Displays the RBAC access matrix for server resources.
Have you ever wondered what access you actually have to the Kubernetes cluster you have been given? For a single resource you can run kubectl auth can-i list deployments, but what if you want the complete picture? That is exactly what this plugin provides: it lists the current user's access rights for every resource the API server exposes, similar to kubectl auth can-i --list but laid out as a matrix of resources against verbs.
Installation
kubectl krew install access-matrix
Usage
# Review access to cluster-scoped resources
$ kubectl access-matrix
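To make clear what the matrix actually represents, here is an added example that is not code from the access-matrix plugin: a local simulation that derives the same kind of matrix from Role/ClusterRole rules. The plugin itself asks the API server through SelfSubjectAccessReview; this version evaluates rules you paste in, so it runs offline. The rules, the resource inventory and the verbs below are constructed for illustration.

```python
# Added example, not code from the access-matrix plugin: a local simulation of how
# an RBAC access matrix is derived from Role/ClusterRole rules. The real plugin asks
# the API server (SelfSubjectAccessReview); this evaluates pasted-in rules offline.
# All rules and resources below are constructed.

VERBS = ("list", "create", "update", "delete")

# Constructed rules in the shape of a Role's `rules:` list.
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
]

# Constructed inventory of (apiGroup, resource) pairs, as `kubectl api-resources`
# would list them; "" is the core group.
SAMPLE_RESOURCES = [
    ("", "pods"), ("", "secrets"), ("", "configmaps"),
    ("apps", "deployments"), ("rbac.authorization.k8s.io", "roles"),
]


def _matches(wanted, allowed):
    """RBAC list semantics: an entry of '*' matches anything."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, group, resource, verb):
    """One rule grants the verb only if group, resource and verb all match."""
    return (_matches(group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))


def access_matrix(rules, resources, verbs=VERBS):
    """Return {(group, resource): {verb: bool}}.

    RBAC is deny-by-default and purely additive: a verb is allowed as soon as any
    single rule grants it; there are no deny rules to consider.
    """
    return {
        (group, resource): {
            verb: any(rule_allows(r, group, resource, verb) for r in rules)
            for verb in verbs
        }
        for group, resource in resources
    }


def risky_grants(matrix):
    """Rows a reviewer should look at twice, keyed by (group, resource)."""
    risky = {}
    for (group, resource), verbs in matrix.items():
        if group == "" and resource == "secrets" and verbs.get("list"):
            # `list` on secrets returns every secret's data: effectively `get` on all of them.
            risky[(group, resource)] = "can read all secrets in scope"
        elif all(verbs.values()):
            risky[(group, resource)] = "full control (every verb allowed)"
    return risky


def render(matrix):
    """Return a table similar to the plugin's output (✔ allowed, ✖ denied)."""
    lines = [f"{'NAME':40} " + " ".join(f"{v:>6}" for v in VERBS)]
    for (group, resource), verbs in sorted(matrix.items()):
        name = f"{resource}.{group}" if group else resource
        marks = " ".join(f"{'✔' if verbs[v] else '✖':>6}" for v in VERBS)
        lines.append(f"{name:40} {marks}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = access_matrix(SAMPLE_RULES, SAMPLE_RESOURCES)
    print(render(m))
    for key, why in risky_grants(m).items():
        print("REVIEW:", key, why)
```

The risky_grants helper is the part worth keeping when you read a real matrix: list on secrets and a full row of ticks are the two rows that usually deserve a follow-up question, whichever tool produced the table.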
kubectl-cost is a kubectl plugin that provides simple CLI access to Kubernetes cost allocation metrics through the Kubecost API. It lets developers, DevOps engineers and others quickly determine the cost and efficiency of their Kubernetes workloads.
Kubecost itself must already be running in the cluster; once its Helm release is installed, the output looks like this:
NAME: kubecost
LAST DEPLOYED: Sat Nov 27 13:44:30 2021
NAMESPACE: kubecost
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
--------------------------------------------------
Kubecost has been successfully installed. When pods are Ready, you can enable port-forwarding with the following command:
kubectl port-forward --namespace kubecost deployment/kubecost-cost-analyzer 9090
Next, navigate to http://localhost:9090 in a web browser.
Having installation issues? View our Troubleshooting Guide at http://docs.kubecost.com/troubleshoot-install
Install the kubectl cost plugin:
kubectl krew install cost
Usage
The same cost data can also be viewed directly in the browser through the port-forwarded Kubecost dashboard.
Checks the cluster for deprecated API objects. It is typically run before upgrading Kubernetes. The plugin is also known as KubePug.
Installation
kubectl krew install deprecations
Usage
It is just as simple to use: run kubectl deprecations and, as shown below, it reports which APIs in use are deprecated, in which version they were deprecated and in which version they disappear. That makes it easy to plan the Kubernetes upgrade.
$ kubectl deprecations
W1127 16:04:58.641429   28561 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
W1127 16:04:58.664058   28561 warnings.go:70] v1 ComponentStatus is deprecated in v1.19+
W1127 16:04:59.622247   28561 warnings.go:70] apiregistration.k8s.io/v1beta1 APIService is deprecated in v1.19+, unavailable in v1.22+; use apiregistration.k8s.io/v1 APIService
W1127 16:05:00.777598   28561 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W1127 16:05:00.808486   28561 warnings.go:70] extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
RESULTS:
Deprecated APIs:

PodSecurityPolicy found in policy/v1beta1
  ├─ PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container. Deprecated in 1.21.
    -> GLOBAL: kube-prometheus-stack-admission
    -> GLOBAL: loki-grafana-test
    -> GLOBAL: loki-promtail
    -> GLOBAL: loki
    -> GLOBAL: loki-grafana
    -> GLOBAL: prometheus-operator-grafana-test
    -> GLOBAL: prometheus-operator-alertmanager
    -> GLOBAL: prometheus-operator-grafana
    -> GLOBAL: prometheus-operator-prometheus
    -> GLOBAL: prometheus-operator-prometheus-node-exporter
    -> GLOBAL: prometheus-operator-kube-state-metrics
    -> GLOBAL: prometheus-operator-operator
    -> GLOBAL: kubecost-grafana
    -> GLOBAL: kubecost-cost-analyzer-psp

ComponentStatus found in /v1
  ├─ ComponentStatus (and ComponentStatusList) holds the cluster validation info. Deprecated: This API is deprecated in v1.19+
    -> GLOBAL: controller-manager
    -> GLOBAL: scheduler
Deleted APIs:
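The plugin inspects what is live in the cluster. Before an upgrade you usually also want to check what is still going to be applied from manifests or Helm charts in CI. The following is an added example, not KubePug's own code: a small offline scanner that applies the deprecation information from the warnings above to a set of manifests and says which objects merely warn and which will actively block the target version. The deprecation table is taken from those warnings; the manifests are constructed for illustration.

```python
import re

# Added example, not KubePug's code: applies the deprecation facts printed by the
# API server above to manifests on disk, so CI can catch them before an upgrade.
# (apiVersion, kind) -> (deprecated since, removed in or None, replacement apiVersion or None)
DEPRECATED = {
    ("policy/v1beta1", "PodSecurityPolicy"): ("1.21", "1.25", None),
    ("v1", "ComponentStatus"): ("1.19", None, None),
    ("apiregistration.k8s.io/v1beta1", "APIService"): ("1.19", "1.22", "apiregistration.k8s.io/v1"),
    ("apiextensions.k8s.io/v1beta1", "CustomResourceDefinition"): ("1.16", "1.22", "apiextensions.k8s.io/v1"),
    ("extensions/v1beta1", "Ingress"): ("1.14", "1.22", "networking.k8s.io/v1"),
}

# Constructed multi-document manifest, the kind of thing `kubectl get -o yaml` or a
# rendered Helm chart produces.
SAMPLE_MANIFESTS = """\
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
spec: {}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kubecost-cost-analyzer-psp
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  template:
    spec:
      containers:
      - name: api
"""


def parse_version(v):
    """'v1.22' -> (1, 22) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.lstrip("v").split("."))


def split_documents(text):
    return [d for d in re.split(r"(?m)^---[ \t]*$", text) if d.strip()]


def document_fields(doc):
    """Extract apiVersion, kind and metadata.name with plain regexes (no PyYAML needed)."""
    api = re.search(r"(?m)^apiVersion:\s*(\S+)", doc)
    kind = re.search(r"(?m)^kind:\s*(\S+)", doc)
    # The first indented `name:` is metadata.name; container names come later in the file.
    name = re.search(r"(?m)^[ \t]+name:\s*(\S+)", doc)
    return tuple(m.group(1) if m else None for m in (api, kind, name))


def check_manifests(text, target_version):
    """One finding per deprecated object; `blocking` means it no longer exists on the target version."""
    target = parse_version(target_version)
    findings = []
    for doc in split_documents(text):
        api, kind, name = document_fields(doc)
        info = DEPRECATED.get((api, kind))
        if info is None:
            continue
        since, removed, replacement = info
        findings.append({
            "kind": kind, "name": name, "apiVersion": api,
            "deprecated_since": since, "removed_in": removed, "replacement": replacement,
            "blocking": removed is not None and parse_version(removed) <= target,
        })
    return findings


def report(text, target_version):
    lines = []
    for f in check_manifests(text, target_version):
        status = "BLOCKS UPGRADE" if f["blocking"] else "deprecated"
        fix = f"migrate to {f['replacement']}" if f["replacement"] else "no replacement, remove it"
        lines.append(f"{status}: {f['kind']}/{f['name']} uses {f['apiVersion']} "
                     f"(deprecated {f['deprecated_since']}, removed {f['removed_in']}); {fix}")
    return lines


if __name__ == "__main__":
    for target in ("1.22", "1.25"):
        print(f"== target {target}")
        print("\n".join(report(SAMPLE_MANIFESTS, target)) or "nothing deprecated")
```

Run against the sample with a 1.22 target, the Ingress blocks the upgrade while the PodSecurityPolicy only warns; with a 1.25 target both block, and the PSP has no replacement apiVersion at all, which is the case that needs a real migration plan rather than a find-and-replace.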
The kubesec-scan plugin scores a workload against the kubesec.io security rules and lists the advice it has not followed. It can also be run as a gate in CI pipelines:
$ kubectl kubesec-scan statefulset loki -n loki-stack
scanning statefulset loki in namespace loki-stack
kubesec.io score: 4
-----------------
Advise
1. .spec .volumeClaimTemplates[] .spec .accessModes | index("ReadWriteOnce")
2. containers[] .securityContext .runAsNonRoot == true
Force the running image to run as a non-root user to ensure least privilege
3. containers[] .securityContext .capabilities .drop
Reducing kernel capabilities available to a container limits its attack surface
4. containers[] .securityContext .runAsUser > 10000
Run as a high-UID user to avoid conflicts with the host's user table
5. containers[] .securityContext .capabilities .drop | index("ALL")
Drop all capabilities and add only those required to reduce syscall attack surface
Scans the cluster for potential resource issues. This is Popeye, the same scanner that K9s integrates.
Popeye is a utility that scans live Kubernetes clusters and reports potential issues with deployed resources and configurations. It scans the cluster based on what is actually deployed, not what is sitting on disk. By scanning the cluster it detects misconfigurations and helps you make sure best practices are in place, to avoid future headaches. It aims to reduce the cognitive overload of operating Kubernetes clusters in the wild. If the cluster runs a metrics server, it also reports over- and under-allocation of resources and tries to warn you when the cluster is about to run out of capacity.
Popeye is a read-only tool that doesn’t change any of your Kubernetes resources in any way!
PODS (7 SCANNED)                                                    💥 0 😱 7 🔊 0 ✅ 0 0%
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
· loki-stack/loki-0..........................................................😱
    🔊 [POP-206] No PodDisruptionBudget defined.
    😱 [POP-301] Connects to API Server? ServiceAccount token is mounted.
    🐳 loki
      😱 [POP-106] No resources requests/limits defined.
· loki-stack/loki-grafana-8bffbb679-szdpj....................................😱
    🔊 [POP-206] No PodDisruptionBudget defined.
    😱 [POP-301] Connects to API Server? ServiceAccount token is mounted.
    🐳 grafana
      😱 [POP-106] No resources requests/limits defined.
      🔊 [POP-105] Liveness probe uses a port#, prefer a named port.
      🔊 [POP-105] Readiness probe uses a port#, prefer a named port.
    🐳 grafana-sc-datasources
      😱 [POP-106] No resources requests/limits defined.
· loki-stack/loki-promtail-5d5h8.............................................😱
    🔊 [POP-206] No PodDisruptionBudget defined.
    😱 [POP-301] Connects to API Server? ServiceAccount token is mounted.
    😱 [POP-302] Pod could be running as root user. Check SecurityContext/image.
    🐳 promtail
      😱 [POP-106] No resources requests/limits defined.
      😱 [POP-103] No liveness probe.
      😱 [POP-306] Container could be running as root user. Check SecurityContext/Image.

SUMMARY
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅
Your cluster score: 80 -- B
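The kubesec advice and the Popeye findings above look at the same few fields of a pod spec. To show what each finding actually inspects, here is an added example that is not code from Popeye or kubesec: a minimal pod-spec linter implementing the checks behind POP-103, POP-106, POP-301 and POP-306 and kubesec's runAsNonRoot, runAsUser and capabilities advice. The KSEC- codes are invented here for the kubesec items, the POP-306 test approximates Popeye's, and both pod specs are constructed, loosely modelled on the promtail pod in the output above.

```python
# Added example, not code from Popeye or kubesec: a minimal pod-spec linter for the
# findings shown above. KSEC-* codes are made up here; POP-* numbers follow Popeye's.

# Constructed pod as a plain dict (what `kubectl get pod -o json` gives you).
WEAK_POD = {
    "metadata": {"name": "loki-promtail-5d5h8", "namespace": "loki-stack"},
    "spec": {
        "containers": [{"name": "promtail", "image": "grafana/promtail:2.4.1"}],
    },
}

HARDENED_POD = {
    "metadata": {"name": "loki-promtail-5d5h8", "namespace": "loki-stack"},
    "spec": {
        "automountServiceAccountToken": False,   # POP-301
        "containers": [{
            "name": "promtail",
            "image": "grafana/promtail:2.4.1",
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},   # POP-106
            "livenessProbe": {"httpGet": {"path": "/ready", "port": "http"}},  # POP-103
            "securityContext": {
                "runAsNonRoot": True,                 # POP-306, kubesec advice 2
                "runAsUser": 10001,                   # kubesec advice 4 (> 10000)
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},    # kubesec advice 3 and 5
            },
        }],
    },
}


def lint_pod(pod):
    """Return a list of (code, message) findings for one pod object."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []

    # The SA token is mounted into every container unless this is explicitly false
    # (here or on the ServiceAccount); a compromised container can then reach the API server.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("POP-301", "ServiceAccount token is mounted"))

    for c in spec.get("containers", []):
        name = c["name"]
        # runAsNonRoot/runAsUser may be set on the pod and overridden per container;
        # capabilities exist only at container level, so a flat merge is enough here.
        sc = {**pod_sc, **c.get("securityContext", {})}
        res = c.get("resources", {})
        if not res.get("requests") or not res.get("limits"):
            findings.append(("POP-106", f"{name}: no resources requests/limits defined"))
        if "livenessProbe" not in c:
            findings.append(("POP-103", f"{name}: no liveness probe"))

        non_root = sc.get("runAsNonRoot") is True
        uid = sc.get("runAsUser")
        if not non_root and (uid is None or uid == 0):
            findings.append(("POP-306", f"{name}: container could be running as root"))
        if not non_root:
            findings.append(("KSEC-RUNASNONROOT", f"{name}: set securityContext.runAsNonRoot: true"))
        if uid is None or uid <= 10000:
            findings.append(("KSEC-HIGHUID", f"{name}: runAsUser should be > 10000"))
        drop = sc.get("capabilities", {}).get("drop", [])
        if not drop:
            findings.append(("KSEC-CAPDROP", f"{name}: no capabilities dropped"))
        elif "ALL" not in drop:
            findings.append(("KSEC-CAPDROPALL", f"{name}: drop ALL, then add back only what is needed"))
    return findings


def codes(pod):
    """Sorted, de-duplicated finding codes, handy for assertions in CI."""
    return sorted({code for code, _ in lint_pod(pod)})


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"== {label}: {len(lint_pod(pod))} finding(s)")
        for code, msg in lint_pod(pod):
            print(f"  [{code}] {msg}")
```

The two specs side by side make the point of both tools: every finding on the weak pod is fixed by a handful of fields on the container, and none of them changes what the application does, only what a compromised container is able to do.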
Provides an overview of resource requests, limits, and usage.
This is a simple CLI that provides an overview of resource requests, limits, and utilization in a Kubernetes cluster. It attempts to combine the best parts of the output from kubectl top and kubectl describe into one easy-to-use CLI that focuses on cluster resources.
Installation
kubectl krew install resource-capacity
Usage
By default it reports capacity per node; it can also break the figures down per pod, filter by label, sort the output, and so on.
Highly recommended; it proved very useful when analysing an earlier pod network problem. It uses tcpdump and Wireshark to start a remote packet capture on a pod.
Kubernetes tail. Streams the logs of all containers in the matching pods. Pods can be matched by service, replicaset, deployment, and so on. It adapts to a changing cluster: when pods fall in or out of the selection, they are added to or removed from the stream.
Reverse tunnel between the cluster and your own machine.
It allows you to expose your machine as a service in the cluster, or to expose it to a specific deployment. The purpose of the project is to provide a complete solution to this particular problem: reaching a local machine from Kubernetes pods.
Installation
kubectl krew install tunnel
Usage
The following commands let pods in the cluster reach your local web application (listening on port 8000) over HTTP, i.e. applications in the cluster can send requests to myapp:80. Keep in mind that this is a reverse tunnel: every pod that can reach that service can now reach your machine, so use it in development clusters only.
ktunnel expose myapp 80:8000
ktunnel expose myapp 80:8000 -r   # deployment & service will be reused if they exist, otherwise created
A kubectl (Kubernetes CLI) plugin that works like kubectl run combined with rsync.
It creates a temporary pod, syncs local files into the desired container and executes any command you give it.
For example, this can be used to build and run your local project in Kubernetes, with more resources or the required CPU architecture, while you keep using your preferred editor locally.