Validate Probes in ValidatingPolicy

Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. Keep in mind that if both the probes are not set, they are considered to be equal and hence fails the check.

Policy Definition

/other-vpol/ensure-probes-different/ensure-probes-different.yaml

 1apiVersion: policies.kyverno.io/v1alpha1
 2kind: ValidatingPolicy
 3metadata:
 4  name: validate-probes
 5  annotations:
 6    policies.kyverno.io/title: Validate Probes in ValidatingPolicy
 7    policies.kyverno.io/category: Sample in Vpol 
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/minversion: 1.14.0
10    kyverno.io/kubernetes-version: "1.30"
11    policies.kyverno.io/subject: Pod
12    policies.kyverno.io/description: >-
13      Liveness and readiness probes accomplish different goals, and setting both to the same
14      is an anti-pattern and often results in app problems in the future. This policy
15      checks that liveness and readiness probes are not equal. Keep in mind that if both the 
16      probes are not set, they are considered to be equal and hence fails the check.
17spec:
18  validationActions: 
19    - Audit
20  autogen:
21   podControllers:
22     controllers: []
23  evaluation:
24    background:
25      enabled: false
26  matchConstraints:
27    resourceRules:
28      - apiGroups: ["apps"]
29        apiVersions: ["v1"]
30        resources: ["deployments", "daemonsets", "statefulsets"]
31        operations: ["CREATE", "UPDATE"]
32  validations:
33    - expression: >-
34        !object.spec.template.spec.containers.exists(container, 
35        has(container.readinessProbe) && has(container.livenessProbe) &&
36        container.readinessProbe == container.livenessProbe)
37      message: "Liveness and readiness probes cannot be the same."

Create policy issue