default-namespacebasicNamespaces are a way to limit the scope of the resources that subsets of users within a team can create. While a default namespace is created for every Kubernetes cluster, we do not recommend adding all created resources into the default namespace because of the risk of privilege escalation, resource name collisions, latency in operations as resources scale up, and mismanagement of Kubernetes objects. Having namespaces lets you enable resource quotas can be enabled to track node, CPU and memory usage for individual teams.
latest-tagbasicWe do not recommend using container images with the latest tag or not specifying a tag in the image (which defaults to latest), as this leads to confusion around the version of image used. Pods get rescheduled often as conditions inside a cluster change, and upon a reschedule, you may find that the images’ versions have changed to use the latest release, which can break the application and make it difficult to debug errors. Instead, update segments of the application individually using images pinned to specific versions.
cronjob-concurrencybasicWe do not recommend having a concurrencyPolicy of Allow for CronJob resources. If a CronJob-managed Pod does not execute to completion within the expected window, it is possible that multiple Pods pile up over time, leading to several Pods stuck in a pending state and possible resource contention. Instead, prefer Forbid, which skips execution of a new job if the previous job has not exited, or Replace, which replaces the still-running job with a new job if it has not yet exited.
privileged-containerssecurityUse the privileged mode for trusted containers only. Because the privileged mode allows container processes to access the host, malicious containers can extensively damage the host and bring down services on the cluster. If you need to run containers in privileged mode, test the container before using it in production. For more information about the risks of running containers in privileged mode, please refer to the Kubernetes security context documentation.
run-as-non-rootsecurityIf containers within a pod are allowed to run with the process ID (PID) 0, then the host can be subjected to malicious activity. We recommend using a user identifier (UID) other than 0 in your container image for running applications. You can also enforce this in the Kubernetes pod configuration as shown below.
fully-qualified-imagebasicDocker is the most popular runtime for Kubernetes. However, Kubernetes supports other container runtimes as well, such as containerd and CRI-O. If the registry is not prepended to the image name, docker assumes docker.io and pulls it from Docker Hub. However, the other runtimes will result in errors while pulling images. To maintain portability, we recommend using a fully qualified image name. If the underlying runtime is changed and the object configs are deployed to a new cluster, having fully qualified image names ensures that the applications do not break.
node-name-pod-selectordoksOn upgrade of a cluster on DOKS, the worker nodes’ hostname changes. So, if your pod spec relies on the hostname to schedule pods on specific nodes, pod scheduling will fail after the upgrade.
admission-controller-webhookbasicAdmission control webhooks can disrupt normal cluster operations. Specifically, this happens when an admission control webhook targets a service that:
Powered by WHMCompleteSolution
