All Downloads are FREE. Search and download functionalities are using the official Maven repository.

META-INF.rewrite.best-practices.yml Maven / Gradle / Ivy

The newest version!
#
# Copyright 2021 the original author or authors.
# 

# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at #

# https://www.apache.org/licenses/LICENSE-2.0 #

# Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.KubernetesBestPractices displayName: Kubernetes best practices description: Applies best practices to Kubernetes manifests. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.MissingPodLivenessProbe - org.openrewrite.kubernetes.MissingPodReadinessProbe - org.openrewrite.kubernetes.MissingCpuRequest - org.openrewrite.kubernetes.MissingCpuLimits - org.openrewrite.kubernetes.MissingMemoryRequest - org.openrewrite.kubernetes.MissingMemoryLimits - org.openrewrite.kubernetes.NoPrivilegedContainers - org.openrewrite.kubernetes.LifecycleRuleOnStorageBucket - org.openrewrite.kubernetes.NoHostProcessIdSharing - org.openrewrite.kubernetes.NoHostIPCSharing - org.openrewrite.kubernetes.NoRootContainers - org.openrewrite.kubernetes.ImagePullPolicyAlways - org.openrewrite.kubernetes.NoPrivilegeEscalation - org.openrewrite.kubernetes.NoHostNetworkSharing - org.openrewrite.kubernetes.ReadOnlyRootFilesystem - org.openrewrite.kubernetes.LimitContainerCapabilities --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.MissingPodLivenessProbe displayName: Ensure liveness probe is configured description: The kubelet uses liveness probes to know when to schedule restarts for containers. Restarting a container in a deadlock state can help to make the application more available, despite bugs. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.search.FindResourceMissingConfiguration: resourceKind: Pod configurationPath: $.spec.containers[:1].livenessProbe --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.MissingPodReadinessProbe displayName: Ensure readiness probe is configured description: Using the Readiness Probe ensures teams define what actions need to be taken to prevent failure and ensure recovery in case of unexpected errors. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.search.FindResourceMissingConfiguration: resourceKind: Pod configurationPath: $.spec.containers[:1].readinessProbe --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.MissingCpuRequest displayName: Ensure CPU request is set description: If a container is created in a namespace that has a default CPU limit, and the container does not specify its own CPU limit, then the container is assigned the default CPU limit. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.search.FindResourceMissingConfiguration: configurationPath: ..spec.containers[:1].resources.requests.cpu --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.MissingCpuLimits displayName: Ensure CPU limits are set description: A system without managed quotas could eventually collapse due to inadequate resources for the tasks it bares. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.search.FindResourceMissingConfiguration: configurationPath: ..spec.containers[:1].resources.limits.cpu --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.MissingMemoryRequest displayName: Ensure memory request is set description: A container is guaranteed to have as much memory as it requests, but is not allowed to use more memory than the limit set. This configuration may save resources and prevent an attack on an exploited container. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.search.FindResourceMissingConfiguration: configurationPath: ..spec.containers[:1].resources.requests.memory --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.MissingMemoryLimits displayName: Ensure memory limits are set description: With no limit set, kubectl allocates more and more memory to the container until it runs out. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.search.FindResourceMissingConfiguration: configurationPath: ..spec.containers[:1].resources.limits.memory --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.NoPrivilegedContainers displayName: No privileged containers description: Privileged containers are containers that have all of the root capabilities of a host machine, allowing access to resources that are not accessible in ordinary containers. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: PodSecurityPolicy configurationPath: $.spec value: 'privileged: false' --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.LifecycleRuleOnStorageBucket displayName: Ensure lifecycle rule on `StorageBucket` description: When defining a rule, you can specify any set of conditions for any action. The following configuration defines a rule to delete all objects older than 7 days in a bucket. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: apiVersion: storage.cnrm.cloud.google.com/v1beta1 resourceKind: StorageBucket configurationPath: $.spec value: |- lifecycleRule: - action: type: Delete condition: age: 7 --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.NoHostProcessIdSharing displayName: No host process ID sharing description: Sharing the host process ID namespace breaks the isolation between container images and can make processes visible to other containers in the pod. This includes all information in the /proc directory, which can sometimes include passwords or keys, passed as environment variables. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: Pod configurationPath: $.spec value: 'hostPID: false' --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.NoHostIPCSharing displayName: No host IPC sharing description: Preventing sharing of host PID/IPC namespace, networking, and ports ensures proper isolation between Docker containers and the underlying host. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: Pod configurationPath: $.spec value: 'hostIPC: false' --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.NoRootContainers displayName: No root containers description: Containers that run as root frequently have more permissions than their workload requires which, in case of compromise, could help an attacker further their exploits. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: PodSecurityPolicy configurationPath: $.spec value: |- runAsUser: rule: MustRunAsNonRoot --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.ImagePullPolicyAlways displayName: Ensure image pull policy is `Always` description: Ensures the latest version of a tag is deployed each time. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: Pod configurationPath: $.spec.containers value: 'imagePullPolicy: Always' --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.NoPrivilegeEscalation displayName: No privilege escalation description: Does not allow a process to gain more privileges than its parent process. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: Pod configurationPath: $.spec.containers value: |- securityContext: allowPrivilegeEscalation: false --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.NoHostNetworkSharing displayName: No host network sharing description: When using the host network mode for a container, that container’s network stack is not isolated from the Docker host, so the container shares the host’s networking namespace and does not get its own IP-address allocation. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: Pod configurationPath: $.spec value: 'hostNetwork: false' --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.ReadOnlyRootFilesystem displayName: Read-only root filesystem description: Using an immutable root filesystem and a verified boot mechanism prevents against attackers from "owning" the machine through permanent local changes. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: Pod configurationPath: $.spec.containers value: |- securityContext: readOnlyRootFilesystem: false --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.kubernetes.LimitContainerCapabilities displayName: Limit root capabilities in a container description: Limiting the admission of containers with capabilities ensures that only a small number of containers have extended capabilities outside the default range. tags: - kubernetes recipeList: - org.openrewrite.kubernetes.AddConfiguration: resourceKind: Pod configurationPath: $.spec.containers value: |- securityContext: capabilities: drop: - ALL





© 2015 - 2024 Weber Informatics LLC | Privacy Policy