Require Pod Probes

Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are running or need to be restarted. A `readinessProbe` is used by Services and Deployments to determine if the Pod is ready to receive network traffic. This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined.

Policy Definition

/best-practices/require-probes/require-probes.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-pod-probes
  annotations:
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
    policies.kyverno.io/title: Require Pod Probes
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Liveness and readiness probes need to be configured to correctly manage a Pod's
      lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic
      `livenessProbe` is performed by the kubelet to determine if the Pod's containers
      are running or need to be restarted. A `readinessProbe` is used by Services
      and Deployments to determine if the Pod is ready to receive network traffic.
      This policy validates that all containers have one of livenessProbe, readinessProbe,
      or startupProbe defined.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-probes
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "Liveness, readiness, or startup probes are required for all containers."
      foreach:
      - list: request.object.spec.containers[]
        deny:
          conditions:
            all:
            - key: livenessProbe
              operator: AllNotIn
              value: "{{ element.keys(@)[] }}"
            - key: startupProbe
              operator: AllNotIn
              value: "{{ element.keys(@)[] }}"
            - key: readinessProbe
              operator: AllNotIn
              value: "{{ element.keys(@)[] }}"
```
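To show which containers the deny conditions in this policy would flag, the following added example (not part of the original policy page, and not Kyverno's own evaluation code) re-implements the rule's key-presence check in Python over constructed manifests. The function names and sample manifests are assumptions for illustration; scope is limited to Pod plus the kinds named in the `autogen-controllers` annotation.

```python
# Added example: offline approximation of the validate-probes rule, not Kyverno's engine.
PROBES = ("livenessProbe", "readinessProbe", "startupProbe")
# Kinds listed in the policy's autogen-controllers annotation (Pod is matched directly).
AUTOGEN_KINDS = ("DaemonSet", "Deployment", "StatefulSet")


def pod_spec(manifest):
    """Return the Pod spec the rule would inspect, or None if the kind is out of scope."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in AUTOGEN_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return None


def containers_without_probes(manifest):
    """Names of spec.containers[] entries that define none of the three probe keys."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    # Mirrors the foreach list: only spec.containers[] is walked, not initContainers.
    return [c.get("name", "<unnamed>") for c in spec.get("containers", [])
            if not any(p in c for p in PROBES)]


def audit(manifests):
    """Map 'Kind/name' to the containers that would trigger the policy message."""
    report = {}
    for m in manifests:
        missing = containers_without_probes(m)
        if missing:
            report[f"{m['kind']}/{m['metadata']['name']}"] = missing
    return report


# Constructed sample manifests (hypothetical names and images).
SAMPLES = [
    {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "example/migrate:1"}],
        "containers": [
            {"name": "app", "image": "example/app:1",
             "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}},
            {"name": "sidecar", "image": "example/proxy:1"}]}}}},
    {"kind": "Pod", "metadata": {"name": "worker"}, "spec": {"containers": [
        {"name": "worker", "image": "example/worker:1",
         "startupProbe": {"exec": {"command": ["true"]}}}]}},
    {"kind": "CronJob", "metadata": {"name": "nightly"}, "spec": {}},
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Only the `sidecar` container is reported: one probe of any type satisfies the rule, the init container is never examined, and the CronJob falls outside the listed kinds.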