Table: kubernetes_stateful_set - Query Kubernetes Stateful Sets using SQL
A Kubernetes Stateful Set is a workload API object that manages stateful applications. It is used to manage applications which require one or more of the following: stable, unique network identifiers, stable, persistent storage, and ordered, graceful deployment and scaling. Stateful Sets are valuable for applications that require stable network identity or stable storage, like databases.
Table Usage Guide
The kubernetes_stateful_set table provides insights into the stateful applications running in a Kubernetes environment. As a DevOps engineer, explore details of these applications through this table, including network identifiers, persistent storage, and deployment details. Utilize it to manage and monitor stateful applications, such as databases, that require stable network identity or persistent storage.
Examples
Basic Info - kubectl get statefulsets --all-namespaces columns
Explore the organization and status of your Kubernetes stateful sets by identifying their names, associated services, and the number of replicas. This query also allows you to assess the age of these sets, helping you manage system resources and plan for updates or decommissioning.
PostgreSQL:

```sql
select
  name,
  namespace,
  service_name,
  replicas,
  age(current_timestamp, creation_timestamp)
from
  kubernetes_stateful_set
order by
  namespace,
  name;
```

SQLite:

```sql
select
  name,
  namespace,
  service_name,
  replicas,
  strftime('%s', 'now') - strftime('%s', creation_timestamp) as age
from
  kubernetes_stateful_set
order by
  namespace,
  name;
```
List stateful sets that require manual update when the object's configuration is changed
Explore which stateful sets in your Kubernetes environment require manual updates whenever there are changes in the object's configuration. This is useful for ensuring optimal management and timely updates of stateful sets, particularly those with an 'OnDelete' update strategy.
PostgreSQL:

```sql
select
  name,
  namespace,
  service_name,
  update_strategy ->> 'type' as update_strategy_type
from
  kubernetes_stateful_set
where
  update_strategy ->> 'type' = 'OnDelete';
```

SQLite:

```sql
select
  name,
  namespace,
  service_name,
  json_extract(update_strategy, '$.type') as update_strategy_type
from
  kubernetes_stateful_set
where
  json_extract(update_strategy, '$.type') = 'OnDelete';
```
List manifest resources
Explore which stateful applications in your Kubernetes cluster have specified storage configurations. This can help you understand how your persistent data is managed and identify any potential issues with data persistence.
```sql
select
  name,
  namespace,
  service_name,
  replicas,
  path
from
  kubernetes_stateful_set
where
  path is not null
order by
  namespace,
  name;
```
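The template column (see the schema) holds the pod spec, so several of the hardening conditions named under Control examples (privileged access, privilege escalation, CAP_SYS_ADMIN, host network and host process namespace) can be read straight from this table. The query below is an added example, not part of the original page or the plugin's own query set; it uses PostgreSQL syntax and assumes the usual PodTemplateSpec layout under template -> 'spec'.

```sql
-- Added example (PostgreSQL syntax), not one of the plugin's published queries.
-- Assumption: template holds the PodTemplateSpec as JSON, so the pod spec is at
-- template -> 'spec' and each container's settings are under securityContext.
with containers as (
  select
    s.namespace,
    s.name,
    s.source_type,
    s.template -> 'spec' as pod_spec,
    e.container
  from
    kubernetes_stateful_set as s,
    -- init containers run with the same pod-level settings, so include them
    jsonb_array_elements(
      coalesce(s.template -> 'spec' -> 'initContainers', '[]'::jsonb)
      || coalesce(s.template -> 'spec' -> 'containers', '[]'::jsonb)
    ) as e(container)
),
flags as (
  select
    namespace,
    name,
    source_type,
    container ->> 'name' as container_name,
    coalesce((container -> 'securityContext' ->> 'privileged')::bool, false) as privileged,
    -- an unset allowPrivilegeEscalation is reported as allowed
    coalesce((container -> 'securityContext' ->> 'allowPrivilegeEscalation')::bool, true)
      as allows_privilege_escalation,
    coalesce(
      container -> 'securityContext' -> 'capabilities' -> 'add'
        ?| array['SYS_ADMIN', 'CAP_SYS_ADMIN'],
      false
    ) as adds_sys_admin,
    coalesce((pod_spec ->> 'hostNetwork')::bool, false) as host_network,
    coalesce((pod_spec ->> 'hostPID')::bool, false) as host_pid,
    coalesce((pod_spec ->> 'hostIPC')::bool, false) as host_ipc
  from
    containers
)
select
  *
from
  flags
where
  privileged
  or allows_privilege_escalation
  or adds_sys_admin
  or host_network
  or host_pid
  or host_ipc
order by
  namespace, name, container_name;
```

Because source_type is returned, the same query covers both deployed stateful sets and those read from manifest files, so it can be run against manifests before they reach a cluster.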
Query examples
- cluster_statefulsets_count
- services_for_statefulset
- statefulset_1_year_count
- statefulset_24_hours_count
- statefulset_30_90_days_count
- statefulset_30_days_count
- statefulset_90_365_days_count
- statefulset_age_table
- statefulset_annotations
- statefulset_by_context
- statefulset_by_context_name
- statefulset_by_creation_month
- statefulset_by_namespace
- statefulset_container_host_ipc
- statefulset_container_host_ipc_count
- statefulset_container_host_network
- statefulset_container_host_network_count
- statefulset_container_host_pid
- statefulset_container_host_pid_count
- statefulset_count
- statefulset_default_namespace
- statefulset_default_namespace_count
- statefulset_host_table
- statefulset_input
- statefulset_labels
- statefulset_overview
- statefulset_replicas
- statefulset_replicas_detail
- statefulset_service_name
- statefulset_strategy
- statefulset_tree
- statefulsets_for_namespace
- statefulsets_for_pod
- statefulsets_for_service
Control examples
- All Controls > StatefulSet > Containers in StatefulSet should have securityContext defined
- All Controls > StatefulSet > StatefulSet containers --service-account-key-file argument should be set as appropriate
- All Controls > StatefulSet > StatefulSet containers admission control plugin should be set to 'always pull images'
- All Controls > StatefulSet > StatefulSet containers admission control plugin should not be set to 'always admit'
- All Controls > StatefulSet > StatefulSet containers argument --streaming-connection-idle-timeout should not be set to 0
- All Controls > StatefulSet > StatefulSet containers argument admission control plugin NamespaceLifecycle should be enabled
- All Controls > StatefulSet > StatefulSet containers argument admission control plugin NodeRestriction should be enabled
- All Controls > StatefulSet > StatefulSet containers argument admission control plugin PodSecurityPolicy should be enabled
- All Controls > StatefulSet > StatefulSet containers argument admission control plugin ServiceAccount should be enabled
- All Controls > StatefulSet > StatefulSet containers argument admission control plugin where either PodSecurityPolicy or SecurityContextDeny should be enabled
- All Controls > StatefulSet > StatefulSet containers argument apiserver etcd certfile and keyfile should be configured
- All Controls > StatefulSet > StatefulSet containers argument authorization mode should have node
- All Controls > StatefulSet > StatefulSet containers argument authorization mode should have RBAC
- All Controls > StatefulSet > StatefulSet containers argument authorization mode should not be set to 'always allow'
- All Controls > StatefulSet > StatefulSet containers argument basic auth file should not be set
- All Controls > StatefulSet > StatefulSet containers argument etcd auto TLS should be disabled
- All Controls > StatefulSet > StatefulSet containers argument etcd cafile should be set
- All Controls > StatefulSet > StatefulSet containers argument etcd client cert auth should be enabled
- All Controls > StatefulSet > StatefulSet containers argument event qps should be less than 5
- All Controls > StatefulSet > StatefulSet containers argument hostname override should not be configured
- All Controls > StatefulSet > StatefulSet containers argument insecure bind address should not be set
- All Controls > StatefulSet > StatefulSet containers argument insecure port should be set to 0
- All Controls > StatefulSet > StatefulSet containers argument kube controller manager service account credentials should be enabled
- All Controls > StatefulSet > StatefulSet containers argument kube-controller-manager bind address should be set to 127.0.0.1
- All Controls > StatefulSet > StatefulSet containers argument kube-scheduler bind address should be set to 127.0.0.1
- All Controls > StatefulSet > StatefulSet containers argument kubelet authorization mode should not be set to 'always allow'
- All Controls > StatefulSet > StatefulSet containers argument kubelet client certificate and key should be configured
- All Controls > StatefulSet > StatefulSet containers argument kubelet HTTPS should be enabled
- All Controls > StatefulSet > StatefulSet containers argument kubelet read-only port should be set to 0
- All Controls > StatefulSet > StatefulSet containers argument make iptables util chains should be enabled
- All Controls > StatefulSet > StatefulSet containers argument protect kernel defaults should be enabled
- All Controls > StatefulSet > StatefulSet containers argument request timeout should be set as appropriate
- All Controls > StatefulSet > StatefulSet containers argument rotate kubelet server certificate should be enabled
- All Controls > StatefulSet > StatefulSet containers argument secure port should not be set to 0
- All Controls > StatefulSet > StatefulSet containers argument service account lookup should be enabled
- All Controls > StatefulSet > StatefulSet containers certificate rotation should be enabled
- All Controls > StatefulSet > StatefulSet containers has image pull policy set to Always
- All Controls > StatefulSet > StatefulSet containers have image tag specified which should be fixed not latest or blank
- All Controls > StatefulSet > StatefulSet containers kube controller manager profiling should be disabled
- All Controls > StatefulSet > StatefulSet containers kube scheduler profiling should be disabled
- All Controls > StatefulSet > StatefulSet containers kube-apiserver profiling should be disabled
- All Controls > StatefulSet > StatefulSet containers kube-apiserver should only make use of strong cryptographic ciphers
- All Controls > StatefulSet > StatefulSet containers kubelet should only make use of strong cryptographic ciphers
- All Controls > StatefulSet > StatefulSet containers Kubernetes dashboard should not be deployed
- All Controls > StatefulSet > StatefulSet containers peer client cert auth should be enabled
- All Controls > StatefulSet > StatefulSet containers ports should not have host port specified
- All Controls > StatefulSet > StatefulSet containers should has admission capability restricted
- All Controls > StatefulSet > StatefulSet containers should has encryption providers configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have audit log max backup set to 10 or greater
- All Controls > StatefulSet > StatefulSet containers should have audit log max size set to 100 or greater
- All Controls > StatefulSet > StatefulSet containers should have audit log max-age set to 30 or greater
- All Controls > StatefulSet > StatefulSet containers should have audit log path configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have etcd certfile and keyfile configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have etcd peer certfile and peer keyfile configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have kube controller manager root CA file configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have kube controller manager service account private key file configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have kube-apiserver TLS cert file and TLS private key file configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have kubelet certificate authority configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have kubelet client CA file configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have kubelet terminated pod gc threshold configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have kubelet TLS cert file and TLS private key file configured appropriately
- All Controls > StatefulSet > StatefulSet containers should have liveness probe
- All Controls > StatefulSet > StatefulSet containers should have readiness probe
- All Controls > StatefulSet > StatefulSet containers should have secrets defined as files
- All Controls > StatefulSet > StatefulSet containers should minimize its admission with capabilities assigned
- All Controls > StatefulSet > StatefulSet containers should minimize the admission of containers with added capability
- All Controls > StatefulSet > StatefulSet containers should not be mapped with privilege ports
- All Controls > StatefulSet > StatefulSet containers should not use CAP_SYS_ADMIN linux capability
- All Controls > StatefulSet > StatefulSet containers token auth file should not be configured
- All Controls > StatefulSet > StatefulSet Controller containers argument anonymous auth should be disabled
- Seccomp profile is set to docker/default in your StatefulSet definition
- StatefulSet containers should have a CPU limit
- StatefulSet containers should have a CPU request
- StatefulSet containers should have a memory limit
- StatefulSet containers should have a memory request
- StatefulSet containers should not allow privilege escalation
- StatefulSet containers should not have privileged access
- StatefulSet containers should not run with host network access
- StatefulSet containers should not run with root privileges
- StatefulSet containers should not share the host process namespace
- StatefulSet containers should run with a read only root file system
- StatefulSet definition should not use default namespace
Schema for kubernetes_stateful_set
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
annotations | jsonb | | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. |
available_replicas | bigint | | Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset. |
collision_count | bigint | | The count of hash collisions for the StatefulSet. |
conditions | jsonb | | Represents the latest available observations of a stateful set's current state. |
context_name | text | | Kubectl config context name. |
creation_timestamp | timestamp with time zone | | CreationTimestamp is a timestamp representing the server time when this object was created. |
current_replicas | bigint | | The number of Pods created by the StatefulSet controller from the StatefulSet version indicated by currentRevision. |
current_revision | text | | Indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas). |
deletion_grace_period_seconds | bigint | | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. |
deletion_timestamp | timestamp with time zone | | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. |
end_line | bigint | | The path to the manifest file. |
finalizers | jsonb | | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. |
generate_name | text | | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. |
generation | bigint | | A sequence number representing a specific generation of the desired state. |
labels | jsonb | | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. |
name | text | | Name of the object. Name must be unique within a namespace. |
namespace | text | | Namespace defines the space within which each name must be unique. |
observed_generation | bigint | | The most recent generation observed for this StatefulSet. |
owner_references | jsonb | | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. |
path | text | | The path to the manifest file. |
pod_management_policy | text | | Policy that controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. |
ready_replicas | bigint | | The number of Pods created by the StatefulSet controller that have a Ready Condition. |
replicas | bigint | | The desired number of replicas of the given Template. |
resource_version | text | | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. |
revision_history_limit | bigint | | The maximum number of revisions that will be maintained in the StatefulSet's revision history. |
service_name | text | | The name of the service that governs this StatefulSet. |
source_type | text | | The source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest. |
sp_connection_name | text | | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
start_line | bigint | | The path to the manifest file. |
tags | jsonb | | A map of tags for the resource. This includes both labels and annotations. |
template | jsonb | | Template is the object that describes the pod that will be created if insufficient replicas are detected. |
title | text | | Title of the resource. |
uid | text | | UID is the unique in time and space value for this object. |
update_revision | text | | Indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas). |
update_strategy | jsonb | | Indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template. |
updated_replicas | bigint | | The number of Pods created by the StatefulSet controller from the StatefulSet version indicated by updateRevision. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetes
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_kubernetes --config '<your_config>' kubernetes_stateful_set
```