elijahomolo
97dc16097f
update dependencies
2022-10-13 12:24:55 -04:00
Dylan Scott
a8c53040ec
CON-5812 Extend clusterlint to raise an error-level violation when invalid snapshots are found (#143)
2022-07-04 17:53:02 +01:00
Collin Shoop
7f663e5c23
Remove v1beta1 admission/controller webhook checks
2022-01-26 11:20:30 -05:00
Adam Wolfe Gordon
5eeabb8136
Support both v1beta1 and v1 admission control webhooks (#124)
...
We have a number of checks that operate on admission control webhook
configuration. Older clusters support only v1beta1 of admission control, while
newer clusters support v1. Currently clusterlint fails to run on these older
clusters because we can't fetch v1 admission control objects from them.
This change covers the following modifications:
- When listing objects, ignore "not found" errors, which mean the cluster
  doesn't support the resource we're trying to list.
- Duplicate our existing admission control webhook checks for v1beta1, so that
  older clusters get the same checks as newer clusters.
- Enhance the errors we return when listing objects fails so that we can tell
  which resource we failed to list.
- Remove extraneous empty import: client auth plugins are already loaded in
  objects.go, so no need for the import in object_filter.go.
- Ensure all object lists are non-nil after fetching objects. (Since we now
  ignore not found errors, it's possible for some object lists to be nil.)
- Skip v1beta1 admission control tests when v1 objects exist.
Co-authored-by: Timo Reimann <treimann@digitalocean.com>
2021-09-19 15:47:35 +02:00
fish-dango
d0bcc7f160
Added resource requirement to doks group
2021-06-19 19:15:45 -07:00
Varsha Varadarajan
ed20e47e10
Merge pull request #108 from varshavaradarajan/unused-secret-sa
...
unused secrets check - check if secret is referenced in service accounts
2021-01-05 12:48:20 -08:00
Varsha Varadarajan
ef03e37686
doks - check if pods referencing dobs volumes are owned by a statefulset
2021-01-05 12:41:28 -08:00
Varsha Varadarajan
37af3b316a
Merge pull request #105 from varshavaradarajan/use-stable-webhook-client
...
Use admissionregistration/v1 client to fetch webhooks
2021-01-05 12:13:33 -08:00
Varsha Varadarajan
3c3921eadf
unused secrets check - check if secret is referenced in service accounts
2020-12-22 10:19:52 -08:00
Stephen Paulger
964b011a20
Add tests for env var secrets in init containers
2020-12-21 21:17:01 +00:00
Varsha Varadarajan
95e7d57b51
Use admissionregistration/v1 client to fetch webhooks
...
* Do not fetch unused ComponentStatuses
2020-12-21 12:38:18 -08:00
Stephen Paulger
b97f94519a
Check env vars for secret key references
2020-12-21 11:16:57 +00:00
jasimmons
9abf246c1c
Add cronJobConcurrencyCheck
2020-10-26 09:32:23 -04:00
Varsha Varadarajan
ac38530e46
Add additional details to diagnostics, provide specific labels and taint keys for nodeLabelsTaints check
2020-05-26 15:07:24 -07:00
Varsha Varadarajan
a3ccd62f2d
Check for config map key ref for unused config map test
2020-02-10 11:29:59 -08:00
Adam Wolfe Gordon
0131e2f570
Merge pull request #76 from valbeat/feature/bare-pods-skip-static-pod
...
checks bare-pods: skip static pods
2020-01-15 16:43:21 -07:00
valbeat
5b77ddab97
Skip static pod
2020-01-07 15:26:46 +09:00
Adam Wolfe Gordon
73396932c9
checks/latest-tag: Handle unparseable image names
...
We don't expect to see unparseable image names in running pods, since
k8s was able to parse all the image names when the pod was
created. However, that appears to be what's happening in #71, so we
should handle the case to avoid dereferencing a nil pointer.
2019-12-09 15:37:09 -07:00
Nan Zhong
21df8a7b4b
Rework service and namespace checking into helpers
2019-11-25 14:52:11 +00:00
Nan Zhong
08da1a28bb
Introduce basic admission webhook checks to handle error case
2019-11-25 04:57:32 +00:00
Adam Wolfe Gordon
68416bd367
Add check names to diagnostics from the check runner
...
Rather than relying on each check to fill in its name correctly when
producing diagnostics, fill in the name in the check runner after
running the check. This reduces the likelihood that a check gets its
name wrong or forgets to fill it in.
This also fixes a bug where the admission control webhook check was not
filling in its name at all.
2019-10-28 18:07:01 -06:00
Varsha Varadarajan
d80f88e44e
Merge pull request #60 from varshavaradarajan/varsha/audit-severity
...
Change severity levels for some checks
2019-09-30 14:25:29 -07:00
Varsha Varadarajan
27ac46892e
Add bare-pods and hostpath-volume to doks group
...
* Checks in doks group are run by default on DOKS
2019-09-29 12:51:28 -07:00
Varsha Varadarajan
f02cccbb98
Change severity levels for some checks
...
* If a check causes upgrade or node replacement to break, severity level is error, else warning
2019-09-29 12:13:49 -07:00
Varsha Varadarajan
4f9e929f5d
Introduce options type to build client.
2019-07-17 15:38:06 -04:00
Varsha Varadarajan
1030d9d0ac
Add bare pod check to checks.md
2019-07-16 15:19:40 -04:00
Varsha Varadarajan
f11c7bd659
Bare pod check: check if pod has owner references set
2019-07-16 14:55:07 -04:00
Varsha Varadarajan
b39a543777
Check if resource requests and limits are set on pods
2019-07-08 11:24:05 -04:00
Varsha Varadarajan
98cd5d2b7a
Filter diagnostics based on enabled checks while writing diagnostics to stdout
2019-07-02 19:20:26 -04:00
Varsha Varadarajan
5f62173e0b
Check for clusterlint specific annotation to disable checks for special objects.
2019-07-02 19:17:53 -04:00
Varsha Varadarajan
dc2b0df5c3
Rename unused-pvc.go => unused_pvc.go
2019-07-02 17:16:40 -04:00
Adam Wolfe Gordon
2b080d1b9a
Add license header to all files
2019-07-02 13:30:42 -06:00
Varsha Varadarajan
9dc3f3f18c
Check for references to secret in projected volume.
2019-07-01 21:15:14 -04:00
Varsha Varadarajan
1e9e19a078
Unused secrets: check if there are unused secrets in the cluster.
2019-07-01 21:09:07 -04:00
Varsha Varadarajan
74152bddb0
Use empty struct in map while checking for object references
2019-07-01 21:05:56 -04:00
Varsha Varadarajan
d0eb5a4b0a
Check for config map references in nodes and projected volumes
2019-07-01 10:41:37 -04:00
Varsha Varadarajan
2d097ba31a
Unused config map: check if there are unused configmaps in the cluster.
2019-07-01 09:31:09 -04:00
Varsha Varadarajan
05502e3b32
Unused PVC: Check for unused claims in the cluster.
2019-07-01 09:25:46 -04:00
Varsha Varadarajan
f0618e9133
Fix golint errors.
2019-06-28 08:33:20 -04:00
Varsha Varadarajan
975a255a50
Improve default namespace check for secrets: Use upstream constant to exclude default secret sa token from check.
2019-06-27 11:12:55 -04:00
Varsha Varadarajan
3384e0b25d
Use long names for k8s object constants
2019-06-27 08:07:35 -04:00
Varsha Varadarajan
ae35752083
Unused PV: Check if there are unused persistent volumes in the cluster.
2019-06-26 14:40:25 -04:00
Varsha Varadarajan
8bacdc73a0
Change desc assertion in all tests, rename variables to conform to convention
2019-06-26 09:25:07 -04:00
Varsha Varadarajan
85fdefe8b1
Show volume name in errors.
2019-06-26 08:43:06 -04:00
Varsha Varadarajan
28e57071f5
Hostpath check: Checks if there are pods which use hostpath volumes
2019-06-26 08:29:06 -04:00
Varsha Varadarajan
695765302e
Add level flag to filter output based on severity: error, warning, or suggestion
2019-06-25 14:19:41 -04:00
Varsha Varadarajan
171ba02f4e
Remove TypeMeta from Diagnostic.
...
* The k8s API does not set TypeMeta on objects when the list API is used
2019-06-25 14:19:20 -04:00
Varsha Varadarajan
65ba22e8d8
Use owner references to indicate the objects that refer to the problematic object.
...
* Change output format to json
2019-06-25 14:19:20 -04:00
Varsha Varadarajan
0320c5633a
Introduce Diagnostic struct to store check output
2019-06-25 09:42:27 -04:00
Varsha Varadarajan
19c60903e8
Remove quotas and limits from default-namespace check.
...
* It is perfectly reasonable to have resource quotas and limit ranges in the default namespace in order to avoid resource monopolization.
2019-06-24 11:51:32 -04:00