Include static code analysis (SCA) in the CI

Summary

Issue discussed with @loic.nicolle.

kube-score is a static analysis (SCA) tool for Kubernetes manifests that would be worth adding to the CI: it can score the Kubernetes objects that Sylva deploys (see below).

In a first step the scoring is only informative: as long as the currently known configuration issues are not addressed (https://gitlab.com/sylva-projects/sylva-core/-/issues/396), kube-score must not block an MR.

kube-score can be executed on each MR, but only on the static output of the kustomize-units (the result of kustomize build for each unit).

A full kube-score run can be executed at the end of a real deployment, against the manifests produced by all the Sylva mechanics (Flux, HelmReleases, ...). Issue #724 (closed) was created for this full kube-score run.

Details

kube-score can be applied to each kustomize-unit's kustomization during the test step; it is quick:

$ kustomize build ./sylva-core/kustomize-units/capi | kube-score score -
apps/v1/Deployment capi-controller-manager in capi-system                     💥
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · manager -> The pod has a container with a writable root filesystem
            Set securityContext.readOnlyRootFilesystem to true
    [CRITICAL] Container Resources
        · manager -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · manager -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · manager -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · manager -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Container Image Pull Policy
        · manager -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · manager -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
v1/Service capi-webhook-service in capi-system                  
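A CI helper for the per-unit scoring shown above, added here as an example (it is not code from the Sylva repository). It assumes the units are laid out as kustomize-units/<unit>/kustomization.yaml, that kustomize and kube-score are on PATH, and it introduces KUBE_SCORE_BLOCKING, KUBE_SCORE_ARGS and KUBE_SCORE_REPORT as hypothetical CI variables. It keeps the run informative by default, collects every unit's findings into one report, and only turns CRITICAL findings into a failing exit status once KUBE_SCORE_BLOCKING=1; a unit that does not even render with kustomize build is treated as a real MR defect rather than a score.

```shell
#!/bin/sh
# Added example: score every kustomize-unit with kube-score on an MR,
# informative by default. Assumptions (not from the Sylva issue): units live
# in <dir>/<unit>/kustomization.yaml, kustomize and kube-score are on PATH,
# and the KUBE_SCORE_* variables below are CI variables we define ourselves.
set -eu

# Counts the kube-score findings of one level (CRITICAL or WARNING) on stdin.
# Works on both the human and the `--output-format ci` renderers: in both,
# the level tag is the first whitespace-separated field of a finding line.
count_level() {
    awk -v tag="[$1]" '$1 == tag { n++ } END { print n + 0 }'
}

# Scores one built manifest stream (stdin), appends it to the report ($2)
# and prints the number of CRITICAL findings for unit $1. kube-score's own
# exit status (1 as soon as a CRITICAL exists) is ignored here on purpose;
# the gate is applied once, at the end of score_units.
score_stream() {
    unit=$1; report=$2
    tmp=$(mktemp)
    # shellcheck disable=SC2086  # KUBE_SCORE_ARGS is intentionally word-split
    kube-score score --output-format ci ${KUBE_SCORE_ARGS:-} - > "$tmp" || true
    { printf '## %s\n' "$unit"; cat "$tmp"; echo; } >> "$report"
    count_level CRITICAL < "$tmp"
    rm -f "$tmp"
}

# Renders and scores every unit under $1; returns 1 only in blocking mode.
score_units() {
    units_dir=$1
    report=${KUBE_SCORE_REPORT:-kube-score-report.txt}
    : > "$report"
    total=0
    for kust in "$units_dir"/*/kustomization.yaml; do
        [ -f "$kust" ] || continue          # glob matched nothing
        unit=$(dirname "$kust")
        if ! built=$(kustomize build "$unit"); then
            # A unit that does not render is a real defect, not a score.
            echo "ERROR: kustomize build failed for $unit" >&2
            return 1
        fi
        n=$(printf '%s\n' "$built" | score_stream "$unit" "$report")
        echo "$unit: $n critical"
        total=$((total + n))
    done
    echo "total: $total critical finding(s), report in $report"
    # Informative phase: never block. Set KUBE_SCORE_BLOCKING=1 once the
    # known configuration issues have been fixed.
    if [ "${KUBE_SCORE_BLOCKING:-0}" = "1" ] && [ "$total" -gt 0 ]; then
        return 1
    fi
    return 0
}

# `sh score-units.sh run [units-dir]`; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    score_units "${2:-./kustomize-units}"
fi
```

In a GitLab job this is `sh score-units.sh run ./kustomize-units` with the report file declared as an artifact; `allow_failure: true` on the job is a second safety net while the run is informative. Checks the project decides not to act on (the "ImagePullPolicy is not set to Always" finding above is the usual candidate for digest-pinned images) can be silenced per check id with KUBE_SCORE_ARGS="--ignore-test <id>", the ids being printed by `kube-score list`.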

kube-score can also be run against a live cluster, i.e. in the deployment jobs. This is the most accurate scoring but it takes a while (about 1m30s on a KUBEADM-CAPO deployment of the management cluster). Note that the command below lists every namespaced resource that supports list, Secrets included, so Secret contents (base64-encoded, not encrypted) flow through the pipe: kube-score does not print them, but the job must not tee or archive that stream:

$ kubectl api-resources --verbs=list --namespaced -o name   | xargs -I{} bash -c "kubectl get {} --all-namespaces -o yaml && echo ---"   | kube-score score -
...
apps/v1/StatefulSet vault in vault                                            💥
    [CRITICAL] Container Image Pull Policy
        · config-templating -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
        · vault -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
        · bank-vaults -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Environment Variable Key Duplication
        · config-templating -> Environment Variable Key Duplication
            Container environment variable key 'POD_NAME' is duplicated
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · config-templating -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
        · vault -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
        · bank-vaults -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · config-templating -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · config-templating -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
        · vault -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · vault -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
        · bank-vaults -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · bank-vaults -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · config-templating -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
        · vault -> The pod has a container with a writable root filesystem
            Set securityContext.readOnlyRootFilesystem to true
        · bank-vaults -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] StatefulSet has ServiceName
        · StatefulSet does not have a valid serviceName
            StatefulSets currently require a Headless Service to be responsible
            for the network identity of the Pods. You are responsible for
            creating this Service.
            https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#limitations
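A variant of the full-cluster run, added here as an example (not code from the Sylva repository). It assumes KUBECONFIG already points at the deployed cluster, and the exclusion list and the KUBE_SCORE_ARGS/KUBE_SCORE_REPORT variables are this example's own assumptions. It drops Secrets from the dump (kube-score's checks look at workloads, Services, Ingresses, NetworkPolicies and similar objects, never at Secret contents) and Events (high volume, nothing to score), keeps going when a resource type cannot be listed instead of truncating the stream, and reports kube-score's exit status and the elapsed time without enforcing them, in line with the informative first step.

```shell
#!/bin/sh
# Added example: score a live cluster with kube-score without pushing Secret
# contents through the pipeline. Assumptions (not from the Sylva issue):
# KUBECONFIG points at the cluster; the exclusion list below is ours.
set -eu

# Resource names (as printed by `kubectl api-resources -o name`) that are
# either sensitive (secrets) or noise (events) and that kube-score has no
# check for. Assumed default list; override via the environment.
EXCLUDED_RESOURCES=${EXCLUDED_RESOURCES:-"secrets events events.events.k8s.io"}

# Reads resource names, one per line, on stdin and writes the ones to score.
scannable_resources() {
    while IFS= read -r res; do
        [ -n "$res" ] || continue
        skip=0
        for ex in $EXCLUDED_RESOURCES; do
            if [ "$res" = "$ex" ]; then skip=1; break; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$res"; fi
    done
}

# Dumps every listable, namespaced, non-excluded resource as one YAML stream.
# kubectl emits a v1/List per resource type, separated by '---' as in the
# original command. A type we are not allowed to list (RBAC, stale API
# group) is reported on stderr and skipped rather than cutting the dump short.
dump_cluster() {
    kubectl api-resources --verbs=list --namespaced -o name \
        | scannable_resources \
        | while IFS= read -r res; do
            kubectl get "$res" --all-namespaces -o yaml \
                || echo "WARNING: cannot list $res, skipped" >&2
            echo '---'
        done
}

# Runs the full-cluster score; the exit status is reported, not enforced.
score_cluster() {
    report=${KUBE_SCORE_REPORT:-kube-score-cluster.txt}
    start=$(date +%s)
    status=0
    # kube-score exits 1 when any CRITICAL is found; keep the report either way.
    # shellcheck disable=SC2086  # KUBE_SCORE_ARGS is intentionally word-split
    dump_cluster | kube-score score ${KUBE_SCORE_ARGS:-} - > "$report" || status=$?
    echo "cluster scored in $(( $(date +%s) - start ))s, kube-score exit $status, report in $report"
    return 0
}

# `sh score-cluster.sh run`; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    score_cluster
fi
```

The report file is the deployment job's artifact; because it only contains kube-score's findings, not the dumped objects, it is safe to keep, which the raw `kubectl get ... -o yaml` stream would not be.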
Edited Nov 15, 2023 by Alain Thioliere