Update unset-memory-requirements and unset-cpu-requirements (stackrox…

…#734) Co-authored-by: Tomasz Janiszewski <[email protected]>
marcmognol · Feb 28, 2024 · c62e3c0 · c62e3c0
1 parent 32973f1
commit c62e3c0
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 44 deletions.
diff --git a/README.md b/README.md
@@ -5,11 +5,11 @@
 
 # What is KubeLinter?
 
-KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. 
+KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
 
 KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
 
-KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization. 
+KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
 
 When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
 
@@ -50,13 +50,13 @@ Installing KubeLinter from source is as simple as following these steps:
    ```bash
    git clone [email protected]:stackrox/kube-linter.git
    ```
-   
+
 1. Then, compile the source code. This will create the kube-linter binary files for each platform and places them in the `.gobin` folder.
-   
+
    ```bash
    make build
    ```
-   
+
 1. Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.
 
    ```bash
@@ -132,7 +132,6 @@ Consider the following sample pod specification file `pod.yaml`. This file has t
 1. The container in this pod is not running as a read only file system, which could allow it to write to the root filesystem.
 
 **Production readiness:**
-1. The container's CPU limits are not set, which could allow it to consume excessive CPU.
 1. The container's memory limits are not set, which could allow it to consume excessive memory
 
    ```yaml
@@ -162,7 +161,7 @@ Consider the following sample pod specification file `pod.yaml`. This file has t
        securityContext:
          allowPrivilegeEscalation: false
    ```
-  
+
 1. Copy the YAML above to pod.yaml and lint this file by running the following command:
 
    ```bash
@@ -171,12 +170,12 @@ Consider the following sample pod specification file `pod.yaml`. This file has t
 1. KubeLinter runs its default checks and reports recommendations. Below is the output from our previous command.
 
    ```
-   pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.)
+   pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) The container "sec-ctx-demo" is using an invalid container image, "busybox". Please use images that are not blocked by the `BlockList` criteria : [".*:(latest)$" "^[^:]*$" "(.*/[^:]+)$"] (check: latest-tag, remediation: Use a container image with a specific tag other than latest.)
+
+   pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)
+
+   pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)
 
-   pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set    your container's CPU requests and limits depending on its requirements. See    https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/   #requests-and-limits for more details.)
-   
-   pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation:    Set your container's memory requests and limits depending on its requirements.    See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/   #requests-and-limits for more details.)
-   
    Error: found 3 lint errors
    ```
 To learn more about using and configuring KubeLinter, visit the [documentation](./docs) page.
@@ -205,7 +204,7 @@ the future to the command usage, flags, and configuration file formats. However,
 we encourage you to use KubeLinter to test your environment YAML files, see what
 breaks, and [contribute](./CONTRIBUTING.md).
 
-## LICENSE 
+## LICENSE
 
 KubeLinter is licensed under the [Apache License 2.0](./LICENSE).
 

diff --git a/docs/generated/checks.md b/docs/generated/checks.md
@@ -629,15 +629,15 @@ unsafeSysCtls:
 
 **Description**: Indicates when containers do not have CPU requests and limits set.
 
-**Remediation**: Set CPU requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
+**Remediation**: Set CPU requests for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 
 **Template**: [cpu-requirements](templates.md#cpu-requirements)
 
 **Parameters**:
 
 ```yaml
 lowerBoundMillis: 0
-requirementsType: any
+requirementsType: request
 upperBoundMillis: 0
 ```
 ## unset-memory-requirements
@@ -646,15 +646,15 @@ upperBoundMillis: 0
 
 **Description**: Indicates when containers do not have memory requests and limits set.
 
-**Remediation**: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
+**Remediation**: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 
 **Template**: [memory-requirements](templates.md#memory-requirements)
 
 **Parameters**:
 
 ```yaml
 lowerBoundMB: 0
-requirementsType: any
+requirementsType: limit
 upperBoundMB: 0
 ```
 ## use-namespace

diff --git a/e2etests/bats-tests.sh b/e2etests/bats-tests.sh
@@ -904,15 +904,11 @@ get_value_from() {
 
   message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
   message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
-  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
-  message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
   count=$(get_value_from "${lines[0]}" '.Reports | length')
 
   [[ "${message1}" == "Deployment: container \"app\" has cpu request 0" ]]
-  [[ "${message2}" == "Deployment: container \"app\" has cpu limit 0" ]]
-  [[ "${message3}" == "DeploymentConfig: container \"app\" has cpu request 0" ]]
-  [[ "${message4}" == "DeploymentConfig: container \"app\" has cpu limit 0" ]]
-  [[ "${count}" == "4" ]]
+  [[ "${message2}" == "DeploymentConfig: container \"app\" has cpu request 0" ]]
+  [[ "${count}" == "2" ]]
 }
 
 @test "unset-memory-requirements" {
@@ -925,15 +921,11 @@ get_value_from() {
 
   message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
   message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
-  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
-  message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
   count=$(get_value_from "${lines[0]}" '.Reports | length')
 
-  [[ "${message1}" == "Deployment: container \"app\" has memory request 0" ]]
-  [[ "${message2}" == "Deployment: container \"app\" has memory limit 0" ]]
-  [[ "${message3}" == "DeploymentConfig: container \"app\" has memory request 0" ]]
-  [[ "${message4}" == "DeploymentConfig: container \"app\" has memory limit 0" ]]
-  [[ "${count}" == "4" ]]
+  [[ "${message1}" == "Deployment: container \"app\" has memory limit 0" ]]
+  [[ "${message2}" == "DeploymentConfig: container \"app\" has memory limit 0" ]]
+  [[ "${count}" == "2" ]]
 }
 
 @test "use-namespace" {

diff --git a/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml b/pkg/builtinchecks/yamls/unset-cpu-requirements.yaml
@@ -4,10 +4,10 @@ scope:
   objectKinds:
     - DeploymentLike
 remediation: >-
-  Set CPU requests and limits for your container based on its requirements.
+  Set CPU requests for your container based on its requirements.
   Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 template: "cpu-requirements"
 params:
-  requirementsType: "any"
+  requirementsType: "request"
   lowerBoundMillis: 0
   upperBoundMillis: 0
diff --git a/pkg/builtinchecks/yamls/unset-memory-requirements.yaml b/pkg/builtinchecks/yamls/unset-memory-requirements.yaml
@@ -1,13 +1,13 @@
 name: "unset-memory-requirements"
 description: "Indicates when containers do not have memory requests and limits set."
 remediation: >-
-  Set memory requests and limits for your container based on its requirements.
+  Set memory limits for your container based on its requirements.
   Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.
 scope:
   objectKinds:
     - DeploymentLike
 template: "memory-requirements"
 params:
-  requirementsType: "any"
+  requirementsType: "limit"
   lowerBoundMB: 0
   upperBoundMB: 0
diff --git a/tests/checks/unset-cpu-requirements.yml b/tests/checks/unset-cpu-requirements.yml
@@ -11,8 +11,7 @@ spec:
       - name: app
         requests:
           memory: 1Gi
-        limits:
-          memory: 1Gi
+
 ---
 apiVersion: apps.openshift.io/v1
 kind: DeploymentConfig
@@ -25,6 +24,4 @@ spec:
       containers:
       - name: app
         requests:
-          memory: 1Gi
-        limits:
           memory: 1Gi
diff --git a/tests/checks/unset-memory-requirements.yml b/tests/checks/unset-memory-requirements.yml
@@ -9,9 +9,7 @@ spec:
     spec:
       containers:
       - name: app
-        requests:
-          cpu: 1
-        limits:
+        limit:
           cpu: 1
 ---
 apiVersion: apps.openshift.io/v1
@@ -24,7 +22,5 @@ spec:
     spec:
       containers:
       - name: app
-        requests:
-          cpu: 1
-        limits:
+        limit:
           cpu: 1