kubelinter-config.yaml

checks:
  # NOTE: Include all checks, comment failing
  include:
    - "access-to-create-pods"
    # - "access-to-secrets"
    - "cluster-admin-role-binding"
    - "dangling-horizontalpodautoscaler"
    - "dangling-ingress"
    - "dangling-networkpolicy"
    - "dangling-networkpolicypeer-podselector"
    - "dangling-service"
    - "default-service-account"
    - "deprecated-service-account-field"
    # - "dnsconfig-options"
    - "docker-sock"
    - "drop-net-raw-capability"
    - "duplicate-env-var"
    - "env-var-secret"
    - "exposed-services"
    - "host-ipc"
    - "host-network"
    - "host-pid"
    - "hpa-minimum-three-replicas"
    - "invalid-target-ports"
    - "latest-tag"
    # - "minimum-three-replicas"
    - "mismatching-selector"
    - "no-anti-affinity"
    - "no-extensions-v1beta"
    # - "no-liveness-probe"
    # - "no-node-affinity"
    - "no-read-only-root-fs"
    # - "no-readiness-probe"
    # - "no-rolling-update-strategy"
    - "non-existent-service-account"
    # - "non-isolated-pod"
    - "privilege-escalation-container"
    - "privileged-container"
    - "privileged-ports"
    - "read-secret-from-env-var"
    # - "required-annotation-email"
    # - "required-label-owner"
    - "run-as-non-root"
    - "sensitive-host-mounts"
    - "ssh-port"
    - "unsafe-proc-mount"
    - "unsafe-sysctls"
    # - "unset-cpu-requirements"
    # - "unset-memory-requirements"
    # - "use-namespace"
    - "wildcard-in-rules"
    - "writable-host-mount"

  # NOTE: manually exclude failing for documentation, fix them in future or
  # comment why are they disabled.
  exclude:
    - "access-to-secrets"  # NOTE: COSI Provisioner Sidecar requires access to secrets
    - "dnsconfig-options"
    - "minimum-three-replicas"
    - "no-liveness-probe"
    - "no-node-affinity"
    - "no-readiness-probe"
    - "no-rolling-update-strategy"
    - "non-isolated-pod"
    - "required-annotation-email"
    - "required-label-owner"
    - "unset-cpu-requirements"
    - "unset-memory-requirements"
    - "use-namespace"