Kubernetes Guardrails
Enforce Kubernetes best practices including manifest validation, resource limits, probes, PodDisruptionBudgets, and HPA configurations for production readiness.
k8s to your lunar-config.yml:uses: github://earthly/lunar-lib/policies/k8s@v1.0.0
Included Guardrails
This policy includes 6 guardrails that enforce standards for your deployment and infrastructure.
valid
Validates that all Kubernetes manifests in the repository are syntactically correct and conform to K8s schema. Invalid manifests will fail deployment.
requests-and-limits
Ensures all containers have CPU and memory requests and limits defined. Missing resource specs can cause scheduling failures and noisy neighbor issues.
probes
Requires liveness and readiness probes on all containers. Probes enable Kubernetes to detect unhealthy pods and route traffic correctly.
min-replicas
Enforces minimum replica counts on HorizontalPodAutoscalers. Ensures services maintain capacity during scaling events and failures.
pdb
Requires PodDisruptionBudgets for Deployments and StatefulSets. PDBs protect availability during voluntary disruptions like node drains.
non-root
Requires containers to run as non-root users via securityContext. Running as root inside containers violates least privilege principles.
How Guardrails Fit into Lunar
Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.
Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.
Learn How Lunar Works →Required Integrations
This policy evaluates data gathered by one or more of the following integration(s).
Make sure to enable them in your lunar-config.yml.
Configuration
Configure this policy in your lunar-config.yml.
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
min_replicas
|
Optional |
3
|
Minimum replicas required for HPAs (default 3) |
max_limit_to_request_ratio
|
Optional |
4
|
Maximum ratio of limits to requests for CPU/memory (default 4) |
Documentation
View on GitHubKubernetes Guardrails
Enforces Kubernetes best practices for production-ready workloads.
Overview
This policy validates Kubernetes manifests against industry best practices including resource limits, health probes, PodDisruptionBudgets, and security configurations. It helps ensure your K8s workloads are production-ready and resilient.
Policies
This policy provides the following guardrails (use include to select a subset):
| Policy | Description | Failure Meaning |
|---|---|---|
valid |
Validates K8s manifest syntax | Manifest has YAML or schema errors |
requests-and-limits |
Checks CPU/memory requests and limits | Container missing resource specs |
probes |
Requires liveness and readiness probes | Container missing health probes |
min-replicas |
Enforces minimum HPA replicas | HPA minReplicas below threshold |
pdb |
Requires PodDisruptionBudgets | Deployment/StatefulSet missing PDB |
non-root |
Requires non-root security context | Container may run as root |
Required Data
This policy reads from the following Component JSON paths:
| Path | Type | Provided By |
|---|---|---|
.k8s.manifests[] |
array | k8s collector |
.k8s.workloads[] |
array | k8s collector |
.k8s.hpas[] |
array | k8s collector |
.k8s.pdbs[] |
array | k8s collector |
Note: Ensure the k8s collector is configured before enabling this policy.
Installation
Add to your lunar-config.yml:
collectors:
- uses: github://earthly/lunar-lib/collectors/k8s@v1.0.0
on: [kubernetes]
policies:
- uses: github://earthly/lunar-lib/policies/k8s@v1.0.0
on: [kubernetes]
enforcement: report-pr
# include: [valid, requests-and-limits, probes] # Only run specific checks
# with:
# min_replicas: "3"
# max_limit_to_request_ratio: "4"
Examples
Passing Example
A compliant component with proper resource specs, probes, and security context:
{
"k8s": {
"manifests": [
{"path": "deploy/deployment.yaml", "valid": true}
],
"workloads": [
{
"kind": "Deployment",
"name": "payment-api",
"namespace": "payments",
"path": "deploy/deployment.yaml",
"containers": [
{
"name": "api",
"has_resources": true,
"has_requests": true,
"has_limits": true,
"has_liveness_probe": true,
"has_readiness_probe": true,
"runs_as_non_root": true
}
]
}
],
"pdbs": [
{"name": "payment-api-pdb", "target_workload": "payment-api"}
]
}
}
Failing Example
A component missing resources, probes, and security configuration:
{
"k8s": {
"workloads": [
{
"kind": "Deployment",
"name": "my-app",
"namespace": "default",
"path": "deploy/app.yaml",
"containers": [
{
"name": "app",
"has_resources": false,
"has_requests": false,
"has_limits": false,
"has_liveness_probe": false,
"has_readiness_probe": false,
"runs_as_non_root": false
}
]
}
],
"pdbs": []
}
}
Failure messages:
deploy/app.yaml: Deployment default/my-app container 'app' missing resource requestsdeploy/app.yaml: Deployment default/my-app container 'app' missing livenessProbedeploy/app.yaml: Deployment default/my-app container 'app' should set securityContext.runAsNonRoot: true
Remediation
When this policy fails, resolve it by:
- For
validfailures: Fix YAML syntax errors or invalid K8s fields in the manifest - For
requests-and-limitsfailures: Addresources.requestsandresources.limitsfor CPU and memory - For
probesfailures: AddlivenessProbeandreadinessProbeto each container - For
min-replicasfailures: Increasespec.minReplicasin your HPA to meet the threshold - For
pdbfailures: Create a PodDisruptionBudget that selects your workload's pods - For
non-rootfailures: AddsecurityContext.runAsNonRoot: trueto the container or pod spec
Open Source
This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
Common Use Cases
Explore how individual guardrails work with specific integrations.
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.
Infrastructure conventions
Post-mortem action items
Security & compliance policies
Testing & quality requirements