| ingress-targets-service | Ingress | Makes sure that the Ingress targets a Service | default |
| cronjob-has-deadline | CronJob | Makes sure that all CronJobs have a configured deadline | default |
| container-resources | Pod | Makes sure that all pods have resource limits and requests set. The --ignore-container-cpu-limit flag can be used to disable the requirement of having a CPU limit. | default |
| container-resource-requests-equal-limits | Pod | Makes sure that all pods have the same requests as limits on resources set. | optional |
| container-cpu-requests-equal-limits | Pod | Makes sure that all pods have the same CPU requests as limits set. | optional |
| container-memory-requests-equal-limits | Pod | Makes sure that all pods have the same memory requests as limits set. | optional |
| container-image-tag | Pod | Makes sure that an explicit non-latest tag is used | default |
| container-image-pull-policy | Pod | Makes sure that the pullPolicy is set to Always. This makes sure that imagePullSecrets are always validated. | default |
| statefulset-has-poddisruptionbudget | StatefulSet | Makes sure that all StatefulSets are targeted by a PDB | default |
| deployment-has-poddisruptionbudget | Deployment | Makes sure that all Deployments are targeted by a PDB | default |
| pod-networkpolicy | Pod | Makes sure that all Pods are targeted by a NetworkPolicy | default |
| networkpolicy-targets-pod | NetworkPolicy | Makes sure that all NetworkPolicies target at least one Pod | default |
| pod-probes | Pod | Makes sure that all Pods have safe probe configurations | default |
| container-security-context | Pod | Makes sure that all pods have good securityContexts configured | default |
| container-seccomp-profile | Pod | Makes sure that all pods have a seccomp policy configured. | optional |
| service-targets-pod | Service | Makes sure that all Services target a Pod | default |
| service-type | Service | Makes sure that the Service type is not NodePort | default |
| stable-version | all | Checks if the object is using a deprecated apiVersion | default |
| deployment-has-host-podantiaffinity | Deployment | Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | default |
| statefulset-has-host-podantiaffinity | StatefulSet | Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | default |
| deployment-targeted-by-hpa-does-not-have-replicas-configured | Deployment | Makes sure that Deployments using a HorizontalPodAutoscaler don't have a statically configured replica count set | default |
| label-values | all | Validates label values | default |
| horizontalpodautoscaler-has-target | HorizontalPodAutoscaler | Makes sure that the HPA targets a valid object | default |