An example custom plugin which checks for the existence of annotations.

```yaml
plugins:
  annotations: true
rules:
  annotations/no-empty-annotations: "warn"
  annotations/no-prometheus-admin: "warn"
```

Rules

| name | description |
|---|---|
| no-empty-annotations | Require annotations as metadata. |
| no-prometheus-admin | Disallow the admin API for Prometheus instances. |
Validation rules related to Argo CD.

```yaml
plugins:
  argo: true
rules:
  argo/argo-config-maps: "warn"
  argo/app-destination: "warn"
```

Rules

| name | description |
|---|---|
| argo-config-maps | Check that Argo CD ConfigMaps carry the required label. |
| app-destination | Check that an Argo Application's destination fields are mutually exclusive. |
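The following is an added example, not code from the page or from the plugin author: a stand-alone Python checker that implements the four rules of the `annotations` and `argo` plugins above over already-parsed manifests, driven by a rule-to-level map shaped like the YAML `rules:` sections. The field each rule inspects is an assumption where the page only names the rule: `spec.enableAdminAPI` on a `Prometheus` resource, the label `app.kubernetes.io/part-of: argocd` on the well-known `argocd-*` ConfigMaps, and `server` versus `name` under `spec.destination`. The `app_destination` check also goes one step beyond the listed rule and reports a destination that sets neither field. The sample manifests are constructed for the example.

```python
"""Stand-alone checks for the annotations and argo rule sets above.

Added example in plain Python over parsed manifests; it is not the plugin
toolkit's own API. Each rule takes one manifest (a dict) and returns a list
of finding strings; an empty list means the rule passed.
"""
from typing import Any, Callable

Manifest = dict[str, Any]
Rule = Callable[[Manifest], list[str]]


def _ident(m: Manifest) -> str:
    meta = m.get("metadata") or {}
    return f"{m.get('kind', '?')}/{meta.get('name', '?')}"


def no_empty_annotations(m: Manifest) -> list[str]:
    """annotations/no-empty-annotations: metadata.annotations must be a non-empty map."""
    ann = (m.get("metadata") or {}).get("annotations")
    if not isinstance(ann, dict) or not ann:
        return [f"{_ident(m)}: metadata.annotations is missing or empty"]
    return []


def no_prometheus_admin(m: Manifest) -> list[str]:
    """annotations/no-prometheus-admin: a Prometheus custom resource must not enable
    the admin API. Assumption: the field checked is spec.enableAdminAPI, the
    prometheus-operator setting that exposes the admin endpoints."""
    if m.get("kind") != "Prometheus":
        return []
    if (m.get("spec") or {}).get("enableAdminAPI") is True:
        return [f"{_ident(m)}: spec.enableAdminAPI is true"]
    return []


# Assumption: argo-config-maps covers these well-known Argo CD ConfigMap names.
ARGO_CONFIGMAPS = {"argocd-cm", "argocd-rbac-cm", "argocd-cmd-params-cm",
                   "argocd-ssh-known-hosts-cm", "argocd-tls-certs-cm"}


def argo_config_maps(m: Manifest) -> list[str]:
    """argo/argo-config-maps: Argo CD only reads its ConfigMaps when they carry
    app.kubernetes.io/part-of=argocd, so a missing label silently drops the config."""
    meta = m.get("metadata") or {}
    if m.get("kind") != "ConfigMap" or meta.get("name") not in ARGO_CONFIGMAPS:
        return []
    if (meta.get("labels") or {}).get("app.kubernetes.io/part-of") != "argocd":
        return [f"{_ident(m)}: missing label app.kubernetes.io/part-of=argocd"]
    return []


def app_destination(m: Manifest) -> list[str]:
    """argo/app-destination: spec.destination.server and spec.destination.name are
    mutually exclusive ways to pick the target cluster. Beyond the listed rule,
    a destination with neither is reported too (no cluster can be resolved)."""
    if m.get("kind") != "Application" or not str(m.get("apiVersion", "")).startswith("argoproj.io/"):
        return []
    dest = (m.get("spec") or {}).get("destination") or {}
    if "server" in dest and "name" in dest:
        return [f"{_ident(m)}: spec.destination sets both server and name"]
    if "server" not in dest and "name" not in dest:
        return [f"{_ident(m)}: spec.destination sets neither server nor name"]
    return []


RULES: dict[str, Rule] = {
    "annotations/no-empty-annotations": no_empty_annotations,
    "annotations/no-prometheus-admin": no_prometheus_admin,
    "argo/argo-config-maps": argo_config_maps,
    "argo/app-destination": app_destination,
}


def run(manifests: list[Manifest], config: dict[str, str]) -> list[tuple[str, str, str]]:
    """Apply the rules listed in `config` (rule id -> level, like the YAML above).
    Returns (level, rule id, message) per finding; "off" or unknown rules are skipped."""
    findings: list[tuple[str, str, str]] = []
    for rule_id, level in config.items():
        if level == "off" or rule_id not in RULES:
            continue
        for m in manifests:
            for msg in RULES[rule_id](m):
                findings.append((level, rule_id, msg))
    return findings


# Constructed sample manifests for the example; not taken from any real cluster.
SAMPLES: list[Manifest] = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "annotations": {}}},
    {"apiVersion": "monitoring.coreos.com/v1", "kind": "Prometheus",
     "metadata": {"name": "main", "annotations": {"team": "sre"}},
     "spec": {"enableAdminAPI": True}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "argocd-cm", "annotations": {"team": "platform"}}, "data": {}},
    {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
     "metadata": {"name": "guestbook", "annotations": {"team": "app"}},
     "spec": {"destination": {"server": "https://kubernetes.default.svc",
                              "name": "in-cluster", "namespace": "guestbook"}}},
    {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
     "metadata": {"name": "clean", "annotations": {"team": "app"}},
     "spec": {"destination": {"name": "in-cluster", "namespace": "clean"}}},
]

CONFIG = {rule_id: "warn" for rule_id in RULES}  # same shape as the YAML rules: map

if __name__ == "__main__":
    for level, rule_id, msg in run(SAMPLES, CONFIG):
        print(f"[{level}] {rule_id}: {msg}")
```

Each of the four failing samples trips exactly one rule and the `clean` Application trips none; setting a rule to `"off"` in the map removes its findings without touching the rule code, which is the same split between rule implementation and configured severity the YAML above expresses.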
Validates guidelines from the NSA Kubernetes Hardening Guide.

```yaml
plugins:
  nsa: true
rules:
  nsa/no-elevated-process: "warn"
  nsa/no-low-user-id: "warn"
  nsa/no-writable-fs: "warn"
  nsa/no-low-group-id: "warn"
  nsa/no-host-mounted-path: "warn"
  nsa/no-pod-execute: "warn"
  nsa/no-pod-create: "warn"
  nsa/no-host-port-access: "warn"
  nsa/run-as-non-root: "warn"
  nsa/no-automount-service-account-token: "warn"
```

Rules

| name | description |
|---|---|
| no-elevated-process | Disallow the process from elevating its privileges. |
| no-low-user-id | Disallow running with a low user ID. |
| no-writable-fs | Require a read-only root filesystem. |
| no-low-group-id | Disallow running with a low group ID. |
| no-host-mounted-path | Disallow mounting hostPath volumes. |
| no-pod-execute | Disallow permissions to exec into pods. |
| no-pod-create | Disallow permissions to create pods. |
| no-host-port-access | Disallow access to host ports. |
| run-as-non-root | Require the container to run as a non-root user. |
| no-automount-service-account-token | Disallow automounting the service account token. |
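The following is an added example, not the plugin's own code: a stand-alone Python checker that applies the ten `nsa` rules above to parsed manifests. The workload rules read the pod spec out of a Pod or the pod template of the usual controllers and merge pod-level and container-level `securityContext` the way the kubelet resolves them (container settings override pod settings); the two RBAC rules inspect `Role` and `ClusterRole` rules. Assumptions beyond what the page states: the floor for a "low" UID/GID is 10000, an unset `runAsUser`/`runAsGroup` is reported because it cannot be verified, and `no-host-port-access` also reports `hostNetwork: true` since host networking exposes every host port. The sample manifests are constructed for the example.

```python
"""Stand-alone checks for the nsa rule set above (added example, not plugin code)."""
from typing import Any, Optional

Manifest = dict[str, Any]
LOW_ID_FLOOR = 10000  # assumption: the page only says "low"; IDs below this are flagged
TEMPLATED = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(m: Manifest) -> Optional[Manifest]:
    """Locate the pod spec in a Pod, a pod-template workload, or a CronJob."""
    spec = m.get("spec") or {}
    if m.get("kind") == "Pod":
        return spec
    if m.get("kind") == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec")
    if m.get("kind") in TEMPLATED:
        return (spec.get("template") or {}).get("spec")
    return None


def containers(ps: Manifest) -> list[tuple[str, Manifest, Manifest]]:
    """(name, container, effective securityContext) for init and regular containers."""
    pod_sc = ps.get("securityContext") or {}
    out = []
    for c in (ps.get("initContainers") or []) + (ps.get("containers") or []):
        out.append((c.get("name", "?"), c, {**pod_sc, **(c.get("securityContext") or {})}))
    return out


def check_pod(m: Manifest) -> list[str]:
    """Workload rules; returns "rule: detail" strings, empty when the manifest is clean."""
    ps = pod_spec(m)
    if ps is None:
        return []
    f: list[str] = []
    if ps.get("automountServiceAccountToken") is not False:
        f.append("no-automount-service-account-token: automountServiceAccountToken is not false")
    for v in ps.get("volumes") or []:
        if "hostPath" in v:
            f.append(f"no-host-mounted-path: volume {v.get('name')} mounts hostPath {v['hostPath'].get('path')}")
    if ps.get("hostNetwork"):  # beyond hostPort: host networking reaches every host port
        f.append("no-host-port-access: hostNetwork is true")
    for name, c, sc in containers(ps):
        if sc.get("allowPrivilegeEscalation") is not False:
            f.append(f"no-elevated-process: {name} does not set allowPrivilegeEscalation=false")
        if sc.get("readOnlyRootFilesystem") is not True:
            f.append(f"no-writable-fs: {name} does not set readOnlyRootFilesystem=true")
        if sc.get("runAsNonRoot") is not True:
            f.append(f"run-as-non-root: {name} does not set runAsNonRoot=true")
        uid, gid = sc.get("runAsUser"), sc.get("runAsGroup")
        if uid is None or uid < LOW_ID_FLOOR:  # unset means the image decides; cannot be verified
            f.append(f"no-low-user-id: {name} runAsUser={uid} is unset or below {LOW_ID_FLOOR}")
        if gid is None or gid < LOW_ID_FLOOR:
            f.append(f"no-low-group-id: {name} runAsGroup={gid} is unset or below {LOW_ID_FLOOR}")
        for p in c.get("ports") or []:
            if "hostPort" in p:
                f.append(f"no-host-port-access: {name} binds hostPort {p['hostPort']}")
    return f


def check_rbac(m: Manifest) -> list[str]:
    """no-pod-execute / no-pod-create on Role and ClusterRole rules."""
    if m.get("kind") not in {"Role", "ClusterRole"}:
        return []
    f: list[str] = []
    for rule in m.get("rules") or []:
        groups = set(rule.get("apiGroups") or [])
        res, verbs = set(rule.get("resources") or []), set(rule.get("verbs") or [])
        if not groups & {"", "*"}:  # pods live in the core ("") API group
            continue
        # An exec session is opened by creating the pods/exec subresource; "*" grants all.
        if res & {"pods/exec", "*"} and verbs & {"create", "*"}:
            f.append("no-pod-execute: rule grants create on pods/exec")
        if res & {"pods", "*"} and verbs & {"create", "*"}:
            f.append("no-pod-create: rule grants create on pods")
    return f


# Constructed samples: one Deployment that fails every workload rule, one that passes,
# and a Role that grants both pod creation and exec.
BAD: Manifest = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "web", "image": "web:1",
                        "ports": [{"containerPort": 8080, "hostPort": 80}]}]}}}}
GOOD: Manifest = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001},
        "containers": [{"name": "web", "image": "web:1", "ports": [{"containerPort": 8080}],
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True}}]}}}}
ROLE: Manifest = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "debug"},
    "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
              {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create"]}]}

if __name__ == "__main__":
    for m in (BAD, GOOD, ROLE):
        for line in check_pod(m) + check_rbac(m):
            print(f"{m['kind']}/{m['metadata']['name']}: {line}")
```

`allowPrivilegeEscalation` and `readOnlyRootFilesystem` only exist at container level, which is why `GOOD` sets them per container while the UID/GID and `runAsNonRoot` settings are inherited from the pod-level `securityContext`; the merge in `containers()` is what lets a single container opt back out of a pod-wide setting, so a container that sets `runAsUser: 0` is still caught even when the pod says `runAsNonRoot: true`.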