diff --git a/.github/lint_config.yaml b/.github/lint_config.yaml
new file mode 100644
index 0000000..40d76fd
--- /dev/null
+++ b/.github/lint_config.yaml
@@ -0,0 +1,7 @@
+remote: origin
+target-branch: main
+check-version-increment: false
+chart-dirs:
+ - apps/dev
+ - apps/stage
+ - apps/prod
diff --git a/.github/workflows/codespell.yaml b/.github/workflows/codespell.yaml
new file mode 100644
index 0000000..5d3fa9a
--- /dev/null
+++ b/.github/workflows/codespell.yaml
@@ -0,0 +1,18 @@
+name: Codespell
+
+on: pull_request
+
+jobs:
+ codespell:
+ name: Codespell
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2
+ - name: Codespell
+ uses: codespell-project/actions-codespell@master
+ with:
+ ignore_words_list: aks
+ check_filenames: true
+ check_hidden: false
+ skip: ./.git,*-secret.yaml,codespell.yaml
diff --git a/.github/workflows/kustomized-helm-diff.yaml b/.github/workflows/kustomized-helm-diff.yaml
new file mode 100644
index 0000000..e59e167
--- /dev/null
+++ b/.github/workflows/kustomized-helm-diff.yaml
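Review bot: Both action references in the `codespell` job are mutable — `codespell-project/actions-codespell@master` follows a branch head and `actions/checkout@v2` a moving major tag — so what this job executes can change without any commit to this repository. Pin each `uses:` to a full commit SHA with the tag recorded in a trailing comment, e.g. `uses: codespell-project/actions-codespell@<commit-sha>  # <tag>`, and move checkout to the v4 line that the `kustomized-helm-diff` workflow in this same commit already uses. The workflow also declares no `permissions:` block, so the job token receives the repository default; `permissions: { contents: read }` is all a spell check needs.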
@@ -0,0 +1,116 @@
+name: Kustomized-Helm manifest diff
+
+on:
+ pull_request:
+
+jobs:
+ list-changed-charts:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ outputs:
+ changed_charts: ${{ steps.list-changed.outputs.charts }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - uses: azure/setup-helm@v3
+ with:
+ version: v3.12.1
+
+ - uses: actions/setup-python@v4
+ with:
+ python-version: '3.10'
+ check-latest: true
+
+ - uses: helm/chart-testing-action@v2.6.1
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed_files=$(ct list-changed --config .github/lint_config.yaml | jq -R -s -c 'split("\n") | map(select(. != ""))')
+ echo "Changed files: $changed_files"
+ echo "charts=${changed_files}" >> "$GITHUB_OUTPUT"
+
+ dynamic_matrix:
+ needs: list-changed-charts
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ strategy:
+ matrix:
+ file: ${{ fromJson(needs.list-changed-charts.outputs.changed_charts) }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ path: head
+
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.base.ref }}
+ fetch-depth: 0
+ path: main
+
+ - uses: azure/setup-helm@v3
+ with:
+ version: v3.12.1
+
+ - name: Helm dependency update and render
+ run: |
+ REF_PATH=head
+ if [ ! -d "${REF_PATH}/${{ matrix.file }}" ]; then
+ mkdir -p "${REF_PATH}/${{ matrix.file }}"
+ touch "${REF_PATH}/${{ matrix.file }}/all.yaml"
+ touch "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+
+ echo "apiVersion: kustomize.config.k8s.io/v1beta1" > "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+ echo "kind: Kustomization" >> "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+
+ echo "resources:" >> "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+ echo " - all.yaml" >> "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+ else
+ pushd ${REF_PATH}/${{ matrix.file }}
+ helm dependency update
+ helm template . --name-template $(basename $PWD) --namespace frinx --values values.yaml --values cluster-values.yaml --include-crds > all.yaml
+ popd
+ fi
+
+ - name: Helm dependency update and render
+ run: |
+ REF_PATH=main
+
+ if [ ! -d "${REF_PATH}/${{ matrix.file }}" ]; then
+ mkdir -p "${REF_PATH}/${{ matrix.file }}"
+ touch "${REF_PATH}/${{ matrix.file }}/all.yaml"
+ touch "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+
+ echo "apiVersion: kustomize.config.k8s.io/v1beta1" > "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+ echo "kind: Kustomization" >> "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+
+ echo "resources:" >> "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+ echo " - all.yaml" >> "${REF_PATH}/${{ matrix.file }}/kustomization.yaml"
+ else
+ pushd ${REF_PATH}/${{ matrix.file }}
+ helm dependency update
+ helm template . --name-template $(basename $PWD) --namespace frinx --values values.yaml --values cluster-values.yaml --include-crds > all.yaml
+ popd
+ fi
+
+ - uses: int128/kustomize-action@v1
+ id: kustomize-head
+ with:
+ base-directory: head/${{ matrix.file }}
+ kustomization: kustomization.yaml
+ write-individual-files: true
+
+ - uses: int128/kustomize-action@v1
+ id: kustomize-base
+ with:
+ base-directory: main/${{ matrix.file }}
+ kustomization: kustomization.yaml
+ write-individual-files: true
+
+ - uses: int128/diff-action@v1
+ with:
+ base: ${{ steps.kustomize-base.outputs.directory }}
+ head: ${{ steps.kustomize-head.outputs.directory }}
\ No newline at end of file
diff --git a/.github/workflows/kustomized-helm-kube-score.yaml b/.github/workflows/kustomized-helm-kube-score.yaml
new file mode 100644
index 0000000..f93c18a
--- /dev/null
+++ b/.github/workflows/kustomized-helm-kube-score.yaml
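Review bot: The `dynamic_matrix` job has no guard for an empty chart list, so a pull request that touches no chart directory makes `fromJson(...)` yield an empty `file` vector and the job errors instead of being skipped; add `if: needs.list-changed-charts.outputs.changed_charts != '[]'` to the job. In both render steps `${{ matrix.file }}` is spliced directly into the `run:` script and then used unquoted in `pushd ${REF_PATH}/${{ matrix.file }}`; because the value is derived from directory names in the pull request, it should be handed to the step as `env: { CHART_DIR: "${{ matrix.file }}" }` and referenced as `"${REF_PATH}/${CHART_DIR}"` so the shell treats it as data rather than script text. The two steps also carry the identical name `Helm dependency update and render` and differ only in `REF_PATH`, which makes the log hard to read and the duplicate body easy to let drift — naming them `... (head)` / `... (base)`, or folding them into a single step that loops over `head main`, would fix both.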
@@ -0,0 +1,22 @@
+name: Kustomized-Helm manifest diff
+
+on:
+ pull_request:
+
+env:
+ KUBE_SCORE_VERSION: 1.18.0
+
+jobs:
+
+ kube-score:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: install kube-scre
+ run: |
+ wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION}}/kube-score_${{ env.KUBE_SCORE_VERSION}}_linux_amd64 -O /usr/local/bin/kube-score
+ chmod +x /usr/local/bin/kube-score
+
+ - run: kube-score version
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a433e3f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.tgz
+*.lock
+**/temp/*
+.idea
diff --git a/apps/dev/argocd-appset-frinx-machine-persistence.yaml b/apps/dev/argocd-appset-frinx-machine-persistence.yaml
new file mode 100644
index 0000000..259969d
--- /dev/null
+++ b/apps/dev/argocd-appset-frinx-machine-persistence.yaml
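Review bot: The `install kube-scre` step fetches the kube-score binary with `wget` and marks it executable with no integrity check, so the job runs whatever the release URL serves at that moment; record the expected digest of the `1.18.0` linux_amd64 asset next to the version (`KUBE_SCORE_SHA256: <sha256-of-release-asset>`) and verify it with `echo "${KUBE_SCORE_SHA256}  /usr/local/bin/kube-score" | sha256sum -c -` before the `chmod +x`. The step name is misspelled (`kube-scre`), and the workflow `name:` is copied from the diff workflow — `Kustomized-Helm manifest diff` — so the two checks are indistinguishable in the Checks tab; `name: Kustomized-Helm kube-score` would resolve that. As written the workflow stops at `kube-score version` and never scores a manifest; if that is intentional scaffolding a comment saying so would help, otherwise a step that renders the charts and pipes the result into `kube-score score -` is what is missing.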
@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: frinx-machine-persistence-dev
+ namespace: argocd
+ # finalizers:
+ # - resources-finalizer.argocd.argoproj.io
+ labels:
+ deployment: fm-dev
+ type: frinx-machine-persistence
+spec:
+ goTemplate: true
+ goTemplateOptions: ["missingkey=error"]
+ generators:
+ # - matrix:
+ # generators:
+ # - list:
+ # elements:
+ # - cluster: in-cluster
+ # namespace: fm-dev
+ # project: default
+ - list:
+ elements:
+ - name: frinx-arango-config
+ - name: kafka
+ - name: postgresql
+ - name: timescale-db
+ - name: uniconfig-postgres
+ template:
+ metadata:
+ name: "{{name}}-dev"
+ labels:
+ name: "{{name}}"
+ type: frinx-machine-persistence
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ spec:
+ project: "default"
+ destination:
+ name: "in-cluster"
+ namespace: "fm-dev"
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ source:
+ repoURL: git@github.com:FRINXio/gitops-boilerplate.git
+ targetRevision: HEAD
+ path: "apps/dev/frinx-machine-persistence/{{name}}"
+ plugin:
+ name: kustomized-helm
+ parameters:
+ - name: helm-template-extra-args
+ string: |
+ -f values.yaml -f cluster-values.yaml
diff --git a/apps/dev/frinx-machine-monitoring/.helmignore b/apps/dev/frinx-machine-monitoring/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/apps/dev/frinx-machine-monitoring/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
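Review bot: `spec.goTemplate: true` switches this ApplicationSet to Go text/template syntax, but the template still uses the fasttemplate form `{{name}}` in `name: "{{name}}-dev"`, `name: "{{name}}"` and `path: "apps/dev/frinx-machine-persistence/{{name}}"`; a bare `name` inside `{{ }}` is parsed by Go as a function call, so the set fails to render — these need to be `{{ .name }}`, after which `missingkey=error` does its job of rejecting unset fields. The generator element `uniconfig-postgres` also does not match the directory this commit adds, `apps/dev/frinx-machine-persistence/uniconfig-postgresql`, so that Application's `path` would not exist; pick one spelling for both. A smaller point: the finalizer is commented out on the ApplicationSet itself but set on each generated Application, which is a legitimate choice but deserves a one-line comment saying the set is intentionally not cascaded.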
diff --git a/apps/dev/frinx-machine-monitoring/Chart.yaml b/apps/dev/frinx-machine-monitoring/Chart.yaml
new file mode 100644
index 0000000..713fc67
--- /dev/null
+++ b/apps/dev/frinx-machine-monitoring/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: frinx-machine-monitoring
+description: Kubernetes deployment of FRINX-machine
+icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
+type: application
+version: 6.1.0
+maintainers:
+ - name: FRINX
+dependencies:
+ - name: frinx-machine
+ # repository: https://FRINXio.github.io/helm-charts
+ repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine
+ version: 9.0.0
diff --git a/apps/dev/frinx-machine-monitoring/cluster-values.yaml b/apps/dev/frinx-machine-monitoring/cluster-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-monitoring/kustomization.yaml b/apps/dev/frinx-machine-monitoring/kustomization.yaml
new file mode 100755
index 0000000..9710555
--- /dev/null
+++ b/apps/dev/frinx-machine-monitoring/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - all.yaml
diff --git a/apps/dev/frinx-machine-monitoring/local-values.yaml b/apps/dev/frinx-machine-monitoring/local-values.yaml
new file mode 100644
index 0000000..2b95195
--- /dev/null
+++ b/apps/dev/frinx-machine-monitoring/local-values.yaml
@@ -0,0 +1,11 @@
+frinx-machine:
+ frinx-machine-monitoring:
+ grafana:
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ # Values can be templated
+ path: /
+ pathType: Prefix
+ hosts:
+ - grafana.127.0.0.1.nip.io
\ No newline at end of file
diff --git a/apps/dev/frinx-machine-monitoring/values.yaml b/apps/dev/frinx-machine-monitoring/values.yaml
new file mode 100644
index 0000000..bb17f24
--- /dev/null
+++ b/apps/dev/frinx-machine-monitoring/values.yaml
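Review bot: `repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine` is a path on one developer's machine, so `helm dependency update` — which the `kustomized-helm-diff` workflow runs on every pull request, and which the `kustomized-helm` ArgoCD plugin presumably needs as well — cannot resolve the dependency anywhere else. The commented-out `https://FRINXio.github.io/helm-charts` line looks like the intended value; restore it (or use a `file://` path relative to the repository) before this lands. The same local path is committed in every Chart.yaml in this commit — `frinx-machine-operators`, `frinx-arango-config`, `kafka`, `postgresql`, `timescale-db`, `uniconfig-postgresql` and `frinx-machine` — so the fix applies to all of them. Note also that `.gitignore` excludes `*.lock`, so once a remote repository is used the resolved dependency is never pinned by `Chart.lock` and an upstream re-publish of `9.0.0` would change the rendered manifests without a diff in this repository.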
@@ -0,0 +1,12 @@
+frinx-machine:
+ frinx-machine-monitoring:
+ enabled: true
+
+ frinx-machine-operators:
+ enabled: false
+
+ frinx-machine-core:
+ enabled: false
+
+ frinx-machine-persistence:
+ enabled: false
diff --git a/apps/dev/frinx-machine-operators/.helmignore b/apps/dev/frinx-machine-operators/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/apps/dev/frinx-machine-operators/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/apps/dev/frinx-machine-operators/Chart.yaml b/apps/dev/frinx-machine-operators/Chart.yaml
new file mode 100644
index 0000000..908cfb7
--- /dev/null
+++ b/apps/dev/frinx-machine-operators/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: frinx-machine-operators
+description: Kubernetes deployment of FRINX-machine
+icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
+type: application
+version: 6.1.0
+maintainers:
+ - name: FRINX
+dependencies:
+ - name: frinx-machine
+ # repository: https://FRINXio.github.io/helm-charts
+ repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine
+ version: 9.0.0
+
diff --git a/apps/dev/frinx-machine-operators/cluster-values.yaml b/apps/dev/frinx-machine-operators/cluster-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-operators/kustomization.yaml b/apps/dev/frinx-machine-operators/kustomization.yaml
new file mode 100755
index 0000000..9710555
--- /dev/null
+++ b/apps/dev/frinx-machine-operators/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - all.yaml
diff --git a/apps/dev/frinx-machine-operators/values.yaml b/apps/dev/frinx-machine-operators/values.yaml
new file mode 100644
index 0000000..a606652
--- /dev/null
+++ b/apps/dev/frinx-machine-operators/values.yaml
@@ -0,0 +1,13 @@
+frinx-machine:
+
+ frinx-machine-operators:
+ enabled: true
+
+ frinx-machine-monitoring:
+ enabled: false
+
+ frinx-machine-core:
+ enabled: false
+
+ frinx-machine-persistence:
+ enabled: false
diff --git a/apps/dev/frinx-machine-persistence/frinx-arango-config/.helmignore b/apps/dev/frinx-machine-persistence/frinx-arango-config/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/frinx-arango-config/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/apps/dev/frinx-machine-persistence/frinx-arango-config/Chart.yaml b/apps/dev/frinx-machine-persistence/frinx-arango-config/Chart.yaml
new file mode 100644
index 0000000..c864043
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/frinx-arango-config/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: frinx-arango-config
+description: Kubernetes deployment of FRINX-machine arangodb
+icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
+type: application
+version: 6.1.0
+maintainers:
+ - name: FRINX
+dependencies:
+ - name: frinx-machine
+ # repository: https://FRINXio.github.io/helm-charts
+ repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine
+ version: 9.0.0
diff --git a/apps/dev/frinx-machine-persistence/frinx-arango-config/cluster-values.yaml b/apps/dev/frinx-machine-persistence/frinx-arango-config/cluster-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/frinx-arango-config/kustomization.yaml b/apps/dev/frinx-machine-persistence/frinx-arango-config/kustomization.yaml
new file mode 100755
index 0000000..9710555
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/frinx-arango-config/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - all.yaml
diff --git a/apps/dev/frinx-machine-persistence/frinx-arango-config/local-values.yaml b/apps/dev/frinx-machine-persistence/frinx-arango-config/local-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/frinx-arango-config/values.yaml b/apps/dev/frinx-machine-persistence/frinx-arango-config/values.yaml
new file mode 100644
index 0000000..f3e2db1
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/frinx-arango-config/values.yaml
@@ -0,0 +1,30 @@
+frinx-machine:
+
+ frinx-machine-monitoring:
+ enabled: false
+
+ frinx-machine-core:
+ enabled: false
+
+ frinx-machine-operators:
+ enabled: false
+
+ # CONFUGIRE PERSISTENCE
+
+ frinx-machine-persistence:
+ enabled: true
+
+ frinx-arango-config:
+ enabled: true
+
+ uniconfig-postgres:
+ enabled: false
+
+ workflow-manager-postgres:
+ enabled: false
+
+ kafka:
+ enabled: false
+
+ timescale-db:
+ enabled: false
diff --git a/apps/dev/frinx-machine-persistence/kafka/.helmignore b/apps/dev/frinx-machine-persistence/kafka/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/kafka/.helmignore
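Review bot: The comment `# CONFUGIRE PERSISTENCE` in `frinx-arango-config/values.yaml` is misspelled and reads as a stray heading; `# CONFIGURE PERSISTENCE` is the intent. Since every sibling values.yaml under `frinx-machine-persistence/` follows the same shape — all top-level sub-charts off, `frinx-machine-persistence` on, exactly one persistence component on — a one-line comment above `frinx-machine-persistence:` stating that rule (`# exactly one persistence component is enabled per directory; the rest stay false`) would make the pattern explicit for whoever adds the next component.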
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/apps/dev/frinx-machine-persistence/kafka/Chart.yaml b/apps/dev/frinx-machine-persistence/kafka/Chart.yaml
new file mode 100644
index 0000000..f999822
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/kafka/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: kafka
+description: Kubernetes deployment of FRINX-machine
+icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
+type: application
+version: 6.1.0
+maintainers:
+ - name: FRINX
+dependencies:
+ - name: frinx-machine
+ # repository: https://FRINXio.github.io/helm-charts
+ repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine
+ version: 9.0.0
+
diff --git a/apps/dev/frinx-machine-persistence/kafka/cluster-values.yaml b/apps/dev/frinx-machine-persistence/kafka/cluster-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/kafka/kustomization.yaml b/apps/dev/frinx-machine-persistence/kafka/kustomization.yaml
new file mode 100755
index 0000000..9710555
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/kafka/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - all.yaml
diff --git a/apps/dev/frinx-machine-persistence/kafka/local-values.yaml b/apps/dev/frinx-machine-persistence/kafka/local-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/kafka/values.yaml b/apps/dev/frinx-machine-persistence/kafka/values.yaml
new file mode 100644
index 0000000..776e67c
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/kafka/values.yaml
@@ -0,0 +1,28 @@
+frinx-machine:
+
+ frinx-machine-monitoring:
+ enabled: false
+
+ frinx-machine-core:
+ enabled: false
+
+ frinx-machine-operators:
+ enabled: false
+
+ frinx-machine-persistence:
+ enabled: true
+
+ kafka:
+ enabled: true
+
+ frinx-arango-config:
+ enabled: false
+
+ uniconfig-postgres:
+ enabled: false
+
+ workflow-manager-postgres:
+ enabled: false
+
+ timescale-db:
+ enabled: false
diff --git a/apps/dev/frinx-machine-persistence/postgresql/.helmignore b/apps/dev/frinx-machine-persistence/postgresql/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/postgresql/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/apps/dev/frinx-machine-persistence/postgresql/Chart.yaml b/apps/dev/frinx-machine-persistence/postgresql/Chart.yaml
new file mode 100644
index 0000000..e4eed89
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/postgresql/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: postgresql
+description: Kubernetes deployment of FRINX-machine
+icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
+type: application
+version: 6.1.0
+maintainers:
+ - name: FRINX
+dependencies:
+ - name: frinx-machine
+ # repository: https://FRINXio.github.io/helm-charts
+ repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine
+ version: 9.0.0
+
diff --git a/apps/dev/frinx-machine-persistence/postgresql/cluster-values.yaml b/apps/dev/frinx-machine-persistence/postgresql/cluster-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/postgresql/kustomization.yaml b/apps/dev/frinx-machine-persistence/postgresql/kustomization.yaml
new file mode 100755
index 0000000..9710555
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/postgresql/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - all.yaml
diff --git a/apps/dev/frinx-machine-persistence/postgresql/local-values.yaml b/apps/dev/frinx-machine-persistence/postgresql/local-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/postgresql/values.yaml b/apps/dev/frinx-machine-persistence/postgresql/values.yaml
new file mode 100644
index 0000000..4da9810
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/postgresql/values.yaml
@@ -0,0 +1,28 @@
+frinx-machine:
+
+ frinx-machine-monitoring:
+ enabled: false
+
+ frinx-machine-core:
+ enabled: false
+
+ frinx-machine-operators:
+ enabled: false
+
+ frinx-machine-persistence:
+ enabled: true
+
+ workflow-manager-postgres:
+ enabled: true
+
+ frinx-arango-config:
+ enabled: false
+
+ uniconfig-postgres:
+ enabled: false
+
+ kafka:
+ enabled: false
+
+ timescale-db:
+ enabled: false
diff --git a/apps/dev/frinx-machine-persistence/timescale-db/.helmignore b/apps/dev/frinx-machine-persistence/timescale-db/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/timescale-db/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/apps/dev/frinx-machine-persistence/timescale-db/Chart.yaml b/apps/dev/frinx-machine-persistence/timescale-db/Chart.yaml
new file mode 100644
index 0000000..1edb38b
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/timescale-db/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: timescale-db
+description: Kubernetes deployment of timescale-db
+icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
+type: application
+version: 6.1.0
+maintainers:
+ - name: FRINX
+dependencies:
+ - name: frinx-machine
+ # repository: https://FRINXio.github.io/helm-charts
+ repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine
+ version: 9.0.0
+
diff --git a/apps/dev/frinx-machine-persistence/timescale-db/cluster-values.yaml b/apps/dev/frinx-machine-persistence/timescale-db/cluster-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/timescale-db/kustomization.yaml b/apps/dev/frinx-machine-persistence/timescale-db/kustomization.yaml
new file mode 100755
index 0000000..9710555
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/timescale-db/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - all.yaml
diff --git a/apps/dev/frinx-machine-persistence/timescale-db/local-values.yaml b/apps/dev/frinx-machine-persistence/timescale-db/local-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/timescale-db/values.yaml b/apps/dev/frinx-machine-persistence/timescale-db/values.yaml
new file mode 100644
index 0000000..fe1ab6e
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/timescale-db/values.yaml
@@ -0,0 +1,28 @@
+frinx-machine:
+
+ frinx-machine-monitoring:
+ enabled: false
+
+ frinx-machine-core:
+ enabled: false
+
+ frinx-machine-operators:
+ enabled: false
+
+ frinx-machine-persistence:
+ enabled: true
+
+ timescale-db:
+ enabled: true
+
+ workflow-manager-postgres:
+ enabled: false
+
+ frinx-arango-config:
+ enabled: false
+
+ uniconfig-postgres:
+ enabled: false
+
+ kafka:
+ enabled: false
diff --git a/apps/dev/frinx-machine-persistence/uniconfig-postgresql/.helmignore b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/apps/dev/frinx-machine-persistence/uniconfig-postgresql/Chart.yaml b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/Chart.yaml
new file mode 100644
index 0000000..95bdd72
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: uniconfig-postgresql
+description: Kubernetes deployment of FRINX-machine
+icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
+type: application
+version: 6.1.0
+maintainers:
+ - name: FRINX
+dependencies:
+ - name: frinx-machine
+ # repository: https://FRINXio.github.io/helm-charts
+ repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine
+ version: 9.0.0
+
diff --git a/apps/dev/frinx-machine-persistence/uniconfig-postgresql/cluster-values.yaml b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/cluster-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/uniconfig-postgresql/kustomization.yaml b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/kustomization.yaml
new file mode 100755
index 0000000..9710555
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - all.yaml
diff --git a/apps/dev/frinx-machine-persistence/uniconfig-postgresql/local-values.yaml b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/local-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/dev/frinx-machine-persistence/uniconfig-postgresql/values.yaml b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/values.yaml
new file mode 100644
index 0000000..69ea569
--- /dev/null
+++ b/apps/dev/frinx-machine-persistence/uniconfig-postgresql/values.yaml
@@ -0,0 +1,30 @@
+frinx-machine:
+
+ frinx-machine-monitoring:
+ enabled: false
+
+ frinx-machine-core:
+ enabled: false
+
+ frinx-machine-operators:
+ enabled: false
+
+ frinx-machine-persistence:
+ enabled: true
+
+ uniconfig-postgres:
+ enabled: true
+
+ timescale-db:
+ enabled: false
+
+ workflow-manager-postgres:
+ enabled: false
+
+ frinx-arango-config:
+ enabled: false
+
+ kafka:
+ enabled: false
+
+
diff --git a/apps/dev/frinx-machine/.helmignore b/apps/dev/frinx-machine/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/apps/dev/frinx-machine/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/apps/dev/frinx-machine/Chart.yaml b/apps/dev/frinx-machine/Chart.yaml
new file mode 100644
index 0000000..58d877d
--- /dev/null
+++ b/apps/dev/frinx-machine/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: frinx-machine
+description: Kubernetes deployment of FRINX-machine
+icon: https://avatars.githubusercontent.com/u/23452093?s=200&v=4
+type: application
+version: 6.1.0
+maintainers:
+ - name: FRINX
+dependencies:
+ - name: frinx-machine
+ # repository: https://FRINXio.github.io/helm-charts
+ repository: file:///home/jozef/Documents/frinx/github/FM-debug/helm-charts/charts/frinx-machine
+ version: 9.0.0
diff --git a/apps/dev/frinx-machine/cluster-values.yaml b/apps/dev/frinx-machine/cluster-values.yaml
new file mode 100644
index 0000000..28dd05d
--- /dev/null
+++ b/apps/dev/frinx-machine/cluster-values.yaml
@@ -0,0 +1,43 @@
+environment:
+ cluster:
+ enabled: true
+ local:
+ enabled: false
+
+frinx-machine:
+ frinx-machine-core:
+ krakend:
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+ hosts:
+ - host: fm-dev.10.7.6.124.nip.io
+ paths:
+ - path: "/"
+ pathType: ImplementationSpecific
+
+ uniconfig:
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+ hosts:
+ - host: uniconfig-controller.10.7.6.124.nip.io
+ paths:
+ - path: "/"
+ pathType: ImplementationSpecific
+
+ image:
+ repository: "frinxio/uniconfig"
+
+ performance-monitor:
+ image:
+ repository: "frinxio/performance-monitor"
diff --git a/apps/dev/frinx-machine/kustomization.yaml b/apps/dev/frinx-machine/kustomization.yaml
new file mode 100755
index 0000000..9710555
--- /dev/null
+++ b/apps/dev/frinx-machine/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - all.yaml
diff --git a/apps/dev/frinx-machine/local-values.yaml b/apps/dev/frinx-machine/local-values.yaml
new file mode 100644
index 0000000..36aea1e
--- /dev/null
+++ b/apps/dev/frinx-machine/local-values.yaml
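Review bot: Neither ingress in `cluster-values.yaml` declares a `tls:` section, and only `krakend` sets `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`; the `uniconfig` ingress for `uniconfig-controller.10.7.6.124.nip.io` is therefore reachable over plain HTTP unless the chart adds TLS somewhere not visible here. If the dev cluster is meant to terminate TLS, give the uniconfig ingress the same annotation and add `tls:` entries to both; if dev intentionally runs without TLS, say so in a comment above `frinx-machine-core:` so the file is not copied as-is into `stage`/`prod`, which `lint_config.yaml` already lists. The host names embed the node address `10.7.6.124` via nip.io; a comment such as `# host names are derived from the dev node IP — update when the cluster is re-addressed` would spare the next person a silent 404.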
@@ -0,0 +1,50 @@
+environment:
+ cluster:
+ enabled: false
+ local:
+ enabled: true
+
+frinx-machine:
+ frinx-machine-core:
+ krakend:
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+ hosts:
+ - host: krakend.127.0.0.1.nip.io
+ paths:
+ - path: "/"
+ pathType: ImplementationSpecific
+
+ workflow-manager:
+ ingress:
+ enabled: true
+ hosts:
+ - host: workflow-manager.127.0.0.1.nip.io
+ paths:
+ - path: "/"
+ pathType: ImplementationSpecific
+ schellarHosts:
+ - host: workflow-manager-schellar.127.0.0.1.nip.io
+ paths:
+ - path: "/"
+ pathType: ImplementationSpecific
+
+ uniconfig:
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+ hosts:
+ - host: uniconfig-controller.127.0.0.1.nip.io
+ paths:
+ - path: "/"
+ pathType: ImplementationSpecific
diff --git a/apps/dev/frinx-machine/templates/regcred-sealed-secret.yaml b/apps/dev/frinx-machine/templates/regcred-sealed-secret.yaml
new file mode 100644
index 0000000..6d1d410
--- /dev/null
+++ b/apps/dev/frinx-machine/templates/regcred-sealed-secret.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.environment.cluster.enabled }}
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: regcred
+ namespace: fm-development
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: regcred
+ namespace: fm-development
+ type: kubernetes.io/dockerconfigjson
+
+
+{{- end }}
\ No newline at end of file
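Review bot: `regcred-sealed-secret.yaml` hard-codes `namespace: fm-development` on both the SealedSecret and its `template.metadata`, while the ApplicationSet and `cluster-values.yaml` in this commit target `fm-dev`; a SealedSecret is bound to the name and namespace it was sealed for under the default strict scope, so the controller either creates the Secret in `fm-development` — where a `regcred` pull secret does nothing for pods in `fm-dev` — or refuses to unseal it if the object is re-targeted. Either re-seal the value for `fm-dev`, or drop the hard-coded namespace and re-seal with a wider scope, and add a comment in the template stating which scope was used, since that cannot be read back from the ciphertext. The `creationTimestamp: null` lines are `kubeseal` output artefacts and can be removed.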
diff --git a/apps/dev/frinx-machine/values.yaml b/apps/dev/frinx-machine/values.yaml
new file mode 100644
index 0000000..0a18bb4
--- /dev/null
+++ b/apps/dev/frinx-machine/values.yaml
@@ -0,0 +1,31 @@
+# Global settings
+
+environment:
+ cluster:
+ enabled: false
+ local:
+ enabled: false
+
+frinx-machine:
+
+ frinx-machine-monitoring:
+ enabled: false
+
+ frinx-machine-persistence:
+ enabled: false
+
+ frinx-machine-operators:
+ enabled: false
+
+ frinx-machine-core:
+ global:
+ dbPersistence:
+ enabled: true
+
+ krakend:
+ enabled: true
+
+ debug:
+ # This setting should be disabled in production
+ enabled: true
+
diff --git a/infra/kind/cilium-helm-values.yaml b/infra/kind/cilium-helm-values.yaml
new file mode 100644
index 0000000..8ca0a5f
--- /dev/null
+++ b/infra/kind/cilium-helm-values.yaml
@@ -0,0 +1,27 @@
+kubeProxyReplacement: true
+k8sServiceHost: kind-control-plane
+k8sServicePort: 6443
+hostServices:
+ enabled: false
+externalIPs:
+ enabled: true
+nodePort:
+ enabled: true
+hostPort:
+ enabled: true
+image:
+ pullPolicy: IfNotPresent
+ipam:
+ mode: kubernetes
+hubble:
+ enabled: true
+ relay:
+ enabled: true
+ ui:
+ enabled: true
+ ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ hosts:
+ - hubble-ui.127.0.0.1.nip.io
diff --git a/infra/kind/kind-config.yaml b/infra/kind/kind-config.yaml
new file mode 100644
index 0000000..739209e
--- /dev/null
+++ b/infra/kind/kind-config.yaml
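Review bot: `hubble.ui.ingress.annotations` selects the controller with the deprecated `kubernetes.io/ingress.class: nginx` annotation, while every other ingress in this commit uses `className: nginx` / `ingressClassName: nginx`; if the Cilium chart version in use exposes a class-name field for the Hubble UI ingress it should be used instead so all ingresses are matched the same way. In `apps/dev/frinx-machine/values.yaml`, `debug.enabled: true` carries the right warning comment but nothing prevents it propagating when this directory is copied to `stage`/`prod`, both of which `lint_config.yaml` already lists; defaulting it to `false` here and enabling it in `local-values.yaml`, or extending the comment to `# must be overridden to false in cluster-values.yaml for stage/prod`, would make the intent enforceable.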
@@ -0,0 +1,32 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+# networking:
+# disableDefaultCNI: true
+# kubeProxyMode: none
+nodes:
+- role: control-plane
+ kubeadmConfigPatches:
+ - |
+ kind: InitConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ node-labels: "ingress-ready=true"
+ extraPortMappings:
+ - containerPort: 80
+ hostPort: 80
+ listenAddress: 127.0.0.1
+ protocol: TCP
+ - containerPort: 443
+ hostPort: 443
+ listenAddress: 127.0.0.1
+ protocol: TCP
+- role: worker
+ # labels:
+ # tier: backend
+- role: worker
+ # labels:
+ # tier: backend
+- role: worker
+ # labels:
+ # tier: backend
+
diff --git a/infra/kind/kube-score.yaml b/infra/kind/kube-score.yaml
new file mode 100644
index 0000000..2e9a206
--- /dev/null
+++ b/infra/kind/kube-score.yaml
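Review bot: The commented-out `networking:` / `disableDefaultCNI: true` / `kubeProxyMode: none` lines at the top of the hunk conflict with the Cilium values in this same change, which set `kubeProxyReplacement: true` and point `k8sServiceHost`/`k8sServicePort` at the API server; as far as I recall from Cilium's kind guide, kube-proxy replacement expects kube-proxy to be absent and the default kindnet CNI disabled, otherwise two CNIs and two service datapaths run side by side. Either uncomment those three lines or add a comment stating that kube-proxy replacement is intentionally not in effect on this cluster. The `listenAddress: 127.0.0.1` on both port mappings is the right call and deserves a comment so nobody later "fixes" it to 0.0.0.0: `# Bind to loopback only so the dev cluster's ingress is not reachable from other hosts.`.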
@@ -0,0 +1,2917 @@ +apps/v1/Deployment arango-frinx-machine-operators-operator in gitops-boilerplate-dev💥 + path=STDIN + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · operator -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · operator -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · operator -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · operator -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · operator -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Deployment has PodDisruptionBudget + · No matching PodDisruptionBudget was found + It's recommended to define a PodDisruptionBudget to avoid + unexpected downtime during Kubernetes maintenance operations, such + as when draining a node. 
+apps/v1/Deployment cloudnative-pg-operator in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Image Pull Policy + · manager -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Resources + · manager -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · manager -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · manager -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · manager -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · manager -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · manager -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment conductor-server in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Resources + · check-db-ready -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · check-db-ready -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · check-db-ready -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · check-db-ready -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-db-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-db-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · workflow-manager -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · workflow-manager -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage + · workflow-manager-schellar -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · workflow-manager-schellar -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Security Context User Group ID + · check-db-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-db-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · workflow-manager -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · workflow-manager -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · workflow-manager-schellar -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · workflow-manager-schellar -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-db-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. 
+ · workflow-manager -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + · workflow-manager-schellar -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Pull Policy + · check-db-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · workflow-manager -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · workflow-manager-schellar -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment device-induction in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-uniconfig-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-uniconfig-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage + · check-conductor-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-conductor-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · check-inventory-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-inventory-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · copy-worker-files -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · copy-worker-files -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · device-induction -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · device-induction -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Tag + · check-uniconfig-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + · check-conductor-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + · check-inventory-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + [CRITICAL] Container Image Pull Policy + · copy-worker-files -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · device-induction -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · check-uniconfig-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-uniconfig-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · check-conductor-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-conductor-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · check-inventory-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsUser to a value > 10000 + · check-inventory-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · copy-worker-files -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · copy-worker-files -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · device-induction -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · device-induction -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-uniconfig-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · check-conductor-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · check-inventory-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · copy-worker-files -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · device-induction -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. 
Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. +apps/v1/Deployment frinx-frontend in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Image Pull Policy + · frinx-frontend -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · frinx-frontend-proxy -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · frinx-frontend -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · frinx-frontend -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · frinx-frontend-proxy -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · frinx-frontend-proxy -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · frinx-frontend -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + · frinx-frontend-proxy -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · frinx-frontend -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · frinx-frontend -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · frinx-frontend-proxy -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · frinx-frontend-proxy -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment frinx-machine-oauth2-proxy in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · oauth2-proxy -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · oauth2-proxy -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · oauth2-proxy -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · oauth2-proxy -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · oauth2-proxy -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Resources + · oauth2-proxy -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · oauth2-proxy -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · oauth2-proxy -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · oauth2-proxy -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. 
+ [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment inventory in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-db-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-db-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · inventory -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · inventory -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · check-db-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · inventory -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. 
+ More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · check-db-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-db-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · inventory -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · inventory -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-db-ready -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + · inventory -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Resources + · check-db-ready -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · check-db-ready -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · check-db-ready -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · check-db-ready -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. 
Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment krakend in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · krakend -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Pull Policy + · nginx -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · krakend -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · nginx -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · nginx -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsGroup to a value > 10000 + · krakend -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · krakend -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Resources + · nginx -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · nginx -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · nginx -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · nginx -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · nginx -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · nginx -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · krakend -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · krakend -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment performance-monitor in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-db-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-db-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · check-kafka-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-kafka-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · performance-monitor -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · performance-monitor -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Tag + · check-kafka-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + [CRITICAL] Container Image Pull Policy + · check-db-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · check-kafka-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · performance-monitor -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · check-db-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-db-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · check-kafka-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-kafka-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · performance-monitor -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsUser to a value > 10000 + · performance-monitor -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-db-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · check-kafka-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · performance-monitor -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment resource-manager in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-db-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-db-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · resource-manager -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · resource-manager -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · check-db-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · resource-manager -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · check-db-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-db-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · resource-manager -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · resource-manager -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-db-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. 
+ · resource-manager -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Resources + · check-db-ready -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · check-db-ready -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · check-db-ready -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · check-db-ready -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment strimzi-cluster-operator in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · strimzi-cluster-operator -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · strimzi-cluster-operator -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · strimzi-cluster-operator -> Container has no configured security context + Set securityContext to run the container in a more secure context. + [CRITICAL] Container Image Pull Policy + · strimzi-cluster-operator -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · strimzi-cluster-operator -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · strimzi-cluster-operator -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 +apps/v1/Deployment swagger-ui in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · uniconfig-fetch -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · uniconfig-fetch -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · uniconfig-format -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · uniconfig-format -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · workflow-manager-fetch -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · workflow-manager-fetch -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · workflow-manager-format -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · workflow-manager-format -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · swagger-ui -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · swagger-ui -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · uniconfig-fetch -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · uniconfig-format -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · workflow-manager-fetch -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · workflow-manager-format -> Container has no configured security context + Set securityContext to run the container in a more secure context. 
+ · swagger-ui -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Pull Policy + · uniconfig-fetch -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · uniconfig-format -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · workflow-manager-fetch -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · workflow-manager-format -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · swagger-ui -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container is missing a readinessProbe + A readinessProbe should be used to indicate when the service is + ready to receive traffic. Without it, the Pod is risking to receive + traffic before it has booted. It's also used during rollouts, and + can prevent downtime if a new version of the application is failing. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · uniconfig-fetch -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsUser to a value > 10000 + · uniconfig-fetch -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · uniconfig-format -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · uniconfig-format -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · workflow-manager-fetch -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · workflow-manager-fetch -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · workflow-manager-format -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · workflow-manager-format -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · swagger-ui -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · swagger-ui -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Resources + · uniconfig-fetch -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.cpu + · uniconfig-fetch -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · uniconfig-fetch -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · uniconfig-fetch -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · uniconfig-format -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · uniconfig-format -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · uniconfig-format -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · uniconfig-format -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · workflow-manager-fetch -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · workflow-manager-fetch -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · workflow-manager-fetch -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · workflow-manager-fetch -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · workflow-manager-format -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.cpu + · workflow-manager-format -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · workflow-manager-format -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · workflow-manager-format -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment topology-discovery in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-conductor-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-conductor-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · check-arangodb-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-arangodb-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage + · topology-discovery -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · topology-discovery -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · topology-discovery-kafka-consumer-api -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · topology-discovery-kafka-consumer-api -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · check-conductor-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-conductor-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · check-arangodb-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-arangodb-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsGroup to a value > 10000 + · topology-discovery -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · topology-discovery -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · topology-discovery-kafka-consumer-api -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · topology-discovery-kafka-consumer-api -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-conductor-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · check-arangodb-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. 
+ · topology-discovery -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + · topology-discovery-kafka-consumer-api -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Tag + · check-conductor-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + · check-arangodb-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + [CRITICAL] Container Image Pull Policy + · topology-discovery -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · topology-discovery-kafka-consumer-api -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Resources + · check-conductor-ready -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · check-conductor-ready -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · check-conductor-ready -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · check-conductor-ready -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · check-arangodb-ready -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · check-arangodb-ready -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.memory + · check-arangodb-ready -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · check-arangodb-ready -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · topology-discovery-kafka-consumer-api -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · topology-discovery-kafka-consumer-api -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · topology-discovery-kafka-consumer-api -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · topology-discovery-kafka-consumer-api -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment uc-zone-lb in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. 
+ [CRITICAL] Container Ephemeral Storage Request and Limit + · uc-zone-lb -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · uc-zone-lb -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · uc-zone-lb -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. +apps/v1/Deployment uniconfig-controller in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-db-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-db-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage + · copy-config-files -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · copy-config-files -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · uniconfig -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · uniconfig -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · check-db-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · copy-config-files -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · uniconfig -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · check-db-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsUser to a value > 10000 + · check-db-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · copy-config-files -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · copy-config-files -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · uniconfig -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · uniconfig -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-db-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · copy-config-files -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · uniconfig -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [WARNING] Deployment Replicas + · Deployment few replicas + Deployments targeted by Services are recommended to have at least 2 + replicas to prevent unwanted downtime. 
+networking.k8s.io/v1/Ingress conductor-server in gitops-boilerplate-dev ✅
+networking.k8s.io/v1/Ingress krakend in gitops-boilerplate-dev ✅
+networking.k8s.io/v1/Ingress uniconfig-controller in gitops-boilerplate-dev ✅
+v1/Pod arango-frinx-machine-operators-operator-55865f6dbc-dr9xm in gitops-boilerplate-dev💥
+ path=STDIN
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · operator -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · operator -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · operator -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Container Security Context User Group ID
+ · operator -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · operator -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+v1/Pod arango-frinx-machine-operators-operator-55865f6dbc-ssx8f in gitops-boilerplate-dev💥
+ path=STDIN
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · operator -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · operator -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · operator -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Container Security Context User Group ID
+ · operator -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · operator -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+v1/Pod arangodb-sngl-ngmjr8i7-e0f232 in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Container Resources
+ · init-lifecycle -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · init-lifecycle -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · init-lifecycle -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · init-lifecycle -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ · version-check -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · version-check -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · version-check -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · version-check -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ · server -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · server -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · server -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · server -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · init-lifecycle -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · init-lifecycle -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · uuid -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · uuid -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · version-check -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · version-check -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · server -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · server -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · init-lifecycle -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · uuid -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · version-check -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · server -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Container Security Context User Group ID
+ · init-lifecycle -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · init-lifecycle -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · uuid -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · uuid -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · version-check -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · version-check -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · server -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · server -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+v1/Pod cloudnative-pg-operator-996c7f45-9h2f8 in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Container Resources
+ · manager -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · manager -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · manager -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · manager -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · manager -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · manager -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · manager -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Pod Probes
+ · Container has the same readiness and liveness probe
+ Using the same probe for liveness and readiness is very likely
+ dangerous. Generally it's better to avoid the livenessProbe than
+ re-using the readinessProbe.
+ More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
+v1/Pod conductor-server-7586f64698-lqr28 in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · check-db-ready -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · check-db-ready -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · workflow-manager -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · workflow-manager -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · workflow-manager-schellar -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · workflow-manager-schellar -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · check-db-ready -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · workflow-manager -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · workflow-manager-schellar -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Pod Probes
+ · Container has the same readiness and liveness probe
+ Using the same probe for liveness and readiness is very likely
+ dangerous. Generally it's better to avoid the livenessProbe than
+ re-using the readinessProbe.
+ More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
+ [CRITICAL] Container Security Context User Group ID
+ · check-db-ready -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · check-db-ready -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · workflow-manager -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · workflow-manager -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · workflow-manager-schellar -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · workflow-manager-schellar -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ [CRITICAL] Container Security Context ReadOnlyRootFilesystem
+ · check-db-ready -> Container has no configured security context
+ Set securityContext to run the container in a more secure context.
+ · workflow-manager -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ · workflow-manager-schellar -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ [CRITICAL] Container Resources
+ · check-db-ready -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · check-db-ready -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · check-db-ready -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · check-db-ready -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+v1/Pod device-induction-67fb8f9ff6-c6q2w in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · check-uniconfig-ready -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · check-uniconfig-ready -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · check-conductor-ready -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · check-conductor-ready -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · check-inventory-ready -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · check-inventory-ready -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · copy-worker-files -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · copy-worker-files -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · device-induction -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · device-induction -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · copy-worker-files -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · device-induction -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Container Security Context User Group ID
+ · check-uniconfig-ready -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · check-uniconfig-ready -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · check-conductor-ready -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · check-conductor-ready -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · check-inventory-ready -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · check-inventory-ready -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · copy-worker-files -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · copy-worker-files -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · device-induction -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · device-induction -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ [CRITICAL] Container Security Context ReadOnlyRootFilesystem
+ · check-uniconfig-ready -> Container has no configured security context
+ Set securityContext to run the container in a more secure context.
+ · check-conductor-ready -> Container has no configured security context
+ Set securityContext to run the container in a more secure context.
+ · check-inventory-ready -> Container has no configured security context
+ Set securityContext to run the container in a more secure context.
+ · copy-worker-files -> Container has no configured security context
+ Set securityContext to run the container in a more secure context.
+ · device-induction -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ [CRITICAL] Container Image Tag
+ · check-uniconfig-ready -> Image with latest tag
+ Using a fixed tag is recommended to avoid accidental upgrades
+ · check-conductor-ready -> Image with latest tag
+ Using a fixed tag is recommended to avoid accidental upgrades
+ · check-inventory-ready -> Image with latest tag
+ Using a fixed tag is recommended to avoid accidental upgrades
+v1/Pod frinx-frontend-7c9c7cffc4-zngpf in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · frinx-frontend -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · frinx-frontend -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · frinx-frontend-proxy -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · frinx-frontend-proxy -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · frinx-frontend -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · frinx-frontend-proxy -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Pod Probes
+ · Container has the same readiness and liveness probe
+ Using the same probe for liveness and readiness is very likely
+ dangerous. Generally it's better to avoid the livenessProbe than
+ re-using the readinessProbe.
+ More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
+ [CRITICAL] Container Security Context User Group ID
+ · frinx-frontend -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · frinx-frontend -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · frinx-frontend-proxy -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · frinx-frontend-proxy -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ [CRITICAL] Container Security Context ReadOnlyRootFilesystem
+ · frinx-frontend -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ · frinx-frontend-proxy -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ [CRITICAL] Container Resources
+ · frinx-frontend -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · frinx-frontend -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · frinx-frontend -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · frinx-frontend -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ · frinx-frontend-proxy -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · frinx-frontend-proxy -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · frinx-frontend-proxy -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · frinx-frontend-proxy -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+v1/Pod frinx-frontend-ffbc86f4-f697h in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Container Image Pull Policy
+ · frinx-frontend -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · frinx-frontend-proxy -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Pod Probes
+ · Container has the same readiness and liveness probe
+ Using the same probe for liveness and readiness is very likely
+ dangerous. Generally it's better to avoid the livenessProbe than
+ re-using the readinessProbe.
+ More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
+ [CRITICAL] Container Security Context User Group ID
+ · frinx-frontend -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · frinx-frontend -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · frinx-frontend-proxy -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · frinx-frontend-proxy -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ [CRITICAL] Container Security Context ReadOnlyRootFilesystem
+ · frinx-frontend -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ · frinx-frontend-proxy -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · frinx-frontend -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · frinx-frontend -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · frinx-frontend-proxy -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · frinx-frontend-proxy -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+v1/Pod frinx-machine-oauth2-proxy-5cc549fcfb-2j8h2 in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Container Image Pull Policy
+ · oauth2-proxy -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Container Security Context User Group ID
+ · oauth2-proxy -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · oauth2-proxy -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ [CRITICAL] Container Resources
+ · oauth2-proxy -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · oauth2-proxy -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · oauth2-proxy -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · oauth2-proxy -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · oauth2-proxy -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · oauth2-proxy -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+v1/Pod inventory-55b648dc84-n9dsq in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · check-db-ready -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · check-db-ready -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · inventory -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · inventory -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · check-db-ready -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · inventory -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Pod Probes
+ · Container has the same readiness and liveness probe
+ Using the same probe for liveness and readiness is very likely
+ dangerous. Generally it's better to avoid the livenessProbe than
+ re-using the readinessProbe.
+ More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
+ [CRITICAL] Container Security Context User Group ID
+ · check-db-ready -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · check-db-ready -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · inventory -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · inventory -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ [CRITICAL] Container Security Context ReadOnlyRootFilesystem
+ · check-db-ready -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ · inventory -> The pod has a container with a writable root filesystem
+ Set securityContext.readOnlyRootFilesystem to true
+ [CRITICAL] Container Resources
+ · check-db-ready -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · check-db-ready -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · check-db-ready -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · check-db-ready -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+v1/Pod kafka-controller-0 in gitops-boilerplate-dev 💥
+ path=STDIN
+ [CRITICAL] Container Resources
+ · kafka-init -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · kafka-init -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · kafka-init -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · kafka-init -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ · kafka -> CPU limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.cpu
+ · kafka -> Memory limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.memory
+ · kafka -> CPU request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.cpu
+ · kafka -> Memory request is not set
+ Resource requests are recommended to make sure that the application
+ can start and run without crashing. Set resources.requests.memory
+ [CRITICAL] Pod NetworkPolicy
+ · The pod does not have a matching NetworkPolicy
+ Create a NetworkPolicy that targets this pod to control who/what
+ can communicate with this pod. Note, this feature needs to be
+ supported by the CNI implementation used in the Kubernetes cluster
+ to have an effect.
+ [CRITICAL] Container Ephemeral Storage Request and Limit
+ · kafka-init -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · kafka-init -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ · kafka -> Ephemeral Storage limit is not set
+ Resource limits are recommended to avoid resource DDOS. Set
+ resources.limits.ephemeral-storage
+ · kafka -> Ephemeral Storage request is not set
+ Resource requests are recommended to make sure the application can
+ start and run without crashing. Set
+ resource.requests.ephemeral-storage
+ [CRITICAL] Container Image Pull Policy
+ · kafka-init -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ · kafka -> ImagePullPolicy is not set to Always
+ It's recommended to always set the ImagePullPolicy to Always, to
+ make sure that the imagePullSecrets are always correct, and to
+ always get the image you want.
+ [CRITICAL] Pod Probes
+ · Container has the same readiness and liveness probe
+ Using the same probe for liveness and readiness is very likely
+ dangerous. Generally it's better to avoid the livenessProbe than
+ re-using the readinessProbe.
+ More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
+ [CRITICAL] Container Security Context User Group ID
+ · kafka-init -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · kafka-init -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsGroup to a value > 10000
+ · kafka -> The container is running with a low user ID
+ A userid above 10 000 is recommended to avoid conflicts with the
+ host. Set securityContext.runAsUser to a value > 10000
+ · kafka -> The container running with a low group ID
+ A groupid above 10 000 is recommended to avoid conflicts with the
+ host.
Set securityContext.runAsGroup to a value > 10000 +v1/Pod krakend-77744f8798-rd85v in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · nginx -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · nginx -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · krakend -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · krakend -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · nginx -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · krakend -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. 
+ More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · nginx -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · nginx -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · krakend -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · krakend -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · krakend -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Resources + · nginx -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · nginx -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · nginx -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · nginx -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory +v1/Pod performance-monitor-5bd76679c9-vhwg2 in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-db-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. 
+ · check-kafka-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · performance-monitor -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Tag + · check-kafka-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + [CRITICAL] Container Image Pull Policy + · check-db-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · check-kafka-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · performance-monitor -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · check-db-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-db-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · check-kafka-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-kafka-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsGroup to a value > 10000 + · performance-monitor -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · performance-monitor -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-db-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-db-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · check-kafka-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-kafka-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · performance-monitor -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · performance-monitor -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage +v1/Pod postgresql-1 in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · bootstrap-controller -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · bootstrap-controller -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · postgres -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · postgres -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · bootstrap-controller -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · postgres -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · bootstrap-controller -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsUser to a value > 10000 + · bootstrap-controller -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · postgres -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · postgres -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Resources + · bootstrap-controller -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · bootstrap-controller -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · bootstrap-controller -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · bootstrap-controller -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · postgres -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · postgres -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · postgres -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · postgres -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. 
Set resources.requests.memory +v1/Pod postgresql-2 in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Image Pull Policy + · bootstrap-controller -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · postgres -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · bootstrap-controller -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · bootstrap-controller -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · postgres -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · postgres -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Resources + · bootstrap-controller -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · bootstrap-controller -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · bootstrap-controller -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. 
Set resources.requests.cpu + · bootstrap-controller -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · postgres -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · postgres -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · postgres -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · postgres -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · bootstrap-controller -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · bootstrap-controller -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · postgres -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · postgres -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage +v1/Pod resource-manager-7bb6bb75d6-zjv2k in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-db-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-db-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · resource-manager -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · resource-manager -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Security Context User Group ID + · check-db-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-db-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · resource-manager -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · resource-manager -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-db-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · resource-manager -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Pull Policy + · check-db-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · resource-manager -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Resources + · check-db-ready -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · check-db-ready -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · check-db-ready -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · check-db-ready -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory +v1/Pod strimzi-cluster-operator-6948497896-dvw2p in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · strimzi-cluster-operator -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · strimzi-cluster-operator -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · strimzi-cluster-operator -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Security Context User Group ID + · strimzi-cluster-operator -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · strimzi-cluster-operator -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · strimzi-cluster-operator -> Container has no configured security context + Set securityContext to run the container in a more secure context. + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. +v1/Pod swagger-ui-649cbc6475-mq6lg in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Image Pull Policy + · uniconfig-fetch -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. 
+ · uniconfig-format -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · workflow-manager-fetch -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · workflow-manager-format -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · swagger-ui -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container is missing a readinessProbe + A readinessProbe should be used to indicate when the service is + ready to receive traffic. Without it, the Pod is risking to receive + traffic before it has booted. It's also used during rollouts, and + can prevent downtime if a new version of the application is failing. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · uniconfig-fetch -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · uniconfig-fetch -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · uniconfig-format -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsUser to a value > 10000 + · uniconfig-format -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · workflow-manager-fetch -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · workflow-manager-fetch -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · workflow-manager-format -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · workflow-manager-format -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · swagger-ui -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · swagger-ui -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · uniconfig-fetch -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · uniconfig-format -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · workflow-manager-fetch -> Container has no configured security context + Set securityContext to run the container in a more secure context. 
+ · workflow-manager-format -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · swagger-ui -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Resources + · uniconfig-fetch -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · uniconfig-fetch -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · uniconfig-fetch -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · uniconfig-fetch -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · uniconfig-format -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · uniconfig-format -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · uniconfig-format -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · uniconfig-format -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · workflow-manager-fetch -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · workflow-manager-fetch -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.memory + · workflow-manager-fetch -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · workflow-manager-fetch -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · workflow-manager-format -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · workflow-manager-format -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · workflow-manager-format -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · workflow-manager-format -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · uniconfig-fetch -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · uniconfig-fetch -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · uniconfig-format -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · uniconfig-format -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · workflow-manager-fetch -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · workflow-manager-fetch -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · workflow-manager-format -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · workflow-manager-format -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · swagger-ui -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · swagger-ui -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage +v1/Pod timescale-db-0 in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Security Context User Group ID + · postgresql -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · postgresql -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · postgresql -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Pull Policy + · postgresql -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Resources + · postgresql -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · postgresql -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · postgresql -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · postgresql -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage +v1/Pod topology-discovery-664c5f9f57-b4w2t in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. 
+ [CRITICAL] Container Ephemeral Storage Request and Limit + · check-conductor-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-conductor-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · check-arangodb-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-arangodb-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · topology-discovery -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · topology-discovery -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · topology-discovery-kafka-consumer-api -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · topology-discovery-kafka-consumer-api -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Security Context User Group ID + · check-conductor-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-conductor-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsGroup to a value > 10000 + · check-arangodb-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-arangodb-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · topology-discovery -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · topology-discovery -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · topology-discovery-kafka-consumer-api -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · topology-discovery-kafka-consumer-api -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-conductor-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · check-arangodb-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. 
+ · topology-discovery -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + · topology-discovery-kafka-consumer-api -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Tag + · check-conductor-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + · check-arangodb-ready -> Image with latest tag + Using a fixed tag is recommended to avoid accidental upgrades + [CRITICAL] Container Image Pull Policy + · topology-discovery -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · topology-discovery-kafka-consumer-api -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Resources + · check-conductor-ready -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · check-conductor-ready -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · check-conductor-ready -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. 
Set resources.requests.cpu + · check-conductor-ready -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · check-arangodb-ready -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · check-arangodb-ready -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · check-arangodb-ready -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · check-arangodb-ready -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · topology-discovery-kafka-consumer-api -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · topology-discovery-kafka-consumer-api -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · topology-discovery-kafka-consumer-api -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · topology-discovery-kafka-consumer-api -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory +v1/Pod uc-zone-lb-8c659b6b8-2q5fc in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · uc-zone-lb -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · uc-zone-lb -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · uc-zone-lb -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. +v1/Pod uniconfig-controller-99dc876f8-4lvkc in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · check-db-ready -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · check-db-ready -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsGroup to a value > 10000 + · copy-config-files -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · copy-config-files -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · uniconfig -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · uniconfig -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · check-db-ready -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · copy-config-files -> Container has no configured security context + Set securityContext to run the container in a more secure context. + · uniconfig -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Pull Policy + · check-db-ready -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · copy-config-files -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · uniconfig -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. 
+ [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · check-db-ready -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · check-db-ready -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · copy-config-files -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · copy-config-files -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · uniconfig -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · uniconfig -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage +v1/Pod uniconfig-postgresql-1 in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Image Pull Policy + · bootstrap-controller -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · postgres -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. 
+ [CRITICAL] Container Security Context User Group ID + · bootstrap-controller -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · bootstrap-controller -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · postgres -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · postgres -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Resources + · bootstrap-controller -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · bootstrap-controller -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · bootstrap-controller -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · bootstrap-controller -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · postgres -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · postgres -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · postgres -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. 
Set resources.requests.cpu + · postgres -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · bootstrap-controller -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · bootstrap-controller -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · postgres -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · postgres -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage +v1/Pod uniconfig-postgresql-2 in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Resources + · bootstrap-controller -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · bootstrap-controller -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · bootstrap-controller -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. 
Set resources.requests.cpu + · bootstrap-controller -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · postgres -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · postgres -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · postgres -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · postgres -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. + [CRITICAL] Container Ephemeral Storage Request and Limit + · bootstrap-controller -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · bootstrap-controller -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · postgres -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · postgres -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. 
Set + resource.requests.ephemeral-storage + [CRITICAL] Container Security Context User Group ID + · bootstrap-controller -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · bootstrap-controller -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · postgres -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · postgres -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Image Pull Policy + · bootstrap-controller -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · postgres -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. 
+policy/v1/PodDisruptionBudget postgresql-primary in gitops-boilerplate-dev ✅ +policy/v1/PodDisruptionBudget uniconfig-postgresql-primary in gitops-boilerplate-dev✅ +v1/Service arango-frinx-machine-operators-operator in gitops-boilerplate-dev ✅ +v1/Service arangodb in gitops-boilerplate-dev ✅ +v1/Service arangodb-int in gitops-boilerplate-dev ✅ +v1/Service arangodb-single-ngmjr8i7 in gitops-boilerplate-dev ✅ +v1/Service cnpg-webhook-service in gitops-boilerplate-dev ✅ +v1/Service conductor-server in gitops-boilerplate-dev ✅ +v1/Service frinx-frontend in gitops-boilerplate-dev ✅ +v1/Service frinx-machine-oauth2-proxy in gitops-boilerplate-dev ✅ +v1/Service inventory in gitops-boilerplate-dev ✅ +v1/Service kafka in gitops-boilerplate-dev ✅ +v1/Service kafka-controller-headless in gitops-boilerplate-dev ✅ +v1/Service krakend in gitops-boilerplate-dev ✅ +v1/Service performance-monitor in gitops-boilerplate-dev ✅ +v1/Service postgresql-r in gitops-boilerplate-dev ✅ +v1/Service postgresql-ro in gitops-boilerplate-dev ✅ +v1/Service postgresql-rw in gitops-boilerplate-dev ✅ +v1/Service resource-manager in gitops-boilerplate-dev ✅ +v1/Service swagger-ui in gitops-boilerplate-dev ✅ +v1/Service timescale-db in gitops-boilerplate-dev ✅ +v1/Service timescale-db-hl in gitops-boilerplate-dev ✅ +v1/Service topology-discovery in gitops-boilerplate-dev ✅ +v1/Service uniconfig in gitops-boilerplate-dev ✅ +v1/Service uniconfig-controller in gitops-boilerplate-dev ✅ +v1/Service uniconfig-postgresql-r in gitops-boilerplate-dev ✅ +v1/Service uniconfig-postgresql-ro in gitops-boilerplate-dev ✅ +v1/Service uniconfig-postgresql-rw in gitops-boilerplate-dev ✅ +apps/v1/StatefulSet kafka-controller in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · kafka-init -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. 
Set + resources.limits.ephemeral-storage + · kafka-init -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + · kafka -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · kafka -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Image Pull Policy + · kafka-init -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + · kafka -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Pod Probes + · Container has the same readiness and liveness probe + Using the same probe for liveness and readiness is very likely + dangerous. Generally it's better to avoid the livenessProbe than + re-using the readinessProbe. + More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md + [CRITICAL] Container Security Context User Group ID + · kafka-init -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · kafka-init -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + · kafka -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. 
Set securityContext.runAsUser to a value > 10000 + · kafka -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Resources + · kafka-init -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · kafka-init -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · kafka-init -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · kafka-init -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + · kafka -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · kafka -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + · kafka -> CPU request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.cpu + · kafka -> Memory request is not set + Resource requests are recommended to make sure that the application + can start and run without crashing. Set resources.requests.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. 
+apps/v1/StatefulSet timescale-db in gitops-boilerplate-dev 💥 + path=STDIN + [CRITICAL] Container Ephemeral Storage Request and Limit + · postgresql -> Ephemeral Storage limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.ephemeral-storage + · postgresql -> Ephemeral Storage request is not set + Resource requests are recommended to make sure the application can + start and run without crashing. Set + resource.requests.ephemeral-storage + [CRITICAL] Container Security Context User Group ID + · postgresql -> The container is running with a low user ID + A userid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsUser to a value > 10000 + · postgresql -> The container running with a low group ID + A groupid above 10 000 is recommended to avoid conflicts with the + host. Set securityContext.runAsGroup to a value > 10000 + [CRITICAL] Container Security Context ReadOnlyRootFilesystem + · postgresql -> The pod has a container with a writable root filesystem + Set securityContext.readOnlyRootFilesystem to true + [CRITICAL] Container Image Pull Policy + · postgresql -> ImagePullPolicy is not set to Always + It's recommended to always set the ImagePullPolicy to Always, to + make sure that the imagePullSecrets are always correct, and to + always get the image you want. + [CRITICAL] Container Resources + · postgresql -> CPU limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.cpu + · postgresql -> Memory limit is not set + Resource limits are recommended to avoid resource DDOS. Set + resources.limits.memory + [CRITICAL] Pod NetworkPolicy + · The pod does not have a matching NetworkPolicy + Create a NetworkPolicy that targets this pod to control who/what + can communicate with this pod. Note, this feature needs to be + supported by the CNI implementation used in the Kubernetes cluster + to have an effect. 
diff --git a/infra/kind/metrics-server.yaml b/infra/kind/metrics-server.yaml
new file mode 100644
index 0000000..45e211e
--- /dev/null
+++ b/infra/kind/metrics-server.yaml
@@ -0,0 +1,202 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ k8s-app: metrics-server
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: system:aggregated-metrics-reader
+rules:
+- apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: system:metrics-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: metrics-server-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: metrics-server:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: system:metrics-server
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: metrics-server
+ namespace: kube-system
+spec:
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ selector:
+ k8s-app: metrics-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: metrics-server
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ k8s-app: metrics-server
+ strategy:
+ rollingUpdate:
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ k8s-app: metrics-server
+ spec:
+ containers:
+ - args:
+ - --cert-dir=/tmp
+ - --secure-port=10250
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --kubelet-use-node-status-port
+ - --kubelet-insecure-tls
+ - --metric-resolution=15s
+ image: registry.k8s.io/metrics-server/metrics-server:v0.7.1
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /livez
+ port: https
+ scheme: HTTPS
+ periodSeconds: 10
+ name: metrics-server
+ ports:
+ - containerPort: 10250
+ name: https
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp-dir
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ serviceAccountName: metrics-server
+ volumes:
+ - emptyDir: {}
+ name: tmp-dir
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ labels:
+ k8s-app: metrics-server
+ name: v1beta1.metrics.k8s.io
+spec:
+ group: metrics.k8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: true
+ service:
+ name: metrics-server
+ namespace: kube-system
+ version: v1beta1
+ versionPriority: 100
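Review bot: Certificate verification is switched off in two places with no comment saying why: `--kubelet-insecure-tls` in the Deployment args and `insecureSkipTLSVerify: true` on the APIService. On a local kind cluster this is the usual workaround for the kubelet's self-signed serving certificate, but nothing in the file marks it as kind-only, and `cluster-start` in the justfile applies it verbatim, so it is one copy-paste away from a non-local cluster. A header comment such as `# kind-only: --kubelet-insecure-tls and insecureSkipTLSVerify skip certificate checks; do not reuse outside the local kind cluster` would make the intent explicit. The image is pinned by tag only; pinning it as `registry.k8s.io/metrics-server/metrics-server:v0.7.1@sha256:<digest-placeholder>` would make the pull reproducible and tamper-evident.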
diff --git a/justfile b/justfile new file mode 100644 index 0000000..73f77ef --- /dev/null +++ b/justfile 
@@ -0,0 +1,166 @@ +# Define environment variables (if any) +set dotenv-load := true + +# Global ENVs +justfileDir := justfile_directory() +namespace := shell('basename $1', justfileDir) +operatorChartName := "frinx-machine-operators" + +# Execution ENVs. Can be overided on startup +values := "local-values.yaml" +include := "" + +[private] +default: + @echo '{{ \ + "\nJustfile for Frinx Machine execution: start Frinx Machine stage locally\n\n" + \ + "Default env variables: \n\n" + \ + "\tvalues: Add extra value files to helm command\n" + \ + "\tinclude: Include apps to installation process\n\n" + \ + "Example of usage: \n\n" + \ + "\t just deploy-dev \n" + \ + "\t just --set values \"local-values.yaml\" deploy-dev \n" + \ + "\t just --set include \"frinx-machine-monitoring,frinx-machine\" deploy-dev" \ + }}\n' + + @just --list + +[private] +create-namespace stage: + kubectl create namespace {{namespace}}-{{stage}} || true + +[private] +uninstall-operators stage values="": + #!/usr/bin/env bash + set -euo pipefail + pushd {{justfileDir}}/apps/{{stage}}/{{operatorChartName}} > /dev/null + helm dependency update + helm uninstall -n {{namespace}}-{{stage}} $(basename $PWD) . || true + helm template -n {{namespace}}-{{stage}} {{operatorChartName}} . 
--values values.yaml $(for val in {{values}}; do if [ -f $val ]; then echo --values $val; fi ; done) | kubectl delete -f- || true + popd > /dev/null + +# Function to deploy a stage with the ability to exclude apps and specify values files +[private] +deploy stage include values: + #!/usr/bin/env bash + set -euo pipefail + + pushd {{justfileDir}}/apps/{{stage}} > /dev/null + + DEPLOY_CHARTS=(./{{operatorChartName}}) + DEPLOY_CHARTS+=($(find -type d \( -name '{{operatorChartName}}' -prune \) -o -name 'Chart.yaml' -exec dirname {} \;)) + + echo ${DEPLOY_CHARTS[@]} + + if [ {{include}} ]; then + # Parse input string to array + IFS=',' read -r -a INCLUDE <<< "{{include}}" + + # Loop through the array and build the regex filter + FILTER=$(for val in ${INCLUDE}; do echo -regex ".*/$val/Chart.yaml -o"; done) + + # Remove the trailing ' -o' + FILTER="${FILTER::-3}" + + # Construct the find command + DEPLOY_CHARTS=($(find . -type f \( $FILTER \) -exec dirname {} \;)) + fi + + for dir in "${DEPLOY_CHARTS[@]}"; do + if [ -d "$dir" ]; then + pushd "$dir" > /dev/null + BASENAME=$(basename "$PWD") + + echo "Processing directory: $BASENAME" + helm dependency update + helm upgrade --install --create-namespace -n {{namespace}}-{{stage}} $(basename $PWD) . 
--values values.yaml $(for val in {{values}}; do if [ -f $val ]; then echo --values $val; fi ; done) + + popd > /dev/null + fi + done + + popd > /dev/null + +# Function to deploy a stage with the ability to exclude apps and specify values files +[private] +uninstall stage exclude: + #!/usr/bin/env bash + set -euo pipefail + + pushd {{justfileDir}}/apps/{{stage}} > /dev/null + + DEPLOY_CHARTS=($(find -type d \( -name '{{operatorChartName}}' -prune \) -o -name 'Chart.yaml' -exec dirname {} \;)) + + if [ {{include}} ]; then + # Parse input string to array + IFS=',' read -r -a INCLUDE <<< "{{include}}" + + # Loop through the array and build the regex filter + FILTER=$(for val in ${INCLUDE}; do echo -regex ".*/$val/Chart.yaml -o"; done) + + # Remove the trailing ' -o' + FILTER="${FILTER::-3}" + + # Construct the find command + DEPLOY_CHARTS=($(find . -type f \( $FILTER \) -exec dirname {} \;)) + fi + + for dir in "${DEPLOY_CHARTS[@]}"; do + if [ -d "$dir" ]; then + pushd "$dir" > /dev/null + BASENAME=$(basename "$PWD") + + echo "Processing directory: $BASENAME" + helm uninstall -n {{namespace}}-{{stage}} $(basename $PWD) || true + + popd > /dev/null + fi + done + popd > /dev/null + +# Recipe to deploy the dev with optional apps exclusion and values files +deploy-dev: + just create-namespace dev + just docker-secret dev + just deploy dev "{{include}}" "{{values}}" + +# Recipe to deploy the stage with optional apps exclusion and values files +deploy-stage: + just create-namespace stage + just docker-secret stage + just deploy stage "{{include}}" "{{values}}" + +# Recipe to deploy the prod with optional apps exclusion and values files +deploy-prod: + just create-namespace prod + just docker-secret prod + just deploy prod "{{include}}" "{{values}}" + +# Recipe to uninstall the dev stage with optional apps exclusion and values files +uninstall-dev: + just uninstall dev "{{include}}" + just uninstall-operators dev "{{values}}" + +# Recipe to uninstall the stage stage with 
optional apps exclusion and values files +uninstall-stage: + just uninstall stage "{{include}}" + just uninstall-operators stage "{{values}}" + +# Recipe to uninstall prod stage with optional app exclusion and values files +uninstall-prod: + just uninstall prod "{{include}}" + just uninstall-operators prod "{{values}}" + +# Recipe to start minikube with 12 CPUs and 24G memory, instess addon enabled +cluster-start: + kind create cluster --name {{namespace}}-kind --config {{justfileDir}}/infra/kind/kind-config.yaml || true + # helm upgrade --install --namespace kube-system --repo https://helm.cilium.io cilium cilium --values {{justfileDir}}/infra/kind/cilium-helm-values.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/kind/deploy.yaml + kubectl apply -f {{justfileDir}}/infra/kind/metrics-server.yaml + +# Create docker secret from $HOME/.docker/config.json +docker-secret stage: + kubectl create secret generic regcred \ + --from-file=.dockerconfigjson=$HOME/.docker/config.json \ + --type=kubernetes.io/dockerconfigjson \ + --namespace={{namespace}}-{{stage}} || true
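Review bot: The `uninstall stage exclude:` recipe never reads its `exclude` argument; its body filters on `{{include}}`, which, because `uninstall-dev` spawns a separate `just` process, appears to resolve to the module-level default `include := ""` rather than the value passed in, so the filter is empty and every chart under `apps/<stage>` is uninstalled regardless of what was requested. Renaming the signature to `uninstall stage include:` makes the body use the argument, as `deploy stage include values:` already does. In both `deploy` and `uninstall`, `for val in ${INCLUDE}` expands only the first element of the array built by `read -r -a INCLUDE`, so the documented `"frinx-machine-monitoring,frinx-machine"` matches only the first chart; it should read `for val in "${INCLUDE[@]}"`. Separately, `docker-secret` uploads the developer's entire `$HOME/.docker/config.json` into the namespace, which carries credentials for every registry the user is logged into; a `kubectl create secret docker-registry` scoped to the one registry the charts pull from, or a dedicated config file, would limit what lands in the cluster.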