Merge pull request #10 from kubesphere/dev-ll
update prompt message and diags
This commit is contained in:
commit
a1e30c5f56
|
@ -3,7 +3,7 @@
|
|||
Kubeye aims to find various problems on Kubernetes, such as application misconfiguration, cluster components unhealthy and node problems(using [Node-Problem-Detector](https://github.com/kubernetes/node-problem-detector)). Besides predefined rules, it also supports custom defined rules.
|
||||
|
||||
## How to use
|
||||
- Install kubeye on your machine
|
||||
- Install Kubeye on your machine
|
||||
- Download pre built executables from [Releases](https://github.com/kubesphere/kubeye/releases).
|
||||
|
||||
- Or you can build from source code
|
||||
|
@ -17,11 +17,11 @@ Kubeye aims to find various problems on Kubernetes, such as application misconfi
|
|||
> Note: This line will install npd on your cluster, only required if you want detailed report.
|
||||
|
||||
```shell script
|
||||
ke install npd --kubeconfig ~/.kube/config
|
||||
ke install npd
|
||||
```
|
||||
- Run kubeye
|
||||
```shell
|
||||
root@node1:# ke fault --kubeconfig ~/.kube/config
|
||||
root@node1:# ke diags
|
||||
NODENAME SEVERITY HEARTBEATTIME REASON MESSAGE
|
||||
node18 Fatal 2020-11-19T10:32:03+08:00 NodeStatusUnknown Kubelet stopped posting node status.
|
||||
node19 Fatal 2020-11-19T10:31:37+08:00 NodeStatusUnknown Kubelet stopped posting node status.
|
||||
|
@ -119,7 +119,7 @@ kube-system Warning coredns Deployment 2020-11-27T1
|
|||
|
||||
### Add custom npd rule
|
||||
|
||||
- Install NPD with `ke install npd --kubeconfig ~/.kube/config`
|
||||
- Install NPD with `ke install npd`
|
||||
- Edit configmap kube-system/node-problem-detector-config with kubectl,
|
||||
```
|
||||
kubectl edit cm -n kube-system node-problem-detector-config
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: CPU limits are set
|
||||
failureMessage: CPU limits should be set
|
||||
#successMessage: CPU limits are set
|
||||
promptMessage: CPU limits should be set
|
||||
category: Resources
|
||||
target: Container
|
||||
containers:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: CPU requests are set
|
||||
failureMessage: CPU requests should be set
|
||||
#successMessage: CPU requests are set
|
||||
promptMessage: CPU requests should be set
|
||||
category: Resources
|
||||
target: Container
|
||||
containers:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Container does not have any dangerous capabilities
|
||||
failureMessage: Container should not have dangerous capabilities
|
||||
#successMessage: Container does not have any dangerous capabilities
|
||||
promptMessage: Container should not have dangerous capabilities
|
||||
category: Security
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Host IPC is not configured
|
||||
failureMessage: Host IPC should not be configured
|
||||
#successMessage: Host IPC is not configured
|
||||
promptMessage: Host IPC should not be configured
|
||||
category: Security
|
||||
target: Pod
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Host network is not configured
|
||||
failureMessage: Host network should not be configured
|
||||
#successMessage: Host network is not configured
|
||||
promptMessage: Host network should not be configured
|
||||
category: Networking
|
||||
target: Pod
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Host PID is not configured
|
||||
failureMessage: Host PID should not be configured
|
||||
#successMessage: Host PID is not configured
|
||||
promptMessage: Host PID should not be configured
|
||||
category: Security
|
||||
target: Pod
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Host port is not configured
|
||||
failureMessage: Host port should not be configured
|
||||
#successMessage: Host port is not configured
|
||||
promptMessage: Host port should not be configured
|
||||
category: Networking
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Container does not have any insecure capabilities
|
||||
failureMessage: Container should not have insecure capabilities
|
||||
#successMessage: Container does not have any insecure capabilities
|
||||
promptMessage: Container should not have insecure capabilities
|
||||
category: Security
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Liveness probe is configured
|
||||
failureMessage: Liveness probe should be configured
|
||||
#successMessage: Liveness probe is configured
|
||||
promptMessage: Liveness probe should be configured
|
||||
category: Health Checks
|
||||
controllers:
|
||||
exclude:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Memory limits are set
|
||||
failureMessage: Memory limits should be set
|
||||
#successMessage: Memory limits are set
|
||||
promptMessage: Memory limits should be set
|
||||
category: Resources
|
||||
target: Container
|
||||
containers:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Memory requests are set
|
||||
failureMessage: Memory requests should be set
|
||||
#successMessage: Memory requests are set
|
||||
promptMessage: Memory requests should be set
|
||||
category: Resources
|
||||
target: Container
|
||||
containers:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Filesystem is read only
|
||||
failureMessage: Filesystem should be read only
|
||||
#successMessage: Filesystem is read only
|
||||
promptMessage: Filesystem should be read only
|
||||
category: Security
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Priority class has been set
|
||||
failureMessage: Priority class should be set
|
||||
#successMessage: Priority class has been set
|
||||
promptMessage: Priority class should be set
|
||||
category: Security
|
||||
target: Pod
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Privilege escalation not allowed
|
||||
failureMessage: Privilege escalation should not be allowed
|
||||
#successMessage: Privilege escalation not allowed
|
||||
promptMessage: Privilege escalation should not be allowed
|
||||
category: Security
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Image pull policy is "Always"
|
||||
failureMessage: Image pull policy should be "Always"
|
||||
#successMessage: Image pull policy is "Always"
|
||||
promptMessage: Image pull policy should be "Always"
|
||||
category: Images
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Readiness probe is configured
|
||||
failureMessage: Readiness probe should be configured
|
||||
#successMessage: Readiness probe is configured
|
||||
promptMessage: Readiness probe should be configured
|
||||
category: Health Checks
|
||||
controllers:
|
||||
exclude:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Not running as privileged
|
||||
failureMessage: Should not be running as privileged
|
||||
#successMessage: Not running as privileged
|
||||
promptMessage: Should not be running as privileged
|
||||
category: Security
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Is not allowed to run as root
|
||||
failureMessage: Should not be allowed to run as root
|
||||
#successMessage: Is not allowed to run as root
|
||||
promptMessage: Should not be allowed to run as root
|
||||
category: Security
|
||||
target: Container
|
||||
schemaTarget: Pod
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
successMessage: Image tag is specified
|
||||
failureMessage: Image tag should be specified
|
||||
#successMessage: Image tag is specified
|
||||
promptMessage: Image tag should be specified
|
||||
category: Images
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -25,8 +25,8 @@ import (
|
|||
var config string
|
||||
|
||||
var auditCmd = &cobra.Command{
|
||||
Use: "fault",
|
||||
Short: "fault the result",
|
||||
Use: "diags",
|
||||
Short: "diagnostic information from the cluster",
|
||||
Run: func(cmd *cobra.Command, args []string) {
|
||||
err := validator.Cluster(config, cmd.Context())
|
||||
if err != nil {
|
||||
|
|
|
@ -13,8 +13,7 @@ checks:
|
|||
|
||||
customChecks:
|
||||
imageFromUnauthorizedRegistry:
|
||||
successMessage: Image comes from allowed registries
|
||||
failureMessage: Image should not be from disallowed registry
|
||||
promptMessage: Image should not be from disallowed registry
|
||||
category: Images
|
||||
target: Container
|
||||
schema:
|
||||
|
|
|
@ -30,15 +30,15 @@ const (
|
|||
)
|
||||
|
||||
type SchemaCheck struct {
|
||||
ID string `yaml:"id"`
|
||||
Category string `yaml:"category"`
|
||||
SuccessMessage string `yaml:"successMessage"`
|
||||
FailureMessage string `yaml:"failureMessage"`
|
||||
Containers includeExcludeList `yaml:"containers"`
|
||||
Target TargetKind `yaml:"target"`
|
||||
SchemaTarget TargetKind `yaml:"schemaTarget"`
|
||||
Schema jsonschema.RootSchema `yaml:"schema"`
|
||||
JSONSchema string `yaml:"jsonSchema"`
|
||||
ID string `yaml:"id"`
|
||||
Category string `yaml:"category"`
|
||||
//SuccessMessage string `yaml:"successMessage"`
|
||||
PromptMessage string `yaml:"promptMessage"`
|
||||
Containers includeExcludeList `yaml:"containers"`
|
||||
Target TargetKind `yaml:"target"`
|
||||
SchemaTarget TargetKind `yaml:"schemaTarget"`
|
||||
Schema jsonschema.RootSchema `yaml:"schema"`
|
||||
JSONSchema string `yaml:"jsonSchema"`
|
||||
}
|
||||
|
||||
type includeExcludeList struct {
|
||||
|
|
|
@ -54,7 +54,7 @@ func (rs ResultSet) GetWarnings() []ResultMessage {
|
|||
var resourceConfMinimal = `---
|
||||
checks:
|
||||
cpuLimitsMissing: warning
|
||||
livenessProbeMissing: warning
|
||||
|
||||
`
|
||||
|
||||
func getEmptyWorkload(t *testing.T, name string) kube.GenericWorkload {
|
||||
|
@ -307,7 +307,7 @@ func TestValidateNetworking(t *testing.T) {
|
|||
container: emptyContainer,
|
||||
expectedResults: []ResultMessage{{
|
||||
ID: "hostPortSet",
|
||||
Message: "Host port is not configured",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Networking",
|
||||
|
@ -319,7 +319,7 @@ func TestValidateNetworking(t *testing.T) {
|
|||
container: emptyContainer,
|
||||
expectedResults: []ResultMessage{{
|
||||
ID: "hostPortSet",
|
||||
Message: "Host port is not configured",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Networking",
|
||||
|
@ -349,7 +349,7 @@ func TestValidateNetworking(t *testing.T) {
|
|||
container: goodContainer,
|
||||
expectedResults: []ResultMessage{{
|
||||
ID: "hostPortSet",
|
||||
Message: "Host port is not configured",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Networking",
|
||||
|
@ -460,25 +460,25 @@ func TestValidateSecurity(t *testing.T) {
|
|||
Category: "Security",
|
||||
}, {
|
||||
ID: "runAsPrivileged",
|
||||
Message: "Not running as privileged",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
}, {
|
||||
ID: "privilegeEscalationAllowed",
|
||||
Message: "Privilege escalation not allowed",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
}, {
|
||||
ID: "insecureCapabilities",
|
||||
Message: "Container does not have any insecure capabilities",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
}, {
|
||||
ID: "dangerousCapabilities",
|
||||
Message: "Container does not have any dangerous capabilities",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
|
@ -620,37 +620,37 @@ func TestValidateSecurity(t *testing.T) {
|
|||
pod: emptyPodSpec,
|
||||
expectedResults: []ResultMessage{{
|
||||
ID: "runAsRootAllowed",
|
||||
Message: "Is not allowed to run as root",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
}, {
|
||||
ID: "notReadOnlyRootFilesystem",
|
||||
Message: "Filesystem is read only",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
}, {
|
||||
ID: "runAsPrivileged",
|
||||
Message: "Not running as privileged",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
}, {
|
||||
ID: "privilegeEscalationAllowed",
|
||||
Message: "Privilege escalation not allowed",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
}, {
|
||||
ID: "dangerousCapabilities",
|
||||
Message: "Container does not have any dangerous capabilities",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
}, {
|
||||
ID: "insecureCapabilities",
|
||||
Message: "Container does not have any insecure capabilities",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
|
@ -748,7 +748,7 @@ func TestValidateRunAsRoot(t *testing.T) {
|
|||
pod: badPod,
|
||||
message: ResultMessage{
|
||||
ID: "runAsRootAllowed",
|
||||
Message: "Is not allowed to run as root",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
|
@ -760,7 +760,7 @@ func TestValidateRunAsRoot(t *testing.T) {
|
|||
pod: emptyPod,
|
||||
message: ResultMessage{
|
||||
ID: "runAsRootAllowed",
|
||||
Message: "Is not allowed to run as root",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
|
@ -772,7 +772,7 @@ func TestValidateRunAsRoot(t *testing.T) {
|
|||
pod: runAsUserPod,
|
||||
message: ResultMessage{
|
||||
ID: "runAsRootAllowed",
|
||||
Message: "Is not allowed to run as root",
|
||||
Message: "success",
|
||||
Success: true,
|
||||
Severity: "warning",
|
||||
Category: "Security",
|
||||
|
|
|
@ -58,7 +58,7 @@ var (
|
|||
)
|
||||
|
||||
func init() {
|
||||
schemaBox = packr.New("Schemas", "../../checks")
|
||||
schemaBox = packr.New("Schema", "../../checks")
|
||||
for _, checkID := range checkOrder {
|
||||
contents, err := schemaBox.Find(checkID + ".yaml")
|
||||
if err != nil {
|
||||
|
@ -132,9 +132,9 @@ func makeResult(conf *config.Configuration, check *config.SchemaCheck, passes bo
|
|||
Success: passes,
|
||||
}
|
||||
if passes {
|
||||
result.Message = check.SuccessMessage
|
||||
result.Message = "success"
|
||||
} else {
|
||||
result.Message = check.FailureMessage
|
||||
result.Message = check.PromptMessage
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue