StatefulSet Without PodDisruptionBudget

• Query id: 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5
• Query name: StatefulSet Without PodDisruptionBudget
• Platform: Kubernetes
• Severity: Low
• Category: Availability
• CWE: 754
• URL: Github

Description

StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: xpto
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  requiredDropCapabilities:
    - ALL
  selector:
    matchLabels:
      app: nginx
  serviceName: "nginx"
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: nginx33
      run: test
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx123
      run: test
  serviceName: "nginx"
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html