Popeye
Popeye (https://popeyecli.io/) scans a Kubernetes cluster and reports potential problems with the resources and configuration you have deployed. By scanning your cluster it detects misconfigurations and points you toward best practices, so that problems are caught before they cause trouble in production.
Installing Popeye
Linux, OSX and Windows are supported; download the binary from https://github.com/derailed/popeye/releases
Build from source
# Clone outside of GOPATH
git clone https://github.com/derailed/popeye
cd popeye
# Build and install
go install
# Run
popeye
PS: when installing a downloaded binary, check your Kubernetes cluster version first: the latest Popeye does not necessarily support it. My cluster is on 1.11, and in my tests 0.9.0 was the highest version that worked (newer Kubernetes API versions have changed, and some APIs are no longer supported).
Using Popeye
popeye help lists the supported commands. I won't go through them all; below are a few I use often.
1. popeye version
Prints the version; 0.9.0 was in use at the time.
2. Scan the resource configuration of a single namespace
popeye -n ops
3. Scan all namespaces
popeye -A
4. Scan only services and pods
popeye -s svc,po
5. Save the scan result to the local directory
POPEYE_REPORT_DIR=$(pwd) popeye --save
6. Save the scan result locally as HTML
POPEYE_REPORT_DIR=$(pwd) popeye --save --out html --output-file report.html
Popeye can emit the report as yaml, json, html or prometheus metrics, among others, and can also push the report to S3 (S3-compatible stores such as minio, and gcs, are supported).
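The JSON output is the one to use if you want the scan to gate a pipeline rather than just produce a report to read. The script below is an added example, not part of the original post or of the Popeye project: it post-processes a report saved with --out json, counts findings per level, and fails when the overall score is below a threshold or any error-level finding is present. It assumes the layout of Popeye's JSON output (a top-level "popeye" object with "score", "grade" and a "sanitizers" list whose entries carry "tally" and an "issues" map keyed by namespace/name, each issue having a numeric "level" where 0 is ok, 1 info, 2 warning, 3 error, and a "message"); the embedded report is constructed for the example, not captured from a real cluster, and the thresholds are mine, not Popeye's.

```python
"""Gate a CI job on a Popeye JSON report.

Added example, not part of the original post or of the Popeye project.
Assumes the layout of `popeye --out json` output: a top-level "popeye" object
with "score" and "grade", and a "sanitizers" list in which each entry has a
"tally" and an "issues" map keyed by namespace/name; every issue carries a
numeric "level" (0 ok, 1 info, 2 warning, 3 error) and a "message".
The report below is constructed for the example, not captured from a cluster.
"""
import json
import sys

LEVEL_NAMES = {1: "info", 2: "warning", 3: "error"}

# Constructed sample report (real Popeye messages are prefixed with a [POP-nnn] code).
SAMPLE_REPORT = json.dumps({
    "popeye": {
        "score": 71,
        "grade": "C",
        "sanitizers": [
            {
                "sanitizer": "pods",
                "gvr": "v1/pods",
                "tally": {"ok": 1, "info": 0, "warning": 2, "error": 1, "score": 25},
                "issues": {
                    "ops/api-7c9d": [
                        {"group": "__root__", "gvr": "v1/pods", "level": 2,
                         "message": "No resources requests/limits defined"},
                        {"group": "api", "gvr": "containers", "level": 3,
                         "message": "Image tagged \"latest\" in use"},
                    ],
                    "ops/worker-55f": [
                        {"group": "__root__", "gvr": "v1/pods", "level": 2,
                         "message": "No resources requests/limits defined"},
                    ],
                    "ops/db-0": [
                        {"group": "__root__", "gvr": "v1/pods", "level": 0,
                         "message": "OK"},
                    ],
                },
            },
            {
                "sanitizer": "services",
                "gvr": "v1/services",
                "tally": {"ok": 1, "info": 1, "warning": 0, "error": 0, "score": 100},
                "issues": {
                    "ops/api": [
                        {"group": "__root__", "gvr": "v1/services", "level": 1,
                         "message": "Service is of type LoadBalancer"},
                    ],
                },
            },
        ],
    }
})


def load_report(text):
    """Parse the JSON text and return the inner "popeye" object."""
    return json.loads(text)["popeye"]


def collect_issues(report):
    """Flatten the report into (sanitizer, resource, level, message) tuples,
    dropping level-0 (ok) entries so that only actual findings remain."""
    found = []
    for section in report.get("sanitizers", []):
        for resource, issues in (section.get("issues") or {}).items():
            for issue in issues:
                if issue["level"] > 0:
                    found.append((section["sanitizer"], resource,
                                  issue["level"], issue["message"]))
    return found


def summarize(report):
    """Count findings per level (info/warning/error) across all sanitizers."""
    counts = {name: 0 for name in LEVEL_NAMES.values()}
    for _, _, level, _ in collect_issues(report):
        counts[LEVEL_NAMES[level]] += 1
    return counts


def evaluate(report, min_score=80, fail_on_error=True):
    """Pass only if the overall score reaches min_score and, when
    fail_on_error is set, no error-level finding exists. Returns (passed, reasons)."""
    reasons = []
    if report["score"] < min_score:
        reasons.append("score %d is below the minimum %d" % (report["score"], min_score))
    if fail_on_error:
        for sanitizer, resource, level, message in collect_issues(report):
            if level == 3:
                reasons.append("error in %s %s: %s" % (sanitizer, resource, message))
    return not reasons, reasons


def main(argv):
    # With a path argument, read a real saved report; otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    print("grade %s, score %d, findings: %s"
          % (report["grade"], report["score"], summarize(report)))
    passed, reasons = evaluate(report)
    for reason in reasons:
        print("FAIL:", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline you would first run something like POPEYE_REPORT_DIR=$(pwd) popeye -A --save --out json --output-file report.json and then run this script on report.json; a non-zero exit fails the job. The level-0 entries are skipped deliberately, since Popeye lists healthy resources too and they would otherwise inflate the counts.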
Resources Popeye scans
K8s resource | Alias | Sanitizers
--- | --- | ---
Node | no | Conditions, i.e. not ready, out of mem/disk, network, pids, etc.
 | | Pod tolerations referencing node taints
 | | CPU/MEM utilization metrics, trips if over limits (default 80% CPU/MEM)
Namespace | ns | Inactive
 | | Dead namespaces
Pod | po | Pod status
 | | Containers statuses
 | | ServiceAccount presence
 | | CPU/MEM on containers over a set CPU/MEM limit (default 80% CPU/MEM)
 | | Container image with no tags
 | | Container image using latest tag
 | | Resources request/limits presence
 | | Probes liveness/readiness presence
 | | Named ports and their references
Service | svc | Endpoints presence
 | | Matching pods labels
 | | Named ports and their references
ServiceAccount | sa | Unused, detects potentially unused SAs
Secrets | sec | Unused, detects potentially unused secrets or associated keys
ConfigMap | cm | Unused, detects potentially unused cm or associated keys
Deployment | dp, deploy | Unused, pod template validation, resource utilization
StatefulSet | sts | Unused, pod template validation, resource utilization
DaemonSet | ds | Unused, pod template validation, resource utilization
PersistentVolume | pv | Unused, check volume bound or volume error
PersistentVolumeClaim | pvc | Unused, check bounded or volume mount error
HorizontalPodAutoscaler | hpa | Unused, Utilization, Max burst checks
PodDisruptionBudget | pdb | Unused, Check minAvailable configuration
ClusterRole | cr | Unused
ClusterRoleBinding | crb | Unused
Role | ro | Unused
RoleBinding | rb | Unused
Ingress | ing | Valid
NetworkPolicy | np | Valid
PodSecurityPolicy | psp | Valid
Running Popeye as a CronJob inside the k8s cluster
git clone https://github.com/derailed/popeye
kubectl apply -f k8s/popeye/ns.yml && kubectl apply -f k8s/popeye
I won't reproduce the YAML here; you can view it on GitHub (https://github.com/derailed/popeye/tree/master/k8s/popeye). Before applying it, review the ServiceAccount and ClusterRole those manifests create: a scanner only needs read access (get/list) to the resources it checks, so don't grant it anything beyond that. Keep in mind too that the reports describe your cluster's configuration and its weak spots in detail, so treat wherever they land (a local directory or an S3 bucket) as sensitive.
Here is the report from a test environment:
Hmm, it only got a C, which is a pretty low score; I went through the recommendations in the report afterwards and fixed them one by one. The report contents are well worth taking on board: for example, some of my pods had no resource limits set, and there was even an image still using the latest tag.