Day27 - Kubernetes plugin examples

This article will also be published on the author's blog after the contest.
Readers interested in learning more about Kubernetes/DevOps/Linux are welcome to read it there.
For more technology sharing, follow 矽谷牛的耕田笔记.

In the previous article we introduced the kubectl plugin system and its ecosystem, and then used the krew tool to manage all kinds of kubectl plugins.

So in this article we pick a few plugins from krew and try them out.

View Allocations

Let's pick a few plugins at random and play with them.

$ kubectl krew install view-allocations
Updated the local copy of plugin index.
Installing plugin: view-allocations
Installed plugin: view-allocations
\
 | Use this plugin:
 |      kubectl view-allocations
 | Documentation:
 |      https://github.com/davidB/kubectl-view-allocations
/
WARNING: You installed plugin "view-allocations" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
   

Note that everything we install here is a kubectl plugin, so when running it you do not prepend krew. For example, after installing view-allocations above, you run kubectl view-allocations directly.

view-allocations lists every resource on the system that has resource constraints configured. It helps you assess how much CPU/memory each node has in total, how much the workloads running on it currently request, and what percentage of the node that is.

Note that if your Pod does not constrain itself with resource limits, it will not show up in this output.

$ kubectl view-allocations
 Resource                                           Requested  %Requested    Limit  %Limit  Allocatable     Free
  cpu                                                 1050.0m          9%   300.0m      2%         12.0     10.9
  ├─ kind-control-plane                                850.0m         21%   100.0m      2%          4.0      3.1
  │  ├─ coredns-6955765f44-l4z47                       100.0m                  0.0
  │  ├─ coredns-6955765f44-zb5xx                       100.0m                  0.0
  │  ├─ kindnet-czpsv                                  100.0m               100.0m
  │  ├─ kube-apiserver-kind-control-plane              250.0m                  0.0
  │  ├─ kube-controller-manager-kind-control-plane     200.0m                  0.0
  │  └─ kube-scheduler-kind-control-plane              100.0m                  0.0
  ├─ kind-worker                                       100.0m          2%   100.0m      2%          4.0      3.9
  │  └─ kindnet-sbqxd                                  100.0m               100.0m
  └─ kind-worker2                                      100.0m          2%   100.0m      2%          4.0      3.9
     └─ kindnet-sw5mq                                  100.0m               100.0m
  ephemeral-storage                                       0.0          0%      0.0      0%      581.5Gi  581.5Gi
  ├─ kind-control-plane                                   0.0          0%      0.0      0%      193.8Gi  193.8Gi
  ├─ kind-worker                                          0.0          0%      0.0      0%      193.8Gi  193.8Gi
  └─ kind-worker2                                         0.0          0%      0.0      0%      193.8Gi  193.8Gi
  memory                                              290.0Mi          1%  490.0Mi      1%       46.9Gi   46.4Gi
  ├─ kind-control-plane                               190.0Mi          1%  390.0Mi      2%       15.6Gi   15.3Gi
  │  ├─ coredns-6955765f44-l4z47                       70.0Mi              170.0Mi
  │  ├─ coredns-6955765f44-zb5xx                       70.0Mi              170.0Mi
  │  └─ kindnet-czpsv                                  50.0Mi               50.0Mi
  ├─ kind-worker                                       50.0Mi          0%   50.0Mi      0%       15.6Gi   15.6Gi
  │  └─ kindnet-sbqxd                                  50.0Mi               50.0Mi
  └─ kind-worker2                                      50.0Mi          0%   50.0Mi      0%       15.6Gi   15.6Gi
     └─ kindnet-sw5mq                                  50.0Mi               50.0Mi
  pods                                                    0.0          0%      0.0      0%        330.0    330.0
  ├─ kind-control-plane                                   0.0          0%      0.0      0%        110.0    110.0
  ├─ kind-worker                                          0.0          0%      0.0      0%        110.0    110.0
  └─ kind-worker2                                         0.0          0%      0.0      0%        110.0    110.0

I personally find this tool quite handy: it shows how much CPU/memory the compute resources on the current system are using, and those numbers help developers decide how to set the corresponding resource constraints.

change-ns

This tool is relatively simple: it switches the default namespace for you, so you no longer need to pass -n|--namespace to specify a namespace on every command.

$ kubectl krew install change-ns
Updated the local copy of plugin index.
Installing plugin: change-ns
Installed plugin: change-ns
\
 | Use this plugin:
 |      kubectl change-ns
 | Documentation:
 |      https://github.com/juanvallejo/kubectl-ns
/
WARNING: You installed plugin "change-ns" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
$ kubectl change-ns kube-system
namespace changed to "kube-system"
$ kubectl get pods
NAME                                         READY   STATUS    RESTARTS   AGE
coredns-6955765f44-l4z47                     1/1     Running   0          2d13h
coredns-6955765f44-zb5xx                     1/1     Running   0          2d13h
etcd-kind-control-plane                      1/1     Running   0          2d13h
kindnet-czpsv                                1/1     Running   0          2d13h
kindnet-sbqxd                                1/1     Running   0          2d13h
kindnet-sw5mq                                1/1     Running   0          2d13h
kube-apiserver-kind-control-plane            1/1     Running   0          2d13h
kube-controller-manager-kind-control-plane   1/1     Running   0          2d13h
kube-proxy-4b5rl                             1/1     Running   0          2d13h
kube-proxy-nrspx                             1/1     Running   0          2d13h
kube-proxy-skfm5                             1/1     Running   0          2d13h
kube-scheduler-kind-control-plane            1/1     Running   0          2d13h

A similar tool is ctx, which switches between kubeconfig contexts and makes it easier to move between multiple Kubernetes clusters.

Status

This tool essentially reorganises the information you would get from describe. As an example, we have prepared a case where the image pull fails, and we use the status command to look at it.

$ kubectl krew install status
Updated the local copy of plugin index.
Installing plugin: status
Installed plugin: status
\
 | Use this plugin:
 |      kubectl status
 | Documentation:
 |      https://github.com/bergerx/kubectl-status
/
WARNING: You installed plugin "status" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.

After installation, we run kubectl status pod xxxx against a failing pod.

$ kubectl status pod pull-fail

Pod/pull-fail -n default, created 2m ago Pending Burstable
  PodScheduled -> Initialized -> Not ContainersReady -> Not Ready
    Ready ContainersNotReady, containers with unready status: [getting-started] for 2m
    ContainersReady ContainersNotReady, containers with unready status: [getting-started] for 2m
  Standalone POD.
  Containers:
    getting-started (hwchiu/netutils-qq) Waiting ErrImagePull: rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/hwchiu/netutils-qq:latest": failed to resolve reference "docker.io/hwchiu/netutils-qq:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
  Events:
    Scheduled 2m ago from default-scheduler: Successfully assigned default/pull-fail to kind-worker
    Pulling 28s ago (x4 over 1m) from kubelet,kind-worker: Pulling image "hwchiu/netutils-qq"
    Failed 28s ago (x4 over 1m) from kubelet,kind-worker: Failed to pull image "hwchiu/netutils-qq": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/hwchiu/netutils-qq:latest": failed to resolve reference "docker.io/hwchiu/netutils-qq:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
    Failed 28s ago (x4 over 1m) from kubelet,kind-worker: Error: ErrImagePull
    BackOff 13s ago (x6 over 1m) from kubelet,kind-worker: Back-off pulling image "hwchiu/netutils-qq"
    Failed 13s ago (x6 over 1m) from kubelet,kind-worker: Error: ImagePullBackOff

Some things we can read from the output above, for example:

  1. PodScheduled -> Initialized -> Not ContainersReady -> Not Ready
    The Pod failed because it got stuck at the ContainersReady state, so the Pod as a whole never came up.
  2. Standalone POD
    This Pod is not owned by any StatefulSet/ReplicaSet; it is an independent Pod.
  3. Containers: below this are the details, e.g. why it failed.
  4. Events: the events recorded for this Pod.

Beyond Pods, status can also be used to inspect other resources; try it if you are interested.

access-matrix

The next tool lists the current user's permissions on every Resource in the system, namely whether the user may execute the various verbs (Get/Update/List/Delete) on a given resource.

$ kubectl krew install access-matrix
Updated the local copy of plugin index.
Installing plugin: access-matrix
Installed plugin: access-matrix
\
 | Use this plugin:
 |      kubectl access-matrix
 | Documentation:
 |      https://github.com/corneliusweig/rakkess
 | Caveats:
 | \
 |  | Usage:
 |  |   kubectl access-matrix
 |  |   kubectl access-matrix for pods
 | /
/
WARNING: You installed plugin "access-matrix" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.

You can also switch to a different service account with --sa and similar options, so in the example below we look at permissions as different users: my default user has nearly unlimited permissions and can do anything, whereas kube-system:namespace-controller can only LIST/DELETE.

Besides these four verbs there are many other verbs available; by default only these four are listed.

$ kubectl access-matrix --sa kube-system:namespace-controller
NAME                                                          LIST  CREATE  UPDATE  DELETE
apiservices.apiregistration.k8s.io                            ✔     ✖       ✖       ✔
bindings                                                            ✖
certificatesigningrequests.certificates.k8s.io                ✔     ✖       ✖       ✔
clusterrolebindings.rbac.authorization.k8s.io                 ✔     ✖       ✖       ✔
clusterroles.rbac.authorization.k8s.io                        ✔     ✖       ✖       ✔
componentstatuses                                             ✔
configmaps                                                    ✔     ✖       ✖       ✔
controllerrevisions.apps                                      ✔     ✖       ✖       ✔
cronjobs.batch                                                ✔     ✖       ✖       ✔
csidrivers.storage.k8s.io                                     ✔     ✖       ✖       ✔
.....
$ kubectl access-matrix
NAME                                                          LIST  CREATE  UPDATE  DELETE
apiservices.apiregistration.k8s.io                            ✔     ✔       ✔       ✔
bindings                                                            ✔
certificatesigningrequests.certificates.k8s.io                ✔     ✔       ✔       ✔
clusterrolebindings.rbac.authorization.k8s.io                 ✔     ✔       ✔       ✔
clusterroles.rbac.authorization.k8s.io                        ✔     ✔       ✔       ✔
componentstatuses                                             ✔
configmaps                                                    ✔     ✔       ✔       ✔
controllerrevisions.apps                                      ✔     ✔       ✔       ✔
cronjobs.batch                                                ✔     ✔       ✔       ✔
csidrivers.storage.k8s.io                                     ✔     ✔       ✔       ✔
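To make the check behind each cell of that table concrete, here is an added example (not code from the rakkess/access-matrix project) that evaluates a flattened RBAC rule list the way the API server's RBAC authorizer does for one verb/resource pair, and also covers verbs beyond the default four. The rule sets, resource list and function names are assumptions; the real plugin asks the API server's authorizer instead of reading rules itself.

```python
# Added example, not code from the rakkess/access-matrix project: evaluate a
# flattened RBAC rule list the way the API server's RBAC authorizer does for one
# verb/resource pair. Assumptions: resourceNames, nonResourceURLs and Role vs
# ClusterRole namespace scoping are ignored; the rule sets are constructed.

# Constructed rules modelled on a namespace controller: list/delete everything,
# plus a few extra rights on namespaces themselves.
NAMESPACE_CONTROLLER_RULES = [
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["delete", "deletecollection", "get", "list"]},
    {"apiGroups": [""], "resources": ["namespaces"],
     "verbs": ["delete", "get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces/finalize", "namespaces/status"],
     "verbs": ["update"]},
]
ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

DEFAULT_VERBS = ("list", "create", "update", "delete")  # what the plugin prints by default
ALL_VERBS = DEFAULT_VERBS + ("get", "watch", "patch", "deletecollection")
RESOURCES = [("configmaps", ""), ("namespaces", ""),
             ("clusterroles", "rbac.authorization.k8s.io")]  # (resource, apiGroup)


def _matches(allowed, wanted):
    # In RBAC a "*" entry in apiGroups, resources or verbs is a wildcard.
    return "*" in allowed or wanted in allowed


def can_i(rules, verb, resource, api_group=""):
    """True if any rule grants `verb` on `resource` in `api_group` ("" = core group)."""
    return any(_matches(r["apiGroups"], api_group)
               and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)


def access_matrix(rules, resources, verbs=DEFAULT_VERBS):
    """One row per resource, {verb: allowed}, like the plugin's table."""
    return {res: {v: can_i(rules, v, res, grp) for v in verbs} for res, grp in resources}


if __name__ == "__main__":
    for who, rules in (("namespace-controller", NAMESPACE_CONTROLLER_RULES),
                       ("admin", ADMIN_RULES)):
        print(who)
        for res, cells in access_matrix(rules, RESOURCES, ALL_VERBS).items():
            marks = " ".join(f"{v}:{'Y' if ok else 'N'}" for v, ok in cells.items())
            print(f"  {res:<13} {marks}")
```

Running it prints the namespace-controller row as list/delete allowed and create/update denied, matching the plugin's table above, while the extra verbs reveal rights (get, watch on namespaces) that the default four columns hide.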

starboard

Finally, let's look at a security-related plugin.

Starboard integrates security tools into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard provides custom security resources definitions and a Go module to work with a range of existing security tools, as well as a kubectl-compatible command-line tool and an Octant plug-in that make security reports available through familiar Kubernetes tools.

Next we demonstrate how to use it (assuming it is already installed).

$ kubectl starboard init
$ kubectl create deployment nginx --image nginx:1.16

First we initialise the related resources through starboard, then we deploy an nginx:1.16 container to the system.

$ kubectl starboard find vulnerabilities deployment/nginx 
$ kubectl starboard get vulnerabilities deployment/nginx
....
    summary:
      criticalCount: 0
      highCount: 4
      lowCount: 93
      mediumCount: 34
      noneCount: 0
      unknownCount: 0
    vulnerabilities:
    - description: Missing input validation in the ar/tar implementations of APT before
        version 2.1.2 could result in denial of service when processing specially
        crafted deb files.
      fixedVersion: 1.8.2.1
      installedVersion: 1.8.2
      layerID: ""
      links:
      - https://bugs.launchpad.net/bugs/1878177
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3810
      - https://github.com/Debian/apt/issues/111
      - https://github.com/julian-klode/apt/commit/de4efadc3c92e26d37272fd310be148ec61dcf36
      - https://lists.debian.org/debian-security-announce/2020/msg00089.html
      - https://lists.fedoraproject.org/archives/list/[email protected]/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/
      - https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
      - https://salsa.debian.org/jak/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
      - https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/
      - https://usn.ubuntu.com/4359-1/
      - https://usn.ubuntu.com/4359-2/
      - https://usn.ubuntu.com/usn/usn-4359-1
      - https://usn.ubuntu.com/usn/usn-4359-2
      resource: apt
      severity: MEDIUM
      title: ""
      vulnerabilityID: CVE-2020-3810
...

You can see a lot of information above, listing the potential CVEs present in the current image. If you find this hard to read, you can use the starboard-octant-plugin integration project to visualise the report in a UI, as in the figure below (taken from the official starboard-octant-plugin repo).

[Figure: Starboard report rendered in the Octant UI, excerpted from the starboard-octant-plugin repo]
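As an added example (not part of the Starboard project), here is how a deploy pipeline could gate on a report like the one above: it ranks findings by severity, separates the ones that already have a fixedVersion, and cross-checks the summary counts against the list. The report dict is a constructed stand-in for the YAML output, kept as a Python dict to avoid a YAML dependency; the CVE-EXAMPLE ids are placeholders.

```python
# Added example, not code from the Starboard project: a policy gate over a
# vulnerability report. REPORT is a constructed, trimmed stand-in for the
# `kubectl starboard get vulnerabilities` output; field names mirror the report
# (summary counts, vulnerabilityID, severity, resource, installedVersion,
# fixedVersion). CVE-EXAMPLE-* ids are placeholders, not real CVEs.
REPORT = {
    "summary": {"criticalCount": 0, "highCount": 2, "mediumCount": 1,
                "lowCount": 0, "noneCount": 0, "unknownCount": 0},
    "vulnerabilities": [
        {"vulnerabilityID": "CVE-2020-3810", "severity": "MEDIUM", "resource": "apt",
         "installedVersion": "1.8.2", "fixedVersion": "1.8.2.1"},
        {"vulnerabilityID": "CVE-EXAMPLE-0001", "severity": "HIGH", "resource": "libfoo",
         "installedVersion": "1.0", "fixedVersion": "1.1"},
        {"vulnerabilityID": "CVE-EXAMPLE-0002", "severity": "HIGH", "resource": "libbar",
         "installedVersion": "2.0", "fixedVersion": ""},  # no upstream fix yet
    ],
}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0, "NONE": 0}


def evaluate(report, fail_at="HIGH"):
    """Return (passed, blocking_ids, fixable_ids).

    blocking: findings at or above `fail_at` severity, which should stop a rollout.
    fixable:  findings with a fixedVersion, i.e. solvable by rebuilding the image.
    """
    threshold = SEVERITY_RANK[fail_at]
    vulns = report.get("vulnerabilities", [])
    blocking = [v["vulnerabilityID"] for v in vulns
                if SEVERITY_RANK.get(v.get("severity", "UNKNOWN"), 0) >= threshold]
    fixable = [v["vulnerabilityID"] for v in vulns if v.get("fixedVersion")]
    return (not blocking, blocking, fixable)


def summary_matches(report):
    """Sanity check: per-severity counts recomputed from the list agree with the summary."""
    counts = {}
    for v in report.get("vulnerabilities", []):
        counts[v["severity"]] = counts.get(v["severity"], 0) + 1
    summary = report["summary"]
    return all(summary.get(f"{sev.lower()}Count", 0) == counts.get(sev, 0)
               for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW"))


if __name__ == "__main__":
    passed, blocking, fixable = evaluate(REPORT)
    print("gate passed" if passed else f"gate FAILED on {blocking}")
    print("fixable by rebuild:", fixable, "| summary consistent:", summary_matches(REPORT))
```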

That wraps up our tour of some interesting kubectl plugins. Each of these plugins is also a standalone executable, so running them without going through kubectl is perfectly fine; every one of these tools can be used on its own. krew simply makes it easier to discover which plugins exist; in practice, how you run them is a matter of personal preference, as long as it is convenient and smooth.

There are a great many tools on krew, and it is worth trying them all out, because that is the only way to find the helpers that genuinely make your daily work easier.
