Refer to the acceptance test fixtures for passing examples of:

- Denies entities with an explicit `namespace`. Namespace should only be specified by `kubectl apply --namespace`. Using an explicit `namespace` creates confusion.
- Entity `labels` define the Kubernetes recommended labels.
- Entity template `labels` define the Kubernetes recommended labels.
- Entities do not include empty `labels` or `annotations`. If there are none, then omit the key.
- Entity `labels` and `annotations` are strings.
- Resource `requests` and `limits` such that:
  - `requests <= limits`
  - CPU specified in floating point. Good: `1`. Bad: `1000m`
  - Memory specified in `Mi` or `Gi`
- Container `volumeMount` names match a declared `volume`.
- A declared `volume` is mounted in at least one container.
- Container names do not contain invalid characters.
- Declared `env` name/value pairs specify string values. Broken example:

  ```yaml
  env:
  - name: ENABLE_FEATURE
    value: true
  ```

  Resolve by quoting all values.

  ```yaml
  env:
  - name: ENABLE_FEATURE
    value: 'true'
  ```
- Containers set `livenessProbe` and `readinessProbe` of any type.
- `spec.selector.matchLabels` is a subset of `spec.template.metadata.labels`. Ensures that a `Deployment` will not be rejected by the Kubernetes API for a mismatched selector.
- Container `livenessProbe` and `readinessProbe` that specify a port match a declared `containerPort`.
- Container `livenessProbe` and `readinessProbe` are the same. This should not be the case: liveness and readiness are two different conditions, so the same probe (either an HTTP GET or exec command) should not be used for both.
- Requires `Jobs` set an explicit `backoffLimit`. The default likely does not work in all cases. This forces manifest authors to choose an applicable `backoffLimit`.
- `ConfigMap` value keys are explicit strings. Broken example:

  ```yaml
  data:
    ENABLE_FEATURE: true
  ```

  Resolve by quoting all values.

  ```yaml
  data:
    ENABLE_FEATURE: 'true'
  ```

- `Secret` using `data` specifies valid Base64 encoded keys.
- `spec.minReplicas <= spec.maxReplicas`
- Container `envFrom` references a `ConfigMap` or `Secret` declared in the manifests.
- Volumes populated from a `ConfigMap` or `Secret` match one declared in the manifests.
- `Service` label selector matches a `Deployment` template's labels.
- `HorizontalPodAutoscaler` scale target matches an entity declared in the manifests.
- `Service` target port matches a `containerPort` in the matching `Deployment`.
- `Deployment` managed by an HPA does not declare `replicas`. This conflicts with the HPA's settings.
- Workloads specify the `ad.datadoghq.com/tags` annotation. Validate that workloads set specific tags by providing a data file to `conftest`:

  ```yaml
  # data/datadog_required_tags.yaml
  datadog_required_tags:
  - environment
  - service
  ```

  Next pass the `-d` or `--data` argument to conftest:

  ```sh
  conftest test --data data
  ```
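Added example (not the page's own policy): a conftest Rego policy, in rego.v1 syntax, that enforces the tags rule above and checks the required tags loaded from the data file. It assumes the `ad.datadoghq.com/tags` annotation sits on the pod template and that its value is a JSON object mapping tag keys to values.

```rego
package main

import rego.v1

# Added example, not the page's own policy. Assumes the pod template carries
# the annotation and its value is a JSON object of tag keys to values,
# e.g. {"environment": "prod", "service": "api"}.

# Kinds whose pod template lives at spec.template (CronJob is deliberately
# left out because its template is nested under jobTemplate).
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}

is_workload if workload_kinds[input.kind]

# Undefined when the annotation is absent, which `not` turns into a violation.
tags_annotation := input.spec.template.metadata.annotations["ad.datadoghq.com/tags"]

entity := sprintf("%s/%s", [input.kind, input.metadata.name])

deny contains msg if {
	is_workload
	not tags_annotation
	msg := sprintf("%s must set the ad.datadoghq.com/tags annotation", [entity])
}

# json.unmarshal on malformed input leaves the rule below undefined, so the
# parse failure is reported explicitly here instead of passing silently.
deny contains msg if {
	is_workload
	tags_annotation
	not json.is_valid(tags_annotation)
	msg := sprintf("%s ad.datadoghq.com/tags is not valid JSON", [entity])
}

# Every tag listed in data/datadog_required_tags.yaml (loaded with
# `conftest test --data data`) must be present as a key.
deny contains msg if {
	is_workload
	tags := json.unmarshal(tags_annotation)
	some required in data.datadog_required_tags
	not tags[required]
	msg := sprintf("%s ad.datadoghq.com/tags is missing required tag %q", [entity, required])
}
```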
- Workload containers specify the `ad.datadoghq.com/$container.logs` annotation. Example valid annotation:

  ```yaml
  ad.datadoghq.com/dummy.logs: |
    [{ "source": "docker", "service": "dummy" }]
  ```

  Where `dummy` is a declared container.
- Autodiscovery annotations such as `ad.datadoghq.com/service.instances` or `ad.datadoghq.com/php-fpm.instances` are valid JSON.
- Check the `apps` ingress whitelists our VPNs. Example valid annotation:

  ```yaml
  annotations:
    kubernetes.io/ingress.class: apps
    nginx.ingress.kubernetes.io/whitelist-source-range: "34.196.181.12/32,35.175.17.80/32"
  ```

- `HorizontalPodAutoscaler` has two or fewer `maxReplicas`. This keeps resource utilization low on the cluster.