Skan search for 'deployment' readiness and liveness probes #11
Comments
@Yehoraz can you share a resource example to make sure we are on the same page?
Here is an example of a deployment; you can see the live/read probes are in the container section. I searched the web and, as far as I know and according to the data Google searches provide, there will never be live/read checks on a deployment but only on pods.
apiVersion: apps/v1
It would be useful if you pasted your YAML formatted ... anyway, I used this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: 'nginx:1.14.2'
        ports:
        - containerPort: 8080
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20

and skan generates the following:

<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
<testsuite tests="0" failures="2" time="" name="">
<properties></properties>
<testcase classname="Deployment.apps nginx-deployment" name="Ops Conformance | Workload Capacity Planning | Ops Conformance" time="0.001">
<failure message="'Deployment.apps nginx-deployment', is missing a CPU request or limits definitions" type="Medium"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Ops Conformance | Workload Capacity Planning | Ops Conformance" time="0.001">
<failure message="'Deployment.apps nginx-deployment', is missing Memory request or limits definitions" type="Medium"></failure>
</testcase>
</testsuite>
<testsuite tests="0" failures="1" time="" name="">
<properties></properties>
<testcase classname="Deployment.apps nginx-deployment" name="Workload Software Supply Chain | Image Registry Whitelist | Workload Software Supply Chain" time="0.001">
<failure message="Verify that the container image(s) used by 'Deployment.apps nginx-deployment' provisioned from whitelisted registries - 'nginx:1.14.2 in container nginx'" type="High"></failure>
</testcase>
</testsuite>
<testsuite tests="0" failures="5" time="" name="">
<properties></properties>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="Force Kubernetes to run containers as a non-root user to ensure least privilege - see container(s): 'nginx'" type="High"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="An immutable root filesystem can prevent malicious binaries being added or overwrite existing binaries - container(s): 'nginx'" type="Medium"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="Set the user id to run the container process. This is the user id of the first process in the container - container(s): 'nginx'" type="Medium"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="'Deployment.apps nginx-deployment' - automountServiceAccountToken is not set to 'false' in your Pod Spec. Consider reducing Kubernetes API Server access surface by disabling automount of service account. When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace" type="High"></failure>
</testcase>
<testcase classname="Deployment.apps nginx-deployment" name="Pod Security | Workload Hardening | Pod Security" time="0.001">
<failure message="'Deployment.apps nginx-deployment' - 'In container(s) 'nginx' capabilities that should be dropped 'AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,NET_BROADCAST,SETFCAP,SETGID,SETUID,SETPCAP,SYS_CHROOT,SYS_MODULE,SYS_BOOT,SYS_TIME,SYS_RESOURCE,IPC_LOCK,IPC_OWNER,SYS_PTRACE,BLOCK_SUSPEND' or 'ALL' and capabilities that one should avoid adding '' '" type="High"></failure>
</testcase>
</testsuite>
</testsuites>
skan analyzes the pod template within your deployment/daemonset/statefulset/cronjob/... There are no findings on readiness or liveness probes - is there anything I am missing?
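To make the point in the comment above concrete, here is an added example (not skan's own code) of how a checker finds the PodSpec inside each workload kind and only then looks at the containers' probes; the kind-to-path table and the sample manifest, which mirrors the nginx-deployment above, are constructed here.

```python
"""Locate the PodSpec inside a workload manifest and check probes there."""

# Where each kind keeps its PodSpec (constructed table, standard k8s layout):
# Pod -> spec; most workloads -> spec.template.spec;
# CronJob -> spec.jobTemplate.spec.template.spec.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec_of(manifest):
    """Return the PodSpec dict for a supported kind, or None if absent."""
    node = manifest
    for key in POD_SPEC_PATHS.get(manifest.get("kind"), ()):
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    # Unknown kinds walk no path and leave node == manifest.
    return None if node is manifest else node


def probe_findings(manifest):
    """List containers in the pod template lacking a readiness or liveness probe."""
    spec = pod_spec_of(manifest)
    if spec is None:
        return [f"unsupported or incomplete kind {manifest.get('kind')!r}"]
    findings = []
    for c in spec.get("containers", []):
        for probe in ("readinessProbe", "livenessProbe"):
            if probe not in c:
                findings.append(f"container {c.get('name')!r} has no {probe}")
    return findings


# Constructed sample mirroring the nginx-deployment posted in this issue.
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"replicas": 3, "template": {"spec": {"containers": [{
        "name": "nginx", "image": "nginx:1.14.2",
        "readinessProbe": {"tcpSocket": {"port": 8080}},
        "livenessProbe": {"tcpSocket": {"port": 8080}},
    }]}}},
}

if __name__ == "__main__":
    print(probe_findings(NGINX_DEPLOYMENT))  # []
```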
Describe the bug
Skan scan searches for 'deployment' readiness and liveness probes while they exist only at pod level
To Reproduce
Steps to reproduce the behavior:
scan any template containing pod readiness and liveness probes
Expected behavior
check for pod readiness and liveness probes only