Update deployment rules #13 #12 #5 #18 #19 #20 #21 (#22)

Author: BernieWhite

.azure-pipelines/azure-pipelines.yaml

@@ -5,8 +5,8 @@ variables:
   version: '0.1.0'
   buildConfiguration: 'Release'
 
- # Use build number format, i.e. 0.1.0-B181101
-name: $(version)-B$(date:yyMM)$(rev:rr)
+ # Use build number format, i.e. 0.1.0-B1811001
+name: $(version)-B$(date:yyMM)$(rev:rrr)
 
 trigger:
   branches:
@@ -32,10 +32,10 @@ stages:
       matrix:
         Linux:
           displayName: 'Linux'
-          imageName: 'ubuntu-16.04'
+          imageName: 'ubuntu-latest'
         MacOS:
           displayName: 'MacOS'
-          imageName: 'macos-10.13'
+          imageName: 'macOS-latest'
         Windows:
           displayName: 'Windows'
           imageName: 'vs2017-win2016'
@@ -102,11 +102,9 @@ stages:
       condition: eq(variables['coverage'], 'true')
 
     # Generate artifacts
-    - task: PublishPipelineArtifact@0
+    - publish: out/modules/PSRule.Rules.Kubernetes
       displayName: 'Publish module'
-      inputs:
-        artifactName: PSRule.Rules.Kubernetes
-        targetPath: out/modules/PSRule.Rules.Kubernetes
+      artifact: PSRule.Rules.Kubernetes
       condition: and(succeeded(), eq(variables['publish'], 'true'))
 
 # Release pipeline
@@ -118,7 +116,7 @@ stages:
   - job:
     displayName: Live
     pool:
-      vmImage: 'ubuntu-16.04'
+      vmImage: 'ubuntu-latest'
     variables:
       isPreRelease: $[contains(variables['Build.SourceBranchName'], '-B')]
     steps:

.vscode/settings.json

@@ -29,5 +29,8 @@
         "text",
         "yaml",
         "yml"
-    ]
+    ],
+    "yaml.schemas": {
+        "kubernetes": "/tests/PSRule.Rules.Kubernetes.Tests/Resources.*.yaml"
+    }
 }

.vscode/tasks.json

@@ -23,7 +23,9 @@
             "label": "coverage",
             "type": "shell",
             "command": "Invoke-Build Test -CodeCoverage",
-            "problemMatcher": [ "$pester" ],
+            "problemMatcher": [
+                "$pester"
+            ],
             "presentation": {
                 "clear": true,
                 "panel": "dedicated"

CHANGELOG.md

@@ -1,7 +1,16 @@
+# Change log
 
 ## Unreleased
 
-- Update metadata rule to align to recommended labels. [#14](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/14)
+- Fixed `Kubernetes.AKS.PublicLB` handling of internal LB annotation. [#17](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/17)
+- Updated metadata rule to align to recommended labels. [#14](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/14)
+- Expanded deployment rules to include pods and replica sets. [#13](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/13)
+- Added rule documentation. [#5](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/5)
+- Added new rule `Kubernetes.API.Removal` to check for use of removed APIs. [#18](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/18)
+- Added new rule `Kubernetes.Pod.Secrets` to check if sensitive environment variables are used. [#19](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/19)
+- Added new rule `Kubernetes.Pod.Health` to check health probes are used. [#20](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/20)
+- Added new rule `Kubernetes.Pod.Replicas` to check if more then one replica is used. [#21](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/21)
+- **Breaking change**: Renamed deployment rules to relate to pods. [#12](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues/12)
 
 ## v0.1.0-B190521 (pre-release)
 

README.md

@@ -42,7 +42,7 @@ Invoke-PSRule -Module PSRule.Rules.Kubernetes -InputObject (kubectl get services
 
 The following rules are included in the `PSRule.Rules.Kubernetes` module:
 
-- [PSRule.Rules.Kubernetes](docs/rules/en-US/Kubernetes.md)
+- [PSRule.Rules.Kubernetes](docs/rules/en-US/module.md)
 
 ## Changes and versioning
 

RuleToc.Doc.ps1

@@ -1,8 +1,21 @@
 
-Document 'Kubernetes' {
-    Title 'Kubernetes rules'
+Document 'module' {
+    Title 'Module rules'
 
-    Get-PSRule -WarningAction SilentlyContinue | Table -Property @{ Name = 'RuleName'; Expression = {
-        "[$($_.RuleName)]($($_.RuleName).md)"
-    }}, Description
+    Import-Module .\out\modules\PSRule.Rules.Kubernetes
+    $rules = Get-PSRule -Module PSRule.Rules.Kubernetes -WarningAction SilentlyContinue
+
+    Section 'Baselines' {
+        # 'The following baselines are included in `PSRule.Rules.Kubernetes`.'
+    }
+
+    Section 'Rules' {
+        'The following rules are included in `PSRule.Rules.Kubernetes`.'
+
+        $rules | Table -Property @{ Name = 'RuleName'; Expression = {
+            "[$($_.RuleName)]($($_.RuleName).md)"
+        }}, Description, @{ Name = 'Category'; Expression = {
+            $_.Tag.category
+        }}
+    }
 }

docs/rules/en-US/Kubernetes.AKS.PublicLB.md

@@ -0,0 +1,23 @@
+---
+severity: Critical
+category: Service exposure
+online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.AKS.PublicLB.md
+---
+
+# Use internal load balancer
+
+## SYNOPSIS
+
+Use internal Azure load balancers.
+
+## DESCRIPTION
+
+When creating a load balanced service, by default AKS will create and attach an Azure load balancer with a public IP address.
+Creating a load balancer with a public IP address may allow Internet clients to connect to applications running on AKS.
+
+To create a load balanced service with an internal load balancer use the annotation `service.beta.kubernetes.io/azure-load-balancer-internal: "true"`.
+When this annotation is used on a load balanced service, the Azure load balancer will only be assigned a private IP address.
+
+## RECOMMENDATION
+
+Consider creating services with an internal load balancer instead of a public load balancer.

docs/rules/en-US/Kubernetes.API.Removal.md

@@ -0,0 +1,30 @@
+---
+severity: Important
+category: Resource APIs
+online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.API.Removal.md
+---
+
+# Use supported APIs
+
+## SYNOPSIS
+
+Avoid using legacy API endpoints.
+
+## DESCRIPTION
+
+In Kubernetes v1.16.0 a number of previously deprecated API endpoints have been removed.
+These removed endpoints will no longer work for new deployments after upgrading to Kubernetes v1.16.0 or greater.
+
+To prevent deployment issues use the newer API endpoints for these resources.
+
+- NetworkPolicy should use `networking.k8s.io/v1`.
+- PodSecurityPolicy should use `policy/v1beta1`.
+- DaemonSet, Deployment, StatefulSet, and ReplicaSet should use `apps/v1`.
+
+## RECOMMENDATION
+
+Consider updating resource deployments to use newer API endpoints prior to upgrading to Kubernetes >= v1.16.0.
+
+## LINKS
+
+- [Kubernetes v1.15.0 deprecations and removals](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#deprecations-and-removals)

docs/rules/en-US/Kubernetes.Metadata.md

@@ -12,7 +12,8 @@ Use Kubernetes common labels.
 
 ## DESCRIPTION
 
-Kubernetes defines a common set of labels that are recommended for tool interoperability. These labels should be used to consistently apply standard metadata.
+Kubernetes defines a common set of labels that are recommended for tool interoperability.
+These labels should be used to consistently apply standard metadata.
 
 ## RECOMMENDATION
 

docs/rules/en-US/Kubernetes.Pod.Health.md

@@ -0,0 +1,24 @@
+---
+severity: Important
+online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Health.md
+---
+
+# Use probes
+
+## SYNOPSIS
+
+Containers should use liveness and readiness probes.
+
+## DESCRIPTION
+
+Just like any other application, container applications may take time to start, fail during startup or operation.
+Kubernetes provides a way for the cluster to determine if each container is ready to respond to requests.
+This is accomplished through liveness and readiness probes.
+
+## RECOMMENDATION
+
+Containers should use liveness and readiness probes.
+
+## LINKS
+
+- [Configure Liveness, Readiness and Startup Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)