Skip to content

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.

License

Notifications You must be signed in to change notification settings

gruzchik/kube-score

 
 

Repository files navigation

kube-score

Go Report Card Test Go Releases GitHub stars Downloads License


kube-score is a tool that performs static code analysis of your Kubernetes object definitions.

The output is a list of recommendations of what you can improve to make your application more secure and resilient.

You can test kube-score out in the browser with the online demo (source).

Installation

kube-score is easy to install, and is available from the following sources:

Distribution Command / Link
Pre-built binaries for macOS, Linux, and Windows GitHub releases
Docker docker pull zegl/kube-score (Docker Hub)
Homebrew (macOS and Linux) brew install kube-score
Krew (macOS and Linux) kubectl krew install score

Sponsors

Your company here?

Checks

For a full list of checks, see README_CHECKS.md.

  • Container limits (should be set)
  • Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended
  • Deployments and StatefulSets should have a PodDisruptionPolicy
  • Deployments and StatefulSets should have host PodAntiAffinity configured
  • Container probes, a readiness should be configured, and should not be identical to the liveness probe. Read more in README_PROBES.md.
  • Container securityContext, run as high number user/group, do not run as root or with privileged root fs. Read more in README_SECURITYCONTEXT.md.
  • Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)

Example output

Usage in CI

kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.

The input to kube-score should be all applications that you deploy to the same namespace for the best result.

Example with Helm

helm template my-app | kube-score score -

Example with Kustomize

kustomize build . | kube-score score -

Example with static YAMLs

kube-score score my-app/*.yaml
kube-score score my-app/deployment.yaml my-app/service.yaml

Example with an existing cluster

kubectl api-resources --verbs=list --namespaced -o name \
  | xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---" \
  | kube-score score -

Example with Docker

docker run -v $(pwd):/project zegl/kube-score:latest score my-app/*.yaml

Configuration

Usage of kube-score:
kube-score [action] --flags

Actions:
	score	Checks all files in the input, and gives them a score and recommendations
	list	Prints a CSV list of all available score checks
	version	Print the version of kube-score
	help	Print this message

Flags for score:
      --disable-ignore-checks-annotations   Set to true to disable the effect of the 'kube-score/ignore' annotations
      --disable-optional-checks-annotations Set to true to disable the effect of the 'kube-score/enable' annotations
      --enable-optional-test strings        Enable an optional test, can be set multiple times
      --exit-one-on-warning                 Exit with code 1 in case of warnings
      --help                                Print help
      --ignore-container-cpu-limit          Disables the requirement of setting a container CPU limit
      --ignore-container-memory-limit       Disables the requirement of setting a container memory limit
      --ignore-test strings                 Disable a test, can be set multiple times
      --kubernetes-version string           Setting the kubernetes-version will affect the checks ran against the manifests. Set this to the version of Kubernetes that you're using in production for the best results. (default "v1.18")
  -o, --output-format string                Set to 'human', 'json', 'ci' or 'sarif'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. Sarif output allows for easier integration with CI platforms. (default "human")
      --output-version string               Changes the version of the --output-format. The 'json' format has version 'v2' (default) and 'v1' (deprecated, will be removed in v1.7.0). The 'human' and 'ci' formats has only version 'v1' (default). If not explicitly set, the default version for that particular output format will be used.
  -v, --verbose count                       Enable verbose output, can be set multiple times for increased verbosity.

Ignoring a test

Tests can be ignored in the whole run of the program, with the --ignore-test flag.

A test can also be ignored on a per-object basis, by adding the annotation kube-score/ignore to the object. The value should be a comma-separated string of the test IDs.

Example:

Testing this object will temporarily disable the service-type test, which warns against using services of type NodePort.

apiVersion: v1
kind: Service
metadata:
  name: node-port-service-with-ignore
  namespace: foospace
  annotations:
    kube-score/ignore: service-type
spec:
  selector:
    app: my-app
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: NodePort

Enabling an optional test

Optional tests can be enabled in the whole run of the program, with the --enable-optional-test flag.

A test can also be enabled on a per-object basis, by adding the annotation kube-score/enable to the object. The value should be a comma-separated string of the test IDs.

Example:

Testing this object will enable the container-seccomp-profile test. Also, multiple tests defined by kube-score/ignore are also ignored at the same.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: optional-test-manifest-deployment
  labels:
    app: optional-test-manifest
  annotations:
    kube-score/ignore: pod-networkpolicy,container-resources,container-image-pull-policy,container-security-context-privileged,container-security-context-user-group-id,container-security-context-readonlyrootfilesystem,container-ephemeral-storage-request-and-limit
    kube-score/enable: container-seccomp-profile
spec:
  replicas: 1
  selector:
    matchLabels:
      app: optional-test-manifest
  template:
    metadata:
      labels:
        app: optional-test-manifest
    spec:
      containers:
      - name: optional-test-manifest
        image: busybox:1.34
        command:
        - /bin/sh
        - -c
        - date; env; tail -f /dev/null

Building from source

kube-score requires Go 1.21 or later to build. Clone this repository, and then:

# Build the project
go build ./cmd/kube-score

# Run all tests
go test -v ./...

Contributing?

Do you want to help out? Take a look at the Contributing Guidelines for more info. 🤩

Dependencies

Project Version
go.dev ^1.21

Made by

About

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 86.6%
  • JavaScript 5.1%
  • CSS 3.3%
  • TypeScript 2.0%
  • Dockerfile 1.4%
  • Shell 1.2%
  • Other 0.4%