Merge pull request #10 from kubesphere/dev-ll

update prompt message and diags
Forest 2020-12-25 18:01:32 +08:00 committed by GitHub
commit a1e30c5f56
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 74 additions and 75 deletions


@ -3,7 +3,7 @@
Kubeye aims to find various problems on Kubernetes, such as application misconfiguration, cluster components unhealthy and node problems(using [Node-Problem-Detector](https://github.com/kubernetes/node-problem-detector)). Besides predefined rules, it also supports custom defined rules.
## How to use
- Install kubeye on your machine
- Install Kubeye on your machine
- Download pre built executables from [Releases](https://github.com/kubesphere/kubeye/releases).
- Or you can build from source code
@ -17,11 +17,11 @@ Kubeye aims to find various problems on Kubernetes, such as application misconfi
> Note: This line will install npd on your cluster, only required if you want detailed report.
```shell script
ke install npd --kubeconfig ~/.kube/config
ke install npd
```
- Run kubeye
```shell
root@node1:# ke fault --kubeconfig ~/.kube/config
root@node1:# ke diags
NODENAME SEVERITY HEARTBEATTIME REASON MESSAGE
node18 Fatal 2020-11-19T10:32:03+08:00 NodeStatusUnknown Kubelet stopped posting node status.
node19 Fatal 2020-11-19T10:31:37+08:00 NodeStatusUnknown Kubelet stopped posting node status.
@ -119,7 +119,7 @@ kube-system Warning coredns Deployment 2020-11-27T1
### Add custom npd rule
- Install NPD with `ke install npd --kubeconfig ~/.kube/config`
- Install NPD with `ke install npd`
- Edit configmap kube-system/node-problem-detector-config with kubectl,
```
kubectl edit cm -n kube-system node-problem-detector-config


@ -1,5 +1,5 @@
successMessage: CPU limits are set
failureMessage: CPU limits should be set
#successMessage: CPU limits are set
promptMessage: CPU limits should be set
category: Resources
target: Container
containers:


@ -1,5 +1,5 @@
successMessage: CPU requests are set
failureMessage: CPU requests should be set
#successMessage: CPU requests are set
promptMessage: CPU requests should be set
category: Resources
target: Container
containers:


@ -1,5 +1,5 @@
successMessage: Container does not have any dangerous capabilities
failureMessage: Container should not have dangerous capabilities
#successMessage: Container does not have any dangerous capabilities
promptMessage: Container should not have dangerous capabilities
category: Security
target: Container
schema:


@ -1,5 +1,5 @@
successMessage: Host IPC is not configured
failureMessage: Host IPC should not be configured
#successMessage: Host IPC is not configured
promptMessage: Host IPC should not be configured
category: Security
target: Pod
schema:


@ -1,5 +1,5 @@
successMessage: Host network is not configured
failureMessage: Host network should not be configured
#successMessage: Host network is not configured
promptMessage: Host network should not be configured
category: Networking
target: Pod
schema:


@ -1,5 +1,5 @@
successMessage: Host PID is not configured
failureMessage: Host PID should not be configured
#successMessage: Host PID is not configured
promptMessage: Host PID should not be configured
category: Security
target: Pod
schema:


@ -1,5 +1,5 @@
successMessage: Host port is not configured
failureMessage: Host port should not be configured
#successMessage: Host port is not configured
promptMessage: Host port should not be configured
category: Networking
target: Container
schema:


@ -1,5 +1,5 @@
successMessage: Container does not have any insecure capabilities
failureMessage: Container should not have insecure capabilities
#successMessage: Container does not have any insecure capabilities
promptMessage: Container should not have insecure capabilities
category: Security
target: Container
schema:


@ -1,5 +1,5 @@
successMessage: Liveness probe is configured
failureMessage: Liveness probe should be configured
#successMessage: Liveness probe is configured
promptMessage: Liveness probe should be configured
category: Health Checks
controllers:
exclude:


@ -1,5 +1,5 @@
successMessage: Memory limits are set
failureMessage: Memory limits should be set
#successMessage: Memory limits are set
promptMessage: Memory limits should be set
category: Resources
target: Container
containers:


@ -1,5 +1,5 @@
successMessage: Memory requests are set
failureMessage: Memory requests should be set
#successMessage: Memory requests are set
promptMessage: Memory requests should be set
category: Resources
target: Container
containers:


@ -1,5 +1,5 @@
successMessage: Filesystem is read only
failureMessage: Filesystem should be read only
#successMessage: Filesystem is read only
promptMessage: Filesystem should be read only
category: Security
target: Container
schema:


@ -1,5 +1,5 @@
successMessage: Priority class has been set
failureMessage: Priority class should be set
#successMessage: Priority class has been set
promptMessage: Priority class should be set
category: Security
target: Pod
schema:


@ -1,5 +1,5 @@
successMessage: Privilege escalation not allowed
failureMessage: Privilege escalation should not be allowed
#successMessage: Privilege escalation not allowed
promptMessage: Privilege escalation should not be allowed
category: Security
target: Container
schema:


@ -1,5 +1,5 @@
successMessage: Image pull policy is "Always"
failureMessage: Image pull policy should be "Always"
#successMessage: Image pull policy is "Always"
promptMessage: Image pull policy should be "Always"
category: Images
target: Container
schema:


@ -1,5 +1,5 @@
successMessage: Readiness probe is configured
failureMessage: Readiness probe should be configured
#successMessage: Readiness probe is configured
promptMessage: Readiness probe should be configured
category: Health Checks
controllers:
exclude:


@ -1,5 +1,5 @@
successMessage: Not running as privileged
failureMessage: Should not be running as privileged
#successMessage: Not running as privileged
promptMessage: Should not be running as privileged
category: Security
target: Container
schema:


@ -1,5 +1,5 @@
successMessage: Is not allowed to run as root
failureMessage: Should not be allowed to run as root
#successMessage: Is not allowed to run as root
promptMessage: Should not be allowed to run as root
category: Security
target: Container
schemaTarget: Pod


@ -1,5 +1,5 @@
successMessage: Image tag is specified
failureMessage: Image tag should be specified
#successMessage: Image tag is specified
promptMessage: Image tag should be specified
category: Images
target: Container
schema:


@ -25,8 +25,8 @@ import (
var config string
var auditCmd = &cobra.Command{
Use: "fault",
Short: "fault the result",
Use: "diags",
Short: "diagnostic information from the cluster",
Run: func(cmd *cobra.Command, args []string) {
err := validator.Cluster(config, cmd.Context())
if err != nil {
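Review bot: The variable is still named `auditCmd` while its `Use` is now `"diags"`, so the identifier no longer says which command it registers; rename it `diagsCmd` (its registration site lies outside the hunk) or add a comment explaining the mismatch. The `Short` text should read like cobra's other help lines, a capitalised fragment: `Short: "Show diagnostic information from the cluster",`. The README on this page drops `--kubeconfig` from the `ke diags` example, yet `config` is still the value handed to `validator.Cluster` here; if that flag remains the only way to select a kubeconfig, the examples and the flag definition (not in this hunk) should be kept in step. The Run closure continues past the end of the hunk.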


@ -13,8 +13,7 @@ checks:
customChecks:
imageFromUnauthorizedRegistry:
successMessage: Image comes from allowed registries
failureMessage: Image should not be from disallowed registry
promptMessage: Image should not be from disallowed registry
category: Images
target: Container
schema:
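Review bot: The example custom check keeps `successMessage: Image comes from allowed registries` even though this commit drops the `SuccessMessage` field from `SchemaCheck` (only `promptMessage` is read now, and every built-in check comments its success message out). Whether the stale key is silently ignored or rejected depends on how the YAML decoder treats unknown fields, which is not visible on this page; either way the sample now documents a key with no effect. Remove the line, or comment it out the way the built-in checks do: `#successMessage: Image comes from allowed registries`.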


@ -30,15 +30,15 @@ const (
)
type SchemaCheck struct {
ID string `yaml:"id"`
Category string `yaml:"category"`
SuccessMessage string `yaml:"successMessage"`
FailureMessage string `yaml:"failureMessage"`
Containers includeExcludeList `yaml:"containers"`
Target TargetKind `yaml:"target"`
SchemaTarget TargetKind `yaml:"schemaTarget"`
Schema jsonschema.RootSchema `yaml:"schema"`
JSONSchema string `yaml:"jsonSchema"`
ID string `yaml:"id"`
Category string `yaml:"category"`
//SuccessMessage string `yaml:"successMessage"`
PromptMessage string `yaml:"promptMessage"`
Containers includeExcludeList `yaml:"containers"`
Target TargetKind `yaml:"target"`
SchemaTarget TargetKind `yaml:"schemaTarget"`
Schema jsonschema.RootSchema `yaml:"schema"`
JSONSchema string `yaml:"jsonSchema"`
}
type includeExcludeList struct {
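Review bot: The commented-out `//SuccessMessage string` line in the field list is dead code; version control keeps the history, so delete it rather than carry it in the struct. `PromptMessage` is now the only user-facing text and, per the validator change on this page, is emitted only when a check fails, which the name does not convey; document that on the field: `// PromptMessage is the text reported when the check fails; passing checks report a fixed "success".` Check definitions written against the old `failureMessage` key will load with an empty `PromptMessage`, so a short migration note on the field or in the README would spare users silent blank findings. The `includeExcludeList` declaration at the end is cut off by the hunk.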


@ -54,7 +54,7 @@ func (rs ResultSet) GetWarnings() []ResultMessage {
var resourceConfMinimal = `---
checks:
cpuLimitsMissing: warning
livenessProbeMissing: warning
`
func getEmptyWorkload(t *testing.T, name string) kube.GenericWorkload {
@ -307,7 +307,7 @@ func TestValidateNetworking(t *testing.T) {
container: emptyContainer,
expectedResults: []ResultMessage{{
ID: "hostPortSet",
Message: "Host port is not configured",
Message: "success",
Success: true,
Severity: "warning",
Category: "Networking",
@ -319,7 +319,7 @@ func TestValidateNetworking(t *testing.T) {
container: emptyContainer,
expectedResults: []ResultMessage{{
ID: "hostPortSet",
Message: "Host port is not configured",
Message: "success",
Success: true,
Severity: "warning",
Category: "Networking",
@ -349,7 +349,7 @@ func TestValidateNetworking(t *testing.T) {
container: goodContainer,
expectedResults: []ResultMessage{{
ID: "hostPortSet",
Message: "Host port is not configured",
Message: "success",
Success: true,
Severity: "warning",
Category: "Networking",
@ -460,25 +460,25 @@ func TestValidateSecurity(t *testing.T) {
Category: "Security",
}, {
ID: "runAsPrivileged",
Message: "Not running as privileged",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
}, {
ID: "privilegeEscalationAllowed",
Message: "Privilege escalation not allowed",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
}, {
ID: "insecureCapabilities",
Message: "Container does not have any insecure capabilities",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
}, {
ID: "dangerousCapabilities",
Message: "Container does not have any dangerous capabilities",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
@ -620,37 +620,37 @@ func TestValidateSecurity(t *testing.T) {
pod: emptyPodSpec,
expectedResults: []ResultMessage{{
ID: "runAsRootAllowed",
Message: "Is not allowed to run as root",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
}, {
ID: "notReadOnlyRootFilesystem",
Message: "Filesystem is read only",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
}, {
ID: "runAsPrivileged",
Message: "Not running as privileged",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
}, {
ID: "privilegeEscalationAllowed",
Message: "Privilege escalation not allowed",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
}, {
ID: "dangerousCapabilities",
Message: "Container does not have any dangerous capabilities",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
}, {
ID: "insecureCapabilities",
Message: "Container does not have any insecure capabilities",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
@ -748,7 +748,7 @@ func TestValidateRunAsRoot(t *testing.T) {
pod: badPod,
message: ResultMessage{
ID: "runAsRootAllowed",
Message: "Is not allowed to run as root",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
@ -760,7 +760,7 @@ func TestValidateRunAsRoot(t *testing.T) {
pod: emptyPod,
message: ResultMessage{
ID: "runAsRootAllowed",
Message: "Is not allowed to run as root",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",
@ -772,7 +772,7 @@ func TestValidateRunAsRoot(t *testing.T) {
pod: runAsUserPod,
message: ResultMessage{
ID: "runAsRootAllowed",
Message: "Is not allowed to run as root",
Message: "success",
Success: true,
Severity: "warning",
Category: "Security",


@ -58,7 +58,7 @@ var (
)
func init() {
schemaBox = packr.New("Schemas", "../../checks")
schemaBox = packr.New("Schema", "../../checks")
for _, checkID := range checkOrder {
contents, err := schemaBox.Find(checkID + ".yaml")
if err != nil {
@ -132,9 +132,9 @@ func makeResult(conf *config.Configuration, check *config.SchemaCheck, passes bo
Success: passes,
}
if passes {
result.Message = check.SuccessMessage
result.Message = "success"
} else {
result.Message = check.FailureMessage
result.Message = check.PromptMessage
}
return result
}
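Review bot: A check whose `promptMessage` is empty — for instance a user-supplied check still written with the old `failureMessage` key, which `SchemaCheck` no longer reads — now fails with a blank `Message`, because the else branch copies `check.PromptMessage` unconditionally. Fall back to the check ID so a failure is never reported without text: `result.Message = check.PromptMessage` followed by `if result.Message == "" { result.Message = check.ID }`. The literal `"success"` is repeated here and throughout the test expectations on this page; a package constant such as `const SuccessMessage = "success"` would keep them in step. makeResult's signature and the start of its body lie before the hunk. The box rename from `"Schemas"` to `"Schema"` in `init` is not explained by the commit message; if intentional, a one-line comment on why would help the next reader.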