mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-10 19:26:46 +00:00
b3f1b3b478
* Initial checkin for recategorizing checks * Fix tests * Fix tests * Update example output
90 lines
2.2 KiB
YAML
90 lines
2.2 KiB
YAML
checks:
|
|
# reliability
|
|
multipleReplicasForDeployment: warning
|
|
priorityClassNotSet: warning
|
|
tagNotSpecified: danger
|
|
pullPolicyNotAlways: warning
|
|
readinessProbeMissing: warning
|
|
livenessProbeMissing: warning
|
|
# efficiency
|
|
cpuRequestsMissing: warning
|
|
cpuLimitsMissing: warning
|
|
memoryRequestsMissing: warning
|
|
memoryLimitsMissing: warning
|
|
# security
|
|
hostIPCSet: danger
|
|
hostPIDSet: danger
|
|
notReadOnlyRootFilesystem: warning
|
|
privilegeEscalationAllowed: danger
|
|
runAsRootAllowed: warning
|
|
runAsPrivileged: danger
|
|
dangerousCapabilities: danger
|
|
insecureCapabilities: warning
|
|
hostNetworkSet: warning
|
|
hostPortSet: warning
|
|
# custom
|
|
resourceLimits: warning
|
|
imageRegistry: danger
|
|
|
|
exemptions:
|
|
- controllerNames:
|
|
- my-network-controller
|
|
rules:
|
|
- hostNetworkSet
|
|
- hostPortSet
|
|
- namespace: kube-system
|
|
controllerNames:
|
|
- my-network-controller
|
|
rules:
|
|
- hostNetworkSet
|
|
- hostPortSet
|
|
|
|
customChecks:
|
|
resourceLimits:
|
|
containers:
|
|
exclude:
|
|
- initContainer
|
|
successMessage: Resource limits are within the required range
|
|
failureMessage: Resource limits should be within the required range
|
|
category: Resources
|
|
target: Container
|
|
schema:
|
|
'$schema': http://json-schema.org/draft-07/schema
|
|
type: object
|
|
required:
|
|
- resources
|
|
properties:
|
|
resources:
|
|
type: object
|
|
required:
|
|
- limits
|
|
properties:
|
|
limits:
|
|
type: object
|
|
required:
|
|
- memory
|
|
- cpu
|
|
properties:
|
|
memory:
|
|
type: string
|
|
resourceMinimum: 100M
|
|
resourceMaximum: 6G
|
|
cpu:
|
|
type: string
|
|
resourceMinimum: 100m
|
|
resourceMaximum: "2"
|
|
imageRegistry:
|
|
successMessage: Image comes from allowed registries
|
|
failureMessage: Image should not be from disallowed registry
|
|
category: Images
|
|
target: Container
|
|
schema:
|
|
'$schema': http://json-schema.org/draft-07/schema
|
|
type: object
|
|
properties:
|
|
image:
|
|
type: string
|
|
not:
|
|
pattern: ^quay.io
|
|
|