CriticalFile-scope Plug & play

Disallow public ingress without explicit allowlist

For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.

Add to Mesrai Open workspace

Why this matters

Prevents accidental public exposure of internal services.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

apiVersion: v1
kind: Service
spec:
 type: LoadBalancer
 ports: [{ port: 80 }]

Prefer

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
 annotations:
 nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,192.168.0.0/16
spec:
 tls:
 - hosts: ["app.example.com"]
 secretName: app-tls
 rules:
 - host: app.example.com
 http: { paths: [...] }

More snippets

Good

nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8

Bad

kind: Service
spec:
 type: LoadBalancer

Related rules

From the same buckets as this rule.

Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1
High
Default-deny NetworkPolicy required when adding a namespace
If a PR introduces workloads in a namespace that lacks a default-deny NetworkPolicy, add one plus explicit allow rules.
infra-as-codesecurity-hardening+1

Why this matters

Bad vs. good

More snippets

Related rules

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret

Default-deny NetworkPolicy required when adding a namespace

Why this matters

Bad vs. good

More snippets

Related rules

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret

Default-deny NetworkPolicy required when adding a namespace