kube-scoreでKubernetes ManifestにLintをかける

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-deployment
  labels:
    app: sample
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sample
  template:
    metadata:
      labels:
        app: sample
    spec:
      containers:
      - name: sample
        image: busybox
        command:
        - /bin/sh
        - -c
        - date; env; tail -f /dev/null

brew install kube-score

$ kube-score score manifest.yaml 
apps/v1/Deployment sample-deployment                                         💥
    [CRITICAL] Container Resources
        · sample -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · sample -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · sample -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · sample -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · sample -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an
            effect.
    [CRITICAL] Container Image Tag
        · sample -> Image with latest tag
            Using a fixed tag is recommended to avoid accidental upgrades
    [CRITICAL] Container Security Context User Group ID
        · sample -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · sample -> Container has no configured security context
            Set securityContext to run the container in a more secure context.

helm template my-app | kube-score score -

kustomize build . | kube-score score -

$ kube-score score manifest.yaml --ignore-test pod-networkpolicy,container-resources,container-image-pull-policy,container-security-context-privileged,container-security-context-user-group-id,container-security-context-readonlyrootfilesystem,container-ephemeral-storage-request-and-limit,container-image-tag
apps/v1/Deployment sample-deployment                                         ✅

metadata:
  name: sample-deployment
  labels:
    app: sample
+ annotations:
+   kube-score/ignore: pod-networkpolicy,container-resources,container-image-pull-policy,container-security-context-privileged,container-security-context-user-group-id,container-security-context-readonlyrootfilesystem,container-ephemeral-storage-request-and-limit,container-image-tag

$ kube-score score manifest.yaml --enable-optional-test container-seccomp-profile
apps/v1/Deployment sample-deployment                                         🤔
    [WARNING] Container Seccomp Profile
        · The pod has not configured Seccomp for its containers
            Running containers with Seccomp is recommended to reduce the kernel attack surface