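# kube-linter configuration.
# doNotAutoAddDefaults is true, so kube-linter's default check set is not
# added implicitly: only the checks named under `include` are run.
checks:
  doNotAutoAddDefaults: true
  include:
    - cluster-admin-role-binding
    - dangling-service
    - default-service-account
    - deprecated-service-account-field
    - docker-sock
    - drop-net-raw-capability
    - env-var-secret
    - host-ipc
    - host-network
    - host-pid
    - latest-tag
    - mismatching-selector
    - no-anti-affinity
    - no-extensions-v1beta
    - no-liveness-probe
    - no-read-only-root-fs
    - no-readiness-probe
    - no-rolling-update-strategy
    - non-existent-service-account
    - non-isolated-pod
    - privilege-escalation-container
    - privileged-container
    - privileged-ports
    - read-secret-from-env-var
    - run-as-non-root
    - sensitive-host-mounts
    - ssh-port
    - unsafe-proc-mount
    - unsafe-sysctls
    - unset-cpu-requirements
    - unset-memory-requirements
    - use-namespace
    - wildcard-in-rules
    - writable-host-mount
  # Checks deliberately left off. None of them appears under `include`, so
  # with defaults disabled this list mainly records the decision; it would
  # start to matter if defaults or addAllBuiltIn were ever turned on.
  exclude:
    # Coder needs to create pods for workspaces
    - access-to-create-pods
    # NOTE(review): no reason is recorded for skipping access-to-secrets.
    # Confirm which RBAC rules need it and document the reason here.
    - access-to-secrets
    # We use a load balancer service by default
    - exposed-services
    # TODO: evaluate high availability by default
    - minimum-three-replicas
    # NOTE(review): no reason is recorded for skipping the two metadata
    # checks below; confirm this is intentional.
    - required-annotation-email
    - required-label-owner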