Check that string probe port match container port

Author: jouve

docs/generated/checks.md

@@ -428,6 +428,15 @@ strategyTypeRegex: ^(RollingUpdate|Rolling)$
 **Remediation**: Ensure privileged ports [0, 1024] are not mapped within containers.
 
 **Template**: [privileged-ports](templates.md#privileged-ports)
+## probe-port
+
+**Enabled by default**: Yes
+
+**Description**: Alert on probe port that does not match a port defined in container ports
+
+**Remediation**: Ensure probe port matches a port defined in container ports.
+
+**Template**: [probe-port](templates.md#probe-port)
 ## read-secret-from-env-var
 
 **Enabled by default**: No

docs/generated/templates.md

@@ -557,6 +557,15 @@ KubeLinter supports the following templates:
 **Supported Objects**: DeploymentLike
 
 
+## Probe Port
+
+**Key**: `probe-port`
+
+**Description**: Flag unknown probe port
+
+**Supported Objects**: DeploymentLike
+
+
 ## Read-only Root Filesystems
 
 **Key**: `read-only-root-fs`

e2etests/bats-tests.sh

@@ -608,6 +608,21 @@ get_value_from() {
   [[ "${count}" == "2" ]]
 }
 
+@test "probe-port" {
+  tmp="tests/checks/probe-port.yml"
+  cmd="${KUBE_LINTER_BIN} lint --include probe-port --do-not-auto-add-defaults --format json ${tmp}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 1 ]
+
+  message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
+  count=$(get_value_from "${lines[0]}" '.Reports | length')
+
+  [[ "${message1}" == "Deployment: probe port \"bar\" does not match a port in container \"myapp\"." ]]
+  [[ "${count}" == "1" ]]
+}
+
 @test "read-secret-from-env-var" {
   tmp="tests/checks/read-secret-from-env-var.yml"
   cmd="${KUBE_LINTER_BIN} lint --include read-secret-from-env-var --do-not-auto-add-defaults --format json ${tmp}"

internal/defaultchecks/default_checks.go

@@ -26,6 +26,7 @@ var (
 		"ssh-port",
 		"privilege-escalation-container",
 		"privileged-container",
+		"probe-port",
 		"run-as-non-root",
 		"unsafe-sysctls",
 		"unset-cpu-requirements",

pkg/builtinchecks/yamls/probeport.yaml

@@ -0,0 +1,7 @@
+name: "probe-port"
+description: "Alert on probe port that does not match a port defined in container ports"
+remediation: "Ensure probe port matches a port defined in container ports."
+scope:
+  objectKinds:
+    - DeploymentLike
+template: "probe-port"

pkg/templates/all/all.go

@@ -35,6 +35,7 @@ import (
 	_ "golang.stackrox.io/kube-linter/pkg/templates/privileged"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/privilegedports"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/privilegeescalation"
+	_ "golang.stackrox.io/kube-linter/pkg/templates/probeport"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/readinessprobe"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/readonlyrootfs"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/readsecret"

pkg/templates/probeport/internal/params/gen-params.go

@@ -0,0 +1,5 @@
+package params
+
+// Params represents the params accepted by this template.
+type Params struct {
+}

pkg/templates/probeport/internal/params/params.go

@@ -0,0 +1,59 @@
+package probeport
+
+import (
+	"fmt"
+
+	"golang.stackrox.io/kube-linter/internal/set"
+	"golang.stackrox.io/kube-linter/pkg/check"
+	"golang.stackrox.io/kube-linter/pkg/config"
+	"golang.stackrox.io/kube-linter/pkg/diagnostic"
+	"golang.stackrox.io/kube-linter/pkg/objectkinds"
+	"golang.stackrox.io/kube-linter/pkg/templates"
+	"golang.stackrox.io/kube-linter/pkg/templates/probeport/internal/params"
+	"golang.stackrox.io/kube-linter/pkg/templates/util"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func init() {
+	templates.Register(check.Template{
+		HumanName:   "Probe Port",
+		Key:         "probe-port",
+		Description: "Flag unknown probe port",
+		SupportedObjectKinds: config.ObjectKindsDesc{
+			ObjectKinds: []string{objectkinds.DeploymentLike},
+		},
+		Parameters:             params.ParamDescs,
+		ParseAndValidateParams: params.ParseAndValidate,
+		Instantiate: params.WrapInstantiateFunc(func(_ params.Params) (check.Func, error) {
+			return util.PerNonInitContainerCheck(func(container *v1.Container) []diagnostic.Diagnostic {
+				var portNames set.StringSet
+				for _, port := range container.Ports {
+					if name := port.Name; len(name) > 0 {
+						portNames.Add(name)
+					}
+				}
+				var results []diagnostic.Diagnostic
+				for _, probe := range []*v1.Probe{container.LivenessProbe, container.ReadinessProbe, container.StartupProbe} {
+					if probe == nil {
+						continue
+					}
+					var port intstr.IntOrString
+					if httpGet := probe.HTTPGet; httpGet != nil {
+						port = httpGet.Port
+					} else if tcpSocket := probe.TCPSocket; tcpSocket != nil {
+						port = tcpSocket.Port
+					} else {
+						continue
+					}
+					if port.Type == intstr.String && !portNames.Contains(port.StrVal) && port.IntValue() == 0 {
+						results = append(results, diagnostic.Diagnostic{
+							Message: fmt.Sprintf("probe port %q does not match a port in container %q.", port.StrVal, container.Name),
+						})
+					}
+				}
+				return results
+			}), nil
+		}),
+	})
+}

pkg/templates/probeport/template.go

@@ -0,0 +1,122 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: no-probe
+spec:
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - name: myapp
+        image: myimage
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: livenessProbe-int
+spec:
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - name: myapp
+        image: myimage
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        livenessProbe:
+          httpGet:
+            port: 1234
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: readinessProbe-int-str
+spec:
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - name: myapp
+        image: myimage
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        readinessProbe:
+          tcpCheck:
+            port: "1234"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: startupProbe-str-container-port-ok
+spec:
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - name: myapp
+        image: myimage
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 1234
+          name: foo
+        startupProbe:
+          httpGet:
+            port: foo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: startupProbe-str-container-port-ko
+spec:
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - name: myapp
+        image: myimage
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 1234
+          name: foo
+        startupProbe:
+          httpGet:
+            port: bar