ChartDependenciesExist |
Error |
For dependencies to function properly, the subcharts must be provided in the charts/ directory, be present in the requirements.yaml, and have a valid version. To resolve this message, ensure that all of these things are true for the chart's subcharts. |
CheckCPUValueFormat |
Error |
Valid CPU resource values in Kubernetes are floating point numbers with no suffix or a suffix of "m" and can be no lower than 1m or 0.001. To resolve this message, revise all CPU resource values so that they follow this expectation. |
CheckChartDescription |
Error |
Chart descriptions should be at most 80 characters, written in complete sentences, and not include hyperlinks to properly render in the catalog UI. To resolve this message, make sure that descriptions follow these guidelines. |
CheckChartVersionFormat |
Error |
The version specified in Chart.yaml must be valid according to Semantic Versioning 2.0.0 and must not contain pre-release tags like '-beta' since they are not supported by ICP. This message can be resolved by ensuring that the chart's version adheres to this set of constraints. |
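The two Chart.yaml checks above (CheckChartDescription and CheckChartVersionFormat) can be reproduced with the official Semantic Versioning 2.0.0 grammar. The following is an added example, not code from the linter or from any IBM chart; it assumes Chart.yaml has already been parsed into a Python mapping, and the two sample charts are constructed for illustration.

```python
import re

# Official Semantic Versioning 2.0.0 grammar (the regex published at semver.org).
SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+(?P<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)
# Anything that would render as a link in the catalog: bare URLs or markdown links.
LINK_RE = re.compile(r"https?://|\[[^\]]*\]\([^)]*\)")


def check_chart_version(version):
    """Return None if the version satisfies CheckChartVersionFormat, else the problem."""
    match = SEMVER_RE.match(str(version))
    if not match:
        return f"{version!r} is not a valid Semantic Versioning 2.0.0 version"
    if match.group("prerelease"):
        # Build metadata (+...) is allowed; a pre-release tag (-...) is not.
        return f"{version!r} carries the pre-release tag '-{match.group('prerelease')}'"
    return None


def check_chart_description(description):
    """Return the list of CheckChartDescription problems for a Chart.yaml description."""
    problems = []
    text = str(description).strip()
    if len(text) > 80:
        problems.append(f"description is {len(text)} characters, limit is 80")
    if LINK_RE.search(text):
        problems.append("description contains a hyperlink")
    # Proxy for "complete sentences": starts with a capital, ends with terminal punctuation.
    if not text or not text[0].isupper() or text[-1] not in ".!?":
        problems.append("description is not written as a complete sentence")
    return problems


def lint_chart_yaml(chart):
    """Run both checks over a parsed Chart.yaml mapping and return all findings."""
    findings = []
    problem = check_chart_version(chart.get("version", ""))
    if problem:
        findings.append("version: " + problem)
    findings.extend("description: " + p for p in check_chart_description(chart.get("description", "")))
    return findings


# Constructed Chart.yaml contents, not taken from any real chart.
BAD_CHART = {
    "name": "example",
    "version": "1.2.0-beta.1",
    "description": "example chart, see https://example.invalid/docs for details on how to configure and run it in production",
}
GOOD_CHART = {
    "name": "example",
    "version": "1.2.0",
    "description": "Deploys the example web service with a backing database.",
}

if __name__ == "__main__":
    for chart in (BAD_CHART, GOOD_CHART):
        print(chart["version"], lint_chart_yaml(chart) or "ok")
```

Note that build metadata such as `1.2.0+build.7` passes: only the `-` pre-release component is what ICP rejects.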
CheckContainerPortNameFormat |
Error |
Container port names are expected to follow the format outlined in rfc6335, which defines the syntax for IANA service names. To resolve this message, revise all container port names such that they follow rfc6335. |
CheckForEmptyServiceSelector |
Error |
Empty service selectors are usually a mistake because they match all objects. Barring exceptional circumstances, this message can be resolved by removing any empty service selectors in the chart. |
CheckForOldMetadataLabels |
Review |
Kubernetes recently changed its standard recommended labels (metadata.labels). If a chart decides to migrate to the new labels, the chart will not be upgradeable between versions with the old and new labels; this is because selectors are immutable, so the selectors from the old standard are kept while the labels themselves have been updated to the new versions. To resolve this message, make sure that either the old selectors and labels are used, or make the proper preparations for the breaking changes involved. |
CheckIngressAnnotations |
Error |
ICP's ingress controller requires annotations with the 'ingress.kubernetes.io/' prefix on each Ingress resource, while newer versions of the NGINX ingress controller changed the default prefix to 'nginx.ingress.kubernetes.io/'. To resolve this message, specify both forms of each annotation in the chart. |
CheckMemoryValueFormat |
Error |
Valid memory resource values in Kubernetes are integers either with no suffix or one of the acceptable suffixes ("Mi" or "Gi"). To resolve this message, revise all memory values so that they are valid. |
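A validator for the CPU and memory grammars described under CheckCPUValueFormat and CheckMemoryValueFormat, as an added example (not the linter's own code). It assumes a container's `resources` block has already been parsed into a Python mapping; the sample blocks are constructed. The grammar it enforces is the one stated on this page, which is stricter than the full Kubernetes quantity syntax (the API server also accepts exponent notation and suffixes such as Ki, M or G), so a value that passes here is also accepted by Kubernetes, but not the reverse.

```python
import re
from decimal import Decimal

# Grammar as stated by the two rules above: CPU is a decimal number with no suffix
# or an "m" suffix; memory is an integer with no suffix or a "Mi"/"Gi" suffix.
_CPU_RE = re.compile(r"^(\d+(?:\.\d+)?|\.\d+)(m?)$")
_MEM_RE = re.compile(r"^(\d+)(Mi|Gi)?$")
_MEM_SCALE = {None: 1, "Mi": 1024 ** 2, "Gi": 1024 ** 3}


def cpu_millicores(value):
    """Return a CPU resource value in millicores; raise ValueError when it breaks the rule."""
    text = str(value).strip()
    match = _CPU_RE.match(text)
    if not match:
        raise ValueError(f"CPU value {value!r}: expected a number with no suffix or an 'm' suffix")
    number, suffix = match.groups()
    millis = Decimal(number) * (1 if suffix else 1000)
    # Kubernetes does not allow CPU precision finer than 1m, so "1.5m" and 0.0005 are rejected.
    if millis != millis.to_integral_value():
        raise ValueError(f"CPU value {value!r}: precision finer than 1m is not allowed")
    if millis < 1:
        raise ValueError(f"CPU value {value!r}: must be at least 1m (0.001)")
    return int(millis)


def memory_bytes(value):
    """Return a memory resource value in bytes; raise ValueError when it breaks the rule."""
    text = str(value).strip()
    match = _MEM_RE.match(text)
    if not match:
        raise ValueError(f"memory value {value!r}: expected an integer with no suffix, 'Mi' or 'Gi'")
    number, suffix = match.groups()
    return int(number) * _MEM_SCALE[suffix]


def lint_resources(resources):
    """Check a container's 'resources' block (requests and limits); return the list of findings."""
    findings = []
    for section in ("requests", "limits"):
        for name, checker in (("cpu", cpu_millicores), ("memory", memory_bytes)):
            value = (resources.get(section) or {}).get(name)
            if value is None:
                continue
            try:
                checker(value)
            except ValueError as exc:
                findings.append(f"{section}.{name}: {exc}")
    return findings


# Constructed sample resource blocks, not taken from any real chart.
BAD_RESOURCES = {
    "requests": {"cpu": "0.5m", "memory": "256M"},   # below 1m; "M" is not "Mi"/"Gi"
    "limits": {"cpu": "1000n", "memory": "1.5Gi"},   # unknown suffix; not an integer
}
GOOD_RESOURCES = {
    "requests": {"cpu": "100m", "memory": "256Mi"},
    "limits": {"cpu": "1", "memory": "1Gi"},
}

if __name__ == "__main__":
    print(lint_resources(BAD_RESOURCES))
    print(lint_resources(GOOD_RESOURCES) or "ok")
```

Unquoted YAML numbers arrive as Python floats or ints, which is why the checkers go through `str()`; quoting values in values.yaml avoids surprises such as `0.1` being rendered as `0.1000000000000000055`.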
CheckResourceNameFormat |
Error |
The names of Kubernetes resources must not exceed 253 characters and must consist of lowercase alphanumeric characters, "-", and ".", beginning and ending with an alphanumeric character (a DNS subdomain name). To resolve this message, revise all Kubernetes resource names to adhere to this specification. |
CheckServiceNameFormat |
Error |
Service names (metadata.name) must abide by the rfc1035 definition of a label: at most 63 characters, consisting of lowercase alphanumeric characters or hyphens, beginning with a letter and not ending with a hyphen. To resolve this message, be sure to revise all service names so that they conform to rfc1035. |
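The three name-format rules above (CheckContainerPortNameFormat, CheckResourceNameFormat, CheckServiceNameFormat) correspond to three validation grammars that Kubernetes itself applies: IANA service names (RFC 6335), DNS-1123 subdomains and DNS-1035 labels. The following added example (not the linter's code) implements all three and walks a rendered manifest document, assumed to be parsed into a Python mapping; the sample documents are constructed.

```python
import re

# DNS-1123 subdomain: most metadata.name values (CheckResourceNameFormat).
_DNS1123_SUBDOMAIN = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
# DNS-1035 label: Service names, which must start with a letter (CheckServiceNameFormat).
_DNS1035_LABEL = re.compile(r"^[a-z]([-a-z0-9]*[a-z0-9])?$")
# Character set of an IANA service name, RFC 6335 (CheckContainerPortNameFormat).
_IANA_CHARS = re.compile(r"^[a-z0-9-]+$")


def check_resource_name(name):
    """Return None when the name is a valid DNS subdomain, else the problem."""
    if len(name) > 253:
        return "must be at most 253 characters"
    if not _DNS1123_SUBDOMAIN.match(name):
        return "must be lowercase alphanumerics, '-' or '.', starting and ending with an alphanumeric"
    return None


def check_service_name(name):
    """Return None when the name is a valid DNS-1035 label, else the problem."""
    if len(name) > 63:
        return "must be at most 63 characters"
    if not _DNS1035_LABEL.match(name):
        return "must start with a letter, contain only lowercase alphanumerics or '-', and not end with '-'"
    return None


def check_port_name(name):
    """Return None when the name is a valid IANA service name, else the problem."""
    if len(name) > 15:
        return "must be at most 15 characters"
    if not _IANA_CHARS.match(name):
        return "must contain only lowercase alphanumerics and '-'"
    if not re.search(r"[a-z]", name):
        return "must contain at least one letter"
    if name.startswith("-") or name.endswith("-") or "--" in name:
        return "must not start or end with '-' or contain '--'"
    return None


def lint_names(doc):
    """Return the findings for one rendered manifest document."""
    kind = doc.get("kind", "")
    name = doc.get("metadata", {}).get("name", "")
    findings = []
    problem = check_service_name(name) if kind == "Service" else check_resource_name(name)
    if problem:
        findings.append(f"{kind}/{name}: name {problem}")
    # A bare Pod keeps its containers under spec; controllers keep them under spec.template.spec.
    spec = doc.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec") or spec
    for container in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        for port in container.get("ports", []):
            port_name = port.get("name")
            if port_name is None:
                continue  # port names are optional
            problem = check_port_name(port_name)
            if problem:
                findings.append(f"{kind}/{name} container {container['name']} port {port_name!r}: {problem}")
    return findings


# Constructed sample documents, not taken from any real chart.
BAD_DOC = {
    "kind": "Deployment",
    "metadata": {"name": "Web_App"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "web",
        "ports": [{"name": "http-metrics-api", "containerPort": 9100},   # 16 characters
                  {"name": "8080", "containerPort": 8080}],              # no letter
    }]}}},
}
GOOD_DOC = {
    "kind": "Service",
    "metadata": {"name": "web-app"},
    "spec": {"ports": [{"name": "http", "port": 80}]},
}

if __name__ == "__main__":
    for doc in (BAD_DOC, GOOD_DOC):
        print(doc["metadata"]["name"], lint_names(doc) or "ok")
```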
ContainerHasDropAll |
Error |
Containers must drop all capabilities (drop: ["ALL"]) and add back only the ones they need. |
ContainerHasLivenessProbe |
Error |
Liveness probes are part of ensuring that HA is maintained. Defining liveness probes resolves this message. |
ContainerHasReadinessProbe |
Error |
Readiness probes are part of ensuring that HA is maintained. Defining readiness probes resolves this message. |
ContainerWithNoMatchingServiceHasReadinessProbe |
Review |
In some cases, readiness probes should be defined on Pods even if they do not match any Service. Defining readiness probes on non-matching Pods resolves this message. |
CustomPSPInReadme |
Error |
Charts must specify a "Custom PodSecurityPolicy definition" in README.md. |
DefinedParametersAreUsed |
Error |
Providing parameters that are never used may mislead users into believing that setting the given parameters has any effect on the workload. |
HelmHookHasDeletePolicy |
Warning |
Helm hook resources are not deleted automatically by Helm together with the release's other resources. Helm provides the "helm.sh/hook-delete-policy" annotation to mark these resources for deletion; add it to each hook resource to resolve this message. |
HelmHookMustBeValid |
Error |
This rule checks to make sure that any Helm hook values specified in the chart are valid. Valid values are test-success, test-failure, pre-install, post-install, pre-delete, post-delete, pre-upgrade, post-upgrade, pre-rollback, post-rollback, crd-install |
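A checker for the two hook rules above (HelmHookHasDeletePolicy and HelmHookMustBeValid), added here as an example rather than taken from the linter. It validates the comma-separated `helm.sh/hook` list against the values listed in the rule and the `helm.sh/hook-delete-policy` values Helm accepts (`hook-succeeded`, `hook-failed`, `before-hook-creation`). Manifest documents are assumed to be parsed into Python mappings; the samples are constructed.

```python
# Hook events listed under HelmHookMustBeValid.
VALID_HOOKS = {
    "test-success", "test-failure", "pre-install", "post-install", "pre-delete",
    "post-delete", "pre-upgrade", "post-upgrade", "pre-rollback", "post-rollback",
    "crd-install",
}
# Values Helm accepts for helm.sh/hook-delete-policy.
VALID_DELETE_POLICIES = {"hook-succeeded", "hook-failed", "before-hook-creation"}


def _split(annotation):
    """Helm accepts comma-separated lists in both hook annotations."""
    return [part.strip() for part in annotation.split(",") if part.strip()]


def lint_hook(doc):
    """Return findings for one rendered document; non-hook resources produce none."""
    annotations = doc.get("metadata", {}).get("annotations") or {}
    hook = annotations.get("helm.sh/hook")
    if hook is None:
        return []
    ident = f"{doc.get('kind')}/{doc.get('metadata', {}).get('name')}"
    findings = []
    for event in _split(hook):
        if event not in VALID_HOOKS:
            findings.append(f"{ident}: unknown hook {event!r} (HelmHookMustBeValid)")
    policy = annotations.get("helm.sh/hook-delete-policy")
    if policy is None:
        findings.append(f"{ident}: no helm.sh/hook-delete-policy, resource outlives the release (HelmHookHasDeletePolicy)")
    else:
        for value in _split(policy):
            if value not in VALID_DELETE_POLICIES:
                findings.append(f"{ident}: unknown delete policy {value!r}")
    return findings


def lint_hooks(docs):
    """Run lint_hook over every rendered document and concatenate the findings."""
    return [finding for doc in docs for finding in lint_hook(doc)]


# Constructed sample documents, not taken from any real chart.
BAD_HOOK_JOB = {"kind": "Job", "metadata": {"name": "db-migrate", "annotations": {
    "helm.sh/hook": "pre-instal,post-upgrade"}}}              # typo, and no delete policy
TYPO_POLICY_JOB = {"kind": "Job", "metadata": {"name": "cleanup", "annotations": {
    "helm.sh/hook": "post-delete", "helm.sh/hook-delete-policy": "hook-succeded"}}}
GOOD_TEST_POD = {"kind": "Pod", "metadata": {"name": "example-test", "annotations": {
    "helm.sh/hook": "test-success", "helm.sh/hook-delete-policy": "hook-succeeded"}}}
PLAIN_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"}}

if __name__ == "__main__":
    for finding in lint_hooks([BAD_HOOK_JOB, TYPO_POLICY_JOB, GOOD_TEST_POD, PLAIN_DEPLOYMENT]):
        print(finding)
```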
HelmTestMustExist |
Error |
It is a standard practice to include Helm tests in the chart to ensure that the chart deploys the workload successfully. This rule is broken if there is not at least one test resource defined in the chart. |
HelpersHavePrefix |
Review |
Giving chart helper templates a unique prefix, like the chart's name, avoids naming conflicts with other charts. To resolve this message, give helper templates a unique prefix. |
IBMNotInChartName |
Error |
A chart name beginning with "ibm-" signals that the chart is developed and supported by IBM; a chart developed and supported by any other entity must not use that prefix. To resolve this message, remove "ibm-" from the beginning of the chart name. |
IngressRuleHasHost |
Review |
Ingress rules that do not specify a host can work under certain circumstances, but will break under others, e.g. cases where host names are defined for some rules but not for others. |
LatestTagHasPullPolicyAlways |
Error |
Charts with container images tagged 'latest' must have the imagePullPolicy 'Always' because if the pull policy is 'IfNotPresent' and an image is updated with that same tag and is pulled again by one container, there would be two different versions of the same image running, which is likely not intended. |
LicenseFileExists |
Error |
The LICENSE file at a chart's root is used to communicate the legal implications of using it. To resolve this message, include a LICENSE file at the chart's root. |
ManifestImagesAreUsed |
Review |
Images listed in manifest.yaml should be used somewhere in the chart. |
MetadataDescriptionIsValid |
Error |
The description field in values-metadata.yaml is the source of the tooltip in the ICP UI, so it should be different from and more descriptive than the label of the value. To resolve this message, ensure the description in each __metadata object is different from and longer than the label of the parameter. |
MetadataDistinctKeyAndLabel |
Error |
The label field in values-metadata.yaml is the source of the heading in the ICP UI, so it should be different from the key of the value. To resolve this message, ensure the label in each __metadata object is different from the name of the parameter. |
MeteringAnnotationLabels |
Warning |
Pod controller resources must define the productID, productName, and productVersion annotations on the Pod template in order to enable ICP's built-in metering. |
MidLevelValueHasNoMetadata |
Warning |
Metadata on mid-level values that have both a parent and children are not presented in the UI, so they provide no value. To resolve this message, ensure each mid-level value in values-metadata has no __metadata field. |
NoAllCapabilities |
Error |
It is a poor practice to run containers with privileges beyond the minimum necessary capabilities. To resolve this message and increase security, containers should not run with capabilities set to "ALL". |
NoAlphaAnnotations |
Error |
Alpha annotations are unstable and not meant for production use. To resolve this message, remove any alpha annotations containing ".alpha.kubernetes.io/" aside from "seccomp.security.alpha.kubernetes.io/pod". |
NoBetaAPIVersionsWithStableAvailable |
Warning |
Resources should strive to use the latest stable apiVersion to increase the overall stability of the chart. Ensure each resource uses the latest stable apiVersion to resolve this message. |
NoCapabilitiesInConditions |
Review |
Capabilities used in conditions may not be rendered depending upon which Kubernetes version is being used. Remove capabilities from conditionals to resolve this message. |
NoChartLoadErrors |
Error |
Charts must be able to load correctly in order to be linted for other issues. Fix all chart load errors to resolve this message. |
NoChartVersionInSelector |
Error |
Using the chart version in selector labels will break upgrades because the labels will not upgrade alongside the version number. Remove the chart version from selectors to resolve this message. |
NoChartVersionInVCTLabels |
Warning |
Labels are immutable, so including the chart's version in a volumeClaimTemplate's labels will result in broken upgrades due to the version changes. Remove chart versions from any volumeClaimTemplate's labels to resolve this message. |
NoClusterAdminRequired |
Review |
Different IAM roles have different range and strength of permissions, and it is a best practice to use the least amount of privilege possible to install a chart. |
NoCommentsSwallowingKeyValue |
Info |
A "{{- ... -}}" action placed between a comment above and a key-value pair below can swallow the key-value pair into the comment, leading to other errors. |
NoDefaultContainerCaps |
Warning |
Containers that run with the default set of capabilities may be running with extra unneeded privileges. Containers should run with only the capabilities needed. |
NoDeploymentsWithReadWriteOncePVC |
Error |
It is disadvantageous for Deployments to point to PVCs with an access mode of ReadWriteOnce because such a volume can be mounted read-write by a single node only, so replicas or rolling-update Pods scheduled on other nodes cannot attach it. To resolve this message, revise the PVC to use a different access mode. |
NoDuplicateHelmTemplates |
Error |
Helm templates must be defined with unique names to ensure the referenced template is always the same. |
NoDuplicateLaunchLinkNames |
Error |
Launch link names are generated based upon Service and Ingress configurations. Configuring Services and Ingresses such that the generated names are unique makes it easier to distinguish one Service or Ingress from another. To resolve this message, configure Services and Ingresses so that their resulting launch link names are unique. |
NoHostIP |
Error |
hostIP must not be used on any container ports. |
NoHostNetwork |
Error |
Enabling hostNetwork grants a pod access to all network ports on the worker the pod was deployed on, which makes it accessible on any of those ports. This can lead to port conflicts with other services attempting to use some of these ports as well as issues when the pod is restarted on a different worker/IP. Keeping hostNetwork disabled will resolve this message. |
NoHostPath |
Error |
Configuring a container volume with hostPath ties the Pod to the contents of one node's filesystem and exposes that filesystem to the container, which loses the features that Kubernetes provides, including redundancy and a single source of truth. Charts usually should not configure volumes using hostPath. |
NoHostPort |
Error |
hostPort must not be used on container ports. |
NoHyphensInSubchartNames |
Warning |
Subcharts with names that contain a hyphen make it more difficult to dereference values in templates. To resolve this message, alias such subchart names with a name without a hyphen. |
NoICPReferences |
Error |
Specific references to ICP interfere with the portability of the chart to IKS. Remove any references to ICP in README.md and RELEASENOTES.md to correct this. |
NoIPAddresses |
Error |
Charts should not be defining IP addresses in values.yaml because IP addresses of nodes can change from cluster to cluster. |
NoImagePolicyResources |
Error |
The use of bundled ImagePolicy and ClusterImagePolicy resources is not supported in ICP, and defining these resources in bundled charts is more generally considered to be a bad practice. In order to resolve this message, remove all ImagePolicy and ClusterImagePolicy resources from the chart. |
NoIngressCollisions |
Warning |
Ingress resources must be configurable to ensure workloads can co-exist. If path is hardcoded, the Ingress must have a parameterized hostname to be able to define uniqueness when multiple workloads define the same path. If host is hardcoded or missing, then path must be parameterized for the same reason. If 'hosts' exists under spec.tls, a secretName must be defined. Every host defined under spec.tls must also have a rule associated with it. |
NoInvalidAPIVersions |
Error |
Known, stable API versions match the following regex: '^(v1 |
NoInvalidMetadataFields |
Error |
The ICP UI only uses certain fields under __metadata in values-metadata.yaml, any other fields will have no effect. To resolve this message, ensure all fields under each __metadata object in values-metadata.yaml are valid. |
NoInvalidValuesMetadataKeys |
Error |
Keys in values-metadata.yaml must have the same structure as those in values.yaml, so nested values in values.yaml cannot be shortcut in values-metadata.yaml by using multiple keys at once like 'topValue.childValue' or 'myList.0'. To resolve this message, match the structure of keys in values-metadata.yaml with the structure in values.yaml. |
NoLatestImageTags |
Error |
Using the "latest" container image tag can result in two releases of the same chart using different images that behave differently. To resolve this message, provide an image tag that is not empty or "latest". |
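The two image-tag rules (LatestTagHasPullPolicyAlways above and NoLatestImageTags here) need an image reference parser that does not mistake a registry port for a tag, which is the usual bug in home-grown checks. The following added example (not the linter's code) splits the reference on the last path segment and applies both rules to a Pod spec assumed to be parsed into a Python mapping; the sample specs and the digest value are constructed.

```python
def parse_image(ref):
    """Split an image reference into (repository, tag, digest); tag/digest are None when absent.
    The colon test is done on the last path segment, so 'registry:5000/team/app' has no tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ":" in ref.rsplit("/", 1)[-1]:
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def lint_container_image(container):
    """Apply NoLatestImageTags and LatestTagHasPullPolicyAlways to one container."""
    findings = []
    name = container.get("name", "?")
    image = container.get("image", "")
    _, tag, digest = parse_image(image)
    policy = container.get("imagePullPolicy")
    if digest is None and tag in (None, "latest"):
        # An absent tag means ':latest' to the runtime, so it is the same problem.
        findings.append(f"NoLatestImageTags: {name} uses {image!r}, not pinned to a release tag or digest")
    if tag == "latest" and policy != "Always":
        # Kubernetes defaults an omitted policy to Always for ':latest'; this check still wants
        # the chart to state it explicitly rather than rely on the default.
        findings.append(f"LatestTagHasPullPolicyAlways: {name} uses a 'latest' tag with imagePullPolicy {policy!r}")
    return findings


def lint_pod_images(pod_spec):
    """Run the image checks over init containers and containers of a Pod spec."""
    findings = []
    for container in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        findings.extend(lint_container_image(container))
    return findings


# Constructed sample Pod specs, not taken from any real chart.
BAD_POD_SPEC = {"containers": [
    {"name": "web", "image": "nginx", "imagePullPolicy": "IfNotPresent"},
    {"name": "app", "image": "registry.example.com:5000/team/app:latest", "imagePullPolicy": "IfNotPresent"},
]}
GOOD_POD_SPEC = {"containers": [
    {"name": "web", "image": "nginx:1.21.6", "imagePullPolicy": "IfNotPresent"},
    # Constructed digest (all zeros) standing in for a real sha256 pin.
    {"name": "app", "image": "registry.example.com:5000/team/app@sha256:" + "0" * 64},
]}

if __name__ == "__main__":
    print(lint_pod_images(BAD_POD_SPEC))
    print(lint_pod_images(GOOD_POD_SPEC) or "ok")
```

Pinning by digest (`@sha256:...`) is the strongest form, since a tag can be re-pushed while a digest cannot.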
NoLongTooltips |
Warning |
Descriptions longer than 146 characters may not display properly in the UI. |
NoManifestInHelmignoreNonProd |
Error |
ibm_cloud_pak/manifest.yaml may not be listed in .helmignore for non-prod charts. |
NoMyclusterIcpInImageName |
Error |
If an image does not already exist in the container registry on the cluster, the image pull will fail; this can be encountered if a chart uses images with hard-coded paths containing "mycluster.icp". To resolve this message, do not hardcode images with paths containing "mycluster.icp" in the chart. |
NoNamespace |
Error |
Charts for ICP and IKS assume that the namespace is provided at install time, and having resources define which namespace they install into subverts this expectation. Removing metadata.namespace definitions from resources resolves this message. |
NoNilValuesMetadataFields |
Error |
Keys in values-metadata are not allowed to have nil values. To resolve this message, ensure all keys in values-metadata.yaml have a non-nil value. |
NoPersistentVolumes |
Error |
PersistentVolume resources cannot be created because allocation is environment-specific and may require permissions more than those required to deploy the chart otherwise. To resolve this message, if persistent storage is required, create a PersistentVolumeClaim. |
NoPrivateIAMEndpoints |
Error |
The kube-system NetworkPolicy will not allow accessing most services directly and will require accessing services via the management ingress. Most services and ports are blocked using the .kube-system DNS name. Ports that will be blocked (not an exhaustive list) are: 9443, 4300, 4500, 10443, 39001 and 7998. |
NoPrivilegedContainers |
Error |
Privileged containers present a security liability that may be avoided. Barring exceptional circumstances, this message can be resolved by avoiding use of privileged containers. |
NoRangeOverValues |
Review |
When a range over .Values is used in a template, variables may not be correctly marked as used. |
NoRenderErrors |
Error |
Templates must be able to render correctly in order to be linted for other issues. Fix all render errors to resolve this message. |
NoRunAsRootUser |
Error |
It is a best practice to limit the privileges of a system to the lowest possible in order to operate. This message can be corrected by running the containers as a non-root user. |
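The Pod-hardening rules on this page (ContainerHasDropAll, NoAllCapabilities, NoDefaultContainerCaps, NoHostIP, NoHostNetwork, NoHostPath, NoHostPort, NoPrivilegedContainers and NoRunAsRootUser) are all decided from a single Pod spec, so one audit function covers them. The following is an added example, not the linter's code; it assumes the Pod spec (from a Pod or a controller's template) is parsed into a Python mapping, and both sample specs are constructed. Note the precedence it applies, which is the Kubernetes one: a container-level securityContext overrides the Pod-level one, and a container counts as possibly-root unless runAsNonRoot is true or an explicit non-zero runAsUser applies.

```python
def audit_pod_spec(pod_spec):
    """Return one finding per violated rule, tagged with the rule name from this page."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}

    if pod_spec.get("hostNetwork"):
        findings.append("NoHostNetwork: pod shares the node's network namespace")
    for volume in pod_spec.get("volumes", []):
        if "hostPath" in volume:
            path = volume["hostPath"].get("path")
            findings.append(f"NoHostPath: volume {volume['name']} mounts {path!r} from the node")

    for container in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        name = container["name"]
        sc = container.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = {c.upper() for c in caps.get("add", [])}
        dropped = {c.upper() for c in caps.get("drop", [])}

        if sc.get("privileged"):
            findings.append(f"NoPrivilegedContainers: {name} is privileged")
        if "ALL" in added:
            findings.append(f"NoAllCapabilities: {name} adds ALL capabilities")
        if "ALL" not in dropped:
            # Without drop: [ALL] the container keeps the runtime's default capability set.
            findings.append(f"ContainerHasDropAll/NoDefaultContainerCaps: {name} does not drop ALL")

        # Container-level settings win over Pod-level ones.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0 or (run_as_user is None and not run_as_non_root):
            findings.append(f"NoRunAsRootUser: {name} may run as UID 0")

        for port in container.get("ports", []):
            if "hostPort" in port:
                findings.append(f"NoHostPort: {name} binds hostPort {port['hostPort']}")
            if "hostIP" in port:
                findings.append(f"NoHostIP: {name} binds hostIP {port['hostIP']}")
    return findings


# Constructed sample Pod specs, not taken from any real chart.
BAD_POD_SPEC = {
    "hostNetwork": True,
    "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{
        "name": "agent",
        "image": "example.invalid/agent:1.0.0",
        "securityContext": {"privileged": True, "runAsUser": 0, "capabilities": {"add": ["ALL"]}},
        "ports": [{"containerPort": 8080, "hostPort": 8080, "hostIP": "0.0.0.0"}],
    }],
}
GOOD_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "web",
        "image": "example.invalid/web:1.0.0",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
        "ports": [{"containerPort": 8080}],
    }],
}

if __name__ == "__main__":
    for finding in audit_pod_spec(BAD_POD_SPEC):
        print(finding)
    print(audit_pod_spec(GOOD_POD_SPEC) or "ok")
```

The hardened spec keeps exactly one capability (NET_BIND_SERVICE) after dropping ALL, which is the pattern the ContainerHasDropAll rule asks for.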
NoSecretResources |
Error |
The information in Secrets is visible via helm get manifest (Secret data is only base64-encoded, not encrypted), so creating them with charts is hazardous. To resolve this message, remove any Secrets from the chart and reference Secrets created outside it instead. |
NoSelectorsOnJobs |
Error |
The default logic that creates Job selectors ensures uniqueness. This message can be resolved by removing selectors from all Jobs. |
NoSensitiveInfoInValues |
Review |
Placing sensitive information such as passwords or keys in values.yaml is an insecure practice because these values can be retrieved from the cluster (for example with helm get values). To resolve this message, do not include sensitive information in the chart. |
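A scanner for the two rules above (NoSecretResources and NoSensitiveInfoInValues), added here as an example and not taken from the linter. It walks a parsed values.yaml for credential-looking keys that carry a non-empty value, while ignoring keys that merely name an existing Secret (`secretName`, `existingSecret`, `...Ref`), and lists any Secret resources among rendered documents. The key patterns are a heuristic of this example, and the sample values and documents are constructed.

```python
import re

# Keys whose values are likely to be credential material (heuristic).
_SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|privatekey|private_key|credential)", re.I)
# Keys that only reference an existing Secret and therefore carry no material.
_REFERENCE_KEY = re.compile(r"(name|ref|existingsecret)$", re.I)


def _is_material(key, value):
    return (_SENSITIVE_KEY.search(str(key)) is not None
            and _REFERENCE_KEY.search(str(key)) is None
            and value not in (None, "", False))


def find_sensitive_values(values, path=""):
    """Return dotted paths in a parsed values.yaml whose key looks sensitive and whose value is set."""
    hits = []
    if isinstance(values, dict):
        # Environment-style entries ({name: X, value: Y}) are keyed by their name field.
        if set(values) >= {"name", "value"}:
            if _is_material(values["name"], values["value"]):
                hits.append(f"{path}.{values['name']}")
            return hits
        for key, value in values.items():
            here = f"{path}.{key}" if path else str(key)
            if isinstance(value, (dict, list)):
                hits.extend(find_sensitive_values(value, here))
            elif _is_material(key, value):
                hits.append(here)
    elif isinstance(values, list):
        for index, item in enumerate(values):
            hits.extend(find_sensitive_values(item, f"{path}[{index}]"))
    return hits


def find_secret_resources(docs):
    """Return the Secret resources among rendered manifest documents (NoSecretResources)."""
    return [f"Secret/{doc['metadata']['name']}" for doc in docs if doc.get("kind") == "Secret"]


# Constructed values.yaml contents and rendered documents, not from any real chart.
VALUES = {
    "db": {"user": "app", "password": "changeme", "existingSecret": "db-creds"},
    "api": {"apiKey": "constructed-not-a-real-key", "secretName": "api-creds"},
    "tls": {"enabled": True, "secretName": "web-tls"},
    "extraEnv": [{"name": "GITHUB_TOKEN", "value": "constructed-token"}],
}
DOCS = [
    {"kind": "Secret", "metadata": {"name": "db-creds"}, "data": {"password": "Y2hhbmdlbWU="}},
    {"kind": "Deployment", "metadata": {"name": "web"}},
]

if __name__ == "__main__":
    print(find_sensitive_values(VALUES))
    print(find_secret_resources(DOCS))
```

The usual fix for a hit is to keep the Secret out of the chart and wire the workload to it with `valueFrom.secretKeyRef`, so values.yaml carries only the Secret's name.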
NoServiceSelectorsMatchingTestPods |
Error |
If service selectors match test pods, the Service may direct traffic to the test Pod instead of the intended Deployment, StatefulSet, etc. This message can be resolved by correcting service selectors to not match any test pods. |
NoSysctl |
Error |
Charts should usually not be creating pods which run sysctl commands. |
NoValuesLoadErrors |
Error |
Values must be able to load correctly in order to be linted for other issues. Fix all values load errors to resolve this message. |
NoValuesMetadataLoadErrors |
Error |
The metadata is used alongside values to provide a helpful and complete user experience, so it must load properly. Failing to supply metadata to complement the values leads to missing tooltips and other deficiencies in the UI. |
NotesFileExists |
Error |
templates/NOTES.txt is used to communicate instructions for how to access resources created by the chart. In order to resolve this message, include a templates/NOTES.txt file in your chart. |
OneYAMLDocPerFile |
Warning |
Each YAML document should be within its own YAML file to keep resources clean and organized. |
PSPInReadme |
Error |
Charts must specify the same PSP name in ibm_cloud_pak/qualification.yaml and README.md as a link to the PSP definitions at https://ibm.biz/cpkspec-psp. |
PVCServiceNameLength |
Error |
PVC service names must not exceed 63 characters when added to the prefix 'glusterfs-dynamic-'. |
PakSpecFileExists |
Error |
Including an ibm_cloud_pak/manifest.yaml file in a chart and each of its subcharts ensures that cloudctl properly creates archives containing the required container images and charts. To resolve this message, include an ibm_cloud_pak/manifest.yaml file in the chart and all of its subcharts. |
ParametersMustBeCamelCase |
Warning |
Helm's best practices state that fields in values.yaml should be camelCase and avoid naming conflicts with predefined values in Helm. To resolve this message, follow these best practices. |
PodControllerHasSelector |
Error |
Entries in spec.selector.matchLabels allow for proper management of groups of objects. Include at least one entry in spec.selector.matchLabels on each pod controller to resolve this message. |
PodHasArchBasedNodeAffinity |
Error |
Pods should define architecture-based node affinity, because without it the scheduler may repeatedly place a Pod on a node whose architecture the image does not support. |
PodLabelsAreUnique |
Error |
Pod labels should be unique to increase the reliability of a given deployment, removing a class of problems that arises from naming collisions between deployments. |
QualificationFileExists |
Error |
ibm_cloud_pak/qualification.yaml is required for certification. |
QualificationHasRole |
Error |
Each ibm_cloud_pak/qualification.yaml should define an installer role in order to better communicate the pre-reqs for installing the chart. |
QualificationHasValidRole |
Error |
Each ibm_cloud_pak/qualification.yaml should define a valid installer role in order to better communicate the pre-reqs for installing the chart. |
ReadmeFileExists |
Error |
The README.md for a chart is used to communicate what the chart does, what its prerequisites are, and how to install it. To resolve this message, include a README.md at the root of the chart. |
ReadmeHasBeta |
Error |
Beta charts must have 'Beta' in the header of their README.md. |
ReadmeHasRequiredSections |
Error |
There is a predefined list of required README sections used internally for consistency: Chart Name, Introduction, Chart Details, Prerequisites, PodSecurityPolicy Requirements, Resources Required, Installing the Chart, Configuration, Storage (only if storage is required as part of the deployment), and Limitations. |
ReleaseNameFormat |
Error |
Helm requires that release names be up to 53 characters including upper and lower case letters, numbers, underscores, hyphens, and periods, where non-alphanumeric characters may not appear consecutively or at the beginning or end of the release name. |
ReleaseNotesFileExists |
Error |
RELEASENOTES.md is included at the chart's root and is used to communicate changes between versions of the chart. To resolve this message, include a RELEASENOTES.md at the root of the chart. |
ReleaseNotesHasRequiredSections |
Error |
There is a predefined list of required RELEASENOTES.md sections used internally for consistency: "What's new...", "Fixes", "Prerequisites", "Version History", "Breaking Changes", "Documentation". |
ReleaseNotesHasSuggestedSections |
Info |
There is a predefined list of suggested RELEASENOTES.md sections used internally for consistency: "What's new...", "Fixes", "Prerequisites", "Version History", "Breaking Changes", "Documentation". |
RequiredChartKeys |
Error |
The name, version, description, appVersion, kubeVersion, and tillerVersion fields in Chart.yaml are required in top-level charts because they are either required by helm or define important metadata for the catalog, customers, and testing environment. To resolve this message, provide values for each of these fields in the chart's Chart.yaml. |
RequiredChartKeywords |
Error |
Charts must include one keyword from each of the required keyword categories (classification, architecture, verified, and category) in order to support filtering in the catalog UI. To resolve this message, include these required keywords. |
RequiredMetadataFields |
Error |
The label and description fields are required on each __metadata object because they provide important information useful to the ICP UI. To resolve this message, ensure each __metadata object defines a label and description. |
RequiredMetadataLabels |
Error |
The labels that Helm recommends provide useful identification information used by Kubernetes, other resources, and users of the cluster. To resolve this message, include these recommended labels, which can be either "app", "chart", "heritage", and "release", or "app.kubernetes.io/name", "helm.sh/chart", "app.kubernetes.io/managed-by", and "app.kubernetes.io/instance". |
RequirementsLockInGitIgnore |
Error |
requirements.lock should not be committed to source control because it contains internal paths that should not be published. Deleting requirements.lock or listing it in .gitignore resolves this message. |
ResourceHasName |
Error |
Resources must define metadata.name for easier identification and selection of a given resource. |
ResourceHasUniqueNameAmongKind |
Error |
Resources must define a unique metadata.name for its kind for clear identification. |
ReviewMaintainerEmailAddresses |
Review |
Maintainers in charts identify products or organizations and are not intended to identify individuals. To resolve this message, do not use personal email addresses. |
SCHInitializedBeforeUse |
Error |
The sch.config.init method must be included in all templates that use SCH because it imports _sch-chart-config.tpl and the default sch values. If it is not specified, you aren't guaranteed to have the expected values needed to correctly populate sch parameters. |
SelectorMatchLabelsAreUnique |
Error |
Selectors are intended to be unique across a given workload, i.e. no spec.selector.matchLabels may be a subset of any other spec.selector.matchLabels. Making all resource selectors unique will resolve this message. |
SelectorsAreValid |
Error |
Selectors must be free of syntax errors in order to function properly. |
ServiceAccountHasPullSecret |
Warning |
Image pull secrets are required on ServiceAccounts in order to provide a way for Pods to pull namespace-scoped images from the local ICP image registry. |
ServiceAccountHasSANamespacePullSecret |
Error |
When icp-image-manager loads an image into the ICP internal registry, it creates an ICP docker registry secret named "sa-" + namespace and associates it with the default service account. If a service account is created during chart installation, that registry secret must be associated with it as well. This is required for all charts because of the requirement to support "airgap" environments. |
ServiceSelectorsMatchesPod |
Review |
A Service selector matching no Pods is usually a mistake because Services usually direct traffic to a logical set of Pods. Barring exceptional circumstances, this message can be resolved by either removing the service selectors or making sure that the selectors properly match pods. |
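The selector rules on this page (CheckForEmptyServiceSelector, NoChartVersionInSelector, PodControllerHasSelector, SelectorMatchLabelsAreUnique, NoServiceSelectorsMatchingTestPods and ServiceSelectorsMatchesPod) all reduce to evaluating matchLabels against the Pod templates of a release, so one pass over the rendered documents covers them. The following is an added example and not the linter's code; it assumes the documents are parsed into Python mappings (for instance from `helm template` output) and that test Pods are recognised by their `helm.sh/hook: test-*` annotation. The sample release is constructed.

```python
import itertools

CONTROLLER_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet"}


def selector_matches(match_labels, labels):
    """True when every key/value of the selector is present on the label set."""
    return all(labels.get(key) == value for key, value in match_labels.items())


def pod_labels(doc):
    """Labels of a Pod, or of a controller's Pod template; None for other kinds."""
    if doc.get("kind") == "Pod":
        return doc.get("metadata", {}).get("labels", {})
    template = doc.get("spec", {}).get("template")
    return template.get("metadata", {}).get("labels", {}) if template else None


def is_test_pod(doc):
    hook = doc.get("metadata", {}).get("annotations", {}).get("helm.sh/hook", "")
    return any(part.strip().startswith("test-") for part in hook.split(","))


def lint_selectors(docs, chart_version):
    """Return the findings for a whole rendered release, tagged with the rule names."""
    findings = []
    pods = [(doc, pod_labels(doc)) for doc in docs if pod_labels(doc) is not None]
    controllers = []
    for doc in docs:
        kind, name = doc.get("kind"), doc.get("metadata", {}).get("name")
        ident = f"{kind}/{name}"
        if kind == "Service":
            selector = doc.get("spec", {}).get("selector")
            if selector is None:
                continue  # a Service without a selector is fed by hand-made Endpoints
            if not selector:
                findings.append(f"{ident}: empty selector (CheckForEmptyServiceSelector)")
                continue
            matched = [pod for pod, labels in pods if selector_matches(selector, labels)]
            if not matched:
                findings.append(f"{ident}: selector matches no Pod (ServiceSelectorsMatchesPod)")
            for pod in matched:
                if is_test_pod(pod):
                    findings.append(f"{ident}: selector matches test Pod {pod['metadata']['name']} "
                                    "(NoServiceSelectorsMatchingTestPods)")
        elif kind in CONTROLLER_KINDS:
            selector = doc.get("spec", {}).get("selector", {}).get("matchLabels") or {}
            if not selector:
                findings.append(f"{ident}: no spec.selector.matchLabels (PodControllerHasSelector)")
            # A value such as "example-1.2.3" changes on every release and the selector cannot follow it.
            if any(chart_version in str(value) for value in selector.values()):
                findings.append(f"{ident}: chart version {chart_version} in selector (NoChartVersionInSelector)")
            controllers.append((ident, selector))
    # No controller's matchLabels may be a subset of another's, or it also selects those Pods.
    for (a, sel_a), (b, sel_b) in itertools.permutations(controllers, 2):
        if sel_a and sel_a.items() <= sel_b.items():
            findings.append(f"{a}: selector is a subset of {b}'s selector (SelectorMatchLabelsAreUnique)")
    return findings


# Constructed sample release, not taken from any real chart.
def controller(kind, name, selector, labels):
    return {"kind": kind, "metadata": {"name": name},
            "spec": {"selector": {"matchLabels": selector}, "template": {"metadata": {"labels": labels}}}}


def service(name, selector):
    return {"kind": "Service", "metadata": {"name": name}, "spec": {"selector": selector}}


CHART_VERSION = "1.2.3"
DOCS = [
    controller("Deployment", "web", {"app": "web", "release": "r1"}, {"app": "web", "release": "r1"}),
    controller("Deployment", "worker", {"app": "web"}, {"app": "web", "component": "worker"}),
    controller("Deployment", "legacy", {"app": "legacy", "chart": "example-1.2.3"},
               {"app": "legacy", "chart": "example-1.2.3"}),
    service("web", {"app": "web", "release": "r1"}),
    service("metrics", {}),
    service("orphan", {"app": "nothing"}),
    {"kind": "Pod", "metadata": {"name": "web-test", "labels": {"app": "web", "release": "r1"},
                                 "annotations": {"helm.sh/hook": "test-success"}}},
]

if __name__ == "__main__":
    for finding in lint_selectors(DOCS, CHART_VERSION):
        print(finding)
```

The test Pod finding is the security-relevant one: a Service that also selects the test Pod will route live traffic to it for as long as it exists.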
StandardHelmLint |
Varies |
Charts must follow rules run by Helm's built-in lint command. |
StatefulSetWithPVCNameLength |
Error |
Names for StatefulSet volumeClaimTemplates must be no more than 37 characters in order to properly install. |
StorageClassNameInCondition |
Warning |
Use of the storageClassName in a volumeClaimTemplate should be within conditional logic that depends on the value of the useDynamicProvisioning parameter in order to ensure a new PersistentVolume is only created when intended. |
TemplateFunctionValidForTiller |
Error |
In order to ensure that the helm template functions specified in the chart are valid and available to use, this rule checks the tillerVersion to see if the template function is available in the given version or range of versions of Tiller. |
TemplatesDirectoryExists |
Error |
Templates must exist in a directory named 'templates'. To resolve this message, create a templates directory at the root of the chart. |
TopLevelValueHasMetadata |
Error |
Top-level values in values-metadata.yaml define parameters grouped together in the UI, so they should have metadata defined to clarify the grouping. To resolve this message, ensure each top-level value in values-metadata has a __metadata field. |
TopLevelValueHasRequiredMetadataKeys |
Error |
Top-level values in values-metadata.yaml define parameters grouped together in the UI, so their __metadata must carry the required keys (label and description) to describe the grouping. To resolve this message, ensure the __metadata field of each top-level value defines the required keys. |
UsedImagesInManifest |
Error |
Every image used in a chart must be listed in ibm_cloud_pak/manifest.yaml so that it is loaded into the ICP cluster and scanned by VA. If the helmTestOverride parameter is set to 'enabled', images listed for test pods are not required to be in the manifest. |
UsedParametersAreDefined |
Review |
If parameters are used but not defined in the values.yaml, it means that the UI will not provide the field to be filled in. If the parameter is assumed to be set to a value, the chart will not work without providing an override from the command line. |
UsedTemplatesAreDefined |
Error |
This rule is broken if an undefined template is used in the chart. |
ValidMetadataType |
Error |
The UI only supports four types in the metadata: string, boolean, number, and password. The defined type in values-metadata.yaml must be compatible with the value in values.yaml. |
ValidYAMLFormat |
Error |
Templates must render to valid YAML. |
ValidateMetadataSchema |
Error |
Each of the fields under __metadata in values-metadata.yaml must have values of the correct type in order to display properly in the ICP UI. To resolve this message, ensure all fields under each __metadata object in values-metadata.yaml are of the correct type. |
ValidateSchema |
Error |
Kubernetes prescribes various YAML schema to define the objects that are a part of a workload. To resolve this message, verify that all YAML files conform to these schema. |
ValidateSubchartKubeVersion |
Error |
If a subchart in a given chart does not support all versions of Kubernetes that its parent supports, not all installs on the parent-supported versions of Kubernetes will succeed. To resolve this message, make sure all subcharts support at least the versions of Kubernetes that the parent chart supports. |
ValidateSubchartTillerVersion |
Error |
If a subchart does not support all of the Tiller versions supported by its parent, the chart cannot be deployed on a cluster running a Tiller version that the parent supports but the subchart does not. To resolve this message, make sure that the subcharts support at least the parent's supported Tiller versions. |
ValuesMetadataFileExists |
Error |
values-metadata.yaml is used to augment the ICP UI for a given chart by providing the data needed for the UI to intelligently render parameters and provide tooltips. To resolve this message, include a values-metadata.yaml file at the root of the chart. |
ValuesMetadataStructureMatchesValues |
Error |
The keys in values.yaml must map 1:1 with keys in values-metadata.yaml in order to correctly map metadata to values in the UI. To resolve this message, ensure all keys in values.yaml are present in the same location in values-metadata.yaml. |
YAMLFileIsValidYAML |
Error |
All non-templated YAML files must contain valid YAML in order to be read correctly. |