
Getting better at writing Kubernetes manifests

· 13 minute read
Stéphane ROBERT
DevOps consultant

Before deploying an application to Kubernetes you have to write manifests, and if you have ever tried it you know how tedious it can be. Most of the examples you find online do not follow good practices: they do not limit resources, they let a container run as root, and they declare no livenessProbe or readinessProbe.

A few resources

Given the lack of French-language resources, and while waiting for them to be written, I suggest going through a few links (in English):

Analysis tools

There are analysis tools that can help us improve. We will reuse the manifests written a few days ago for the sidecars. I paste everything into a single file, manifests.yml, to simplify the commands that follow. The bad practices and omissions will be documented in upcoming posts.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: monapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: monapp
  template:
    metadata:
      labels:
        app: monapp
    spec:
      containers:
        - image: artefacts.robert.local/monapp:0.1
          name: monapp
          resources:
            requests:
              memory: "64Mi"
              cpu: "125m"
            limits:
              memory: "128Mi"
              cpu: "250m"
          command: ["gunicorn"]
          args: ["--bind","0.0.0.0:5000","mainapp:app"]
          volumeMounts:
          - mountPath: /app/static
            name: static
        - image: nginx:1.21-alpine
          name: nginx
          ports:
            - containerPort: 443
          resources:
            requests:
              cpu: 200m
              memory: 256Mi
            limits:
              cpu: 300m
              memory: 512Mi
          volumeMounts:
          - mountPath: /etc/nginx/conf.d
            name: conf
          - mountPath: /app/static
            name: static

      volumes:
      - name: conf
        configMap:
          name: monapp-nginx
      - name: static
        emptyDir: {}
---
kind: Service
apiVersion: v1
metadata:
  name: monapp-service
  labels:
    app: monapp
spec:
  selector:
    app: monapp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: ClusterIP
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: app
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: monapp.robert.local
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: monapp-service
              port:
                number: 5000

Kube-score

Kube-score analyses manifests statically, before they are deployed. It is available as a kubectl plugin; to install it you first need krew, which is easy with asdf:

asdf plugin add krew
asdf install krew latest
asdf global krew latest

kubectl krew install score

Run it on our manifest:

kubectl score score manifests.yml
apps/v1/Deployment app                                                        💥
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod.
            Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It's also used during rollouts, and can
            prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · monapp -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
        · nginx -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Image Pull Policy
        · monapp -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
        · nginx -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
networking.k8s.io/v1/Ingress app                                              ✅
v1/Service monapp-service                                                     ✅

We can see that it returns a few recommendations:

  • NetworkPolicy: a NetworkPolicy specifies whether pods are allowed to communicate with each other, inbound (Ingress) and outbound (Egress).
  • Probes: probes detect when a pod is ready at startup, but also when it has gone down. Be careful to write them correctly, otherwise a container may restart endlessly or, worse, bring down the whole cluster.
  • Container Security Context: a security context defines the privilege and access-control settings for a pod or a container.
  • Container Image Pull Policy: defines when an image should be pulled.

Popeye

Popeye is a CLI that scans your Kubernetes cluster and reports potential issues with the deployed configurations.

Installing it is easy with asdf:

asdf plugin add popeye
asdf install popeye v0.10.1
asdf global popeye v0.10.1

Popeye has plenty of options; a quick --help will guide you. Example: running the scan on a single namespace:

popeye --namespace monapp

 ___     ___ _____   _____                                                      K          .-'-.
| _ \___| _ \ __\ \ / / __|                                                      8     __|      `\
|  _/ _ \  _/ _| \ V /| _|                                                        s   `-,-`--._   `\
|_| \___/_| |___| |_| |___|                                                      []  .->'  a     `|-'
  Biffs`em and Buffs`em!                                                          `=/ (__/_       /
                                                                                    \_,    `    _)
                                                                                       `----;  |


GENERAL [DEFAULT]
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Connectivity...................................................................................✅
  · MetricServer...................................................................................✅


CLUSTER (1 SCANNED)                                                          💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Version........................................................................................✅
    ✅ [POP-406] K8s version OK.


CLUSTERROLES (70 SCANNED)                                                  💥 0 😱 0 🔊 17 ✅ 53 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · admin..........................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · cluster-admin..................................................................................✅
  · edit...........................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · k3s-cloud-controller-manager...................................................................✅
  · local-path-provisioner-role....................................................................✅
  · polaris........................................................................................✅
  · system:aggregate-to-admin......................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:aggregate-to-edit.......................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:aggregate-to-view.......................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:aggregated-metrics-reader...............................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:auth-delegator..........................................................................✅
  · system:basic-user..............................................................................✅
  · system:certificates.k8s.io:certificatesigningrequests:nodeclient...............................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:certificatesigningrequests:selfnodeclient...........................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:kube-apiserver-client-approver......................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:kube-apiserver-client-kubelet-approver..............................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:kubelet-serving-approver............................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:legacy-unknown-approver.............................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:controller:attachdetach-controller......................................................✅
  · system:controller:certificate-controller.......................................................✅
  · system:controller:clusterrole-aggregation-controller...........................................✅
  · system:controller:cronjob-controller...........................................................✅
  · system:controller:daemon-set-controller........................................................✅
  · system:controller:deployment-controller........................................................✅
  · system:controller:disruption-controller........................................................✅
  · system:controller:endpoint-controller..........................................................✅
  · system:controller:endpointslice-controller.....................................................✅
  · system:controller:endpointslicemirroring-controller............................................✅
  · system:controller:ephemeral-volume-controller..................................................✅
  · system:controller:expand-controller............................................................✅
  · system:controller:generic-garbage-collector....................................................✅
  · system:controller:horizontal-pod-autoscaler....................................................✅
  · system:controller:job-controller...............................................................✅
  · system:controller:namespace-controller.........................................................✅
  · system:controller:node-controller..............................................................✅
  · system:controller:persistent-volume-binder.....................................................✅
  · system:controller:pod-garbage-collector........................................................✅
  · system:controller:pv-protection-controller.....................................................✅
  · system:controller:pvc-protection-controller....................................................✅
  · system:controller:replicaset-controller........................................................✅
  · system:controller:replication-controller.......................................................✅
  · system:controller:resourcequota-controller.....................................................✅
  · system:controller:root-ca-cert-publisher.......................................................✅
  · system:controller:route-controller.............................................................✅
  · system:controller:service-account-controller...................................................✅
  · system:controller:service-controller...........................................................✅
  · system:controller:statefulset-controller.......................................................✅
  · system:controller:ttl-after-finished-controller................................................✅
  · system:controller:ttl-controller...............................................................✅
  · system:coredns.................................................................................✅
  · system:discovery...............................................................................✅
  · system:heapster................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:k3s-controller..........................................................................✅
  · system:kube-aggregator.........................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:kube-controller-manager.................................................................✅
  · system:kube-dns................................................................................✅
  · system:kube-scheduler..........................................................................✅
  · system:kubelet-api-admin.......................................................................✅
  · system:metrics-server..........................................................................✅
  · system:monitoring..............................................................................✅
  · system:node....................................................................................✅
  · system:node-bootstrapper.......................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:node-problem-detector...................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:node-proxier............................................................................✅
  · system:persistent-volume-provisioner...........................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:public-info-viewer......................................................................✅
  · system:service-account-issuer-discovery........................................................✅
  · system:volume-scheduler........................................................................✅
  · traefik........................................................................................✅
  · view...........................................................................................✅


CLUSTERROLEBINDINGS (55 SCANNED)                                            💥 0 😱 0 🔊 0 ✅ 55 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · cluster-admin..................................................................................✅
  · helm-kube-system-traefik.......................................................................✅
  · helm-kube-system-traefik-crd...................................................................✅
  · k3s-cloud-controller-manager...................................................................✅
  · kube-apiserver-kubelet-admin...................................................................✅
  · local-path-provisioner-bind....................................................................✅
  · metrics-server:system:auth-delegator...........................................................✅
  · polaris........................................................................................✅
  · polaris-view...................................................................................✅
  · system:basic-user..............................................................................✅
  · system:controller:attachdetach-controller......................................................✅
  · system:controller:certificate-controller.......................................................✅
  · system:controller:clusterrole-aggregation-controller...........................................✅
  · system:controller:cronjob-controller...........................................................✅
  · system:controller:daemon-set-controller........................................................✅
  · system:controller:deployment-controller........................................................✅
  · system:controller:disruption-controller........................................................✅
  · system:controller:endpoint-controller..........................................................✅
  · system:controller:endpointslice-controller.....................................................✅
  · system:controller:endpointslicemirroring-controller............................................✅
  · system:controller:ephemeral-volume-controller..................................................✅
  · system:controller:expand-controller............................................................✅
  · system:controller:generic-garbage-collector....................................................✅
  · system:controller:horizontal-pod-autoscaler....................................................✅
  · system:controller:job-controller...............................................................✅
  · system:controller:namespace-controller.........................................................✅
  · system:controller:node-controller..............................................................✅
  · system:controller:persistent-volume-binder.....................................................✅
  · system:controller:pod-garbage-collector........................................................✅
  · system:controller:pv-protection-controller.....................................................✅
  · system:controller:pvc-protection-controller....................................................✅
  · system:controller:replicaset-controller........................................................✅
  · system:controller:replication-controller.......................................................✅
  · system:controller:resourcequota-controller.....................................................✅
  · system:controller:root-ca-cert-publisher.......................................................✅
  · system:controller:route-controller.............................................................✅
  · system:controller:service-account-controller...................................................✅
  · system:controller:service-controller...........................................................✅
  · system:controller:statefulset-controller.......................................................✅
  · system:controller:ttl-after-finished-controller................................................✅
  · system:controller:ttl-controller...............................................................✅
  · system:coredns.................................................................................✅
  · system:discovery...............................................................................✅
  · system:k3s-controller..........................................................................✅
  · system:kube-controller-manager.................................................................✅
  · system:kube-dns................................................................................✅
  · system:kube-scheduler..........................................................................✅
  · system:metrics-server..........................................................................✅
  · system:monitoring..............................................................................✅
  · system:node....................................................................................✅
  · system:node-proxier............................................................................✅
  · system:public-info-viewer......................................................................✅
  · system:service-account-issuer-discovery........................................................✅
  · system:volume-scheduler........................................................................✅
  · traefik........................................................................................✅


CONFIGMAPS (1 SCANNED)                                                       💥 0 😱 0 🔊 1 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/kube-root-ca.crt........................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.


DAEMONSETS (0 SCANNED)                                                       💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


DEPLOYMENTS (1 SCANNED)                                                        💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/app.....................................................................................💥
    💥 [POP-501] Unhealthy 1 desired but have 0 available.
    🐳 nginx
      🔊 [POP-108] Unnamed port 443.


HORIZONTALPODAUTOSCALERS (0 SCANNED)                                         💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


INGRESSES (1 SCANNED)                                                        💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/app.....................................................................................✅


NAMESPACES (6 SCANNED)                                                       💥 0 😱 0 🔊 5 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · default........................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · dsn160.........................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · kube-node-lease................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · kube-public....................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · kube-system....................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · monapp.........................................................................................✅


NETWORKPOLICIES (0 SCANNED)                                                  💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


PERSISTENTVOLUMES (1 SCANNED)                                                💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · postgres-pv-volume.............................................................................✅


PERSISTENTVOLUMECLAIMS (0 SCANNED)                                           💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


PODS (1 SCANNED)                                                               💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/app-55977d595f-gsl7m....................................................................💥
    💥 [POP-207] Pod is in an unhappy phase (Pending).
    🔊 [POP-206] No PodDisruptionBudget defined.
    😱 [POP-300] Using "default" ServiceAccount.
    😱 [POP-301] Connects to API Server? ServiceAccount token is mounted.
    😱 [POP-302] Pod could be running as root user. Check SecurityContext/Image.
    🐳 monapp
      💥 [POP-203] Pod is waiting [0/2] ContainerCreating.
      😱 [POP-102] No probes defined.
      😱 [POP-306] Container could be running as root user. Check SecurityContext/Image.
    🐳 nginx
      💥 [POP-203] Pod is waiting [0/2] ContainerCreating.
      😱 [POP-102] No probes defined.
      🔊 [POP-108] Unnamed port 443.
      😱 [POP-306] Container could be running as root user. Check SecurityContext/Image.


PODDISRUPTIONBUDGETS (0 SCANNED)                                             💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


PODSECURITYPOLICIES (0 SCANNED)                                              💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


REPLICASETS (1 SCANNED)                                                        💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/app-55977d595f..........................................................................💥
    💥 [POP-1120] Unhealthy ReplicaSet 1 desired but have 0 ready.


ROLES (0 SCANNED)                                                            💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


ROLEBINDINGS (0 SCANNED)                                                     💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


SECRETS (1 SCANNED)                                                          💥 0 😱 0 🔊 1 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/default-token-dpncn.....................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.


SERVICES (1 SCANNED)                                                           💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/monapp-service..........................................................................💥
    💥 [POP-1106] No target ports match service port TCP::80.
    💥 [POP-1105] No associated endpoints.


SERVICEACCOUNTS (1 SCANNED)                                                  💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/default.................................................................................✅


STATEFULSETS (0 SCANNED)                                                     💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


SUMMARY
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
Your cluster score: 81 -- B
                                                                                o          .-'-.
                                                                                 o     __| B    `\
                                                                                  o   `-,-`--._   `\
                                                                                 []  .->'  a     `|-'
                                                                                  `=/ (__/_       /
                                                                                    \_,    `    _)
                                                                                       `----;  |

Quite a lot of findings are reported; they are documented here

Polaris

Polaris, my favourite of the three, can be deployed onto a Kubernetes cluster but also works as a command-line tool. I prefer the second option: there is nothing worse than exposing flaws that could be exploited!

Installation is done with asdf:

asdf plugin add polaris
asdf install polaris 7.1.4
asdf global polaris 7.1.4

To run the analysis:

polaris audit --audit-path manifests.yml --format pretty


Polaris audited Path manifests.yml at 2021-12-07T12:43:28Z
    Nodes: 0 | Namespaces: 0 | Controllers: 1
    Final score: 69

Deployment app
    hostIPCSet                           🎉 Success
        Security - Host IPC is not configured
    hostNetworkSet                       🎉 Success
        Security - Host network is not configured
    hostPIDSet                           🎉 Success
        Security - Host PID is not configured
  Container monapp
    pullPolicyNotAlways                  😬 Warning
        Reliability - Image pull policy should be "Always"
    readinessProbeMissing                😬 Warning
        Reliability - Readiness probe should be configured
    tagNotSpecified                      🎉 Success
        Reliability - Image tag is specified
    hostPortSet                          🎉 Success
        Security - Host port is not configured
    livenessProbeMissing                 😬 Warning
        Reliability - Liveness probe should be configured
    memoryRequestsMissing                🎉 Success
        Efficiency - Memory requests are set
    runAsRootAllowed                     😬 Warning
        Security - Should not be allowed to run as root
    cpuLimitsMissing                     🎉 Success
        Efficiency - CPU limits are set
    dangerousCapabilities                🎉 Success
        Security - Container does not have any dangerous capabilities
    insecureCapabilities                 😬 Warning
        Security - Container should not have insecure capabilities
    memoryLimitsMissing                  🎉 Success
        Efficiency - Memory limits are set
    notReadOnlyRootFilesystem            😬 Warning
        Security - Filesystem should be read only
    privilegeEscalationAllowed           ❌ Danger
        Security - Privilege escalation should not be allowed
    cpuRequestsMissing                   🎉 Success
        Efficiency - CPU requests are set
    runAsPrivileged                      🎉 Success
        Security - Not running as privileged

  Container nginx
    tagNotSpecified                      🎉 Success
        Reliability - Image tag is specified
    hostPortSet                          🎉 Success
        Security - Host port is not configured
    privilegeEscalationAllowed           ❌ Danger
        Security - Privilege escalation should not be allowed
    memoryRequestsMissing                🎉 Success
        Efficiency - Memory requests are set
    pullPolicyNotAlways                  😬 Warning
        Reliability - Image pull policy should be "Always"
    runAsPrivileged                      🎉 Success
        Security - Not running as privileged
    runAsRootAllowed                     😬 Warning
        Security - Should not be allowed to run as root
    cpuLimitsMissing                     🎉 Success
        Efficiency - CPU limits are set
    insecureCapabilities                 😬 Warning
        Security - Container should not have insecure capabilities
    memoryLimitsMissing                  🎉 Success
        Efficiency - Memory limits are set
    readinessProbeMissing                😬 Warning
        Reliability - Readiness probe should be configured
    livenessProbeMissing                 😬 Warning
        Reliability - Liveness probe should be configured
    notReadOnlyRootFilesystem            😬 Warning
        Security - Filesystem should be read only
    cpuRequestsMissing                   🎉 Success
        Efficiency - CPU requests are set
    dangerousCapabilities                🎉 Success
        Security - Container does not have any dangerous capabilities


Service monapp-service

Ingress app
    tlsSettingsMissing                   😬 Warning
        Security - Ingress does not have TLS configured

If your application is already deployed, you can display the result directly on a nice web page, with links explaining how to fix each shortcoming:

polaris dashboard --port 8081

To get an explanation of how to comply with a rule, just click the question mark next to it.

Note that some rules can only be applied when certain conditions are met. For example, the run-as-root check requires that your container runs as a user that can be identified as not having root privileges!
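As an added example (not the post's own manifest), here is the Deployment from the post rewritten to address the findings that kube-score, Popeye and Polaris reported above (missing probes, no securityContext, pull policy, privilege escalation, root user, read-only filesystem, unnamed port, mounted service-account token), together with a NetworkPolicy for the kube-score check. Everything marked as an assumption is mine: the /healthz endpoint, a non-root UID of 10001 (kube-score expects UIDs above 10000), the nginxinc/nginx-unprivileged image in place of nginx, with the monapp-nginx ConfigMap adapted to listen on 8443 because a non-root process cannot bind 443 without extra capabilities, and Traefik running in kube-system.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: monapp
  template:
    metadata:
      labels:
        app: monapp
    spec:
      automountServiceAccountToken: false   # POP-301: the pod never calls the API server
      securityContext:                      # pod level, applies to both containers
        runAsNonRoot: true                  # only enforceable with a numeric UID (see note)
        runAsUser: 10001                    # assumption: both images run fine as this UID
        seccompProfile:
          type: RuntimeDefault
      containers:
        - image: artefacts.robert.local/monapp:0.1
          name: monapp
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 5000
          command: ["gunicorn"]
          # /dev/shm stays writable under a read-only root; gunicorn needs it for worker heartbeat files
          args: ["--bind", "0.0.0.0:5000", "--worker-tmp-dir", "/dev/shm", "mainapp:app"]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          readinessProbe:                   # assumption: the app answers GET /healthz
            httpGet: {path: /healthz, port: http}
            periodSeconds: 10
          livenessProbe:
            httpGet: {path: /healthz, port: http}
            initialDelaySeconds: 15
            periodSeconds: 20
          resources:
            requests: {memory: "64Mi", cpu: "125m"}
            limits: {memory: "128Mi", cpu: "250m"}
          volumeMounts:
            - {mountPath: /app/static, name: static}
        - image: nginxinc/nginx-unprivileged:1.21-alpine   # assumption: ConfigMap listens on 8443
          name: nginx
          imagePullPolicy: Always
          ports:
            - name: https                   # POP-108: give the port a name
              containerPort: 8443
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            tcpSocket: {port: https}
            periodSeconds: 10
          livenessProbe:
            tcpSocket: {port: https}
            initialDelaySeconds: 15
            periodSeconds: 20
          resources:
            requests: {memory: "256Mi", cpu: "200m"}
            limits: {memory: "512Mi", cpu: "300m"}
          volumeMounts:
            - {mountPath: /etc/nginx/conf.d, name: conf}
            - {mountPath: /app/static, name: static}
            - {mountPath: /tmp, name: nginx-tmp}   # writable pid and cache dir on a read-only root
      volumes:
        - name: conf
          configMap:
            name: monapp-nginx
        - name: static
          emptyDir: {}
        - name: nginx-tmp
          emptyDir: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: monapp
spec:
  podSelector:
    matchLabels:
      app: monapp
  policyTypes: ["Ingress"]                  # egress left open until the app's outbound needs are known
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # assumption: Traefik runs in kube-system
      ports:
        - port: https
```

The pod-level runAsNonRoot: true is exactly the caveat above: the kubelet can only enforce it when it knows the UID, so either set runAsUser explicitly, as here, or build the image with a numeric USER; with a root or non-numeric image user the container never starts and the pod sits in CreateContainerConfigError. The read-only root filesystem is also why each container needs a writable scratch area (/dev/shm for gunicorn, an emptyDir on /tmp for nginx). The Service and Ingress from the post are left untouched, so Popeye's POP-1106 (the Service targets port 80, which no container listens on) and Polaris's tlsSettingsMissing remain; they are fixed with a targetPort pointing at the named port and a tls: block on the Ingress.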

Regula

Regula is a more general-purpose tool designed with GitOps in mind: it is a static code analysis tool for Infrastructure as Code languages. I cover it in this post.

Taking inspiration from Helm charts

Why not take inspiration from charts to improve? As an example we will take Bitnami's Postgres chart.

Installing Helm and the chart

asdf plugin add helm
asdf install helm latest
asdf global helm latest

helm repo add bitnami https://charts.bitnami.com/bitnami
helm fetch --untar bitnami/postgresql

You will find the chart in the postgresql directory.

cd postgresql
ls
Chart.yaml  ci  files  manifests  README.md  templates  values-production.yaml  values.schema.json  values.yaml

I recommend reading the README to enable certain rules, such as networkPolicy. In the values file, change these lines:

networkPolicy:
  enabled: true

...

securityContext:
  enabled: true

Then just run the command that generates the manifests:

helm template -f values.yaml --output-dir ./manifests --namespace dsn160 .

All that is left is to browse the result in the ./manifests/postgresql/templates/ directory.

Happy reading.