Comments (4)
Hi @JacksonRin I think for some checks the remediation column does have links to further details, which might give more context on how and why the implemented checks are useful. We are also planning on adding some tests with sample input yaml files that would trigger these default checks, which could maybe help to understand the implications of checks as well.
As for the reasons we chose these checks to start with, we are starting with some commonly observed security pitfalls among k8s manifests. It is a growing set and we do plan to include more to help make this linter more robust.
from kube-linter.
@JacksonRin To add to what Koki said, you can also read more about these (and other) security best practices for Kubernetes in a wiki that we maintain at https://www.stackrox.com/wiki/.
from kube-linter.
There is a specific question on the env-var-secret check.
I've read the referenced link: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets, but I still cannot find out why the pod should use a secret file instead of env, so I am confused yet.
from kube-linter.
@JacksonRin Sorry for missing this. To clarify, it is okay to use secrets in an environment variable as long as you reference a Kubernetes secret and use envFrom as the value. However, putting an environment key value pair directly in the deployment (for example: key: AWS_SECRET_KEY and value: s2f121qf12521gq) is insecure, because it will show up as part of the deployment spec, which is not guarded closely by Kubernetes at all, and is accessible in a wide variety of locations by default. Hope that helps!
from kube-linter.
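The distinction the maintainer draws above, shown as manifests. This is an added example, not a file from the kube-linter project or from either commenter; the Deployment and Secret names, the image reference and the placeholder secret value are all constructed for illustration. The first Deployment embeds the literal value in the pod spec (the pattern the env-var-secret check is about); the Secret and second Deployment show the two referencing forms the Kubernetes API provides, valueFrom.secretKeyRef for a single key and envFrom.secretRef for every key in the Secret.

```yaml
# Constructed example (not kube-linter project code). Names and values are placeholders.

# --- Pattern the env-var-secret check flags: the secret is a literal in the Deployment spec ---
# Anyone able to read the Deployment (kubectl get deploy -o yaml, CI logs, git history,
# backups of the cluster state) also reads the credential.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app                      # constructed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: app
          image: registry.example/app:1.0  # placeholder image
          env:
            - name: AWS_SECRET_KEY
              value: "s2f121qf12521gq"      # the literal from the comment above; do not do this
---
# --- The credential lives in a Secret object instead ---
apiVersion: v1
kind: Secret
metadata:
  name: aws-credentials                  # constructed name
type: Opaque
stringData:
  AWS_SECRET_KEY: "REPLACE_ME"           # placeholder; populate out of band, not in the same repo as the Deployment
---
# --- Corrected Deployment: only references to the Secret appear in the spec ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: app
          image: registry.example/app:1.0
          env:
            # Single key pulled from the Secret at container start.
            - name: AWS_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: aws-credentials
                  key: AWS_SECRET_KEY
          # Alternatively, import every key of the Secret as an environment variable.
          envFrom:
            - secretRef:
                name: aws-credentials
```

Running kube-linter lint on a file containing the first Deployment exercises the check; the second Deployment carries no literal value to report. Note what the reference does and does not change: the Deployment spec no longer contains the credential, so read access to Deployments (which RBAC rules commonly grant broadly) no longer exposes it, and access is governed by who can read the Secret. The value is still injected into the container's process environment, so the Kubernetes page linked in the question also describes mounting a Secret as a file in a volume, which is the option the original question was asking about.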