StatefulSet Without Service Name

  • Query id: bb241e61-77c3-4b97-9575-c0f8a1e008d0
  • Query name: StatefulSet Without Service Name
  • Platform: Kubernetes
  • Severity: Low
  • Category: Availability
  • URL: Github

Description

StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: nginx
  labels:
    app: nginx2
spec:
  ports:
  - port: 80
    name: web
  clusterIP: All
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
  namespace: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  serviceName: "nginx"
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: v1
kind: Service
metadata:
  name: nginx2
  namespace: nginx2
  labels:
    app: nginx2
spec:
  ports:
  - port: 80
    name: web
  clusterIP: None
  selector:
    app: nginx2
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web2
  namespace: nginx2
spec:
  selector:
    matchLabels:
      app: nginx2
  serviceName: "nginx2"
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx2
        foo: bar
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx2
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi