deployment-strategy |
Deployment |
Makes sure that all Deployments targeted by service use RollingUpdate strategy |
default |
deployment-replicas |
Deployment |
Makes sure that Deployment has multiple replicas. The --min-replicas-deployment flag can be used to specify the required minimum. Default is 2. |
default |
ingress-targets-service |
Ingress |
Makes sure that the Ingress targets a Service |
default |
cronjob-has-deadline |
CronJob |
Makes sure that all CronJobs has a configured deadline |
default |
cronjob-restartpolicy |
CronJob |
Makes sure CronJobs have a valid RestartPolicy |
default |
container-resources |
Pod |
Makes sure that all pods have resource limits and requests set. The --ignore-container-cpu-limit flag can be used to disable the requirement of having a CPU limit |
default |
container-resource-requests-equal-limits |
Pod |
Makes sure that all pods have the same requests as limits on resources set. |
optional |
container-cpu-requests-equal-limits |
Pod |
Makes sure that all pods have the same CPU requests as limits set. |
optional |
container-memory-requests-equal-limits |
Pod |
Makes sure that all pods have the same memory requests as limits set. |
optional |
container-image-tag |
Pod |
Makes sure that a explicit non-latest tag is used |
default |
container-image-pull-policy |
Pod |
Makes sure that the pullPolicy is set to Always. This makes sure that imagePullSecrets are always validated. |
default |
container-ephemeral-storage-request-and-limit |
Pod |
Makes sure all pods have ephemeral-storage requests and limits set |
default |
container-ephemeral-storage-request-equals-limit |
Pod |
Make sure all pods have matching ephemeral-storage requests and limits |
optional |
container-ports-check |
Pod |
Container Ports Checks |
optional |
environment-variable-key-duplication |
Pod |
Makes sure that duplicated environment variable keys are not duplicated |
default |
statefulset-has-poddisruptionbudget |
StatefulSet |
Makes sure that all StatefulSets are targeted by a PDB |
default |
deployment-has-poddisruptionbudget |
Deployment |
Makes sure that all Deployments are targeted by a PDB |
default |
poddisruptionbudget-has-policy |
PodDisruptionBudget |
Makes sure that PodDisruptionBudgets specify minAvailable or maxUnavailable |
default |
pod-networkpolicy |
Pod |
Makes sure that all Pods are targeted by a NetworkPolicy |
default |
networkpolicy-targets-pod |
NetworkPolicy |
Makes sure that all NetworkPolicies targets at least one Pod |
default |
pod-probes |
Pod |
Makes sure that all Pods have safe probe configurations |
default |
container-security-context-user-group-id |
Pod |
Makes sure that all pods have a security context with valid UID and GID set |
default |
container-security-context-privileged |
Pod |
Makes sure that all pods have a unprivileged security context set |
default |
container-security-context-readonlyrootfilesystem |
Pod |
Makes sure that all pods have a security context with read only filesystem set |
default |
container-seccomp-profile |
Pod |
Makes sure that all pods have at a seccomp policy configured. |
optional |
service-targets-pod |
Service |
Makes sure that all Services targets a Pod |
default |
service-type |
Service |
Makes sure that the Service type is not NodePort |
default |
stable-version |
all |
Checks if the object is using a deprecated apiVersion |
default |
deployment-has-host-podantiaffinity |
Deployment |
Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
default |
statefulset-has-host-podantiaffinity |
StatefulSet |
Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
default |
deployment-targeted-by-hpa-does-not-have-replicas-configured |
Deployment |
Makes sure that Deployments using a HorizontalPodAutoscaler doesn't have a statically configured replica count set |
default |
statefulset-has-servicename |
StatefulSet |
Makes sure that StatefulSets have an existing headless serviceName. |
default |
deployment-pod-selector-labels-match-template-metadata-labels |
Deployment |
Ensure the StatefulSet selector labels match the template metadata labels. |
default |
statefulset-pod-selector-labels-match-template-metadata-labels |
StatefulSet |
Ensure the StatefulSet selector labels match the template metadata labels. |
default |
label-values |
all |
Validates label values |
default |
horizontalpodautoscaler-has-target |
HorizontalPodAutoscaler |
Makes sure that the HPA targets a valid object |
default |
horizontalpodautoscaler-replicas |
HorizontalPodAutoscaler |
Makes sure that the HPA has multiple replicas. The --min-replicas-hpa flag can be used to specify the required minimum. Default is 2. |
default |
pod-topology-spread-constraints |
Pod |
Pod Topology Spread Constraints |
default |