Helm chart linting rules

Helm liniting reports offer the linting rules, rule decriptions, and remediations as they are presented in the following table.

Name

Description

Remediation

dangling-service

Alert on services that don’t have any matching deployments

Make sure your service selector correctly matches the labels on one of your deployments.

default-service-account

Alert on pods that use the default service account

Create a dedicated service account for your pod. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for more details.

deprecated-service-account-field

Alert on deployments that use the deprecated serviceAccount field

Use the serviceAccountName field instead of the serviceAccount field.

drop-net-raw-capability

Alert on containers not dropping NET_RAW capability

NET_RAW grants an application within the container the ability to craft raw packets, use raw sockets, and it also allows an application to bind to any address. Please specify to drop this capability in the containers under containers security contexts.

env-var-secret

Alert on objects using a secret in an environment variable

Don’t use raw secrets in an environment variable. Instead, either mount the secret as a file or use a secretKeyRef. See https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets for more details.

mismatching-selector

Alert on deployments where the selector doesn’t match the pod template labels

Make sure your deployment’s selector correctly matches the labels in its pod template.

no-anti-affinity

Alert on deployments with multiple replicas that don’t specify inter pod anti-affinity to ensure that the orchestrator attempts to schedule replicas on different nodes

Specify anti-affinity in your pod spec to ensure that the orchestrator attempts to schedule replicas on different nodes. You can do this by using podAntiAffinity, specifying a labelSelector that matches pods of this deployment, and setting the topologyKey to kubernetes.io/hostname. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity for more details.

no-extensions-v1beta

Alert on objects using deprecated API versions under extensions v1beta

Migrate to using the apps/v1 API versions for these objects. See https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.

no-liveness-probe

Alert on containers which don’t specify a liveness probe

Specify a liveness probe in your container. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for more details.

no-read-only-root-fs

Alert on containers not running with a read-only root filesystem

Set readOnlyRootFilesystem to true in your container’s securityContext.

no-readiness-probe

Alert on containers which don’t specify a readiness probe

Specify a readiness probe in your container. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for more details.

non-existent-service-account

Alert on pods referencing a service account that isn’t found

Make sure to create the service account, or to refer to an existing service account.

privileged-container

Alert on deployments with containers running in privileged mode

Don’t run your container as privileged unless required.

required-annotation-email

Alert on objects without an email annotation with a valid email

Add an email annotation to your object with the contact information of the object’s owner.

required-label-owner

Alert on objects without the owner label

Add an email annotation to your object with information about the object’s owner.

run-as-non-root

Alert on containers not set to runAsNonRoot

Set runAsUser to a non-zero number, and runAsNonRoot to true, in your pod or container securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.

ssh-port

Alert on deployments exposing port 22, commonly reserved for SSH access

Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.

unset-cpu-requirements

Alert on containers without CPU requests and limits set

Set your container’s CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.

unset-memory-requirements

Alert on containers without memory requests and limits set

Set your container’s memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.

writable-host-mount

Alert on containers that mount a host path as writable

If you need to access files on the host, mount them as readOnly.