Checkov - creating a basic custom policy to ensure that an annotation is set on a Kubernetes Deployment


I've been looking at checkov to see if it can flag any Kubernetes Deployments that are missing the annotation kubectl.kubernetes.io/default-container.

I cannot seem to get this to work. It seems like a very simple use case for checkov.

I've currently got the following policy document:

---
metadata:
  id: "CKV2_KCDC_1"
  name: "Ensure all Deployments have default-container annotation"
  category: "KUBERNETES"
definition:
  and:
    - cond_type: filter
      value:
        - Deployment
      operator: within
      attribute: kind
    - cond_type: attribute
      resource_types:
        - Deployment
      attribute: "metadata.annotations.kubectl.kubernetes.io/default-container"
      operator: exists

My interpretation of this is "Filter for Deployments, and ensure that each one has the annotation."

When I run this, I get a lot of failures, but when I add the annotation to the failing manifests those failures are not resolved.

Answer by Scottm (best answer):

I ended up going with datree for this. My organisation was already using it, and I found it very easy to write a policy with a custom rule for my scenario. The policy looks something like this:

apiVersion: v1
policies:
  - name: Custom
    isDefault: true
    rules:
      - identifier: ENSURE_DEFAULT_CONTAINER_ANNOTATION_IS_SET
        messageOnFailure: Every workload must set the kubectl.kubernetes.io/default-container annotation so that multi-container workloads have sensible defaults for kubectl exec and kubectl logs commands.
customRules:
  - identifier: ENSURE_DEFAULT_CONTAINER_ANNOTATION_IS_SET
    name: Ensure workload has default container annotation set
    defaultMessageOnFailure: Every workload must set the kubectl.kubernetes.io/default-container annotation so that multi-container workloads have sensible defaults for kubectl exec and kubectl logs commands.
    schema:
      if:
        properties:
          kind:
            enum:
              - Deployment
              - StatefulSet
      then:
        properties:
          spec:
            properties:
              template:
                properties:
                  metadata:
                    properties:
                      annotations:
                        required:
                          - kubectl.kubernetes.io/default-container
                    required:
                      - annotations
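The following is an added, stand-alone illustration of what both rules in this thread are trying to express (the question's checkov policy and the datree rule above); it is not code from either tool or from either poster. It takes manifests as already-loaded dicts, constructed inline so it runs without PyYAML, and the function names (lookup, check_manifest, scan) and sample workload names are this example's own. It goes slightly beyond the page in two ways: it looks for the annotation on the pod template rather than on the workload's own metadata, because only template metadata is copied to the Pods that kubectl actually reads, and it also confirms that the annotation value names one of the template's containers.

```python
"""Minimal stand-alone check for the kubectl.kubernetes.io/default-container
annotation on Kubernetes workloads.

Added illustration for this thread; it is not checkov or datree code. The
manifests are constructed inline as dicts (what a YAML loader would return) so
the script runs without PyYAML, and every function name is this example's own.
"""
from typing import Any, Dict, Iterable, List, Optional

ANNOTATION = "kubectl.kubernetes.io/default-container"
# Same kinds the datree rule in the answer filters on.
WORKLOAD_KINDS = {"Deployment", "StatefulSet"}


def lookup(obj: Any, path: List[str]) -> Any:
    """Walk nested dicts by a list of keys; None if any step is missing.

    The path is a list rather than a dotted string on purpose: the annotation
    key itself contains dots, so splitting a path on "." would never find it.
    """
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_manifest(manifest: dict) -> List[str]:
    """Return findings for one manifest; an empty list means the check passed.

    Non-workload kinds are skipped (the "filter" half of the question's policy).
    The annotation is required on the pod template, not on the workload's own
    metadata, because only template metadata reaches the Pods kubectl reads.
    As an extra check beyond either rule on the page, the value must name one
    of the template's containers.
    """
    kind = manifest.get("kind")
    if kind not in WORKLOAD_KINDS:
        return []
    name = lookup(manifest, ["metadata", "name"]) or "<unnamed>"
    ident = f"{kind}/{name}"

    value = lookup(manifest, ["spec", "template", "metadata", "annotations", ANNOTATION])
    if value is None:
        return [f"{ident}: pod template is missing annotation {ANNOTATION}"]

    containers = lookup(manifest, ["spec", "template", "spec", "containers"]) or []
    names = sorted(c.get("name") for c in containers if isinstance(c, dict) and c.get("name"))
    if value not in names:
        return [f"{ident}: {ANNOTATION}={value!r} does not match any container in {names}"]
    return []


def scan(manifests: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each workload ("kind/name") to its findings; other kinds are omitted."""
    results: Dict[str, List[str]] = {}
    for m in manifests:
        if m.get("kind") in WORKLOAD_KINDS:
            ident = f"{m['kind']}/{lookup(m, ['metadata', 'name']) or '<unnamed>'}"
            results[ident] = check_manifest(m)
    return results


def _workload(kind: str, name: str, containers: List[str],
              template_annotations: Optional[dict] = None,
              top_annotations: Optional[dict] = None) -> dict:
    """Construct a sample workload manifest with the given container names."""
    return {
        "apiVersion": "apps/v1",
        "kind": kind,
        "metadata": {"name": name, "annotations": top_annotations or {}},
        "spec": {
            "template": {
                "metadata": {"annotations": template_annotations or {}},
                "spec": {"containers": [{"name": c, "image": f"example/{c}"} for c in containers]},
            }
        },
    }


# Constructed sample manifests covering the cases a reviewer wants to see.
SAMPLE_MANIFESTS = [
    _workload("Deployment", "web", ["app", "sidecar"], {ANNOTATION: "app"}),         # pass
    _workload("Deployment", "api", ["app", "sidecar"]),                              # missing
    _workload("Deployment", "worker", ["app"], top_annotations={ANNOTATION: "app"}), # wrong place
    _workload("StatefulSet", "db", ["postgres"], {ANNOTATION: "postgress"}),        # bad value
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "web"}},          # skipped
]

if __name__ == "__main__":
    for ident, findings in scan(SAMPLE_MANIFESTS).items():
        print(ident, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("   ", finding)
```

Running it prints one line per workload; the Deployment with the annotation only on its own metadata fails, which is the case a policy keyed on the top-level metadata would wrongly accept.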