kube-score
New Rule: CronJob resource requires Pod restartPolicy set to Never or OnFailure
Which version of kube-score are you using?
kube-score version: 1.14.0
What did you do?
A complete description of the steps you took to trigger the incorrect behaviour. Include Kubernetes object YAML/JSON if you have it
kind: CronJob
apiVersion: batch/v1
metadata:
  namespace: cronjobs
  name: pwsh-test
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: pwsh
            imagePullPolicy: Always
            image: mcr.microsoft.com/powershell:7
            command:
            - pwsh
            - -Command
            - Start-Sleep -Seconds 5
            securityContext:
              readOnlyRootFilesystem: true
            resources:
              limits:
                ephemeral-storage: 50Mi
              requests:
                ephemeral-storage: 50Mi
  schedule: '0/1 * * * *'
  startingDeadlineSeconds: 5
What did you expect to see?
Kubescore should report that the restartPolicy property is missing from the embedded Pod spec in the CronJob resource type.
What did you see instead?
When I tried to deploy the above YAML manifest to a Kubernetes 1.23 cluster, I received the error message below.
The CronJob "pwsh-test" is invalid: spec.jobTemplate.spec.template.spec.restartPolicy: Required value: valid values: "OnFailure", "Never"
Kubescore did not catch the missing restartPolicy property on the embedded template Pod spec.
[CRITICAL] Container Security Context User Group ID
    · pwsh -> The container is running with a low user ID
        A userid above 10 000 is recommended to avoid conflicts with the
        host. Set securityContext.runAsUser to a value > 10000
    · pwsh -> The container running with a low group ID
        A groupid above 10 000 is recommended to avoid conflicts with the
        host. Set securityContext.runAsGroup to a value > 10000
[CRITICAL] Pod NetworkPolicy
    · The pod does not have a matching NetworkPolicy
        Create a NetworkPolicy that targets this pod to control who/what
        can communicate with this pod. Note, this feature needs to be
        supported by the CNI implementation used in the Kubernetes cluster
        to have an effect.
[CRITICAL] Container Resources
    · pwsh -> CPU limit is not set
        Resource limits are recommended to avoid resource DDOS. Set
        resources.limits.cpu
    · pwsh -> Memory limit is not set
        Resource limits are recommended to avoid resource DDOS. Set
        resources.limits.memory
    · pwsh -> CPU request is not set
        Resource requests are recommended to make sure that the application
        can start and run without crashing. Set resources.requests.cpu
    · pwsh -> Memory request is not set
        Resource requests are recommended to make sure that the application
        can start and run without crashing. Set resources.requests.memory
I will implement this additional CronJob resource rule
@zegl Could you please close this issue? It was fixed in #474
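A sketch of the check this issue asks for, added here as an illustration; it is not kube-score's code and not the fix referenced in #474. It assumes the manifest is supplied as JSON so that only the Go standard library is needed; the function name `CheckCronJobRestartPolicy`, the finding text and the reduced sample manifest are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cronJob models only the fields this check reads (hypothetical type).
type cronJob struct {
	Kind string `json:"kind"`
	Spec struct {
		JobTemplate struct {
			Spec struct {
				Template struct {
					Spec struct {
						RestartPolicy string `json:"restartPolicy"`
					} `json:"spec"`
				} `json:"template"`
			} `json:"spec"`
		} `json:"jobTemplate"`
	} `json:"spec"`
}

const policyPath = "spec.jobTemplate.spec.template.spec.restartPolicy"

// CheckCronJobRestartPolicy returns "" when the manifest passes, else a finding.
func CheckCronJobRestartPolicy(manifest []byte) (string, error) {
	var cj cronJob
	if err := json.Unmarshal(manifest, &cj); err != nil {
		return "", fmt.Errorf("decode manifest: %w", err)
	}
	if cj.Kind != "CronJob" {
		return "", nil // the rule applies to CronJob objects only
	}
	switch p := cj.Spec.JobTemplate.Spec.Template.Spec.RestartPolicy; p {
	case "OnFailure", "Never":
		return "", nil
	case "": // absent field: the case the API server rejected in this issue
		return policyPath + ": required, valid values: OnFailure, Never", nil
	default:
		return fmt.Sprintf("%s: %q not allowed, valid values: OnFailure, Never", policyPath, p), nil
	}
}

// Constructed sample: the issue's manifest as JSON, reduced to a few fields.
const sample = `{"kind":"CronJob","apiVersion":"batch/v1","metadata":{"name":"pwsh-test"},"spec":{"schedule":"0/1 * * * *",
"jobTemplate":{"spec":{"template":{"spec":{"containers":[{"name":"pwsh","image":"mcr.microsoft.com/powershell:7"}]}}}}}}`

func main() {
	fmt.Println(CheckCronJobRestartPolicy([]byte(sample)))
}
```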