• Stars
    star
    800
  • Rank 56,950 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 4 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

KubeEye aims to find various problems on Kubernetes, such as application misconfiguration, unhealthy cluster components and node problems.

English | ไธญๆ–‡

KubeEye is an inspection tool for Kubernetes. It discovers whether Kubernetes resources (by using OPA ), cluster components, cluster nodes (by using Node-Problem-Detector), and other configurations comply with best practices and makes modification suggestions accordingly.

KubeEye supports custom inspection rules and plugin installation. With KubeEye Operator, you can intuitively view the inspection results and modification suggestions on the web console.

Architecture

KubeEye obtains cluster resource details by using Kubernetes APIs, inspects resource configurations by using inspection rules and plugins, and generates inspection results. The architecture of KubeEye is as follows:

kubeeye-architecture

Install and use KubeEye

  1. Install KubeEye on your machine.

    • Method 1: Download the pre-built executable file from Releases.

    • Method 2: Build from the source code.

    Note: KubeEye files will be generated in /usr/local/bin/ on your machine.

    git clone https://github.com/kubesphere/kubeeye.git
    cd kubeeye
    make installke
  2. (Optional) Install Node-problem-Detector.

    Note: If you need detailed reports, run the following command, and then NPD will be installed on your cluster.

    kubeeye install npd
  3. Run KubeEye to inspect clusters.

Note: The results of KubeEye are sorted by resource kind.

kubeeye audit
KIND          NAMESPACE        NAME                                                           REASON                                        LEVEL    MESSAGE
Node                           docker-desktop                                                 kubelet has no sufficient memory available   warning    KubeletHasNoSufficientMemory
Node                           docker-desktop                                                 kubelet has no sufficient PID available      warning    KubeletHasNoSufficientPID
Node                           docker-desktop                                                 kubelet has disk pressure                    warning    KubeletHasDiskPressure
Deployment    default          testkubeeye                                                                                                                  NoCPULimits
Deployment    default          testkubeeye                                                                                                                  NoReadinessProbe
Deployment    default          testkubeeye                                                                                                                  NotRunAsNonRoot
Deployment    kube-system      coredns                                                                                                               NoCPULimits
Deployment    kube-system      coredns                                                                                                               ImagePullPolicyNotAlways
Deployment    kube-system      coredns                                                                                                               NotRunAsNonRoot
Deployment    kubeeye-system   kubeeye-controller-manager                                                                                            ImagePullPolicyNotAlways
Deployment    kubeeye-system   kubeeye-controller-manager                                                                                            NotRunAsNonRoot
DaemonSet     kube-system      kube-proxy                                                                                                            NoCPULimits
DaemonSet     k          ube-system      kube-proxy                                                                                                            NotRunAsNonRoot
Event         kube-system      coredns-558bd4d5db-c26j8.16d5fa3ddf56675f                      Unhealthy                                    warning   Readiness probe failed: Get "http://10.1.0.87:8181/ready": dial tcp 10.1.0.87:8181: connect: connection refused
Event         kube-system      coredns-558bd4d5db-c26j8.16d5fa3fbdc834c9                      Unhealthy                                    warning   Readiness probe failed: HTTP probe failed with statuscode: 503
Event         kube-system      vpnkit-controller.16d5ac2b2b4fa1eb                             BackOff                                      warning   Back-off restarting failed container
Event         kube-system      vpnkit-controller.16d5fa44d0502641                             BackOff                                      warning   Back-off restarting failed container
Event         kubeeye-system   kubeeye-controller-manager-7f79c4ccc8-f2njw.16d5fa3f5fc3229c   Failed                                       warning   Failed to pull image "controller:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for controller, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Event         kubeeye-system   kubeeye-controller-manager-7f79c4ccc8-f2njw.16d5fa3f61b28527   Failed                                       warning   Error: ImagePullBackOff
Role          kubeeye-system   kubeeye-leader-election-role                                                                                          CanDeleteResources
ClusterRole                    kubeeye-manager-role                                                                                                  CanDeleteResources
ClusterRole                    kubeeye-manager-role                                                                                                  CanModifyWorkloads
ClusterRole                    vpnkit-controller                                                                                                     CanImpersonateUser
ClusterRole                    vpnkit-controller                                                                                           CanDeleteResources

How KubeEye can help you

  • It inspects cluster resources according to Kubernetes best practices to ensure that clusters run stably.
  • It detects the control plane problems of the cluster, including kube-apiserver, kube-controller-manager, and etcd.
  • It detects node problems, including memory, CPU, disk pressure, and unexpected kernel error logs.

Checklist

Yes/No Check Item Description Severity
โœ… PrivilegeEscalationAllowed Privilege escalation is allowed. danger
โœ… CanImpersonateUser The Role/ClusterRole can impersonate users. warning
โœ… CanModifyResources The Role/ClusterRole can delete Kubernetes resources. warning
โœ… CanModifyWorkloads The Role/ClusterRole can modify Kubernetes resources. warning
โœ… NoCPULimits No CPU limits are set. danger
โœ… NoCPURequests No CPU resources are reserved. danger
โœ… HighRiskCapabilities High-risk features, such as ALL, SYS_ADMIN, and NET_ADMIN, are enabled. danger
โœ… HostIPCAllowed HostIPC is set to true. danger
โœ… HostNetworkAllowed HostNetwork is set to true. danger
โœ… HostPIDAllowed HostPID is set to true. danger
โœ… HostPortAllowed HostPort is set to true. danger
โœ… ImagePullPolicyNotAlways The image pull policy is not set to always. warning
โœ… ImageTagIsLatest The image tag is latest. warning
โœ… ImageTagMiss The image tag is missing. danger
โœ… InsecureCapabilities Insecure options are missing, such as KILL, SYS_CHROOT, and CHOWN. danger
โœ… NoLivenessProbe Liveless probe is not set. warning
โœ… NoMemoryLimits No memory limits are set. danger
โœ… NoMemoryRequests No memory resources are reserved. danger
โœ… NoPriorityClassName Resource scheduling priority is not set. ignore
โœ… PrivilegedAllowed Pods are running in the privileged mode. danger
โœ… NoReadinessProbe Readiness probe is not set. warning
โœ… NotReadOnlyRootFilesystem readOnlyRootFilesystem is not set to true. warning
โœ… NotRunAsNonRoot runAsNonRoot is not set to true. warning
โœ… CertificateExpiredPeriod The certificate expiry date of the API Server is less than 30 days. danger
โœ… EventAudit Events need to be audited. warning
โœ… NodeStatus Node status needs to be checked. warning
โœ… DockerStatus Docker status needs to be checked. warning
โœ… KubeletStatus kubelet status needs to be checked. warning

Add your own inspection rules

Add custom OPA rules

  1. Create a directory for storing OPA rules.

    mkdir opa
  2. Add custom OPA rule files.

    Note:

    • OPA rule for checking workloads: The package name must be kubeeye_workloads_rego.
    • OPA rule for checking RBAC settings: The package name must be kubeeye_RBAC_rego.
    • OPA rule for checking node settings: The package name must be kubeeye_nodes_rego.
  3. To check whether the image registry address complies with rules, save the following rules to imageRegistryRule.rego

package kubeeye_workloads_rego

deny[msg] {
    resource := input
    type := resource.Object.kind
    resourcename := resource.Object.metadata.name
    resourcenamespace := resource.Object.metadata.namespace
    workloadsType := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
    workloadsType[type]

    not workloadsImageRegistryRule(resource)

    msg := {
        "Name": sprintf("%v", [resourcename]),
        "Namespace": sprintf("%v", [resourcenamespace]),
        "Type": sprintf("%v", [type]),
        "Message": "ImageRegistryNotmyregistry"
    }
}

workloadsImageRegistryRule(resource) {
    regex.match("^myregistry.public.kubesphere/basic/.+", resource.Object.spec.template.spec.containers[_].image)
}
  1. Run KubeEye with custom rules.

Note: Kubeeye will read all files ending with .rego in the directory.

root:# kubeeye audit -p ./opa
NAMESPACE     NAME              KIND          MESSAGE
default       nginx1            Deployment    [ImageRegistryNotmyregistry NotReadOnlyRootFilesystem NotRunAsNonRoot]
default       nginx11           Deployment    [ImageRegistryNotmyregistry PrivilegeEscalationAllowed HighRiskCapabilities HostIPCAllowed HostPortAllowed ImagePullPolicyNotAlways ImageTagIsLatest InsecureCapabilities NoPriorityClassName PrivilegedAllowed NotReadOnlyRootFilesystem NotRunAsNonRoot]
default       nginx111          Deployment    [ImageRegistryNotmyregistry NoCPULimits NoCPURequests ImageTagMiss NoLivenessProbe NoMemoryLimits NoMemoryRequests NoPriorityClassName NotReadOnlyRootFilesystem NoReadinessProbe NotRunAsNonRoot]

Add custom NPD rules

  1. Run the following command to change the ConfigMap:

    kubectl edit ConfigMap node-problem-detector-config -n kube-system 
  2. Run the following command to restart NPD:

    kubectl rollout restart DaemonSet node-problem-detector -n kube-system

KubeEye Operator

What is KubeEye Operator

KubeEye Operator is an inspection platform for Kubernetes. It manages KubeEye to regularly inspect clusters and generate inspection results.

How KubeEye Operator can help you

  • It records inspection results by using CR and provide a web page for you to intuitively view and compare cluster inspection results.
  • It provides more plugins.
  • It provides more detailed modification suggestions.

Deploy KubeEye Operator

kubectl apply -f https://raw.githubusercontent.com/kubesphere/kubeeye/main/deploy/kubeeye.yaml
kubectl apply -f https://raw.githubusercontent.com/kubesphere/kubeeye/main/deploy/kubeeye_insights.yaml

Obtain the inspection results

kubectl get clusterinsight -o yaml
apiVersion: v1
items:
- apiVersion: kubeeye.kubesphere.io/v1alpha1
  kind: ClusterInsight
  metadata:
    name: clusterinsight-sample
    namespace: default
  spec:
    auditPeriod: 24h
  status:
    auditResults:
      auditResults:
      - resourcesType: Node
        resultInfos:
        - namespace: ""
          resourceInfos:
          - items:
            - level: warning
              message: KubeletHasNoSufficientMemory
              reason: kubelet has no sufficient memory available
            - level: warning
              message: KubeletHasNoSufficientPID
              reason: kubelet has no sufficient PID available
            - level: warning
              message: KubeletHasDiskPressure
              reason: kubelet has disk pressure
            name: kubeeyeNode

Contributors โœจ

Thanks goes to these wonderful people (emoji key):


ruiyaoOps

๐Ÿ’ป ๐Ÿ“–

Forest

๐Ÿ“–

zryfish

๐Ÿ“–

shaowenchen

๐Ÿ“–

pixiake

๐Ÿ“–

pengfei

๐Ÿ“–

Harsh Thakur

๐Ÿ’ป

leonharetd

๐Ÿ’ป

panzhen6668

๐Ÿ’ป

Zhengyi Lai

๐Ÿ’ป

This project follows the all-contributors specifications. Contributions of any kind are welcome!

Related Documents

More Repositories

1

kubesphere

The container platform tailored for Kubernetes multi-cloud, datacenter, and edge management โŽˆ ๐Ÿ–ฅ โ˜๏ธ
Go
12,855
star
2

kubekey

Install Kubernetes/K3s only, both Kubernetes/K3s and KubeSphere, and related cloud-native add-ons, it supports all-in-one, multi-node, and HA ๐Ÿ”ฅ โŽˆ ๐Ÿณ
Go
2,027
star
3

console

KubeSphere Console is the web-based UI for KubeSphere clusters.
JavaScript
567
star
4

ks-installer

Install KubeSphere on existing Kubernetes cluster
Jinja
531
star
5

notification-manager

K8s native notification management with multi-tenancy support
Go
224
star
6

kube-events

K8s Event Exporting, Filtering and Alerting in Multi-Tenant Environment
Go
180
star
7

ks-devops

This is a cloud-native application that focuses on the DevOps area.
Go
158
star
8

community

KubeSphere Community
125
star
9

devops-java-sample

SpringBoot demo for DevOps on KubeSphere
Java
117
star
10

helm-charts

Source & Repo of https://charts.kubesphere.io/main & https://charts.kubesphere.io/test
Mustache
97
star
11

kube-design

Kube Design for KubeSphere Console
JavaScript
96
star
12

tower

Proxy for multiple Kubernetes cluster communication
Go
92
star
13

website

KubeSphere website and documentation
SCSS
80
star
14

devops-agent

Agents for Kubesphere DevOps
Dockerfile
66
star
15

s2ioperator

Operator for Source to image
Go
41
star
16

devops-maven-sample

Java
36
star
17

alert

Go
27
star
18

logsidecar-injector

A MutatingAdmissionWebhook that adds a sidecar to your pod. This sidecar is just for forwarding file log on the volume.
Go
26
star
19

ks-jenkins

Jenkins distribution for Kubesphere
Python
24
star
20

dev-guide

A set of development guidelines for KubeSphere developers.
HTML
19
star
21

s2irun

Run s2i in pod
Go
18
star
22

monitoring-dashboard

Custom Metrics Monitoring Dashboard for Apps on KubeSphere
Go
16
star
23

s2i-java-container

Java S2I Builder image
Shell
15
star
24

event-rule-engine

Go
12
star
25

storageclass-accessor

The storageclass-accessor webhook is an HTTP callback which responds to admission requests.
Go
10
star
26

tutorial

KubeSphere tutorial repo, include samples code, docs etc.
Shell
10
star
27

client-go

Go
9
star
28

devops-go-sample

Go
8
star
29

image-sync-config

8
star
30

im

A general identity management system
Go
8
star
31

api

Go
7
star
32

ksbuilder

A CLI tool helps you to manage the development of kubesphere extensions
Go
7
star
33

s2i-java-runtimeImage

a java runtime image for s2i
Shell
5
star
34

alert-adapter

Go
5
star
35

s2i-python-container

Shell
5
star
36

pvc-autoresizer

pvc-autoresizer resizes PersistentVolumeClaims (PVCs) when the free amount of storage is below the threshold.
Go
5
star
37

test-infra

Dockerfile
4
star
38

prometheus-example-app

Smarty
4
star
39

devops-python-sample

devops-python-sample for Kubesphere
Python
4
star
40

kubeeye-console

TypeScript
3
star
41

sonargo

Go
3
star
42

cluster-api-provider-qingcloud

The QingCloud provider implementation of the Cluster Management API
Go
3
star
43

create-ks-project

A CLI tool enables you to quickly set up a KubeSphere Console extension project.
TypeScript
3
star
44

s2i-nodejs-container

Shell
3
star
45

alertmanager-kit

alertmanager-kit encapsulates the interface to alertmanager in a neat way.
Go
3
star
46

ks-prometheus

Jsonnet
2
star
47

aks-kubesphere-linux

KubeSphere on Azure AKS
2
star
48

openpitrix-jobs

Go
2
star
49

container-common-scripts

Shell
2
star
50

s2i-binary-container

Dockerfile
1
star
51

devops-docs-sample

JavaScript
1
star
52

springboot-sample

Java
1
star
53

extension-samples

JavaScript
1
star
54

s2i-base-container

Shell
1
star
55

artwork

๐ŸŽจKubeSphere-related logos and artwork
1
star
56

.github

1
star
57

kubeocean-api

Go
1
star
58

kubectl

kubectl docker image used in kubesphere.
Dockerfile
1
star
59

design-prototypes

Design prototypes for kubesphere console.
HTML
1
star