Loading search data...

Kubernetes - Progresser dans l'écriture des manifests

Publié le : 7 décembre 2021 | Mis à jour le : 28 septembre 2022

Avant de déployer une application dans Kubernetes il faut écrire des manifests, et si vous vous êtes déjà amusé à le faire vous savez au combien cela peut être fastidieux. En effet, la plupart des ressources que vous trouvez sur internet ne respectent pas les bonnes pratiques, comme limiter les ressources, empêcher à un conteneur de tourner en que Root, de ne pas déclarer des livenessProbe et readynessProbe.

Quelques ressources

Vu le manque de ressources en français, je vous propose en attendant leur écriture de parcourir quelques liens (en anglais) :

Les outils d’analyse

Il existe des outils d’analyse permettant de nous aider à progresser. Nous allons reprendre les manifests écris il y a quelques jours pour les sidecars. Je colle tout dans un seul fichier, manifest.yml, pour faciliter les commandes qui vont être utilisé. Les mauvaises pratiques ou oublis seront documentés dans de prochains billets.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: monapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: monapp
  template:
    metadata:
      labels:
        app: monapp
    spec:
      containers:
        - image: artefacts.robert.local/monapp:0.1
          name: monapp
          resources:
            requests:
              memory: "64Mi"
              cpu: "125m"
            limits:
              memory: "128Mi"
              cpu: "250m"
          command: ["gunicorn"]
          args: ["--bind","0.0.0.0:5000","mainapp:app"]
          volumeMounts:
          - mountPath: /app/static
            name: static
        - image: nginx:1.21-alpine
          name: nginx
          ports:
            - containerPort: 443
          resources:
            requests:
              cpu: 200m
              memory: 256Mi
            limits:
              cpu: 300m
              memory: 512Mi
          volumeMounts:
          - mountPath: /etc/nginx/conf.d
            name: conf
          - mountPath: /app/static
            name: static

      volumes:
      - name: conf
        configMap:
          name: monapp-nginx
      - name: static
        emptyDir: {}
---
kind: Service
apiVersion: v1
metadata:
  name: monapp-service
  labels:
    app: monapp
spec:
  selector:
    app: monapp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: ClusterIP
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: app
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: monapp.robert.local
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: monapp-service
              port:
                number: 5000

Kube-score

Kube-score analyse les manifests de manière statique avant de les déployer. Kube-score existe sous forme de plugin kubectl, pour l’installer il faut au préalable installer krew. Rien de plus simple avec arkade :

ark get krew

kubectl krew install score

On le lance sur notre manifest :

kubectl score score manifests.yml
apps/v1/Deployment app                                                        💥
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod.
            Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster
            to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It's also used during rollouts, and can
            prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · monapp -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
        · nginx -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Image Pull Policy
        · monapp -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
        · nginx -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
networking.k8s.io/v1/Ingress app                                              ✅
v1/Service monapp-service                                                     ✅

On voit qu’il retourne quelques recommandations :

  • NetworkPolicy : Un NetworkPolicy permet de spécifier si les pods sont autorisés à communiquer entre eux en entrée (Ingress) et en sortie (Egress).
  • Probes : Les probes permettent de détecter quand le pod est prêt lors de démarrage, mais aussi de détecter quand il est tombé. Attention il faut les écrire correctement afin d’éviter qu’un container ne redémarre sans cesse ou pire fasse tomber le cluster tout entier.
  • Container Security Context : Un contexte de sécurité définit les paramètres de privilège et de contrôle d’accès pour un pod ou un conteneur.
  • Container Image Pull Policy : Permet de définir quand faut il télécharger une image.

Popeye

Popeye est une CLI qui analyse votre cluster Kubernetes et signale d"envtuels problèmes avec les configurations déployées.

Pour l’installer rien de plus simple avec arkade :

ark get popeye

Popeye regorge d’options, un petit –help vous aidera. Ex lancement du scan sur un seul namespace :

popeye --namespace monapp

 ___     ___ _____   _____                                                      K          .-'-.
| _ \___| _ \ __\ \ / / __|                                                      8     __|      `\
|  _/ _ \  _/ _| \ V /| _|                                                        s   `-,-`--._   `\
|_| \___/_| |___| |_| |___|                                                      []  .->'  a     `|-'
  Biffs`em and Buffs`em!                                                          `=/ (__/_       /
                                                                                    \_,    `    _)
                                                                                       `----;  |


GENERAL [DEFAULT]
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Connectivity...................................................................................✅
  · MetricServer...................................................................................✅


CLUSTER (1 SCANNED)                                                          💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Version........................................................................................✅
    ✅ [POP-406] K8s version OK.


CLUSTERROLES (70 SCANNED)                                                  💥 0 😱 0 🔊 17 ✅ 53 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · admin..........................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · cluster-admin..................................................................................✅
  · edit...........................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · k3s-cloud-controller-manager...................................................................✅
  · local-path-provisioner-role....................................................................✅
  · polaris........................................................................................✅
  · system:aggregate-to-admin......................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:aggregate-to-edit.......................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:aggregate-to-view.......................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:aggregated-metrics-reader...............................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:auth-delegator..........................................................................✅
  · system:basic-user..............................................................................✅
  · system:certificates.k8s.io:certificatesigningrequests:nodeclient...............................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:certificatesigningrequests:selfnodeclient...........................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:kube-apiserver-client-approver......................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:kube-apiserver-client-kubelet-approver..............................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:kubelet-serving-approver............................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:certificates.k8s.io:legacy-unknown-approver.............................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:controller:attachdetach-controller......................................................✅
  · system:controller:certificate-controller.......................................................✅
  · system:controller:clusterrole-aggregation-controller...........................................✅
  · system:controller:cronjob-controller...........................................................✅
  · system:controller:daemon-set-controller........................................................✅
  · system:controller:deployment-controller........................................................✅
  · system:controller:disruption-controller........................................................✅
  · system:controller:endpoint-controller..........................................................✅
  · system:controller:endpointslice-controller.....................................................✅
  · system:controller:endpointslicemirroring-controller............................................✅
  · system:controller:ephemeral-volume-controller..................................................✅
  · system:controller:expand-controller............................................................✅
  · system:controller:generic-garbage-collector....................................................✅
  · system:controller:horizontal-pod-autoscaler....................................................✅
  · system:controller:job-controller...............................................................✅
  · system:controller:namespace-controller.........................................................✅
  · system:controller:node-controller..............................................................✅
  · system:controller:persistent-volume-binder.....................................................✅
  · system:controller:pod-garbage-collector........................................................✅
  · system:controller:pv-protection-controller.....................................................✅
  · system:controller:pvc-protection-controller....................................................✅
  · system:controller:replicaset-controller........................................................✅
  · system:controller:replication-controller.......................................................✅
  · system:controller:resourcequota-controller.....................................................✅
  · system:controller:root-ca-cert-publisher.......................................................✅
  · system:controller:route-controller.............................................................✅
  · system:controller:service-account-controller...................................................✅
  · system:controller:service-controller...........................................................✅
  · system:controller:statefulset-controller.......................................................✅
  · system:controller:ttl-after-finished-controller................................................✅
  · system:controller:ttl-controller...............................................................✅
  · system:coredns.................................................................................✅
  · system:discovery...............................................................................✅
  · system:heapster................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:k3s-controller..........................................................................✅
  · system:kube-aggregator.........................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:kube-controller-manager.................................................................✅
  · system:kube-dns................................................................................✅
  · system:kube-scheduler..........................................................................✅
  · system:kubelet-api-admin.......................................................................✅
  · system:metrics-server..........................................................................✅
  · system:monitoring..............................................................................✅
  · system:node....................................................................................✅
  · system:node-bootstrapper.......................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:node-problem-detector...................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:node-proxier............................................................................✅
  · system:persistent-volume-provisioner...........................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · system:public-info-viewer......................................................................✅
  · system:service-account-issuer-discovery........................................................✅
  · system:volume-scheduler........................................................................✅
  · traefik........................................................................................✅
  · view...........................................................................................✅


CLUSTERROLEBINDINGS (55 SCANNED)                                            💥 0 😱 0 🔊 0 ✅ 55 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · cluster-admin..................................................................................✅
  · helm-kube-system-traefik.......................................................................✅
  · helm-kube-system-traefik-crd...................................................................✅
  · k3s-cloud-controller-manager...................................................................✅
  · kube-apiserver-kubelet-admin...................................................................✅
  · local-path-provisioner-bind....................................................................✅
  · metrics-server:system:auth-delegator...........................................................✅
  · polaris........................................................................................✅
  · polaris-view...................................................................................✅
  · system:basic-user..............................................................................✅
  · system:controller:attachdetach-controller......................................................✅
  · system:controller:certificate-controller.......................................................✅
  · system:controller:clusterrole-aggregation-controller...........................................✅
  · system:controller:cronjob-controller...........................................................✅
  · system:controller:daemon-set-controller........................................................✅
  · system:controller:deployment-controller........................................................✅
  · system:controller:disruption-controller........................................................✅
  · system:controller:endpoint-controller..........................................................✅
  · system:controller:endpointslice-controller.....................................................✅
  · system:controller:endpointslicemirroring-controller............................................✅
  · system:controller:ephemeral-volume-controller..................................................✅
  · system:controller:expand-controller............................................................✅
  · system:controller:generic-garbage-collector....................................................✅
  · system:controller:horizontal-pod-autoscaler....................................................✅
  · system:controller:job-controller...............................................................✅
  · system:controller:namespace-controller.........................................................✅
  · system:controller:node-controller..............................................................✅
  · system:controller:persistent-volume-binder.....................................................✅
  · system:controller:pod-garbage-collector........................................................✅
  · system:controller:pv-protection-controller.....................................................✅
  · system:controller:pvc-protection-controller....................................................✅
  · system:controller:replicaset-controller........................................................✅
  · system:controller:replication-controller.......................................................✅
  · system:controller:resourcequota-controller.....................................................✅
  · system:controller:root-ca-cert-publisher.......................................................✅
  · system:controller:route-controller.............................................................✅
  · system:controller:service-account-controller...................................................✅
  · system:controller:service-controller...........................................................✅
  · system:controller:statefulset-controller.......................................................✅
  · system:controller:ttl-after-finished-controller................................................✅
  · system:controller:ttl-controller...............................................................✅
  · system:coredns.................................................................................✅
  · system:discovery...............................................................................✅
  · system:k3s-controller..........................................................................✅
  · system:kube-controller-manager.................................................................✅
  · system:kube-dns................................................................................✅
  · system:kube-scheduler..........................................................................✅
  · system:metrics-server..........................................................................✅
  · system:monitoring..............................................................................✅
  · system:node....................................................................................✅
  · system:node-proxier............................................................................✅
  · system:public-info-viewer......................................................................✅
  · system:service-account-issuer-discovery........................................................✅
  · system:volume-scheduler........................................................................✅
  · traefik........................................................................................✅


CONFIGMAPS (1 SCANNED)                                                       💥 0 😱 0 🔊 1 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/kube-root-ca.crt........................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.


DAEMONSETS (0 SCANNED)                                                       💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


DEPLOYMENTS (1 SCANNED)                                                        💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/app.....................................................................................💥
    💥 [POP-501] Unhealthy 1 desired but have 0 available.
    🐳 nginx
      🔊 [POP-108] Unnamed port 443.


HORIZONTALPODAUTOSCALERS (0 SCANNED)                                         💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


INGRESSES (1 SCANNED)                                                        💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/app.....................................................................................✅


NAMESPACES (6 SCANNED)                                                       💥 0 😱 0 🔊 5 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · default........................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · dsn160.........................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · kube-node-lease................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · kube-public....................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · kube-system....................................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.
  · monapp.........................................................................................✅


NETWORKPOLICIES (0 SCANNED)                                                  💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


PERSISTENTVOLUMES (1 SCANNED)                                                💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · postgres-pv-volume.............................................................................✅


PERSISTENTVOLUMECLAIMS (0 SCANNED)                                           💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


PODS (1 SCANNED)                                                               💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/app-55977d595f-gsl7m....................................................................💥
    💥 [POP-207] Pod is in an unhappy phase (Pending).
    🔊 [POP-206] No PodDisruptionBudget defined.
    😱 [POP-300] Using "default" ServiceAccount.
    😱 [POP-301] Connects to API Server? ServiceAccount token is mounted.
    😱 [POP-302] Pod could be running as root user. Check SecurityContext/Image.
    🐳 monapp
      💥 [POP-203] Pod is waiting [0/2] ContainerCreating.
      😱 [POP-102] No probes defined.
      😱 [POP-306] Container could be running as root user. Check SecurityContext/Image.
    🐳 nginx
      💥 [POP-203] Pod is waiting [0/2] ContainerCreating.
      😱 [POP-102] No probes defined.
      🔊 [POP-108] Unnamed port 443.
      😱 [POP-306] Container could be running as root user. Check SecurityContext/Image.


PODDISRUPTIONBUDGETS (0 SCANNED)                                             💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


PODSECURITYPOLICIES (0 SCANNED)                                              💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


REPLICASETS (1 SCANNED)                                                        💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/app-55977d595f..........................................................................💥
    💥 [POP-1120] Unhealthy ReplicaSet 1 desired but have 0 ready.


ROLES (0 SCANNED)                                                            💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


ROLEBINDINGS (0 SCANNED)                                                     💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


SECRETS (1 SCANNED)                                                          💥 0 😱 0 🔊 1 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/default-token-dpncn.....................................................................🔊
    🔊 [POP-400] Used? Unable to locate resource reference.


SERVICES (1 SCANNED)                                                           💥 1 😱 0 🔊 0 ✅ 0 0٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/monapp-service..........................................................................💥
    💥 [POP-1106] No target ports match service port TCP::80.
    💥 [POP-1105] No associated endpoints.


SERVICEACCOUNTS (1 SCANNED)                                                  💥 0 😱 0 🔊 0 ✅ 1 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · monapp/default.................................................................................✅


STATEFULSETS (0 SCANNED)                                                     💥 0 😱 0 🔊 0 ✅ 0 100٪
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
  · Nothing to report.


SUMMARY
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
Your cluster score: 81 -- B
                                                                                o          .-'-.
                                                                                 o     __| B    `\
                                                                                  o   `-,-`--._   `\
                                                                                 []  .->'  a     `|-'
                                                                                  `=/ (__/_       /
                                                                                    \_,    `    _)
                                                                                       `----;  |

Pas mal d’infos sont remontées qui sont documentées ici

Polaris

Polaris, mon outil préféré des trois, peut être déployé sur cluster kubernetes mais fonctionne aussi sous forme de ligne de commande. Je préfère la seconde solution rien de pire que d’exposer les failles pouvant être exploités!

L’installation se fait avec arkade:

arkade get polaris

Pour lancer l’analyse :

polaris audit --audit-path manifests.yml --format pretty


Polaris audited Path manifests.yml at 2021-12-07T12:43:28Z
    Nodes: 0 | Namespaces: 0 | Controllers: 1
    Final score: 69

Deployment app
    hostIPCSet                           🎉 Success
        Security - Host IPC is not configured
    hostNetworkSet                       🎉 Success
        Security - Host network is not configured
    hostPIDSet                           🎉 Success
        Security - Host PID is not configured
  Container monapp
    pullPolicyNotAlways                  😬 Warning
        Reliability - Image pull policy should be "Always"
    readinessProbeMissing                😬 Warning
        Reliability - Readiness probe should be configured
    tagNotSpecified                      🎉 Success
        Reliability - Image tag is specified
    hostPortSet                          🎉 Success
        Security - Host port is not configured
    livenessProbeMissing                 😬 Warning
        Reliability - Liveness probe should be configured
    memoryRequestsMissing                🎉 Success
        Efficiency - Memory requests are set
    runAsRootAllowed                     😬 Warning
        Security - Should not be allowed to run as root
    cpuLimitsMissing                     🎉 Success
        Efficiency - CPU limits are set
    dangerousCapabilities                🎉 Success
        Security - Container does not have any dangerous capabilities
    insecureCapabilities                 😬 Warning
        Security - Container should not have insecure capabilities
    memoryLimitsMissing                  🎉 Success
        Efficiency - Memory limits are set
    notReadOnlyRootFilesystem            😬 Warning
        Security - Filesystem should be read only
    privilegeEscalationAllowed           ❌ Danger
        Security - Privilege escalation should not be allowed
    cpuRequestsMissing                   🎉 Success
        Efficiency - CPU requests are set
    runAsPrivileged                      🎉 Success
        Security - Not running as privileged

  Container nginx
    tagNotSpecified                      🎉 Success
        Reliability - Image tag is specified
    hostPortSet                          🎉 Success
        Security - Host port is not configured
    privilegeEscalationAllowed           ❌ Danger
        Security - Privilege escalation should not be allowed
    memoryRequestsMissing                🎉 Success
        Efficiency - Memory requests are set
    pullPolicyNotAlways                  😬 Warning
        Reliability - Image pull policy should be "Always"
    runAsPrivileged                      🎉 Success
        Security - Not running as privileged
    runAsRootAllowed                     😬 Warning
        Security - Should not be allowed to run as root
    cpuLimitsMissing                     🎉 Success
        Efficiency - CPU limits are set
    insecureCapabilities                 😬 Warning
        Security - Container should not have insecure capabilities
    memoryLimitsMissing                  🎉 Success
        Efficiency - Memory limits are set
    readinessProbeMissing                😬 Warning
        Reliability - Readiness probe should be configured
    livenessProbeMissing                 😬 Warning
        Reliability - Liveness probe should be configured
    notReadOnlyRootFilesystem            😬 Warning
        Security - Filesystem should be read only
    cpuRequestsMissing                   🎉 Success
        Efficiency - CPU requests are set
    dangerousCapabilities                🎉 Success
        Security - Container does not have any dangerous capabilities


Service monapp-service

Ingress app
    tlsSettingsMissing                   😬 Warning
        Security - Ingress does not have TLS configured

Si votre application est déjà déployée vous pouvez afficher directement le résultat sur une belle page web avec des liens sur comment corriger votre manque :

polaris dashboard --port 8081

polaris kubernetes best practices polaris kubernetes best practices

Pour avoir des explications sur comment respecter une règle il suffit de cliquer sur le point d’interrogation de chacune d’elle.

Attention certaines règles ne peuvent être utilisées que si certaines conditions sont remplies. Par exemple run as root nécessite que votre container utilise un user identifié comme ne possédant ces droits!

Regula

Regula est outil plus généraliste et pensé GitOps. En effet, c’est un outil d’analyse statique de code pour les langages Infra As Code. J’en parle dans ce billet.

S’inspirer des charts Helm

Pourquoi ne pas s’inspirer des charts pour progresser. Nous allons prendre par exemple le chart Postgres de bitnami.

Installation de Helm et du chart

ark get helm

helm repo add bitnami https://charts.bitnami.com/bitnami
helm fetch --untar stable/postgresql

Vous allez retrouver dans le répertoire postgresql le chart.

cd postgresql
ls
Chart.yaml  ci  files  manifests  README.md  templates  values-production.yaml  values.schema.json  values.yaml

Je vous consielle de lire le README pour activer certaines règles comme les networkPolicy. Dans le fichier values modifier ces lignes :

networkPolicy:
  enabled: true

...

securityContext:
    enabled: true

Ensuite il suffit de lancer la commande permettant de générer les manifests:

helm template -f values.yaml --output-dir ./manifests --namespace dsn160 .

Vous n’avez plus qu’à parcourir le resultat dans le répertoire ./manifests/postgresql/templates/

Bonne lecture.


Si vous avez apprécié cet article de blog, vous pouvez m'encourager à produire plus de contenu en m'offrant un café sur   Ko-Fi  . Vous pouvez aussi passer votre prochaine commande sur amazon, sans que cela ne nous coûte plus cher, via   ce lien  . Vous pouvez aussi partager le lien sur twitter ou linkedin via les boutons ci-dessous. Je vous remercie de votre soutien


Mots clés :

devops tutorials kubernetes

Autres Articles


Commentaires: