
New Rule: CronJob resource requires Pod restartPolicy set to Never or OnFailure

Open · pcgeek86 opened this issue 2 years ago · 1 comment

Which version of kube-score are you using?

kube-score version: 1.14.0

What did you do?

A complete description of the steps you took to trigger the incorrect behaviour. Include Kubernetes object YAML/JSON if you have it

kind: CronJob
apiVersion: batch/v1
metadata:
  namespace: cronjobs
  name: pwsh-test
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: pwsh
            imagePullPolicy: Always
            image: mcr.microsoft.com/powershell:7
            command:
            - pwsh
            - -Command
            - Start-Sleep -Seconds 5
            securityContext:
              readOnlyRootFilesystem: true
            resources:
              limits:
                ephemeral-storage: 50Mi
              requests:
                ephemeral-storage: 50Mi
  schedule: '0/1 * * * *'
  startingDeadlineSeconds: 5

What did you expect to see?

kube-score should report that the restartPolicy property is missing from the embedded Pod spec in the CronJob resource type.

What did you see instead?

When I tried to deploy the above YAML manifest to a Kubernetes 1.23 cluster, I received the error message below.

The CronJob "pwsh-test" is invalid: spec.jobTemplate.spec.template.spec.restartPolicy: Required value: valid values: "OnFailure", "Never"

kube-score did not catch the missing restartPolicy property on the embedded template Pod spec.

    [CRITICAL] Container Security Context User Group ID
        · pwsh -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · pwsh -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Resources
        · pwsh -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · pwsh -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · pwsh -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · pwsh -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory

pcgeek86 · May 26 '22 06:05
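For readers who want to see what the requested rule amounts to, the following is an added, stand-alone Go example (not kube-score's own code and not part of this issue). It decodes a JSON-encoded CronJob with only the standard library, walks to spec.jobTemplate.spec.template.spec.restartPolicy and grades the result: a missing field (the case reported above) and "Always" (the Pod default, which the API server also rejects for Job pods) are CRITICAL, while "Never" and "OnFailure" pass. The type names, the Grade/Finding types and the SampleCronJob helper are this example's own; the sample manifest is the issue's YAML re-encoded as JSON, with restartPolicy optionally injected.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cronJob is a minimal projection of a batch/v1 CronJob: only the fields
// this check needs. encoding/json ignores everything else in the manifest.
type cronJob struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		JobTemplate struct {
			Spec struct {
				Template struct {
					Spec struct {
						RestartPolicy string `json:"restartPolicy"`
					} `json:"spec"`
				} `json:"template"`
			} `json:"spec"`
		} `json:"jobTemplate"`
	} `json:"spec"`
}

// Grade follows kube-score's convention of 1 = CRITICAL and 10 = OK, but these
// constants and the Finding type are this example's own, not kube-score's API.
type Grade int

const (
	GradeCritical Grade = 1
	GradeAllOK    Grade = 10
)

type Finding struct {
	Grade   Grade
	Summary string
}

// CheckCronJobRestartPolicy implements the rule requested in this issue: the
// Pod template embedded in a CronJob must set restartPolicy to "Never" or
// "OnFailure". A missing field is the case from the issue; "Always" (the Pod
// default) is flagged too, since the API server rejects it for Job pods.
func CheckCronJobRestartPolicy(manifest []byte) (Finding, error) {
	var cj cronJob
	if err := json.Unmarshal(manifest, &cj); err != nil {
		return Finding{}, fmt.Errorf("decode manifest: %w", err)
	}
	if cj.Kind != "CronJob" {
		return Finding{}, fmt.Errorf("expected kind CronJob, got %q", cj.Kind)
	}
	const path = "spec.jobTemplate.spec.template.spec.restartPolicy"
	switch rp := cj.Spec.JobTemplate.Spec.Template.Spec.RestartPolicy; rp {
	case "Never", "OnFailure":
		return Finding{Grade: GradeAllOK, Summary: path + " is " + rp}, nil
	case "":
		return Finding{Grade: GradeCritical, Summary: path + " is not set; valid values are Never and OnFailure"}, nil
	default:
		return Finding{Grade: GradeCritical, Summary: fmt.Sprintf("%s is %q; valid values are Never and OnFailure", path, rp)}, nil
	}
}

// SampleCronJob builds a constructed manifest mirroring the YAML in this issue,
// re-encoded as JSON. An empty restartPolicy omits the field entirely, which
// reproduces the manifest the API server rejected.
func SampleCronJob(restartPolicy string) []byte {
	field := ""
	if restartPolicy != "" {
		field = fmt.Sprintf(`"restartPolicy": %q,`, restartPolicy)
	}
	return []byte(fmt.Sprintf(`{
  "kind": "CronJob",
  "apiVersion": "batch/v1",
  "metadata": {"namespace": "cronjobs", "name": "pwsh-test"},
  "spec": {
    "schedule": "0/1 * * * *",
    "startingDeadlineSeconds": 5,
    "jobTemplate": {"spec": {"template": {"spec": {
      %s
      "containers": [{
        "name": "pwsh",
        "image": "mcr.microsoft.com/powershell:7",
        "command": ["pwsh", "-Command", "Start-Sleep -Seconds 5"]
      }]
    }}}}
  }
}`, field))
}

func main() {
	for _, p := range []string{"", "Always", "OnFailure"} {
		f, err := CheckCronJobRestartPolicy(SampleCronJob(p))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("restartPolicy=%q -> grade %d: %s\n", p, f.Grade, f.Summary)
	}
}
```

kube-score itself accepts YAML and reads objects through the Kubernetes API types, so a real rule would hook into its existing object model rather than decode JSON by hand; the decision logic (empty or "Always" fails, "Never"/"OnFailure" passes) is what carries over.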

I will implement this additional CronJob resource rule

kmarteaux · May 27 '22 00:05

@zegl Could you please close this issue? It was fixed in #474

atombrella · Oct 28 '22 17:10