This repository is a library of rules for the Kubevious CLI project. The rules detect errors (typos, conflicts, misconfigurations) and violations of compliance and security best practices in Kubernetes and related cloud-native projects.
Kubevious rules are expressed in a domain-specific language called Kubik.
Total Rules: 33
- ARGO-ROLLOUT (1)
- CERT-MANAGER (2)
- ISTIO (1)
- K8S/CONTAINER (7)
- K8S/GATEWAY-API/GATEWAY (3)
- K8S/GATEWAY-API/HTTP-ROUTE (2)
- K8S/HPA (1)
- K8S/INGRESS (5)
- K8S/NETWORK-POLICY (1)
- K8S/POD-SPEC (4)
- K8S/RBAC (2)
- K8S/SERVICE (1)
- K8S/WORKLOAD (1)
- KONG (2)
Validate Argo Rollout to Analysis Template reference.
- 🏷️ argo 🏷️ rollout 🏷️ analysis 🏷️ reference
Validate CertManager Certificate to Issuer reference.
- 🏷️ cert-manager 🏷️ certificate 🏷️ issuer 🏷️ reference
Validate Ingress to CertManager Issuer reference.
- 🏷️ cert-manager 🏷️ ingress 🏷️ issuer 🏷️ reference
Validate Istio VirtualService to IstioGateway reference.
- 🏷️ istio 🏷️ virtual-service 🏷️ istio-gateway 🏷️ reference
Validate ContainerSpec environment variable ConfigMap reference.
- 🏷️ k8s 🏷️ container 🏷️ environment-variable 🏷️ config-map 🏷️ reference
Validate ContainerSpec envFrom variables projection ConfigMap reference.
- 🏷️ k8s 🏷️ container 🏷️ environment-variable 🏷️ config-map 🏷️ reference
Validate ContainerSpec envFrom variables projection Secret reference.
- 🏷️ k8s 🏷️ container 🏷️ environment-variable 🏷️ secret 🏷️ reference
Validate ContainerSpec environment variable Secret reference.
- 🏷️ k8s 🏷️ container 🏷️ environment-variable 🏷️ secret 🏷️ reference
Validate ContainerSpec image to have non latest tag.
- 🏷️ k8s 🏷️ container 🏷️ image 🏷️ latest
Validate ContainerSpec resource requests to be less or equal to the limits.
- 🏷️ k8s 🏷️ container 🏷️ resources 🏷️ cpu 🏷️ memory 🏷️ request 🏷️ limit
Validate ContainerSpec volume mount to PodSpec volume reference.
- 🏷️ k8s 🏷️ container 🏷️ volume 🏷️ volume-mount 🏷️ reference
Validate Gateway to Certificate Secret reference.
- 🏷️ k8s 🏷️ gateway-api 🏷️ gateway 🏷️ certificate 🏷️ reference
Validate Gateway to GatewayClass reference.
- 🏷️ k8s 🏷️ gateway-api 🏷️ gateway 🏷️ gateway-class 🏷️ reference
Validate Gateway to have unique listeners.
- 🏷️ k8s 🏷️ gateway-api 🏷️ gateway 🏷️ unique-listeners
Validate HTTPRoute to Backend reference.
- 🏷️ k8s 🏷️ gateway-api 🏷️ http-route 🏷️ backend 🏷️ reference
Validate HTTPRoute to Gateway reference.
- 🏷️ k8s 🏷️ gateway-api 🏷️ http-route 🏷️ gateway 🏷️ reference
Validate HorizontalPodAutoscaler to scale target reference.
- 🏷️ k8s 🏷️ hpa 🏷️ target 🏷️ reference
Validate Ingress (extension) to Service reference.
- 🏷️ k8s 🏷️ ingress 🏷️ ingress-extension 🏷️ service 🏷️ reference
Validate Ingress to Service reference.
- 🏷️ k8s 🏷️ ingress 🏷️ service 🏷️ reference
Validate Ingress TLS and rule domain match.
- 🏷️ k8s 🏷️ ingress 🏷️ ingress-extension 🏷️ tls 🏷️ domain
Validate Ingresses to have unique routing rules.
- 🏷️ k8s 🏷️ ingress 🏷️ ingress-extension 🏷️ unique-route
Validate IngressClasses to have at most only one default.
- 🏷️ k8s 🏷️ ingress-class 🏷️ unique-default
Validate NetworkPolicy to PodSpec reference.
- 🏷️ k8s 🏷️ network-policy 🏷️ pod-spec 🏷️ reference
Validate PodSpec to ServiceAccount reference.
- 🏷️ k8s 🏷️ pod-spec 🏷️ service-account 🏷️ reference
Validate PodSpec volume mount ConfigMap reference.
- 🏷️ k8s 🏷️ pod-spec 🏷️ config-map 🏷️ volume 🏷️ reference
Validate PodSpec volume mount PersistentVolumeClaim reference.
- 🏷️ k8s 🏷️ pod-spec 🏷️ pvc 🏷️ volume 🏷️ reference
Validate PodSpec volume mount Secret reference.
- 🏷️ k8s 🏷️ pod-spec 🏷️ secret 🏷️ volume 🏷️ reference
Validate RoleBinding and ClusterRoleBinding to Role and ClusterRole reference.
- 🏷️ k8s 🏷️ rbac 🏷️ binding 🏷️ role 🏷️ reference
Validate RoleBinding and ClusterRoleBinding to ServiceAccount subject reference.
- 🏷️ k8s 🏷️ rbac 🏷️ binding 🏷️ service-account 🏷️ reference
Validate Service to PodSpec label selector reference.
- 🏷️ k8s 🏷️ service 🏷️ pod-spec 🏷️ reference
Checks Deployments to have min/max replicas - with or without HPAs.
- 🏷️ k8s 🏷️ deployment 🏷️ replica-count
Validate KongConsumer to Credential Secret reference.
- 🏷️ kong 🏷️ consumer 🏷️ credential 🏷️ secret 🏷️ reference
Validate Ingress and Service to Kong Plugin reference
- 🏷️ kong 🏷️ ingress 🏷️ service 🏷️ plugin 🏷️ reference
To submit your rules to the library, follow these steps:
- Find the right place for the rule under the root directory.
- Index the library using:

  ```sh
  $ kubevious index-library .
  ```

- Submit a pull request.