I set up my first Kubernetes cluster "the hard way" in the last few days of 2017. Since then I've migrated quite a few workloads to Kubernetes, including stateful ones. I've also been developing applications that have been built with Kubernetes in mind from the start.
Every month doing this I'd learn something new: some new configuration that should be set, or some new object that needed to exist for optimal reliability, security, or performance.
To make it easier for myself and others around me, I built a tool that verifies this correctness automatically, without needing a live cluster. The first version of the tool, kube-score, was released in September 2018.
The program takes your object definitions in YAML format as input and runs a set of "checks" against them. The output gives you an overview of what you're doing right and what you could do differently to increase the reliability and security of your application.
$ kube-score score score/testdata/deployment-poddisruptionbudget-matches.yaml
policy/v1beta1/PodDisruptionBudget app-budget
[OK] Stable version
apps/v1/Deployment statefulset-test-1
[OK] Stable version
[CRITICAL] Container Resources
* foobar -> CPU limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
* foobar -> Memory limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
* foobar -> CPU request is not set
Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
* foobar -> Memory request is not set
Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
[OK] Container Image Tag
[CRITICAL] Container Image Pull Policy
* foobar -> ImagePullPolicy is not set to Always
It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
[CRITICAL] Pod NetworkPolicy
* The pod does not have a matching network policy
Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
* Container is missing a readinessProbe
Without a readinessProbe Services will start sending traffic to this pod before it's ready
* Container is missing a livenessProbe
Without a livenessProbe kubelet can not restart the Pod if it has crashed
[CRITICAL] Container Security Context
* foobar -> Container has no configured security context
Set securityContext to run the container is a more secure context.
[WARNING] Deployment has host PodAntiAffinity
* Deployment does not have a host podAntiAffinity set
It's recommended to set a podAntiAffinity that stops multiple pods from a deployment from beeing scheduled on the same node. This increases availability in case the node becomes unavailable.
[OK] Deployment has PodDisruptionBudget
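For comparison, here is a Deployment written to satisfy the container-level findings in the output above (resource requests and limits, imagePullPolicy, both probes, a security context, and a host podAntiAffinity). It is an added example, not a manifest from the post or from the kube-score repository; the image name, port and /healthz path are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: statefulset-test-1
  labels:
    app: foobar
spec:
  replicas: 2
  selector:
    matchLabels:
      app: foobar
  template:
    metadata:
      labels:
        app: foobar
    spec:
      # Keep replicas on different nodes (the host PodAntiAffinity warning)
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: foobar
              topologyKey: kubernetes.io/hostname
      containers:
        - name: foobar
          image: example.org/foobar:1.2.3   # pinned tag; image name is assumed
          imagePullPolicy: Always           # the Image Pull Policy check
          resources:                        # the Container Resources check
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          readinessProbe:                   # the Pod Probes check
            httpGet:
              path: /healthz                # assumed endpoint
              port: 8080                    # assumed port
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
          securityContext:                  # the Container Security Context check
            runAsNonRoot: true
            runAsUser: 10001
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
```

The NetworkPolicy and PodDisruptionBudget findings are resolved by separate objects whose selectors match the `app: foobar` label, not by anything inside the Deployment itself.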
If you want to try out kube-score on your setup without installing anything, you can try it out in the browser, on kube-score.com.
With the help of four external contributors, over 100 commits of improvements and bug fixes have been made since the first release. With their help, kube-score now has over 4800 downloads, and 374 stars on GitHub! A big thanks to you all!
kube-score can check for things such as missing NetworkPolicies and PodDisruptionBudgets; it also recommends setting a PodAntiAffinity, to help the Kubernetes scheduler distribute pods across different nodes in your cluster, and much more. A complete list of checks is available here.
If you have other ideas for what kube-score could do, please open a new Issue. Contributions are always welcome! 🙏
— Gustav Westling, April 2019