[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Easily check your clusters for use of deprecated APIs

License

Notifications You must be signed in to change notification settings

doitintl/kube-no-trouble

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Kubent (Kube-No-Trouble) logo

Easily check your clusters for use of deprecated APIs

Kubernetes 1.16 is slowly starting to roll out, not only across various managed Kubernetes offerings, and with that come a lot of API deprecations1.

Kube No Trouble (kubent) is a simple tool to check whether you're using any of these API versions in your cluster and therefore should upgrade your workloads first, before upgrading your Kubernetes cluster.

This tool will be able to detect deprecated APIs depending on how you deploy your resources, as we need the original manifest to be stored somewhere. In particular following tools are supported:

  • file - local manifests in YAML or JSON
  • kubectl - uses the kubectl.kubernetes.io/last-applied-configuration annotation
  • Helm v3 - uses Helm manifests stored as Secrets or ConfigMaps directly in individual namespaces

Additional resources:

Install

Run the following command in your terminal to install kubent using a shell script:

sh -c "$(curl -sSL https://git.io/install-kubent)"

(Unless specified the script will download latest version and unpack to /usr/local/bin/).

Note: Do not run random scripts from strangers on the internet. Read what the above script does first.

Manual Installation

You can download the latest release for your cpu architectures and operating system. You can then place it on your path.

We currently maintain, the following operating systems and cpu architectures:

  • Linux amd64
  • Linux arm64
  • Darwin amd64
  • Darwin arm64
  • Windows amd64

Historically Windows on arm, has not received the best support. If this changes we may add it.

Third-Party Installation

Please note that third-party installation methods are maintained by the community. The packages may not always be up-to-date with the latest releases of kubent.

Homebrew

kubent is available as a formula on Homebrew. If you're using macOS or Linux, you can run the following command to install kubent:

brew install kubent

Scoop

kubent is available for Scoop as an app. Install kubent by running:

scoop install kubent

Usage

Configure Kubectl's current context to point to your cluster, kubent will look for the kube .config file in standard locations (you can point it to custom location using the -k switch).

kubent will collect resources from your cluster and report on found issues.

Please note that you need to have sufficient permissions to read Secrets in the cluster in order to use Helm* collectors.

$./kubent
6:25PM INF >>> Kube No Trouble `kubent` <<<
6:25PM INF Initializing collectors and retrieving data
6:25PM INF Retrieved 103 resources from collector name=Cluster
6:25PM INF Retrieved 0 resources from collector name="Helm v3"
6:25PM INF Loaded ruleset name=deprecated-1-16.rego
6:25PM INF Loaded ruleset name=deprecated-1-20.rego
__________________________________________________________________________________________
>>> 1.16 Deprecated APIs <<<
------------------------------------------------------------------------------------------
KIND         NAMESPACE     NAME                    API_VERSION
Deployment   default       nginx-deployment-old    apps/v1beta1
Deployment   kube-system   event-exporter-v0.2.5   apps/v1beta1
Deployment   kube-system   k8s-snapshots           extensions/v1beta1
Deployment   kube-system   kube-dns                extensions/v1beta1
__________________________________________________________________________________________
>>> 1.20 Deprecated APIs <<<
------------------------------------------------------------------------------------------
KIND      NAMESPACE   NAME           API_VERSION
Ingress   default     test-ingress   extensions/v1beta1

Arguments

You can list all the configuration options available using --help switch:

$./kubent -h
Usage of ./kubent:
  -A, --additional-annotation strings   additional annotations that should be checked to determine the last applied config
  -a, --additional-kind strings         additional kinds of resources to report in Kind.version.group.com format
  -c, --cluster                         enable Cluster collector (default true)
  -x, --context string                  kubeconfig context
  -e, --exit-error                      exit with non-zero code when issues are found
  -f, --filename strings                manifests to check, use - for stdin
      --helm3                           enable Helm v3 collector (default true)
  -k, --kubeconfig string               path to the kubeconfig file
  -l, --log-level string                set log level (trace, debug, info, warn, error, fatal, panic, disabled) (default "info")
  -o, --output string                   output format - [text|json|csv] (default "text")
  -O, --output-file string        output file, use - for stdout (default "-")
  -t, --target-version string           target K8s version in SemVer format (autodetected by default)
  -v, --version                         prints the version of kubent and exits
  • --additional-annotation Check additional annotations for the last applied configuration. This can be useful if a resource was applied with a tool other than kubectl. The flag can be used multiple times.

  • -a, --additional-kind Tells kubent to flag additional custom resources when found in the specified version. The flag can be used multiple times. The expected format is full Kind.version.group.com form - e.g. -a ManagedCertificate.v1.networking.gke.io.

  • -x, --context Select context from kubeconfig file (current-context from the file is used by default).

  • -k, --kubeconfig Path to kubeconfig file to use. This takes precedence over KUBECONFIG environment variable, which is also supported and can contain multiple paths, and default ~/.kube/config.

  • -t, --target-version kubent will try to detect K8S cluster version and display only relevant findings. This flag allows to override this version for scenarios like use in CI with the file collector only, when detection from an actual cluster is not possible. Expected format is major.minor[.patch], e.g. 1.16 or 1.16.3.

Docker Image

We also publish official container image, which can be found at: ghcr.io/doitintl/kube-no-trouble:latest (also available tagged with each individual release version).

To run locally, you'll need to provide credentials, e.g. by sharing your kubectl config:

$ docker run -it --rm \
    -v "${HOME}/.kube/config:/.kubeconfig" \
    ghcr.io/doitintl/kube-no-trouble:latest \
    -k /.kubeconfig

You can use kubectl run to run inside a K8S cluster, as a one-off. In that case the credentials will be picked up via the pod's service account from the environment, but you'll want to grant relevant permissions first (see docs/k8s-sa-and-role-example.yaml):

$ kubectl run kubent --restart=Never --rm -i --tty \
    --image ghcr.io/doitintl/kube-no-trouble:latest \
    --overrides='{"spec": {"serviceAccount": "kubent"}}'

Use in CI

Exit codes

kubent will by default return 0 exit code if the program succeeds, even if it finds deprecated resources, and non-zero exit code if there is an error during runtime. Because all info output goes to stderr, it's easy to check in shell if any issues were found:

test -z "$(kubent)"                 # if stdout output is empty, means no issues were found
                                    # equivalent to [ -z "$(kubent)" ]

It's actually better so split this into two steps, in order to differentiate between runtime error and found issues:

if ! OUTPUT="$(kubent)"; then       # check for non-zero return code first
  echo "kubent failed to run!"
elif [ -n "${OUTPUT}" ]; then       # check for empty stdout
  echo "Deprecated resources found"
fi

You can also use --exit-error (-e) flag, which will make kubent to exit with non-zero return code (200) in case any issues are found.

Alternatively, use the json output and smth. like jq to check if the result is empty:

kubent -o json | jq -e 'length == 0'

Scanning all files in directory

If you want to scan all files in a given directory, you can use the following shell snippet:

FILES=($(ls *.yaml)); kubent ${FILES[@]/#/-f} --helm3=false -c=false

Development

The simplest way to build kubent is:

# Clone the repository
git clone https://github.com/doitintl/kube-no-trouble.git
cd kube-no-trouble/
# Build
go build -o bin/kubent ./...

Otherwise there's Makefile

$ make
make
all                            Clean, build and pack
help                           Prints list of tasks
build                          Build binary
generate                       Go generate
release-artifacts              Create release artifacts
clean                          Clean build artifacts

Issues and Contributions

Please open any issues and/or PRs against github.com/doitintl/kube-no-trouble repository. See our contribution guide for more details