48 lines
1.8 KiB
YAML
48 lines
1.8 KiB
YAML
id: k8s-readiness-probe-not-set
|
|
|
|
info:
|
|
name: Readiness Probes not set in Deployments
|
|
author: princechaddha
|
|
severity: medium
|
|
description: Checks for missing readiness probes in Kubernetes Deployments, which can lead to traffic being sent to unready containers
|
|
impact: |
|
|
Not configuring readiness probes in Kubernetes Deployments can result in the routing of traffic to containers that are not ready to handle requests, leading to potential downtime or degraded performance.
|
|
remediation: |
|
|
Define readiness probes in all containers within your Kubernetes Deployments to ensure that traffic is only routed to containers that are fully prepared to handle it.
|
|
reference:
|
|
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
|
|
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let deployment of template.items) {
|
|
set("deployment",deployment)
|
|
javascript(1);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: kubectl get deployments --all-namespaces --output=json
|
|
extractors:
|
|
- type: json
|
|
name: items
|
|
internal: true
|
|
json:
|
|
- '.items[]'
|
|
|
|
javascript:
|
|
- code: |
|
|
deployment = JSON.parse(template.deployment);
|
|
if (!deployment.spec.template.spec.containers.some(container => container.readinessProbe)) {
|
|
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks readiness probes.`);
|
|
Export(result);
|
|
}
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- response
|
|
# digest: 4b0a00483046022100c6a0f6296b693f56a70b84b9c521f990219221bf26e0b04d4a77c1bd1a39799a022100ecc56b0184771d6ce9e5620bc111adbcd68cb0b1c8de331956e3804dbe355685:922c64590222798bb761d5b6d8e72950 |