Comments (3)
@Yehoraz can you share a resource example to make sure we are on the same page?
Here is an example of a deployment; you can see the liveness/readiness probes are in the container section. I searched the web, and as far as I know, and according to the data Google searches provide, there will never be liveness/readiness checks on a Deployment, only on Pods.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-nginx-deployment
  labels:
    app: example-nginx
spec:
  replicas: 4
  selector:
    matchLabels:
      app: example-nginx
  template:
    metadata:
      labels:
        app: example-nginx
        env: dev
        tier: devops
    spec:
      containers:
      - name: example-nginx
        image: docker.io/example/nginx-test:example
        ports:
        - containerPort: 80
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
It would be useful if you pasted your YAML formatted... anyway, I used this:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: 'nginx:1.14.2'
        ports:
        - containerPort: 8080
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
and skan generates the following:
<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
<testsuite tests="0" failures="2" time="" name="">
<properties></properties>
<testcase classname="Deployment.apps nginx-deployment" name="Ops Conformance | Workload Capacity Planning | Ops Conformance" time="0.001">
<failure message="'Deployment.apps nginx-deployment', is missing a CPU request or limits definitions" type="Medium"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Ops Conformance | Workload Capacity Planning | Ops Conformance" time="0.001">
<failure message="'Deployment.apps nginx-deployment', is missing Memory request or limits definitions" type="Medium"></failure>
</testcase>
</testsuite>
<testsuite tests="0" failures="1" time="" name="">
<properties></properties>
<testcase classname="Deployment.apps nginx-deployment" name="Workload Software Supply Chain | Image Registry Whitelist | Workload Software Supply Chain" time="0.001">
<failure message="Verify that the container image(s) used by 'Deployment.apps nginx-deployment' provisioned from whitelisted registries - 'nginx:1.14.2 in container nginx'" type="High"></failure>
</testcase>
</testsuite>
<testsuite tests="0" failures="5" time="" name="">
<properties></properties>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="Force Kubernetes to run containers as a non-root user to ensure least privilege - see container(s): 'nginx'" type="High"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="An immutable root filesystem can prevent malicious binaries being added or overwrite existing binaries - container(s): 'nginx'" type="Medium"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="Set the user id to run the container process. This is the user id of the first process in the container - container(s): 'nginx'" type="Medium"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="'Deployment.apps nginx-deployment' - automountServiceAccountToken is not set to 'false' in your Pod Spec. Consider reducing Kubernetes API Server access surface by disabling automount of service account. When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace" type="High"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="'Deployment.apps nginx-deployment' - 'In container(s) 'nginx' capabilities that should be dropped 'AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,NET_BROADCAST,SETFCAP,SETGID,SETUID,SETPCAP,SYS_CHROOT,SYS_MODULE,SYS_BOOT,SYS_TIME,SYS_RESOURCE,IPC_LOCK,IPC_OWNER,SYS_PTRACE,BLOCK_SUSPEND' or 'ALL' and capabilities that one should avoid adding '' '" type="High"></failure>
</testcase>
</testsuite>
</testsuites>
skan analyzes the pod template within your Deployment/DaemonSet/StatefulSet/CronJob/...
There are no findings on readiness or liveness probes - is there anything I am missing?
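A hardened version of the same Deployment, added here as an illustration and not taken from the skan project or this thread: each changed line is commented with the finding from the report above that it addresses. The registry host, the uid and the resource values are assumed placeholders, and the container is assumed to listen on 8080 as in the manifest above.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # finding: automountServiceAccountToken is not set to 'false'
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true    # finding: run containers as a non-root user
        runAsUser: 10001      # finding: set the user id (uid is an assumed value)
      containers:
      - name: nginx
        # finding: image registry whitelist; the registry host is an assumed placeholder
        image: registry.example.internal/library/nginx:1.14.2
        ports:
        - containerPort: 8080
        resources:            # findings: missing CPU and memory request/limits
          requests:
            cpu: 100m
            memory: 64Mi
          limits:
            cpu: 500m
            memory: 128Mi
        securityContext:
          readOnlyRootFilesystem: true    # finding: immutable root filesystem
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]                 # finding: capabilities that should be dropped
        volumeMounts:         # writable scratch dirs nginx needs once the root fs is read-only
        - { name: cache, mountPath: /var/cache/nginx }
        - { name: run, mountPath: /var/run }
        readinessProbe: { tcpSocket: { port: 8080 }, initialDelaySeconds: 5, periodSeconds: 10 }
        livenessProbe: { tcpSocket: { port: 8080 }, initialDelaySeconds: 15, periodSeconds: 20 }
      volumes:
      - { name: cache, emptyDir: {} }
      - { name: run, emptyDir: {} }
```

Re-running skan against this manifest should clear the capacity-planning, registry and pod-hardening findings listed in the report; the probes are unchanged because, as the maintainer notes, they were never the subject of a finding.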