Description
kube-score performs static analysis of Kubernetes YAML manifests. It produces a list of recommendations and improvements that make the workloads in your cluster more secure and stable.
Installation
Installation is quite easy.
GOBIN=$(pwd) go install github.com/zegl/kube-score/cmd/kube-score@latest
sudo mv kube-score /usr/local/bin/
As an alternative I recommend krew, which is straightforward as well: kubectl krew install score
Of course, there are other options available, like brew, building from source or docker; however, if you already have an environment configured for Go development, the go install option is the best.
Usage of kube-score
$ kube-score -h
Usage of kube-score:
kube-score [action] --flags

Actions:
    score     Checks all files in the input, and gives them a score and recommendations
    list      Prints a CSV list of all available score checks
    version   Print the version of kube-score
    help      Print this message

Run "kube-score [action] --help" for more information about a particular command
To tell the truth, we have only two options here: score and list.
Usage kube-score: score
Using kube-score is really easy. Let's examine a simple YAML that creates a pod:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-app
  namespace: nsp1
  labels:
    app: app1
spec:
  containers:
  - name: nginx-app
    image: nginx
And the score is?
$ kube-score score pod.yaml
v1/Pod nginx-app in nsp1 💥
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · nginx-app -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Security Context User Group ID
        · nginx-app -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · nginx-app -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Resources
        · nginx-app -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · nginx-app -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · nginx-app -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · nginx-app -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Container Image Tag
        · nginx-app -> Image with latest tag
            Using a fixed tag is recommended to avoid accidental upgrades

As you can see, there are a lot of CRITICAL issues. Some of them are quite obvious, like the image tag or the resource limits. The security context, however, is not something people commonly set.
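Below is a hardened version of the same pod plus the NetworkPolicy the score asks for, added here as an example rather than taken from the post or from kube-score; it addresses each CRITICAL above (fixed image tag, requests and limits including ephemeral-storage, a securityContext with UID/GID above 10000 and a read-only root filesystem, and a policy that selects the pod by label). The concrete values (the nginxinc/nginx-unprivileged image and its 1.25.3 tag, UID/GID 10001, the resource sizes) are assumptions, and the grep-based pre-flight at the end only confirms the flagged fields are present before the manifest is handed to kube-score.

```shell
# Added example: hardened nginx-app Pod + NetworkPolicy. Image, tag, UID/GID
# and resource sizes are assumptions chosen to satisfy the kube-score checks.
hardened_pod_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx-app
  namespace: nsp1
  labels:
    app: app1
spec:
  containers:
  - name: nginx-app
    # Fixed, non-latest tag (Container Image Tag). The unprivileged image
    # listens on 8080 so it can run as a non-root user; the tag is assumed.
    image: nginxinc/nginx-unprivileged:1.25.3
    # A fixed tag defaults pullPolicy to IfNotPresent; set Always explicitly
    # or kube-score raises Container Image Pull Policy on this manifest.
    imagePullPolicy: Always
    ports:
    - containerPort: 8080
    resources:                      # Container Resources + Ephemeral Storage
      requests:
        cpu: 100m
        memory: 64Mi
        ephemeral-storage: 100Mi
      limits:
        cpu: 250m
        memory: 128Mi
        ephemeral-storage: 200Mi
    securityContext:                # User Group ID + ReadOnlyRootFilesystem
      runAsNonRoot: true
      runAsUser: 10001              # kube-score wants a value > 10000
      runAsGroup: 10001
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    # With a read-only root, nginx still needs one writable scratch dir;
    # the unprivileged image keeps its pid and temp files under /tmp.
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
---
# Pod NetworkPolicy: select the pod by its label and allow only 8080 in.
# Narrow the "from:" side to your real clients; omitted here, so any
# in-cluster source may reach 8080 and nothing else is admitted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-app
  namespace: nsp1
spec:
  podSelector:
    matchLabels:
      app: app1
  policyTypes: ["Ingress"]
  ingress:
  - ports:
    - protocol: TCP
      port: 8080
EOF
}

# Pre-flight: confirm every field the original score flagged is now present.
# Returns 0 when all required keys are found, 1 otherwise.
manifest_has_required_keys() {
  m="$(hardened_pod_manifest)"
  for key in 'readOnlyRootFilesystem: true' 'runAsUser: [1-9][0-9]{4,}' \
             'runAsGroup: [1-9][0-9]{4,}' 'ephemeral-storage:' 'limits:' \
             'requests:' 'kind: NetworkPolicy' 'imagePullPolicy: Always'; do
    printf '%s\n' "$m" | grep -Eq -- "$key" || return 1
  done
  # The image must carry an explicit version tag, not :latest or no tag.
  printf '%s\n' "$m" | grep -q 'image: .*:[0-9][0-9.]*$' || return 1
  return 0
}

# Typical use: write the manifest out and hand it to kube-score.
# hardened_pod_manifest > pod.yaml && kube-score score pod.yaml
```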
Let's move to a more complex example. I have minikube installed locally and I would like to check all the objects inside it. To do that, I executed the command below:

kubectl api-resources --verbs=list --namespaced -o name \
  | xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---" \
  | kube-score score -
Result?
apps/v1/DaemonSet kube-proxy in kube-system 💥
    [CRITICAL] Container Security Context Privileged
        · kube-proxy -> The container is privileged
            Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.
    [CRITICAL] Container Resources
        · kube-proxy -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · kube-proxy -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · kube-proxy -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · kube-proxy -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Security Context User Group ID
        · kube-proxy -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · kube-proxy -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-proxy -> The pod has a container with a writable root filesystem
            Set securityContext.readOnlyRootFilesystem to true
    [CRITICAL] Container Image Pull Policy
        · kube-proxy -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-proxy -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage

apps/v1/Deployment coredns in kube-system 💥
    [CRITICAL] Container Image Pull Policy
        · coredns -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · coredns -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · coredns -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · coredns -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Resources
        · coredns -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.

apps/v1/Deployment dashboard-metrics-scraper in kubernetes-dashboard 💥
    [CRITICAL] Container Image Pull Policy
        · dashboard-metrics-scraper -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · dashboard-metrics-scraper -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · dashboard-metrics-scraper -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · dashboard-metrics-scraper -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic. Without it, the Pod is risking to receive traffic before it has booted. It's also used during rollouts, and can prevent downtime if a new version of the application is failing. More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Resources
        · dashboard-metrics-scraper -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · dashboard-metrics-scraper -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · dashboard-metrics-scraper -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · dashboard-metrics-scraper -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory

apps/v1/Deployment kubernetes-dashboard in kubernetes-dashboard 💥
    [CRITICAL] Container Resources
        · kubernetes-dashboard -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · kubernetes-dashboard -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · kubernetes-dashboard -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · kubernetes-dashboard -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic. Without it, the Pod is risking to receive traffic before it has booted. It's also used during rollouts, and can prevent downtime if a new version of the application is failing. More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Image Pull Policy
        · kubernetes-dashboard -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kubernetes-dashboard -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kubernetes-dashboard -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · kubernetes-dashboard -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000

v1/Pod coredns-6d4b75cb6d-h9wkj in kube-system 💥
    [CRITICAL] Container Image Pull Policy
        · coredns -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · coredns -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · coredns -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · coredns -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Resources
        · coredns -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.

v1/Pod etcd-minikube in kube-system 💥
    [CRITICAL] Container Image Pull Policy
        · etcd -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · etcd -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · etcd -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · etcd -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · etcd -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Resources
        · etcd -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · etcd -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory

v1/Pod kube-apiserver-minikube in kube-system 💥
    [CRITICAL] Container Resources
        · kube-apiserver -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · kube-apiserver -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · kube-apiserver -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-apiserver -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Image Pull Policy
        · kube-apiserver -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-apiserver -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kube-apiserver -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · kube-apiserver -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000

v1/Pod kube-controller-manager-minikube in kube-system 💥
    [CRITICAL] Container Resources
        · kube-controller-manager -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · kube-controller-manager -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · kube-controller-manager -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Image Pull Policy
        · kube-controller-manager -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-controller-manager -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kube-controller-manager -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · kube-controller-manager -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-controller-manager -> Container has no configured security context
            Set securityContext to run the container in a more secure context.

v1/Pod kube-proxy-sdkbz in kube-system 💥
    [CRITICAL] Container Image Pull Policy
        · kube-proxy -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-proxy -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kube-proxy -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · kube-proxy -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-proxy -> The pod has a container with a writable root filesystem
            Set securityContext.readOnlyRootFilesystem to true
    [CRITICAL] Container Resources
        · kube-proxy -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · kube-proxy -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · kube-proxy -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · kube-proxy -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Security Context Privileged
        · kube-proxy -> The container is privileged
            Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.

v1/Pod kube-scheduler-minikube in kube-system 💥
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Resources
        · kube-scheduler -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · kube-scheduler -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · kube-scheduler -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Container Image Pull Policy
        · kube-scheduler -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kube-scheduler -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kube-scheduler -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · kube-scheduler -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · kube-scheduler -> Container has no configured security context
            Set securityContext to run the container in a more secure context.

v1/Pod storage-provisioner in kube-system 💥
    [CRITICAL] Container Resources
        · storage-provisioner -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · storage-provisioner -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · storage-provisioner -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · storage-provisioner -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Image Pull Policy
        · storage-provisioner -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · storage-provisioner -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · storage-provisioner -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · storage-provisioner -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · storage-provisioner -> Container has no configured security context
            Set securityContext to run the container in a more secure context.

v1/Pod dashboard-metrics-scraper-78dbd9dbf5-r778l in kubernetes-dashboard 💥
    [CRITICAL] Container Image Pull Policy
        · dashboard-metrics-scraper -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · dashboard-metrics-scraper -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · dashboard-metrics-scraper -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · dashboard-metrics-scraper -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Resources
        · dashboard-metrics-scraper -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · dashboard-metrics-scraper -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · dashboard-metrics-scraper -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · dashboard-metrics-scraper -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic. Without it, the Pod is risking to receive traffic before it has booted. It's also used during rollouts, and can prevent downtime if a new version of the application is failing. More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md

v1/Pod kubernetes-dashboard-5fd5574d9f-7ldj8 in kubernetes-dashboard 💥
    [CRITICAL] Container Image Pull Policy
        · kubernetes-dashboard -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · kubernetes-dashboard -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · kubernetes-dashboard -> The container is running with a low user ID
            A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
        · kubernetes-dashboard -> The container running with a low group ID
            A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
    [CRITICAL] Container Resources
        · kubernetes-dashboard -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · kubernetes-dashboard -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · kubernetes-dashboard -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · kubernetes-dashboard -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic. Without it, the Pod is risking to receive traffic before it has booted. It's also used during rollouts, and can prevent downtime if a new version of the application is failing. More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md

v1/Service kubernetes in default 💥
    [CRITICAL] Service Targets Pod
        · The services selector does not match any pods

v1/Service kube-dns in kube-system ✅

v1/Service dashboard-metrics-scraper in kubernetes-dashboard ✅

v1/Service kubernetes-dashboard in kubernetes-dashboard ✅
There are many issues, so it is really important to check your cluster before going to production.
Usage kube-score: list
To see which checks kube-score runs, execute the command below:

$ kube-score list
ingress-targets-service,Ingress,Makes sure that the Ingress targets a Service,default
cronjob-has-deadline,CronJob,Makes sure that all CronJobs has a configured deadline,default
container-resources,Pod,Makes sure that all pods have resource limits and requests set. The --ignore-container-cpu-limit flag can be used to disable the requirement of having a CPU limit,default
container-resource-requests-equal-limits,Pod,Makes sure that all pods have the same requests as limits on resources set.,optional
container-cpu-requests-equal-limits,Pod,Makes sure that all pods have the same CPU requests as limits set.,optional
container-memory-requests-equal-limits,Pod,Makes sure that all pods have the same memory requests as limits set.,optional
container-image-tag,Pod,Makes sure that a explicit non-latest tag is used,default
container-image-pull-policy,Pod,Makes sure that the pullPolicy is set to Always. This makes sure that imagePullSecrets are always validated.,default
container-ephemeral-storage-request-and-limit,Pod,Makes sure all pods have ephemeral-storage requests and limits set,default
container-ephemeral-storage-request-equals-limit,Pod,Make sure all pods have matching ephemeral-storage requests and limits,optional
container-ports-check,Pod,Container Ports Checks,optional
statefulset-has-poddisruptionbudget,StatefulSet,Makes sure that all StatefulSets are targeted by a PDB,default
deployment-has-poddisruptionbudget,Deployment,Makes sure that all Deployments are targeted by a PDB,default
poddisruptionbudget-has-policy,PodDisruptionBudget,Makes sure that PodDisruptionBudgets specify minAvailable or maxUnavailable,default
pod-networkpolicy,Pod,Makes sure that all Pods are targeted by a NetworkPolicy,default
networkpolicy-targets-pod,NetworkPolicy,Makes sure that all NetworkPolicies targets at least one Pod,default
pod-probes,Pod,Makes sure that all Pods have safe probe configurations,default
container-security-context-user-group-id,Pod,Makes sure that all pods have a security context with valid UID and GID set ,default
container-security-context-privileged,Pod,Makes sure that all pods have a unprivileged security context set,default
container-security-context-readonlyrootfilesystem,Pod,Makes sure that all pods have a security context with read only filesystem set,default
container-seccomp-profile,Pod,Makes sure that all pods have at a seccomp policy configured.,optional
service-targets-pod,Service,Makes sure that all Services targets a Pod,default
service-type,Service,Makes sure that the Service type is not NodePort,default
stable-version,all,Checks if the object is using a deprecated apiVersion,default
deployment-has-host-podantiaffinity,Deployment,Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/,default
statefulset-has-host-podantiaffinity,StatefulSet,Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/,default
deployment-targeted-by-hpa-does-not-have-replicas-configured,Deployment,Makes sure that Deployments using a HorizontalPodAutoscaler doesn't have a statically configured replica count set,default
statefulset-has-servicename,StatefulSet,Makes sure that StatefulSets have an existing headless serviceName.,default
deployment-pod-selector-labels-match-template-metadata-labels,Deployment,Ensure the StatefulSet selector labels match the template metadata labels.,default
statefulset-pod-selector-labels-match-template-metadata-labels,StatefulSet,Ensure the StatefulSet selector labels match the template metadata labels.,default
label-values,all,Validates label values,default
horizontalpodautoscaler-has-target,HorizontalPodAutoscaler,Makes sure that the HPA targets a valid object,default
This is a CSV table with the following columns:
- ID: the machine-readable name of the check. This is the value you use in the kube-score/ignore and kube-score/enable annotations and with --enable-optional-test.
- Target: the object kind the check applies to (Pod, Deployment, StatefulSet, Service, ... or all). Pod checks also run against the pod template of Deployments, StatefulSets and CronJobs, which is why a Deployment is reported for missing resource limits.
- Description: what the check verifies
- Enabled: whether the check is default (always run) or optional (run only when explicitly enabled)
Personally I prefer the markdown version of this list, available here.
Configuration
Configuration is mostly about which checks are executed and how the output should look. Unfortunately there is no configuration file: everything is driven by command-line flags and per-object annotations. I prefer configuration files, but there is still some room for steering how kube-score runs:
- verbosity (-v, --verbose): verbose output; can be set multiple times for increased verbosity
- kubernetes-version (--kubernetes-version): this really matters, because some checks depend on the target version (which apiVersions count as deprecated, for example)
- output-format (-o, --output-format): I really like this option. There are three formats:
  - human: for the CLI (default)
  - ci: one line per result, for pipelines
  - json: for programmatic consumption
For example, with the ci format:
$ kube-score score prometheus-deployment.yml -o ci
[WARNING] prometheus-deployment/monitoring extensions/v1beta1/Deployment: The apiVersion and kind extensions/v1beta1/Deployment is deprecated
[OK] prometheus-deployment/monitoring extensions/v1beta1/Deployment
[OK] prometheus-deployment/monitoring extensions/v1beta1/Deployment
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: The pod does not have a matching NetworkPolicy
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: Container is missing a readinessProbe
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) ImagePullPolicy is not set to Always
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Ephemeral Storage limit is not set
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Container has no configured security context
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Container has no configured security context
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) CPU limit is not set
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Memory limit is not set
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) CPU request is not set
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) Memory request is not set
[OK] prometheus-deployment/monitoring extensions/v1beta1/Deployment
[OK] prometheus-service/monitoring v1/Service
[OK] prometheus-service/monitoring v1/Service
[OK] prometheus-service/monitoring v1/Service
[WARNING] prometheus-service/monitoring v1/Service: The service is of type NodePort
- selecting the checks to execute: there are two kinds of checks, default and optional. Additionally, you can ignore or enable individual checks per object, at the annotation level (the values are the check IDs from kube-score list):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment   # object names must be DNS-compliant, so no underscores here
  labels:
    app: my_app
  annotations:
    kube-score/ignore: pod-networkpolicy,container-resources,container-security-context-user-group-id,container-ephemeral-storage-request-and-limit
    kube-score/enable: container-seccomp-profile
# spec omitted for brevity; only the annotations matter for this example
On the command line you can additionally steer this behaviour with the following parameters:

--disable-ignore-checks-annotations     Set to true to disable the effect of the 'kube-score/ignore' annotations
--disable-optional-checks-annotations   Set to true to disable the effect of the 'kube-score/enable' annotations
--enable-optional-test strings          Enable an optional test, can be set multiple times
This approach lets me choose which checks matter to me and which do not, although the lack of a configuration file for selecting checks is annoying. One caveat for CI: a kube-score/ignore annotation lives in the manifest under review, so whoever can edit the manifest can also silence a check. If the pipeline rather than the manifest author should decide what is ignored, run kube-score with --disable-ignore-checks-annotations there.
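As an added example (my own script, not part of kube-score or of the original post), the following POSIX shell wrapper ties the two topics above together: it builds the check-selection flags from a small config file kept in the repository, which is the configuration-file layer kube-score itself lacks, and it parses the -o ci output into a pipeline gate with a summary and a per-object list of failures. Assumptions: the config format (enable/ignore/k8s directives) is invented here; --enable-optional-test, --kubernetes-version and -o ci are the flags shown on this page, while --ignore-test is kube-score's flag for disabling a default check and is not shown above (confirm with kube-score score --help for your version). The sample ci output embedded in the script is constructed from the run above.

```shell
#!/bin/sh
# Added example: config-file-driven flags plus a CI gate for kube-score.
# Not part of kube-score or the original post. Config format is invented here:
#   enable <check-id>    run an optional check   (--enable-optional-test)
#   ignore <check-id>    skip a default check    (--ignore-test, see --help)
#   k8s <version>        target version, e.g. v1.24 (--kubernetes-version)
# Full-line comments start with '#'; blank lines are ignored.

# Translate the config file into kube-score flags. Values are restricted to
# [a-z0-9.-] so a bad config line cannot smuggle extra flags or paths in.
kube_score_args() {
    local conf key val args
    conf="$1"; args=''
    while read -r key val; do
        case "$key" in
            ''|'#'*) continue ;;
        esac
        case "$val" in
            ''|*[!a-z0-9.-]*)
                printf 'kube_score_args: bad value for "%s" in %s\n' "$key" "$conf" >&2
                return 2 ;;
        esac
        case "$key" in
            enable) args="$args --enable-optional-test $val" ;;
            ignore) args="$args --ignore-test $val" ;;
            k8s)    args="$args --kubernetes-version $val" ;;
            *)      printf 'kube_score_args: unknown directive "%s"\n' "$key" >&2; return 2 ;;
        esac
    done < "$conf"
    printf '%s\n' "${args# }"
}

# Read "-o ci" output on stdin, print a summary on stderr and return 1 if any
# CRITICAL line was seen (with "strict" as $1, also on WARNING). Each ci line
# looks like: [LEVEL] <name>/<namespace> <apiVersion>/<Kind>: <message>
kube_score_gate() {
    local line critical warning ok
    critical=0; warning=0; ok=0
    while IFS= read -r line; do
        case "$line" in
            '[CRITICAL]'*) critical=$((critical + 1)); printf '%s\n' "$line" >&2 ;;
            '[WARNING]'*)  warning=$((warning + 1));   printf '%s\n' "$line" >&2 ;;
            '[OK]'*)       ok=$((ok + 1)) ;;
        esac
    done
    printf 'kube-score: %d critical, %d warning, %d ok\n' "$critical" "$warning" "$ok" >&2
    [ "$critical" -eq 0 ] || return 1
    [ "${1:-}" != strict ] || [ "$warning" -eq 0 ] || return 1
    return 0
}

# Print each object with at least one CRITICAL finding, once.
kube_score_failing_objects() {
    sed -n 's/^\[CRITICAL\] \([^:]*\):.*/\1/p' | sort -u
}

# Run kube-score with the flags from the config and gate on the result:
#   KUBE_SCORE_STRICT=strict kube_score_run .kube-score.conf manifests/*.yaml
kube_score_run() {
    local conf flags
    conf="$1"; shift
    flags=$(kube_score_args "$conf") || return 2
    # shellcheck disable=SC2086  # word splitting of $flags is intended
    kube-score score -o ci $flags "$@" | kube_score_gate "${KUBE_SCORE_STRICT:-}"
}

# Constructed sample of "-o ci" output, trimmed from the run shown above.
KUBE_SCORE_SAMPLE='[WARNING] prometheus-deployment/monitoring extensions/v1beta1/Deployment: The apiVersion and kind extensions/v1beta1/Deployment is deprecated
[OK] prometheus-deployment/monitoring extensions/v1beta1/Deployment
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: The pod does not have a matching NetworkPolicy
[CRITICAL] prometheus-deployment/monitoring extensions/v1beta1/Deployment: (prometheus) CPU limit is not set
[OK] prometheus-service/monitoring v1/Service
[WARNING] prometheus-service/monitoring v1/Service: The service is of type NodePort'

# Offline demo: generate flags from a constructed config, list the failing
# objects, then gate the sample output (fails because of its CRITICAL lines).
kube_score_demo() {
    local tmp
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed sample config' 'k8s v1.24' \
        'enable container-seccomp-profile' 'ignore pod-networkpolicy' > "$tmp"
    kube_score_args "$tmp"
    rm -f "$tmp"
    printf '%s\n' "$KUBE_SCORE_SAMPLE" | kube_score_failing_objects
    printf '%s\n' "$KUBE_SCORE_SAMPLE" | kube_score_gate
}
```

To wire this into a pipeline, source the script, keep .kube-score.conf next to the manifests and run KUBE_SCORE_STRICT=strict kube_score_run .kube-score.conf manifests/*.yaml; if annotation-level ignores should not be honoured in CI, add --disable-ignore-checks-annotations to the kube-score line in kube_score_run. The value whitelist in kube_score_args is deliberate: the config file is repository content, so it must not be able to inject arbitrary flags or file paths into the command.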
Summary
Kube-score can help everyone analyse their Kubernetes manifests and find security and reliability issues before they reach the cluster. I really recommend it because it is easy to use and, moreover, it produces meaningful output.
More Info:
[…] kube-score […]