sluetze
commented
11 months ago Why do you think the Checks will always fail? Because there often will be at least a container without a probe?
I think it is not that much work if looking at the existing checks to create this for the probes.
Questions which come to mind, which I cant answer right now:
- Shouldn't a check on PODS be enough? (Problem might be, that there are a ton of pods, which makes the API call quite big, and the number of alerts also)
- Couldnt a manual check be enough, to provide the user with guidance on how to check that and address the concerns manually?
benruland
The existance of readiness und liveness probes can be validated technically. This check needs to be performed for each container in every pod individually. Therefore, the check is better suited as part of the Kubernetes admission control process or manually.
The adequacy of the checks and the configured time periods needs to be ensured by the application owner.
To discuss: Does it make sense to build a check for all deployments, statefulsets, daemonsets in the cluster? There are rules (resource_requests_limits_in_deployment, resource_requests_limits_in_daemonset, resource_requests_limits_in_statefulset) that we could use as a template, but I don't think the compliance operator is a good place for that. Likely, this check will always fail... What do you mean @sluetze @ermeratos?