StatefulSet Without Service Name
- Query id: bb241e61-77c3-4b97-9575-c0f8a1e008d0
- Query name: StatefulSet Without Service Name
- Platform: Kubernetes
- Severity: Low
- Category: Availability
- CWE: Ongoing
- URL: Github
Description¶
StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: v1
kind: Service
metadata:
name: nginx
namespace: nginx
labels:
app: nginx2
spec:
ports:
- port: 80
name: web
clusterIP: All
selector:
app: nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: web
namespace: nginx
spec:
selector:
matchLabels:
app: nginx
serviceName: "nginx"
replicas: 3
template:
metadata:
labels:
app: nginx
spec:
terminationGracePeriodSeconds: 10
containers:
- name: nginx
image: k8s.gcr.io/nginx-slim:0.8
ports:
- containerPort: 80
name: web
volumeMounts:
- name: www
mountPath: /usr/share/nginx/html
volumeClaimTemplates:
- metadata:
name: www
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "my-storage-class"
resources:
requests:
storage: 1Gi
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: v1
kind: Service
metadata:
name: nginx2
namespace: nginx2
labels:
app: nginx2
spec:
ports:
- port: 80
name: web
clusterIP: None
selector:
app: nginx2
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: web2
namespace: nginx2
spec:
selector:
matchLabels:
app: nginx2
serviceName: "nginx2"
replicas: 3
template:
metadata:
labels:
app: nginx2
foo: bar
spec:
terminationGracePeriodSeconds: 10
containers:
- name: nginx2
image: k8s.gcr.io/nginx-slim:0.8
ports:
- containerPort: 80
name: web
volumeMounts:
- name: www
mountPath: /usr/share/nginx/html
volumeClaimTemplates:
- metadata:
name: www
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "my-storage-class"
resources:
requests:
storage: 1Gi