Popeye
Popeye(https://popeyecli.io/)扫描Kubernetes集群,可以报告你部署的k8s资源和配置的潜在问题。通过扫描您的集群,它可以检测到错误配置,建议您达到最佳实践,从而避免未来的麻烦。
安装Popeye
支持Linux, OSX and Windows,下载地址https://github.com/derailed/popeye/releases
编译安装
# Clone outside of GOPATH
git clone https://github.com/derailed/popeye
cd popeye
# Build and install
go install
# Run
popeye PS:下载二进制安装需要注意下,根据你当前的k8s集群版本,最新的Popeye不一定支持,笔者当前版本是1.11,经过测试最高仅支持0.9.0(高版本的k8s api有过更新,一些api不支持了)
Popeye使用
popeye help可以查看popeye支持的命令,具体的我就不一一展示了,下面我罗列几个常用的命令
1.popeye version
当时使用的0.9.0版本
2.扫描k8s某一个命名空间资源配置情况
popeye -n ops
3.扫描k8s所有namespace
popeye -A
4.只扫描k8s的service和pod
popeye -s svc,po
5.扫描结果保存到本地
POPEYE_REPORT_DIR=$(pwd) popeye --save 6.扫描结果以html格式保存到本地
POPEYE_REPORT_DIR=$(pwd) popeye --save --out html --output-file report.html Popeye的扫描结果支持yaml, json, html,prometheus等,也可以扫描结果到S3,支持minio,gcs等。
Popeye扫描的资源列表
| K8S资源 | Sanitizers | 别名缩写 |
| Node | no | |
| Conditions ie not ready, out of mem/disk, network, pids, etc | ||
| Pod tolerations referencing node taints | ||
| CPU/MEM utilization metrics, trips if over limits (default 80% CPU/MEM) | ||
| Namespace | ns | |
| Inactive | ||
| Dead namespaces | ||
| Pod | po | |
| Pod status | ||
| Containers statuses | ||
| ServiceAccount presence | ||
| CPU/MEM on containers over a set CPU/MEM limit (default 80% CPU/MEM) | ||
| Container image with no tags | ||
| Container image using latest tag | ||
| Resources request/limits presence | ||
| Probes liveness/readiness presence | ||
| Named ports and their references | ||
| Service | svc | |
| Endpoints presence | ||
| Matching pods labels | ||
| Named ports and their references | ||
| ServiceAccount | sa | |
| Unused, detects potentially unused SAs | ||
| Secrets | sec | |
| Unused, detects potentially unused secrets or associated keys | ||
| ConfigMap | cm | |
| Unused, detects potentially unused cm or associated keys | ||
| Deployment | dp, deploy | |
| Unused, pod template validation, resource utilization | ||
| StatefulSet | sts | |
| Unsed, pod template validation, resource utilization | ||
| DaemonSet | ds | |
| Unsed, pod template validation, resource utilization | ||
| PersistentVolume | pv | |
| Unused, check volume bound or volume error | ||
| PersistentVolumeClaim | pvc | |
| Unused, check bounded or volume mount error | ||
| HorizontalPodAutoscaler | hpa | |
| Unused, Utilization, Max burst checks | ||
| PodDisruptionBudget | ||
| Unused, Check minAvailable configuration | pdb | |
| ClusterRole | ||
| Unused | cr | |
| ClusterRoleBinding | ||
| Unused | crb | |
| Role | ||
| Unused | ro | |
| RoleBinding | ||
| Unused | rb | |
| Ingress | ||
| Valid | ing | |
| NetworkPolicy | ||
| Valid | np | |
| PodSecurityPolicy | ||
| Valid | psp |
Popeye以cronjob形式跑在k8s集群内部
git clone https://github.com/derailed/popeye
kubectl apply -f k8s/popeye/ns.yml && kubectl apply -f k8s/popeye 具体的yaml我这边就不一一展示了,巨佬们可以访问GitHub(https://github.com/derailed/popeye/tree/master/k8s/popeye)查看
展示下测试环境report
额,居然才得了一个C,得分太低了,后面根据扫描的参考建议,一一改进了。报告里的内容还是很值得借鉴的,比如我一些pod没设置资源限制,比如居然还有一个镜像的tag是latest