Changes

• #192 New check for seccomp profiles on pods. Can be enabled with
  --enable-optional-test container-seccomp-profile.
• #181 Handle the default value of PolicyTypes in NetworkPolicies

This release contains contributions from: Gustav Westling, Patrick Spiegel, dacappo

Download

• Download the binaries from the GitHub release page
• Download the image from Docker Hub: zegl/kube-score:v1.3.0
• Download the image from Docker Hub with Helm pre-installed: zegl/kube-score:v1.3.0-helm
• Download from homebrew: brew install kube-score/tap/kube-score

Docker images

• docker pull zegl/kube-score:v1.3.0
• docker pull zegl/kube-score:v1.3.0-helm

Experimental: Images are now also available from the GitHub registry

• docker pull docker.pkg.github.com/zegl/kube-score/kube-score:v1.3.0
• docker pull docker.pkg.github.com/zegl/kube-score/kube-score:v1.3.0-helm

Changes

• #177 Fixes for panics in the human output mode when the term size can not be detected, or was too small

This release contains contributions from: Gustav Westling

Download

• Download the binaries from the GitHub release page
• Download the image from Docker Hub: zegl/kube-score:v1.2.1
• Download the image from Docker Hub with Helm pre-installed: zegl/kube-score:v1.2.1-helm
• Download from homebrew: brew install kube-score/tap/kube-score

Docker images

• docker pull zegl/kube-score:v1.2.1-helm
• docker pull zegl/kube-score:v1.2.1
• docker pull zegl/kube-score:v1.2.1-helm
• docker pull zegl/kube-score:v1.2.1

Changes

• #173 update helm to v2.14.3
• #174 update alpine to v3.10.1
• #171 Add new "HorizontalPodAutoscaler has target" check that verifies that the HPA target exists (autoscaling/v1 only)
• #168 Display emojis after the name of each object to indicate the status. This is only affects the human output mode.
• #167 hide OK and skipped checks by default in the "human" display mode. Set the -v flag once to display OK checks, set it twice to also display skipped checks.
• #165 remove the --threshold-ok and --threshold-warning flags

Breaking changes

The --threshold-ok and --threshold-warnings flags have been removed, as they where confusing, and never properly worked as expected. See #164 and #165 for more information.

This release contains contributions from: Gustav Westling

Download

• Download the binaries from the GitHub release page
• Download the image from Docker Hub: zegl/kube-score:v1.2.0
• Download the image from Docker Hub with Helm pre-installed: zegl/kube-score:v1.2.0-helm
• Download from homebrew: brew install kube-score/tap/kube-score

Docker images

• docker pull zegl/kube-score:v1.2.0
• docker pull zegl/kube-score:v1.2.0-helm

Changes

• #158 Added ca-certificates to kube-score docker image with Helm pre-installed.
• #156 Add optional score container-resource-requests-equal-limits for checking resource request and limits for equality
• #152 add the --enable-optional-test CLI flag to allow adding opt-in only scores

This release contains contributions from: Andre Hilsendeger, Arno Uhlig, Gustav Westling

Download

• Download the binaries from the GitHub release page
• Download the image from Docker Hub: zegl/kube-score:v1.1.0
• Download the image from Docker Hub with Helm pre-installed: zegl/kube-score:v1.1.0-helm
• Download from homebrew: brew install kube-score/tap/kube-score

Docker images

• docker pull zegl/kube-score:v1.1.0
• docker pull zegl/kube-score:v1.1.0-helm

Changes

• #153 ENTRYPOINT is no longer set in the "-helm" container

This release contains contributions from: Gustav Westling

Download

• Download the binaries from the GitHub release page
• Download the image from Docker Hub: zegl/kube-score:v1.0.1
• Download the image from Docker Hub with Helm pre-installed: zegl/kube-score:v1.0.1-helm
• Download from homebrew: brew install kube-score/tap/kube-score

Docker images

• docker pull zegl/kube-score:v1.0.1-helm
• docker pull zegl/kube-score:v1.0.1

This is release 1.0.0 of kube-score. The project is now used by multiple companies to make sure that their Kubernetes configurations are as secure as possible.

As of writing, the pre-built binaries have been donwloaded 7300 times, the images from Docker Hub have been downloaded 3300 times, and the repository is cloned almost 150 times every day.

The 1.0.0 release indicates that the project is now stable, and will continue to be maintained in a non-breaking way.

Changes

• #147 Values from PodSecurityContext are properly inherited to the container SecurityContext
• #138 Add support for named ports in the ingress-targets-service check
• #136 Add check that validates the value of labels
• #133 Added support for JSON output. Results in the "ci" and "human" modes are now rendered in alphabetical order. Results in "ci" mode without any comments are now always rendered.

This release contains contributions from: Gustav Westling, Manuel Rüger, Matt Glick

Download

• Download the binaries from the GitHub release page
• Download the image from Docker Hub: zegl/kube-score:v1.0.0
• Download the image from Docker Hub with Helm pre-installed: zegl/kube-score:v1.0.0-helm
• Download from homebrew: brew install kube-score/tap/kube-score

Docker images

• docker pull zegl/kube-score:v1.0.0
• docker pull zegl/kube-score:v1.0.0-helm

Fixes

#129 ignore probes for jobs (@sstarcher)

Download

• Download the binaries from the GitHub release page
• Download the image from Docker Hub: zegl/kube-score:0.7.1
• Download from homebrew: brew install kube-score/tap/kube-score

Features

#111 allow for ignoring memory limits (@sstarcher)
#110 ignore probes on CronJobs and enhance pod checks to be aware of the root type that created them (@sstarcher)
#105 security: alert if security context is not set (@zegl)
#121 cmd: add version sub-command (@zegl)
#117 cmd: remove backwards compatible scoring, improved error handling (@zegl)

Documentation

fa92d5c doc: improved README
359fbdc doc: update kube-score usage in the README
61ec7fe github: update contributing guidelines
0ef1e68 goreleaser: update archive configuration
0229c26 readme: minor wording changes

Testing

4a63458 apps: increased test coverage of anti affinity checks
190453a ci: configure test coverage reports with CodeCov
41e7724 ci: disable codecov PR comments
bfb2244 ci: setup bors for merging PRs
666aa67 ci: use Go 1.12
dc86c0f ingress: add tests
060e834 security: move and modify old tests

Other

c676ea7 mod: update all dependencies
1d0f679 score: propagate errors instead of panicing

Download

• Download the binaries from the GitHub release page
• Download the image from Docker Hub: zegl/kube-score:0.7.0
• NEW: Download from homebrew: brew install kube-score/tap/kube-score

Features

fbb6fe9 score: per object test ignores with the kube-score/ignore annotation
faa7074 parser: add support for List
20186ad parser: forward namespace names to pod template specs (Thanks @filintod!)

Documentation

74942ad container: clarify why the imagePullPolicy should be set to Always
742a4a9 doc: updated list of test highlights
44ac966 docs: capotalize Go
6a7b798 docs: simplify installation instructions
6b90ea0 readme: add section on ignoring tests
be4acf5 readme: update container-image-pull-policy

Internal changes

ed77d6e domain: move to a sub-package, so that the root package can be used by the public API
c589d82 parser: refactor decodeItem
e6660d7 scorecard: constants should be of type Grade
bb896f3 scorecard: simplify representation of Scorecard
bca4a0b scorecard: simplify the relationship with the object meta and the checks

Download

Download the binaries from the GitHub release page, or download the image from Docker Hub (zegl/kube-score:0.6.0).

Features

• The kube-score cli now has two sub-commands, "score" and "list". If no sub command is specified, kube-score will default to the score command.
• kube-score list: Prints a list of all commands, this is mostly used to generate documentation.

New tests

• StatefulSet/Deployment has host PodAntiAffinity: Recommend to prevent different replicas from running on the same host #78

Changes to tests

• StatefulSet/Deployment has PodDisruptionBudget: Skip check if replicas is explicitly set < 2
• Container Image Pull Policy: Will always print a descriptive message if the check fails

Download

Download the binaries from the GitHub release page, or download the image from Docker Hub (zegl/kube-score:0.5.0).

New tests

• Service Type (recommends against use of NodePort services)
• CronJob has deadline

Download

Download the binaries from the GitHub release page, or download the image from Docker Hub (zegl/kube-score:0.4.0).

Features

• Automatic release to Docker Hub
• New flag --ignore-test to disable a single test
• New flag --output-format that can toggle human- and CI friendly output
• New flags --threshold-ok and --threshold-warning

New tests

• StatefulSet has PodDisruptionBudget
• Deployment has PodDisruptionBudget
• Ingress targets Service

Fixes

• Ignore services of type ExternalName in the "Service targets Pod" test
• Handle containers without a explicit imagePullPolicy set in the "Container Image Pull Policy" test
• Handle documents with --- that isn't a document seperator

Download

Download the binaries from the GitHub release page, or download the image from Docker Hub (zegl/kube-score:0.3.0).

Note: The Docker image tagged as 0.3.0 has been tagged from fd864d9, containing an additional fix to the Docker image.