C-0076 - Label usage for resources

Framework

AllControls, DevOpsBest

Severity

Low

Description of the the issue

It is recommended to set labels that identify semantic attributes of your application or deployment. For example, { app: myapp, tier: frontend, phase: test, deployment: v3 }. These labels can used to assign policies to logical groups of the deployments as well as for presentation and tracking purposes. This control helps you find deployments without any of the expected labels.Note, this control is configurable. See below the details.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Test will check if a certain set of labels is defined, this is a configurable control. Initial list: app, tier, phase, version, owner, env.

Remediation

Define labels that are most suitable to your needs of use the exceptions to prevent further notifications.

Configuration

This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Recommended Labels

recommendedLabels
Kubescape checks that workloads have at least one label that identifies semantic attributes.

Example

apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: replicaset-without-label-usage
  labels:
    app: m1234
spec:
  # modify replicas according to your case
  replicas: 3
  selector:
    matchLabels:
      tier: frontend
  template:
    metadata:
      labels:
        tier: frontend
    spec:
      containers:
      - name: php-redis
        image: gcr.io/google_samples/gb-frontend:v3