KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
Description of the problem/feature request
In addition to it being a best security practice for pods to have runAsUser set to a non-zero value, it is also recommended that the GID, determined by either the runtime default security context or the runAsGroup field, is set to a non-zero value.
Would like to propose either creating a new template/check or extending the existing run-as-non-root template to check against the runAsGroup field.
Description of the existing behavior vs. expected behavior
Below is a snippet of the behavior when runAsUser is set to 0. Expected behavior would be along similar lines.
$ ./kube-linter lint ~/Documents/kube-linter/pkg/command/lint/testdata/valid-pod.yaml
KubeLinter 0.6.8
/home/user/Documents/kube-linter/pkg/command/lint/testdata/valid-pod.yaml: (object: <no namespace>/homebrew-demo /v1, Kind=Pod) container "homebrew-test" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)
Error: found 1 lint errors
Additional context
Not particularly familiar with Go, but would be glad to take a crack at this.
Just let me know if there's any particular preference to either extend or create a new template (or any other helpful suggestions/pointers).
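A sketch of the proposed check, added here as an illustration and not code from kube-linter or from this issue's author: it models the subset of a pod spec the check needs (the type and field names are assumed), resolves the effective runAsGroup per container (a container-level value overrides the pod-level one, and neither set means the runtime default applies), and reports containers whose GID is unset or 0.

```go
package main

import "fmt"

// SecurityContext is the subset of a Kubernetes securityContext this check
// needs; a nil RunAsGroup means the field is absent (runtime default applies).
type SecurityContext struct{ RunAsGroup *int64 }

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type PodSpec struct {
	SecurityContext *SecurityContext
	Containers      []Container
}

// effectiveRunAsGroup resolves the GID a container will run with: the
// container-level runAsGroup wins, then the pod-level one, else nil (unset).
func effectiveRunAsGroup(pod PodSpec, c Container) *int64 {
	if c.SecurityContext != nil && c.SecurityContext.RunAsGroup != nil {
		return c.SecurityContext.RunAsGroup
	}
	if pod.SecurityContext != nil {
		return pod.SecurityContext.RunAsGroup
	}
	return nil
}

// CheckRunAsGroup returns one diagnostic per container whose effective
// runAsGroup is unset or 0, in the spirit of the run-as-non-root output above.
func CheckRunAsGroup(pod PodSpec) []string {
	var diags []string
	for _, c := range pod.Containers {
		switch gid := effectiveRunAsGroup(pod, c); {
		case gid == nil:
			diags = append(diags, fmt.Sprintf("container %q does not set runAsGroup (GID falls back to the runtime default)", c.Name))
		case *gid == 0:
			diags = append(diags, fmt.Sprintf("container %q is set to runAsGroup 0", c.Name))
		}
	}
	return diags
}

// int64p is a small helper for building constructed sample specs.
func int64p(v int64) *int64 { return &v }
```

For a constructed pod with pod-level runAsGroup 1000 and one container overriding it with 0, only that container is reported; a pod with no runAsGroup anywhere gets one diagnostic per container.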