
Comments (3)

gadinaor commented on May 18, 2024

@Yehoraz can you share a resource example to make sure we are on the same page?


Yehoraz commented on May 18, 2024

Here is an example of a Deployment; you can see the liveness/readiness probes are in the container section. I searched the web and, as far as I know and according to the data Google searches provide, there will never be liveness/readiness checks on a Deployment, only on Pods.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-nginx-deployment
  labels:
    app: example-nginx
spec:
  replicas: 4
  selector:
    matchLabels:
      app: example-nginx
  template:
    metadata:
      labels:
        app: example-nginx
        env: dev
        tier: devops
    spec:
      containers:
        - name: example-nginx
          image: docker.io/example/nginx-test:example
          ports:
            - containerPort: 80
          readinessProbe:
            tcpSocket:
              port: 8080   # note: both probes target 8080 while the container only declares port 80
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20


gadinaor commented on May 18, 2024

It would be useful if you pasted your YAML formatted... anyway, I used this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: 'nginx:1.14.2'
          ports:
            - containerPort: 8080
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20

and skan generates the following:

<?xml version="1.0" encoding="UTF-8"?>

<testsuites>
	<testsuite tests="0" failures="2" time="" name="">
		<properties></properties>
		<testcase classname="Deployment.apps  nginx-deployment" name="Ops Conformance | Workload Capacity Planning | Ops Conformance" time="0.001">
			<failure message="&#39;Deployment.apps nginx-deployment&#39;, is missing a CPU request or limits definitions" type="Medium"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Ops Conformance | Workload Capacity Planning | Ops Conformance" time="0.001">
			<failure message="&#39;Deployment.apps nginx-deployment&#39;, is missing Memory request or limits definitions" type="Medium"></failure>
		</testcase>
	</testsuite>
	<testsuite tests="0" failures="1" time="" name="">
		<properties></properties>
		<testcase classname="Deployment.apps  nginx-deployment" name="Workload Software Supply Chain | Image Registry Whitelist | Workload Software Supply Chain" time="0.001">
			<failure message="Verify that the container image(s) used by &#39;Deployment.apps nginx-deployment&#39; provisioned from whitelisted registries - &#39;nginx:1.14.2 in container nginx&#39;" type="High"></failure>
		</testcase>
	</testsuite>
	<testsuite tests="0" failures="5" time="" name="">
		<properties></properties>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="Force Kubernetes to run containers as a non-root user to ensure least privilege - see container(s): &#39;nginx&#39;&#xA;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;                  &#xA;                                              " type="High"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="An immutable root filesystem can prevent malicious binaries being added or overwrite existing binaries  - container(s): &#39;nginx&#39;&#xA;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;                  &#xA;                                              " type="Medium"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="Set the user id to run the container process. This is the user id of the first process in the container   - container(s): &#39;nginx&#39;&#xA;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;&#x9;                  &#xA;                                              " type="Medium"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="&#39;Deployment.apps nginx-deployment&#39; - automountServiceAccountToken is not set to &#39;false&#39; in your Pod Spec. Consider reducing Kubernetes API Server access surface by disabling automount of service account. When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace" type="High"></failure>
		</testcase>
		<testcase classname="Deployment.apps  nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
			<failure message="&#39;Deployment.apps nginx-deployment&#39; - &#39;In container(s) &#39;nginx&#39; capabilities that should be dropped &#39;AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,NET_BROADCAST,SETFCAP,SETGID,SETUID,SETPCAP,SYS_CHROOT,SYS_MODULE,SYS_BOOT,SYS_TIME,SYS_RESOURCE,IPC_LOCK,IPC_OWNER,SYS_PTRACE,BLOCK_SUSPEND&#39; or &#39;ALL&#39; and capabilities that one should avoid adding &#39;&#39; &#39;" type="High"></failure>
		</testcase>
	</testsuite>
</testsuites>

skan analyzes the pod template within your Deployment/DaemonSet/StatefulSet/CronJob/...

There are no findings on readiness or liveness probes - is there anything I am missing?

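The pod-template walk described in the comment above, as an added example that is not skan's own code: it locates the template for Deployment, DaemonSet, StatefulSet, ReplicaSet, Job and CronJob manifests (a CronJob nests it under spec.jobTemplate.spec.template, which is easy to miss), then reports containers missing a readinessProbe or livenessProbe next to checks modelled on the findings in the JUnit output above (CPU/memory, allowed registry, runAsNonRoot, runAsUser, readOnlyRootFilesystem, automountServiceAccountToken, dropped capabilities). The ALLOWED_REGISTRIES list, the hardened values, the sample CronJob and the message wording are this example's own assumptions, not skan rules or identifiers; the manifests are constructed inline as dicts so it runs without a cluster or pyyaml (use yaml.safe_load on real files).

```python
"""Walk the pod template of Kubernetes workload manifests and report gaps.

Added example, not skan's own code. ALLOWED_REGISTRIES, the hardened values and
the sample CronJob are this example's assumptions; manifests are inline dicts.
"""
from __future__ import annotations
import copy

# Assumption: registries images may be pulled from (not a skan setting).
ALLOWED_REGISTRIES = ("registry.example.internal/", "docker.io/example/")
TEMPLATED_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def pod_template(manifest: dict) -> dict | None:
    """Return the pod template; a CronJob nests it under spec.jobTemplate.spec.template."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return manifest
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template")
    return spec.get("template") if kind in TEMPLATED_KINDS else None


def check_workload(manifest: dict) -> list[str]:
    """Return findings for one manifest; an empty list means every check passed."""
    name = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    tmpl = pod_template(manifest)
    if tmpl is None:
        return [f"{name}: no pod template found for this kind"]
    pod_spec = tmpl.get("spec", {})
    out: list[str] = []
    if pod_spec.get("automountServiceAccountToken") is not False:
        out.append(f"{name}: automountServiceAccountToken is not false")
    for c in pod_spec.get("containers", []):
        cn = c.get("name", "<unnamed>")
        for probe in ("readinessProbe", "livenessProbe"):  # the check skan does not report
            if probe not in c:
                out.append(f"{name}: container {cn} has no {probe}")
        res = c.get("resources", {})
        for r in ("cpu", "memory"):  # a request or a limit satisfies capacity planning
            if r not in res.get("requests", {}) and r not in res.get("limits", {}):
                out.append(f"{name}: container {cn} has no {r} request or limit")
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            out.append(f"{name}: image {image!r} in container {cn} is not from an allowed registry")
        sc = c.get("securityContext", {})
        if sc.get("runAsNonRoot") is not True:
            out.append(f"{name}: container {cn} does not set runAsNonRoot: true")
        if "runAsUser" not in sc:
            out.append(f"{name}: container {cn} does not set runAsUser")
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(f"{name}: container {cn} does not set readOnlyRootFilesystem: true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f"{name}: container {cn} does not drop ALL capabilities")
    return out


# Constructed sample: the nginx Deployment from the thread, as a dict.
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment", "labels": {"app": "nginx"}},
    "spec": {"replicas": 3, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}}, "spec": {"containers": [{
                 "name": "nginx", "image": "nginx:1.14.2", "ports": [{"containerPort": 8080}],
                 "readinessProbe": {"tcpSocket": {"port": 8080}, "initialDelaySeconds": 5, "periodSeconds": 10},
                 "livenessProbe": {"tcpSocket": {"port": 8080}, "initialDelaySeconds": 15, "periodSeconds": 20},
             }]}}},
}


def hardened_nginx_deployment() -> dict:
    """Same Deployment with every flagged field set (values are this example's choices)."""
    m = copy.deepcopy(NGINX_DEPLOYMENT)
    pod_spec = m["spec"]["template"]["spec"]
    pod_spec["automountServiceAccountToken"] = False
    c = pod_spec["containers"][0]
    c["image"] = "registry.example.internal/nginx:1.14.2"
    c["resources"] = {"requests": {"cpu": "100m", "memory": "64Mi"},
                      "limits": {"cpu": "500m", "memory": "128Mi"}}
    c["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001,
                            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}
    return m


# Constructed sample: a hardened CronJob whose container has no probes.
BACKUP_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "backup"},
    "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "backup", "image": "registry.example.internal/backup:1.0",
                        "resources": {"limits": {"cpu": "1", "memory": "256Mi"}},
                        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}]}}}}},
}

if __name__ == "__main__":
    for m in (NGINX_DEPLOYMENT, hardened_nginx_deployment(), BACKUP_CRONJOB):
        label = f"{m['kind']}/{m['metadata']['name']}"
        print("\n".join(check_workload(m) or [f"{label}: no findings"]))
```

Run as-is, the thread's Deployment produces the same eight classes of finding as the JUnit output above and nothing about probes, the hardened copy produces none, and the CronJob shows only the two missing probes, because every check runs against the pod template regardless of the enclosing kind. One caveat on the hardened values: they satisfy the checks, but the stock nginx:1.14.2 image listens on port 80 and writes to /var/cache/nginx and /var/run, so actually running it as non-root with a read-only root filesystem needs a non-privileged listen port (or an unprivileged nginx image) plus emptyDir mounts for those paths.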
