  • Language: Go
  • License: Apache License 2.0

Repository Details

Kubernetes PreUpGrade (Checker)

Deprecations AKA KubePug - Pre UpGrade (Checker)


KubePug/Deprecations is intended to be a kubectl plugin, which:

  • Downloads a generated data.json file containing Kubernetes API deprecation information
  • Checks the current Kubernetes cluster or input files for objects that use these deprecated API versions, so the user can check before migrating

Features

  • Can run against a Kubernetes cluster, using kubeconfig or the current cluster
  • Can run against a different set of manifest/files
  • Allows specifying the target Kubernetes version to be validated
  • Provides the replacement API that should be used
  • Reports the version in which the API was deprecated or deleted, based on the target cluster version

How to use it as a krew plugin

Just run kubectl krew install deprecations

How to use it with Helm

If you want to verify the manifests generated by Helm, you can run the program as follows:

helm template -f values.yaml . | kubepug --k8s-version v1.22.0 --input-file=-

Change the arguments to kubepug (and to helm template!) as desired.

How to Use it as a standalone program

Download the correct version from the Releases page.

After that, the command can be used just as kubectl, but with the following flags:

$ kubepug --help
[...]
Flags:
      --cluster string           The name of the kubeconfig cluster to use
      --context string           The name of the kubeconfig context to use
      --database string          Sets the generated database location. Can be remote file or local (default "https://kubepug.xyz/data/data.json")
      --error-on-deleted         If a deleted object is found, the program will exit with return code 1 instead of 0. Defaults to false
      --error-on-deprecated      If a deprecated object is found, the program will exit with return code 1 instead of 0. Defaults to false
      --filename string          Name of the file the results will be saved to, if empty it will display to stdout
      --format string            Format in which the list will be displayed [stdout, plain, json, yaml] (default "stdout")
  -h, --help                     help for kubepug
      --input-file string        Location of a file or directory containing k8s manifests to be analized
      --k8s-version string       Which kubernetes release version (https://github.com/kubernetes/kubernetes/releases) should be used to validate objects. Defaults to master (default "master")
      --kubeconfig string        Path to the kubeconfig file to use for CLI requests.
      --tls-server-name string   Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
  -v, --verbosity string         Log level: debug, info, warn, error, fatal, panic (default "warning")

Checking a Kubernetes Cluster

You can check the status of a running cluster with the following command.

$ kubepug --k8s-version=v1.22 # Will verify the current context against v1.22 version
[...]
RESULTS:
Deprecated APIs:
PodSecurityPolicy found in policy/v1beta1
	 ├─ Deprecated at: 1.21
	 ├─ PodSecurityPolicy governs the ability to make requests that affect the Security Contextthat will be applied to a pod and container.Deprecated in 1.21.
		-> OBJECT: restrictive namespace: default

Deleted APIs:
	 APIs REMOVED FROM THE CURRENT VERSION AND SHOULD BE MIGRATED IMMEDIATELY!!
Ingress found in extensions/v1beta1
	 ├─ Deleted at: 1.22
	 ├─ Replacement: networking.k8s.io/v1/Ingress
	 ├─ Ingress is a collection of rules that allow inbound connections to reach theendpoints defined by a backend. An Ingress can be configured to give servicesexternally-reachable urls, load balance traffic, terminate SSL, offer namebased virtual hosting etc.DEPRECATED - This group version of Ingress is deprecated by networking.k8s.io/v1beta1 Ingress. See the release notes for more information.
		-> OBJECT: bla namespace: blabla

Putting Kubepug in your CI / Checking input files

You can verify files with the following:

$ kubepug --input-file=./deployment/ --error-on-deleted --error-on-deprecated

With the command above:

  • The data.json from https://kubepug.xyz/data/data.json will be used
  • All YAML files (excluding subdirectories) will be verified
  • The program will exit with an error if deprecated or deleted objects are found.

Air-gapped environment

This applies when you have a secure environment with no internet connectivity.

The data.json file is generated every hour, based on the latest stable version of the Kubernetes API. You can download it from https://kubepug.xyz/data/data.json and move it to a safe location.

Then run kubepug pointing to the location of this file:

kubepug --k8s-version=v1.22 --database=location/of/your/data.json

Building your own data.json file

Steps to follow:

  1. Clone/download this repository and build the container from the generator/ directory:

git clone https://github.com/rikatz/kubepug
cd kubepug
docker build -t generator -f generator/Dockerfile generator

  2. Generate the data.json:

docker run generator > data.json

The generator uses the latest stable Kubernetes API version. If you want the latest dev version, run it as:

docker run -e VERSION=master generator > data.json

  3. Securely move the JSON file to your air-gapped environment, to the folder of your choosing. This folder will be used by kubepug.

  4. Execute kubepug with the --database option, like this:

kubepug --k8s-version=v1.22 --database=location/of/your/data.json
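
One way to make the "securely move" step checkable, as an added example that is not part of the kubepug repository: record a SHA-256 digest on the connected side and refuse to run kubepug on the air-gapped side unless the file still matches. The function names are hypothetical, `sha256sum` from GNU coreutils is assumed, and the `.sha256` file should travel by a different channel than data.json itself.

```shell
#!/bin/sh
# Added example (not from the kubepug repository). seal_database,
# verify_database and run_kubepug_offline are hypothetical helper names.

# Connected side: write "<sha256>  data.json" next to the database file.
seal_database() {
    db="$1"
    ( cd "$(dirname "$db")" &&
      sha256sum "$(basename "$db")" > "$(basename "$db").sha256" )
}

# Air-gapped side: recompute the digest and compare.
# Returns 0 = match, 1 = mismatch, 2 = database or digest file missing.
verify_database() {
    db="$1"
    [ -f "$db" ] && [ -f "$db.sha256" ] || return 2
    ( cd "$(dirname "$db")" &&
      sha256sum -c "$(basename "$db").sha256" >/dev/null 2>&1 ) || return 1
    return 0
}

# Fail closed: kubepug only ever reads a database that passed the check.
# Remaining arguments are passed through to kubepug unchanged.
run_kubepug_offline() {
    db="$1"
    shift
    if ! verify_database "$db"; then
        echo "refusing to use $db: digest missing or mismatched" >&2
        return 1
    fi
    kubepug --database="$db" "$@"
}

# On the connected host:   seal_database ./data.json
# On the air-gapped host:  run_kubepug_offline location/of/your/data.json --k8s-version=v1.22
```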

Example of Usage in CI with Github Actions

name: Sample CI Workflow
# This workflow is triggered on pushes to the repository.
on: [push]
env:
  HELM_VERSION: "v3.9.0"
  K8S_TARGET_VERSION: "v1.22.0"

jobs:
 api-deprecations-test:
    runs-on: ubuntu-latest
    steps:
      - name: Check-out repo
        uses: actions/checkout@v2

      - uses: azure/setup-helm@v1
        with:
          version: ${{ env.HELM_VERSION }}
        id: install

      - uses: cpanato/[email protected]

      - name: Run Kubepug with your Helm Charts Repository
        run: |
          find charts -mindepth 1 -maxdepth 1 -type d | xargs -t -n1 -I% /bin/bash -c 'helm template % --kube-version ${K8S_TARGET_VERSION} | kubepug --error-on-deprecated --error-on-deleted --k8s-version ${K8S_TARGET_VERSION} --input-file /dev/stdin'
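
A stricter form of the chart loop above, as an added example that is not part of the kubepug repository: in a `helm template | kubepug` pipeline only kubepug's exit code reaches the caller, so this version renders each chart to a file first and fails the gate when the render fails or is empty. The function names `check_chart` and `check_charts` are hypothetical, and `--kube-version` assumes a Helm 3 release that supports that flag.

```shell
#!/bin/sh
# Added example (not from the kubepug repository). check_chart and
# check_charts are hypothetical helper names; helm and kubepug must be on PATH.
K8S_TARGET_VERSION="${K8S_TARGET_VERSION:-v1.22.0}"

# Render one chart to a temp file, then scan that file.
# Returns 0 = clean, 1 = kubepug exited non-zero, 2 = nothing usable rendered.
check_chart() {
    chart_dir="$1"
    rendered="$(mktemp)" || return 2
    # Check helm's own status and reject an empty render, which would give
    # the scanner nothing to inspect.
    if ! helm template "$chart_dir" --kube-version "$K8S_TARGET_VERSION" > "$rendered" \
        || [ ! -s "$rendered" ]; then
        echo "render failed or empty: $chart_dir" >&2
        rm -f "$rendered"
        return 2
    fi
    scan_rc=0
    kubepug --k8s-version "$K8S_TARGET_VERSION" \
        --error-on-deprecated --error-on-deleted \
        --input-file "$rendered" || scan_rc=$?
    rm -f "$rendered"
    if [ "$scan_rc" -ne 0 ]; then
        echo "kubepug exited $scan_rc for: $chart_dir" >&2
        return 1
    fi
    return 0
}

# Scan every chart directory directly under $1. Keeps going after a failure
# so one run lists all offending charts, then returns the worst status seen.
check_charts() {
    worst=0
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        chart_rc=0
        check_chart "$dir" || chart_rc=$?
        if [ "$chart_rc" -gt "$worst" ]; then worst=$chart_rc; fi
    done
    return "$worst"
}

# In the workflow's run step:  check_charts charts || exit 1
```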


References

As I've used this project to learn Go and also some Kubernetes client-go, some parts of this plugin are based on Caio Begotti's Pod-Tree, Ahmet Balkan's kubectl-tree and Bitnami Kubecfg.

Logo based on "Hand vector created by freepik" - br.freepik.com
