KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
Description of the existing behavior vs. expected behavior
% .gobin/kube-linter lint ../gitsecure-k8sbenchmark/opa/input-examples --config config-example3.yaml
KubeLinter 0.2.1-12-gadfb277043-dirty
../gitsecure-k8sbenchmark/opa/input-examples/clusterrolebinding.yaml: (object: <no namespace>/read-secrets-global rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding) binding to "secret-reader" clusterrole that has [get watch list create] access to [secrets] (check: access-to-secrets, remediation: Where possible, remove get, list and watch access to secret objects in the cluster.)
../gitsecure-k8sbenchmark/opa/input-examples/clusterrolebindings.yaml: (object: <no namespace>/test-aggregation rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding) binding via aggregationRule to "pod-creator" clusterrole that has [create] access to [pods] (check: access-to-create-pods, remediation: Where possible, remove create access to pod objects in the cluster.)
../gitsecure-k8sbenchmark/opa/input-examples/clusterrolebindings.yaml: (object: <no namespace>/test-aggregation rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding) binding via aggregationRule to "secret-reader" clusterrole that has [get watch list create] access to [secrets] (check: access-to-secrets, remediation: Where possible, remove get, list and watch access to secret objects in the cluster.)
../gitsecure-k8sbenchmark/opa/input-examples/clusterrolebindings.yaml: (object: <no namespace>/create-pod-test1 rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding) binding to "pod-creator" clusterrole that has [create] access to [pods] (check: access-to-create-pods, remediation: Where possible, remove create access to pod objects in the cluster.)
../gitsecure-k8sbenchmark/opa/input-examples/clusterroles.yaml: (object: <no namespace>/pod-manager rbac.authorization.k8s.io/v1, Kind=ClusterRole) wildcard "*" in verb specification (check: wildcard-in-rules, remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.)
../gitsecure-k8sbenchmark/opa/input-examples/pod.yaml: (object: <no namespace>/ossc-new /v1, Kind=Pod) object in default namespace (check: use-namespace, remediation: Create namespaces for objects in your deployment)
../gitsecure-k8sbenchmark/opa/input-examples/pod.yaml: (object: <no namespace>/test-webserver /v1, Kind=Pod) environment variable "SECRET_USERNAME" in container "test-webserver" uses SecretKeyRef (check: read-secret-from-env-var, remediation: If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets for details.)
../gitsecure-k8sbenchmark/opa/input-examples/rolebindings.yaml: (object: test1/testadminbinding rbac.authorization.k8s.io/v1, Kind=RoleBinding) binding to "testadmin" role that has [*] access to [*] (check: access-to-create-pods, remediation: Where possible, remove create access to pod objects in the cluster.)
../gitsecure-k8sbenchmark/opa/input-examples/rolebindings.yaml: (object: test1/testadminbinding rbac.authorization.k8s.io/v1, Kind=RoleBinding) binding to "testadmin" role that has [*] access to [*] (check: access-to-secrets, remediation: Where possible, remove get, list and watch access to secret objects in the cluster.)
../gitsecure-k8sbenchmark/opa/input-examples/rolebindings.yaml: (object: test3/test-pod-create3 rbac.authorization.k8s.io/v1, Kind=RoleBinding) binding to "testadmin" role that has [create] access to [pods], [create] access to [deployments] (check: access-to-create-pods, remediation: Where possible, remove create access to pod objects in the cluster.)
../gitsecure-k8sbenchmark/opa/input-examples/rolebindings.yaml: (object: test3/test-pod-create3 rbac.authorization.k8s.io/v1, Kind=RoleBinding) binding to "testadmin" role that has [get watch list] access to [secrets] (check: access-to-secrets, remediation: Where possible, remove get, list and watch access to secret objects in the cluster.)
../gitsecure-k8sbenchmark/opa/input-examples/roles.yaml: (object: test1/testadmin rbac.authorization.k8s.io/v1, Kind=Role) wildcard "*" in resource specification (check: wildcard-in-rules, remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.)
../gitsecure-k8sbenchmark/opa/input-examples/roles.yaml: (object: test1/testadmin rbac.authorization.k8s.io/v1, Kind=Role) wildcard "*" in verb specification (check: wildcard-in-rules, remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.)
../gitsecure-k8sbenchmark/opa/input-examples/service.yaml: (object: <no namespace>/hello-app-svc /v1, Kind=Service) object in default namespace (check: use-namespace, remediation: Create namespaces for objects in your deployment)
../gitsecure-k8sbenchmark/opa/input-examples/service.yaml: (object: <no namespace>/my-service /v1, Kind=Service) object in default namespace (check: use-namespace, remediation: Create namespaces for objects in your deployment)
Error: found 15 lint errors
Additional context
Description of the problem/feature request
Add four new templates (shown in bold in the table below) and checks for RBAC, secret, and namespace as recommended in CIS Benchmarks for Kubernetes
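To make the logic behind each line of the lint output above concrete, here is an added example, written for this issue and not KubeLinter's own code: a stand-alone Python re-implementation of the access-to-secrets, access-to-create-pods, wildcard-in-rules and use-namespace checks, including the roleRef resolution and ClusterRole aggregation that produce the "binding via aggregationRule" findings. The input manifests are constructed and given in the dict form that yaml.safe_load would return for the YAML files; the set of cluster-scoped kinds (CLUSTER_SCOPED), the aggregation label (AGG) and the object names are assumptions for the example, not values from KubeLinter.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set, Tuple

Manifest = Dict[str, Any]

# Assumption: kinds that are cluster-scoped and so never carry a namespace.
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding", "Namespace", "Node", "PersistentVolume"}
SECRET_READ_VERBS = {"get", "list", "watch"}


@dataclass(frozen=True)
class Finding:
    obj: str      # "<namespace>/<name>", with "<no namespace>" when unset
    check: str
    message: str


def _ident(m: Manifest) -> str:
    md = m.get("metadata", {})
    return f"{md.get('namespace') or '<no namespace>'}/{md.get('name')}"


def _index_roles(manifests: List[Manifest]) -> Dict[Tuple[str, str, str], Manifest]:
    # Key roles by (kind, namespace, name); ClusterRoles use an empty namespace.
    return {(m["kind"], m["metadata"].get("namespace", ""), m["metadata"]["name"]): m
            for m in manifests if m.get("kind") in ("Role", "ClusterRole")}


def _resolve(binding: Manifest, roles: Dict[Tuple[str, str, str], Manifest]) -> Optional[Manifest]:
    # Follow roleRef: a Role lives in the binding's namespace, a ClusterRole in none.
    ref = binding.get("roleRef", {})
    ns = "" if ref.get("kind") == "ClusterRole" else binding["metadata"].get("namespace", "")
    return roles.get((ref.get("kind", ""), ns, ref.get("name", "")))


def _effective_rules(role: Manifest, manifests: List[Manifest]) -> List[Tuple[str, Dict[str, Any]]]:
    # The role's own rules plus, for an aggregated ClusterRole, the rules of every
    # ClusterRole whose labels match one of its clusterRoleSelectors (matchLabels only).
    rules = [(role["metadata"]["name"], r) for r in role.get("rules", [])]
    for sel in role.get("aggregationRule", {}).get("clusterRoleSelectors", []):
        want = sel.get("matchLabels", {})
        for m in manifests:
            if m.get("kind") != "ClusterRole" or m is role:
                continue
            labels = m.get("metadata", {}).get("labels", {})
            if want and all(labels.get(k) == v for k, v in want.items()):
                rules.extend((m["metadata"]["name"], r) for r in m.get("rules", []))
    return rules


def _granted(rule: Dict[str, Any], verbs: Set[str], resource: str) -> List[str]:
    # Verbs from `verbs` that `rule` grants on `resource`; ['*'] when the verb list is a wildcard.
    resources = set(rule.get("resources", []))
    if resource not in resources and "*" not in resources:
        return []
    have = set(rule.get("verbs", []))
    return ["*"] if "*" in have else sorted(have & verbs)


def lint(manifests: List[Manifest]) -> List[Finding]:
    roles = _index_roles(manifests)
    findings: List[Finding] = []
    for m in manifests:
        kind, ident = m.get("kind"), _ident(m)
        # use-namespace: a namespaced object with no namespace lands in "default".
        if kind not in CLUSTER_SCOPED and not m.get("metadata", {}).get("namespace"):
            findings.append(Finding(ident, "use-namespace", "object in default namespace"))
        # wildcard-in-rules: "*" in either the verb or the resource list of a rule.
        if kind in ("Role", "ClusterRole"):
            for rule in m.get("rules", []):
                for field in ("verbs", "resources"):
                    if "*" in rule.get(field, []):
                        findings.append(Finding(ident, "wildcard-in-rules",
                                                f'wildcard "*" in {field[:-1]} specification'))
        # The two binding checks look through roleRef (and aggregation) at the granted rules.
        if kind in ("RoleBinding", "ClusterRoleBinding"):
            role = _resolve(m, roles)
            if role is None:
                continue  # referenced role is not among the scanned files; nothing to conclude
            for src, rule in _effective_rules(role, manifests):
                v = _granted(rule, SECRET_READ_VERBS, "secrets")
                if v:
                    findings.append(Finding(ident, "access-to-secrets",
                                            f'binding to "{src}" that has {v} access to [secrets]'))
                v = _granted(rule, {"create"}, "pods")
                if v:
                    findings.append(Finding(ident, "access-to-create-pods",
                                            f'binding to "{src}" that has {v} access to [pods]'))
    return findings


# Constructed input, in the dict form yaml.safe_load() returns for the YAML files.
RBAC = "rbac.authorization.k8s.io/v1"
AGG = {"rbac.example.com/aggregate": "true"}   # assumed aggregation label
MANIFESTS: List[Manifest] = [
    {"apiVersion": RBAC, "kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list", "create"]}]},
    {"apiVersion": RBAC, "kind": "ClusterRole", "metadata": {"name": "pod-creator", "labels": AGG},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}]},
    {"apiVersion": RBAC, "kind": "ClusterRole", "metadata": {"name": "test-aggregation"},
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": AGG}]}, "rules": []},
    {"apiVersion": RBAC, "kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-global"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    {"apiVersion": RBAC, "kind": "ClusterRoleBinding", "metadata": {"name": "aggregated-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "test-aggregation"}},
    {"apiVersion": RBAC, "kind": "Role", "metadata": {"name": "testadmin", "namespace": "test1"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"apiVersion": RBAC, "kind": "RoleBinding", "metadata": {"name": "testadminbinding", "namespace": "test1"},
     "roleRef": {"kind": "Role", "name": "testadmin"}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ossc-new"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
]

if __name__ == "__main__":
    for f in lint(MANIFESTS):
        print(f"{f.obj}: {f.message} (check: {f.check})")
```

Two points the example makes explicit: a binding is only as dangerous as the rules it resolves to, so the binding checks have to follow roleRef (and, for aggregated ClusterRoles, the label selectors) before they can say anything, and a binding whose role is not in the scanned set yields no finding rather than a guess. The wildcard check, by contrast, needs only the role itself, which is why in the output above the "testadmin" Role and the "testadminbinding" RoleBinding are reported separately.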