Validate Probes

Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. Keep in mind that if both the probes are not set, they are considered to be equal and hence fails the check.

Policy Definition

/other/ensure-probes-different/ensure-probes-different.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: validate-probes
 5  annotations:
 6    pod-policies.kyverno.io/autogen-controllers: none
 7    policies.kyverno.io/title: Validate Probes
 8    policies.kyverno.io/category: Sample
 9    policies.kyverno.io/severity: medium
10    policies.kyverno.io/minversion: 1.6.0
11    policies.kyverno.io/subject: Pod
12    policies.kyverno.io/description: >-
13      Liveness and readiness probes accomplish different goals, and setting both to the same
14      is an anti-pattern and often results in app problems in the future. This policy
15      checks that liveness and readiness probes are not equal. Keep in mind that if both the 
16      probes are not set, they are considered to be equal and hence fails the check.
17spec:
18  validationFailureAction: Audit
19  background: false
20  rules:
21    - name: validate-probes
22      match:
23        any:
24        - resources:
25            kinds:
26            - Deployment
27            - DaemonSet
28            - StatefulSet
29      validate:
30        message: "Liveness and readiness probes cannot be the same."
31        deny:
32          conditions:
33            any:
34            - key: "{{ request.object.spec.template.spec.containers[?readinessProbe==livenessProbe] | length(@) }}"
35              operator: GreaterThan
36              value: 0

Create policy issue