All Policies
Validate Probes
Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. Keep in mind that if both the probes are not set, they are considered to be equal and hence fails the check.
Policy Definition
/other/ensure-probes-different/ensure-probes-different.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: validate-probes
5 annotations:
6 pod-policies.kyverno.io/autogen-controllers: none
7 policies.kyverno.io/title: Validate Probes
8 policies.kyverno.io/category: Sample
9 policies.kyverno.io/severity: medium
10 policies.kyverno.io/minversion: 1.6.0
11 policies.kyverno.io/subject: Pod
12 policies.kyverno.io/description: >-
13 Liveness and readiness probes accomplish different goals, and setting both to the same
14 is an anti-pattern and often results in app problems in the future. This policy
15 checks that liveness and readiness probes are not equal. Keep in mind that if both the
16 probes are not set, they are considered to be equal and hence fails the check.
17spec:
18 validationFailureAction: Audit
19 background: false
20 rules:
21 - name: validate-probes
22 match:
23 any:
24 - resources:
25 kinds:
26 - Deployment
27 - DaemonSet
28 - StatefulSet
29 validate:
30 message: "Liveness and readiness probes cannot be the same."
31 deny:
32 conditions:
33 any:
34 - key: "{{ request.object.spec.template.spec.containers[?readinessProbe==livenessProbe] | length(@) }}"
35 operator: GreaterThan
36 value: 0