META-INF.rewrite.best-practices.yml Maven / Gradle / Ivy
Show all versions of rewrite-kubernetes Show documentation
#
# Copyright 2021 the original author or authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.KubernetesBestPractices
displayName: Kubernetes best practices
description: Applies best practices to Kubernetes manifests.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.MissingPodLivenessProbe
- org.openrewrite.kubernetes.MissingPodReadinessProbe
- org.openrewrite.kubernetes.MissingCpuRequest
- org.openrewrite.kubernetes.MissingCpuLimits
- org.openrewrite.kubernetes.MissingMemoryRequest
- org.openrewrite.kubernetes.MissingMemoryLimits
- org.openrewrite.kubernetes.NoPrivilegedContainers
- org.openrewrite.kubernetes.LifecycleRuleOnStorageBucket
- org.openrewrite.kubernetes.NoHostProcessIdSharing
- org.openrewrite.kubernetes.NoHostIPCSharing
- org.openrewrite.kubernetes.NoRootContainers
- org.openrewrite.kubernetes.ImagePullPolicyAlways
- org.openrewrite.kubernetes.NoPrivilegeEscalation
- org.openrewrite.kubernetes.NoHostNetworkSharing
- org.openrewrite.kubernetes.ReadOnlyRootFilesystem
- org.openrewrite.kubernetes.LimitContainerCapabilities
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.MissingPodLivenessProbe
displayName: Ensure liveness probe is configured
description: The kubelet uses liveness probes to know when to schedule restarts for containers. Restarting a container in a deadlock state can help to make the application more available, despite bugs.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.search.FindResourceMissingConfiguration:
resourceKind: Pod
configurationPath: $.spec.containers[:1].livenessProbe
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.MissingPodReadinessProbe
displayName: Ensure readiness probe is configured
description: Using the Readiness Probe ensures teams define what actions need to be taken to prevent failure and ensure recovery in case of unexpected errors.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.search.FindResourceMissingConfiguration:
resourceKind: Pod
configurationPath: $.spec.containers[:1].readinessProbe
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.MissingCpuRequest
displayName: Ensure CPU request is set
description: If a container is created in a namespace that has a default CPU limit, and the container does not specify its own CPU limit, then the container is assigned the default CPU limit.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.search.FindResourceMissingConfiguration:
configurationPath: ..spec.containers[:1].resources.requests.cpu
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.MissingCpuLimits
displayName: Ensure CPU limits are set
description: A system without managed quotas could eventually collapse due to inadequate resources for the tasks it bares.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.search.FindResourceMissingConfiguration:
configurationPath: ..spec.containers[:1].resources.limits.cpu
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.MissingMemoryRequest
displayName: Ensure memory request is set
description: A container is guaranteed to have as much memory as it requests, but is not allowed to use more memory than the limit set. This configuration may save resources and prevent an attack on an exploited container.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.search.FindResourceMissingConfiguration:
configurationPath: ..spec.containers[:1].resources.requests.memory
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.MissingMemoryLimits
displayName: Ensure memory limits are set
description: With no limit set, kubectl allocates more and more memory to the container until it runs out.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.search.FindResourceMissingConfiguration:
configurationPath: ..spec.containers[:1].resources.limits.memory
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.NoPrivilegedContainers
displayName: No privileged containers
description: Privileged containers are containers that have all of the root capabilities of a host machine, allowing access to resources that are not accessible in ordinary containers.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: PodSecurityPolicy
configurationPath: $.spec
value: 'privileged: false'
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.LifecycleRuleOnStorageBucket
displayName: Ensure lifecycle rule on `StorageBucket`
description: When defining a rule, you can specify any set of conditions for any action. The following configuration defines a rule to delete all objects older than 7 days in a bucket.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
apiVersion: storage.cnrm.cloud.google.com/v1beta1
resourceKind: StorageBucket
configurationPath: $.spec
value: |-
lifecycleRule:
- action:
type: Delete
condition:
age: 7
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.NoHostProcessIdSharing
displayName: No host process ID sharing
description: Sharing the host process ID namespace breaks the isolation between container images and can make processes visible to other containers in the pod. This includes all information in the /proc directory, which can sometimes include passwords or keys, passed as environment variables.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: Pod
configurationPath: $.spec
value: 'hostPID: false'
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.NoHostIPCSharing
displayName: No host IPC sharing
description: Preventing sharing of host PID/IPC namespace, networking, and ports ensures proper isolation between Docker containers and the underlying host.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: Pod
configurationPath: $.spec
value: 'hostIPC: false'
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.NoRootContainers
displayName: No root containers
description: Containers that run as root frequently have more permissions than their workload requires which, in case of compromise, could help an attacker further their exploits.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: PodSecurityPolicy
configurationPath: $.spec
value: |-
runAsUser:
rule: MustRunAsNonRoot
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.ImagePullPolicyAlways
displayName: Ensure image pull policy is `Always`
description: Ensures the latest version of a tag is deployed each time.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: Pod
configurationPath: $.spec.containers
value: 'imagePullPolicy: Always'
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.NoPrivilegeEscalation
displayName: No privilege escalation
description: Does not allow a process to gain more privileges than its parent process.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: Pod
configurationPath: $.spec.containers
value: |-
securityContext:
allowPrivilegeEscalation: false
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.NoHostNetworkSharing
displayName: No host network sharing
description: When using the host network mode for a container, that container’s network stack is not isolated from the Docker host, so the container shares the host’s networking namespace and does not get its own IP-address allocation.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: Pod
configurationPath: $.spec
value: 'hostNetwork: false'
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.ReadOnlyRootFilesystem
displayName: Read-only root filesystem
description: Using an immutable root filesystem and a verified boot mechanism prevents against attackers from "owning" the machine through permanent local changes.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: Pod
configurationPath: $.spec.containers
value: |-
securityContext:
readOnlyRootFilesystem: false
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.LimitContainerCapabilities
displayName: Limit root capabilities in a container
description: Limiting the admission of containers with capabilities ensures that only a small number of containers have extended capabilities outside the default range.
tags:
- kubernetes
recipeList:
- org.openrewrite.kubernetes.AddConfiguration:
resourceKind: Pod
configurationPath: $.spec.containers
value: |-
securityContext:
capabilities:
drop:
- ALL