lints.yaml

specs:
  - name: alb_ingress_controller_instance_misconfiguration
    group: Configuration
    description: Checks that all ALB ingresses are linked to services which have compatible types with the ingress. When the ingress is configured with target-type `instance`, only `NodePort` and `LoadBalancer` types are allowed; when it's configured as `ip`, only `ClusterIP` services are allowed.
    references:
      - "https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#target-type"
  - name: environment_passwords
    group: Security
    description: Finds passwords or api keys on object manifests.
    references:
      - "https://kubernetes.io/docs/concepts/configuration/secret/"
      - "https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/"
  - name: never_restart_with_liveness_probe
    group: Configuration
    description: Finds pods which have a `Never` restart policy and have liveness probe set. Those containers which have a liveness probe will be stopped if the probe fails and it will never be restarted, which may lead the pod on a inconsistent state.
    references:
      - "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes"
  - name: overlapping_probes
    group: Configuration
    description: Finds pods which liveness probe *may* execute before all readiness probes has been executed- Executing a liveness probe *before* the container is ready will provoke that pod change the status to failed.
    references:
      - "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes"
      - "https://github.com/kubernetes/kubernetes/issues/27114"
      - "https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-setting-up-health-checks-with-readiness-and-liveness-probes"
  - name: pdb_min_replicas
    group: Configuration
    description: Checks that pod controllers associated to a pod disruption budget has at least one more replica than PDB min_unavailable. The pod controller won't be able to be rolled out, as no pod can be evicted (as min_unavailable is >= to the amount of replicas desired). This may cause that a node can not be cordoned.
    references:
      - "https://itnext.io/kubernetes-in-production-poddisruptionbudget-1380009aaede"
  - name: pod_requirements
    group: Security
    description: Checks for pods without resource limits. Pods without resource limits may provoke a denial-of-service of the processes running on the same node.
    references: []
  - name: required_labels
    group: Audit
    description: Checks for missing required labels. Adding labels to your pods helps organizing the cluster and improves long-term maintainability.
    references:
      - "https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#motivation"
  - name: role_similar_names
    group: Configuration
    description: Checks resources names which are similar to the default resources. For example, granting access to `daemon-set` instead of `daemonsets`. This usually is originated by a typo when writing role or cluster roles.
    references:
      - "https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#motivation"
  - name: service_without_matching_labels
    group: Configuration
    description: Checks that services are well defined and has some matching object (defined by the service selector). A service without any matching pod is usually a symptom of a bad configuration.
    references: []
  - name: statefulset_no_grace_period
    group: Configuration
    description: Finds stateful sets which has a pod template with graceful period equals to zero. Stateful Sets are usually used on clustered applications in which each of the components have state. This kind of application needs a proper shutdown with a given timeout, otherwise, the application may lead to an inconsistent state.
    references:
      - "https://kubernetes.io/docs/tasks/run-application/force-delete-stateful-set-pod/#delete-pods"
  - name: hpa_no_request
    group: Configuration
    description: Finds HPAs which are linked to some controller which contains any container that does not set the requirement fro the target metric. On those cases, the HPA emits some warnings and is not scaling the controller as required.
    references:
      - "https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#how-does-the-horizontal-pod-autoscaler-work"
  - name: alb_named_sg
    group: Configuration
    description: Finds ingresses of type ALB which uses identifiers instead of names on security group defintion. Using named security groups it's more semantic, less error prone and easy to verfiy that the configuration is correct.
    references:
      - "https://github.com/HotelsDotCom/alb-ingress-controller/blob/37cfd6fe1f0863a6d35d83d2d2faab2c72f49e9a/docs/ingress-resources.md"
  - name: service_target_port
    group: Configuration
    description: Finds services which uses numeric target ports. This lint suggests to use a named port with a string for a more semanthic configuration. This is also useful to be able to create an interface for the service and delegate to the underlying pod controller which port it exposes.
    references: []