💾 Archived View for thasmanie.fr › kubernetes-lint.gmi captured on 2021-12-04 at 18:04:22.
2020-06-23
You can do so much nonsense in Kubernetes YAML files that a tool to validate all of it is really welcome.
It's worse when using Helm, a packaging tool for Kubernetes YAML files. Helm can generate the YAML files as they would be deployed, with the `helm template` command.
I found all of this on learnk8s.io
Fairly simplistic, kubeval checks whether the YAML files are valid for a standard Kubernetes cluster.
https://kubeval.instrumenta.dev/
```
$ helm template kaamelott/ | kubeval
PASS - kaamelott/templates/serviceaccount.yaml contains a valid ServiceAccount (RELEASE-NAME-kaamelott)
PASS - kaamelott/templates/deployment.yaml contains a valid Deployment (RELEASE-NAME-kaamelott)
```
It's a start, but it remains somewhat limited...
kube-score is more complete: it also reports when best practices are not followed.
https://github.com/zegl/kube-score
```
$ helm template kaamelott/ | kube-score score -
apps/v1/Deployment RELEASE-NAME-kaamelott                                        💥
    [CRITICAL] Container Image Pull Policy
        · kaamelott -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
        · apache-exporter -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching network policy
            Create a NetworkPolicy that targets this pod
    [CRITICAL] Pod Probes
        · Container has the same readiness and liveness probe
            Using the same probe for liveness and readiness is very likely dangerous. Generally it's better to avoid the livenessProbe than re-using the readinessProbe.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · kaamelott -> The container is privileged
            Set securityContext.privileged to false
        · kaamelott -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · kaamelott -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
        · apache-exporter -> The container is privileged
            Set securityContext.privileged to false
        · apache-exporter -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · apache-exporter -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
```
A lighter output exists with the `--output-format ci` option, but in a CI I think one can actually afford to be exhaustive, so we might as well do without it:
```
helm template kaamelott/ | kube-score score --output-format ci -
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: Container has the same readiness and liveness probe
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) The container is privileged
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) The container is running with a low user ID
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) The container running with a low group ID
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (apache-exporter) The container is privileged
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (apache-exporter) The container is running with a low user ID
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (apache-exporter) The container running with a low group ID
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) ImagePullPolicy is not set to Always
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (apache-exporter) ImagePullPolicy is not set to Always
[SKIPPED] RELEASE-NAME-kaamelott apps/v1/Deployment: Skipped because the deployment has less than 2 replicas
[SKIPPED] RELEASE-NAME-kaamelott apps/v1/Deployment: Skipped because the deployment has less than 2 replicas
```
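As an added example (not code from the original post, nor from kubeval or kube-score), here is what a practitioner usually builds on top of the two outputs above: a small shell gate that fails a CI job whenever kube-score's `--output-format ci` output contains a `[CRITICAL]` line, and a Deployment plus NetworkPolicy that answer each finding the full output listed (imagePullPolicy, distinct probes instead of one shared probe, privileged=false, runAsUser/runAsGroup above 10000, two replicas, a matching network policy). The chart name kaamelott comes from the post; the image name, port, probe paths and the `role: frontend` client label are assumptions, and the sample ci lines fed to the gate are copied from the output above.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: a CI gate over kube-score's
# `--output-format ci` output, plus a manifest that answers each [CRITICAL]
# finding listed above. The chart/app name "kaamelott" is taken from the post;
# the image, port, probe paths and label values are assumptions.

# Count ci-format lines kube-score marked CRITICAL (stdin -> number on stdout).
critical_count() {
  grep -c '^\[CRITICAL\]' || true   # grep -c exits 1 on zero matches but still prints 0
}

# Read kube-score ci output on stdin; echo the CRITICAL lines and return 1 if any.
kube_score_gate() {
  out=$(cat)
  n=$(printf '%s\n' "$out" | critical_count)
  if [ "$n" -gt 0 ]; then
    printf '%s\n' "$out" | grep '^\[CRITICAL\]' >&2
    echo "kube-score gate: $n critical finding(s), failing the build" >&2
    return 1
  fi
  echo "kube-score gate: no critical findings"
}

# Constructed sample, copied from the ci-format output shown above.
sample_ci_output() {
  cat <<'EOF'
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) The container is privileged
[SKIPPED] RELEASE-NAME-kaamelott apps/v1/Deployment: Skipped because the deployment has less than 2 replicas
EOF
}

# Deployment + NetworkPolicy that satisfy the checks that fired above:
# imagePullPolicy Always, distinct readiness/liveness probes, a non-privileged
# container with UID/GID above 10000, two replicas, and a NetworkPolicy whose
# podSelector matches the pod's labels. Image and client label are assumed.
hardened_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kaamelott
spec:
  replicas: 2
  selector:
    matchLabels: {app: kaamelott}
  template:
    metadata:
      labels: {app: kaamelott}
    spec:
      containers:
        - name: kaamelott
          image: registry.example/kaamelott:1.0   # assumed image
          imagePullPolicy: Always
          securityContext:
            privileged: false
            runAsUser: 10001
            runAsGroup: 10001
          readinessProbe:
            httpGet: {path: /ready, port: 8080}
          livenessProbe:
            httpGet: {path: /healthz, port: 8080}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kaamelott
spec:
  podSelector:
    matchLabels: {app: kaamelott}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {matchLabels: {role: frontend}}   # assumed client label
      ports:
        - port: 8080
EOF
}

# In CI (helm and kube-score on PATH):
#   helm template kaamelott/ | kube-score score --output-format ci - | kube_score_gate
# Stand-alone demo on the constructed sample: the gate reports 2 criticals and fails.
sample_ci_output | kube_score_gate || echo "(gate exit status 1, as expected for the sample)" >&2
```

The gate only keys on the `[CRITICAL]` prefix, so `[WARNING]` lines still show up in the job log without blocking a merge; the pipeline's exit status is the gate's, which is what a CI runner acts on. The manifest addresses the findings shown in this post, not every check kube-score can run (resource requests and limits, for instance, are not shown here), so it is meant to be piped through `kube-score score -` like the chart itself rather than taken as a clean bill of health.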
On the other hand, it is hard to integrate all this into vim (the way shellcheck does) when working with Helm files...