use crate::analyzer::kubelint::config::{CheckScope, CheckSpec};
pub fn builtin_checks() -> Vec<CheckSpec> {
vec![
CheckSpec::new(
"privileged-container",
"Indicates when deployments have containers running in privileged mode.",
"Do not run your container as privileged unless it is required.",
"privileged",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"privilege-escalation",
"Alert on containers of deployments that allow privilege escalation.",
"Ensure containers do not allow privilege escalation by setting allowPrivilegeEscalation to false.",
"privilege-escalation",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"run-as-non-root",
"Indicates when containers are not set to runAsNonRoot.",
"Set runAsNonRoot to true in your container's securityContext.",
"run-as-non-root",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"read-only-root-fs",
"Indicates when containers are running with a read-write root filesystem.",
"Set readOnlyRootFilesystem to true in your container's securityContext.",
"read-only-root-fs",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"drop-net-raw-capability",
"Indicates when containers do not drop NET_RAW capability.",
"NET_RAW capability allows a container to craft arbitrary network packets. Drop this capability.",
"drop-net-raw-capability",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"hostnetwork",
"Indicates when deployments use the host's network namespace.",
"Ensure deployments do not share the host's network namespace.",
"host-network",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"hostpid",
"Indicates when deployments share the host's process namespace.",
"Ensure deployments do not share the host's process namespace.",
"host-pid",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"hostipc",
"Indicates when deployments share the host's IPC namespace.",
"Ensure deployments do not share the host's IPC namespace.",
"host-ipc",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"host-mounts",
"Indicates when deployments mount sensitive host directories.",
"Do not mount sensitive host paths unless absolutely necessary.",
"host-mounts",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"writable-host-mount",
"Indicates when containers mount host directories as writable.",
"Mount host paths as read-only unless write access is required.",
"writable-host-mount",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"docker-sock",
"Indicates when deployments mount the Docker socket.",
"Do not mount /var/run/docker.sock as it gives full control over Docker.",
"host-mounts",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"unsafe-proc-mount",
"Indicates when containers have unsafe /proc mount.",
"Use the Default procMount type unless Unmasked is absolutely required.",
"unsafe-proc-mount",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"latest-tag",
"Indicates when containers use images with the 'latest' tag.",
"Use specific image tags instead of 'latest' for reproducible deployments.",
"latest-tag",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"no-liveness-probe",
"Indicates when containers do not have liveness probes configured.",
"Add a liveness probe to detect and recover from container failures.",
"liveness-probe",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"no-readiness-probe",
"Indicates when containers do not have readiness probes configured.",
"Add a readiness probe to ensure traffic is only sent to healthy containers.",
"readiness-probe",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"unset-cpu-requirements",
"Indicates when containers do not have CPU requirements set.",
"Set CPU requests and limits for better resource management.",
"cpu-requirements",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"unset-memory-requirements",
"Indicates when containers do not have memory requirements set.",
"Set memory requests and limits for better resource management.",
"memory-requirements",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"minimum-replicas",
"Indicates when deployments have fewer than the minimum recommended replicas.",
"Increase the number of replicas for better availability.",
"replicas",
)
.with_scope(CheckScope::new(&["Deployment", "StatefulSet"])),
CheckSpec::new(
"no-anti-affinity",
"Indicates when deployments do not have pod anti-affinity configured.",
"Use pod anti-affinity to spread pods across nodes for better availability.",
"anti-affinity",
)
.with_scope(CheckScope::new(&["Deployment", "StatefulSet"])),
CheckSpec::new(
"no-rolling-update-strategy",
"Indicates when deployments do not use a rolling update strategy.",
"Use RollingUpdate strategy for zero-downtime deployments.",
"rolling-update-strategy",
)
.with_scope(CheckScope::new(&["Deployment"])),
CheckSpec::new(
"default-service-account",
"Indicates when deployments use the default service account.",
"Create and use a dedicated service account for your workloads.",
"service-account",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"deprecated-service-account",
"Indicates when the deprecated serviceAccount field is used.",
"Use serviceAccountName instead of the deprecated serviceAccount field.",
"deprecated-service-account-field",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"access-to-secrets",
"Indicates when RBAC rules grant access to secrets.",
"Limit access to secrets to only those that need it.",
"access-to-secrets",
)
.with_scope(CheckScope::new(&["Role", "ClusterRole"])),
CheckSpec::new(
"access-to-create-pods",
"Indicates when RBAC rules grant create access to pods.",
"Limit the ability to create pods as it can be used for privilege escalation.",
"access-to-create-pods",
)
.with_scope(CheckScope::new(&["Role", "ClusterRole"])),
CheckSpec::new(
"cluster-admin-role-binding",
"Indicates when a ClusterRoleBinding grants cluster-admin.",
"Avoid granting cluster-admin to users or service accounts.",
"cluster-admin-role-binding",
)
.with_scope(CheckScope::new(&["ClusterRoleBinding"])),
CheckSpec::new(
"wildcard-in-rules",
"Indicates when RBAC rules use wildcards.",
"Avoid wildcards in RBAC rules; be specific about resources and verbs.",
"wildcard-in-rules",
)
.with_scope(CheckScope::new(&["Role", "ClusterRole"])),
CheckSpec::new(
"dangling-service",
"Indicates when services have selectors that do not match any pods.",
"Ensure service selectors match labels on pods.",
"dangling-service",
)
.with_scope(CheckScope::new(&["Service"])),
CheckSpec::new(
"dangling-ingress",
"Indicates when ingresses reference non-existent services.",
"Ensure ingress backends reference existing services.",
"dangling-ingress",
)
.with_scope(CheckScope::new(&["Ingress"])),
CheckSpec::new(
"dangling-horizontalpodautoscaler",
"Indicates when HPAs target non-existent deployments.",
"Ensure HPA scaleTargetRef references an existing deployment.",
"dangling-hpa",
)
.with_scope(CheckScope::new(&["HorizontalPodAutoscaler"])),
CheckSpec::new(
"dangling-networkpolicy",
"Indicates when network policies have selectors that do not match any pods.",
"Ensure network policy pod selectors match labels on pods.",
"dangling-network-policy",
)
.with_scope(CheckScope::new(&["NetworkPolicy"])),
CheckSpec::new(
"mismatching-selector",
"Indicates when deployment selectors do not match pod template labels.",
"Ensure deployment selector matches pod template labels.",
"mismatching-selector",
)
.with_scope(CheckScope::new(&["Deployment", "StatefulSet", "DaemonSet"])),
CheckSpec::new(
"duplicate-env-var",
"Indicates when containers have duplicate environment variables.",
"Remove duplicate environment variables.",
"duplicate-env-var",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"invalid-target-ports",
"Indicates when services have invalid target ports.",
"Ensure service target ports reference valid container ports.",
"target-port",
)
.with_scope(CheckScope::new(&["Service"])),
CheckSpec::new(
"env-var-secret",
"Indicates when secrets are passed as environment variables.",
"Mount secrets as volumes instead of environment variables.",
"env-var-secret",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"read-secret-from-env-var",
"Indicates when secrets are read from environment variables.",
"Consider mounting secrets as files instead.",
"read-secret-from-env-var",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"ssh-port",
"Indicates when containers expose SSH port (22).",
"Avoid exposing SSH ports in containers.",
"ssh-port",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"privileged-ports",
"Indicates when containers use privileged ports (< 1024).",
"Use non-privileged ports (>= 1024) when possible.",
"privileged-ports",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"no-extensions-v1beta",
"Indicates when deprecated extensions/v1beta1 API is used.",
"Use apps/v1 API instead of extensions/v1beta1.",
"disallowed-gvk",
)
.with_scope(CheckScope::new(&["Any"])),
CheckSpec::new(
"hpa-minimum-replicas",
"Indicates when HPA minReplicas is set too low.",
"Set HPA minReplicas to at least 2 for high availability.",
"hpa-min-replicas",
)
.with_scope(CheckScope::new(&["HorizontalPodAutoscaler"])),
CheckSpec::new(
"liveness-port",
"Indicates when liveness probe ports do not match container ports.",
"Ensure liveness probe ports match defined container ports.",
"liveness-port",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"readiness-port",
"Indicates when readiness probe ports do not match container ports.",
"Ensure readiness probe ports match defined container ports.",
"readiness-port",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"startup-port",
"Indicates when startup probe ports do not match container ports.",
"Ensure startup probe ports match defined container ports.",
"startup-port",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"non-existent-service-account",
"Indicates when pods reference non-existent service accounts.",
"Create the service account or use an existing one.",
"non-existent-service-account",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"non-isolated-pod",
"Indicates when pods are not covered by any network policy.",
"Create network policies to isolate pod traffic.",
"non-isolated-pod",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"pdb-max-unavailable",
"Indicates when PDB maxUnavailable is too permissive.",
"Set appropriate maxUnavailable for PodDisruptionBudgets.",
"pdb-max-unavailable",
)
.with_scope(CheckScope::new(&["PodDisruptionBudget"])),
CheckSpec::new(
"pdb-min-available",
"Indicates when PDB minAvailable is too permissive.",
"Set appropriate minAvailable for PodDisruptionBudgets.",
"pdb-min-available",
)
.with_scope(CheckScope::new(&["PodDisruptionBudget"])),
CheckSpec::new(
"required-annotation-email",
"Indicates when objects are missing required email annotation.",
"Add the required annotation to your resource.",
"required-annotation",
)
.with_scope(CheckScope::new(&["Any"])),
CheckSpec::new(
"required-label-owner",
"Indicates when objects are missing required owner label.",
"Add the required label to your resource.",
"required-label",
)
.with_scope(CheckScope::new(&["Any"])),
CheckSpec::new(
"no-node-affinity",
"Indicates when deployments do not have node affinity configured.",
"Consider using node affinity to control pod placement.",
"node-affinity",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"restart-policy",
"Indicates when pods have inappropriate restart policies.",
"Use an appropriate restart policy for your workload type.",
"restart-policy",
)
.with_scope(CheckScope::new(&["Pod"])),
CheckSpec::new(
"scc-deny-privileged-container",
"Indicates when SecurityContextConstraints allow privileged containers.",
"Set allowPrivilegedContainer to false in SCC.",
"scc-deny-privileged",
)
.with_scope(CheckScope::new(&["SecurityContextConstraints"])),
CheckSpec::new(
"sysctls",
"Indicates when pods use unsafe sysctls.",
"Avoid using unsafe sysctls in pod specifications.",
"sysctls",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"use-namespace",
"Indicates when objects are in the default namespace.",
"Deploy resources to a specific namespace, not default.",
"use-namespace",
)
.with_scope(CheckScope::new(&["Any"])),
CheckSpec::new(
"dangling-networkpolicypeer-podselector",
"Indicates when NetworkPolicy peer pod selectors don't match any pods.",
"Ensure NetworkPolicy peer selectors match existing pods.",
"dangling-network-policy-peer",
)
.with_scope(CheckScope::new(&["NetworkPolicy"])),
CheckSpec::new(
"dangling-servicemonitor",
"Indicates when ServiceMonitors have selectors that don't match any services.",
"Ensure ServiceMonitor selectors match existing services.",
"dangling-service-monitor",
)
.with_scope(CheckScope::new(&["ServiceMonitor"])),
CheckSpec::new(
"dnsconfig-options",
"Indicates when pods have missing recommended DNS config options.",
"Add recommended DNS config options for better reliability.",
"dnsconfig-options",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"env-var-value-from",
"Indicates when env vars reference non-existent secrets or configmaps.",
"Ensure env var references point to existing resources.",
"env-var-value-from",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"job-ttl-seconds-after-finished",
"Indicates when jobs don't have ttlSecondsAfterFinished set.",
"Set ttlSecondsAfterFinished to automatically clean up completed jobs.",
"job-ttl-seconds-after-finished",
)
.with_scope(CheckScope::new(&["Job"])),
CheckSpec::new(
"priority-class-name",
"Indicates when pods don't have a priorityClassName set.",
"Set a priorityClassName for important workloads.",
"priority-class-name",
)
.with_scope(CheckScope::new(&["DeploymentLike"])),
CheckSpec::new(
"service-type",
"Indicates when services use the LoadBalancer type.",
"Consider using ClusterIP or NodePort instead of LoadBalancer.",
"service-type",
)
.with_scope(CheckScope::new(&["Service"])),
CheckSpec::new(
"pdb-unhealthy-pod-eviction-policy",
"Indicates when PDB unhealthyPodEvictionPolicy is not configured.",
"Set unhealthyPodEvictionPolicy to control eviction behavior.",
"pdb-unhealthy-pod-eviction-policy",
)
.with_scope(CheckScope::new(&["PodDisruptionBudget"])),
]
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_builtin_checks_count() {
let checks = builtin_checks();
assert!(
checks.len() >= 60,
"Expected at least 60 builtin checks, got {}",
checks.len()
);
}
#[test]
fn test_builtin_checks_unique_names() {
let checks = builtin_checks();
let mut names: Vec<_> = checks.iter().map(|c| &c.name).collect();
let original_len = names.len();
names.sort();
names.dedup();
assert_eq!(names.len(), original_len, "Found duplicate check names");
}
}