kube-score – static code analysis for Kubernetes

kube-score

Description

kube-score performs static code analysis of Kubernetes YAML. It provides a list of recommendations and improvements to make your cluster more secure and stable.

Installation

Installation is quite easy.

GOBIN=$(pwd) go install github.com/zegl/kube-score/cmd/kube-score@latest
sudo mv kube-score /usr/local/bin/

As an alternative, I recommend krew, which is straightforward as well:

kubectl krew install score

Of course, there are other options available, such as brew, building from source, or Docker. However, if you have an environment configured for Go development, that option is the best.

Usage of kube-score

$ kube-score -h
Usage of kube-score:
kube-score [action] --flags

Actions:
        score   Checks all files in the input, and gives them a score and recommendations
        list    Prints a CSV list of all available score checks
        version Print the version of kube-score
        help    Print this message

Run "kube-score [action] --help" for more information about a particular command

To tell the truth, we have only two options here.

Usage kube-score: score

Using kube-score is really easy. Let's examine a simple YAML file that creates a pod:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-app
  namespace: nsp1
  labels:
    app: app1
spec:
  containers:
    - name: nginx-app
      image: nginx

And the score is?

$ kube-score score pod.yaml 
v1/Pod nginx-app in nsp1                                                      💥
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · nginx-app -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Security Context User Group ID
        · nginx-app -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · nginx-app -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes
            cluster to have an effect.
    [CRITICAL] Container Resources
        · nginx-app -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · nginx-app -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · nginx-app -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · nginx-app -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Container Image Tag
        · nginx-app -> Image with latest tag
            Using a fixed tag is recommended to avoid accidental upgrades

As you can see, there are a lot of CRITICAL issues. Some of them are quite obvious, like the image tag or the limits. The security context, however, is something that is not commonly set.
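
The same pod revised to address each CRITICAL finding listed above, as an added example that is not part of the original post. The image tag, user and group IDs, resource sizes, emptyDir mounts and NetworkPolicy rules are assumed values, and it is assumed that the image can start as a non-root user with a read-only root filesystem.

```yaml
# pod.yaml from above, revised per finding. All concrete values are constructed.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-app
  namespace: nsp1
  labels:
    app: app1
spec:
  containers:
    - name: nginx-app
      # Container Image Tag: pin a fixed tag instead of the implicit "latest".
      image: nginx:1.25.3          # example tag (assumption); pin the one you tested
      # With a fixed tag the Kubernetes default pull policy is IfNotPresent;
      # kube-score's Container Image Pull Policy check expects Always.
      imagePullPolicy: Always
      securityContext:
        # Container Security Context ReadOnlyRootFilesystem
        readOnlyRootFilesystem: true
        # Container Security Context User Group ID: both values above 10000
        runAsUser: 10001
        runAsGroup: 10001
        # Not among the findings above; common companions to the settings above.
        runAsNonRoot: true
        allowPrivilegeEscalation: false
      resources:
        # Container Resources + Container Ephemeral Storage Request and Limit
        requests:
          cpu: 100m
          memory: 64Mi
          ephemeral-storage: 64Mi
        limits:
          cpu: 250m
          memory: 128Mi
          ephemeral-storage: 128Mi
      volumeMounts:
        # Writable paths for a read-only root filesystem (assumed for nginx).
        - name: cache
          mountPath: /var/cache/nginx
        - name: run
          mountPath: /var/run
  volumes:
    - name: cache
      emptyDir: {}
    - name: run
      emptyDir: {}
---
# Pod NetworkPolicy: a policy in the same namespace whose podSelector
# matches the pod's labels. It only has an effect if the CNI enforces it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-app
  namespace: nsp1
spec:
  podSelector:
    matchLabels:
      app: app1
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow HTTP only from pods in the same namespace (constructed rule).
    - from:
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 80
  # No egress rules are listed, so all outbound traffic from the pod is denied.
```

Both documents go in the same file so that kube-score can match the NetworkPolicy to the pod when it scores the input.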

Let's move to a more complex example. I have minikube installed locally and I would like to check all the objects inside it. To do that, I executed the command below:

kubectl api-resources --verbs=list --namespaced -o name \
  | xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---" \
  | kube-score score -

Result?

apps/v1/DaemonSet kube-proxy in kube-system                                   💥
    [CRITICAL] Container Security Context Privileged
        · kube-proxy -> The container is privileged
            Set securityContext.privileged to false. Privileged containers can
            access all devices on the host, and grants almost the same access as
            non-containerized processes on the host.
    [CRITICAL] Container Resources
        · kube-proxy -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · kube-proxy -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · kube-proxy -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · kube-proxy -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Security Context User Group ID
        · kube-proxy -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · kube-proxy -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-proxy -> The pod has a container with a writable root filesystem
            Set securityContext.readOnlyRootFilesystem to true
    [CRITICAL] Container Image Pull Policy
        · kube-proxy -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-proxy -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
apps/v1/Deployment coredns in kube-system                                     💥
    [CRITICAL] Container Image Pull Policy
        · coredns -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · coredns -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · coredns -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · coredns -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Resources
        · coredns -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
apps/v1/Deployment dashboard-metrics-scraper in kubernetes-dashboard          💥
    [CRITICAL] Container Image Pull Policy
        · dashboard-metrics-scraper -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · dashboard-metrics-scraper -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · dashboard-metrics-scraper -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · dashboard-metrics-scraper -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is
            ready to receive traffic. Without it, the Pod is risking to receive
            traffic before it has booted. It's also used during rollouts, and
            can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Resources
        · dashboard-metrics-scraper -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · dashboard-metrics-scraper -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · dashboard-metrics-scraper -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · dashboard-metrics-scraper -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
apps/v1/Deployment kubernetes-dashboard in kubernetes-dashboard               💥
    [CRITICAL] Container Resources
        · kubernetes-dashboard -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · kubernetes-dashboard -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · kubernetes-dashboard -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · kubernetes-dashboard -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is
            ready to receive traffic. Without it, the Pod is risking to receive
            traffic before it has booted. It's also used during rollouts, and
            can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Image Pull Policy
        · kubernetes-dashboard -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kubernetes-dashboard -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kubernetes-dashboard -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · kubernetes-dashboard -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
v1/Pod coredns-6d4b75cb6d-h9wkj in kube-system                                💥
    [CRITICAL] Container Image Pull Policy
        · coredns -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · coredns -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · coredns -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · coredns -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Resources
        · coredns -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
v1/Pod etcd-minikube in kube-system                                           💥
    [CRITICAL] Container Image Pull Policy
        · etcd -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · etcd -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · etcd -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · etcd -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · etcd -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Resources
        · etcd -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · etcd -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
v1/Pod kube-apiserver-minikube in kube-system                                 💥
    [CRITICAL] Container Resources
        · kube-apiserver -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · kube-apiserver -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · kube-apiserver -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-apiserver -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Image Pull Policy
        · kube-apiserver -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-apiserver -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kube-apiserver -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · kube-apiserver -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
v1/Pod kube-controller-manager-minikube in kube-system                        💥
    [CRITICAL] Container Resources
        · kube-controller-manager -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · kube-controller-manager -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · kube-controller-manager -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Image Pull Policy
        · kube-controller-manager -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-controller-manager -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kube-controller-manager -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · kube-controller-manager -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-controller-manager -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
v1/Pod kube-proxy-sdkbz in kube-system                                        💥
    [CRITICAL] Container Image Pull Policy
        · kube-proxy -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-proxy -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kube-proxy -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · kube-proxy -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-proxy -> The pod has a container with a writable root filesystem
            Set securityContext.readOnlyRootFilesystem to true
    [CRITICAL] Container Resources
        · kube-proxy -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · kube-proxy -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · kube-proxy -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · kube-proxy -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Security Context Privileged
        · kube-proxy -> The container is privileged
            Set securityContext.privileged to false. Privileged containers can
            access all devices on the host, and grants almost the same access as
            non-containerized processes on the host.
v1/Pod kube-scheduler-minikube in kube-system                                 💥
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Resources
        · kube-scheduler -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · kube-scheduler -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · kube-scheduler -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Container Image Pull Policy
        · kube-scheduler -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-scheduler -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kube-scheduler -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · kube-scheduler -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-scheduler -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
v1/Pod storage-provisioner in kube-system                                     💥
    [CRITICAL] Container Resources
        · storage-provisioner -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · storage-provisioner -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · storage-provisioner -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · storage-provisioner -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Container Image Pull Policy
        · storage-provisioner -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · storage-provisioner -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · storage-provisioner -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · storage-provisioner -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · storage-provisioner -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
v1/Pod dashboard-metrics-scraper-78dbd9dbf5-r778l in kubernetes-dashboard     💥
    [CRITICAL] Container Image Pull Policy
        · dashboard-metrics-scraper -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · dashboard-metrics-scraper -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · dashboard-metrics-scraper -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · dashboard-metrics-scraper -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Resources
        · dashboard-metrics-scraper -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · dashboard-metrics-scraper -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · dashboard-metrics-scraper -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · dashboard-metrics-scraper -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is
            ready to receive traffic. Without it, the Pod is risking to receive
            traffic before it has booted. It's also used during rollouts, and
            can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
v1/Pod kubernetes-dashboard-5fd5574d9f-7ldj8 in kubernetes-dashboard          💥
    [CRITICAL] Container Image Pull Policy
        · kubernetes-dashboard -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to
            make sure that the imagePullSecrets are always correct, and to
            always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kubernetes-dashboard -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kubernetes-dashboard -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsUser to a value > 10000
        · kubernetes-dashboard -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the
            host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Resources
        · kubernetes-dashboard -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.cpu
        · kubernetes-dashboard -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.memory
        · kubernetes-dashboard -> CPU request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.cpu
        · kubernetes-dashboard -> Memory request is not set
            Resource requests are recommended to make sure that the application
            can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what
            can communicate with this pod. Note, this feature needs to be
            supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is
            ready to receive traffic. Without it, the Pod is risking to receive
            traffic before it has booted. It's also used during rollouts, and
            can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
v1/Service kubernetes in default                                              💥
    [CRITICAL] Service Targets Pod
        · The services selector does not match any pods
v1/Service kube-dns in kube-system                                            ✅
v1/Service dashboard-metrics-scraper in kubernetes-dashboard                  ✅
v1/Service kubernetes-dashboard in kubernetes-dashboard                       ✅

There are many issues, so it is really important to check your cluster before going to production.

Usage kube-score: list

To see how many checks kube-score performs, run the command below:

$ kube-score list
ingress-targets-service,Ingress,Makes sure that the Ingress targets a Service,default
cronjob-has-deadline,CronJob,Makes sure that all CronJobs has a configured deadline,default
container-resources,Pod,Makes sure that all pods have resource limits and requests set. The --ignore-container-cpu-limit flag can be used to disable the requirement of having a CPU limit,default
container-resource-requests-equal-limits,Pod,Makes sure that all pods have the same requests as limits on resources set.,optional
container-cpu-requests-equal-limits,Pod,Makes sure that all pods have the same CPU requests as limits set.,optional
container-memory-requests-equal-limits,Pod,Makes sure that all pods have the same memory requests as limits set.,optional
container-image-tag,Pod,Makes sure that a explicit non-latest tag is used,default
container-image-pull-policy,Pod,Makes sure that the pullPolicy is set to Always. This makes sure that imagePullSecrets are always validated.,default
container-ephemeral-storage-request-and-limit,Pod,Makes sure all pods have ephemeral-storage requests and limits set,default
container-ephemeral-storage-request-equals-limit,Pod,Make sure all pods have matching ephemeral-storage requests and limits,optional
container-ports-check,Pod,Container Ports Checks,optional
statefulset-has-poddisruptionbudget,StatefulSet,Makes sure that all StatefulSets are targeted by a PDB,default
deployment-has-poddisruptionbudget,Deployment,Makes sure that all Deployments are targeted by a PDB,default
poddisruptionbudget-has-policy,PodDisruptionBudget,Makes sure that PodDisruptionBudgets specify minAvailable or maxUnavailable,default
pod-networkpolicy,Pod,Makes sure that all Pods are targeted by a NetworkPolicy,default
networkpolicy-targets-pod,NetworkPolicy,Makes sure that all NetworkPolicies targets at least one Pod,default
pod-probes,Pod,Makes sure that all Pods have safe probe configurations,default
container-security-context-user-group-id,Pod,Makes sure that all pods have a security context with valid UID and GID set ,default
container-security-context-privileged,Pod,Makes sure that all pods have a unprivileged security context set,default
container-security-context-readonlyrootfilesystem,Pod,Makes sure that all pods have a security context with read only filesystem set,default
container-seccomp-profile,Pod,Makes sure that all pods have at a seccomp policy configured.,optional
service-targets-pod,Service,Makes sure that all Services targets a Pod,default
service-type,Service,Makes sure that the Service type is not NodePort,default
stable-version,all,Checks if the object is using a deprecated apiVersion,default
deployment-has-host-podantiaffinity,Deployment,Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/,default
statefulset-has-host-podantiaffinity,StatefulSet,Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/,default
deployment-targeted-by-hpa-does-not-have-replicas-configured,Deployment,Makes sure that Deployments using a HorizontalPodAutoscaler doesn't have a statically configured replica count set,default
statefulset-has-servicename,StatefulSet,Makes sure that StatefulSets have an existing headless serviceName.,default
deployment-pod-selector-labels-match-template-metadata-labels,Deployment,Ensure the StatefulSet selector labels match the template metadata labels.,default
statefulset-pod-selector-labels-match-template-metadata-labels,StatefulSet,Ensure the StatefulSet selector labels match the template metadata labels.,default
label-values,all,Validates label values,default
horizontalpodautoscaler-has-target,HorizontalPodAutoscaler,Makes sure that the HPA targets a valid object,default

Basically, this is a table with the following columns:

  • ID: machine-readable name of the check
  • Target: the kind of object the check applies to, such as Pod or Deployment
  • Description: what the check verifies
  • Enabled: whether the check runs by default or is optional

Personally, I prefer the Markdown version available here

Configuration

Configuration comes down to which checks are executed and how the output should look. Unfortunately, there are only command-line flags and parameters. I prefer configuration files; nonetheless, there is some room for steering the execution of kube-score.

  • verbosity: verbose output, can be set multiple times for increased verbosity
  • kubernetes-version: this is really important; some settings matter in one version, some in another
  • output-format: I really like this option. You have 2 options
    • human for the CLI (default)
    • ci for pipelines
    • json for programmatic use
$ kube-score score prometheus-deployment.yml -o ci
[WARNING] prometheus-deployment/monitoring extensions/v1beta1/Deployment: The apiVersion and kind extensions/v1beta1/Deployment is deprecated
[OK] prometheus-deployment/monitoring extensions/v1beta1/Deployment
[OK] prometheus-deployment/monitoring extensions/v1beta1/Deployment
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: The pod does not have a matching NetworkPolicy
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: Container is missing a readinessProbe
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) ImagePullPolicy is not set to Always
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Ephemeral Storage limit is not set
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Container has no configured security context
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Container has no configured security context
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) CPU limit is not set
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Memory limit is not set
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) CPU request is not set
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Memory request is not set
[OK] prometheus-deployment/monitoring extensions/v1beta1/Deployment
[OK] prometheus-service/monitoring v1/Service
[OK] prometheus-service/monitoring v1/Service
[OK] prometheus-service/monitoring v1/Service
[WARNING] prometheus-service/monitoring v1/Service: The service is of type NodePort
  • select the checks to execute: there are two types of checks, default and optional. Additionally, you can ignore or enable individual checks at the annotation level:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my_deployment
  labels:
    app: my_app
  annotations:
    kube-score/ignore: pod-networkpolicy,container-resources,container-security-context-user-group-id,container-ephemeral-storage-request-and-limit
    kube-score/enable: container-seccomp-profile

However, on the command line you can steer this a bit by adding one of these parameters:

--disable-ignore-checks-annotations   Set to true to disable the effect of the 'kube-score/ignore' annotations
--disable-optional-checks-annotations Set to true to disable the effect of the 'kube-score/enable' annotations
--enable-optional-test strings        Enable an optional test, can be set multiple times
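Because `kube-score/ignore` lives inside the manifest, whoever edits the manifest can switch a check off, so it is worth auditing which objects suppress security checks before deciding whether CI should pass `--disable-ignore-checks-annotations`. The following is an added example, not code from kube-score or from the original post: `suppressed_security_checks`, the line-based scan (no YAML parser) and the choice of which check IDs count as security-relevant are assumptions of this sketch.

```python
import re

# IDs copied from the `kube-score list` output above; this subset is an assumption.
SECURITY_CHECKS = {
    "pod-networkpolicy", "container-seccomp-profile",
    "container-security-context-user-group-id",
    "container-security-context-privileged",
    "container-security-context-readonlyrootfilesystem",
}

# Constructed sample: the Deployment annotations from the page plus a made-up Service.
SAMPLE_MANIFESTS = """\
kind: Deployment
metadata:
  name: my_deployment
  annotations:
    kube-score/ignore: pod-networkpolicy,container-resources,container-security-context-user-group-id,container-ephemeral-storage-request-and-limit
    kube-score/enable: container-seccomp-profile
---
kind: Service
metadata:
  name: my_service
  annotations:
    kube-score/ignore: service-type
"""

IGNORE_RE = re.compile(r"^\s*kube-score/ignore:\s*(.+?)\s*$")
FIELD_RE = re.compile(r"^(kind|  name):\s*(\S+)")


def suppressed_security_checks(manifest_text):
    """Map (kind, name) to the security check IDs its annotation suppresses."""
    findings = {}
    for doc in re.split(r"^---[ \t]*$", manifest_text, flags=re.M):
        kind = name = None
        ignored = set()
        for line in doc.splitlines():
            field = FIELD_RE.match(line)
            if field and field.group(1) == "kind":
                kind = field.group(2)
            elif field and name is None:
                name = field.group(2)  # first 2-space-indented name = metadata.name
            ignore = IGNORE_RE.match(line)
            if ignore:
                ids = ignore.group(1).strip("\"'").split(",")
                ignored |= {i.strip() for i in ids if i.strip()}
        hits = sorted(ignored & SECURITY_CHECKS)
        if hits:
            findings[(kind, name)] = hits
    return findings
```

On the sample, only the Deployment is reported, with `pod-networkpolicy` and `container-security-context-user-group-id` as the suppressed security checks.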

That approach allows me to select which checks are important to me and which aren't; however, the lack of a way to select checks in a configuration file is annoying.
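The `-o ci` output shown earlier has one finding per line, which makes it easy to turn into a pipeline gate with your own policy. This is an added example, not part of kube-score or the original post: the line shape is inferred from the sample run on this page, and `parse_ci` and `gate` are hypothetical names.

```python
import re
from collections import Counter

# Line shape inferred from the sample output on this page (an assumption):
# [LEVEL] name/namespace apiVersion/Kind[: message]; [OK] lines have no message.
CI_LINE = re.compile(
    r"^\[(?P<level>[A-Z]+)\] (?P<name>[^/\s]+)/(?P<namespace>\S+) "
    r"(?P<kind>[^\s:]+)(?:: (?P<message>.*))?$"
)

# Lines copied from the `-o ci` run shown on this page.
SAMPLE_CI = """\
[WARNING] prometheus-deployment/monitoring extensions/v1beta1/Deployment: The apiVersion and kind extensions/v1beta1/Deployment is deprecated
[OK] prometheus-deployment/monitoring extensions/v1beta1/Deployment
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: The pod does not have a matching NetworkPolicy
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Container has no configured security context
[OK] prometheus-service/monitoring v1/Service
[WARNING] prometheus-service/monitoring v1/Service: The service is of type NodePort
"""


def parse_ci(text):
    """Split ci output into parsed findings and lines that do not fit the shape."""
    findings, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = CI_LINE.match(line)
        if match:
            findings.append(match.groupdict())
        else:
            unparsed.append(line)
    return findings, unparsed


def gate(text, fail_on=("CRITICAL",)):
    """Return (exit_code, level counts, blocking messages per object); fails closed."""
    findings, unparsed = parse_ci(text)
    counts = Counter(f["level"] for f in findings)
    blocking = {}
    for f in findings:
        if f["level"] in fail_on:
            key = f"{f['kind']} {f['namespace']}/{f['name']}"
            blocking.setdefault(key, []).append(f["message"])
    # Empty output or an unrecognised line means the scan cannot be trusted.
    failed = bool(blocking) or bool(unparsed) or not findings
    return (1 if failed else 0), dict(counts), blocking
```

Treating empty or unparseable output as a failure keeps a crashed or misconfigured scan from passing the pipeline silently.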

Summary

Kube-score can help everyone analyse a Kubernetes cluster and find the security issues inside. I really recommend it because it is easy to use and, moreover, it produces meaningful output.
