Deployment Has No PodAntiAffinity

  • Query id: a31b7b82-d994-48c4-bd21-3bab6c31827a
  • Query name: Deployment Has No PodAntiAffinity
  • Platform: Kubernetes
  • Severity: Low
  • Category: Resource Management
  • CWE: Ongoing
  • URL: Github

Description

Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: label-mismatch
spec:
  selector:
    matchLabels:
      app: web-store
  replicas: 3
  template:
    metadata:
      labels:
        app: web-shore
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: web-store
            topologyKey: "kubernetes.io/hostname"
      containers:
      - name: web-app
        image: nginx:1.16-alpine
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: no-affinity
spec:
  selector:
    matchLabels:
      app: web-store
  replicas: 3
  template:
    metadata:
      labels:
        app: web-store
    spec:
      containers:
      - name: web-app
        image: nginx:1.16-alpine

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-server
spec:
  selector:
    matchLabels:
      app: web-store
  replicas: 3
  template:
    metadata:
      labels:
        app: web-store
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - web-store
            topologyKey: "kubernetes.io/hostname"
      containers:
      - name: web-app
        image: nginx:1.16-alpine