From 9bd8558010d149bd0653675217382597d97c0dbb Mon Sep 17 00:00:00 2001
From: Forest-L
Date: Fri, 25 Dec 2020 17:20:10 +0800
Subject: [PATCH] update prompt message and diags
---
 README.md | 8 +++---
 checks/cpuLimitsMissing.yaml | 3 +--
 checks/cpuRequestsMissing.yaml | 4 +--
 checks/dangerousCapabilities.yaml | 4 +--
 checks/hostIPCSet.yaml | 4 +--
 checks/hostNetworkSet.yaml | 4 +--
 checks/hostPIDSet.yaml | 4 +--
 checks/hostPortSet.yaml | 4 +--
 checks/insecureCapabilities.yaml | 4 +--
 checks/livenessProbeMissing.yaml | 4 +--
 checks/memoryLimitsMissing.yaml | 4 +--
 checks/memoryRequestsMissing.yaml | 4 +--
 checks/notReadOnlyRootFilesystem.yaml | 4 +--
 checks/priorityClassNotSet.yaml | 4 +--
 checks/privilegeEscalationAllowed.yaml | 4 +--
 checks/pullPolicyNotAlways.yaml | 4 +--
 checks/readinessProbeMissing.yaml | 4 +--
 checks/runAsPrivileged.yaml | 4 +--
 checks/runAsRootAllowed.yaml | 4 +--
 checks/tagNotSpecified.yaml | 4 +--
 cmd/audit.go | 4 +--
 examples/tmp/rule.yaml | 3 +--
 pkg/config/schema.go | 18 +++++++-------
 pkg/validator/container_test.go | 34 +++++++++++++-------------
 pkg/validator/schema.go | 6 ++---
 25 files changed, 73 insertions(+), 75 deletions(-)
diff --git a/README.md b/README.md
index 1d2e28c..43cad81 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 Kubeye aims to find various problems on Kubernetes, such as application misconfiguration, cluster components unhealthy and node problems(using [Node-Problem-Detector](https://github.com/kubernetes/node-problem-detector)). Besides predefined rules, it also supports custom defined rules.
 ## How to use
-- Install kubeye on your machine
+- Install Kubeye on your machine
 - Download pre built executables from [Releases](https://github.com/kubesphere/kubeye/releases).
 - Or you can build from source code
@@ -17,11 +17,11 @@ Kubeye aims to find various problems on Kubernetes, such as application misconfi
 > Note: This line will install npd on your cluster, only required if you want detailed report.
 ```shell script
-ke install npd --kubeconfig ~/.kube/config
+ke install npd
 ```
 - Run kubeye
 ```shell
-root@node1:# ke fault --kubeconfig ~/.kube/config
+root@node1:# ke diags
 NODENAME SEVERITY HEARTBEATTIME REASON MESSAGE
 node18 Fatal 2020-11-19T10:32:03+08:00 NodeStatusUnknown Kubelet stopped posting node status.
 node19 Fatal 2020-11-19T10:31:37+08:00 NodeStatusUnknown Kubelet stopped posting node status.
@@ -119,7 +119,7 @@ kube-system Warning coredns Deployment 2020-11-27T1
 ### Add custom npd rule
-- Install NPD with `ke install npd --kubeconfig ~/.kube/config`
+- Install NPD with `ke install npd`
 - Edit configmap kube-system/node-problem-detector-config with kubectl,
 ```
 kubectl edit cm -n kube-system node-problem-detector-config
diff --git a/checks/cpuLimitsMissing.yaml b/checks/cpuLimitsMissing.yaml
index ccf1ddf..33b4f45 100644
--- a/checks/cpuLimitsMissing.yaml
+++ b/checks/cpuLimitsMissing.yaml
@@ -1,5 +1,4 @@
-successMessage: CPU limits are set
-failureMessage: CPU limits should be set
+promptMessage: CPU limits should be set
 category: Resources
 target: Container
 containers:
diff --git a/checks/cpuRequestsMissing.yaml b/checks/cpuRequestsMissing.yaml
index 77290d8..e189b79 100644
--- a/checks/cpuRequestsMissing.yaml
+++ b/checks/cpuRequestsMissing.yaml
@@ -1,5 +1,5 @@
-successMessage: CPU requests are set
-failureMessage: CPU requests should be set
+#successMessage: CPU requests are set
+promptMessage: CPU requests should be set
 category: Resources
 target: Container
 containers:
diff --git a/checks/dangerousCapabilities.yaml b/checks/dangerousCapabilities.yaml
index d1daa41..b75c5fb 100644
--- a/checks/dangerousCapabilities.yaml
+++ b/checks/dangerousCapabilities.yaml
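Review bot: The `cpuLimitsMissing.yaml` hunk deletes the `successMessage` line outright, while the `cpuRequestsMissing.yaml` hunk and every other check file in this commit (dangerousCapabilities through tagNotSpecified) keep it as a commented-out `#successMessage:` line, so the check files no longer share one shape. Since `makeResult` in pkg/validator/schema.go now emits a fixed string for passing checks, the commented lines are dead configuration and can be dropped everywhere, as cpuLimitsMissing already does. If the intent is to bring per-check success text back later, record that once in the commit message or on `SchemaCheck` rather than in eighteen files.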
@@ -1,5 +1,5 @@
-successMessage: Container does not have any dangerous capabilities
-failureMessage: Container should not have dangerous capabilities
+#successMessage: Container does not have any dangerous capabilities
+promptMessage: Container should not have dangerous capabilities
 category: Security
 target: Container
 schema:
diff --git a/checks/hostIPCSet.yaml b/checks/hostIPCSet.yaml
index db62a24..c48375b 100644
--- a/checks/hostIPCSet.yaml
+++ b/checks/hostIPCSet.yaml
@@ -1,5 +1,5 @@
-successMessage: Host IPC is not configured
-failureMessage: Host IPC should not be configured
+#successMessage: Host IPC is not configured
+promptMessage: Host IPC should not be configured
 category: Security
 target: Pod
 schema:
diff --git a/checks/hostNetworkSet.yaml b/checks/hostNetworkSet.yaml
index d54419b..9b53cff 100644
--- a/checks/hostNetworkSet.yaml
+++ b/checks/hostNetworkSet.yaml
@@ -1,5 +1,5 @@
-successMessage: Host network is not configured
-failureMessage: Host network should not be configured
+#successMessage: Host network is not configured
+promptMessage: Host network should not be configured
 category: Networking
 target: Pod
 schema:
diff --git a/checks/hostPIDSet.yaml b/checks/hostPIDSet.yaml
index d2b0a65..c03fec0 100644
--- a/checks/hostPIDSet.yaml
+++ b/checks/hostPIDSet.yaml
@@ -1,5 +1,5 @@
-successMessage: Host PID is not configured
-failureMessage: Host PID should not be configured
+#successMessage: Host PID is not configured
+promptMessage: Host PID should not be configured
 category: Security
 target: Pod
 schema:
diff --git a/checks/hostPortSet.yaml b/checks/hostPortSet.yaml
index cd193ea..5bade52 100644
--- a/checks/hostPortSet.yaml
+++ b/checks/hostPortSet.yaml
@@ -1,5 +1,5 @@
-successMessage: Host port is not configured
-failureMessage: Host port should not be configured
+#successMessage: Host port is not configured
+promptMessage: Host port should not be configured
 category: Networking
 target: Container
 schema:
diff --git a/checks/insecureCapabilities.yaml b/checks/insecureCapabilities.yaml
index e5afcfd..4e49269 100644
--- a/checks/insecureCapabilities.yaml
+++ b/checks/insecureCapabilities.yaml
@@ -1,5 +1,5 @@
-successMessage: Container does not have any insecure capabilities
-failureMessage: Container should not have insecure capabilities
+#successMessage: Container does not have any insecure capabilities
+promptMessage: Container should not have insecure capabilities
 category: Security
 target: Container
 schema:
diff --git a/checks/livenessProbeMissing.yaml b/checks/livenessProbeMissing.yaml
index a782730..a698beb 100644
--- a/checks/livenessProbeMissing.yaml
+++ b/checks/livenessProbeMissing.yaml
@@ -1,5 +1,5 @@
-successMessage: Liveness probe is configured
-failureMessage: Liveness probe should be configured
+#successMessage: Liveness probe is configured
+promptMessage: Liveness probe should be configured
 category: Health Checks
 controllers:
 exclude:
diff --git a/checks/memoryLimitsMissing.yaml b/checks/memoryLimitsMissing.yaml
index f3c1452..c36837c 100644
--- a/checks/memoryLimitsMissing.yaml
+++ b/checks/memoryLimitsMissing.yaml
@@ -1,5 +1,5 @@
-successMessage: Memory limits are set
-failureMessage: Memory limits should be set
+#successMessage: Memory limits are set
+promptMessage: Memory limits should be set
 category: Resources
 target: Container
 containers:
diff --git a/checks/memoryRequestsMissing.yaml b/checks/memoryRequestsMissing.yaml
index a3f9178..9bdb18e 100644
--- a/checks/memoryRequestsMissing.yaml
+++ b/checks/memoryRequestsMissing.yaml
@@ -1,5 +1,5 @@
-successMessage: Memory requests are set
-failureMessage: Memory requests should be set
+#successMessage: Memory requests are set
+promptMessage: Memory requests should be set
 category: Resources
 target: Container
 containers:
diff --git a/checks/notReadOnlyRootFilesystem.yaml b/checks/notReadOnlyRootFilesystem.yaml
index d4e203f..52b2d11 100644
--- a/checks/notReadOnlyRootFilesystem.yaml
+++ b/checks/notReadOnlyRootFilesystem.yaml
@@ -1,5 +1,5 @@
-successMessage: Filesystem is read only
-failureMessage: Filesystem should be read only
+#successMessage: Filesystem is read only
+promptMessage: Filesystem should be read only
 category: Security
 target: Container
 schema:
diff --git a/checks/priorityClassNotSet.yaml b/checks/priorityClassNotSet.yaml
index 3516a3f..d047418 100644
--- a/checks/priorityClassNotSet.yaml
+++ b/checks/priorityClassNotSet.yaml
@@ -1,5 +1,5 @@
-successMessage: Priority class has been set
-failureMessage: Priority class should be set
+#successMessage: Priority class has been set
+promptMessage: Priority class should be set
 category: Security
 target: Pod
 schema:
diff --git a/checks/privilegeEscalationAllowed.yaml b/checks/privilegeEscalationAllowed.yaml
index 6db1f83..fe1cad1 100644
--- a/checks/privilegeEscalationAllowed.yaml
+++ b/checks/privilegeEscalationAllowed.yaml
@@ -1,5 +1,5 @@
-successMessage: Privilege escalation not allowed
-failureMessage: Privilege escalation should not be allowed
+#successMessage: Privilege escalation not allowed
+promptMessage: Privilege escalation should not be allowed
 category: Security
 target: Container
 schema:
diff --git a/checks/pullPolicyNotAlways.yaml b/checks/pullPolicyNotAlways.yaml
index 89e591f..0c57328 100644
--- a/checks/pullPolicyNotAlways.yaml
+++ b/checks/pullPolicyNotAlways.yaml
@@ -1,5 +1,5 @@
-successMessage: Image pull policy is "Always"
-failureMessage: Image pull policy should be "Always"
+#successMessage: Image pull policy is "Always"
+promptMessage: Image pull policy should be "Always"
 category: Images
 target: Container
 schema:
diff --git a/checks/readinessProbeMissing.yaml b/checks/readinessProbeMissing.yaml
index 1309bab..6c338b2 100644
--- a/checks/readinessProbeMissing.yaml
+++ b/checks/readinessProbeMissing.yaml
@@ -1,5 +1,5 @@
-successMessage: Readiness probe is configured
-failureMessage: Readiness probe should be configured
+#successMessage: Readiness probe is configured
+promptMessage: Readiness probe should be configured
 category: Health Checks
 controllers:
 exclude:
diff --git a/checks/runAsPrivileged.yaml b/checks/runAsPrivileged.yaml
index 47be7cb..cf7793c 100644
--- a/checks/runAsPrivileged.yaml
+++ b/checks/runAsPrivileged.yaml
@@ -1,5 +1,5 @@
-successMessage: Not running as privileged
-failureMessage: Should not be running as privileged
+#successMessage: Not running as privileged
+promptMessage: Should not be running as privileged
 category: Security
 target: Container
 schema:
diff --git a/checks/runAsRootAllowed.yaml b/checks/runAsRootAllowed.yaml
index 3ae2fe4..f537230 100644
--- a/checks/runAsRootAllowed.yaml
+++ b/checks/runAsRootAllowed.yaml
@@ -1,5 +1,5 @@
-successMessage: Is not allowed to run as root
-failureMessage: Should not be allowed to run as root
+#successMessage: Is not allowed to run as root
+promptMessage: Should not be allowed to run as root
 category: Security
 target: Container
 schemaTarget: Pod
diff --git a/checks/tagNotSpecified.yaml b/checks/tagNotSpecified.yaml
index 102d34c..2beac1f 100644
--- a/checks/tagNotSpecified.yaml
+++ b/checks/tagNotSpecified.yaml
@@ -1,5 +1,5 @@
-successMessage: Image tag is specified
-failureMessage: Image tag should be specified
+#successMessage: Image tag is specified
+promptMessage: Image tag should be specified
 category: Images
 target: Container
 schema:
diff --git a/cmd/audit.go b/cmd/audit.go
index a89eec5..cd2ebed 100644
--- a/cmd/audit.go
+++ b/cmd/audit.go
@@ -25,8 +25,8 @@ import (
 var config string
 var auditCmd = &cobra.Command{
- Use: "fault",
- Short: "fault the result",
+ Use: "diags",
+ Short: "diagnostic information from the cluster",
 Run: func(cmd *cobra.Command, args []string) {
 err := validator.Cluster(config, cmd.Context())
 if err != nil {
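Review bot: The new `Short` text is a noun phrase rather than a description of what the command does, and cobra prints it in the `ke --help` listing; something like `Short: "Diagnose the cluster and report the problems found"` tells the user what `diags` will do. The variable is still called `auditCmd` for a command whose `Use` has gone from `fault` to `diags`, so there are now three unrelated names for one command. The README hunks in this commit also drop `--kubeconfig ~/.kube/config` from every `ke` example while the `config` variable passed to `validator.Cluster` is still declared here; the flag wiring is outside this hunk, so confirm the flag still exists with a usable default so the docs and the binary agree.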
diff --git a/examples/tmp/rule.yaml b/examples/tmp/rule.yaml
index 2c75287..ee463c2 100644
--- a/examples/tmp/rule.yaml
+++ b/examples/tmp/rule.yaml
@@ -13,8 +13,7 @@ checks:
 customChecks:
 imageFromUnauthorizedRegistry:
- successMessage: Image comes from allowed registries
- failureMessage: Image should not be from disallowed registry
+ promptMessage: Image should not be from disallowed registry
 category: Images
 target: Container
 schema:
diff --git a/pkg/config/schema.go b/pkg/config/schema.go
index e882389..8e007e3 100644
--- a/pkg/config/schema.go
+++ b/pkg/config/schema.go
@@ -30,15 +30,15 @@ const (
 )
 type SchemaCheck struct {
- ID string `yaml:"id"`
- Category string `yaml:"category"`
- SuccessMessage string `yaml:"successMessage"`
- FailureMessage string `yaml:"failureMessage"`
- Containers includeExcludeList `yaml:"containers"`
- Target TargetKind `yaml:"target"`
- SchemaTarget TargetKind `yaml:"schemaTarget"`
- Schema jsonschema.RootSchema `yaml:"schema"`
- JSONSchema string `yaml:"jsonSchema"`
+ ID string `yaml:"id"`
+ Category string `yaml:"category"`
+ //SuccessMessage string `yaml:"successMessage"`
+ PromptMessage string `yaml:"promptMessage"`
+ Containers includeExcludeList `yaml:"containers"`
+ Target TargetKind `yaml:"target"`
+ SchemaTarget TargetKind `yaml:"schemaTarget"`
+ Schema jsonschema.RootSchema `yaml:"schema"`
+ JSONSchema string `yaml:"jsonSchema"`
 }
 type includeExcludeList struct {
diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go
index d0d24bf..4b3c12b 100644
--- a/pkg/validator/container_test.go
+++ b/pkg/validator/container_test.go
@@ -54,7 +54,7 @@ func (rs ResultSet) GetWarnings() []ResultMessage {
 var resourceConfMinimal = `---
 checks:
 cpuLimitsMissing: warning
- livenessProbeMissing: warning
+
 `
 func getEmptyWorkload(t *testing.T, name string) kube.GenericWorkload {
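Review bot: Renaming the yaml key from `failureMessage` to `promptMessage` with no alias means a custom rule file that still uses the old key (the format `examples/tmp/rule.yaml` had before this commit) decodes with an empty `PromptMessage`, and nothing visible in this commit reports that; either accept both keys for a transition or reject a check whose `PromptMessage` is empty when it is loaded, naming the check ID in the error. The commented-out `//SuccessMessage` line is dead code inside a struct definition and should be deleted rather than kept. The new field also deserves a doc comment, e.g. `// PromptMessage is the text reported when the check fails.`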
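Review bot: The `+` line that replaces `livenessProbeMissing: warning` in `resourceConfMinimal` adds an empty line inside the raw YAML string instead of simply deleting the entry; drop the added line so the literal ends right after `cpuLimitsMissing: warning`. The commit message does not say why the liveness check leaves the minimal config, so if tests elsewhere in the file depended on it, a one-line comment on the literal would help the next reader. `getEmptyWorkload` starts on the hunk's last line and continues outside it.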
@@ -307,7 +307,7 @@ func TestValidateNetworking(t *testing.T) {
 container: emptyContainer,
 expectedResults: []ResultMessage{{
 ID: "hostPortSet",
- Message: "Host port is not configured",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Networking",
@@ -319,7 +319,7 @@ func TestValidateNetworking(t *testing.T) {
 container: emptyContainer,
 expectedResults: []ResultMessage{{
 ID: "hostPortSet",
- Message: "Host port is not configured",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Networking",
@@ -349,7 +349,7 @@ func TestValidateNetworking(t *testing.T) {
 container: goodContainer,
 expectedResults: []ResultMessage{{
 ID: "hostPortSet",
- Message: "Host port is not configured",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Networking",
@@ -460,25 +460,25 @@ func TestValidateSecurity(t *testing.T) {
 Category: "Security",
 }, {
 ID: "runAsPrivileged",
- Message: "Not running as privileged",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
 }, {
 ID: "privilegeEscalationAllowed",
- Message: "Privilege escalation not allowed",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
 }, {
 ID: "insecureCapabilities",
- Message: "Container does not have any insecure capabilities",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
 }, {
 ID: "dangerousCapabilities",
- Message: "Container does not have any dangerous capabilities",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
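Review bot: The literal `"success"` is now repeated in every expectation of these four hunks and again in the `@@ -620`, `@@ -748`, `@@ -760` and `@@ -772` hunks that follow, mirroring the literal `makeResult` assigns in pkg/validator/schema.go; a single `const successMessage = "success"` in the validator package, used by both `makeResult` and these tests, would confine a future wording change to one line. With the per-check success text gone, the expectations distinguish passing results only by `ID`, which is acceptable but is a deliberate loss of coverage worth stating in the commit message. Each hunk sits inside a test function whose body begins and ends outside it.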
@@ -620,37 +620,37 @@ func TestValidateSecurity(t *testing.T) {
 pod: emptyPodSpec,
 expectedResults: []ResultMessage{{
 ID: "runAsRootAllowed",
- Message: "Is not allowed to run as root",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
 }, {
 ID: "notReadOnlyRootFilesystem",
- Message: "Filesystem is read only",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
 }, {
 ID: "runAsPrivileged",
- Message: "Not running as privileged",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
 }, {
 ID: "privilegeEscalationAllowed",
- Message: "Privilege escalation not allowed",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
 }, {
 ID: "dangerousCapabilities",
- Message: "Container does not have any dangerous capabilities",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
 }, {
 ID: "insecureCapabilities",
- Message: "Container does not have any insecure capabilities",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
@@ -748,7 +748,7 @@ func TestValidateRunAsRoot(t *testing.T) {
 pod: badPod,
 message: ResultMessage{
 ID: "runAsRootAllowed",
- Message: "Is not allowed to run as root",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
@@ -760,7 +760,7 @@ func TestValidateRunAsRoot(t *testing.T) {
 pod: emptyPod,
 message: ResultMessage{
 ID: "runAsRootAllowed",
- Message: "Is not allowed to run as root",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
@@ -772,7 +772,7 @@ func TestValidateRunAsRoot(t *testing.T) {
 pod: runAsUserPod,
 message: ResultMessage{
 ID: "runAsRootAllowed",
- Message: "Is not allowed to run as root",
+ Message: "success",
 Success: true,
 Severity: "warning",
 Category: "Security",
diff --git a/pkg/validator/schema.go b/pkg/validator/schema.go
index 56765d6..8ffacab 100644
--- a/pkg/validator/schema.go
+++ b/pkg/validator/schema.go
@@ -58,7 +58,7 @@ var (
 )
 func init() {
- schemaBox = packr.New("Schemas", "../../checks")
+ schemaBox = packr.New("Schema", "../../checks")
 for _, checkID := range checkOrder {
 contents, err := schemaBox.Find(checkID + ".yaml")
 if err != nil {
@@ -132,9 +132,9 @@ func makeResult(conf *config.Configuration, check *config.SchemaCheck, passes bo
 Success: passes,
 }
 if passes {
- result.Message = check.SuccessMessage
+ result.Message = "success"
 } else {
- result.Message = check.FailureMessage
+ result.Message = check.PromptMessage
 }
 return result
 }
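Review bot: The box name passed to `packr.New` in `init` changes from `"Schemas"` to `"Schema"`, which has nothing to do with the prompt-message rename in the commit subject and is not explained. If the project ships generated packr files, packr resolves boxes by name as far as I can tell, so check that they are regenerated or the embedded `checks` directory may not be found under the new name; if the rename is accidental, revert it. `init` continues past the end of the hunk.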
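Review bot: On the failing branch `result.Message` now comes solely from `check.PromptMessage`, so a check loaded without that key (any custom rule still written with the old `failureMessage` key) produces a finding with an empty message and the user never learns why it failed. A defensive fallback keeps the output readable, e.g. after the `else` assignment `if result.Message == "" { result.Message = check.ID }`, or reject such checks at load time if an empty prompt should be an error. `makeResult` begins before the hunk.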