Helm chart linting rules¶

Helm liniting reports offer the linting rules, rule decriptions, and remediations as they are presented in the following table.

Name	Description	Remediation
`dangling-service`	Indicates when services do not have any associated deployments.	Confirm that your service’s selector correctly matches the labels on one of your deployments.
`default-service-account`	Indicates when pods use the default service account.	Create a dedicated service account for your pod. Refer to Configure Service Accounts for Pods for details.
`deprecated-service-account-field`	Indicates when deployments use the deprecated `serviceAccount` field.	Use the `serviceAccountName` field instead.
`drop-net-raw-capability`	Indicates when containers do not drop `NET_RAW` capability.	`NET_RAW` makes it so that an application within the container is able to craft raw packets, use raw sockets, and bind to any address. Remove this capability in the containers under `containers security contexts`.
`env-var-secret`	Indicates when objects use a secret in an environment variable.	Do not use raw secrets in environment variables. Instead, either mount the secret as a file or use a `secretKeyRef`. Refer to Using Secrets for details.
`mismatching-selector`	Indicates when deployment selectors fail to match the pod template labels.	Confirm that your deployment selector correctly matches the labels in its pod template.
`no-anti-affinity`	Indicates when deployments with multiple replicas fail to specify inter-pod anti-affinity, to ensure that the orchestrator attempts to schedule replicas on different nodes.	Specify anti-affinity in your pod specification to ensure that the orchestrator attempts to schedule replicas on different nodes. Using `podAntiAffinity`, specify a `labelSelector` that matches pods for the deployment, and set the `topologyKey` to `kubernetes.io/hostname`. Refer to Inter-pod affinity and anti-afinity for details.
`no-extensions-v1beta`	Indicates when objects use deprecated API versions under `extensions/` `v1beta`.	Migrate using the `apps/v1` API versions for the objects. Refer to Deprecated APIs Removed In 1.16 for details.
`no-liveness-probe`	Indicates when containers fail to specify a liveness probe.	Specify a liveness probe in your container. Refer to Configure Liveness, Readiness, and Startup Probes for details.
`no-read-only-root-fs`	Indicates when containers are running without a read-only root filesystem.	Set `readOnlyRootFilesystem` to `true` in the container `securityContext`.
`no-readiness-probe`	Indicates when containers fail to specify a readiness probe.	Specify a readiness probe in your container. Refer to Configure Liveness, Readiness, and Startup Probes for details.
`non-existent-service-account`	Indicates when pods reference a service account that is not found.	Create the missing service account, or refer to an existing service account.
`privileged-container`	Indicates when deployments have containers running in privileged mode.	Do not run your container as privileged unless it is required.
`required-annotation-email`	Indicates when objects do not have an `email` annotation with a valid email address.	Add an `email` annotation to your object with the email address of the object’s owner.
`required-label-owner`	Indicates when objects do not have an `email` annotation with an `owner` label.	Add an `email` annotation to your object with the name of the object’s owner.
`run-as-non-root`	Indicates when containers are not set to `runAsNonRoot`.	Set `runAsUser` to a non-zero number and `runAsNonRoot` to `true` in your pod or container `securityContext`. Refer to Configure a Security Context for a Pod or Container for details.
`ssh-port`	Indicates when deployments expose port 22, which is commonly reserved for SSH access.	Ensure that non-SSH services are not using port 22. Confirm that any actual SSH servers have been vetted.
`unset-cpu-requirements`	Indicates when containers do not have CPU requests and limits set.	Set CPU requests and limits for your container based on its requirements. Refer to Requests and limits for details.
`unset-memory-requirements`	Indicates when containers do not have memory requests and limits set.	Set memory requests and limits for your container based on its requirements. Refer to Requests and limits for details.
`writable-host-mount`	Indicates when containers mount a host path as writable.	Set containers to mount host paths as `readOnly`, if you need to access files on the host.
`cluster-admin-role-binding`	CIS Benchmark 5.1.1 Ensure that the `cluster-admin` role is only used where required.	Create and assign a separate role that has access to specific resources/actions needed for the service account.
`docker-sock`	Alert on deployments with `docker.sock` mounted in containers.	Ensure the Docker socket is not mounted inside any containers by removing the associated `Volume` and `VolumeMount` in deployment yaml specification. If the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.
`exposed-services`	Alert on services for forbidden types.	Ensure containers are not exposed through a forbidden service type such as `NodePort` or `LoadBalancer`.
`host-ipc`	Alert on pods/deployment-likes with sharing host’s IPC namespace.	Ensure the host’s IPC namespace is not shared.
`host-network`	Alert on pods/deployment-likes with sharing host’s network namespace.	Ensure the host’s network namespace is not shared.
`host-pid`	Alert on pods/deployment-likes with sharing host’s process namespace.	Ensure the host’s process namespace is not shared.
`privilege-escalation-container`	Alert on containers if allowing privilege escalation that could gain more privileges than its parent process.	Ensure containers do not allow privilege escalation by setting `allowPrivilegeEscalation=false`. See Configure a Security Context for a Pod or Container for more details.
`privileged-ports`	Alert on deployments with privileged ports mapped in containers.	Ensure privileged ports [`0`, `1024`] are not mapped within containers.
`sensitive-host-mounts`	Alert on deployments with sensitive host system directories mounted in containers.	Ensure sensitive host system directories are not mounted in containers by removing those `Volumes` and `VolumeMounts`.
`unsafe-proc-mount`	Alert on deployments with unsafe `/proc` mount (`procMount=Unmasked`) that will bypass the default masking behavior of the container runtime.	Ensure container does not unsafely exposes parts of `/proc` by setting `procMount=Default`. Unmasked `ProcMount` bypasses the default masking behavior of the container runtime. See Pod Security Standards for more details.
`unsafe-sysctls`	Alert on deployments specifying unsafe `sysctls` that may lead to severe problems like wrong behavior of containers.	Ensure container does not allow unsafe allocation of system resources by removing unsafe `sysctls` configurations. For more details see Using sysctls in a Kubernetes Cluster and Configure namespaced kernel parameters (sysctls) at runtime.