Enforce Readiness Probe 1.1.3

Enforces a readiness probe to be defined for each container that exposes at least one port. This enables Kubernetes to direct traffic to applications only when they are ready to accept requests.


Note that this policy is part of the following security standards:

  • bsi/kubernetes: BSI IT-Grundschutz "Kubernetes": Section: APP.4.4.A11

Tags: Operational, Probes, bsi/kubernetes

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet

Example

apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: grafana
  name: grafana
spec:
  template:
    spec:
      containers:
        - image: grafana/grafana:5.4.2
          name: grafana
          ports:
            - containerPort: 3000
              name: http
              protocol: TCP
+         readinessProbe:
+           failureThreshold: 3
+           httpGet:
+             path: /api/health
+             port: http
+             scheme: HTTP
+           periodSeconds: 10
+           successThreshold: 1
+           timeoutSeconds: 1

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.enforcereadinessprobe as in the example below, giving the justification as its value.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforcereadinessprobe: |-
      The used image is provided by the vendor and does not support an appropriate readiness probe.
...
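The check this policy performs, and the risk-acceptance annotation above, as an added example (not Security Tower's own code): a small checker that flags containers exposing a port without a readinessProbe across the kinds listed under "Applies to", and skips objects carrying the exclusion annotation. The manifests are constructed in-memory dicts mirroring the grafana example, so no YAML library is required.

```python
import copy

# Added example (not Security Tower's own code): a minimal checker that mirrors
# the Enforce Readiness Probe policy on in-memory Kubernetes objects.
# Manifests are plain dicts (constructed samples), so no YAML library is needed.
EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.enforcereadinessprobe"
POD_TEMPLATE_KINDS = {"ReplicaSet", "ReplicationController", "Deployment",
                      "StatefulSet", "DaemonSet"}

def pod_spec(obj):
    """Return the PodSpec of a Pod or of any workload kind the policy applies to."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind in POD_TEMPLATE_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None  # kind outside the policy's scope

def find_violations(obj):
    """Names of containers that expose at least one port but define no
    readinessProbe. Empty list: compliant, excluded via annotation, or out of scope."""
    annotations = obj.get("metadata", {}).get("annotations") or {}
    if EXCLUSION_ANNOTATION in annotations:
        return []  # risk accepted explicitly; the justification is the annotation value
    spec = pod_spec(obj)
    if spec is None:
        return []
    return [c["name"] for c in spec.get("containers", [])
            if c.get("ports") and not c.get("readinessProbe")]

# Constructed sample: the page's grafana StatefulSet before the probe is added.
GRAFANA_NO_PROBE = {
    "apiVersion": "apps/v1", "kind": "StatefulSet",
    "metadata": {"name": "grafana", "labels": {"app": "grafana"}},
    "spec": {"template": {"spec": {"containers": [{
        "name": "grafana", "image": "grafana/grafana:5.4.2",
        "ports": [{"containerPort": 3000, "name": "http", "protocol": "TCP"}],
    }]}}},
}

# Constructed sample: the same workload with the readinessProbe from the example above.
GRAFANA_WITH_PROBE = copy.deepcopy(GRAFANA_NO_PROBE)
GRAFANA_WITH_PROBE["spec"]["template"]["spec"]["containers"][0]["readinessProbe"] = {
    "httpGet": {"path": "/api/health", "port": "http", "scheme": "HTTP"},
    "periodSeconds": 10, "timeoutSeconds": 1, "failureThreshold": 3, "successThreshold": 1,
}

if __name__ == "__main__":
    print(find_violations(GRAFANA_NO_PROBE))    # ['grafana']
    print(find_violations(GRAFANA_WITH_PROBE))  # []
```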