Liveness Probe Not Set

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-config-002
  labels:
    severity: "medium" 
    category: "config"
  annotations:
    rules.spotter.dev/title: "Liveness Probe Not Set"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-248"
    rules.spotter.dev/description: "Liveness probes are essential for application availability. Without them, Kubernetes cannot determine if an application is unresponsive and needs to be restarted."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude:
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == 'Pod' && has(object.spec.containers) && object.spec.containers.exists(c, !has(c.livenessProbe))) ||
    (object.kind != 'Pod' && has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c, !has(c.livenessProbe)))
  remediation:
    manual: "Define a liveness probe for each container in the pod spec."
  references:
    - title: "Configure Liveness, Readiness and Startup Probes"
      url: "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        test: liveness
      name: liveness-exec
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
        args:
        - /bin/sh
        - -c
        - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        test: liveness
      name: liveness-exec
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
        args:
        - /bin/sh
        - -c
        - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
        livenessProbe:
          exec:
            command:
            - cat
            - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5

- name: secure sample 2 should pass
  pass: true
  input: |
    apiVersion: batch/v1beta1
    kind: CronJob
    metadata:
      name: hello
    spec:
      schedule: "*/1 * * * *"
      jobTemplate:
        spec:
          template:
            spec:
              containers:
              - name: hello
                image: busybox
                imagePullPolicy: IfNotPresent
                args:
                - /bin/sh
                - -c
                - date; echo Hello from the Kubernetes cluster
              restartPolicy: OnFailure

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-config-002
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-config-002
spec:
  # Add your VAP configuration here

Rule Metadata

Liveness Probe Not Set

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub