deckhouse · ldmonster · Oct 27, 2025 · Aug 18, 2025 · Aug 18, 2025 · Oct 7, 2025
diff --git a/go.mod b/go.mod
@@ -30,7 +30,7 @@ require (
 	github.com/spf13/pflag v1.0.6
 	github.com/spf13/viper v1.19.0
 	github.com/stretchr/testify v1.10.0
-	github.com/tidwall/gjson v1.14.4
+	github.com/tidwall/gjson v1.18.0
 	golang.org/x/mod v0.27.0
 	gopkg.in/ini.v1 v1.67.0
 	gopkg.in/yaml.v3 v3.0.1

diff --git a/go.sum b/go.sum
@@ -366,8 +366,8 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
-github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM=
-github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=

diff --git a/internal/metrics/metrics_test.go b/internal/metrics/metrics_test.go
@@ -23,7 +23,7 @@ func Test_SetLinterWarningsMetrics_AddsWarningsForAllLinters(t *testing.T) {
 			NoCyrillic:    global.LinterConfig{Impact: pkg.Warn.String()},
 			OpenAPI:       global.LinterConfig{Impact: pkg.Warn.String()},
 			Rbac:          global.LinterConfig{Impact: pkg.Warn.String()},
-			Templates:     global.LinterConfig{Impact: pkg.Warn.String()},
+			Templates:     global.TemplatesLinterConfig{},
 			Documentation: global.DocumentationLinterConfig{},
 		},
 	}
@@ -32,6 +32,7 @@ func Test_SetLinterWarningsMetrics_AddsWarningsForAllLinters(t *testing.T) {
 	cfg.Linters.Images.Impact = pkg.Warn.String()
 	cfg.Linters.Module.Impact = pkg.Warn.String()
 	cfg.Linters.Documentation.Impact = pkg.Warn.String()
+	cfg.Linters.Templates.Impact = pkg.Warn.String()
 
 	SetLinterWarningsMetrics(cfg)
 	num, err := testutil.GatherAndCount(metrics.Gatherer, "dmt_linter_info")

diff --git a/internal/module/module.go b/internal/module/module.go
@@ -184,6 +184,9 @@ func mapRuleSettings(linterSettings *pkg.LintersSettings, configSettings *config
 	// Module rules (uses global rule config + local fallback)
 	mapModuleRules(linterSettings, configSettings, globalConfig)
 
+	// Templates rules (uses global rule config + local fallback)
+	mapTemplatesRules(linterSettings, configSettings, globalConfig)
+
 	// Other linter rules (use local linter-level impact)
 	mapSimpleLinterRules(linterSettings, configSettings)
 }
@@ -232,6 +235,23 @@ func mapModuleRules(linterSettings *pkg.LintersSettings, configSettings *config.
 	rules.LegacyReleaseFileRule.SetLevel(globalRules.LegacyReleaseFileRule.Impact, fallbackImpact)
 }
 
+// mapTemplatesRules configures Templates linter rules
+func mapTemplatesRules(linterSettings *pkg.LintersSettings, configSettings *config.LintersSettings, globalConfig *global.Linters) {
+	rules := &linterSettings.Templates.Rules
+	globalRules := &globalConfig.Templates.Rules
+	fallbackImpact := configSettings.Templates.Impact
+
+	rules.VPARule.SetLevel(globalRules.VPARule.Impact, fallbackImpact)
+	rules.PDBRule.SetLevel(globalRules.PDBRule.Impact, fallbackImpact)
+	rules.IngressRule.SetLevel(globalRules.IngressRule.Impact, fallbackImpact)
+	rules.PrometheusRule.SetLevel(globalRules.PrometheusRule.Impact, fallbackImpact)
+	rules.GrafanaRule.SetLevel(globalRules.GrafanaRule.Impact, fallbackImpact)
+	rules.KubeRBACProxyRule.SetLevel(globalRules.KubeRBACProxyRule.Impact, fallbackImpact)
+	rules.ServicePortRule.SetLevel(globalRules.ServicePortRule.Impact, fallbackImpact)
+	rules.ClusterDomainRule.SetLevel(globalRules.ClusterDomainRule.Impact, fallbackImpact)
+	rules.RegistryRule.SetLevel(globalRules.RegistryRule.Impact, fallbackImpact)
+}
+
 // mapSimpleLinterRules configures rules that use linter-level impact without global overrides
 func mapSimpleLinterRules(linterSettings *pkg.LintersSettings, configSettings *config.LintersSettings) {
 	// NoCyrillic rules
@@ -244,18 +264,6 @@ func mapSimpleLinterRules(linterSettings *pkg.LintersSettings, configSettings *c
 	linterSettings.OpenAPI.Rules.CRDsRule.SetLevel("", openAPIImpact)
 	linterSettings.OpenAPI.Rules.KeysRule.SetLevel("", openAPIImpact)
 
-	// Templates rules
-	templatesImpact := configSettings.Templates.Impact
-	templates := &linterSettings.Templates.Rules
-	templates.VPARule.SetLevel("", templatesImpact)
-	templates.PDBRule.SetLevel("", templatesImpact)
-	templates.IngressRule.SetLevel("", templatesImpact)
-	templates.PrometheusRule.SetLevel("", templatesImpact)
-	templates.GrafanaRule.SetLevel("", templatesImpact)
-	templates.KubeRBACProxyRule.SetLevel("", templatesImpact)
-	templates.ServicePortRule.SetLevel("", templatesImpact)
-	templates.ClusterDomainRule.SetLevel("", templatesImpact)
-
 	// RBAC rules
 	rbacImpact := configSettings.Rbac.Impact
 	rbac := &linterSettings.RBAC.Rules

diff --git a/pkg/config.go b/pkg/config.go
@@ -134,6 +134,7 @@ type TemplatesLinterRules struct {
 	KubeRBACProxyRule RuleConfig
 	ServicePortRule   RuleConfig
 	ClusterDomainRule RuleConfig
+	RegistryRule      RuleConfig
 }
 
 type PrometheusRuleSettings struct {

diff --git a/pkg/config/global/global.go b/pkg/config/global/global.go
@@ -31,7 +31,7 @@ type Linters struct {
 	NoCyrillic    LinterConfig              `mapstructure:"no-cyrillic"`
 	OpenAPI       LinterConfig              `mapstructure:"openapi"`
 	Rbac          LinterConfig              `mapstructure:"rbac"`
-	Templates     LinterConfig              `mapstructure:"templates"`
+	Templates     TemplatesLinterConfig     `mapstructure:"templates"`
 	Documentation DocumentationLinterConfig `mapstructure:"documentation"`
 }
 
@@ -86,6 +86,23 @@ type ModuleLinterRules struct {
 	LegacyReleaseFileRule RuleConfig `mapstructure:"legacy-release-file"`
 }
 
+type TemplatesLinterConfig struct {
+	LinterConfig `mapstructure:",squash"`
+	Rules        TemplatesLinterRules `mapstructure:"rules"`
+}
+
+type TemplatesLinterRules struct {
+	VPARule           RuleConfig `mapstructure:"vpa"`
+	PDBRule           RuleConfig `mapstructure:"pdb"`
+	IngressRule       RuleConfig `mapstructure:"ingress"`
+	PrometheusRule    RuleConfig `mapstructure:"prometheus-rules"`
+	GrafanaRule       RuleConfig `mapstructure:"grafana-dashboards"`
+	KubeRBACProxyRule RuleConfig `mapstructure:"kube-rbac-proxy"`
+	ServicePortRule   RuleConfig `mapstructure:"service-port"`
+	ClusterDomainRule RuleConfig `mapstructure:"cluster-domain"`
+	RegistryRule      RuleConfig `mapstructure:"registry"`
+}
+
 func (c LinterConfig) IsWarn() bool {
 	return c.Impact == pkg.Warn.String()
 }
diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
@@ -187,10 +187,23 @@ type TemplatesSettings struct {
 	ExcludeRules      TemplatesExcludeRules        `mapstructure:"exclude-rules"`
 	GrafanaDashboards GrafanaDashboardsExcludeList `mapstructure:"grafana-dashboards"`
 	PrometheusRules   PrometheusRulesExcludeList   `mapstructure:"prometheus-rules"`
+	Rules             TemplatesLinterRules         `mapstructure:"rules"`
 
 	Impact string `mapstructure:"impact"`
 }
 
+type TemplatesLinterRules struct {
+	VPARule           RuleConfig `mapstructure:"vpa"`
+	PDBRule           RuleConfig `mapstructure:"pdb"`
+	IngressRule       RuleConfig `mapstructure:"ingress"`
+	PrometheusRule    RuleConfig `mapstructure:"prometheus-rules"`
+	GrafanaRule       RuleConfig `mapstructure:"grafana-dashboards"`
+	KubeRBACProxyRule RuleConfig `mapstructure:"kube-rbac-proxy"`
+	ServicePortRule   RuleConfig `mapstructure:"service-port"`
+	ClusterDomainRule RuleConfig `mapstructure:"cluster-domain"`
+	RegistryRule      RuleConfig `mapstructure:"registry"`
+}
+
 type TemplatesExcludeRules struct {
 	VPAAbsent     KindRuleExcludeList    `mapstructure:"vpa"`
 	PDBAbsent     KindRuleExcludeList    `mapstructure:"pdb"`

diff --git a/pkg/linters/container/README.md b/pkg/linters/container/README.md
@@ -85,19 +85,10 @@ metadata:
     heritage: deckhouse
 ```
 
-**Configuration:**
-
-```yaml
-# .dmt.yaml
-linters-settings:
-  container:
-    rules:
-      recommended-labels:
-        level: error  # error | warning | info | ignored
-```
-
 ---
 
+**Configuration:**
+
 ### namespace-labels
 
 **Purpose:** Ensures Deckhouse namespaces (prefixed with `d8-`) have the Prometheus rules watcher label enabled. This allows Prometheus to automatically discover and apply monitoring rules for the namespace.
@@ -1279,26 +1270,6 @@ linters-settings:
 - `info`: Violations are reported as informational messages
 - `ignored`: The linter is completely disabled
 
-### Rule-Level Settings
-
-Each rule can be individually configured with its own severity level:
-
-```yaml
-# .dmt.yaml
-linters-settings:
-  container:
-    impact: error
-    rules:
-      recommended-labels:
-        level: error            # error | warning | info | ignored
-      api-version:
-        level: error
-      priority-class:
-        level: error
-      revision-history-limit:
-        level: warning
-```
-
 ### Exclude Rules
 
 Many rules support excluding specific objects or containers:
@@ -1367,46 +1338,6 @@ linters-settings:
   container:
     # Global impact level for all container rules
     impact: error
-
-    # Rule-specific severity levels
-    rules:
-      recommended-labels:
-        level: error
-      namespace-labels:
-        level: error
-      api-version:
-        level: error
-      priority-class:
-        level: error
-      dns-policy:
-        level: error
-      controller-security-context:
-        level: error
-      revision-history-limit:
-        level: warning
-      name-duplicates:
-        level: error
-      read-only-root-filesystem:
-        level: error
-      host-network-ports:
-        level: error
-      env-variables-duplicates:
-        level: error
-      image-digest:
-        level: error
-      image-pull-policy:
-        level: error
-      resources:
-        level: error
-      security-context:
-        level: error
-      ports:
-        level: error
-      liveness-probe:
-        level: error
-      readiness-probe:
-        level: error
-
     # Exclude specific objects/containers from rules
     exclude-rules:
       read-only-root-filesystem:

diff --git a/pkg/linters/docs/README.md b/pkg/linters/docs/README.md
@@ -89,15 +89,6 @@ This module provides...
 
 **Configuration:**
 
-```yaml
-# .dmt.yaml
-linters-settings:
-  documentation:
-    rules:
-      readme:
-        level: error  # error | warning | info | ignored
-```
-
 To disable this rule for specific modules:
 
 ```yaml
@@ -179,15 +170,6 @@ my-module/
 
 **Configuration:**
 
-```yaml
-# .dmt.yaml
-linters-settings:
-  documentation:
-    rules:
-      bilingual:
-        level: error  # error | warning | info | ignored
-```
-
 To disable bilingual checks for specific files:
 
 ```yaml
@@ -303,15 +285,6 @@ Line 42: Check the документация for more details.
 
 **Configuration:**
 
-```yaml
-# .dmt.yaml
-linters-settings:
-  documentation:
-    rules:
-      cyrillic-in-english:
-        level: error  # error | warning | info | ignored
-```
-
 To exclude specific files from this check:
 
 ```yaml
@@ -345,24 +318,6 @@ linters-settings:
 - `info`: Violations are reported as informational messages
 - `ignored`: The linter is completely disabled
 
-### Rule-Level Settings
-
-Each rule can be individually configured with its own severity level:
-
-```yaml
-# .dmt.yaml
-linters-settings:
-  documentation:
-    impact: error
-    rules:
-      readme:
-        level: error            # error | warning | info | ignored
-      bilingual:
-        level: error
-      cyrillic-in-english:
-        level: warning          # Less strict for this rule
-```
-
 ### Path-Based Exclusions
 
 Exclude specific modules or files from validation:
@@ -383,48 +338,6 @@ linters-settings:
           - docs/GLOSSARY.md    # Technical terms document
 ```
 
-### Complete Configuration Example
-
-```yaml
-# .dmt.yaml
-linters-settings:
-  documentation:
-    # Global impact level for all documentation rules
-    impact: error
-
-    # Rule-specific settings
-    rules:
-      readme:
-        level: error
-        exclude:
-          - experimental-module
-
-      bilingual:
-        level: error
-        exclude:
-          - docs/INTERNAL.md
-          - docs/DEVELOPMENT.md
-
-      cyrillic-in-english:
-        level: warning
-        exclude:
-          - docs/GLOSSARY.md
-```
-
-### Configuration in Module Directory
-
-You can also place a `.dmt.yaml` configuration file directly in your module directory for module-specific settings:
-
-```yaml
-# modules/my-module/.dmt.yaml
-linters-settings:
-  documentation:
-    impact: warning  # More lenient for this specific module
-    rules:
-      bilingual:
-        level: info  # Informational only for translations
-```
-
 ## Common Issues
 
 ### Issue: Missing README.md