This article will also be published on the author's blog after the contest.
Readers interested in learning more about Kubernetes/DevOps/Linux resources are welcome to read it there.
For more technical articles on related technologies, follow 矽谷牛的耕田笔记.
In the previous article we introduced the kubectl plugin system and its ecosystem, and then used krew to manage the many available kubectl plugins.
In this article we pick a few of those plugins and try them out.
Let's start by installing a couple of plugins at random:
$ kubectl krew install view-allocations
Updated the local copy of plugin index.
Installing plugin: view-allocations
Installed plugin: view-allocations
\
| Use this plugin:
| kubectl view-allocations
| Documentation:
| https://github.com/davidB/kubectl-view-allocations
/
WARNING: You installed plugin "view-allocations" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
Note that because everything we installed is a kubectl plugin, you do not prefix the command with krew when running it. For example, after installing view-allocations above, you run kubectl view-allocations directly.
view-allocations lists every workload on the cluster that has resource requests/limits set. It helps you evaluate how much CPU/memory each node has in total, how much of that the workloads running on it currently request, and what percentage that is.
Note that a Pod without resource requests/limits configured will not show up in the output:
$ kubectl view-allocations
Resource Requested %Requested Limit %Limit Allocatable Free
cpu 1050.0m 9% 300.0m 2% 12.0 10.9
├─ kind-control-plane 850.0m 21% 100.0m 2% 4.0 3.1
│ ├─ coredns-6955765f44-l4z47 100.0m 0.0
│ ├─ coredns-6955765f44-zb5xx 100.0m 0.0
│ ├─ kindnet-czpsv 100.0m 100.0m
│ ├─ kube-apiserver-kind-control-plane 250.0m 0.0
│ ├─ kube-controller-manager-kind-control-plane 200.0m 0.0
│ └─ kube-scheduler-kind-control-plane 100.0m 0.0
├─ kind-worker 100.0m 2% 100.0m 2% 4.0 3.9
│ └─ kindnet-sbqxd 100.0m 100.0m
└─ kind-worker2 100.0m 2% 100.0m 2% 4.0 3.9
└─ kindnet-sw5mq 100.0m 100.0m
ephemeral-storage 0.0 0% 0.0 0% 581.5Gi 581.5Gi
├─ kind-control-plane 0.0 0% 0.0 0% 193.8Gi 193.8Gi
├─ kind-worker 0.0 0% 0.0 0% 193.8Gi 193.8Gi
└─ kind-worker2 0.0 0% 0.0 0% 193.8Gi 193.8Gi
memory 290.0Mi 1% 490.0Mi 1% 46.9Gi 46.4Gi
├─ kind-control-plane 190.0Mi 1% 390.0Mi 2% 15.6Gi 15.3Gi
│ ├─ coredns-6955765f44-l4z47 70.0Mi 170.0Mi
│ ├─ coredns-6955765f44-zb5xx 70.0Mi 170.0Mi
│ └─ kindnet-czpsv 50.0Mi 50.0Mi
├─ kind-worker 50.0Mi 0% 50.0Mi 0% 15.6Gi 15.6Gi
│ └─ kindnet-sbqxd 50.0Mi 50.0Mi
└─ kind-worker2 50.0Mi 0% 50.0Mi 0% 15.6Gi 15.6Gi
└─ kindnet-sw5mq 50.0Mi 50.0Mi
pods 0.0 0% 0.0 0% 330.0 330.0
├─ kind-control-plane 0.0 0% 0.0 0% 110.0 110.0
├─ kind-worker 0.0 0% 0.0 0% 110.0 110.0
└─ kind-worker2 0.0 0% 0.0 0% 110.0 110.0
I personally find this tool quite handy: it shows the CPU/memory usage of the workloads on the cluster, and those figures help developers decide how to set the corresponding resource limits.
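As an added example (not part of the original post or of the view-allocations project), the following Python recomputes the per-node Requested/Limit/Free figures shown above from constructed Pod and Node data and flags Pods that set no requests, which the tool's output omits; the NODES/PODS data and the parse_quantity/allocations helpers are assumptions made here.

```python
from collections import defaultdict

def parse_quantity(q):
    """Kubernetes quantity string -> base units (cores or bytes); supports m, Ki/Mi/Gi, k/M/G."""
    suffixes = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "m": 1e-3,
                "k": 1e3, "M": 1e6, "G": 1e9}
    for suf, mult in sorted(suffixes.items(), key=lambda s: -len(s[0])):
        if q.endswith(suf):
            return float(q[:-len(suf)]) * mult
    return float(q)

def allocations(nodes, pods, resource):
    """Per node: requested, limit, allocatable and free (allocatable - requested)."""
    requested, limit = defaultdict(float), defaultdict(float)
    for pod in pods:
        for c in pod["containers"]:
            res = c.get("resources", {})
            requested[pod["node"]] += parse_quantity(res.get("requests", {}).get(resource, "0"))
            limit[pod["node"]] += parse_quantity(res.get("limits", {}).get(resource, "0"))
    out = {}
    for name, alloc in nodes.items():
        a = parse_quantity(alloc[resource])
        out[name] = {"requested": requested[name], "limit": limit[name],
                     "allocatable": a, "free": a - requested[name]}
    return out

def pods_without_requests(pods):
    """Pods that set no requests on any container: invisible in view-allocations output."""
    return [p["name"] for p in pods
            if not any(c.get("resources", {}).get("requests") for c in p["containers"])]

# Constructed sample mirroring the kind cluster in the post (values illustrative).
NODES = {"kind-worker": {"cpu": "4", "memory": "15.6Gi"}}
PODS = [
    {"name": "kindnet-sbqxd", "node": "kind-worker", "containers": [
        {"resources": {"requests": {"cpu": "100m", "memory": "50Mi"},
                       "limits": {"cpu": "100m", "memory": "50Mi"}}}]},
    {"name": "unbounded", "node": "kind-worker", "containers": [{}]},  # no requests or limits set
]

if __name__ == "__main__":
    for node, a in allocations(NODES, PODS, "cpu").items():
        print(f"{node}: requested {a['requested']:.2f} of {a['allocatable']:.0f} cores, free {a['free']:.2f}")
    print("pods without requests (not shown by view-allocations):", pods_without_requests(PODS))
```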
The next tool, change-ns, is relatively simple: it switches the default namespace so that you do not have to pass -n|--namespace on every command to target a specific namespace.
$ kubectl krew install change-ns
Updated the local copy of plugin index.
Installing plugin: change-ns
Installed plugin: change-ns
\
| Use this plugin:
| kubectl change-ns
| Documentation:
| https://github.com/juanvallejo/kubectl-ns
/
WARNING: You installed plugin "change-ns" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
$ kubectl change-ns kube-system
namespace changed to "kube-system"
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
coredns-6955765f44-l4z47 1/1 Running 0 2d13h
coredns-6955765f44-zb5xx 1/1 Running 0 2d13h
etcd-kind-control-plane 1/1 Running 0 2d13h
kindnet-czpsv 1/1 Running 0 2d13h
kindnet-sbqxd 1/1 Running 0 2d13h
kindnet-sw5mq 1/1 Running 0 2d13h
kube-apiserver-kind-control-plane 1/1 Running 0 2d13h
kube-controller-manager-kind-control-plane 1/1 Running 0 2d13h
kube-proxy-4b5rl 1/1 Running 0 2d13h
kube-proxy-nrspx 1/1 Running 0 2d13h
kube-proxy-skfm5 1/1 Running 0 2d13h
kube-scheduler-kind-control-plane 1/1 Running 0 2d13h
A similar tool is ctx, which switches between kubeconfig contexts so you can move between multiple Kubernetes clusters more conveniently.
The next tool, status, reorganizes the information that describe shows. For example, we prepared a Pod whose image pull fails and then try the status command on it:
$ kubectl krew install status
Updated the local copy of plugin index.
Installing plugin: status
Installed plugin: status
\
| Use this plugin:
| kubectl status
| Documentation:
| https://github.com/bergerx/kubectl-status
/
WARNING: You installed plugin "status" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
After installation, run kubectl status pod xxxx against the failing Pod:
$ kubectl status pod pull-fail
Pod/pull-fail -n default, created 2m ago Pending Burstable
PodScheduled -> Initialized -> Not ContainersReady -> Not Ready
Ready ContainersNotReady, containers with unready status: [getting-started] for 2m
ContainersReady ContainersNotReady, containers with unready status: [getting-started] for 2m
Standalone POD.
Containers:
getting-started (hwchiu/netutils-qq) Waiting ErrImagePull: rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/hwchiu/netutils-qq:latest": failed to resolve reference "docker.io/hwchiu/netutils-qq:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Events:
Scheduled 2m ago from default-scheduler: Successfully assigned default/pull-fail to kind-worker
Pulling 28s ago (x4 over 1m) from kubelet,kind-worker: Pulling image "hwchiu/netutils-qq"
Failed 28s ago (x4 over 1m) from kubelet,kind-worker: Failed to pull image "hwchiu/netutils-qq": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/hwchiu/netutils-qq:latest": failed to resolve reference "docker.io/hwchiu/netutils-qq:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Failed 28s ago (x4 over 1m) from kubelet,kind-worker: Error: ErrImagePull
BackOff 13s ago (x6 over 1m) from kubelet,kind-worker: Back-off pulling image "hwchiu/netutils-qq"
Failed 13s ago (x6 over 1m) from kubelet,kind-worker: Error: ImagePullBackOff
From the output above you can see, for example, that the ContainersReady condition failed, which is why the Pod as a whole never became Ready. Besides Pods, status can also be used on other resources; try it out if you are interested.
The next tool, access-matrix, lists the current user's permissions for every resource on the cluster, that is, whether the user may perform each verb (Get/Update/List/Delete) on a given resource:
$ kubectl krew install access-matrix
Updated the local copy of plugin index.
Installing plugin: access-matrix
Installed plugin: access-matrix
\
| Use this plugin:
| kubectl access-matrix
| Documentation:
| https://github.com/corneliusweig/rakkess
| Caveats:
| \
| | Usage:
| | kubectl access-matrix
| | kubectl access-matrix for pods
| /
/
WARNING: You installed plugin "access-matrix" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
You can also switch to a different service account with flags such as --sa, so the examples below check permissions as different identities. My default user has almost unlimited permissions and can do anything, whereas the kube-system:namespace-controller service account can only LIST/DELETE.
Besides these four verbs there are many others, but by default only these four are shown:
$ kubectl access-matrix --sa kube-system:namespace-controller
NAME LIST CREATE UPDATE DELETE
apiservices.apiregistration.k8s.io ✔ ✖ ✖ ✔
bindings ✖
certificatesigningrequests.certificates.k8s.io ✔ ✖ ✖ ✔
clusterrolebindings.rbac.authorization.k8s.io ✔ ✖ ✖ ✔
clusterroles.rbac.authorization.k8s.io ✔ ✖ ✖ ✔
componentstatuses ✔
configmaps ✔ ✖ ✖ ✔
controllerrevisions.apps ✔ ✖ ✖ ✔
cronjobs.batch ✔ ✖ ✖ ✔
csidrivers.storage.k8s.io ✔ ✖ ✖ ✔
.....
$ kubectl access-matrix
NAME LIST CREATE UPDATE DELETE
apiservices.apiregistration.k8s.io ✔ ✔ ✔ ✔
bindings ✔
certificatesigningrequests.certificates.k8s.io ✔ ✔ ✔ ✔
clusterrolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
clusterroles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
componentstatuses ✔
configmaps ✔ ✔ ✔ ✔
controllerrevisions.apps ✔ ✔ ✔ ✔
cronjobs.batch ✔ ✔ ✔ ✔
csidrivers.storage.k8s.io ✔ ✔ ✔ ✔
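As an added example rather than rakkess's own code, the following Python builds the same verb-by-resource matrix offline by evaluating RBAC PolicyRules the way the API server's RBAC authorizer matches apiGroups, resources and verbs; the real plugin instead asks the API server through SelfSubjectAccessReview. The rules and resource list are constructed for illustration.

```python
DEFAULT_VERBS = ["list", "create", "update", "delete"]

def rule_allows(rule, api_group, resource, verb):
    """A PolicyRule matches when apiGroup, resource and verb all match ("*" is a wildcard)."""
    return (any(g in ("*", api_group) for g in rule.get("apiGroups", []))
            and any(r in ("*", resource) for r in rule.get("resources", []))
            and any(v in ("*", verb) for v in rule.get("verbs", [])))

def access_matrix(rules, resources, verbs=DEFAULT_VERBS):
    """{'resource.group': {verb: allowed}} for the union of rules bound to one subject."""
    matrix = {}
    for api_group, resource in resources:
        name = resource if api_group == "" else f"{resource}.{api_group}"
        matrix[name] = {v: any(rule_allows(r, api_group, resource, v) for r in rules)
                        for v in verbs}
    return matrix

def render(matrix):
    """Plain-text table in the same layout as the plugin's output."""
    lines = ["NAME".ljust(48) + " ".join(v.upper() for v in DEFAULT_VERBS)]
    for name, verbs in sorted(matrix.items()):
        marks = " ".join(("✔" if ok else "✖").ljust(len(v)) for v, ok in verbs.items())
        lines.append(name.ljust(48) + marks)
    return "\n".join(lines)

# Constructed rules. NAMESPACE_CONTROLLER_RULES approximates the built-in
# system:controller:namespace-controller ClusterRole (list/delete on everything);
# APP_RULES is a narrowly scoped role an application service account might get.
NAMESPACE_CONTROLLER_RULES = [{"apiGroups": ["*"], "resources": ["*"],
                               "verbs": ["delete", "deletecollection", "get", "list"]}]
APP_RULES = [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]
RESOURCES = [("", "configmaps"), ("apps", "controllerrevisions"),
             ("rbac.authorization.k8s.io", "clusterroles")]

if __name__ == "__main__":
    print(render(access_matrix(NAMESPACE_CONTROLLER_RULES, RESOURCES)))
    print(render(access_matrix(APP_RULES, RESOURCES)))
```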
Finally, let's look at a security-related plugin, Starboard. The project describes itself as follows:
Starboard integrates security tools into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard provides custom security resources definitions and a Go module to work with a range of existing security tools, as well as a kubectl-compatible command-line tool and an Octant plug-in that make security reports available through familiar Kubernetes tools.
Next, a demonstration of how to use it (assuming it is already installed):
$ kubectl starboard init
$ kubectl create deployment nginx --image nginx:1.16
The first command uses starboard to initialize the related resources; the second deploys an nginx:1.16 container to the cluster. Next, scan the deployment and read the report:
$ kubectl starboard find vulnerabilities deployment/nginx
$ kubectl starboard get vulnerabilities deployment/nginx
....
summary:
criticalCount: 0
highCount: 4
lowCount: 93
mediumCount: 34
noneCount: 0
unknownCount: 0
vulnerabilities:
- description: Missing input validation in the ar/tar implementations of APT before
version 2.1.2 could result in denial of service when processing specially
crafted deb files.
fixedVersion: 1.8.2.1
installedVersion: 1.8.2
layerID: ""
links:
- https://bugs.launchpad.net/bugs/1878177
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3810
- https://github.com/Debian/apt/issues/111
- https://github.com/julian-klode/apt/commit/de4efadc3c92e26d37272fd310be148ec61dcf36
- https://lists.debian.org/debian-security-announce/2020/msg00089.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/
- https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
- https://salsa.debian.org/jak/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
- https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/
- https://usn.ubuntu.com/4359-1/
- https://usn.ubuntu.com/4359-2/
- https://usn.ubuntu.com/usn/usn-4359-1
- https://usn.ubuntu.com/usn/usn-4359-2
resource: apt
severity: MEDIUM
title: ""
vulnerabilityID: CVE-2020-3810
...
There is a lot of information above: it lists the potential CVEs present in the current image. If this raw view is not pleasant to read, you can use the starboard-octant-plugin integration project to visualize the report in a UI, as in the image below (taken from the official starboard-octant-plugin repo).
So far we have introduced several interesting kubectl plugins. Each of these plugins is also a standalone executable, so running them without going through kubectl works just as well; every tool can be used independently. krew simply makes it more convenient to discover which plugins exist; how you actually run them in practice is a matter of personal preference, as long as it is convenient and smooth.
There are a great many tools on krew, and it is worth trying them out, because that is the only way to find the helpers that genuinely help with your daily work.
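As an added example (not Starboard's code), the following Python applies a simple policy gate to a report in the shape shown above: it rebuilds the summary counts from the vulnerability list and fails on any fixable finding at HIGH or above. The REPORT dict is constructed here, with the apt entry taken from the report above and placeholder CVE IDs for the rest; in practice you would feed it the plugin's report output instead of the inline dict.

```python
SEVERITY_ORDER = ["UNKNOWN", "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def recount(report):
    """Rebuild the summary block from the vulnerability list (catches a stale or edited summary)."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for v in report["vulnerabilities"]:
        counts[v["severity"]] += 1
    return {f"{s.lower()}Count": n for s, n in counts.items()}

def violations(report, fail_at="HIGH", fixable_only=True):
    """IDs at or above `fail_at`; by default only those with a fixedVersion, i.e. actionable ones."""
    threshold = SEVERITY_ORDER.index(fail_at)
    return sorted(v["vulnerabilityID"] for v in report["vulnerabilities"]
                  if SEVERITY_ORDER.index(v["severity"]) >= threshold
                  and (v["fixedVersion"] or not fixable_only))

def evaluate(report, fail_at="HIGH"):
    """(passed, reasons): fail on a summary mismatch or any fixable finding at fail_at or above."""
    reasons = []
    if recount(report) != report["summary"]:
        reasons.append("summary does not match vulnerability list")
    reasons += [f"{vid} is {fail_at}+ and fixable" for vid in violations(report, fail_at)]
    return (not reasons, reasons)

# Constructed report in the shape of the YAML above: the apt entry is the one
# from the post, the CVE-0000-* IDs are placeholders, not real advisories.
REPORT = {
    "summary": {"criticalCount": 0, "highCount": 2, "lowCount": 0,
                "mediumCount": 1, "noneCount": 0, "unknownCount": 0},
    "vulnerabilities": [
        {"vulnerabilityID": "CVE-2020-3810", "resource": "apt", "severity": "MEDIUM",
         "installedVersion": "1.8.2", "fixedVersion": "1.8.2.1"},
        {"vulnerabilityID": "CVE-0000-0001", "resource": "libfoo", "severity": "HIGH",
         "installedVersion": "1.0", "fixedVersion": "1.1"},
        {"vulnerabilityID": "CVE-0000-0002", "resource": "libbar", "severity": "HIGH",
         "installedVersion": "2.0", "fixedVersion": ""},  # no upstream fix yet
    ],
}

if __name__ == "__main__":
    passed, reasons = evaluate(REPORT)
    print("PASS" if passed else "FAIL", reasons)
```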