
iThome Ironman Contest series - Day 27 - Kubernetes plugin examples

source link: https://www.hwchiu.com/ithome-20202-cicd-27.html

In the previous article we introduced the kubectl plugin system and its ecosystem, and then used krew to manage all kinds of kubectl plugins.

So in this article we pick a few of those plugins and try them out.

View Allocations

Let's pick a few plugins at random and play with them.

$ kubectl krew install view-allocations
Updated the local copy of plugin index.
Installing plugin: view-allocations
Installed plugin: view-allocations
\
| Use this plugin:
| kubectl view-allocations
| Documentation:
| https://github.com/davidB/kubectl-view-allocations
/
WARNING: You installed plugin "view-allocations" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.

Note that because everything we install here is a kubectl plugin, you do not add krew when running it: after installing view-allocations above, just run kubectl view-allocations directly.

View-allocations lists, for every resource on the system that has resource constraints configured, how much of it is accounted for. It helps you evaluate how much CPU/Memory each node has in total, how much the workloads running on it currently request, and what percentage of the node that is.

Note that if your Pod has no resource limits configured, it will not show up in the output.

$ kubectl view-allocations
Resource Requested %Requested Limit %Limit Allocatable Free
cpu 1050.0m 9% 300.0m 2% 12.0 10.9
├─ kind-control-plane 850.0m 21% 100.0m 2% 4.0 3.1
│ ├─ coredns-6955765f44-l4z47 100.0m 0.0
│ ├─ coredns-6955765f44-zb5xx 100.0m 0.0
│ ├─ kindnet-czpsv 100.0m 100.0m
│ ├─ kube-apiserver-kind-control-plane 250.0m 0.0
│ ├─ kube-controller-manager-kind-control-plane 200.0m 0.0
│ └─ kube-scheduler-kind-control-plane 100.0m 0.0
├─ kind-worker 100.0m 2% 100.0m 2% 4.0 3.9
│ └─ kindnet-sbqxd 100.0m 100.0m
└─ kind-worker2 100.0m 2% 100.0m 2% 4.0 3.9
└─ kindnet-sw5mq 100.0m 100.0m
ephemeral-storage 0.0 0% 0.0 0% 581.5Gi 581.5Gi
├─ kind-control-plane 0.0 0% 0.0 0% 193.8Gi 193.8Gi
├─ kind-worker 0.0 0% 0.0 0% 193.8Gi 193.8Gi
└─ kind-worker2 0.0 0% 0.0 0% 193.8Gi 193.8Gi
memory 290.0Mi 1% 490.0Mi 1% 46.9Gi 46.4Gi
├─ kind-control-plane 190.0Mi 1% 390.0Mi 2% 15.6Gi 15.3Gi
│ ├─ coredns-6955765f44-l4z47 70.0Mi 170.0Mi
│ ├─ coredns-6955765f44-zb5xx 70.0Mi 170.0Mi
│ └─ kindnet-czpsv 50.0Mi 50.0Mi
├─ kind-worker 50.0Mi 0% 50.0Mi 0% 15.6Gi 15.6Gi
│ └─ kindnet-sbqxd 50.0Mi 50.0Mi
└─ kind-worker2 50.0Mi 0% 50.0Mi 0% 15.6Gi 15.6Gi
└─ kindnet-sw5mq 50.0Mi 50.0Mi
pods 0.0 0% 0.0 0% 330.0 330.0
├─ kind-control-plane 0.0 0% 0.0 0% 110.0 110.0
├─ kind-worker 0.0 0% 0.0 0% 110.0 110.0
└─ kind-worker2 0.0 0% 0.0 0% 110.0 110.0

Personally I find this tool quite handy: it shows how much CPU/Memory the workloads on the current system account for, and those numbers help developers decide how to set the related resource limits.
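To make the table above concrete, here is the aggregation the plugin performs, written as an added example (not code from the original post or from kubectl-view-allocations) over a constructed snapshot of the page's kind-control-plane CPU rows; the pod records, the pod() helper and the kube-proxy entry are assumptions made for the example.

```python
# Added example, not code from the original post or from kubectl-view-allocations:
# the aggregation behind the table above, run on a constructed snapshot of the
# page's kind-control-plane node instead of a live API server.
import re

UNITS = {"": 1, "m": 1e-3, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}  # quantity suffixes used here

def parse_quantity(q):
    """'850m' -> 0.85 cores, '15.6Gi' -> bytes, '4' -> 4.0."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)([A-Za-z]*)", q)
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unsupported quantity: {q!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def allocations(nodes, pods, resource):
    """Per-node sums of requests/limits for one resource, as % of allocatable.
    A pod with neither request nor limit for it is skipped (it never shows up in the plugin)."""
    table = {n: {"requested": 0.0, "limit": 0.0, "pods": {},
                 "allocatable": parse_quantity(a[resource])} for n, a in nodes.items()}
    for p in pods:
        req = sum(parse_quantity(c.get("requests", {}).get(resource, "0")) for c in p["containers"])
        lim = sum(parse_quantity(c.get("limits", {}).get(resource, "0")) for c in p["containers"])
        if req == 0 and lim == 0:
            continue
        row = table[p["node"]]
        row["pods"][p["name"]] = (req, lim)
        row["requested"] += req
        row["limit"] += lim
    for row in table.values():
        row["pct_requested"] = round(100 * row["requested"] / row["allocatable"])
        row["pct_limit"] = round(100 * row["limit"] / row["allocatable"])
        row["free"] = row["allocatable"] - row["requested"]
    return table

def pod(name, node, req=None, lim=None):
    """Constructed one-container pod record with optional cpu request/limit."""
    res = {k: {"cpu": v} for k, v in (("requests", req), ("limits", lim)) if v}
    return {"name": name, "node": node, "containers": [res]}

# Constructed input mirroring the CPU rows of the page's kind-control-plane node.
NODES = {"kind-control-plane": {"cpu": "4"}}
PODS = [
    pod("coredns-6955765f44-l4z47", "kind-control-plane", "100m"),
    pod("coredns-6955765f44-zb5xx", "kind-control-plane", "100m"),
    pod("kindnet-czpsv", "kind-control-plane", "100m", "100m"),
    pod("kube-apiserver-kind-control-plane", "kind-control-plane", "250m"),
    pod("kube-controller-manager-kind-control-plane", "kind-control-plane", "200m"),
    pod("kube-scheduler-kind-control-plane", "kind-control-plane", "100m"),
    pod("kube-proxy-4b5rl", "kind-control-plane"),  # no requests/limits: invisible to the plugin
]
```

allocations(NODES, PODS, "cpu") reproduces the control-plane row (850m requested, 21%, 100m limit) while the request-less kube-proxy pod is absent from the per-node pod list, which is the caveat the text warns about.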

change-ns

This tool is relatively simple: it switches the default namespace for you, so you no longer have to specify a particular namespace with -n|--namespace on every command.

$ kubectl krew install change-ns
Updated the local copy of plugin index.
Installing plugin: change-ns
Installed plugin: change-ns
\
| Use this plugin:
| kubectl change-ns
| Documentation:
| https://github.com/juanvallejo/kubectl-ns
/
WARNING: You installed plugin "change-ns" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
$ kubectl change-ns kube-system
namespace changed to "kube-system"
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
coredns-6955765f44-l4z47 1/1 Running 0 2d13h
coredns-6955765f44-zb5xx 1/1 Running 0 2d13h
etcd-kind-control-plane 1/1 Running 0 2d13h
kindnet-czpsv 1/1 Running 0 2d13h
kindnet-sbqxd 1/1 Running 0 2d13h
kindnet-sw5mq 1/1 Running 0 2d13h
kube-apiserver-kind-control-plane 1/1 Running 0 2d13h
kube-controller-manager-kind-control-plane 1/1 Running 0 2d13h
kube-proxy-4b5rl 1/1 Running 0 2d13h
kube-proxy-nrspx 1/1 Running 0 2d13h
kube-proxy-skfm5 1/1 Running 0 2d13h
kube-scheduler-kind-control-plane 1/1 Running 0 2d13h

A similar tool is ctx, which switches between different kubeconfig contexts so you can move between multiple Kubernetes clusters more conveniently.

Status

This tool essentially reorganises the information you would get from describe. As an example, we prepared a case where the image pull fails, and then try the status command on it.

$ kubectl krew install status
Updated the local copy of plugin index.
Installing plugin: status
Installed plugin: status
\
| Use this plugin:
| kubectl status
| Documentation:
| https://github.com/bergerx/kubectl-status
/
WARNING: You installed plugin "status" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.

After installation, run kubectl status pod xxxx against a failing pod.

$ kubectl status pod pull-fail

Pod/pull-fail -n default, created 2m ago Pending Burstable
PodScheduled -> Initialized -> Not ContainersReady -> Not Ready
Ready ContainersNotReady, containers with unready status: [getting-started] for 2m
ContainersReady ContainersNotReady, containers with unready status: [getting-started] for 2m
Standalone POD.
Containers:
getting-started (hwchiu/netutils-qq) Waiting ErrImagePull: rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/hwchiu/netutils-qq:latest": failed to resolve reference "docker.io/hwchiu/netutils-qq:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Events:
Scheduled 2m ago from default-scheduler: Successfully assigned default/pull-fail to kind-worker
Pulling 28s ago (x4 over 1m) from kubelet,kind-worker: Pulling image "hwchiu/netutils-qq"
Failed 28s ago (x4 over 1m) from kubelet,kind-worker: Failed to pull image "hwchiu/netutils-qq": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/hwchiu/netutils-qq:latest": failed to resolve reference "docker.io/hwchiu/netutils-qq:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Failed 28s ago (x4 over 1m) from kubelet,kind-worker: Error: ErrImagePull
BackOff 13s ago (x6 over 1m) from kubelet,kind-worker: Back-off pulling image "hwchiu/netutils-qq"
Failed 13s ago (x6 over 1m) from kubelet,kind-worker: Error: ImagePullBackOff

Several pieces of information can be seen above, for example:

  1. PodScheduled -> Initialized -> Not ContainersReady -> Not Ready
    The Pod fails because it is stuck at the ContainersReady condition, so the Pod as a whole never becomes ready.
  2. Standalone POD
    This Pod has no StatefulSet/ReplicaSet behind it; it is an independent Pod.
  3. Containers: below this are the details, such as why it failed.
  4. Events: the events recorded for this Pod.

Besides Pods, status can also be used to look at other resources; feel free to try it out.
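The condition chain and container summary in the status output above can be derived from the raw Pod status. The following is an added example, not code from the original post or from kubectl-status; the PULL_FAIL record is a constructed .status object in the shape kubectl get pod -o json returns, with made-up timestamps.

```python
# Added example, not code from the original post or from kubectl-status: derives the
# condition chain and container summary the plugin prints from a constructed Pod
# status in the shape `kubectl get pod -o json` returns under .status.
from datetime import datetime, timedelta

CONDITION_ORDER = ["PodScheduled", "Initialized", "ContainersReady", "Ready"]  # lifecycle order

def _ts(iso):
    """Parse an RFC 3339 timestamp such as '2020-10-12T08:00:00Z'."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def condition_chain(status):
    """E.g. 'PodScheduled -> Initialized -> Not ContainersReady -> Not Ready'."""
    state = {c["type"]: c["status"] for c in status.get("conditions", [])}
    return " -> ".join(n if state.get(n) == "True" else f"Not {n}" for n in CONDITION_ORDER)

def failing_conditions(status, now_iso):
    """(type, reason, message, whole minutes in that state) for each non-True condition."""
    now = _ts(now_iso)
    return [(c["type"], c.get("reason", ""), c.get("message", ""),
             int((now - _ts(c["lastTransitionTime"])) / timedelta(minutes=1)))
            for c in status.get("conditions", []) if c["status"] != "True"]

def container_states(status):
    """(name, Waiting|Running|Terminated, reason) per container."""
    out = []
    for cs in status.get("containerStatuses", []):
        (phase, detail), = cs["state"].items()        # a container state has exactly one key
        out.append((cs["name"], phase.capitalize(), detail.get("reason", "")))
    return out

def is_image_pull_failure(status):
    """True when any container is stuck on ErrImagePull / ImagePullBackOff."""
    return any(r in ("ErrImagePull", "ImagePullBackOff") for _, _, r in container_states(status))

# Constructed status mirroring the page's pull-fail Pod (timestamps are made up).
T0 = "2020-10-12T08:00:00Z"
PULL_FAIL = {
    "conditions": [
        {"type": "Initialized", "status": "True", "lastTransitionTime": T0},
        {"type": "Ready", "status": "False", "reason": "ContainersNotReady",
         "message": "containers with unready status: [getting-started]", "lastTransitionTime": T0},
        {"type": "ContainersReady", "status": "False", "reason": "ContainersNotReady",
         "message": "containers with unready status: [getting-started]", "lastTransitionTime": T0},
        {"type": "PodScheduled", "status": "True", "lastTransitionTime": T0},
    ],
    "containerStatuses": [{"name": "getting-started", "image": "hwchiu/netutils-qq",
        "state": {"waiting": {"reason": "ErrImagePull", "message": "pull access denied"}}}],
}
```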

access-matrix

The next tool lists the current user's permissions over every Resource on the system, mainly whether the user may perform each of the different verbs (Get/Update/List/Delete) on a given resource.

$ kubectl krew install access-matrix
Updated the local copy of plugin index.
Installing plugin: access-matrix
Installed plugin: access-matrix
\
| Use this plugin:
| kubectl access-matrix
| Documentation:
| https://github.com/corneliusweig/rakkess
| Caveats:
| \
| | Usage:
| | kubectl access-matrix
| | kubectl access-matrix for pods
| /
/
WARNING: You installed plugin "access-matrix" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.

You can also switch to a different service account with --sa, so in the example below we look at the permissions as different users. My default user has almost unlimited permissions and can do everything, whereas the system's kube-system:namespace-controller can only LIST/DELETE.

Besides these four verbs there are many more that can be used; by default only these four are listed.

$ kubectl access-matrix --sa kube-system:namespace-controller
NAME LIST CREATE UPDATE DELETE
apiservices.apiregistration.k8s.io ✔ ✖ ✖ ✔
bindings ✖
certificatesigningrequests.certificates.k8s.io ✔ ✖ ✖ ✔
clusterrolebindings.rbac.authorization.k8s.io ✔ ✖ ✖ ✔
clusterroles.rbac.authorization.k8s.io ✔ ✖ ✖ ✔
componentstatuses ✔
configmaps ✔ ✖ ✖ ✔
controllerrevisions.apps ✔ ✖ ✖ ✔
cronjobs.batch ✔ ✖ ✖ ✔
csidrivers.storage.k8s.io ✔ ✖ ✖ ✔
.....
$ kubectl access-matrix
NAME LIST CREATE UPDATE DELETE
apiservices.apiregistration.k8s.io ✔ ✔ ✔ ✔
bindings ✔
certificatesigningrequests.certificates.k8s.io ✔ ✔ ✔ ✔
clusterrolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
clusterroles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
componentstatuses ✔
configmaps ✔ ✔ ✔ ✔
controllerrevisions.apps ✔ ✔ ✔ ✔
cronjobs.batch ✔ ✔ ✔ ✔
csidrivers.storage.k8s.io ✔ ✔ ✔ ✔
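The matrix above is the answer to one "can I?" question per (resource, verb). The following added example (not code from the original post or from rakkess) rebuilds it with kubectl auth can-i, impersonating a service account the way --sa does, and adds the review step a practitioner wants afterwards: flagging verbs a subject holds beyond what it is expected to need. The resource list, the expected-permissions dict and the fake can_i used in testing are assumptions.

```python
# Added example, not code from the original post or from rakkess (kubectl-access-matrix):
# builds the same LIST/CREATE/UPDATE/DELETE matrix by asking the API server one
# "can I?" question per (resource, verb), impersonating a service account like --sa does.
import subprocess

VERBS = ["list", "create", "update", "delete"]   # the four columns the plugin shows by default

def kubectl_can_i(service_account=None):
    """Return can_i(verb, resource) backed by `kubectl auth can-i`, which submits a
    SelfSubjectAccessReview; --as impersonates the SA given as 'namespace:name'."""
    def can_i(verb, resource):
        cmd = ["kubectl", "auth", "can-i", verb, resource]
        if service_account:
            ns, name = service_account.split(":", 1)
            cmd.append(f"--as=system:serviceaccount:{ns}:{name}")
        res = subprocess.run(cmd, capture_output=True, text=True)
        return res.stdout.strip() == "yes"          # "no", and any error, count as denied
    return can_i

def access_matrix(resources, can_i, verbs=VERBS):
    """{resource: {verb: bool}} for every combination: the plugin's table as a dict."""
    return {r: {v: can_i(v, r) for v in verbs} for r in resources}

def render(matrix, verbs=VERBS):
    """Plain-text table with ✔/✖ cells, mirroring the plugin's output."""
    width = max(len(r) for r in matrix)
    lines = [f"{'NAME':<{width}}  " + "  ".join(v.upper() for v in verbs)]
    for r, row in matrix.items():
        cells = (("✔" if row[v] else "✖").ljust(len(v)) for v in verbs)
        lines.append(f"{r:<{width}}  " + "  ".join(cells))
    return "\n".join(lines)

def overprivileged(matrix, expected):
    """Verbs a subject can perform beyond `expected` ({resource: set(verbs)}):
    the review step that turns the matrix into a finding."""
    extra = {r: {v for v, ok in row.items() if ok} - expected.get(r, set())
             for r, row in matrix.items()}
    return {r: vs for r, vs in extra.items() if vs}

if __name__ == "__main__":
    # Assumed resource list; the real plugin discovers every API resource itself.
    sa = "kube-system:namespace-controller"
    print(render(access_matrix(["configmaps", "cronjobs.batch"], kubectl_can_i(sa))))
```

Running the module against a cluster needs kubectl and a kubeconfig with permission to impersonate the service account; the matrix and review functions themselves are pure and can be fed any can_i callable.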

starboard

Finally, let's look at a security-related plugin.

Starboard integrates security tools into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard provides custom security resources definitions and a Go module to work with a range of existing security tools, as well as a kubectl-compatible command-line tool and an Octant plug-in that make security reports available through familiar Kubernetes tools.

Here is how to use it (assuming it is already installed).

$ kubectl starboard init
$ kubectl create deployment nginx --image nginx:1.16

First initialise the related resources through starboard, then deploy an nginx:1.16 container into the cluster.

$ kubectl starboard find vulnerabilities deployment/nginx
$ kubectl starboard get vulnerabilities deployment/nginx
....
summary:
criticalCount: 0
highCount: 4
lowCount: 93
mediumCount: 34
noneCount: 0
unknownCount: 0
vulnerabilities:
- description: Missing input validation in the ar/tar implementations of APT before
version 2.1.2 could result in denial of service when processing specially
crafted deb files.
fixedVersion: 1.8.2.1
installedVersion: 1.8.2
layerID: ""
links:
- https://bugs.launchpad.net/bugs/1878177
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3810
- https://github.com/Debian/apt/issues/111
- https://github.com/julian-klode/apt/commit/de4efadc3c92e26d37272fd310be148ec61dcf36
- https://lists.debian.org/debian-security-announce/2020/msg00089.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/
- https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
- https://salsa.debian.org/jak/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
- https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/
- https://usn.ubuntu.com/4359-1/
- https://usn.ubuntu.com/4359-2/
- https://usn.ubuntu.com/usn/usn-4359-1
- https://usn.ubuntu.com/usn/usn-4359-2
resource: apt
severity: MEDIUM
title: ""
vulnerabilityID: CVE-2020-3810
...

There is a lot of information above, listing the potential CVEs present in the current image. If this form is not pleasant to read, you can use the starboard-octant-plugin integration project to present the report in a UI, as in the picture below (taken from the official starboard-octant-plugin repo).

[image: starboard-octant-plugin vulnerability report UI, from the official starboard-octant-plugin repo]

So far we have introduced a few interesting kubectl plugins. Each of these plugins is also a standalone executable, so running it without going through kubectl is perfectly fine; every tool can be used on its own. krew simply makes it easier to discover which plugins are available; in practice, how you run them is personal preference, as long as it is convenient and smooth.

There are a great many tools on krew; try them out, since that is the only way to find the ones that really help with your daily work.

I currently offer Kubernetes courses on the Hiskio platform; anyone interested is welcome to take a look and share them. They contain my thoughts on Kubernetes from the low level up to practical use.

For details see
矽谷牛線上學院
https://course.hwchiu.com

Also, feel free to like and follow my fan page, where I regularly share all kinds of articles, some translations and some original, focused mainly on the CNCF space.
https://www.facebook.com/technologynoteniu

If you use Telegram you can also subscribe to the channel below, where I regularly push notifications of articles of all kinds.
https://t.me/technologynote

Your donations give me the motivation to keep writing.

