
PSRule for Kubernetes

A suite of rules to validate Kubernetes resources using PSRule.


Disclaimer

This project is to be considered a proof-of-concept and not a supported product.

For issues with rules and documentation please check our GitHub issues page. If you do not see your problem captured, please file a new issue and follow the provided template.

If you have any problems with the PSRule engine, please check the project GitHub issues page instead.

Getting the modules

This project requires the PSRule PowerShell module. Both modules can be downloaded and installed from the PowerShell Gallery.

Module                   Description                    Downloads / instructions
PSRule.Rules.Kubernetes  Validate Kubernetes resources  latest / instructions

Getting started

PSRule for Kubernetes provides two methods for analyzing Kubernetes resources:

  • Pre-flight - Before resources are deployed from a YAML manifest file.
  • In-flight - After resources are deployed to a Kubernetes cluster.

Offline with a manifest

Kubernetes resources can be validated within a YAML manifest file. To validate Kubernetes resources use the Invoke-PSRule cmdlet. PSRule natively supports reading objects from YAML files using the -InputPath parameter. The -InputPath parameter can be abbreviated to -f.

For example:

Invoke-PSRule -f service.yaml -Module PSRule.Rules.Kubernetes;

The input path can also be a URL to a YAML file. For example:

$sourceUrl = 'https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml';
Invoke-PSRule -f $sourceUrl -Module PSRule.Rules.Kubernetes;

The output of this example is:

   TargetName: azure-vote-back

RuleName                            Outcome    Recommendation
--------                            -------    --------------
Kubernetes.API.Removal              Fail       Consider updating resource deployments to use newer API endpoints prior…
Kubernetes.Metadata                 Fail       Consider applying recommended labels defined by Kubernetes.…
Kubernetes.Pod.PrivilegeEscalation  Fail       Containers should deny privilege escalation.
Kubernetes.Pod.Latest               Fail       Deployments or pods should identify a specific tag to use for container…
Kubernetes.Pod.Resources            Fail       Resource requirements are set for each container.
Kubernetes.Pod.Secrets              Pass       Use Kubernetes secrets to store information such as passwords or connec…
Kubernetes.Pod.Health               Fail       Containers should use liveness and readiness probes.
Kubernetes.Pod.Replicas             Fail       Consider increasing replicas to two or more to provide high availabilit…
Kubernetes.Metadata                 Fail       Consider applying recommended labels defined by Kubernetes.…

   TargetName: azure-vote-front

RuleName                            Outcome    Recommendation
--------                            -------    --------------
Kubernetes.API.Removal              Fail       Consider updating resource deployments to use newer API endpoints prior…
Kubernetes.Metadata                 Fail       Consider applying recommended labels defined by Kubernetes.…
Kubernetes.Pod.PrivilegeEscalation  Fail       Containers should deny privilege escalation.
Kubernetes.Pod.Latest               Pass       Deployments or pods should identify a specific tag to use for container…
Kubernetes.Pod.Resources            Fail       Resource requirements are set for each container.
Kubernetes.Pod.Secrets              Pass       Use Kubernetes secrets to store information such as passwords or connec…
Kubernetes.Pod.Health               Fail       Containers should use liveness and readiness probes.
Kubernetes.Pod.Replicas             Fail       Consider increasing replicas to two or more to provide high availabilit…
Kubernetes.Metadata                 Fail       Consider applying recommended labels defined by Kubernetes.…

Online with kubectl

Kubernetes resources can be validated directly from a cluster using the output from kubectl. To validate resources using kubectl, return the output as YAML with the -o yaml parameter.

For example:

kubectl get services -o yaml | Out-String | Invoke-PSRule -Format Yaml -ObjectPath items -Module PSRule.Rules.Kubernetes;

In the example above:

  • Out-String - is used to concatenate the output into a single string object.
  • -Format Yaml - indicates that the input is YAML.
  • -ObjectPath items - indicates that the input nests objects to evaluate under the items property.

Using baselines

PSRule for Kubernetes comes with the following baselines:

  • Kubernetes - Includes common Kubernetes rules. This is the default.
  • AKS - Includes all the rules from Kubernetes plus additional Azure Kubernetes Service (AKS) specific rules.

To use the AKS baseline instead of the default use Invoke-PSRule -Baseline AKS.

For example:

Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -Baseline AKS;

If -Baseline AKS is not specified, the default baseline Kubernetes will be used.

Additional options

To filter results to only failed rules, use Invoke-PSRule -Outcome Fail. Passed, failed and error results are shown by default.

For example:

# Only show failed results
Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -Outcome Fail;

A summary of results can be displayed by using Invoke-PSRule -As Summary.

For example:

# Display as summary results
Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -As Summary;

The output of this example is:

RuleName                            Pass  Fail  Outcome
--------                            ----  ----  -------
Kubernetes.API.Removal              0     2     Fail
Kubernetes.Metadata                 0     4     Fail
Kubernetes.Pod.PrivilegeEscalation  0     2     Fail
Kubernetes.Pod.Latest               1     1     Fail
Kubernetes.Pod.Resources            0     2     Fail
Kubernetes.Pod.Secrets              2     0     Pass
Kubernetes.Pod.Health               0     2     Fail
Kubernetes.Pod.Replicas             0     2     Fail
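The pre-flight method above, combined with the baseline and outcome options, is what a CI gate needs; the following script is an added example and not part of the PSRule.Rules.Kubernetes project. The directory name, the constructed sample manifest and the exit-code convention are assumptions; the result properties (TargetName, RuleName, Outcome, Recommendation) are those shown in the output above.

```powershell
# Added example, not part of the PSRule.Rules.Kubernetes project: a pre-flight gate that
# validates every YAML manifest in a directory with a chosen baseline and exits non-zero
# when any rule fails or errors, so a pipeline stops before kubectl apply.
# Assumes PSRule and PSRule.Rules.Kubernetes are installed from the PowerShell Gallery.
param(
    [string] $ManifestPath = './manifests',   # assumed directory of manifests
    [string] $Baseline = 'AKS'                # 'Kubernetes' (default) or 'AKS'
)

# When run standalone with no manifests present, write a constructed sample so there is
# something to evaluate. It deliberately omits probes, resources and a pinned image tag.
if (-not (Test-Path $ManifestPath)) {
    New-Item -ItemType Directory -Path $ManifestPath | Out-Null
    @'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  replicas: 1
  selector:
    matchLabels: { app: demo }
  template:
    metadata:
      labels: { app: demo }
    spec:
      containers:
      - name: demo
        image: nginx:latest
'@ | Set-Content -Path (Join-Path $ManifestPath 'demo.yaml')
}

# Evaluate each manifest. -InputPath (alias -f) accepts an array of files and -Format Yaml
# tells PSRule how to parse them.
$files = Get-ChildItem -Path $ManifestPath -Include '*.yaml', '*.yml' -Recurse | Select-Object -ExpandProperty FullName
$results = Invoke-PSRule -InputPath $files -Format Yaml -Module PSRule.Rules.Kubernetes -Baseline $Baseline

# Treat both failed rules and evaluation errors as blocking.
$blocking = @($results | Where-Object { $_.Outcome -in 'Fail', 'Error' })
$blocking | Select-Object TargetName, RuleName, Outcome, Recommendation | Format-Table -AutoSize

if ($blocking.Count -gt 0) {
    Write-Host "Pre-flight failed: $($blocking.Count) blocking result(s)."
    exit 1
}
Write-Host 'Pre-flight passed.'
exit 0
```

Run it as a pipeline step before any kubectl apply; the non-zero exit code is what stops the deployment.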

Rule reference

For a list of rules included in the PSRule.Rules.Kubernetes module see:

Changes and versioning

Modules in this repository will use the semantic versioning model to declare breaking changes from v1.0.0. Prior to v1.0.0, breaking changes may be introduced in minor (0.x.0) version increments. For a list of module changes please see the change log.

Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Pre-release versions should be considered experimental. Modules and change log details for pre-releases will be removed as standard releases are made available.

Contributing

This project welcomes contributions and suggestions. If you are ready to contribute, please visit the contribution guide.

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Maintainers

License

This project is licensed under the MIT License.


psrule.rules.kubernetes's Issues

Use multiple replicas

Rule request

Suggested rule change

Check if Deployment, ReplicaSet, StatefulSet use more than one replica.

Applies to the following

The rule applies to the following:

  • Resource kind: Deployment, ReplicaSet, StatefulSet

Use liveness and readiness probes

Rule request

Suggested rule change

Optionally liveness and readiness probes can be added to determine if a container is healthy.

Pod specs should use liveness and readiness probes to determine container state; otherwise Kubernetes may route traffic to a pod that has failed or is not ready to receive requests.

Applies to the following

The rule applies to the following:

  • Resource kind: Deployment, Pod, ReplicaSet

Check for removed APIs

Rule request

Suggested rule change

Kubernetes v1.16.0 removes support for deprecated APIs. Specifically:

  • NetworkPolicy resources will no longer be served from extensions/v1beta1; migrate to the networking.k8s.io/v1 API.
  • PodSecurityPolicy resources will no longer be served from extensions/v1beta1; migrate to the policy/v1beta1 API.
  • DaemonSet, Deployment, StatefulSet, and ReplicaSet resources will no longer be served from extensions/v1beta1, apps/v1beta1, or apps/v1beta2; migrate to the apps/v1 API.

Applies to the following

The rule applies to the following:

  • Resource kind: DaemonSet, Deployment, StatefulSet, ReplicaSet, NetworkPolicy, PodSecurityPolicy

Avoid using deprecated selector labels for v1.24

Rule request

Suggested rule change

Avoid using deprecated node selector labels because when they are removed from nodes they will no longer select any nodes.

A number are deprecated as of v1.24.0.

Applies to the following

The rule applies to the following:

  • Resource kind: Deployment, Pod, DaemonSet, StatefulSet, ReplicaSet, Job, CronJob

Additional context

Expand deployment rules to include pods and replica sets

The Kubernetes.Deployment.PrivilegeEscalation, Kubernetes.Deployment.NotLatestImage and Kubernetes.Deployment.ResourcesSet rules relate to pod spec configuration.

These rules should include standalone pods and replica sets that are not created using a deployment.

We should avoid flagging pods that are in a replica set or pods in a deployment (which also creates a replica set).

So, flag a deployment, or a standalone replica set, or a standalone pod.

This is also related to #12.

Update rule tags and baselines to select different rules

Description of the issue

Currently two baselines exist but they don't select different rules. Update rule tags and baselines to offer Kubernetes and AKS.


Module in use and version:

  • Module: PSRule.Rules.Kubernetes
  • Version: 0.1.0-B1912003

Use qualified target names

Kubernetes resource types often use similar names for different resource types, for example a service and a deployment may use the same name.

Although PSRule processes each object individually, it may be hard to determine which object failed in results.

PSRule v0.14.0 introduced qualified target names, which addresses this issue for Kubernetes resources.

Qualified names prefix the target name with the resource kind.
For example Service/azure-vote-back and Deployment/azure-vote-back.

Update documentation to use parent culture

PSRule v0.13.0 now supports using a parent culture for markdown documentation.

Update documentation files to use en instead of specific cultures by default.

Specific culture documentation files can be added as required.

Allow internal LB annotation

Description of the issue

The rule Kubernetes.AKS.PublicLoadBalancer fails any load balanced services. Actually, this should only apply to services that are not annotated.

The service.beta.kubernetes.io/azure-load-balancer-internal = 'true' annotation can be added to use an internal load balancer.


Module in use and version:

  • Module: PSRule.Rules.Kubernetes
  • Version: 0.1.0-B190521

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      6.2.3
PSEdition                      Core
GitCommitId                    6.2.3
OS                             Microsoft Windows 10.0.18363
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Migrate repository to Microsoft

Repository migration to Microsoft GitHub organization.

We are currently in the process of a planned migration of this project to the Microsoft organization.

Check if sensitive environment variables are used

Rule request

Suggested rule change

Environment variables can be specified in a pod spec. Technically these environment variables could contain sensitive information.

Sensitive information should not be added in plain text, use secrets instead.

Applies to the following

The rule applies to the following:

  • Resource kind: Deployment, Pod, ReplicaSet
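The probe check requested under "Use liveness and readiness probes" and the plain-text environment variable check requested here can both be expressed as PSRule rules; the file below is an added example and not part of the PSRule.Rules.Kubernetes module. The rule names, the Get-PodSpec helper (defined in the rule file) and the sensitive-name pattern are assumptions made for this illustration.

```powershell
# Added example, not part of the PSRule.Rules.Kubernetes module: a custom rule file
# (save as e.g. Custom.Rule.ps1) implementing the liveness/readiness probe check and the
# plain-text sensitive environment variable check requested in these issues. The rule
# names, the Get-PodSpec helper and the sensitive-name pattern are assumptions.

# Return the pod spec for a Pod, or the pod template spec for a Deployment or ReplicaSet.
function Get-PodSpec {
    param($Resource)
    if ($Resource.kind -eq 'Pod') { return $Resource.spec }
    return $Resource.spec.template.spec
}

# Synopsis: Containers should use liveness and readiness probes.
Rule 'Custom.Pod.Health' -If { $TargetObject.kind -in 'Deployment', 'Pod', 'ReplicaSet' } {
    Recommend 'Containers should use liveness and readiness probes.'
    $missing = @()
    foreach ($c in (Get-PodSpec $TargetObject).containers) {
        if ($Null -eq $c.livenessProbe)  { $missing += "$($c.name): livenessProbe" }
        if ($Null -eq $c.readinessProbe) { $missing += "$($c.name): readinessProbe" }
    }
    # A rule passes only when every emitted value is $True; emit one boolean per object.
    $missing.Count -eq 0
}

# Synopsis: Sensitive values should be supplied from secrets, not plain-text env values.
Rule 'Custom.Pod.SecretEnv' -If { $TargetObject.kind -in 'Deployment', 'Pod', 'ReplicaSet' } {
    Recommend 'Use Kubernetes secrets to store information such as passwords or connection strings.'
    # Assumed pattern of environment variable names that usually carry sensitive values.
    $sensitive = 'PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CONNECTION_?STRING'
    $plainText = @()
    foreach ($c in (Get-PodSpec $TargetObject).containers) {
        foreach ($e in $c.env) {
            # A literal value is plain text; valueFrom.secretKeyRef pulls from a Secret and is fine.
            if ($e.name -match $sensitive -and $Null -ne $e.value) {
                $plainText += "$($c.name): $($e.name)"
            }
        }
    }
    $plainText.Count -eq 0
}
```

With the file in the current directory, `Invoke-PSRule -InputPath ./deployment.yaml -Format Yaml` picks up `*.Rule.ps1` files automatically; add `-Module PSRule.Rules.Kubernetes` to run the module's rules alongside them.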

Rename deployment rules to relate to pods

The rules Kubernetes.Deployment.PrivilegeEscalation, Kubernetes.Deployment.NotLatestImage and Kubernetes.Deployment.ResourcesSet actually refer to pod spec settings so should reflect this in the naming of the rules.

Rename Kubernetes.API.Removal to handle future API deprecations

Rule request

Suggested rule change

As Kubernetes API endpoints become generally available, older beta and alpha endpoints are deprecated. As this is expected to continue in the future with each release, it makes more sense to group deprecation into version specific rules, instead of continually growing Kubernetes.API.Removal and adding complexity.

So let's rename the rule Kubernetes.API.Removal to Kubernetes.API.v1.16, with the intent that Kubernetes.API.v1.16 indicates the deprecated APIs are no longer served from version v1.16.0.

Additional context

#38 #39

Update CI pipeline to use PS 7.0

PowerShell 7.0 is now GA. Currently the pipeline only builds against VM configuration instead of docker images.

CI pipeline should be updated to run against different PS configurations.

Additionally, the CI pipeline needs to fix a build issue with YamlDotNet. (#44)

Binding configuration is not working

Description of the issue

Binding configuration does not appear to be working in unit tests. Binding should inherit from baseline instead of having to be configured via options.

Needs further investigation.
