
Getting better at writing Kubernetes manifests

· 13 min read
Stéphane ROBERT


Before deploying an application in Kubernetes you have to write manifests, and if you have already tried it you know how tedious it can be. Most of the resources you find on the internet do not follow good practices: limiting resources, preventing a container from running as root, or declaring a livenessProbe and a readinessProbe.

Some resources

Given the lack of resources in French, and while I write some, I suggest you go through a few links (in English):

Analysis tools

There are analysis tools that can help us improve. We will reuse the manifests written a few days ago for the sidecars. I paste everything into a single file, manifest.yml, to simplify the commands that follow. The bad practices and omissions will be documented in upcoming posts.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: monapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: monapp
  template:
    metadata:
      labels:
        app: monapp
    spec:
      containers:
        - image: artefacts.robert.local/monapp:0.1
          name: monapp
          resources:
            requests:
              memory: "64Mi"
              cpu: "125m"
            limits:
              memory: "128Mi"
              cpu: "250m"
          command: ["gunicorn"]
          args: ["--bind","0.0.0.0:5000","mainapp:app"]
          volumeMounts:
            - mountPath: /app/static
              name: static
        - image: nginx:1.21-alpine
          name: nginx
          ports:
            - containerPort: 443
          resources:
            requests:
              cpu: 200m
              memory: 256Mi
            limits:
              cpu: 300m
              memory: 512Mi
          volumeMounts:
            - mountPath: /etc/nginx/conf.d
              name: conf
            - mountPath: /app/static
              name: static
      volumes:
        - name: conf
          configMap:
            name: monapp-nginx
        - name: static
          emptyDir: {}
---
kind: Service
apiVersion: v1
metadata:
  name: monapp-service
  labels:
    app: monapp
spec:
  selector:
    app: monapp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: ClusterIP
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: app
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: monapp.robert.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: monapp-service
                port:
                  number: 5000

Kube-score

Kube-score analyses manifests statically, before they are deployed. Kube-score exists as a kubectl plugin; to install it you first need krew. Nothing simpler with asdf:

asdf plugin add krew
asdf install krew latest
asdf global krew latest

kubectl krew install score

Let's run it on our manifest:

kubectl score score manifests.yml
apps/v1/Deployment app 💥
[CRITICAL] Pod NetworkPolicy
· The pod does not have a matching NetworkPolicy
Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod.
Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster
to have an effect.
[CRITICAL] Pod Probes
· Container is missing a readinessProbe
A readinessProbe should be used to indicate when the service is ready to receive traffic.
Without it, the Pod is risking to receive traffic before it has booted. It's also used during rollouts, and can
prevent downtime if a new version of the application is failing.
More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
· monapp -> Container has no configured security context
Set securityContext to run the container in a more secure context.
· nginx -> Container has no configured security context
Set securityContext to run the container in a more secure context.
[CRITICAL] Container Image Pull Policy
· monapp -> ImagePullPolicy is not set to Always
It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
· nginx -> ImagePullPolicy is not set to Always
It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
networking.k8s.io/v1/Ingress app ✅
v1/Service monapp-service ✅

We can see it returns a few recommendations:

  • NetworkPolicy: a NetworkPolicy specifies whether pods are allowed to communicate with each other, inbound (Ingress) and outbound (Egress).
  • Probes: probes detect when the pod is ready at startup, but also when it has gone down. Be careful to write them correctly, to avoid a container restarting endlessly or, worse, bringing down the whole cluster.
  • Container Security Context: a security context defines the privilege and access-control settings for a pod or a container.
  • Container Image Pull Policy: defines when an image must be pulled.
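The NetworkPolicy kube-score asks for, as an added example that is not part of the original post. It assumes the objects live in a namespace named monapp, that the Traefik ingress controller runs in kube-system with the pod label app.kubernetes.io/name: traefik (as on k3s), that the cluster sets the kubernetes.io/metadata.name label on namespaces, and that the nginx sidecar's container port is declared with name: https.

```yaml
# Added example, not from the original post. Selecting the monapp pods with
# both policy types turns everything not listed below into a deny, which is
# the default-deny posture kube-score is after. Only enforced if the CNI
# implements NetworkPolicy. Namespace and labels are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: monapp
  namespace: monapp            # assumed namespace of the Deployment
spec:
  podSelector:
    matchLabels:
      app: monapp              # must match the pod template labels, not the Deployment's
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller may reach the nginx sidecar, on its named
    # port (assumed to be declared as "name: https" on the container).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik   # assumed Traefik pod label
      ports:
        - protocol: TCP
          port: https
  egress:
    # Name resolution only; add one rule per backend (database, etc.) the
    # application really needs rather than leaving egress open.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # CoreDNS label on k3s and kubeadm clusters
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply it and re-run kubectl score score: the [CRITICAL] Pod NetworkPolicy finding only disappears when the policy's podSelector matches the pod template's labels.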

Popeye

Popeye is a CLI that scans your Kubernetes cluster and reports potential issues with the deployed configurations.

To install it, nothing simpler with asdf:

asdf plugin add popeye
asdf install popeye v0.10.1
asdf global popeye v0.10.1

Popeye has plenty of options; a quick --help will help you. Example: running the scan on a single namespace:

popeye --namespace monapp

___ ___ _____ _____ K .-'-.
| _ \___| _ \ __\ \ / / __| 8 __| `\
| _/ _ \ _/ _| \ V /| _| s `-,-`--._ `\
|_| \___/_| |___| |_| |___| [] .->' a `|-'
Biffs`em and Buffs`em! `=/ (__/_ /
\_, ` _)
`----; |


GENERAL [DEFAULT]
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Connectivity...................................................................................✅
· MetricServer...................................................................................✅


CLUSTER (1 SCANNED) 💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Version........................................................................................
[POP-406] K8s version OK.


CLUSTERROLES (70 SCANNED) 💥 0 😱 0 🔊 17 ✅ 53 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· admin..........................................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· cluster-admin..................................................................................
· edit...........................................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· k3s-cloud-controller-manager...................................................................✅
· local-path-provisioner-role....................................................................
· polaris........................................................................................
· system:aggregate-to-admin......................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:aggregate-to-edit.......................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:aggregate-to-view.......................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:aggregated-metrics-reader...............................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:auth-delegator..........................................................................
· system:basic-user..............................................................................
· system:certificates.k8s.io:certificatesigningrequests:nodeclient...............................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:certificates.k8s.io:certificatesigningrequests:selfnodeclient...........................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:certificates.k8s.io:kube-apiserver-client-approver......................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:certificates.k8s.io:kube-apiserver-client-kubelet-approver..............................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:certificates.k8s.io:kubelet-serving-approver............................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:certificates.k8s.io:legacy-unknown-approver.............................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:controller:attachdetach-controller......................................................
· system:controller:certificate-controller.......................................................✅
· system:controller:clusterrole-aggregation-controller...........................................✅
· system:controller:cronjob-controller...........................................................✅
· system:controller:daemon-set-controller........................................................
· system:controller:deployment-controller........................................................
· system:controller:disruption-controller........................................................
· system:controller:endpoint-controller..........................................................
· system:controller:endpointslice-controller.....................................................✅
· system:controller:endpointslicemirroring-controller............................................
· system:controller:ephemeral-volume-controller..................................................
· system:controller:expand-controller............................................................
· system:controller:generic-garbage-collector....................................................
· system:controller:horizontal-pod-autoscaler....................................................
· system:controller:job-controller...............................................................✅
· system:controller:namespace-controller.........................................................✅
· system:controller:node-controller..............................................................
· system:controller:persistent-volume-binder.....................................................✅
· system:controller:pod-garbage-collector........................................................
· system:controller:pv-protection-controller.....................................................✅
· system:controller:pvc-protection-controller....................................................
· system:controller:replicaset-controller........................................................
· system:controller:replication-controller.......................................................✅
· system:controller:resourcequota-controller.....................................................✅
· system:controller:root-ca-cert-publisher.......................................................✅
· system:controller:route-controller.............................................................✅
· system:controller:service-account-controller...................................................✅
· system:controller:service-controller...........................................................✅
· system:controller:statefulset-controller.......................................................✅
· system:controller:ttl-after-finished-controller................................................
· system:controller:ttl-controller...............................................................✅
· system:coredns.................................................................................✅
· system:discovery...............................................................................✅
· system:heapster................................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:k3s-controller..........................................................................
· system:kube-aggregator.........................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:kube-controller-manager.................................................................✅
· system:kube-dns................................................................................
· system:kube-scheduler..........................................................................
· system:kubelet-api-admin.......................................................................✅
· system:metrics-server..........................................................................
· system:monitoring..............................................................................
· system:node....................................................................................
· system:node-bootstrapper.......................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:node-problem-detector...................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:node-proxier............................................................................
· system:persistent-volume-provisioner...........................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· system:public-info-viewer......................................................................
· system:service-account-issuer-discovery........................................................
· system:volume-scheduler........................................................................
· traefik........................................................................................
· view...........................................................................................✅


CLUSTERROLEBINDINGS (55 SCANNED) 💥 0 😱 0 🔊 0 ✅ 55 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· cluster-admin..................................................................................
· helm-kube-system-traefik.......................................................................✅
· helm-kube-system-traefik-crd...................................................................✅
· k3s-cloud-controller-manager...................................................................✅
· kube-apiserver-kubelet-admin...................................................................✅
· local-path-provisioner-bind....................................................................
· metrics-server:system:auth-delegator...........................................................✅
· polaris........................................................................................
· polaris-view...................................................................................✅
· system:basic-user..............................................................................
· system:controller:attachdetach-controller......................................................
· system:controller:certificate-controller.......................................................✅
· system:controller:clusterrole-aggregation-controller...........................................✅
· system:controller:cronjob-controller...........................................................✅
· system:controller:daemon-set-controller........................................................
· system:controller:deployment-controller........................................................
· system:controller:disruption-controller........................................................
· system:controller:endpoint-controller..........................................................
· system:controller:endpointslice-controller.....................................................✅
· system:controller:endpointslicemirroring-controller............................................
· system:controller:ephemeral-volume-controller..................................................
· system:controller:expand-controller............................................................
· system:controller:generic-garbage-collector....................................................
· system:controller:horizontal-pod-autoscaler....................................................
· system:controller:job-controller...............................................................✅
· system:controller:namespace-controller.........................................................✅
· system:controller:node-controller..............................................................
· system:controller:persistent-volume-binder.....................................................✅
· system:controller:pod-garbage-collector........................................................
· system:controller:pv-protection-controller.....................................................✅
· system:controller:pvc-protection-controller....................................................
· system:controller:replicaset-controller........................................................
· system:controller:replication-controller.......................................................✅
· system:controller:resourcequota-controller.....................................................✅
· system:controller:root-ca-cert-publisher.......................................................✅
· system:controller:route-controller.............................................................✅
· system:controller:service-account-controller...................................................✅
· system:controller:service-controller...........................................................✅
· system:controller:statefulset-controller.......................................................✅
· system:controller:ttl-after-finished-controller................................................
· system:controller:ttl-controller...............................................................✅
· system:coredns.................................................................................✅
· system:discovery...............................................................................✅
· system:k3s-controller..........................................................................
· system:kube-controller-manager.................................................................✅
· system:kube-dns................................................................................
· system:kube-scheduler..........................................................................
· system:metrics-server..........................................................................
· system:monitoring..............................................................................
· system:node....................................................................................
· system:node-proxier............................................................................
· system:public-info-viewer......................................................................
· system:service-account-issuer-discovery........................................................
· system:volume-scheduler........................................................................
· traefik........................................................................................


CONFIGMAPS (1 SCANNED) 💥 0 😱 0 🔊 1 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· monapp/kube-root-ca.crt........................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.


DAEMONSETS (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


DEPLOYMENTS (1 SCANNED) 💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· monapp/app.....................................................................................💥
💥 [POP-501] Unhealthy 1 desired but have 0 available.
🐳 nginx
🔊 [POP-108] Unnamed port 443.


HORIZONTALPODAUTOSCALERS (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


INGRESSES (1 SCANNED) 💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· monapp/app.....................................................................................✅


NAMESPACES (6 SCANNED) 💥 0 😱 0 🔊 5 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· default........................................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· dsn160.........................................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· kube-node-lease................................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· kube-public....................................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· kube-system....................................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.
· monapp.........................................................................................✅


NETWORKPOLICIES (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


PERSISTENTVOLUMES (1 SCANNED) 💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· postgres-pv-volume.............................................................................✅


PERSISTENTVOLUMECLAIMS (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


PODS (1 SCANNED) 💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· monapp/app-55977d595f-gsl7m....................................................................💥
💥 [POP-207] Pod is in an unhappy phase (Pending).
🔊 [POP-206] No PodDisruptionBudget defined.
😱 [POP-300] Using "default" ServiceAccount.
😱 [POP-301] Connects to API Server? ServiceAccount token is mounted.
😱 [POP-302] Pod could be running as root user. Check SecurityContext/Image.
🐳 monapp
💥 [POP-203] Pod is waiting [0/2] ContainerCreating.
😱 [POP-102] No probes defined.
😱 [POP-306] Container could be running as root user. Check SecurityContext/Image.
🐳 nginx
💥 [POP-203] Pod is waiting [0/2] ContainerCreating.
😱 [POP-102] No probes defined.
🔊 [POP-108] Unnamed port 443.
😱 [POP-306] Container could be running as root user. Check SecurityContext/Image.


PODDISRUPTIONBUDGETS (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


PODSECURITYPOLICIES (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


REPLICASETS (1 SCANNED) 💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· monapp/app-55977d595f..........................................................................💥
💥 [POP-1120] Unhealthy ReplicaSet 1 desired but have 0 ready.


ROLES (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


ROLEBINDINGS (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


SECRETS (1 SCANNED) 💥 0 😱 0 🔊 1 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· monapp/default-token-dpncn.....................................................................🔊
🔊 [POP-400] Used? Unable to locate resource reference.


SERVICES (1 SCANNED) 💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· monapp/monapp-service..........................................................................💥
💥 [POP-1106] No target ports match service port TCP::80.
💥 [POP-1105] No associated endpoints.


SERVICEACCOUNTS (1 SCANNED) 💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· monapp/default.................................................................................✅


STATEFULSETS (0 SCANNED) 💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· Nothing to report.


SUMMARY
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
Your cluster score: 81 -- B
o .-'-.
o __| B `\
o `-,-`--._ `\
[] .->' a `|-'
`=/ (__/_ /
\_, ` _)
`----; |

Quite a lot of findings are reported; they are documented here.
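Objects that answer the Popeye findings above (POP-300 and POP-301 on the default ServiceAccount and its mounted token, POP-108 on the unnamed port, POP-1106 and POP-1105 on a Service port that matches no container port), as an added example that is not part of the original post. It assumes the namespace monapp, that the nginx sidecar is the pod's entry point with its container port declared as name: https, and a TLS Secret whose name monapp-tls is a placeholder.

```yaml
# Added example, not from the original post. A dedicated ServiceAccount with
# no token projected into the pod (the app never calls the API server); the
# pod spec must reference it with "serviceAccountName: monapp". The namespace
# "monapp" and the Secret name "monapp-tls" are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monapp
  namespace: monapp
automountServiceAccountToken: false
---
apiVersion: v1
kind: Service
metadata:
  name: monapp-service
  namespace: monapp
  labels:
    app: monapp
spec:
  type: ClusterIP
  selector:
    app: monapp
  ports:
    - name: https
      protocol: TCP
      port: 443
      # Resolved against the container port named "https" on the nginx
      # sidecar, so the Service and the Deployment cannot drift apart the way
      # the original 80 -> 80 mapping did while gunicorn listened on 5000.
      targetPort: https
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: monapp
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - hosts:
        - monapp.robert.local
      secretName: monapp-tls   # kubernetes.io/tls Secret, created separately (placeholder name)
  rules:
    - host: monapp.robert.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: monapp-service
                port:
                  name: https    # the Service port, not the gunicorn port 5000
```

Whether Traefik must itself speak TLS to the sidecar depends on the nginx ConfigMap, which the post does not show. POP-206 (no PodDisruptionBudget) is moot with a single replica: a budget would only block node drains.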

Polaris

Polaris, my favourite of the three, can be deployed on a Kubernetes cluster but also works as a command-line tool. I prefer the second option: nothing worse than exposing flaws that could be exploited!

Installation is done with asdf:

asdf plugin add polaris
asdf install polaris 7.1.4
asdf global polaris 7.1.4

To run the analysis:

polaris audit --audit-path manifests.yml --format pretty


Polaris audited Path manifests.yml at 2021-12-07T12:43:28Z
Nodes: 0 | Namespaces: 0 | Controllers: 1
Final score: 69

Deployment app
hostIPCSet 🎉 Success
Security - Host IPC is not configured
hostNetworkSet 🎉 Success
Security - Host network is not configured
hostPIDSet 🎉 Success
Security - Host PID is not configured
Container monapp
pullPolicyNotAlways 😬 Warning
Reliability - Image pull policy should be "Always"
readinessProbeMissing 😬 Warning
Reliability - Readiness probe should be configured
tagNotSpecified 🎉 Success
Reliability - Image tag is specified
hostPortSet 🎉 Success
Security - Host port is not configured
livenessProbeMissing 😬 Warning
Reliability - Liveness probe should be configured
memoryRequestsMissing 🎉 Success
Efficiency - Memory requests are set
runAsRootAllowed 😬 Warning
Security - Should not be allowed to run as root
cpuLimitsMissing 🎉 Success
Efficiency - CPU limits are set
dangerousCapabilities 🎉 Success
Security - Container does not have any dangerous capabilities
insecureCapabilities 😬 Warning
Security - Container should not have insecure capabilities
memoryLimitsMissing 🎉 Success
Efficiency - Memory limits are set
notReadOnlyRootFilesystem 😬 Warning
Security - Filesystem should be read only
privilegeEscalationAllowed ❌ Danger
Security - Privilege escalation should not be allowed
cpuRequestsMissing 🎉 Success
Efficiency - CPU requests are set
runAsPrivileged 🎉 Success
Security - Not running as privileged

Container nginx
tagNotSpecified 🎉 Success
Reliability - Image tag is specified
hostPortSet 🎉 Success
Security - Host port is not configured
privilegeEscalationAllowed ❌ Danger
Security - Privilege escalation should not be allowed
memoryRequestsMissing 🎉 Success
Efficiency - Memory requests are set
pullPolicyNotAlways 😬 Warning
Reliability - Image pull policy should be "Always"
runAsPrivileged 🎉 Success
Security - Not running as privileged
runAsRootAllowed 😬 Warning
Security - Should not be allowed to run as root
cpuLimitsMissing 🎉 Success
Efficiency - CPU limits are set
insecureCapabilities 😬 Warning
Security - Container should not have insecure capabilities
memoryLimitsMissing 🎉 Success
Efficiency - Memory limits are set
readinessProbeMissing 😬 Warning
Reliability - Readiness probe should be configured
livenessProbeMissing 😬 Warning
Reliability - Liveness probe should be configured
notReadOnlyRootFilesystem 😬 Warning
Security - Filesystem should be read only
cpuRequestsMissing 🎉 Success
Efficiency - CPU requests are set
dangerousCapabilities 🎉 Success
Security - Container does not have any dangerous capabilities


Service monapp-service

Ingress app
tlsSettingsMissing 😬 Warning
Security - Ingress does not have TLS configured

If your application is already deployed, you can display the result directly on a nice web page, with links explaining how to fix each shortcoming:

polaris dashboard --port 8081


To get an explanation of how to satisfy a rule, just click the question mark next to it.

Note that some rules can only be used if certain conditions are met. For example, run as root requires your container to use a user identified as not having those rights!
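The same Deployment rewritten to clear the Polaris warnings above (and, with it, the probe, pull-policy and security-context findings of kube-score), as an added example that is not code from the original post. Its assumptions are marked in the comments: a placeholder uid 1000 for the monapp image, which is assumed to declare no USER, an nginx ConfigMap that listens on 8443 so that no capability is needed to bind the port, and a /healthz endpoint in the application for the HTTP probes.

```yaml
# Added example, not from the original post: the Deployment rewritten so that
# the Polaris warnings and dangers go away. Assumptions: the monapp image has
# no USER directive, so uid 1000 is imposed here (placeholder); the
# monapp-nginx ConfigMap makes nginx listen on 8443, because binding 443 as a
# non-root user would need NET_BIND_SERVICE, which Polaris counts as insecure;
# gunicorn serves a /healthz endpoint (assumed) for the HTTP probes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: monapp
  labels:
    app: monapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: monapp
  template:
    metadata:
      labels:
        app: monapp
    spec:
      automountServiceAccountToken: false   # the app never calls the API server
      securityContext:
        runAsNonRoot: true      # the kubelet refuses to start a container whose uid resolves to 0
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: monapp
          image: artefacts.robert.local/monapp:0.1
          imagePullPolicy: Always
          command: ["gunicorn"]
          args: ["--bind", "0.0.0.0:5000", "mainapp:app"]
          securityContext:
            runAsUser: 1000     # placeholder; needed when the image declares no non-root USER
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            httpGet: {path: /healthz, port: 5000}
            periodSeconds: 5
          livenessProbe:
            httpGet: {path: /healthz, port: 5000}
            initialDelaySeconds: 15
            periodSeconds: 20
            failureThreshold: 3 # tolerate slow answers; a restart loop is worse than a slow pod
          resources:
            requests: {memory: "64Mi", cpu: "125m"}
            limits: {memory: "128Mi", cpu: "250m"}
          volumeMounts:
            - {mountPath: /app/static, name: static}
        - name: nginx
          image: nginx:1.21-alpine
          imagePullPolicy: Always
          ports:
            - name: https
              containerPort: 8443
          securityContext:
            runAsUser: 101      # the "nginx" user shipped in the official image
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            tcpSocket: {port: https}
            periodSeconds: 5
          livenessProbe:
            tcpSocket: {port: https}
            initialDelaySeconds: 10
            periodSeconds: 20
          resources:
            requests: {cpu: 200m, memory: 256Mi}
            limits: {cpu: 300m, memory: 512Mi}
          volumeMounts:
            - {mountPath: /etc/nginx/conf.d, name: conf}
            - {mountPath: /app/static, name: static}
            # nginx writes its pid file and temp buffers here; with a read-only
            # root filesystem they have to be writable volumes.
            - {mountPath: /var/cache/nginx, name: nginx-cache}
            - {mountPath: /var/run, name: nginx-run}
      volumes:
        - name: conf
          configMap: {name: monapp-nginx}
        - name: static
          emptyDir: {}
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-run
          emptyDir: {}
```

Polaris cannot know which user an image actually runs as, which is why the explicit runAsUser together with runAsNonRoot is what satisfies both the tool and the kubelet at start-up.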

Regula

Regula is a more general-purpose tool designed with GitOps in mind. It is a static code analysis tool for Infrastructure as Code languages. I talk about it in this post.

Taking inspiration from Helm charts

Why not take inspiration from charts to improve? As an example we will take Bitnami's Postgres chart.

Installing Helm and the chart

asdf plugin add helm
asdf install helm latest
asdf global helm latest

helm repo add bitnami https://charts.bitnami.com/bitnami
helm fetch --untar bitnami/postgresql

You will find the chart in the postgresql directory.

cd postgresql
ls
Chart.yaml ci files manifests README.md templates values-production.yaml values.schema.json values.yaml

I advise you to read the README to enable certain rules such as networkPolicy. In the values file, change these lines:

networkPolicy:
  enabled: true

...

securityContext:
  enabled: true

Then just run the command that generates the manifests:

helm template -f values.yaml --output-dir ./manifests --namespace dsn160 .

All that's left is to browse the result in the ./manifests/postgresql/templates/ directory.

Happy reading.