Containers Rules Checklist
This is the master checklist - 25 enforceable rules spanning image builds, Kubernetes workloads, security, and delivery.
Treat each item as a gate you can wire into a linter, CI job, or admission policy. The dedicated Dockerfile and Kubernetes pages expand the reasoning; this page is the fast, reviewable list.
How to use this list
Run it as a pre-merge and pre-deploy gate. Left-shift the cheap checks into linting and CI, and enforce the non-negotiable ones with a policy engine in the cluster.
Copy the boxes into your pull request template so every service change is reviewed against the same bar.
The four groups map to where each rule is best enforced: build rules in the image pipeline, workload and security rules at admission, and delivery rules in your GitOps controller. None of these rules assume Docker runs your pods - containerd executes them via the CRI on nodes.
Image build rules
- Pin the base image by digest -
FROM node:22.14-slim@sha256:...prevents silent, unreproducible base changes. - Use multi-stage builds - keep compilers and dev dependencies out of the final runtime image.
- Run as a non-root user - add
USER 10001so the process never starts as UID 0. - Never bake secrets into layers - use BuildKit
--mount=type=secret; layers are cached and shippable. - Add a
.dockerignore- exclude.git,node_modules, and local env files from the build context. - Order layers for cache reuse - copy dependency manifests and install before copying source.
- Set a
HEALTHCHECKor rely on K8s probes - do not ship an image with no liveness signal at all. - Scan every image in CI - fail the build on HIGH/CRITICAL CVEs with Trivy or Grype.
- Sign and verify images - use cosign so only attested images run in production.
Kubernetes workload rules
- Set requests and limits - every container declares CPU and memory requests and memory limits.
- Define liveness and readiness probes - readiness gates traffic; liveness restarts a wedged process.
- Add a startup probe for slow starters - avoid liveness killing a container that is still booting.
- Pin image tags by digest in manifests - never deploy
:latestto a cluster. - Set
replicas >= 2and a PodDisruptionBudget - survive node drains and voluntary disruptions. - Apply the recommended labels -
app.kubernetes.io/name,part-of,version, andmanaged-by. - Spread pods across nodes/zones - use
topologySpreadConstraintsfor real availability.
Security and isolation rules
- Enforce Pod Security Standards
restricted- label namespacespod-security.kubernetes.io/enforce: restricted. - Set
runAsNonRoot,allowPrivilegeEscalation: false, andreadOnlyRootFilesystem- harden every container's securityContext. - Drop all Linux capabilities -
capabilities.drop: ["ALL"], add back only what is proven necessary. - Apply a default-deny NetworkPolicy per namespace - then allow only the flows you need.
- Use least-privilege RBAC and a dedicated ServiceAccount - never mount the default token when unused.
- Store secrets in a manager - use External Secrets or CSI; do not commit secrets to Git.
Delivery and operations rules
- Deploy declaratively via GitOps - Argo CD or Flux reconciles cluster state from Git.
- Use RollingUpdate with sane surge/unavailable - and readiness probes so rollouts do not drop traffic.
- Emit structured logs, metrics, and traces - OpenTelemetry plus Prometheus/Grafana on every service.
FAQs
Do all 25 rules apply to every service? Almost. A batch job may skip readiness probes and PodDisruptionBudgets, but the security and build rules are universal.
Which rules must be enforced in-cluster versus in CI? Enforce security-critical rules (non-root, PSS restricted, no privilege escalation) at admission. Cheaper hygiene rules can live in CI and linters.
Why digest pinning instead of semantic tags? Tags are mutable; a digest is content-addressed and immutable, so a deploy is exactly reproducible and cannot drift under you.
Is :latest ever acceptable?
Only in throwaway local experiments. In any shared or production cluster it makes rollbacks and audits impossible.
How do I roll these out without blocking every team on day one? Start policies in audit mode, publish the violations, fix the golden-path templates, then switch to enforce.
Where do memory limits matter most? Always set a memory limit to prevent noisy-neighbor OOM cascades. Be cautious with CPU limits, which throttle rather than kill.
How does this relate to the Dockerfile and manifest rule pages? This page is the master index; the Dockerfile and Kubernetes manifest pages expand the reasoning, code, and edge cases behind each grouped item here.
Should image signing block deploys from day one? Verify signatures in audit mode first, onboard your pipelines to cosign, then flip verification to enforce once coverage is high enough to avoid blocking legitimate releases.
Related
- Why Rules Beat Tribal Knowledge
- Dockerfile Rules
- Kubernetes Manifest Rules
- ADR Template
- Containers Rules Best Practices
Stack versions: This page was written for Kubernetes 1.36.2, Docker Engine 29.6.1 (BuildKit default), containerd (CRI runtime on nodes), Helm 3, Compose v2, Argo CD (latest - verify at build), and Gateway API (GA - verify controller support at build).