A best practices checker for Kubernetes clusters. 🤠

Clusterlint

As clusters scale and become increasingly difficult to maintain, clusterlint helps operators conform to Kubernetes best practices around resources, security and reliability to avoid common problems while operating or upgrading the clusters.

Clusterlint queries live Kubernetes clusters for resources, executes common and platform-specific checks against these resources and provides actionable feedback to cluster operators. It is a non-invasive tool that is run externally. Clusterlint does not alter the resource configurations.

Background

Kubernetes resources can be configured and applied in many ways. This flexibility often makes it difficult to identify problems across the cluster at the time of configuration. Clusterlint looks at live clusters to analyze all of their resources and report problems, if any.

There are some common best practices to follow while applying configurations to a cluster like:

  • Namespaces are used to limit the scope of the Kubernetes resources created by multiple sets of users within a team. Even though there is a default namespace, dumping all the created resources into one namespace is not recommended. It can lead to privilege escalation, resource name collisions, latency in operations as resources scale up and mismanagement of Kubernetes objects. Having namespaces ensures that resource quotas can be enabled to keep track of node, CPU and memory usage for individual teams.

  • Always specify resource requests and limits on pods: When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on. And when containers have their limits specified, contention for resources on a node can be handled in a specified manner.

While there are problems that are common to clusters irrespective of the environment they are running in, the fact that different Kubernetes configurations (VMs, managed solutions, etc.) have different subtleties affects how workloads run. Clusterlint provides platform-specific checks to identify issues with resources that cluster operators can fix to run in a specific environment.

Some examples of such checks are:

  • On upgrade of a cluster on DOKS, the worker nodes' hostname changes. So, if a user's pod spec relies on the hostname to schedule pods on specific nodes, pod scheduling will fail after upgrade.

Please refer to checks.md to get some background on every check that clusterlint performs.

Install

go get github.com/digitalocean/clusterlint/cmd/clusterlint

The above command creates the clusterlint binary in $GOPATH/bin

Usage

clusterlint list [options]  // list all checks available
clusterlint run [options]  // run all or specific checks

Running in-cluster

Build the docker image to run clusterlint from within a cluster by doing:

docker build -t <hub_username>/clusterlint:<tag> .
docker push <hub_username>/clusterlint:<tag>

If you're running clusterlint from within a Pod, you can use the --in-cluster flag to access the Kubernetes API from the Pod.

clusterlint --in-cluster run

Here's a simple example of a CronJob definition to run clusterlint in the default namespace without RBAC:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: clusterlint-cron
spec:
  schedule: "0 */1 * * *"
  concurrencyPolicy: Replace
  failedJobsHistoryLimit: 3
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: clusterlint
              image: docker.io/<hub_username>/clusterlint:<tag>
              command: ['/clusterlint', '--in-cluster', 'run']
              imagePullPolicy: IfNotPresent
          restartPolicy: Never

If you're using RBAC, see docs/RBAC.md.

Specific checks and groups

All checks that clusterlint performs are categorized into groups. A check can belong to multiple groups. This framework allows one to only run specific checks on a cluster. For instance, if a cluster is running on DOKS, then running checks specific to AWS does not make sense. Clusterlint can blacklist AWS-related checks, if any, while running against a DOKS cluster.

clusterlint run -g basic                // runs only checks that are part of the basic group
clusterlint run -G security            // runs all checks that are not part of the security group
clusterlint run -c default-namespace  // runs only the default-namespace check
clusterlint run -C default-namespace // exclude default-namespace check

Disabling checks via Annotations

Clusterlint provides a way to exempt some special objects in the cluster from being checked. For example, resources in the kube-system namespace often use privileged containers. This can create a lot of noise in the output when a cluster operator is looking for feedback to improve the cluster configurations. To exempt such objects from being checked, add the annotation clusterlint.digitalocean.com/disabled-checks to the resource configuration. The annotation takes a comma-separated list of check names that should be excluded while running clusterlint.

"metadata": {
  "annotations": {
    "clusterlint.digitalocean.com/disabled-checks" : "noop,bare-pods"
  }
}
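The group and check selection flags from the previous section and the disabled-checks annotation above, modelled together in Go as an added example (not clusterlint's own code). The check registry is constructed sample data, and the precedence rule that an exclusion always beats an inclusion is an assumption, not taken from clusterlint's source.

```go
package main

import "strings"

// Check models one clusterlint check: its name plus the groups it belongs to (possibly several).
type Check struct{ Name string; Groups []string }

// Selection mirrors the run flags: -g/-G include/exclude groups, -c/-C include/exclude checks.
type Selection struct{ IncludeGroups, ExcludeGroups, IncludeChecks, ExcludeChecks []string }

// matches reports whether the check is named in names or belongs to any group in groups.
func matches(c Check, names, groups []string) bool {
	for _, n := range names {
		if n == c.Name {
			return true
		}
	}
	for _, g := range c.Groups {
		if matches(Check{Name: g}, groups, nil) { // reuse the name loop to test group membership
			return true
		}
	}
	return false
}

// SelectChecks returns the names of the checks that survive the selection. Assumed semantics (not
// taken from clusterlint's source): without include flags every check is a candidate; exclusions win.
func SelectChecks(all []Check, sel Selection) []string {
	var out []string
	noInclude := len(sel.IncludeGroups) == 0 && len(sel.IncludeChecks) == 0
	for _, c := range all {
		included := noInclude || matches(c, sel.IncludeChecks, sel.IncludeGroups)
		if included && !matches(c, sel.ExcludeChecks, sel.ExcludeGroups) {
			out = append(out, c.Name)
		}
	}
	return out
}

const disabledAnnotation = "clusterlint.digitalocean.com/disabled-checks"

// DisabledChecks parses the comma-separated annotation value into a set of check names (whitespace tolerated).
func DisabledChecks(annotations map[string]string) map[string]bool {
	disabled := map[string]bool{}
	for _, name := range strings.Split(annotations[disabledAnnotation], ",") {
		if name = strings.TrimSpace(name); name != "" {
			disabled[name] = true
		}
	}
	return disabled
}
```

A runner would call SelectChecks once per invocation and DisabledChecks once per object, skipping a check on an object whose annotation names it.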

Building local checks

Some individuals and organizations have Kubernetes best practices that are not applicable to the general community, but which they would like to check with clusterlint. If your check may be useful for anyone else, we encourage you to submit it to clusterlint rather than keeping it local. However, if you have a truly specific check that is not appropriate for sharing with the broader community, you can implement it using Go plugins.

See the example plugin for documentation on how to build a plugin. Please be sure to read the caveats and consider whether you really want to maintain a plugin.

To use your plugin with clusterlint, pass its path on the commandline:

$ clusterlint --plugins=/path/to/plugin.so list
$ clusterlint --plugins=/path/to/plugin.so run -c my-plugin-check

Release

To release a new version of clusterlint, go to the actions page on GitHub, click on Run workflow. Specify the new tag to create. Make sure the tag is prefixed with v.

The workflow does the following:

  • Checks out the source code from the default branch
  • Logs in with the Docker Hub credentials specified as secrets
  • Builds the docker image digitalocean/clusterlint:
  • Pushes digitalocean/clusterlint: to Docker Hub
  • Builds binaries for all architectures and computes sha256 sums for each binary
  • Creates a release and tags the latest commit on the default branch with the input tag specified when the workflow is triggered

Contributing

Contributions are welcome, in the form of either issues or pull requests. Please see the contribution guidelines for details.

License

Copyright 2022 DigitalOcean

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
