💾 Archived View for thasmanie.fr › kubernetes-lint.gmi captured on 2023-01-29 at 15:27:30. Gemini links have been rewritten to link to archived content

K8S: kubectl tools

2020-06-23

Intro

You can get away with so much nonsense in Kubernetes YAML files that a tool to validate all of it is genuinely welcome.

It gets worse with helm, a packaging tool for Kubernetes YAML files. Helm can render the YAML exactly as it would be deployed, with the `helm template` command.

https://helm.sh/

I found all of this on learnk8s.io

kubeval

Fairly basic: kubeval checks whether the YAML files are valid against the schema of a standard Kubernetes cluster.

https://kubeval.instrumenta.dev/

$ helm template kaamelott/ | kubeval
PASS - kaamelott/templates/serviceaccount.yaml contains a valid ServiceAccount (RELEASE-NAME-kaamelott)
PASS - kaamelott/templates/deployment.yaml contains a valid Deployment (RELEASE-NAME-kaamelott)

It's a start, but it stays rather limited...

kube-score

More complete: kube-score also reports findings when best practices are not followed (in particular on the container securityContext, probes and network policies).

https://github.com/zegl/kube-score

$ helm template kaamelott/ | kube-score score -
apps/v1/Deployment RELEASE-NAME-kaamelott                                     💥
    [CRITICAL] Container Image Pull Policy
        · kaamelott -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
        · apache-exporter -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching network policy
            Create a NetworkPolicy that targets this pod
    [CRITICAL] Pod Probes
        · Container has the same readiness and liveness probe
            Using the same probe for liveness and readiness is very likely
            dangerous. Generally it's better to avoid the livenessProbe than
            re-using the readinessProbe.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · kaamelott -> The container is privileged
            Set securityContext.privileged to false
        · kaamelott -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · kaamelott -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
        · apache-exporter -> The container is privileged
            Set securityContext.privileged to false
        · apache-exporter -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · apache-exporter -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
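
Manifest fragments that clear each CRITICAL finding above, added here as an example and not taken from the post or from the kaamelott chart: the resource names, the image reference and the port 8080 are assumptions, and the probes hit distinct paths so they are not the same probe.

```yaml
# Added example (constructed, not the chart's own manifest); names, image and port are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kaamelott
  labels:
    app: kaamelott
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kaamelott
  template:
    metadata:
      labels:
        app: kaamelott
    spec:
      containers:
        - name: kaamelott
          image: registry.example.invalid/kaamelott:1.0.0   # placeholder, pinned tag
          imagePullPolicy: Always                           # clears "ImagePullPolicy is not set to Always"
          securityContext:
            privileged: false                               # clears "The container is privileged"
            runAsUser: 10001                                # clears "low user ID" (must be > 10000)
            runAsGroup: 10001                               # clears "low group ID" (must be > 10000)
          readinessProbe:                                   # distinct from livenessProbe
            httpGet:
              path: /ready
              port: 8080
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy                                         # clears "does not have a matching network policy"
metadata:
  name: kaamelott
spec:
  podSelector:
    matchLabels:
      app: kaamelott                                        # must match the pod's labels above
  policyTypes: [Ingress, Egress]
  ingress:
    - ports:
        - port: 8080                                        # only the service port is reachable
```

The NetworkPolicy is matched by kube-score through its podSelector, so the labels must be the same as those on the pod template; the egress side of this policy is deny-all, which is the usual starting point before allowing DNS and the backends the app actually needs.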

A lighter output exists with the `--output-format ci` option, but in a CI pipeline I think being exhaustive is exactly what you want, so you might as well do without it:

$ helm template kaamelott/ | kube-score score --output-format ci -
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: Container has the same readiness and liveness probe
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) The container is privileged
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) The container is running with a low user ID
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) The container running with a low group ID
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (apache-exporter) The container is privileged
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (apache-exporter) The container is running with a low user ID
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (apache-exporter) The container running with a low group ID
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[OK] RELEASE-NAME-kaamelott apps/v1/Deployment
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (kaamelott) ImagePullPolicy is not set to Always
[CRITICAL] RELEASE-NAME-kaamelott apps/v1/Deployment: (apache-exporter) ImagePullPolicy is not set to Always
[SKIPPED] RELEASE-NAME-kaamelott apps/v1/Deployment: Skipped because the deployment has less than 2 replicas
[SKIPPED] RELEASE-NAME-kaamelott apps/v1/Deployment: Skipped because the deployment has less than 2 replicas

On the other hand, it is hard to integrate all this into vim (the way shellcheck does) when working with helm files...