k0sproject / k0s

k0s - The Zero Friction Kubernetes
https://docs.k0sproject.io

Fix datree linting warning for the embedded manifests #1230

Closed mikhail-sakhnov closed 2 years ago

mikhail-sakhnov commented 2 years ago

I used https://www.datree.io/ to run with default policies over default manifests; looks like there are some warnings, let's address those.

datree test `find /var/lib/k0s/manifests -type f  | xargs `
>>  File: /var/lib/k0s/manifests/defaultpsp/default-psp.yaml

[X] YAML validation

❌  yaml validation error: yaml: unmarshal errors:
  line 119: mapping key "fsGroup" already defined at line 84
  line 112: mapping key "hostNetwork" already defined at line 91
  line 113: mapping key "runAsUser" already defined at line 95
  line 115: mapping key "seLinux" already defined at line 97
  line 117: mapping key "supplementalGroups" already defined at line 99

[?] Kubernetes schema validation didn't run for this file
[?] Policy check didn't run for this file

>>  File: /var/lib/k0s/manifests/api-config/k0s.k0sproject.io_clusterconfigs.yaml

[V] YAML validation
[X] Kubernetes schema validation

❌  k8s schema validation error: could not find schema for CustomResourceDefinition
You can skip files with missing schemas instead of failing by using the `--ignore-missing-schemas` flag

[?] Policy check didn't run for this file

>>  File: /var/lib/k0s/manifests/konnectivity/konnectivity-agent.yaml

[V] YAML validation
[X] Kubernetes schema validation

❌  k8s schema validation error: For field spec: Additional property internalTrafficPolicy is not allowed

[?] Policy check didn't run for this file

>>  File: /var/lib/k0s/manifests/helm/helm-crd-helm.k0sproject.io_charts.yaml

[V] YAML validation
[X] Kubernetes schema validation

❌  k8s schema validation error: could not find schema for CustomResourceDefinition
You can skip files with missing schemas instead of failing by using the `--ignore-missing-schemas` flag

[?] Policy check didn't run for this file

>>  File: /var/lib/k0s/manifests/coredns/coredns.yaml

[V] YAML validation
[X] Kubernetes schema validation

❌  k8s schema validation error: For field spec.template.spec.affinity: Additional property preferredDuringSchedulingIgnoredDuringExecution is not allowed

[?] Policy check didn't run for this file

>>  File: kubeproxy/kube-proxy.yaml

[V] YAML validation
[V] Kubernetes schema validation

[X] Policy check

❌  Ensure each container has a configured memory request  [1 occurrence]
    — metadata.name: kube-proxy (kind: DaemonSet)
💡  Missing property object `requests.memory` - value should be within the accepted boundaries recommended by the organization

❌  Ensure each container has a configured CPU request  [1 occurrence]
    — metadata.name: kube-proxy (kind: DaemonSet)
💡  Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization

❌  Ensure each container has a configured memory limit  [1 occurrence]
    — metadata.name: kube-proxy (kind: DaemonSet)
💡  Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization

❌  Ensure each container has a configured CPU limit  [1 occurrence]
    — metadata.name: kube-proxy (kind: DaemonSet)
💡  Missing property object `limits.cpu` - value should be within the accepted boundaries recommended by the organization

❌  Ensure each container has a configured liveness probe  [1 occurrence]
    — metadata.name: kube-proxy (kind: DaemonSet)
💡  Missing property object `livenessProbe` - add a properly configured livenessProbe to catch possible deadlocks

❌  Ensure each container has a configured readiness probe  [1 occurrence]
    — metadata.name: kube-proxy (kind: DaemonSet)
💡  Missing property object `readinessProbe` - add a properly configured readinessProbe to notify kubelet your Pods are ready for traffic

❌  Prevent containers from having root access capabilities  [1 occurrence]
    — metadata.name: kube-proxy (kind: DaemonSet)
💡  Incorrect value for key `privileged` - this mode will allow the container the same access as processes running on the host

>>  File: kuberouter/kube-router.yaml

[V] YAML validation
[V] Kubernetes schema validation

[X] Policy check

❌  Ensure each container has a configured memory limit  [1 occurrence]
    — metadata.name: kube-router (kind: DaemonSet)
💡  Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization

❌  Ensure each container has a configured CPU limit  [1 occurrence]
    — metadata.name: kube-router (kind: DaemonSet)
💡  Missing property object `limits.cpu` - value should be within the accepted boundaries recommended by the organization

❌  Ensure each container has a configured readiness probe  [1 occurrence]
    — metadata.name: kube-router (kind: DaemonSet)
💡  Missing property object `readinessProbe` - add a properly configured readinessProbe to notify kubelet your Pods are ready for traffic

❌  Prevent containers from having root access capabilities  [1 occurrence]
    — metadata.name: kube-router (kind: DaemonSet)
💡  Incorrect value for key `privileged` - this mode will allow the container the same access as processes running on the host

>>  File: metricserver/metric_server.yaml

[V] YAML validation
[V] Kubernetes schema validation

[X] Policy check

❌  Ensure each container has a configured memory limit  [1 occurrence]
    — metadata.name: metrics-server (kind: Deployment)
💡  Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization

❌  Ensure each container has a configured CPU limit  [1 occurrence]
    — metadata.name: metrics-server (kind: Deployment)
💡  Missing property object `limits.cpu` - value should be within the accepted boundaries recommended by the organization

❌  Ensure Deployment has more than one replica configured  [1 occurrence]
    — metadata.name: metrics-server (kind: Deployment)
💡  Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service

(Summary)

- Passing YAML validation: 9/10

- Passing Kubernetes (1.18.0) schema validation: 5/10

- Passing policy check: 2/10

+-----------------------------------+----------------------------------------------------------+
| Enabled rules in policy "Default" | 21                                                       |
| Configs tested against policy     | 27                                                       |
| Total rules evaluated             | 105                                                      |
| Total rules failed                | 14                                                       |
| Total rules passed                | 91                                                       |
| See all rules in policy           | https://app.datree.io/login?cliId=d6iqraNfth2pJdmmDNtf5Q |
+-----------------------------------+----------------------------------------------------------+
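As an added example (not part of this issue, of k0s, or of datree), a small pure-Python scanner for the first class of finding in the report above, mapping keys repeated inside one block: many YAML loaders, PyYAML included, keep the last duplicate silently, so a later copy of a key such as runAsUser can override the restrictive value earlier in the same spec without any error. It handles block-style YAML only and runs over a constructed PSP-like snippet that mirrors the fsGroup/runAsUser duplicates reported for default-psp.yaml.

```python
def find_duplicate_keys(yaml_text):
    """Return [(line, key, first_line)] for keys repeated inside one block-style mapping."""
    issues, scopes, block = [], [], None   # scopes: stack of [indent, {key: line}]
    for lineno, raw in enumerate(yaml_text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments (approximate)
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        if body == "---":                       # document separator: forget everything
            scopes.clear()
            continue
        indent = len(line) - len(line.lstrip(" "))
        if block is not None and indent > block:
            continue                            # text inside a | or > scalar is not keys
        block = None
        if body.startswith("- "):               # sequence item: fresh mapping per item
            while scopes and scopes[-1][0] > indent:
                scopes.pop()
            body, indent = body[2:].lstrip(), indent + 2
            scopes.append([indent, {}])
        if ":" not in body:
            continue                            # scalar item or continuation line
        key, value = (s.strip().strip("'\"") for s in body.split(":", 1))
        if value[:1] in ("|", ">"):             # block scalar starts on the next line
            block = indent
        while scopes and scopes[-1][0] > indent:    # dedent closes nested mappings
            scopes.pop()
        if not scopes or scopes[-1][0] < indent:    # deeper indent opens a new mapping
            scopes.append([indent, {}])
        seen = scopes[-1][1]
        if key in seen:
            issues.append((lineno, key, seen[key]))
        seen.setdefault(key, lineno)
    return issues

# Constructed sample modelled on the default-psp.yaml finding, not the real k0s manifest
SAMPLE_PSP = """\
spec:
  privileged: false
  fsGroup:
    rule: MustRunAs
  runAsUser:
    rule: MustRunAsNonRoot   # the restrictive value
  volumes:
  - configMap
  runAsUser:
    rule: RunAsAny           # silently wins in loaders that keep the last key
  fsGroup:
    rule: RunAsAny
"""
```

`find_duplicate_keys(SAMPLE_PSP)` reports the second `runAsUser` and `fsGroup` with the line where each was first defined, the same shape of finding datree printed for the real file.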
mohammadmoazum commented 2 years ago

How did you add `k8s schema validation error: could not find schema for SecretStore You can skip files with missing schemas instead of failing by using the --ignore-missing-schemas flag [?] Policy check didn't run for this file` in CI/CD runners?