# kubernetes.yaml
# Kubernetes Code Review Guidelines
# Comprehensive rules for Kubernetes security, reliability, and best practices
name: Kubernetes Code Review Guidelines
description: Guidelines for reviewing Kubernetes manifests covering security, resource management, networking, and reliability
globs:
  - "**/k8s/**/*.yaml"
  - "**/k8s/**/*.yml"
  - "**/kubernetes/**/*.yaml"
  - "**/kubernetes/**/*.yml"
  - "**/manifests/**/*.yaml"
  - "**/manifests/**/*.yml"
  - "**/helm/**/*.yaml"
  - "**/helm/**/*.yml"
  - "**/charts/**/*.yaml"
  - "**/charts/**/*.yml"
  - "**/kustomization.yaml"
  - "**/kustomization.yml"
areas:
  - name: security
    description: Security rules for Kubernetes workloads
    rules:
      - name: implement-rbac-least-privilege
        description: Follow the least privilege principle for RBAC. Avoid ClusterRoleBindings when namespaced RoleBindings suffice. Never grant cluster-admin to workloads. Use specific verbs and resources instead of wildcards. Review bindings to ServiceAccounts as carefully as bindings to users, because a compromised pod holds its ServiceAccount's token and inherits every permission bound to it.
        severity: high
      - name: use-pod-security-standards
        description: Apply the Pod Security Standards (restricted where possible, baseline at minimum) and enforce them with Pod Security Admission labels on the namespace, so that violating pods are rejected rather than merely flagged. Set securityContext with runAsNonRoot set to true, allowPrivilegeEscalation set to false, readOnlyRootFilesystem set to true, a seccompProfile of type RuntimeDefault, and drop all capabilities. Avoid privileged pods and hostPID, hostIPC, and hostNetwork.
        severity: high
      - name: implement-network-policies
        description: Define NetworkPolicies to control pod-to-pod communication. Start from a default deny for both ingress and egress in each namespace and explicitly allow required traffic (including egress to cluster DNS, which a default deny also blocks). Isolate sensitive workloads and limit the blast radius of a compromise. NetworkPolicies are only enforced when the cluster's network plugin supports them, so verify that before relying on them.
        severity: high
      - name: encrypt-secrets-at-rest
        description: Enable encryption at rest for Secrets in etcd through an API server EncryptionConfiguration; native Secrets are only base64-encoded, not encrypted. Use external secret management (Vault, AWS Secrets Manager, sealed-secrets) for sensitive data. Never commit unencrypted secrets to version control.
        severity: high
      - name: use-service-accounts
        description: Create a dedicated ServiceAccount for each workload. Never use the default ServiceAccount. Set automountServiceAccountToken to false on the pod (or on the ServiceAccount) when the workload does not call the Kubernetes API, so that a compromised container holds no API credential. Use Workload Identity where available instead of long-lived cloud keys.
        severity: medium
      - name: restrict-container-capabilities
        description: Drop all Linux capabilities and add back only those required (for example NET_BIND_SERVICE to bind a port below 1024). Use securityContext.capabilities.drop with ALL and list specific capabilities under add. Never add SYS_ADMIN or NET_ADMIN unless absolutely necessary; SYS_ADMIN in particular enables mount and many other host-affecting operations and removes most of the container boundary.
        severity: high
  - name: resource_management
    description: Resource requests, limits, and scaling configuration
    rules:
      - name: set-resource-requests-limits
        description: Always define resource requests and limits for CPU and memory. Requests drive scheduling; limits stop one container from exhausting a node. Set requests equal to limits for the Guaranteed QoS class on critical workloads, which are evicted last under memory pressure.
        severity: high
      - name: configure-hpa-properly
        description: Configure HorizontalPodAutoscaler with appropriate metrics and thresholds. Set minReplicas to 2 or more for availability. Use custom metrics for application-specific scaling. Avoid scaling on CPU alone for I/O-bound workloads, where CPU stays low while the service is saturated.
        severity: medium
      - name: implement-pod-disruption-budgets
        description: Create PodDisruptionBudgets for all production workloads. Set minAvailable or maxUnavailable so that a voluntary disruption never takes the workload below the replicas it needs; a PDB that is too strict blocks node drains entirely. PDBs protect against voluntary disruptions during node maintenance and cluster upgrades.
        severity: medium
      - name: configure-resource-quotas
        description: Implement ResourceQuotas in namespaces to prevent resource exhaustion. Set quotas for CPU, memory, storage, and object counts. Use LimitRanges to set default requests and limits for pods that omit them.
        severity: medium
  - name: reliability
    description: Reliability and availability configuration
    rules:
      - name: configure-liveness-probes
        description: Define livenessProbes to detect and restart unhealthy containers. Use the appropriate probe type (httpGet, tcpSocket, exec). Set a reasonable initialDelaySeconds, or a startupProbe, to avoid premature restarts during startup. A liveness check should test only the container itself, never external dependencies; otherwise a dependency outage restarts every replica at once.
        severity: high
      - name: configure-readiness-probes
        description: Define readinessProbes to control traffic routing. Pods that are not ready are removed from Service endpoints. Use different criteria than liveness; readiness may check dependency availability, because failing readiness withholds traffic instead of restarting the container.
        severity: high
      - name: configure-startup-probes
        description: Use startupProbes for slow-starting applications. Liveness and readiness probes do not run until the startup probe succeeds. This prevents containers from being killed during lengthy initialization without forcing a long initialDelaySeconds on the liveness probe.
        severity: medium
      - name: implement-anti-affinity
        description: Configure podAntiAffinity to spread replicas across nodes and zones. Use preferredDuringSchedulingIgnoredDuringExecution for soft rules; use requiredDuringSchedulingIgnoredDuringExecution only when spreading is mandatory, since it can leave pods unschedulable. This improves availability during node failures.
        severity: medium
      - name: configure-pod-topology-spread
        description: Use topologySpreadConstraints for even distribution across failure domains. Configure maxSkew, topologyKey, and whenUnsatisfiable appropriately. This complements anti-affinity rules.
        severity: medium
      - name: set-replica-count
        description: Run at least 2 replicas for production workloads. Single replicas create single points of failure. Consider the minimum replicas needed to handle traffic during rolling updates, when some replicas are being replaced.
        severity: medium
  - name: networking
    description: Service and network configuration
    rules:
      - name: use-appropriate-service-types
        description: Use ClusterIP for internal services and LoadBalancer only when needed. Prefer Ingress over LoadBalancer for HTTP traffic to reduce cloud costs. Use NodePort sparingly and only for specific use cases, since it opens a port on every node.
        severity: medium
      - name: configure-ingress-properly
        description: Use Ingress for HTTP/HTTPS routing instead of multiple LoadBalancers. Configure TLS termination with valid certificates, referencing the certificate Secret from spec.tls rather than embedding key material in the chart. Set appropriate annotations for ingress controller behavior.
        severity: medium
      - name: use-internal-dns
        description: Reference services by DNS name, not IP addresses. Use fully qualified names (service.namespace.svc.cluster.local) for cross-namespace communication. This ensures portability and resilience.
        severity: low
  - name: configuration
    description: ConfigMaps, Secrets, and environment configuration
    rules:
      - name: use-configmaps-for-config
        description: Store non-sensitive configuration in ConfigMaps. Mount them as files or expose them as environment variables. Set immutable to true on ConfigMaps whose values do not change; this improves performance and prevents accidental edits.
        severity: low
      - name: avoid-env-for-secrets
        description: Prefer mounting Secrets as files over environment variables. Environment variables may leak in logs, error messages, crash dumps, or debugging output, and are inherited by child processes. File mounts provide a better security boundary. Mount the Secret volume without subPath if the application should pick up rotated values; subPath mounts are never updated.
        severity: medium
      - name: use-external-secrets
        description: Use external secret management for production secrets. Tools like External Secrets Operator, Vault Injector, or Sealed Secrets provide better security than native Secrets checked into the repository.
        severity: medium
  - name: best_practices
    description: Kubernetes best practices and conventions
    rules:
      - name: use-namespaces
        description: Organize workloads into namespaces for isolation and resource management. Separate environments (dev, staging, prod) and teams into different namespaces. Apply RBAC and quotas per namespace.
        severity: medium
      - name: apply-standard-labels
        description: Apply consistent labels for organization and selection. Use recommended labels like app.kubernetes.io/name, app.kubernetes.io/version, app.kubernetes.io/component. Labels enable filtering and monitoring.
        severity: low
      - name: use-annotations-appropriately
        description: Use annotations for non-identifying metadata. Store tool configurations, documentation links, and operational metadata in annotations. Don't use labels for large or frequently changing values.
        severity: low
      - name: specify-image-pull-policy
        description: Set an explicit imagePullPolicy instead of relying on defaults (Kubernetes defaults to Always for the latest tag or an untagged image, and IfNotPresent otherwise). Use Always with mutable tags and IfNotPresent with immutable tags or digests. Never deploy the latest tag to production; pin an immutable tag or an image digest so that rollbacks are reproducible and the running image is known.
        severity: medium
      - name: configure-termination-grace-period
        description: Set an appropriate terminationGracePeriodSeconds for graceful shutdown. Ensure applications handle SIGTERM and complete in-flight requests, and that any preStop hook plus the shutdown fit within the period; the kubelet sends SIGKILL when it expires. The default of 30s may be insufficient for long-running operations.
        severity: medium
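The following is an added example, not part of this rules file or of the project it belongs to. It implements the pod-level security rules above (use-pod-security-standards, use-service-accounts, restrict-container-capabilities) as a checker over manifests written as Python dicts with the same structure as the YAML. Both Deployments and the function names are constructed for this example; the checker only sees the pod, so a token disabled on the ServiceAccount object instead is still reported.

```python
"""Added example: checker for the pod-level security rules (pod security
standards, ServiceAccounts, capabilities). Manifests are Python dicts with the
same structure as the YAML; both samples below are constructed for the example."""

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}

WEAK_DEPLOYMENT = {  # constructed: violates most of the security rules
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api-unhardened", "namespace": "prod"},
    "spec": {"replicas": 1, "template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "api", "image": "example.com/api:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}

HARDENED_DEPLOYMENT = {  # constructed: satisfies the restricted profile
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"replicas": 2, "template": {"spec": {
        "serviceAccountName": "api",
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "api", "image": "example.com/api:1.4.2",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"],
                                             "add": ["NET_BIND_SERVICE"]}}}],
    }}},
}


def pod_spec(obj):
    """Return the PodSpec of a bare Pod or of a Deployment/StatefulSet/DaemonSet/Job template."""
    return obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]


def pod_security_findings(obj):
    """List violations of the pod security rules in one Pod or workload object."""
    spec, findings = pod_spec(obj), []
    pod_ctx = spec.get("securityContext", {})
    for host in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host):
            findings.append(f"{host} is enabled")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("uses the default ServiceAccount")
    # Only the pod-level switch is visible here; the ServiceAccount object can disable it too.
    if spec.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken is not false")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, ctx = c["name"], c.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        # A container-level value overrides the pod-level one.
        if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot is not true")
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        seccomp = ctx.get("seccompProfile", pod_ctx.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile is not RuntimeDefault or Localhost")
        caps = ctx.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop does not contain ALL")
        for cap in caps.get("add", []):
            if cap in DANGEROUS_CAPS:
                findings.append(f"{name}: adds capability {cap}")
    return findings


if __name__ == "__main__":
    for obj in (WEAK_DEPLOYMENT, HARDENED_DEPLOYMENT):
        print(obj["metadata"]["name"], pod_security_findings(obj) or "OK")
```

Running it reports nine findings for the weak Deployment and none for the hardened one. The checks mirror what Pod Security Admission enforces for the restricted profile, with readOnlyRootFilesystem and the capability deny-list added from this rules file.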
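The following is an added example, not part of this rules file or of the project it belongs to. It covers implement-rbac-least-privilege and implement-network-policies: a check for wildcard rules and cluster-admin bindings, a builder for the default-deny NetworkPolicy the rule asks for together with the DNS egress allowance it makes necessary, and a function that reports which traffic directions a namespace actually denies by default. All objects, names and functions are constructed for the example.

```python
"""Added example: RBAC least-privilege checks and default-deny NetworkPolicies.
Objects are Python dicts mirroring the YAML; every sample here is constructed."""

OVERBROAD_BINDING = {  # constructed: gives a workload cluster-admin, cluster-wide
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "api-admin"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "prod"}],
}

WILDCARD_ROLE = {  # constructed: wildcards everywhere
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "api-anything", "namespace": "prod"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

SCOPED_ROLE = {  # constructed: namespaced, explicit verbs on one resource type
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "api-config-reader", "namespace": "prod"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}],
}


def rbac_findings(obj):
    """Flag wildcards, cluster-admin grants and cluster-wide bindings in one RBAC object."""
    kind, name, findings = obj["kind"], obj["metadata"]["name"], []
    if kind in ("Role", "ClusterRole"):
        for rule in obj.get("rules", []):
            for field in ("apiGroups", "resources", "verbs"):
                if "*" in rule.get(field, []):
                    findings.append(f"{kind}/{name}: wildcard in {field}")
    elif kind in ("RoleBinding", "ClusterRoleBinding"):
        if obj["roleRef"]["name"] == "cluster-admin":
            findings.append(f"{kind}/{name}: grants cluster-admin")
        if kind == "ClusterRoleBinding":
            findings.append(f"{kind}/{name}: cluster-wide binding; prefer a namespaced RoleBinding")
    return findings


def default_deny_policy(namespace):
    """The default-deny policy: an empty podSelector selects every pod in the
    namespace, and listing both policyTypes with no rules denies all traffic."""
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


def allow_dns_egress_policy(namespace):
    """Companion policy: after default deny, pods cannot resolve names until
    egress to cluster DNS in kube-system on port 53 is allowed again."""
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "allow-dns-egress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                 "egress": [{"to": [{"namespaceSelector": {
                                 "matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                             "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]},
    }


def default_deny_coverage(policies, namespace):
    """Return the directions ('Ingress', 'Egress') that the namespace denies by default,
    i.e. for which some policy selects all pods and carries no rules of that type."""
    covered = set()
    for p in policies:
        if p.get("kind") != "NetworkPolicy" or p["metadata"].get("namespace") != namespace:
            continue
        spec = p["spec"]
        if spec.get("podSelector", {}) not in ({}, {"matchLabels": {}}):
            continue
        # If policyTypes is omitted the API defaults it to Ingress (plus Egress when egress rules exist).
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if spec.get("egress") else [])
        for ptype in types:
            if not spec.get(ptype.lower()):
                covered.add(ptype)
    return covered


if __name__ == "__main__":
    for obj in (OVERBROAD_BINDING, WILDCARD_ROLE, SCOPED_ROLE):
        print(obj["metadata"]["name"], rbac_findings(obj) or "OK")
    print(default_deny_coverage([default_deny_policy("prod"), allow_dns_egress_policy("prod")], "prod"))
```

Because NetworkPolicies are additive, the allow-DNS policy does not weaken the default deny: the coverage function still reports both Ingress and Egress as denied by default for the namespace, and only the explicitly allowed flows get through. A namespace with only allow-rules and no all-pods deny reports an empty set, which is the review finding.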
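The following is an added example, not part of this rules file or of the project it belongs to. It turns the resource_management and reliability rules into a single checker: it derives the QoS class a PodSpec would get, requires requests, limits and probes on every container, a replica count of at least two, anti-affinity or topology spread, and a PodDisruptionBudget whose selector actually matches the workload's pod labels. The Deployments, PDB and function names are constructed for the example; quantities are compared as strings, which is a simplification.

```python
"""Added example: checker for the resource_management and reliability rules.
Objects are Python dicts mirroring the YAML; all samples are constructed."""

DEPLOYMENT = {  # constructed: satisfies the rules when paired with PDB below
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app.kubernetes.io/name": "api"}},
        "template": {
            "metadata": {"labels": {"app.kubernetes.io/name": "api"}},
            "spec": {
                "topologySpreadConstraints": [{
                    "maxSkew": 1, "topologyKey": "topology.kubernetes.io/zone",
                    "whenUnsatisfiable": "ScheduleAnyway",
                    "labelSelector": {"matchLabels": {"app.kubernetes.io/name": "api"}}}],
                "terminationGracePeriodSeconds": 60,
                "containers": [{
                    "name": "api", "image": "example.com/api:1.4.2",
                    "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                                  "limits": {"cpu": "250m", "memory": "256Mi"}},
                    # Liveness checks the process only; readiness checks whether it can serve.
                    "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                    "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
                    "startupProbe": {"httpGet": {"path": "/healthz", "port": 8080},
                                     "failureThreshold": 30, "periodSeconds": 2},
                }],
            },
        },
    },
}

MINIMAL_DEPLOYMENT = {  # constructed: what an unreviewed manifest often looks like
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "worker", "namespace": "prod"},
    "spec": {"template": {"metadata": {"labels": {"app": "worker"}},
             "spec": {"containers": [{"name": "worker", "image": "example.com/worker:2.0.1"}]}}},
}

PDB = {  # constructed: keeps at least two replicas during voluntary disruption
    "apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"minAvailable": 2, "selector": {"matchLabels": {"app.kubernetes.io/name": "api"}}},
}


def qos_class(spec):
    """Derive the QoS class the kubelet would assign from a PodSpec's resources.
    Simplification: quantities are compared as strings, so 250m and 0.25 differ here."""
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    reqs = [c.get("resources", {}).get("requests", {}) for c in containers]
    lims = [c.get("resources", {}).get("limits", {}) for c in containers]
    if not any(reqs) and not any(lims):
        return "BestEffort"
    # Guaranteed: every container has cpu and memory limits and requests equal
    # to them (an unset request defaults to the limit).
    for r, l in zip(reqs, lims):
        for k in ("cpu", "memory"):
            if not l.get(k) or r.get(k, l[k]) != l[k]:
                return "Burstable"
    return "Guaranteed"


def pdb_selects(pdb, labels, namespace):
    """True if the PDB is in the namespace and its matchLabels are a subset of the pod labels."""
    if pdb["metadata"].get("namespace") != namespace:
        return False
    wanted = pdb["spec"].get("selector", {}).get("matchLabels", {})
    return bool(wanted) and all(labels.get(k) == v for k, v in wanted.items())


def workload_findings(obj, pdbs=()):
    """List violations of the resource and reliability rules for one Deployment/StatefulSet."""
    findings, spec = [], obj["spec"]["template"]["spec"]
    labels = obj["spec"]["template"].get("metadata", {}).get("labels", {})
    if obj["spec"].get("replicas", 1) < 2:
        findings.append("fewer than 2 replicas")
    if qos_class(spec) == "BestEffort":
        findings.append("no resource requests or limits (BestEffort)")
    for c in spec.get("containers", []):
        res = c.get("resources", {})
        for field in ("requests", "limits"):
            for k in ("cpu", "memory"):
                if not res.get(field, {}).get(k):
                    findings.append(f"{c['name']}: missing {k} {field[:-1]}")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{c['name']}: no {probe}")
    if not spec.get("affinity", {}).get("podAntiAffinity") and not spec.get("topologySpreadConstraints"):
        findings.append("no podAntiAffinity or topologySpreadConstraints")
    if not any(pdb_selects(p, labels, obj["metadata"]["namespace"]) for p in pdbs):
        findings.append("no PodDisruptionBudget selects this workload")
    return findings


if __name__ == "__main__":
    for obj in (DEPLOYMENT, MINIMAL_DEPLOYMENT):
        print(obj["metadata"]["name"], qos_class(obj["spec"]["template"]["spec"]),
              workload_findings(obj, [PDB]) or "OK")
```

The PDB check is deliberately label-based rather than name-based: a PDB named after the Deployment but with a selector that matches nothing protects nothing, and that mismatch is a common review finding.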
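The following is an added example, not part of this rules file or of the project it belongs to. It shows the avoid-env-for-secrets rule as a weak manifest beside its corrected form and a checker that flags Secret values injected through env or envFrom, as well as Secret volumes mounted with subPath, which never receive rotated values. Both Deployments, the Secret names and the function are constructed for the example.

```python
"""Added example: checker for avoid-env-for-secrets and the subPath caveat on
Secret volume mounts. Both Deployments are constructed Python dicts mirroring the YAML."""

ENV_SECRETS = {  # constructed: the pattern the rule tells reviewers to reject
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "example.com/api:1.4.2",
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
        "envFrom": [{"secretRef": {"name": "api-keys"}}],
    }]}}},
}

FILE_SECRETS = {  # constructed: the same secret delivered as a read-only file
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}],
        "containers": [{
            "name": "api", "image": "example.com/api:1.4.2",
            # Only the path is in the environment; the value stays on the volume.
            "env": [{"name": "DB_PASSWORD_FILE", "value": "/run/secrets/db/password"}],
            # No subPath, so the file is updated when the Secret is rotated.
            "volumeMounts": [{"name": "db-creds", "mountPath": "/run/secrets/db", "readOnly": True}],
        }],
    }}},
}


def secret_env_findings(obj):
    """Flag Secrets exposed as environment variables and Secret volumes mounted with subPath."""
    spec, findings = obj["spec"]["template"]["spec"], []
    secret_volumes = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"{c['name']}: env {e['name']} exposes Secret {ref['name']}/{ref['key']}")
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                findings.append(f"{c['name']}: envFrom exposes every key of Secret {src['secretRef']['name']}")
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes and m.get("subPath"):
                findings.append(f"{c['name']}: Secret volume {m['name']} mounted with subPath; rotations will not propagate")
    return findings


if __name__ == "__main__":
    for obj in (ENV_SECRETS, FILE_SECRETS):
        print(obj["metadata"]["name"], secret_env_findings(obj) or "OK")
```

The file-based form still needs the application to read the path from DB_PASSWORD_FILE, and a Secret mounted as a file is readable by anyone who can exec into the pod, so the mount reduces accidental leakage through logs and child processes rather than replacing RBAC on the Secret itself.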