Popeye: a scanner for potential configuration problems in Kubernetes clusters

运维有笔谈 2024-03-07 01:13:11

Popeye

Popeye (https://popeyecli.io/) scans a Kubernetes cluster and reports potential problems in the resources and configuration you have deployed. By scanning the live cluster it detects misconfigurations and points you toward best practices, so that problems are caught before they cause trouble later.

Installing Popeye

Linux, OSX and Windows are supported; binaries can be downloaded from https://github.com/derailed/popeye/releases

Building from source

# Clone outside of GOPATH
git clone https://github.com/derailed/popeye
cd popeye
# Build and install
go install
# Run
popeye

PS: be careful when installing a downloaded binary. Depending on the version of your Kubernetes cluster, the latest Popeye release may not be supported. My cluster is 1.11, and in testing 0.9.0 was the highest release that worked (the Kubernetes APIs used by newer releases have changed, and some of them are not served by older clusters).

Using Popeye

popeye help lists the commands Popeye supports. I will not go through every one of them; below are a few that I use often.

1. popeye version

The version I was using at the time was 0.9.0.

2. Scan the resource configuration of a single namespace

popeye -n ops

3. Scan all namespaces

popeye -A

4. Scan only services and pods

popeye -s svc,po

5. Save the scan results to a local file

POPEYE_REPORT_DIR=$(pwd) popeye --save

6. Save the scan results locally as HTML

POPEYE_REPORT_DIR=$(pwd) popeye --save --out html --output-file report.html

Popeye can write scan results as yaml, json, html, prometheus and other formats, and can also push results to S3-compatible object storage such as minio and gcs.
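Once the report is saved as JSON it can drive a pass/fail gate in a CI or cron job, so a regression (a pod without limits, a newly introduced latest tag) fails the build instead of just lowering a score nobody reads. The script below is an added example written for this page, not Popeye's own code. It assumes the report's top-level "popeye" object carries "score" and "grade" and that each issue has a numeric "level" (3 meaning error); the sample report it parses is constructed for demonstration, not real Popeye output.

```shell
#!/bin/sh
# Added example, not part of the Popeye project: gate a job on a Popeye JSON
# report saved with "popeye --save --out json --output-file report.json".
# ASSUMPTIONS: top-level "popeye" object has integer "score" and letter
# "grade"; each issue has a numeric "level" (3 = error). Sample is constructed.

# Cluster-level score. Only the first "score" is taken, because per-sanitizer
# tallies further down the report are assumed to carry their own score field.
report_score() {
  grep -o '"score": *[0-9]*' "$1" | head -n 1 | grep -o '[0-9]*$' || true
}

# Letter grade A..F.
report_grade() {
  grep -o '"grade": *"[A-F]"' "$1" | head -n 1 | sed 's/.*"\([A-F]\)"$/\1/'
}

# Number of issues at a given severity level (assumed: 1 info, 2 warn, 3 error).
# grep -c exits 1 when the count is zero, so the "|| true" keeps set -e quiet.
count_level() {
  grep -c "\"level\": *$2[^0-9]" "$1" || true
}

# Returns 0 when the report passes: score >= threshold AND no error-level
# issues. Prints a one-line summary for the job log either way.
gate_report() {
  report="$1"; min="$2"
  score=$(report_score "$report")
  [ -n "$score" ] || { echo "popeye gate: cannot read score from $report"; return 2; }
  grade=$(report_grade "$report")
  errors=$(count_level "$report" 3)
  warnings=$(count_level "$report" 2)
  echo "popeye gate: grade=$grade score=$score warnings=$warnings errors=$errors min=$min"
  [ "$score" -ge "$min" ] && [ "$errors" -eq 0 ]
}

# --- constructed sample report (stands in for a real --out json file) ---
SAMPLE="$(mktemp)"
cat >"$SAMPLE" <<'EOF'
{
  "popeye": {
    "score": 79,
    "grade": "C",
    "sanitizers": [
      {
        "sanitizer": "pods",
        "gvr": "v1/pods",
        "tally": {"ok": 3, "info": 0, "warning": 2, "error": 1, "score": 50},
        "issues": {
          "ops/web-7d9f6": [
            {"level": 2, "message": "No resources requests/limits defined"},
            {"level": 2, "message": "Image tagged \"latest\" in use"}
          ],
          "ops/worker-0": [
            {"level": 3, "message": "Pod is in an unhappy phase"}
          ]
        }
      }
    ]
  }
}
EOF

# Demo: this sample fails an 80-point gate (score 79, plus one error-level issue).
gate_report "$SAMPLE" 80 || echo "gate FAILED (exit $?)"
```

In a job, run `gate_report report.json 80` right after `POPEYE_REPORT_DIR=$(pwd) popeye --save --out json --output-file report.json`; a nonzero exit fails the job. Before relying on it, compare the assumed field names against a report produced by your own Popeye version, since the JSON layout is not documented on this page.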

Resources scanned by Popeye

| Kubernetes resource | Alias | Sanitizers |
|---|---|---|
| Node | no | Conditions, i.e. not ready, out of mem/disk, network, pids, etc.; pod tolerations referencing node taints; CPU/MEM utilization metrics, trips if over limits (default 80% CPU/MEM) |
| Namespace | ns | Inactive; dead namespaces |
| Pod | po | Pod status; container statuses; ServiceAccount presence; CPU/MEM on containers over a set CPU/MEM limit (default 80% CPU/MEM); container image with no tag; container image using the latest tag; resource requests/limits presence; liveness/readiness probe presence; named ports and their references |
| Service | svc | Endpoints presence; matching pod labels; named ports and their references |
| ServiceAccount | sa | Unused, detects potentially unused SAs |
| Secret | sec | Unused, detects potentially unused secrets or associated keys |
| ConfigMap | cm | Unused, detects potentially unused ConfigMaps or associated keys |
| Deployment | dp, deploy | Unused, pod template validation, resource utilization |
| StatefulSet | sts | Unused, pod template validation, resource utilization |
| DaemonSet | ds | Unused, pod template validation, resource utilization |
| PersistentVolume | pv | Unused, check volume bound or volume error |
| PersistentVolumeClaim | pvc | Unused, check bound or volume mount error |
| HorizontalPodAutoscaler | hpa | Unused, utilization, max burst checks |
| PodDisruptionBudget | pdb | Unused, check minAvailable configuration |
| ClusterRole | cr | Unused |
| ClusterRoleBinding | crb | Unused |
| Role | ro | Unused |
| RoleBinding | rb | Unused |
| Ingress | ing | Valid |
| NetworkPolicy | np | Valid |
| PodSecurityPolicy | psp | Valid |

Running Popeye as a CronJob inside the cluster

git clone https://github.com/derailed/popeye

kubectl apply -f k8s/popeye/ns.yml && kubectl apply -f k8s/popeye

I will not reproduce the YAML here; the manifests are on GitHub (https://github.com/derailed/popeye/tree/master/k8s/popeye). They include the ServiceAccount and the read-only RBAC the job runs with, so review those before applying them cluster-wide.

A report from my test environment

Hmm, it only scored a C, which is far too low. I later went through the report's recommendations and fixed the findings one by one. The report is well worth acting on: for example, some of my pods had no resource limits set, and there was even an image using the latest tag.
