-atx": true,
|
||||||
|
"blanks-around-headers": true,
|
||||||
|
"header-start-left": true,
|
||||||
|
"no-duplicate-header": true,
|
||||||
|
"single-h1": true,
|
||||||
|
"no-trailing-punctuation": {
|
||||||
|
"punctuation": ".,;:!"
|
||||||
|
},
|
||||||
|
"no-multiple-space-blockquote": true,
|
||||||
|
"no-blanks-blockquote": true,
|
||||||
|
"ol-prefix": {
|
||||||
|
"style": "one_or_ordered"
|
||||||
|
},
|
||||||
|
"list-marker-space": true,
|
||||||
|
"blanks-around-fences": true,
|
||||||
|
"blanks-around-lists": true,
|
||||||
|
"no-bare-urls": true,
|
||||||
|
"hr-style": {
|
||||||
|
"style": "---"
|
||||||
|
},
|
||||||
|
"no-emphasis-as-header": true,
|
||||||
|
"no-space-in-emphasis": true,
|
||||||
|
"no-space-in-code": true,
|
||||||
|
"no-space-in-links": true,
|
||||||
|
"fenced-code-language": false,
|
||||||
|
"first-line-h1": false,
|
||||||
|
"no-empty-links": true,
|
||||||
|
"proper-names": {
|
||||||
|
"names": [
|
||||||
|
"PowerShell",
|
||||||
|
"JavaScript"
|
||||||
|
],
|
||||||
|
"code_blocks": false
|
||||||
|
},
|
||||||
|
"no-alt-text": true
|
||||||
|
}
|
|
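Review bot: `proper-names` only lists `PowerShell` and `JavaScript`; adding `macOS` and `Kubernetes` would have caught the `MacOS` capitalisation introduced in the install-instructions hunk of this same commit (`- PowerShell Core 6.2 or greater on Windows, MacOS and Linux`). Consider also enabling `fenced-code-language`, since the README fences in this commit are already tagged (`powershell`, `text`) and leaving that rule off lets untagged fences slip through.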
@ -18,7 +18,8 @@
|
||||||
"**/.azure-pipelines/*.yaml": "azure-pipelines"
|
"**/.azure-pipelines/*.yaml": "azure-pipelines"
|
||||||
},
|
},
|
||||||
"cSpell.words": [
|
"cSpell.words": [
|
||||||
"Kubernetes"
|
"Kubernetes",
|
||||||
|
"setuid"
|
||||||
],
|
],
|
||||||
"cSpell.enabledLanguageIds": [
|
"cSpell.enabledLanguageIds": [
|
||||||
"csharp",
|
"csharp",
|
||||||
|
|
114
README.md
|
@ -10,11 +10,11 @@ This project is to be considered a **proof-of-concept** and **not a supported pr
|
||||||
|
|
||||||
For issues with rules and documentation please check our GitHub [issues](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues) page. If you do not see your problem captured, please file a new issue and follow the provided template.
|
For issues with rules and documentation please check our GitHub [issues](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues) page. If you do not see your problem captured, please file a new issue and follow the provided template.
|
||||||
|
|
||||||
If you have any problems with the [PSRule][project] engine, please check the project GitHub [issues](https://github.com/BernieWhite/PSRule/issues) page instead.
|
If you have any problems with the [PSRule][project] engine, please check the project GitHub [issues](https://github.com/Microsoft/PSRule/issues) page instead.
|
||||||
|
|
||||||
## Getting the modules
|
## Getting the modules
|
||||||
|
|
||||||
This project requires the PowerShell module PSRule.
|
This project requires the `PSRule` PowerShell module.
|
||||||
|
|
||||||
You can download and install these modules from the PowerShell Gallery.
|
You can download and install these modules from the PowerShell Gallery.
|
||||||
|
|
||||||
|
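Review bot: `This project requires the `PSRule` PowerShell module.` is now singular, but the unchanged line that follows still says `You can download and install these modules from the PowerShell Gallery.`; either keep the plural (PSRule plus PSRule.Rules.Kubernetes, as the table below lists) or change it to `this module`.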
@ -24,25 +24,123 @@ PSRule.Rules.Kubernetes | Validate Kubernetes resources | [latest][module] / [in
|
||||||
|
|
||||||
## Getting started
|
## Getting started
|
||||||
|
|
||||||
|
PSRule for Kubernetes provides two methods for analyzing Kubernetes resources:
|
||||||
|
|
||||||
|
- _Pre-flight_ - Before resources are deployed from a YAML manifest file.
|
||||||
|
- _In-flight_ - After resources are deployed to a Kubernetes cluster.
|
||||||
|
|
||||||
### Offline with a manifest
|
### Offline with a manifest
|
||||||
|
|
||||||
Kubernetes resources can be evaluated within a YAML manifest file.
|
Kubernetes resources can be validated within a YAML manifest file.
|
||||||
|
To validate Kubernetes resources use the `Invoke-PSRule` cmdlet. PSRule natively supports reading objects from YAML files using the `-InputPath` parameter.
|
||||||
|
The `-InputPath` parameter can be abbreviated to `-f`.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Invoke-PSRule -Module PSRule.Rules.Kubernetes -InputPath .\service.yaml;
|
Invoke-PSRule -f service.yaml -Module PSRule.Rules.Kubernetes;
|
||||||
|
```
|
||||||
|
|
||||||
|
The input path can be also be a URL to a YAML file. For example:
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$sourceUrl = 'https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml';
|
||||||
|
Invoke-PSRule -f $sourceUrl -Module PSRule.Rules.Kubernetes;
|
||||||
|
```
|
||||||
|
|
||||||
|
The output of this example is:
|
||||||
|
|
||||||
|
```text
|
||||||
|
TargetName: azure-vote-back
|
||||||
|
|
||||||
|
RuleName Outcome Recommendation
|
||||||
|
-------- ------- --------------
|
||||||
|
Kubernetes.API.Removal Fail Consider updating resource deployments to use newer API endpoints prior…
|
||||||
|
Kubernetes.Metadata Fail Consider applying recommended labels defined by Kubernetes.…
|
||||||
|
Kubernetes.Pod.PrivilegeEscalation Fail Containers should deny privilege escalation.
|
||||||
|
Kubernetes.Pod.Latest Fail Deployments or pods should identify a specific tag to use for container…
|
||||||
|
Kubernetes.Pod.Resources Fail Resource requirements are set for each container.
|
||||||
|
Kubernetes.Pod.Secrets Pass Use Kubernetes secrets to store information such as passwords or connec…
|
||||||
|
Kubernetes.Pod.Health Fail Containers should use liveness and readiness probes.
|
||||||
|
Kubernetes.Pod.Replicas Fail Consider increasing replicas to two or more to provide high availabilit…
|
||||||
|
Kubernetes.AKS.PublicLB Pass Consider creating services with an internal load balancer instead of a …
|
||||||
|
Kubernetes.Metadata Fail Consider applying recommended labels defined by Kubernetes.…
|
||||||
|
|
||||||
|
TargetName: azure-vote-front
|
||||||
|
|
||||||
|
RuleName Outcome Recommendation
|
||||||
|
-------- ------- --------------
|
||||||
|
Kubernetes.API.Removal Fail Consider updating resource deployments to use newer API endpoints prior…
|
||||||
|
Kubernetes.Metadata Fail Consider applying recommended labels defined by Kubernetes.…
|
||||||
|
Kubernetes.Pod.PrivilegeEscalation Fail Containers should deny privilege escalation.
|
||||||
|
Kubernetes.Pod.Latest Pass Deployments or pods should identify a specific tag to use for container…
|
||||||
|
Kubernetes.Pod.Resources Fail Resource requirements are set for each container.
|
||||||
|
Kubernetes.Pod.Secrets Pass Use Kubernetes secrets to store information such as passwords or connec…
|
||||||
|
Kubernetes.Pod.Health Fail Containers should use liveness and readiness probes.
|
||||||
|
Kubernetes.Pod.Replicas Fail Consider increasing replicas to two or more to provide high availabilit…
|
||||||
|
Kubernetes.AKS.PublicLB Fail Consider creating services with an internal load balancer instead of a …
|
||||||
|
Kubernetes.Metadata Fail Consider applying recommended labels defined by Kubernetes.…
|
||||||
```
|
```
|
||||||
|
|
||||||
### Online with kubectl
|
### Online with kubectl
|
||||||
|
|
||||||
|
Kubernetes resources can be validated directly from a cluster using the output from `kubectl`.
|
||||||
|
To validate resources using `kubectl`, return the output as YAML with the `-o yaml` parameter.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Invoke-PSRule -Module PSRule.Rules.Kubernetes -InputObject (kubectl get services -o yaml | Out-String) -Format Yaml -ObjectPath items;
|
kubectl get services -o yaml | Out-String | Invoke-PSRule -Format Yaml -ObjectPath items -Module PSRule.Rules.Kubernetes;
|
||||||
|
```
|
||||||
|
|
||||||
|
In the example above:
|
||||||
|
|
||||||
|
- `Out-String` - is used to concatenate the output into a single string object.
|
||||||
|
- `-Format Yaml` - indicates that the input is YAML.
|
||||||
|
- `-ObjectPath items` - indicates that the input nests objects to evaluate under the `items` property.
|
||||||
|
|
||||||
|
### Additional options
|
||||||
|
|
||||||
|
To filter results to only failed rules, use `Invoke-PSRule -Outcome Fail`.
|
||||||
|
Passed, failed and error results are shown by default.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Only show failed results
|
||||||
|
Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -Outcome Fail;
|
||||||
|
```
|
||||||
|
|
||||||
|
A summary of results can be displayed by using `Invoke-PSRule -As Summary`.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Display as summary results
|
||||||
|
Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -As Summary;
|
||||||
|
```
|
||||||
|
|
||||||
|
The output of this example is:
|
||||||
|
|
||||||
|
```text
|
||||||
|
RuleName Pass Fail Outcome
|
||||||
|
-------- ---- ---- -------
|
||||||
|
Kubernetes.AKS.PublicLB 1 1 Fail
|
||||||
|
Kubernetes.API.Removal 0 2 Fail
|
||||||
|
Kubernetes.Metadata 0 4 Fail
|
||||||
|
Kubernetes.Pod.PrivilegeEscalation 0 2 Fail
|
||||||
|
Kubernetes.Pod.Latest 1 1 Fail
|
||||||
|
Kubernetes.Pod.Resources 0 2 Fail
|
||||||
|
Kubernetes.Pod.Secrets 2 0 Pass
|
||||||
|
Kubernetes.Pod.Health 0 2 Fail
|
||||||
|
Kubernetes.Pod.Replicas 0 2 Fail
|
||||||
```
|
```
|
||||||
|
|
||||||
## Rule reference
|
## Rule reference
|
||||||
|
|
||||||
The following rules are included in the `PSRule.Rules.Kubernetes` module:
|
For a list of rules included in the `PSRule.Rules.Kubernetes` module see:
|
||||||
|
|
||||||
- [PSRule.Rules.Kubernetes](docs/rules/en-US/module.md)
|
- [Module rule reference](docs/rules/en-US/module.md)
|
||||||
|
|
||||||
## Changes and versioning
|
## Changes and versioning
|
||||||
|
|
||||||
|
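Review bot: the `kubectl` example only retrieves Services (`kubectl get services -o yaml`), so the `Kubernetes.Pod.*` rules receive no input in that walkthrough; say that the resource types to check must be listed (for example `kubectl get deployments,services -o yaml`) so readers do not mistake a services-only pass for a clean cluster. Also, the sample output lists `Kubernetes.Metadata` twice under each TargetName because the manifest defines a Deployment and a Service sharing that name and results are grouped by TargetName (the summary shows `Kubernetes.Metadata 0 4` against `Kubernetes.AKS.PublicLB 1 1`); one sentence explaining that would stop it reading as a duplicated row.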
@ -61,4 +159,4 @@ This project is [licensed under the MIT License](LICENSE).
|
||||||
[install]: docs/scenarios/install-instructions.md
|
[install]: docs/scenarios/install-instructions.md
|
||||||
[ci-badge]: https://dev.azure.com/bewhite/PSRule.Rules.Kubernetes/_apis/build/status/PSRule.Rules.Kubernetes-CI?branchName=master
|
[ci-badge]: https://dev.azure.com/bewhite/PSRule.Rules.Kubernetes/_apis/build/status/PSRule.Rules.Kubernetes-CI?branchName=master
|
||||||
[module]: https://www.powershellgallery.com/packages/PSRule.Rules.Kubernetes
|
[module]: https://www.powershellgallery.com/packages/PSRule.Rules.Kubernetes
|
||||||
[project]: https://github.com/BernieWhite/PSRule
|
[project]: https://github.com/Microsoft/PSRule
|
||||||
|
|
|
@ -1,21 +1,31 @@
|
||||||
|
|
||||||
Document 'module' {
|
Document 'module' {
|
||||||
Title 'Module rules'
|
Title 'Module rule reference'
|
||||||
|
|
||||||
Import-Module .\out\modules\PSRule.Rules.Kubernetes
|
Import-Module .\out\modules\PSRule.Rules.Kubernetes
|
||||||
$rules = Get-PSRule -Module PSRule.Rules.Kubernetes -WarningAction SilentlyContinue
|
$rules = Get-PSRule -Module PSRule.Rules.Kubernetes -WarningAction SilentlyContinue |
|
||||||
|
Add-Member -MemberType ScriptProperty -Name Category -Value { $this.Info.Annotations.category } -PassThru |
|
||||||
|
Sort-Object -Property Category;
|
||||||
|
|
||||||
Section 'Baselines' {
|
Section 'Baselines' {
|
||||||
# 'The following baselines are included in `PSRule.Rules.Kubernetes`.'
|
# 'The following baselines are included within `PSRule.Rules.Kubernetes`.'
|
||||||
}
|
}
|
||||||
|
|
||||||
Section 'Rules' {
|
Section 'Rules' {
|
||||||
'The following rules are included in `PSRule.Rules.Kubernetes`.'
|
'The following rules are included within `PSRule.Rules.Kubernetes`.'
|
||||||
|
|
||||||
$rules | Table -Property @{ Name = 'RuleName'; Expression = {
|
$categories = $rules | Group-Object -Property Category;
|
||||||
"[$($_.RuleName)]($($_.RuleName).md)"
|
|
||||||
}}, Description, @{ Name = 'Category'; Expression = {
|
foreach ($category in $categories) {
|
||||||
$_.Tag.category
|
Section "$($category.Name)" {
|
||||||
}}
|
$category.Group |
|
||||||
|
Sort-Object -Property RuleName |
|
||||||
|
Table -Property @{ Name = 'Name'; Expression = {
|
||||||
|
"[$($_.RuleName)]($($_.RuleName).md)"
|
||||||
|
}}, Synopsis, @{ Name = 'Severity'; Expression = {
|
||||||
|
$_.Info.Annotations.severity
|
||||||
|
}}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
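Review bot: `Category` is read from `$this.Info.Annotations.category` with no fallback, so a rule doc that lacks the `category` front-matter key (Pod.Health and Pod.Replicas only gain one in this commit) would be grouped under a `Section ""` heading and silently produce a broken module.md; either default the property (e.g. `if ($null -eq $this.Info.Annotations.category) { 'Other' }`) or throw so the build fails. The `Section 'Baselines'` body is now fully commented out; consider dropping the section until a baseline ships rather than carrying a commented-out line.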
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
severity: Critical
|
severity: Critical
|
||||||
category: Service exposure
|
category: Security
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.AKS.PublicLB.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.AKS.PublicLB.md
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -21,3 +21,7 @@ When this annotation is used on a load balanced service, the Azure load balancer
|
||||||
## RECOMMENDATION
|
## RECOMMENDATION
|
||||||
|
|
||||||
Consider creating services with an internal load balancer instead of a public load balancer.
|
Consider creating services with an internal load balancer instead of a public load balancer.
|
||||||
|
|
||||||
|
## LINKS
|
||||||
|
|
||||||
|
- [Use an internal load balancer with Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/internal-lb#create-an-internal-load-balancer)
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
severity: Important
|
severity: Important
|
||||||
category: Resource APIs
|
category: API
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.API.Removal.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.API.Removal.md
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
severity: Important
|
severity: Awareness
|
||||||
category: Resource management
|
category: Management
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Metadata.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Metadata.md
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,4 +19,6 @@ These labels should be used to consistently apply standard metadata.
|
||||||
|
|
||||||
Consider applying recommended labels defined by Kubernetes.
|
Consider applying recommended labels defined by Kubernetes.
|
||||||
|
|
||||||
For more information see [Recommended Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/).
|
## LINKS
|
||||||
|
|
||||||
|
- [Recommended Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/)
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
---
|
---
|
||||||
severity: Important
|
severity: Important
|
||||||
|
category: Reliability
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Health.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Health.md
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -17,7 +18,7 @@ This is accomplished through liveness and readiness probes.
|
||||||
|
|
||||||
## RECOMMENDATION
|
## RECOMMENDATION
|
||||||
|
|
||||||
Containers should use liveness and readiness probes.
|
Consider configuring liveness and readiness probes for pod containers.
|
||||||
|
|
||||||
## LINKS
|
## LINKS
|
||||||
|
|
||||||
|
|
|
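Review bot: the recommendation wording changes here (and for Pod.Resources and Pod.PrivilegeEscalation in this commit), but the README sample output in the same commit still prints the old text, e.g. `Kubernetes.Pod.Health Fail Containers should use liveness and readiness probes.`; since the old README text matches the old RECOMMENDATION sections word for word, the column appears to be sourced from these docs, so regenerate the sample output after the doc changes so the README matches what `Invoke-PSRule` now reports.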
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
severity: Critical
|
severity: Important
|
||||||
category: Pod security
|
category: Security
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Latest.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Latest.md
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,6 +19,6 @@ Containers should use specific tags instead of latest.
|
||||||
Deployments or pods should identify a specific tag to use for container images instead of latest.
|
Deployments or pods should identify a specific tag to use for container images instead of latest.
|
||||||
When latest is used it may be hard to determine which version of the image is running.
|
When latest is used it may be hard to determine which version of the image is running.
|
||||||
|
|
||||||
When using variable tags such as v1.0 (which may refer to v1.0.0 or v1.0.1) consider using imagePullPolicy: Always to ensure that the an out-of-date cached image is not used.
|
When using variable tags such as v1.0 (which may refer to v1.0.0 or v1.0.1) consider using `imagePullPolicy: Always` to ensure that the an out-of-date cached image is not used.
|
||||||
|
|
||||||
The latest tag automatically uses imagePullPolicy: Always instead of the default imagePullPolicy: IfNotPresent.
|
The latest tag automatically uses `imagePullPolicy: Always` instead of the default `imagePullPolicy: IfNotPresent`.
|
||||||
|
|
|
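Review bot: the reworded line keeps the typo `to ensure that the an out-of-date cached image is not used`; drop the stray `the` while touching it. It may also be worth stating that an immutable digest reference (`image@sha256:...`) is the strongest form of pinning, with a specific tag as the minimum the rule checks for.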
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
severity: Critical
|
severity: Critical
|
||||||
category: Pod security
|
category: Security
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.PriviledgeEscalation.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.PriviledgeEscalation.md
|
||||||
---
|
---
|
||||||
|
|
||||||
|
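Review bot: the `online version` URL (unchanged context here) spells the file `Kubernetes.Pod.PriviledgeEscalation.md`, while the rule and its doc are `Kubernetes.Pod.PrivilegeEscalation` (the module.md links in this commit point at `Kubernetes.Pod.PrivilegeEscalation.md`), so the link is dead; fix the spelling while the front matter is being edited.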
@ -12,8 +12,16 @@ Containers should deny privilege escalation.
|
||||||
|
|
||||||
## DESCRIPTION
|
## DESCRIPTION
|
||||||
|
|
||||||
Containers should deny privilege escalation.
|
In the default configuration, container processes are permitted to change the effective user ID through the _setuid_ binary.
|
||||||
|
Changing the effective user ID could allow a malicious or vulnerable process to gain a higher level of permission then intended.
|
||||||
|
To prevent this, explicitly set the `securityContext.allowPrivilegeEscalation` option to `false` on pod containers.
|
||||||
|
|
||||||
## RECOMMENDATION
|
## RECOMMENDATION
|
||||||
|
|
||||||
Containers should deny privilege escalation.
|
Consider explicitly setting the `securityContext.allowPrivilegeEscalation` option to `false` on pod containers.
|
||||||
|
|
||||||
|
## LINKS
|
||||||
|
|
||||||
|
- [Secure container access to resources](https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security#secure-container-access-to-resources)
|
||||||
|
- [Set the security context for a Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
|
||||||
|
- [Privilege Escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)
|
||||||
|
|
|
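Review bot: `gain a higher level of permission then intended` should be `than intended`. The mechanism sentence is also imprecise: it is not a single `setuid` binary but the setuid/setgid bits and file capabilities on executables that let a process raise its effective privileges, and `allowPrivilegeEscalation: false` sets the `no_new_privs` flag so those bits are not honoured. Worth adding that Kubernetes forces the field to `true` for containers that run `privileged` or hold `CAP_SYS_ADMIN`, so those cases need to be caught separately.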
@ -1,5 +1,6 @@
|
||||||
---
|
---
|
||||||
severity: Important
|
severity: Important
|
||||||
|
category: Reliability
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Replicas.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Replicas.md
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
|
@ -1,19 +1,32 @@
|
||||||
---
|
---
|
||||||
severity: Important
|
severity: Important
|
||||||
category: Resource management
|
category: Performance
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Resources.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Resources.md
|
||||||
---
|
---
|
||||||
|
|
||||||
# Set requirements for resources
|
# Set compute resource requirements
|
||||||
|
|
||||||
## SYNOPSIS
|
## SYNOPSIS
|
||||||
|
|
||||||
Resource requirements are set for each container.
|
Set CPU and memory requirements for each container.
|
||||||
|
|
||||||
## DESCRIPTION
|
## DESCRIPTION
|
||||||
|
|
||||||
Resource requirements are set for each container.
|
The default scheduler uses container compute resource configuration to select a node for scheduling the pod.
|
||||||
|
If compute resources values are not provided, Kubernetes can't take these into account when making scheduling decisions.
|
||||||
|
|
||||||
|
Compute resources is not the only factor to determine pod placement.
|
||||||
|
However, if the scheduler places a pod on a host with insufficient resources, pod performance may be impacted.
|
||||||
|
|
||||||
|
If the Kubernetes cluster uses resource quotas, pods that don't specify compute resources may be rejected.
|
||||||
|
|
||||||
|
Compute resources for a container are set within the pod specification by defining `requests` and `limits`.
|
||||||
|
|
||||||
## RECOMMENDATION
|
## RECOMMENDATION
|
||||||
|
|
||||||
Resource requirements are set for each container.
|
Consider configuring CPU and memory resource requirements for each container.
|
||||||
|
|
||||||
|
## LINKS
|
||||||
|
|
||||||
|
- [Define pod resource requests and limits](https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-resource-management#define-pod-resource-requests-and-limits)
|
||||||
|
- [Managing Compute Resources for Containers](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-types)
|
||||||
|
|
|
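Review bot: `Compute resources is not the only factor` should read `are not the only factor`, and `compute resources values` should be `compute resource values`. The description motivates `requests` and `limits` only from scheduling and performance; one sentence noting that `limits` also cap how much CPU and memory a runaway or compromised container can consume on a shared node would make the rule's security value clear.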
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
severity: Critical
|
severity: Critical
|
||||||
category: Pod security
|
category: Security
|
||||||
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Secrets.md
|
online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Secrets.md
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
|
@ -1,17 +1,39 @@
|
||||||
# Module rules
|
# Module rule reference
|
||||||
|
|
||||||
## Rules
|
## Rules
|
||||||
|
|
||||||
The following rules are included in `PSRule.Rules.Kubernetes`.
|
The following rules are included within `PSRule.Rules.Kubernetes`.
|
||||||
|
|
||||||
RuleName | Description | Category
|
### API
|
||||||
-------- | ----------- | --------
|
|
||||||
[Kubernetes.AKS.PublicLB](Kubernetes.AKS.PublicLB.md) | Use internal Azure load balancers. | Pod security
|
Name | Synopsis | Severity
|
||||||
[Kubernetes.API.Removal](Kubernetes.API.Removal.md) | Avoid using legacy API endpoints. | API
|
---- | -------- | --------
|
||||||
[Kubernetes.Metadata](Kubernetes.Metadata.md) | Use Kubernetes common labels. | Resource management
|
[Kubernetes.API.Removal](Kubernetes.API.Removal.md) | Avoid using legacy API endpoints. | Important
|
||||||
[Kubernetes.Pod.PrivilegeEscalation](Kubernetes.Pod.PrivilegeEscalation.md) | Containers should deny privilege escalation. | Pod security
|
|
||||||
[Kubernetes.Pod.Latest](Kubernetes.Pod.Latest.md) | Containers should use specific tags instead of latest. | Pod security
|
### Management
|
||||||
[Kubernetes.Pod.Resources](Kubernetes.Pod.Resources.md) | Resource requirements are set for each container. | Resource management
|
|
||||||
[Kubernetes.Pod.Secrets](Kubernetes.Pod.Secrets.md) | Sensitive environment variables should be referenced as a secret. | Pod security
|
Name | Synopsis | Severity
|
||||||
[Kubernetes.Pod.Health](Kubernetes.Pod.Health.md) | Containers should use liveness and readiness probes. | Reliability
|
---- | -------- | --------
|
||||||
[Kubernetes.Pod.Replicas](Kubernetes.Pod.Replicas.md) | Use two or more replicas. | Reliability
|
[Kubernetes.Metadata](Kubernetes.Metadata.md) | Use Kubernetes common labels. | Awareness
|
||||||
|
|
||||||
|
### Performance
|
||||||
|
|
||||||
|
Name | Synopsis | Severity
|
||||||
|
---- | -------- | --------
|
||||||
|
[Kubernetes.Pod.Resources](Kubernetes.Pod.Resources.md) | Set CPU and memory requirements for each container. | Important
|
||||||
|
|
||||||
|
### Reliability
|
||||||
|
|
||||||
|
Name | Synopsis | Severity
|
||||||
|
---- | -------- | --------
|
||||||
|
[Kubernetes.Pod.Health](Kubernetes.Pod.Health.md) | Containers should use liveness and readiness probes. | Important
|
||||||
|
[Kubernetes.Pod.Replicas](Kubernetes.Pod.Replicas.md) | Use two or more replicas. | Important
|
||||||
|
|
||||||
|
### Security
|
||||||
|
|
||||||
|
Name | Synopsis | Severity
|
||||||
|
---- | -------- | --------
|
||||||
|
[Kubernetes.AKS.PublicLB](Kubernetes.AKS.PublicLB.md) | Use internal Azure load balancers. | Critical
|
||||||
|
[Kubernetes.Pod.Latest](Kubernetes.Pod.Latest.md) | Containers should use specific tags instead of latest. | Important
|
||||||
|
[Kubernetes.Pod.PrivilegeEscalation](Kubernetes.Pod.PrivilegeEscalation.md) | Containers should deny privilege escalation. | Critical
|
||||||
|
[Kubernetes.Pod.Secrets](Kubernetes.Pod.Secrets.md) | Sensitive environment variables should be referenced as a secret. | Critical
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
- Windows PowerShell 5.1 with .NET Framework 4.7.2+ or
|
- Windows PowerShell 5.1 with .NET Framework 4.7.2+ or
|
||||||
- PowerShell Core 6.0 or greater on Windows, macOS and Linux
|
- PowerShell Core 6.2 or greater on Windows, MacOS and Linux
|
||||||
|
|
||||||
For a list of platforms that PowerShell Core is supported on [see](https://github.com/PowerShell/PowerShell#get-powershell).
|
For a list of platforms that PowerShell Core is supported on [see](https://github.com/PowerShell/PowerShell#get-powershell).
|
||||||
|
|
||||||
|
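Review bot: the updated bullet changes `macOS` to `MacOS`; keep the original spelling (`Windows, macOS and Linux`), since `macOS` is the vendor's capitalisation and the old line had it right.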
@ -38,7 +38,8 @@ Save-Module -Name 'PSRule', 'PSRule.Rules.Kubernetes' -Path '.\modules';
|
||||||
|
|
||||||
> For pre-release versions the `-AllowPrerelease` switch must be added when calling `Install-Module` or `Save-Module`.
|
> For pre-release versions the `-AllowPrerelease` switch must be added when calling `Install-Module` or `Save-Module`.
|
||||||
>
|
>
|
||||||
> To install pre-release module versions, upgrading to the latest version of _PowerShellGet_ may be required. To do this use:
|
> To install pre-release module versions, upgrading to the latest version of _PowerShellGet_ may be required.
|
||||||
|
To do this use:
|
||||||
>
|
>
|
||||||
> `Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force`
|
> `Install-Module -Name PowerShellGet -Repository PSGallery -Scope CurrentUser -Force`
|
||||||
|
|
||||||
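Review bot: splitting the quote drops the `>` prefix on `To do this use:`; the line is now a lazy continuation of the blockquote while every surrounding line carries `>`. Prefix it with `> ` so the note renders and lints consistently.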