kube-score: a static analysis tool for K8s objects
Category:
k8s
Published: 2025-05-05
[https://github.com/zegl/kube-score](https://github.com/zegl/kube-score)

kube-score is a static analysis tool for Kubernetes object definitions. It outputs a list of improvement suggestions intended to raise an application's security and fault tolerance. Officially it supports several integration modes: it can be wired into CI, Helm, Kustomize and so on, and it can also be run directly under Docker. Here I use the prebuilt Windows exe to verify its behavior. First, write a test YAML for a Deployment:

```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.25.3
          ports:
            - containerPort: 80
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "200m"
              memory: "256Mi"
```

Run: ```.\kube-score_1.20.0_windows_amd64.exe score .\app.yaml```

Output:

```
apps/v1/Deployment nginx-deployment 💥 path=C:\Users\Administrator\Downloads\app.yaml
    [CRITICAL] Container Security Context User Group ID
        · nginx -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Image Pull Policy
        · nginx -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · nginx -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · nginx -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
        · nginx -> Ephemeral Storage request is not set
            Resource requests are recommended to make sure the application can start and run without crashing. Set resource.requests.ephemeral-storage
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It's recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It's recommended to set a podAntiAffinity that stops multiple pods from a deployment from being scheduled on the same node. This increases availability in case the node becomes unavailable.
```

For a YAML like this one it reports six [CRITICAL]-level messages, including:

1. No securityContext configured (this is the K8s setting that restricts the privileges of users inside the container; its main purpose is to stop processes inside the container from breaking out of their isolation, for example an attacker exploiting a kernel vulnerability to escape or to move laterally)
2. Image pull policy not specified
3. No NetworkPolicy for the Pod. Kubernetes allows all Pod-to-Pod communication by default, which is a lateral-movement risk
4. Again a report that the security context is not configured, this time recommending the ReadOnlyRootFilesystem option
5. Ephemeral storage not limited
6. No PDB specified

The full list of checks is here: [https://github.com/zegl/kube-score/blob/master/README_CHECKS.md](https://github.com/zegl/kube-score/blob/master/README_CHECKS.md). It covers the following categories:

* Workloads
  * Deployment
  * StatefulSet
  * CronJob
  * Pod
* Networking
  * Ingress
  * NetworkPolicy
  * Service
* Resilience and stability
  * PodDisruptionBudget
  * HorizontalPodAutoscaler

There are also checks that apply to every object, such as ```label-values```. Each check is either enabled by default (value "default") or enabled manually (value "optional"), and both kinds can be controlled from the YAML through ```kube-score/ignore``` and ```kube-score/enable```.

To verify that a check can be suppressed, add ```kube-score/ignore: deployment-has-poddisruptionbudget``` under ```metadata.annotations``` in the test YAML and run again: the earlier ``` [CRITICAL] Deployment has PodDisruptionBudget``` finding is no longer reported.

In summary, kube-score's checks focus on general dimensions such as security, stability and best practices, and cover the industry's common Kubernetes configuration standards (such as the CIS Benchmark), but they fall short on fine-grained control for business-specific scenarios, for example:

1. Checks that depend on business logic, such as:
   * Call relationships between specific microservices, e.g. Service A must reach Service B through the Service Mesh;
   * Business-level circuit breaking / degradation policies, e.g. HPA scaling rules that must incorporate business QPS thresholds; I found no suitable extension interface in this static checker for these either
2. Custom admission control
   * Business images must come from a specific private registry
   * Forbidding specific annotations, restricting the use of certain labels, or even constraining the allowed value range of fields

As a baseline compliance checker, kube-score deserves credit for its overall design and ease of use, and it fits well as the "first line of defense" for K8s configuration, but it needs business-specific customization to reach higher reliability and practical value.
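To make the findings above concrete, here is a small static checker written for this post (added example, not kube-score's own code) that reproduces the container-level findings from the run above, honours the `kube-score/ignore` annotation in the same way, and adds the kind of custom admission check the conclusion says kube-score lacks: an image-registry allowlist. The test Deployment is embedded as a parsed dict so the script runs without a YAML library; the check ids, the `registry.example.internal` registry prefix and the uid/gid values are this example's own assumptions, not kube-score's exact rules or thresholds.

```python
import copy
from typing import Any

Finding = tuple[str, str, str]  # (check id, severity, message)
CRITICAL = "CRITICAL"

# Constructed sample input: the test Deployment from the post, already parsed into a dict.
WEAK_DEPLOYMENT: dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-deployment", "labels": {"app": "nginx"}},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {"containers": [{
                "name": "nginx",
                "image": "nginx:1.25.3",
                "ports": [{"containerPort": 80}],
                "resources": {
                    "requests": {"cpu": "100m", "memory": "128Mi"},
                    "limits": {"cpu": "200m", "memory": "256Mi"},
                },
            }]},
        },
    },
}

# Hypothetical organisation policy (assumption for this example): images must come from
# this private registry. This is the "custom admission control" gap the post describes.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def _containers(obj: dict[str, Any]) -> list[dict[str, Any]]:
    return obj.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])


def _ignored_checks(obj: dict[str, Any]) -> set[str]:
    # kube-score/ignore holds a comma-separated list of check ids under metadata.annotations.
    ann = obj.get("metadata", {}).get("annotations", {}).get("kube-score/ignore", "")
    return {c.strip() for c in ann.split(",") if c.strip()}


def check_container(c: dict[str, Any]) -> list[Finding]:
    """Container-level checks mirroring the post's findings (check ids are this example's own)."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext") or {}
    res = c.get("resources") or {}
    findings: list[Finding] = []
    # Unset or 0 means the process runs as root inside the container.
    if not sc.get("runAsUser") or not sc.get("runAsGroup"):
        findings.append(("container-security-context-user-group-id", CRITICAL,
                         f"{name}: runAsUser/runAsGroup not set to a non-root id"))
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(("container-security-context-readonlyrootfilesystem", CRITICAL,
                         f"{name}: readOnlyRootFilesystem is not true"))
    if c.get("imagePullPolicy") != "Always":
        findings.append(("container-image-pull-policy", CRITICAL,
                         f"{name}: imagePullPolicy is not Always"))
    for kind in ("requests", "limits"):  # one finding per missing side, like kube-score's output
        if "ephemeral-storage" not in (res.get(kind) or {}):
            findings.append(("container-ephemeral-storage-request-and-limit", CRITICAL,
                             f"{name}: resources.{kind}.ephemeral-storage not set"))
    if not c.get("image", "").startswith(ALLOWED_REGISTRIES):
        findings.append(("custom-image-registry", CRITICAL,
                         f"{name}: image {c.get('image')!r} is not from an allowed registry"))
    return findings


def score(obj: dict[str, Any]) -> list[Finding]:
    """All findings for a Deployment, minus the check ids listed in kube-score/ignore."""
    ignored = _ignored_checks(obj)
    return [f for c in _containers(obj) for f in check_container(c) if f[0] not in ignored]


# Hardened variant of the same Deployment: every finding above is addressed.
HARDENED_DEPLOYMENT = copy.deepcopy(WEAK_DEPLOYMENT)
_c = HARDENED_DEPLOYMENT["spec"]["template"]["spec"]["containers"][0]
_c["image"] = "registry.example.internal/nginx:1.25.3"   # hypothetical private registry
_c["imagePullPolicy"] = "Always"
_c["securityContext"] = {"runAsUser": 10001, "runAsGroup": 10001, "readOnlyRootFilesystem": True}
_c["resources"]["requests"]["ephemeral-storage"] = "256Mi"
_c["resources"]["limits"]["ephemeral-storage"] = "512Mi"

# Same weak Deployment, but with one check suppressed through the annotation.
IGNORED_DEPLOYMENT = copy.deepcopy(WEAK_DEPLOYMENT)
IGNORED_DEPLOYMENT["metadata"]["annotations"] = {"kube-score/ignore": "container-image-pull-policy"}

if __name__ == "__main__":
    for label, obj in (("weak", WEAK_DEPLOYMENT), ("ignored", IGNORED_DEPLOYMENT),
                       ("hardened", HARDENED_DEPLOYMENT)):
        print(f"{obj['apiVersion']}/{obj['kind']} {obj['metadata']['name']} ({label})")
        for check_id, severity, msg in score(obj):
            print(f"    [{severity}] {check_id}\n        · {msg}")
```

Running the script lists six findings for the original manifest (the ephemeral-storage check fires once for the request and once for the limit), five once `container-image-pull-policy` is ignored, and none for the hardened copy. Note that with `readOnlyRootFilesystem: true` a stock nginx image also needs writable `emptyDir` mounts for its cache and pid directories, which is exactly the sort of runtime detail a static checker cannot see.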