update prompt message and diags

This commit is contained in:
Forest-L 2020-12-25 17:20:10 +08:00
parent 98afe8cc23
commit bbb0f44f2f
25 changed files with 74 additions and 75 deletions

View File

@ -3,7 +3,7 @@
Kubeye aims to find various problems on Kubernetes, such as application misconfiguration, cluster components unhealthy and node problems(using [Node-Problem-Detector](https://github.com/kubernetes/node-problem-detector)). Besides predefined rules, it also supports custom defined rules. Kubeye aims to find various problems on Kubernetes, such as application misconfiguration, cluster components unhealthy and node problems(using [Node-Problem-Detector](https://github.com/kubernetes/node-problem-detector)). Besides predefined rules, it also supports custom defined rules.
## How to use ## How to use
- Install kubeye on your machine - Install Kubeye on your machine
- Download pre built executables from [Releases](https://github.com/kubesphere/kubeye/releases). - Download pre built executables from [Releases](https://github.com/kubesphere/kubeye/releases).
- Or you can build from source code - Or you can build from source code
@ -17,11 +17,11 @@ Kubeye aims to find various problems on Kubernetes, such as application misconfi
> Note: This line will install npd on your cluster, only required if you want detailed report. > Note: This line will install npd on your cluster, only required if you want detailed report.
```shell script ```shell script
ke install npd --kubeconfig ~/.kube/config ke install npd
``` ```
- Run kubeye - Run kubeye
```shell ```shell
root@node1:# ke fault --kubeconfig ~/.kube/config root@node1:# ke diags
NODENAME SEVERITY HEARTBEATTIME REASON MESSAGE NODENAME SEVERITY HEARTBEATTIME REASON MESSAGE
node18 Fatal 2020-11-19T10:32:03+08:00 NodeStatusUnknown Kubelet stopped posting node status. node18 Fatal 2020-11-19T10:32:03+08:00 NodeStatusUnknown Kubelet stopped posting node status.
node19 Fatal 2020-11-19T10:31:37+08:00 NodeStatusUnknown Kubelet stopped posting node status. node19 Fatal 2020-11-19T10:31:37+08:00 NodeStatusUnknown Kubelet stopped posting node status.
@ -119,7 +119,7 @@ kube-system Warning coredns Deployment 2020-11-27T1
### Add custom npd rule ### Add custom npd rule
- Install NPD with `ke install npd --kubeconfig ~/.kube/config` - Install NPD with `ke install npd`
- Edit configmap kube-system/node-problem-detector-config with kubectl, - Edit configmap kube-system/node-problem-detector-config with kubectl,
``` ```
kubectl edit cm -n kube-system node-problem-detector-config kubectl edit cm -n kube-system node-problem-detector-config

View File

@ -1,5 +1,5 @@
successMessage: CPU limits are set #successMessage: CPU limits are set
failureMessage: CPU limits should be set promptMessage: CPU limits should be set
category: Resources category: Resources
target: Container target: Container
containers: containers:

View File

@ -1,5 +1,5 @@
successMessage: CPU requests are set #successMessage: CPU requests are set
failureMessage: CPU requests should be set promptMessage: CPU requests should be set
category: Resources category: Resources
target: Container target: Container
containers: containers:

View File

@ -1,5 +1,5 @@
successMessage: Container does not have any dangerous capabilities #successMessage: Container does not have any dangerous capabilities
failureMessage: Container should not have dangerous capabilities promptMessage: Container should not have dangerous capabilities
category: Security category: Security
target: Container target: Container
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Host IPC is not configured #successMessage: Host IPC is not configured
failureMessage: Host IPC should not be configured promptMessage: Host IPC should not be configured
category: Security category: Security
target: Pod target: Pod
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Host network is not configured #successMessage: Host network is not configured
failureMessage: Host network should not be configured promptMessage: Host network should not be configured
category: Networking category: Networking
target: Pod target: Pod
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Host PID is not configured #successMessage: Host PID is not configured
failureMessage: Host PID should not be configured promptMessage: Host PID should not be configured
category: Security category: Security
target: Pod target: Pod
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Host port is not configured #successMessage: Host port is not configured
failureMessage: Host port should not be configured promptMessage: Host port should not be configured
category: Networking category: Networking
target: Container target: Container
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Container does not have any insecure capabilities #successMessage: Container does not have any insecure capabilities
failureMessage: Container should not have insecure capabilities promptMessage: Container should not have insecure capabilities
category: Security category: Security
target: Container target: Container
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Liveness probe is configured #successMessage: Liveness probe is configured
failureMessage: Liveness probe should be configured promptMessage: Liveness probe should be configured
category: Health Checks category: Health Checks
controllers: controllers:
exclude: exclude:

View File

@ -1,5 +1,5 @@
successMessage: Memory limits are set #successMessage: Memory limits are set
failureMessage: Memory limits should be set promptMessage: Memory limits should be set
category: Resources category: Resources
target: Container target: Container
containers: containers:

View File

@ -1,5 +1,5 @@
successMessage: Memory requests are set #successMessage: Memory requests are set
failureMessage: Memory requests should be set promptMessage: Memory requests should be set
category: Resources category: Resources
target: Container target: Container
containers: containers:

View File

@ -1,5 +1,5 @@
successMessage: Filesystem is read only #successMessage: Filesystem is read only
failureMessage: Filesystem should be read only promptMessage: Filesystem should be read only
category: Security category: Security
target: Container target: Container
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Priority class has been set #successMessage: Priority class has been set
failureMessage: Priority class should be set promptMessage: Priority class should be set
category: Security category: Security
target: Pod target: Pod
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Privilege escalation not allowed #successMessage: Privilege escalation not allowed
failureMessage: Privilege escalation should not be allowed promptMessage: Privilege escalation should not be allowed
category: Security category: Security
target: Container target: Container
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Image pull policy is "Always" #successMessage: Image pull policy is "Always"
failureMessage: Image pull policy should be "Always" promptMessage: Image pull policy should be "Always"
category: Images category: Images
target: Container target: Container
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Readiness probe is configured #successMessage: Readiness probe is configured
failureMessage: Readiness probe should be configured promptMessage: Readiness probe should be configured
category: Health Checks category: Health Checks
controllers: controllers:
exclude: exclude:

View File

@ -1,5 +1,5 @@
successMessage: Not running as privileged #successMessage: Not running as privileged
failureMessage: Should not be running as privileged promptMessage: Should not be running as privileged
category: Security category: Security
target: Container target: Container
schema: schema:

View File

@ -1,5 +1,5 @@
successMessage: Is not allowed to run as root #successMessage: Is not allowed to run as root
failureMessage: Should not be allowed to run as root promptMessage: Should not be allowed to run as root
category: Security category: Security
target: Container target: Container
schemaTarget: Pod schemaTarget: Pod

View File

@ -1,5 +1,5 @@
successMessage: Image tag is specified #successMessage: Image tag is specified
failureMessage: Image tag should be specified promptMessage: Image tag should be specified
category: Images category: Images
target: Container target: Container
schema: schema:

View File

@ -25,8 +25,8 @@ import (
var config string var config string
var auditCmd = &cobra.Command{ var auditCmd = &cobra.Command{
Use: "fault", Use: "diags",
Short: "fault the result", Short: "diagnostic information from the cluster",
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
err := validator.Cluster(config, cmd.Context()) err := validator.Cluster(config, cmd.Context())
if err != nil { if err != nil {

View File

@ -13,8 +13,7 @@ checks:
customChecks: customChecks:
imageFromUnauthorizedRegistry: imageFromUnauthorizedRegistry:
successMessage: Image comes from allowed registries promptMessage: Image should not be from disallowed registry
failureMessage: Image should not be from disallowed registry
category: Images category: Images
target: Container target: Container
schema: schema:

View File

@ -32,8 +32,8 @@ const (
type SchemaCheck struct { type SchemaCheck struct {
ID string `yaml:"id"` ID string `yaml:"id"`
Category string `yaml:"category"` Category string `yaml:"category"`
SuccessMessage string `yaml:"successMessage"` //SuccessMessage string `yaml:"successMessage"`
FailureMessage string `yaml:"failureMessage"` PromptMessage string `yaml:"promptMessage"`
Containers includeExcludeList `yaml:"containers"` Containers includeExcludeList `yaml:"containers"`
Target TargetKind `yaml:"target"` Target TargetKind `yaml:"target"`
SchemaTarget TargetKind `yaml:"schemaTarget"` SchemaTarget TargetKind `yaml:"schemaTarget"`

View File

@ -54,7 +54,7 @@ func (rs ResultSet) GetWarnings() []ResultMessage {
var resourceConfMinimal = `--- var resourceConfMinimal = `---
checks: checks:
cpuLimitsMissing: warning cpuLimitsMissing: warning
livenessProbeMissing: warning
` `
func getEmptyWorkload(t *testing.T, name string) kube.GenericWorkload { func getEmptyWorkload(t *testing.T, name string) kube.GenericWorkload {
@ -307,7 +307,7 @@ func TestValidateNetworking(t *testing.T) {
container: emptyContainer, container: emptyContainer,
expectedResults: []ResultMessage{{ expectedResults: []ResultMessage{{
ID: "hostPortSet", ID: "hostPortSet",
Message: "Host port is not configured", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Networking", Category: "Networking",
@ -319,7 +319,7 @@ func TestValidateNetworking(t *testing.T) {
container: emptyContainer, container: emptyContainer,
expectedResults: []ResultMessage{{ expectedResults: []ResultMessage{{
ID: "hostPortSet", ID: "hostPortSet",
Message: "Host port is not configured", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Networking", Category: "Networking",
@ -349,7 +349,7 @@ func TestValidateNetworking(t *testing.T) {
container: goodContainer, container: goodContainer,
expectedResults: []ResultMessage{{ expectedResults: []ResultMessage{{
ID: "hostPortSet", ID: "hostPortSet",
Message: "Host port is not configured", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Networking", Category: "Networking",
@ -460,25 +460,25 @@ func TestValidateSecurity(t *testing.T) {
Category: "Security", Category: "Security",
}, { }, {
ID: "runAsPrivileged", ID: "runAsPrivileged",
Message: "Not running as privileged", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
}, { }, {
ID: "privilegeEscalationAllowed", ID: "privilegeEscalationAllowed",
Message: "Privilege escalation not allowed", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
}, { }, {
ID: "insecureCapabilities", ID: "insecureCapabilities",
Message: "Container does not have any insecure capabilities", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
}, { }, {
ID: "dangerousCapabilities", ID: "dangerousCapabilities",
Message: "Container does not have any dangerous capabilities", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
@ -620,37 +620,37 @@ func TestValidateSecurity(t *testing.T) {
pod: emptyPodSpec, pod: emptyPodSpec,
expectedResults: []ResultMessage{{ expectedResults: []ResultMessage{{
ID: "runAsRootAllowed", ID: "runAsRootAllowed",
Message: "Is not allowed to run as root", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
}, { }, {
ID: "notReadOnlyRootFilesystem", ID: "notReadOnlyRootFilesystem",
Message: "Filesystem is read only", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
}, { }, {
ID: "runAsPrivileged", ID: "runAsPrivileged",
Message: "Not running as privileged", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
}, { }, {
ID: "privilegeEscalationAllowed", ID: "privilegeEscalationAllowed",
Message: "Privilege escalation not allowed", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
}, { }, {
ID: "dangerousCapabilities", ID: "dangerousCapabilities",
Message: "Container does not have any dangerous capabilities", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
}, { }, {
ID: "insecureCapabilities", ID: "insecureCapabilities",
Message: "Container does not have any insecure capabilities", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
@ -748,7 +748,7 @@ func TestValidateRunAsRoot(t *testing.T) {
pod: badPod, pod: badPod,
message: ResultMessage{ message: ResultMessage{
ID: "runAsRootAllowed", ID: "runAsRootAllowed",
Message: "Is not allowed to run as root", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
@ -760,7 +760,7 @@ func TestValidateRunAsRoot(t *testing.T) {
pod: emptyPod, pod: emptyPod,
message: ResultMessage{ message: ResultMessage{
ID: "runAsRootAllowed", ID: "runAsRootAllowed",
Message: "Is not allowed to run as root", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",
@ -772,7 +772,7 @@ func TestValidateRunAsRoot(t *testing.T) {
pod: runAsUserPod, pod: runAsUserPod,
message: ResultMessage{ message: ResultMessage{
ID: "runAsRootAllowed", ID: "runAsRootAllowed",
Message: "Is not allowed to run as root", Message: "success",
Success: true, Success: true,
Severity: "warning", Severity: "warning",
Category: "Security", Category: "Security",

View File

@ -58,7 +58,7 @@ var (
) )
func init() { func init() {
schemaBox = packr.New("Schemas", "../../checks") schemaBox = packr.New("Schema", "../../checks")
for _, checkID := range checkOrder { for _, checkID := range checkOrder {
contents, err := schemaBox.Find(checkID + ".yaml") contents, err := schemaBox.Find(checkID + ".yaml")
if err != nil { if err != nil {
@ -132,9 +132,9 @@ func makeResult(conf *config.Configuration, check *config.SchemaCheck, passes bo
Success: passes, Success: passes,
} }
if passes { if passes {
result.Message = check.SuccessMessage result.Message = "success"
} else { } else {
result.Message = check.FailureMessage result.Message = check.PromptMessage
} }
return result return result
} }