Kube-Score
Kube-Score是一款针对Kubernetes的性能及安全分析工具,该工具能够对Kubernetes对象定义进行静态代码分析,并给出提升Kubernetes性能和安全性方面的建议。
工具的输出是一份带有提升建议的列表,广大研究人员可以根据Kube-Score给出的建议来提升自己应用程序的安全性和稳定性。
大家可以直接在浏览器中运行Kube-Score线上Demo来进行测试:https://kube-score.com/。
工具安装
Kube-Score的安装非常简单,广大研究人员可以从下列代码源获取Kube-Score。
针对macOS、Linux和Windows的预构建版本:【点我下载:https://github.com/zegl/kube-score/releases】
Docker安装(Docker Hub):https://hub.docker.com/r/zegl/kube-score/
docker pull zegl/kube-scoreHomebrew安装(macOS和Linux):
brew install kube-score/tap/kube-scoreKrew安装(macOS和Linux):
kubectl krew install score源码构建
Kube-Score要求使用Go v1.11或更高版本环境来进行源码构建,首先广大研究人员需要使用下列命令将该项目源码克隆至本地:
git clone https://github.com/zegl/kube-score.git接下来,运行下列命令构建项目,并运行所有测试:
# Build the projectgo build github.com/zegl/kube-score/cmd/kube-score# Run all testsgo test -v github.com/zegl/kube-score/...
CI使用方式
Kube-Score可以在你的CI/CD环境中运行,如果工具检测到了严重错误,则会返回退出代码1并退出工具的运行。我们还可以使用—exit-one-on-warning参数来设置工具的警告触发等级。
Kube-Score的输入数据为你需要在同一命名空间中部署的全部应用程序,这样才能获取到最佳的建议结果。
Helm样例:
helm template my-app | kube-score score -Kustomize样例:
kustomize build . | kube-score score -静态YAML样例:
kube-score score my-app/*.yamlkube-score score my-app/deployment.yaml my-app/service.yaml
现有集群样例:
kubectl api-resources --verbs=list --namespaced -o name| xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---"| kube-score score -
Docker样例:
docker run -v $(pwd):/project zegl/kube-score:v1.7.0 score my-app/*.yaml工具配置
Usage of kube-score:kube-score [action] --flagsActions:score Checks all files in the input, and gives them a score and recommendationslist Prints a CSV list of all available score checksversion Print the version of kube-scorehelp Print this messageFlags for score:--disable-ignore-checks-annotations Set to true to disable the effect of the 'kube-score/ignore' annotations--enable-optional-test strings Enable an optional test, can be set multiple times--exit-one-on-warning Exit with code 1 in case of warnings--help Print help--ignore-container-cpu-limit Disables the requirement of setting a container CPU limit--ignore-container-memory-limit Disables the requirement of setting a container memory limit--ignore-test strings Disable a test, can be set multiple times--kubernetes-version string Setting the kubernetes-version will affect the checks ran against the manifests. Set this to the version of Kubernetes that you're using in production for the best results. (default "v1.18")-o, --output-format string Set to 'human', 'json' or 'ci'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. (default "human")--output-version string Changes the version of the --output-format. The 'json' format has version 'v2' (default) and 'v1' (deprecated, will be removed in v1.7.0). The 'human' and 'ci' formats has only version 'v1' (default). If not explicitly set, the default version for that particular output format will be used.-v, --verbose count Enable verbose output, can be set multiple times for increased verbosity.
忽略一个测试
在程序运行的过程中,我们还可以根据需要去使用—ignore-test参数来选择忽略哪个测试。除此之外,我们也可以通过向对象添加kube-score/ignore注释来忽略特定的对象,参数值为测试ID字符串,每个字符串使用逗号进行分隔。
参考样例
测试这个对象将会临时禁用掉service-type测试:
apiVersion: v1kind: Servicemetadata:name: node-port-service-with-ignorenamespace: foospaceannotations:: service-typespec:selector:app: my-appports:protocol: TCPport: 80targetPort: 8080type: NodePort
工具运行截图
参考资料
Kube-Score项目地址:https://github.com/zegl/kube-score
检测列表:https://github.com/zegl/kube-score/blob/master/README_CHECKS.md
精彩推荐
本文始发于微信公众号(FreeBuf):Kube-Score:一款针对Kubernetes的安全分析工具
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论