Helm chart linting rules
Helm linting reports present the linting rules, with each rule's description and remediation, as shown in the following table.
| Name | Description | Remediation |
|---|---|---|
| | Indicates when services do not have any associated deployments. | Confirm that your service’s selector correctly matches the labels on one of your deployments. |
| | Indicates when pods use the default service account. | Create a dedicated service account for your pod. Refer to Configure Service Accounts for Pods for details. |
| | Indicates when deployments use the deprecated | Use the |
| | Indicates when containers do not drop | |
| | Indicates when objects use a secret in an environment variable. | Do not use raw secrets in environment variables. Instead, either mount the secret as a file or use a |
| | Indicates when deployment selectors fail to match the pod template labels. | Confirm that your deployment selector correctly matches the labels in its pod template. |
| | Indicates when deployments with multiple replicas fail to specify inter-pod anti-affinity, which is what makes the orchestrator attempt to schedule replicas on different nodes. | Specify anti-affinity in your pod specification to ensure that the orchestrator attempts to schedule replicas on different nodes. Using |
| | Indicates when objects use deprecated API versions under | Migrate using the |
| | Indicates when containers fail to specify a liveness probe. | Specify a liveness probe in your container. Refer to Configure Liveness, Readiness, and Startup Probes for details. |
| | Indicates when containers are running without a read-only root filesystem. | Set |
| | Indicates when containers fail to specify a readiness probe. | Specify a readiness probe in your container. Refer to Configure Liveness, Readiness, and Startup Probes for details. |
| | Indicates when pods reference a service account that is not found. | Create the missing service account, or refer to an existing service account. |
| | Indicates when deployments have containers running in privileged mode. | Do not run your container as privileged unless it is required. |
| | Indicates when objects do not have an | Add an |
| | Indicates when objects do not have an | Add an |
| | Indicates when containers are not set to | Set |
| | Indicates when deployments expose port 22, which is commonly reserved for SSH access. | Ensure that non-SSH services are not using port 22. Confirm that any actual SSH servers have been vetted. |
| | Indicates when containers do not have CPU requests and limits set. | Set CPU requests and limits for your container based on its requirements. Refer to Requests and limits for details. |
| | Indicates when containers do not have memory requests and limits set. | Set memory requests and limits for your container based on its requirements. Refer to Requests and limits for details. |
| | Indicates when containers mount a host path as writable. | Set containers to mount host paths as |
| | CIS Benchmark 5.1.1 Ensure that the | Create and assign a separate role that has access to only the specific resources and actions needed by the service account. |
| | Alert on deployments with | Ensure the Docker socket is not mounted inside any containers by removing the associated |
| | Alert on services for forbidden types. | Ensure containers are not exposed through a forbidden service type such as |
| | Alert on pods or deployment-like objects that share the host’s IPC namespace. | Ensure the host’s IPC namespace is not shared. |
| | Alert on pods or deployment-like objects that share the host’s network namespace. | Ensure the host’s network namespace is not shared. |
| | Alert on pods or deployment-like objects that share the host’s process namespace. | Ensure the host’s process namespace is not shared. |
| | Alert on containers that allow privilege escalation, through which a process can gain more privileges than its parent process. | Ensure containers do not allow privilege escalation by setting |
| | Alert on deployments with privileged ports mapped in containers. | Ensure privileged ports [ |
| | Alert on deployments with sensitive host system directories mounted in containers. | Ensure sensitive host system directories are not mounted in containers by removing those |
| | Alert on deployments with unsafe | Ensure the container does not unsafely expose parts of |
| | Alert on deployments specifying unsafe | Ensure the container does not allow unsafe allocation of system resources by removing unsafe |
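As an added example (this is not code from the page or from the linter it documents), the checker below applies the Deployment-level rules from the table to two constructed manifests: one that violates many of them and a hardened version of the same workload. The manifests are written as Python dicts so the script runs without a YAML parser; the field names are standard Kubernetes API fields, while the rule labels, the list of sensitive host paths, and the name-based heuristic for secrets in environment variables are this example's own assumptions. The RBAC (cluster-admin binding) and Service-type rules operate on other object kinds and are not covered.

```python
# Added example, not the page's own code or the linter's: a minimal stand-alone
# checker for the Deployment-level rules in the table above, run over two
# constructed manifests written as Python dicts (no YAML parser needed). Field
# names are Kubernetes API fields; the rule labels are this example's own.
DOCKER_SOCK = "/var/run/docker.sock"
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/var/run", "/boot", "/dev")  # assumed list


def lint_deployment(deploy):
    """Return rule violations as 'rule[:container[:detail]]' strings for one Deployment."""
    findings = []
    pod = deploy["spec"]["template"]["spec"]
    labels = deploy["spec"]["template"]["metadata"].get("labels", {})
    selector = deploy["spec"].get("selector", {}).get("matchLabels", {})
    if not selector or any(labels.get(k) != v for k, v in selector.items()):
        findings.append("mismatching-selector")
    if pod.get("serviceAccountName", "default") == "default":
        findings.append("default-service-account")
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if pod.get(ns):
            findings.append(f"host-namespace:{ns}")
    if deploy["spec"].get("replicas", 1) > 1 and "podAntiAffinity" not in pod.get("affinity", {}):
        findings.append("no-anti-affinity")
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"privileged-container:{name}")
        if sc.get("allowPrivilegeEscalation", True):  # the API default is true
            findings.append(f"privilege-escalation:{name}")
        if not sc.get("runAsNonRoot"):
            findings.append(f"run-as-root:{name}")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"writable-root-fs:{name}")
        if not {"ALL", "NET_RAW"} & set(sc.get("capabilities", {}).get("drop", [])):
            findings.append(f"net-raw-not-dropped:{name}")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"missing-{probe}:{name}")
        res = c.get("resources", {})
        for kind in ("cpu", "memory"):
            if kind not in res.get("requests", {}) or kind not in res.get("limits", {}):
                findings.append(f"unset-{kind}:{name}")
        for env in c.get("env", []):  # crude name heuristic for literal secrets
            if "value" in env and "secret" in env["name"].lower():
                findings.append(f"secret-in-env:{name}:{env['name']}")
        for port in (p.get("containerPort", 0) for p in c.get("ports", [])):
            if port == 22:
                findings.append(f"ssh-port:{name}")
            elif 0 < port < 1024:
                findings.append(f"privileged-port:{name}:{port}")
        for m in c.get("volumeMounts", []):
            path = volumes.get(m["name"], {}).get("hostPath", {}).get("path")
            if path is None:  # not a hostPath volume
                continue
            if path == DOCKER_SOCK:
                findings.append(f"docker-sock:{name}")
                continue
            if not m.get("readOnly"):
                findings.append(f"writable-host-mount:{name}:{path}")
            if any(path == s or path.startswith(s + "/") for s in SENSITIVE_HOST_PATHS):
                findings.append(f"sensitive-host-mount:{name}:{path}")
    return findings


WEAK = {  # constructed sample that violates many of the rules above
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "web"}}, "template": {
        "metadata": {"labels": {"app": "web"}},
        "spec": {"hostPID": True,
                 "volumes": [{"name": "dock", "hostPath": {"path": DOCKER_SOCK}},
                             {"name": "etc", "hostPath": {"path": "/etc"}}],
                 "containers": [{"name": "web", "image": "example/web:1.0",
                                 "env": [{"name": "DB_SECRET", "value": "hunter2"}],
                                 "ports": [{"containerPort": 22}, {"containerPort": 80}],
                                 "securityContext": {"privileged": True},
                                 "volumeMounts": [{"name": "dock", "mountPath": DOCKER_SOCK},
                                                  {"name": "etc", "mountPath": "/host/etc"}]}]}}}}

HARDENED = {  # constructed sample: the same workload with the rules satisfied
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "web"}}, "template": {
        "metadata": {"labels": {"app": "web"}},
        "spec": {"serviceAccountName": "web-sa",  # dedicated, pre-created service account
                 "affinity": {"podAntiAffinity": {"preferredDuringSchedulingIgnoredDuringExecution": [
                     {"weight": 100, "podAffinityTerm": {"labelSelector": {"matchLabels": {"app": "web"}},
                                                         "topologyKey": "kubernetes.io/hostname"}}]}},
                 "containers": [{"name": "web", "image": "example/web:1.0",
                                 "env": [{"name": "DB_SECRET", "valueFrom": {
                                     "secretKeyRef": {"name": "db", "key": "password"}}}],
                                 "ports": [{"containerPort": 8080}],
                                 "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                                 "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
                                 "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                               "limits": {"cpu": "500m", "memory": "256Mi"}},
                                 "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                                                     "allowPrivilegeEscalation": False,
                                                     "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    print(lint_deployment(WEAK))
    print(lint_deployment(HARDENED))
```

Running the script lists eighteen findings for the weak manifest (default service account, shared host PID namespace, no anti-affinity, privileged container, privilege escalation allowed, root user, writable root filesystem, NET_RAW not dropped, both probes missing, CPU and memory unset, a literal secret in an environment variable, ports 22 and 80, the Docker socket mount, and a writable, sensitive mount of /etc) and none for the hardened one. The hardened manifest is the shape a chart author wants to produce: a dedicated `serviceAccountName`, `podAntiAffinity` for multi-replica deployments, probes and resource bounds on every container, secrets delivered through `secretKeyRef`, and a `securityContext` that sets `runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false`, and drops all capabilities.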