Helm chart linting rules
Helm linting reports present the linting rules, their descriptions, and the recommended remediations, as listed in the following table. (The Name column is empty in this copy of the page, and several descriptions and remediations are cut off where an inline identifier was dropped; the surviving text is kept as-is.)
| Name | Description | Remediation |
|---|---|---|
| | Alert on services that don't have any matching deployments | Make sure your service selector correctly matches the labels on one of your deployments. |
| | Alert on pods that use the default service account | Create a dedicated service account for your pod. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for more details. |
| | Alert on deployments that use the deprecated | Use the |
| | Alert on containers not dropping | |
| | Alert on objects using a secret in an environment variable | Don't use raw secrets in an environment variable. Instead, either mount the secret as a file or use a |
| | Alert on deployments where the selector doesn't match the pod template labels | Make sure your deployment's selector correctly matches the labels in its pod template. |
| | Alert on deployments with multiple replicas that don't specify inter-pod anti-affinity, so the orchestrator attempts to schedule replicas on different nodes | Specify anti-affinity in your pod spec to ensure that the orchestrator attempts to schedule replicas on different nodes. You can do this by using |
| | Alert on objects using deprecated API versions under extensions v1beta | Migrate to using the apps/v1 API versions for these objects. See https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details. |
| | Alert on containers which don't specify a liveness probe | Specify a liveness probe in your container. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for more details. |
| | Alert on containers not running with a read-only root filesystem | Set |
| | Alert on containers which don't specify a readiness probe | Specify a readiness probe in your container. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for more details. |
| | Alert on pods referencing a service account that isn't found | Make sure to create the service account, or to refer to an existing service account. |
| | Alert on deployments with containers running in privileged mode | Don't run your container as privileged unless required. |
| | Alert on objects without an | Add an |
| | Alert on objects without the | Add an email annotation to your object with information about the object's owner. |
| | Alert on containers not set to | Set runAsUser to a non-zero number, and |
| | Alert on deployments exposing port 22, commonly reserved for SSH access | Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted. |
| | Alert on containers without CPU requests and limits set | Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details. |
| | Alert on containers without memory requests and limits set | Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details. |
| | Alert on containers that mount a host path as writable | If you need to access files on the host, mount them as |
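As an added example (not part of this page and not the lint tool's own code), the following Python implements a subset of the rules above as checks over a parsed Deployment and runs them against two constructed manifests: one with the usual mistakes and one hardened so that every check passes. Rules whose identifiers are cut off in the table (the dropped capability, the required label and annotation, the deprecated service-account field) are left out. The field names, the regex used to recognise secret-looking environment variable names, the finding messages and both sample manifests are the author's assumptions.

```python
import re
from typing import Any

Manifest = dict[str, Any]  # Python 3.9+
# Assumption: env var names matching this carry credentials when given a literal value.
SECRET_NAME = re.compile(r"(secret|password|passwd|token|api[_-]?key)", re.I)


def lint(obj: Manifest) -> list[str]:
    """Return one finding per violated rule; an empty list means the object is clean."""
    findings: list[str] = []
    spec = obj.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})

    if obj.get("apiVersion", "").startswith("extensions/v1beta"):
        findings.append("deprecated extensions/v1beta API version; migrate to apps/v1")
    selector = spec.get("selector", {}).get("matchLabels", {})
    labels = spec.get("template", {}).get("metadata", {}).get("labels", {})
    if any(labels.get(k) != v for k, v in selector.items()):
        findings.append("selector does not match pod template labels")
    if pod.get("serviceAccountName", "default") == "default":
        findings.append("pod uses the default service account")
    if spec.get("replicas", 1) > 1 and not pod.get("affinity", {}).get("podAntiAffinity"):
        findings.append("multiple replicas without pod anti-affinity")

    # hostPath volumes are only acceptable when every mount of them is read-only
    host_volumes = {v["name"] for v in pod.get("volumes", []) if "hostPath" in v}
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        n = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{n}: runs in privileged mode")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{n}: root filesystem is not read-only")
        if not sc.get("runAsUser"):  # missing or 0 both mean root
            findings.append(f"{n}: does not run as a non-zero user")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{n}: no {probe}")
        res = c.get("resources", {})
        for r in ("cpu", "memory"):
            if not all(r in res.get(k, {}) for k in ("requests", "limits")):
                findings.append(f"{n}: {r} requests/limits not set")
        for p in c.get("ports", []):
            if p.get("containerPort") == 22:
                findings.append(f"{n}: exposes port 22 (SSH)")
        for e in c.get("env", []):
            if "value" in e and SECRET_NAME.search(e.get("name", "")):
                findings.append(f"{n}: env var {e['name']} carries a literal secret")
        for m in c.get("volumeMounts", []):
            if m.get("name") in host_volumes and not m.get("readOnly"):
                findings.append(f"{n}: hostPath volume {m['name']} mounted writable")
    return findings


# Constructed sample input (not from the page): a rendered Deployment with the common mistakes.
WEAK: Manifest = {
    "apiVersion": "extensions/v1beta1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {
        "replicas": 3, "selector": {"matchLabels": {"app": "web"}},
        "template": {
            "metadata": {"labels": {"app": "web-v2"}},  # selector/label mismatch
            "spec": {
                "volumes": [{"name": "host", "hostPath": {"path": "/var/run"}}],
                "containers": [{
                    "name": "web", "image": "example/web:1.0",
                    "ports": [{"containerPort": 8080}, {"containerPort": 22}],
                    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}],
                }]}}}}

# Constructed sample input: the same workload with each remediation from the table applied.
HARDENED: Manifest = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {
        "replicas": 3, "selector": {"matchLabels": {"app": "web"}},
        "template": {
            "metadata": {"labels": {"app": "web"}},
            "spec": {
                "serviceAccountName": "web",  # dedicated service account
                "affinity": {"podAntiAffinity": {"preferredDuringSchedulingIgnoredDuringExecution": [{
                    "weight": 100, "podAffinityTerm": {
                        "labelSelector": {"matchLabels": {"app": "web"}},
                        "topologyKey": "kubernetes.io/hostname"}}]}},
                "volumes": [{"name": "host", "hostPath": {"path": "/var/run"}},
                            {"name": "db-creds", "secret": {"secretName": "db-creds"}}],
                "containers": [{
                    "name": "web", "image": "example/web:1.0",
                    "ports": [{"containerPort": 8080}],
                    "securityContext": {"privileged": False, "runAsUser": 10001,
                                        "runAsNonRoot": True, "readOnlyRootFilesystem": True},
                    "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                    "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
                    "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                  "limits": {"cpu": "500m", "memory": "256Mi"}},
                    # secret delivered as a file, host path mounted read-only
                    "volumeMounts": [{"name": "db-creds", "mountPath": "/etc/db", "readOnly": True},
                                     {"name": "host", "mountPath": "/host", "readOnly": True}],
                }]}}}}

if __name__ == "__main__":
    for label, obj in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint(obj) or "clean")
```

Run as a script it reports fourteen findings for the weak manifest and "clean" for the hardened one. The checks are deliberately conservative: a missing `securityContext` or `runAsUser` is treated as root, and a hostPath mount is only accepted when the mount itself (not just the volume) is marked `readOnly`, because a single writable mount is enough to expose the host.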