Lint
Name: lint
Runs common validations on descriptors; as of today these mainly cover CPU/memory resource definitions.
Linting Checks
Here is the list of checks enabled by default.
access-to-create-pods
Name: access-to-create-pods.
Indicates when a subject (Group/User/ServiceAccount) has create access to Pods. CIS Benchmark 5.1.4: The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.
Remediation
Where possible, remove create access to pod objects in the cluster.
access-to-secrets
Name: access-to-secrets.
Indicates when a subject (Group/User/ServiceAccount) has access to Secrets. CIS Benchmark 5.1.2: Access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.
Remediation
Where possible, remove get, list and watch access to secret objects in the cluster.
cpu-limits
Name: cpu-limits.
Ensures resources.limits.cpu is set.
Remediation
Set resources.limits.cpu.
cpu-requests
Name: cpu-requests.
Ensures resources.requests.cpu is set.
Remediation
Set resources.requests.cpu.
default-service-account
Name: default-service-account.
Indicates when pods use the default service account.
Remediation
Create a dedicated service account for your pod. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for details.
deprecated-service-account-field
Name: deprecated-service-account-field.
Indicates when deployments use the deprecated serviceAccount field.
Remediation
Use the serviceAccountName field instead. If you must specify serviceAccount, ensure values for serviceAccount and serviceAccountName match.
dnsconfig-options
Name: dnsconfig-options.
Alert on deployments that have no dnsConfig options specified.
Remediation
Specify dnsConfig options in your Pod specification to ensure the expected DNS settings on the Pod. Refer to https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config for details.
docker-sock
Name: docker-sock.
Alert on deployments with docker.sock mounted in containers.
Remediation
Ensure the Docker socket is not mounted inside any containers by removing the associated Volume and VolumeMount in deployment yaml specification. If the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.
drop-net-raw-capability
Name: drop-net-raw-capability.
Indicates when containers do not drop the NET_RAW capability.
Remediation
NET_RAW lets an application within the container craft raw packets, use raw sockets, and bind to any address. Drop this capability in each container's securityContext.
duplicate-env-var
Name: duplicate-env-var.
Checks that env vars with duplicate names aren't passed to a deployment-like.
Remediation
Confirm that your deployment-like doesn't have duplicate env var names.
host-ipc
Name: host-ipc.
Alert on pods/deployment-likes sharing the host's IPC namespace.
Remediation
Ensure the host’s IPC namespace is not shared.
host-network
Name: host-network.
Alert on pods/deployment-likes sharing the host's network namespace.
Remediation
Ensure the host’s network namespace is not shared.
host-pid
Name: host-pid.
Alert on pods/deployment-likes sharing the host's process (PID) namespace.
Remediation
Ensure the host’s process namespace is not shared.
hpa-minimum-three-replicas
Name: hpa-minimum-three-replicas.
Indicates when a HorizontalPodAutoscaler specifies fewer than three minReplicas.
Remediation
Increase the number of replicas in the HorizontalPodAutoscaler to at least three to increase fault tolerance.
memory-limits
Name: memory-limits.
Ensures resources.limits.memory is set.
Remediation
Set resources.limits.memory.
memory-requests
Name: memory-requests.
Ensures resources.requests.memory is set.
Remediation
Set resources.requests.memory.
minimum-three-replicas
Name: minimum-three-replicas.
Indicates when a deployment uses fewer than three replicas.
Remediation
Increase the number of replicas in the deployment to at least three to increase the fault tolerance of the deployment.
mismatching-selector
Name: mismatching-selector.
Indicates when deployment selectors fail to match the pod template labels.
Remediation
Confirm that your deployment selector correctly matches the labels in its pod template.
missing-anti-affinity
Name: missing-anti-affinity.
When replicas > 1, setting an anti-affinity with 'topologyKey: "kubernetes.io/hostname"' distributes the load across machines; see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity.
Remediation
Add podAntiAffinity in your deployment descriptor.
no-extensions-v1beta
Name: no-extensions-v1beta.
Indicates when objects use deprecated API versions under extensions/v1beta.
Remediation
Migrate these objects to the apps/v1 API versions. Refer to https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for details.
no-latest
Name: no-latest.
Ensures no latest image is used.
Remediation
Tag every image you use, preferably with an immutable tag, or at least with a versioned one.
no-liveness-probe
Name: no-liveness-probe.
Ensures a liveness probe is defined.
Remediation
Every container (in the containers array) should define a liveness probe.
no-read-only-root-fs
Name: no-read-only-root-fs.
Indicates when containers are running without a read-only root filesystem.
Remediation
Set readOnlyRootFilesystem to true in the container securityContext.
no-readiness-probe
Name: no-readiness-probe.
Ensures a readinessProbe is defined.
Remediation
Every container (in the containers array) should define a readinessProbe.
privilege-escalation-container
Name: privilege-escalation-container.
Alert on containers that allow privilege escalation, i.e. a process could gain more privileges than its parent process.
Remediation
Ensure containers do not allow privilege escalation by setting allowPrivilegeEscalation=false, privileged=false and removing CAP_SYS_ADMIN capability. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.
privileged-container
Name: privileged-container.
Indicates when deployments have containers running in privileged mode.
Remediation
Do not run your container as privileged unless it is required.
privileged-ports
Name: privileged-ports.
Alert on deployments with privileged ports mapped in containers.
Remediation
Ensure privileged ports [0, 1024] are not mapped within containers.
read-secret-from-env-var
Name: read-secret-from-env-var.
Indicates when a deployment reads secrets from environment variables. CIS Benchmark 5.4.1: "Prefer using secrets as files over secrets as environment variables."
Remediation
If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets for details.
run-as-non-root
Name: run-as-non-root.
Indicates when containers are not set to runAsNonRoot.
Remediation
Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.
sensitive-host-mounts
Name: sensitive-host-mounts.
Alert on deployments with sensitive host system directories mounted in containers.
Remediation
Ensure sensitive host system directories are not mounted in containers by removing those Volumes and VolumeMounts.
unsafe-proc-mount
Name: unsafe-proc-mount.
Alert on deployments with an unsafe /proc mount (procMount=Unmasked) that bypasses the default masking behavior of the container runtime.
Remediation
Ensure the container does not unsafely expose parts of /proc by setting procMount=Default. An Unmasked procMount bypasses the default masking behavior of the container runtime. See https://kubernetes.io/docs/concepts/security/pod-security-standards/ for more details.
unsafe-sysctls
Name: unsafe-sysctls.
Alert on deployments specifying unsafe sysctls that may lead to severe problems such as misbehaving containers.
Remediation
Ensure the container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations. For more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ and https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.
use-namespace
Name: use-namespace.
Indicates when a resource is deployed to the default namespace. CIS Benchmark 5.7.1: Create administrative boundaries between resources using namespaces. CIS Benchmark 5.7.4: The default namespace should not be used.
Remediation
Create namespaces for objects in your deployment.
wildcard-in-rules
Name: wildcard-in-rules.
Indicates when a wildcard is used in Role or ClusterRole rules. CIS Benchmark 5.1.3: Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.
Remediation
Where possible, replace any use of wildcards in ClusterRoles and Roles with specific objects or actions.
writable-host-mount
Name: writable-host-mount.
Indicates when containers mount a host path as writable.
Remediation
If you need to access files on the host, mount the host path as readOnly.
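To make the conditions behind these checks concrete, here is an added example (not Bundlebee's own code) that re-implements a subset of them in plain Python and runs them over a constructed Deployment written to trip several at once. The check names are the ones listed above; the field paths are the standard Kubernetes ones.

```python
# Added example, not Bundlebee's own code: a plain-Python re-implementation of a
# subset of the checks listed above, run over a constructed Deployment written to
# trip them. The Deployment itself is made up for this demo.

DOCKER_SOCK = "/var/run/docker.sock"
HOST_NAMESPACES = (("hostNetwork", "host-network"), ("hostPID", "host-pid"), ("hostIPC", "host-ipc"))


def find_violations(deployment):
    """Return sorted (check name, detail) pairs for one deployment-like object."""
    hits = []
    pod = deployment["spec"]["template"]["spec"]
    if deployment["metadata"].get("namespace", "default") == "default":  # use-namespace
        hits.append(("use-namespace", deployment["metadata"]["name"]))
    if (pod.get("serviceAccountName") or pod.get("serviceAccount") or "default") == "default":
        hits.append(("default-service-account", "no dedicated service account"))
    hits += [(check, field) for field, check in HOST_NAMESPACES if pod.get(field)]
    host_paths = {v["name"]: v["hostPath"]["path"] for v in pod.get("volumes", []) if "hostPath" in v}
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []):
        name, sc, res = c["name"], c.get("securityContext", {}), c.get("resources", {})
        # no-latest: untagged or :latest image (a digest-pinned image@sha256:... is fine)
        ref = c.get("image", "").rsplit("/", 1)[-1]
        if "@" not in ref and (":" not in ref or ref.endswith(":latest")):
            hits.append(("no-latest", c.get("image", "")))
        hits += [(f"{r}-{kind}", name) for kind in ("requests", "limits")  # cpu/memory requests+limits
                 for r in ("cpu", "memory") if r not in res.get(kind, {})]
        if sc.get("privileged"):
            hits.append(("privileged-container", name))
        if sc.get("allowPrivilegeEscalation") is not False:  # must be explicitly false
            hits.append(("privilege-escalation-container", name))
        dropped = {cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])}
        if not dropped & {"NET_RAW", "ALL"}:
            hits.append(("drop-net-raw-capability", name))
        # run-as-non-root: the container securityContext overrides the pod-level one
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            hits.append(("run-as-non-root", name))
        if any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", [])) or any(
                "secretRef" in e for e in c.get("envFrom", [])):
            hits.append(("read-secret-from-env-var", name))
        for m in c.get("volumeMounts", []):  # hostPath volumes reaching the container
            path = host_paths.get(m["name"])
            if path == DOCKER_SOCK:
                hits.append(("docker-sock", f"{name}:{m['mountPath']}"))
            elif path is not None and not m.get("readOnly"):
                hits.append(("writable-host-mount", f"{name}:{m['mountPath']}"))
    return sorted(hits)


# Constructed sample: a Deployment deliberately written to trip several checks at once.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo"},  # no namespace
    "spec": {"replicas": 1, "template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "dock", "hostPath": {"path": DOCKER_SOCK}}],
        "containers": [{
            "name": "app", "image": "example/app",  # untagged, i.e. :latest
            "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}],
            "volumeMounts": [{"name": "dock", "mountPath": DOCKER_SOCK}],
            "resources": {"requests": {"cpu": "100m", "memory": "64Mi"}},  # limits missing
        }]}}}}

if __name__ == "__main__":
    for check, detail in find_violations(BAD_DEPLOYMENT):
        print(f"{check}: {detail}")
```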
Configuration
- --alveolus (BUNDLEBEE_LINT_ALVEOLUS) - Alveolus name to inspect. When set to auto, it will look for all manifests found in the classpath. If you set the manifest option, alveolus is set to auto and there is a single alveolus in it, this will default to it instead of using classpath deployment. Default value: auto
- --failLevel (BUNDLEBEE_LINT_FAILLEVEL) - If true, an exception is thrown if there is at least one error. Default value: ERROR
- --forcedRules (BUNDLEBEE_LINT_FORCEDRULES) - Comma separated list of rules to use (others being ignored). all means use all discovered rules and none skips them all (useful as a toggle/bypass mode). Default value: all
- --from (BUNDLEBEE_LINT_FROM) - Root dependency to download to get the manifest. If set to auto it is assumed to be present in the current classpath. Default value: auto
- --ignoredAlveoli (BUNDLEBEE_LINT_IGNOREDALVEOLI) - Comma separated list of alveoli names to ignore. Default value: -
- --ignoredDescriptors (BUNDLEBEE_LINT_IGNOREDDESCRIPTORS) - Comma separated list of descriptors to ignore. Default value: -
- --ignoredRules (BUNDLEBEE_LINT_IGNOREDRULES) - Comma separated list of rules to ignore (simple class name for built-in ones and check name for the others). Default value: -
- --manifest (BUNDLEBEE_LINT_MANIFEST) - Manifest to load to start to find the alveolus. This optional setting mainly enables to use dependencies easily. Ignored if set to skip. Default value: skip
- --output (BUNDLEBEE_LINT_OUTPUT) - If not false, the path of the output in SARIF format (JSON). Default value: false
- --showRemediation (BUNDLEBEE_LINT_SHOWREMEDIATION) - Should remediation be shown (it is verbose so skipped by default). Default value: false
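The --output option writes the findings as a SARIF (JSON) file, which is what a CI job would consume. The following added example (not Bundlebee's own code) tallies such a file per rule and gates on a level the same way --failLevel does in-process; it assumes the standard SARIF 2.1.0 layout (runs[].results[] with ruleId, level and message.text), and the sample document is constructed, not real Bundlebee output.

```python
# Added example, not Bundlebee's own code: a small CI gate over the SARIF file
# produced with --output. Assumes the SARIF 2.1.0 result layout; the sample
# document is constructed for this demo, not real Bundlebee output.
import json

LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF 2.1.0 result levels

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "bundlebee-lint"}}, "results": [
        {"ruleId": "docker-sock", "level": "error",
         "message": {"text": "docker.sock mounted in container 'app'"}},
        {"ruleId": "no-latest", "level": "warning",
         "message": {"text": "image 'example/app' has no tag"}},
        {"ruleId": "minimum-three-replicas", "level": "note",
         "message": {"text": "deployment 'demo' has 1 replica"}},
    ]}],
})


def results(sarif_text):
    """Yield every result object across all runs of the SARIF document."""
    for run in json.loads(sarif_text).get("runs", []):
        yield from run.get("results", [])


def summarize(sarif_text):
    """Return {ruleId: number of findings} so a pipeline log can show the breakdown."""
    counts = {}
    for result in results(sarif_text):
        counts[result["ruleId"]] = counts.get(result["ruleId"], 0) + 1
    return counts


def should_fail(sarif_text, fail_level="error"):
    """True when at least one result is at or above fail_level.

    A result without an explicit level counts as 'warning', the SARIF default."""
    threshold = LEVELS[fail_level.lower()]
    return any(LEVELS.get(r.get("level", "warning"), 0) >= threshold for r in results(sarif_text))


if __name__ == "__main__":
    for rule, count in sorted(summarize(SAMPLE_SARIF).items()):
        print(f"{rule}: {count}")
    raise SystemExit(1 if should_fail(SAMPLE_SARIF, "error") else 0)
```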
Inherited Global Configuration
Tip: for these configurations, don't hesitate to use ~/.bundlebeerc or --config-file <path to config> (just remove the -- prefix from option keys).
- --bundlebee.awaiter.retryInterval (BUNDLEBEE_AWAITER_RETRYINTERVAL) - How often to retry for a descriptor condition. Increasing it will reduce the pressure on the Kubernetes REST API (rate limiting for example). Default value: 500
- --bundlebee.httpclient.connectTimeout (BUNDLEBEE_HTTPCLIENT_CONNECTTIMEOUT) - The HTTP client connect timeout (in java Duration format), none can be used to ignore this setting. Default value: none
- --bundlebee.httpclient.followRedirects (BUNDLEBEE_HTTPCLIENT_FOLLOWREDIRECTS) - The HTTP client redirect policy. Defaults to NORMAL, can be set to ALWAYS or NEVER. Default value: NORMAL
- --bundlebee.httpclient.forcedHttpVersion (BUNDLEBEE_HTTPCLIENT_FORCEDHTTPVERSION) - The HTTP client version, none means the JVM default (v2), HTTP_1_1 v1.1 and HTTP_2 v2.0. Default value: none
- --bundlebee.httpclient.threads (BUNDLEBEE_HTTPCLIENT_THREADS) - How many threads are allocated to the async HTTP client, a negative or zero value means to use the common pool. Default value: -1
- --bundlebee.kube.api (BUNDLEBEE_KUBE_API) - When kubeconfig is not set, the base API endpoint. Default value: http://localhost:8080
- --bundlebee.kube.context (BUNDLEBEE_KUBE_CONTEXT) - When kubeconfig (explicit or not) is used, the context to use. If not set it is taken from the kubeconfig itself.
- --bundlebee.kube.customMetadataInjectionPoint (BUNDLEBEE_KUBE_CUSTOMMETADATAINJECTIONPOINT) - When using custom metadata (bundlebee ones or timestamp to force a rollout), where to inject them. Default uses labels since it enables to query them later on but you can switch it to annotations. Default value: labels
- --bundlebee.kube.defaultPropagationPolicy (BUNDLEBEE_KUBE_DEFAULTPROPAGATIONPOLICY) - Default value for deletions of propagationPolicy. Values can be Orphan, Foreground and Background. Default value: Foreground
- --bundlebee.kube.dryRun (BUNDLEBEE_KUBE_DRYRUN) - If true, http requests/responses are skipped. Note that dry run implies verbose=true for the http client. Note that as of today, all responses are mocked by a HTTP 200 and an empty JSON payload. Default value: false
- --bundlebee.kube.fieldValidation (BUNDLEBEE_KUBE_FIELDVALIDATION) - fieldValidation (server side validation) value when applying a descriptor, values can be Strict, Warn or Ignore. Note that using skip will ignore the query parameter. Default value: Strict
- --bundlebee.kube.filters.statefuleset.spec.allowed (BUNDLEBEE_KUBE_FILTERS_STATEFULESET_SPEC_ALLOWED) - The attributes to keep from a StatefulSet (spec children) descriptor on updates. Default value: replicas,template,updateStrategy,persistentVolumeClaimRetentionPolicy,minReadySeconds,serviceName,selector
- --bundlebee.kube.force (BUNDLEBEE_KUBE_FORCE) - By default a descriptor update is done using PATCH with strategic merge patch logic, if set to true it will use a plain PUT. Note that the io.yupiik.bundlebee/putOnUpdate annotation can be set to true to force that in the descriptor itself and, for cases where it is not enough, you can set force to true to delete the descriptor before applying it again (move from clusterip to nodeport or the opposite in a service for ex). Note that you can set it to true in the descriptor annotation io.yupiik.bundlebee/force too to not be global. Default value: false
- --bundlebee.kube.http.timeout (BUNDLEBEE_KUBE_HTTP_TIMEOUT) - HTTP timeout in ms, ignored if <= 0. Default value: 60000
- --bundlebee.kube.implicitlyDroppedAttributes (BUNDLEBEE_KUBE_IMPLICITLYDROPPEDATTRIBUTES) - Enables to tolerate custom attributes in the descriptors. Typically used to drop the /$schema attribute which enables a nice completion in editors. Values are | delimited and are either a JSON-Pointer (wrapped in a remove JSON-Patch) or directly a JSON-Patch. Using none ignores this processing. Default value: /$schema|/$bundlebeeIgnoredLintingRules
- --bundlebee.kube.logDescriptorOnParsingError (BUNDLEBEE_KUBE_LOGDESCRIPTORONPARSINGERROR) - Should YAML/JSON be logged when it can't be parsed. Default value: true
- --bundlebee.kube.namespace (BUNDLEBEE_KUBE_NAMESPACE) - When kubeconfig is not set, the namespace to use. Default value: default
- --bundlebee.kube.patchContentType (BUNDLEBEE_KUBE_PATCHCONTENTTYPE) - Default value of the content-type header for PATCH requests. It uses the strategic merge patch algorithm but in some cases you just want to use application/json or (better) application/merge-patch+json. The annotation io.yupiik.bundlebee/patchContentType is also supported. Default value: application/strategic-merge-patch+json
- --bundlebee.kube.proxy.host (BUNDLEBEE_KUBE_PROXY_HOST) - If a proxy is needed to contact the target cluster API, its host, ignored if not set.
- --bundlebee.kube.proxy.password (BUNDLEBEE_KUBE_PROXY_PASSWORD) - If a proxy is needed to contact the target cluster API, its password if it needs an authentication (take care, the JVM can need the -Djdk.http.auth.tunneling.disabledSchemes= option).
- --bundlebee.kube.proxy.port (BUNDLEBEE_KUBE_PROXY_PORT) - If a proxy is needed to contact the target cluster API, its port. Default value: 3128
- --bundlebee.kube.proxy.setProxySystemProperties (BUNDLEBEE_KUBE_PROXY_SETPROXYSYSTEMPROPERTIES) - If a proxy is configured to use authentication, automatically set -Djdk.http.auth.tunneling.disabledSchemes=, note that setting it on the JVM is still more reliable depending how you run bundlebee (in particular with maven or embedded). Important: the system property is "leaked", i.e. it is not cleaned up to limit side effects in concurrent mode. Default value: true
- --bundlebee.kube.proxy.username (BUNDLEBEE_KUBE_PROXY_USERNAME) - If a proxy is needed to contact the target cluster API, its username if it needs an authentication (take care, the JVM can need the -Djdk.http.auth.tunneling.disabledSchemes= option).
- --bundlebee.kube.putOnUpdate (BUNDLEBEE_KUBE_PUTONUPDATE) - By default a descriptor update is done using PATCH with strategic merge patch logic, if set to true it will use a plain PUT. Note that the io.yupiik.bundlebee/putOnUpdate annotation can be set to true to force that in the descriptor itself. Default value: false
- --bundlebee.kube.rateLimiter.enabled (BUNDLEBEE_KUBE_RATELIMITER_ENABLED) - Should HTTP client requests be limited and HTTP 427 responses be handled. Default value: false
- --bundlebee.kube.rateLimiter.permits (BUNDLEBEE_KUBE_RATELIMITER_PERMITS) - How many calls can be done if rate limiting is enabled. Note that setting it to Integer.MAX_VALUE will disable the client rate limiting and only enable the server one. Default value: 100
- --bundlebee.kube.rateLimiter.window (BUNDLEBEE_KUBE_RATELIMITER_WINDOW) - Rate limiting window duration in milliseconds (default being 1 second). Default value: 1000
- --bundlebee.kube.resourceMapping (BUNDLEBEE_KUBE_RESOURCEMAPPING) - Enables to define resource mapping, syntax uses the properties one: <lowercased resource kind>s = /apis/…. Default value: empty
- --bundlebee.kube.skipDryRunForGet (BUNDLEBEE_KUBE_SKIPDRYRUNFORGET) - If true, GET http requests are not skipped when dryRun is true. Default value: false
- --bundlebee.kube.skipUpdateForKinds (BUNDLEBEE_KUBE_SKIPUPDATEFORKINDS) - List of descriptor kinds for which updates can be skipped, it is often useful for PersistentVolumeClaim. Default value: PersistentVolumeClaim
- --bundlebee.kube.token (BUNDLEBEE_KUBE_TOKEN) - When kubeconfig is set to explicit, the bearer token to use (if set).
- --bundlebee.kube.validateSSL (BUNDLEBEE_KUBE_VALIDATESSL) - Should the SSL connector be validated or not. Default value: true
- --bundlebee.kube.verbose (BUNDLEBEE_KUBE_VERBOSE) - If true, http requests/responses to Kubernetes will be logged. Default value: false
- --bundlebee.maven.cache (BUNDLEBEE_MAVEN_CACHE) - Where to cache maven dependencies. If set to auto, tries to read the system property maven.repo.local, then the settings.xml localRepository and finally falls back on $HOME/.m2/repository. Default value: auto
- --bundlebee.maven.forceCustomSettingsXml (BUNDLEBEE_MAVEN_FORCECUSTOMSETTINGSXML) - If true we only use the cache value and never fall back on the default maven settings.xml location. Default value: false
- --bundlebee.maven.http.connectTimeout (BUNDLEBEE_MAVEN_HTTP_CONNECTTIMEOUT) - When fetching a dependency using HTTP, the connection timeout for this dependency. Default value: 30000
- --bundlebee.maven.preferCustomSettingsXml (BUNDLEBEE_MAVEN_PREFERCUSTOMSETTINGSXML) - If false we first try to read settings.xml file(s) in the cache location before the default one. Default value: true
- --bundlebee.maven.repositories.downloads.enabled (BUNDLEBEE_MAVEN_REPOSITORIES_DOWNLOADS_ENABLED) - Enable the download, i.e. ensure it runs only with the local maven repository. Default value: false
- --bundlebee.maven.repositories.httpHeaders (BUNDLEBEE_MAVEN_REPOSITORIES_HTTPHEADERS) - Properties to define the headers to set per repository, syntax is host1=headerName headerValue and it supports as many lines as used repositories. Note that you can use maven ~/.m2/settings.xml servers (potentially ciphered) username/password pairs. In this last case the server id must be bundlebee.<server host>. Still in the settings.xml case, if the username is null the password value is used as the raw Authorization header, else username/password is encoded as a basic header.
- --bundlebee.maven.repositories.release (BUNDLEBEE_MAVEN_REPOSITORIES_RELEASE) - Default release repository. Default value: https://repo.maven.apache.org/maven2/
- --bundlebee.maven.repositories.snapshot (BUNDLEBEE_MAVEN_REPOSITORIES_SNAPSHOT) - Default snapshot repository, not set by default.
- --kubeconfig (KUBECONFIG) - Kubeconfig location. If set to auto it will try to guess from your $HOME/.kube/config file until you set it to explicit, where it will use the other bundlebee.kube properties to create the client. The content can also be set inline! Default value: auto