@clarkezone
Last active February 10, 2023 14:25
Flattened manifest and kubescore results
```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: pocketshorten
---
apiVersion: v1
data:
  config.yaml: |
    # redacted
kind: ConfigMap
metadata:
  labels:
    environment: development
  name: staging-cloudflare-pocketshorten-configs-t59t8gk79m
  namespace: pocketshorten
---
apiVersion: v1
data:
  CONFIG: /pocketshorten.json
  LOGLEVEL: debug
  URL: http://pb-service:8080
kind: ConfigMap
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-psconfig-97d62mcgd7
  namespace: pocketshorten
---
apiVersion: v1
data:
  pocketshorten.json: |
    {
      "values": [
        ["key1", "value1", "group", "2006-01-02T15:04:05-0700"],
        ["key2", "value2", "", "2006-01-02T15:04:05-0700"],
        ["key3", "value3", "", "2006-01-02T15:04:05-0700"],
        ["tm", "https://techmeme.com", "sites", "2006-01-02T15:04:05-0700"],
        ["hn", "https://news.ycombinator.com", "sites", "2006-01-02T15:04:05-0700"]
      ]
    }
kind: ConfigMap
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-vipconfig-t6t6b29kf6
  namespace: pocketshorten
---
apiVersion: v1
data:
  cert.pem: |
    # redacted
kind: Secret
metadata:
  labels:
    environment: development
  name: staging-cloudflare-pocketshorten-cert-c7fg2g7hgc
  namespace: pocketshorten
type: Opaque
---
apiVersion: v1
data:
  #redacted
kind: Secret
metadata:
  labels:
    environment: development
  name: staging-cloudflare-pocketshorten-creds-2d79d9d2hb
  namespace: pocketshorten
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-pocketshorten-metrics-service
  namespace: pocketshorten
spec:
  ports:
  - name: metrics
    port: 8095
  selector:
    app: pocketshorten-viper
    environment: development
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-pocketshorten-service
  namespace: pocketshorten
spec:
  ports:
  - port: 8090
  selector:
    app: pocketshorten-viper
    environment: development
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: pocketshorten-tunnel
    environment: development
  name: staging-tunnel-metrics
  namespace: pocketshorten
spec:
  ports:
  - name: tunnelmetrics
    port: 2000
  selector:
    app: pocketshorten-tunnel
    environment: development
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    environment: development
  name: staging-cloudflared-tunnel
  namespace: pocketshorten
spec:
  replicas: 3
  selector:
    matchLabels:
      app: pocketshorten-tunnel
      environment: development
  template:
    metadata:
      labels:
        app: pocketshorten-tunnel
        environment: development
    spec:
      containers:
      - args:
        - tunnel
        - --config
        - /etc/cloudflared/config/config.yaml
        - --metrics
        - 0.0.0.0:2000
        - run
        image: cloudflare/cloudflared:2023.2.1
        livenessProbe:
          failureThreshold: 1
          httpGet:
            path: /ready
            port: 2000
          initialDelaySeconds: 10
          periodSeconds: 10
        name: cloudflared
        ports:
        - containerPort: 2000
          name: tunnel-port
        volumeMounts:
        - mountPath: /etc/cloudflared/config
          name: tunnel-config
          readOnly: true
        - mountPath: /etc/cloudflared
          name: tunnel-cert-volume
          readOnly: true
        - mountPath: /etc/cloudflared/creds
          name: tunnel-creds-volume
          readOnly: true
      volumes:
      - name: tunnel-cert-volume
        secret:
          secretName: staging-cloudflare-pocketshorten-cert-c7fg2g7hgc
      - name: tunnel-creds-volume
        secret:
          secretName: staging-cloudflare-pocketshorten-creds-2d79d9d2hb
      - configMap:
          name: staging-cloudflare-pocketshorten-configs-t59t8gk79m
        name: tunnel-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-pocketshorten-viper
  namespace: pocketshorten
spec:
  replicas: 3
  selector:
    matchLabels:
      app: pocketshorten-viper
      environment: development
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: pocketshorten-viper
        environment: development
    spec:
      containers:
      - args:
        - servefrontend
        - --config=/pocketshorten.json
        env:
        - name: LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: LOGLEVEL
              name: staging-psconfig-97d62mcgd7
        - name: CONFIG
          valueFrom:
            configMapKeyRef:
              key: CONFIG
              name: staging-psconfig-97d62mcgd7
        image: registry.hub.docker.com/clarkezone/pocketshorten:0.0.3
        imagePullPolicy: Always
        name: pocketshorten-viper
        ports:
        - containerPort: 8090
        - containerPort: 8095
        volumeMounts:
        - mountPath: /pocketshorten.json
          name: vipconf
          subPath: pocketshorten.json
      volumes:
      - configMap:
          name: staging-vipconfig-t6t6b29kf6
        name: vipconf
```
```sh
kubectl kustomize k8s/layered_viper/overlay/staging > /tmp/pocketshorten_layered_staging_merged.yaml
kubectl score /tmp/pocketshorten_layered_staging_merged.yaml
```
```text
apps/v1/Deployment staging-cloudflared-tunnel in pocketshorten 💥
    [CRITICAL] Container Resources
        · cloudflared -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · cloudflared -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · cloudflared -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run
            without crashing. Set resources.requests.cpu
        · cloudflared -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run
            without crashing. Set resources.requests.memory
    [CRITICAL] Container Image Pull Policy
        · cloudflared -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the
            imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · cloudflared -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · cloudflared -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this
            pod. Note, this feature needs to be supported by the CNI implementation used in the
            Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It's also used
            during rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context User Group ID
        · cloudflared -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It's recommended to define a PodDisruptionBudget to avoid unexpected downtime during
            Kubernetes maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It's recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes
            unavailable.
apps/v1/Deployment staging-pocketshorten-viper in pocketshorten 💥
    [CRITICAL] Container Resources
        · pocketshorten-viper -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · pocketshorten-viper -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · pocketshorten-viper -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run
            without crashing. Set resources.requests.cpu
        · pocketshorten-viper -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run
            without crashing. Set resources.requests.memory
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · pocketshorten-viper -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · pocketshorten-viper -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this
            pod. Note, this feature needs to be supported by the CNI implementation used in the
            Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It's also used
            during rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context User Group ID
        · pocketshorten-viper -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It's recommended to define a PodDisruptionBudget to avoid unexpected downtime during
            Kubernetes maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It's recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes
            unavailable.
v1/Service staging-pocketshorten-metrics-service in pocketshorten ✅
v1/Service staging-pocketshorten-service in pocketshorten ✅
v1/Service staging-tunnel-metrics in pocketshorten ✅
```