Helm chart linting rules

Helm linting reports present the linting rules, rule descriptions, and remediations as shown in the following table.

| Name | Description | Remediation |
| --- | --- | --- |
| dangling-service | Indicates when services do not have any associated deployments. | Confirm that your service's selector correctly matches the labels on one of your deployments. |
| default-service-account | Indicates when pods use the default service account. | Create a dedicated service account for your pod. Refer to Configure Service Accounts for Pods for details. |
| deprecated-service-account-field | Indicates when deployments use the deprecated serviceAccount field. | Use the serviceAccountName field instead. |
| drop-net-raw-capability | Indicates when containers do not drop the NET_RAW capability. | NET_RAW allows an application within the container to craft raw packets, use raw sockets, and bind to any address. Drop this capability in the container's securityContext. |
| env-var-secret | Indicates when objects use a secret in an environment variable. | Do not use raw secrets in environment variables. Instead, either mount the secret as a file or use a secretKeyRef. Refer to Using Secrets for details. |
| mismatching-selector | Indicates when deployment selectors fail to match the pod template labels. | Confirm that your deployment selector correctly matches the labels in its pod template. |
| no-anti-affinity | Indicates when deployments with multiple replicas fail to specify inter-pod anti-affinity, which ensures that the orchestrator attempts to schedule replicas on different nodes. | Specify anti-affinity in your pod specification to ensure that the orchestrator attempts to schedule replicas on different nodes. Using podAntiAffinity, specify a labelSelector that matches pods for the deployment, and set the topologyKey to kubernetes.io/hostname. Refer to Inter-pod affinity and anti-affinity for details. |
| no-extensions-v1beta | Indicates when objects use deprecated API versions under extensions/v1beta. | Migrate to the apps/v1 API versions for the objects. Refer to Deprecated APIs Removed In 1.16 for details. |
| no-liveness-probe | Indicates when containers fail to specify a liveness probe. | Specify a liveness probe in your container. Refer to Configure Liveness, Readiness, and Startup Probes for details. |
| no-read-only-root-fs | Indicates when containers are running without a read-only root filesystem. | Set readOnlyRootFilesystem to true in the container securityContext. |
| no-readiness-probe | Indicates when containers fail to specify a readiness probe. | Specify a readiness probe in your container. Refer to Configure Liveness, Readiness, and Startup Probes for details. |
| non-existent-service-account | Indicates when pods reference a service account that is not found. | Create the missing service account, or refer to an existing service account. |
| privileged-container | Indicates when deployments have containers running in privileged mode. | Do not run your container as privileged unless it is required. |
| required-annotation-email | Indicates when objects do not have an email annotation with a valid email address. | Add an email annotation to your object with the email address of the object's owner. |
| required-label-owner | Indicates when objects do not have an owner label. | Add an owner label to your object with the name of the object's owner. |
| run-as-non-root | Indicates when containers are not set to runAsNonRoot. | Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to Configure a Security Context for a Pod or Container for details. |
| ssh-port | Indicates when deployments expose port 22, which is commonly reserved for SSH access. | Ensure that non-SSH services are not using port 22. Confirm that any actual SSH servers have been vetted. |
| unset-cpu-requirements | Indicates when containers do not have CPU requests and limits set. | Set CPU requests and limits for your container based on its requirements. Refer to Requests and limits for details. |
| unset-memory-requirements | Indicates when containers do not have memory requests and limits set. | Set memory requests and limits for your container based on its requirements. Refer to Requests and limits for details. |
| writable-host-mount | Indicates when containers mount a host path as writable. | Set containers to mount host paths as readOnly if you need to access files on the host. |
| cluster-admin-role-binding | CIS Benchmark 5.1.1: Ensure that the cluster-admin role is only used where required. | Create and assign a separate role that has access to the specific resources and actions needed for the service account. |
| docker-sock | Alert on deployments with docker.sock mounted in containers. | Ensure the Docker socket is not mounted inside any containers by removing the associated Volume and VolumeMount in the deployment YAML specification. If the Docker socket is mounted inside a container, it could allow processes running within the container to execute Docker commands, which would effectively allow full control of the host. |
| exposed-services | Alert on services of forbidden types. | Ensure containers are not exposed through a forbidden service type such as NodePort or LoadBalancer. |
| host-ipc | Alert on pods/deployment-likes that share the host's IPC namespace. | Ensure the host's IPC namespace is not shared. |
| host-network | Alert on pods/deployment-likes that share the host's network namespace. | Ensure the host's network namespace is not shared. |
| host-pid | Alert on pods/deployment-likes that share the host's process namespace. | Ensure the host's process namespace is not shared. |
| privilege-escalation-container | Alert on containers that allow privilege escalation, which could let a process gain more privileges than its parent process. | Ensure containers do not allow privilege escalation by setting allowPrivilegeEscalation=false. See Configure a Security Context for a Pod or Container for more details. |
| privileged-ports | Alert on deployments with privileged ports mapped in containers. | Ensure privileged ports [0, 1024] are not mapped within containers. |
| sensitive-host-mounts | Alert on deployments with sensitive host system directories mounted in containers. | Ensure sensitive host system directories are not mounted in containers by removing those Volumes and VolumeMounts. |
| unsafe-proc-mount | Alert on deployments with an unsafe /proc mount (procMount=Unmasked) that bypasses the default masking behavior of the container runtime. | Ensure the container does not unsafely expose parts of /proc by setting procMount=Default. An Unmasked procMount bypasses the default masking behavior of the container runtime. See Pod Security Standards for more details. |
| unsafe-sysctls | Alert on deployments specifying unsafe sysctls that may lead to severe problems such as incorrect behavior of containers. | Ensure the container does not allow unsafe allocation of system resources by removing unsafe sysctl configurations. For more details see Using sysctls in a Kubernetes Cluster and Configure namespaced kernel parameters (sysctls) at runtime. |
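The following is an added example, not part of this page or of the linter it documents. It implements a small checker for the pod- and container-level rules in the table (host-network, host-pid, host-ipc, docker-sock, privileged-container, privilege-escalation-container, run-as-non-root, no-read-only-root-fs and drop-net-raw-capability) over a Deployment-like object that has already been parsed into Python dictionaries, and runs it against a constructed weak manifest and its hardened counterpart so the effect of each securityContext setting is visible. The helper names (`pod_spec_of`, `lint`) and the two manifests are assumptions made for this example; the treatment of an unset `allowPrivilegeEscalation` as a finding mirrors the table's remediation, which asks for the field to be set to false explicitly.

```python
"""Added example: a minimal checker for several container-hardening rules.
Not the linter's own code; it works on manifests already parsed into dicts
(e.g. from yaml.safe_load) and only understands Pods and Deployment-likes
whose pod template sits at spec.template.spec."""


def pod_spec_of(obj):
    """Return the PodSpec of a Pod, or of a Deployment-like object's template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def lint(obj):
    """Return a list of rule findings, named after the rules in the table."""
    pod = pod_spec_of(obj)
    pod_sc = pod.get("securityContext", {})
    findings = []

    # host-network / host-pid / host-ipc: sharing a host namespace is flagged outright.
    for field, rule in (("hostNetwork", "host-network"),
                        ("hostPID", "host-pid"),
                        ("hostIPC", "host-ipc")):
        if pod.get(field) is True:
            findings.append(rule)

    # docker-sock: any hostPath volume that points at the Docker socket.
    for vol in pod.get("volumes", []):
        if vol.get("hostPath", {}).get("path", "").endswith("docker.sock"):
            findings.append(f"docker-sock: volume {vol.get('name')}")

    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            findings.append(f"privileged-container: {name}")
        # Unset allowPrivilegeEscalation is treated as a finding: the remediation
        # asks for an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"privilege-escalation-container: {name}")
        # runAsNonRoot may be set on the pod or the container; the container wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"run-as-non-root: {name}")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"no-read-only-root-fs: {name}")
        # NET_RAW counts as dropped when listed explicitly or when ALL is dropped.
        dropped = {cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])}
        if not dropped & {"NET_RAW", "ALL"}:
            findings.append(f"drop-net-raw-capability: {name}")
    return findings


# Constructed sample (not a real workload): a Deployment with several weaknesses.
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "dockersock",
                     "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock",
                              "mountPath": "/var/run/docker.sock"}],
        }],
    }}},
}

# The same workload with the table's remediations applied.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint(manifest))
```

Running the block prints seven findings for the weak manifest and none for the hardened one; because `lint` returns the findings rather than only printing them, the same function can be called from a CI step that fails the build when the list is non-empty.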
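The dangling-service, mismatching-selector and no-anti-affinity rows all reduce to the same question: does a label selector match a pod template's labels? The added example below (again not the linter's or the page's own code) implements Kubernetes LabelSelector evaluation for both `matchLabels` and `matchExpressions`, then applies it three ways: a deployment's selector against its own template, a service's selector against every deployment template in its namespace, and a multi-replica deployment's `podAntiAffinity` terms, which must select the deployment's own pods and use the `kubernetes.io/hostname` topology key as the remediation describes. The object list and the function names (`selector_matches`, `has_anti_affinity`, `lint_selectors`) are constructed for this example.

```python
"""Added example: selector-based checks (dangling-service, mismatching-selector,
no-anti-affinity) over manifests parsed into dicts. Not the linter's own code."""


def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector (matchLabels AND matchExpressions)
    against a label map. All requirements must hold for a match."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def has_anti_affinity(deployment):
    """True when the workload has fewer than two replicas, or when at least one
    podAntiAffinity term selects its own pods on the kubernetes.io/hostname key."""
    spec = deployment.get("spec", {})
    if spec.get("replicas", 1) < 2:
        return True
    template = spec.get("template", {})
    labels = template.get("metadata", {}).get("labels", {})
    anti = template.get("spec", {}).get("affinity", {}).get("podAntiAffinity", {})
    terms = list(anti.get("requiredDuringSchedulingIgnoredDuringExecution", []))
    terms += [w["podAffinityTerm"]
              for w in anti.get("preferredDuringSchedulingIgnoredDuringExecution", [])]
    return any(t.get("topologyKey") == "kubernetes.io/hostname"
               and selector_matches(t.get("labelSelector", {}), labels)
               for t in terms)


def lint_selectors(objects):
    """Run the three selector rules over a list of parsed objects."""
    findings = []
    pod_labels = []  # (namespace, template labels) for every deployment-like
    for d in objects:
        if d.get("kind") not in ("Deployment", "StatefulSet", "DaemonSet"):
            continue
        ident = f"{d['kind']}/{d.get('metadata', {}).get('name')}"
        ns = d.get("metadata", {}).get("namespace", "default")
        spec = d.get("spec", {})
        labels = spec.get("template", {}).get("metadata", {}).get("labels", {})
        pod_labels.append((ns, labels))
        if not selector_matches(spec.get("selector", {}), labels):
            findings.append(f"mismatching-selector: {ident}")
        if not has_anti_affinity(d):
            findings.append(f"no-anti-affinity: {ident}")
    for s in objects:
        if s.get("kind") != "Service":
            continue
        sel = s.get("spec", {}).get("selector")
        if not sel:
            continue  # selector-less Service: endpoints are managed elsewhere
        ns = s.get("metadata", {}).get("namespace", "default")
        # Service selectors are plain maps, so wrap them as matchLabels.
        if not any(n == ns and selector_matches({"matchLabels": sel}, lbl)
                   for n, lbl in pod_labels):
            findings.append(f"dangling-service: Service/{s.get('metadata', {}).get('name')}")
    return findings


# Constructed sample objects: one healthy pair, one broken deployment, one orphan service.
OBJECTS = [
    {"kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"replicas": 3, "selector": {"matchLabels": {"app": "api"}},
              "template": {"metadata": {"labels": {"app": "api", "tier": "backend"}},
                           "spec": {"affinity": {"podAntiAffinity": {
                               "requiredDuringSchedulingIgnoredDuringExecution": [
                                   {"labelSelector": {"matchLabels": {"app": "api"}},
                                    "topologyKey": "kubernetes.io/hostname"}]}}}}}},
    {"kind": "Deployment", "metadata": {"name": "worker"},
     "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "worker"}},
              "template": {"metadata": {"labels": {"app": "workers"}}, "spec": {}}}},
    {"kind": "Service", "metadata": {"name": "api"}, "spec": {"selector": {"app": "api"}}},
    {"kind": "Service", "metadata": {"name": "legacy"}, "spec": {"selector": {"app": "legacy"}}},
]

if __name__ == "__main__":
    for finding in lint_selectors(OBJECTS):
        print(finding)
```

The `worker` deployment is reported twice (its selector does not match the typo'd `workers` label, and it runs two replicas with no anti-affinity), while the `legacy` service is dangling because no template carries `app: legacy`. The `api` pair passes, which is the state the table's remediations aim for.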