
A Roundup of Kubernetes Resource Analysis Tools

Once a company's workloads are fully containerized, the stability and availability of the Kubernetes cluster become critical, and so does knowing the overall state of the cluster and spotting sources of instability early. This post recommends a few cluster analysis tools that help with periodic health checks and with tracking down and fixing abnormal cluster state.

Tool overview

  • kube-score: a static analysis tool for Kubernetes object definitions; it reads plain YAML files as well as rendered Helm and Kustomize output
  • polaris: a resource analysis tool with a dashboard, which can also run as a validating admission webhook or as a CLI tool
  • popeye: scans a live Kubernetes cluster and reports potential problems in its configuration

kube-score

GitHub: https://github.com/zegl/kube-score

The project supports macOS, Linux and Windows; installation is simple and it is quick to get started.

Plain YAML files

# docker run -v $(pwd):/project zegl/kube-score:v1.10.0 score --output-format ci templates/deployment-nginx.yaml
[OK] nginx apps/v1/Deployment
[OK] nginx apps/v1/Deployment
[CRITICAL] nginx apps/v1/Deployment: (nginx) ImagePullPolicy is not set to Always
[CRITICAL] nginx apps/v1/Deployment: The pod does not have a matching NetworkPolicy
[OK] nginx apps/v1/Deployment: The pod is not targeted by a service, skipping probe checks.
[CRITICAL] nginx apps/v1/Deployment: (nginx) Container has no configured security context
[CRITICAL] nginx apps/v1/Deployment: (nginx) CPU limit is not set
[CRITICAL] nginx apps/v1/Deployment: (nginx) Memory limit is not set
[CRITICAL] nginx apps/v1/Deployment: (nginx) CPU request is not set
[CRITICAL] nginx apps/v1/Deployment: (nginx) Memory request is not set
[OK] nginx apps/v1/Deployment
[CRITICAL] nginx apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] nginx apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[SKIPPED] nginx apps/v1/Deployment: Skipped because the deployment is not targeted by a HorizontalPodAutoscaler


# docker run -v $(pwd):/project zegl/kube-score:v1.10.0 score templates/deployment-nginx.yaml
apps/v1/Deployment nginx 💥
[CRITICAL] Container Image Pull Policy
· nginx -> ImagePullPolicy is not set to Always
It's recommended to always set the ImagePullPolicy to Always, to
make sure that the imagePullSecrets are always correct, and to
always get the image you want.
[CRITICAL] Pod NetworkPolicy
· The pod does not have a matching NetworkPolicy
Create a NetworkPolicy that targets this pod to control who/what
can communicate with this pod. Note, this feature needs to be
supported by the CNI implementation used in the Kubernetes cluster
to have an effect.
[CRITICAL] Container Security Context
· nginx -> Container has no configured security context
Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
· nginx -> CPU limit is not set
Resource limits are recommended to avoid resource DDOS. Set
resources.limits.cpu
· nginx -> Memory limit is not set
Resource limits are recommended to avoid resource DDOS. Set
resources.limits.memory
· nginx -> CPU request is not set
Resource requests are recommended to make sure that the application
can start and run without crashing. Set resources.requests.cpu
· nginx -> Memory request is not set
Resource requests are recommended to make sure that the application
can start and run without crashing. Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
· No matching PodDisruptionBudget was found
It's recommended to define a PodDisruptionBudget to avoid
unexpected downtime during Kubernetes maintenance operations, such
as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
· Deployment does not have a host podAntiAffinity set
It's recommended to set a podAntiAffinity that stops multiple pods
from a deployment from being scheduled on the same node. This
increases availability in case the node becomes unavailable.

Notes:

  • --output-format selects the output format (human, json or ci; the default is human)
  • kube-score exits with a non-zero status when any CRITICAL finding remains, so the ci format can gate a pipeline directly

Other options

The set of checks can be tuned further: kube-score list prints every available check with its ID, --ignore-test <id> switches one off, and --enable-optional-test <id> turns on checks that are off by default. Suppress a check deliberately, and record why, rather than letting a pipeline go green by ignoring a whole category of findings.

polaris

GitHub: https://github.com/FairwindsOps/polaris

Documentation: https://polaris.docs.fairwinds.com/dashboard/

The project can be deployed from YAML manifests or a Helm chart, or run as a local binary or a Docker container; this post uses Docker to demonstrate.

docker run -it -d \
-p 8080:8080 \
-v ~/kube-config:/opt/app/config quay.io/fairwinds/polaris:1.2 \
polaris dashboard --kubeconfig /opt/app/config

Bind the port to the loopback interface (-p 127.0.0.1:8080:8080) when running this on a shared host: the dashboard has no authentication of its own and displays the configuration of every workload in the cluster, and the mounted kubeconfig carries cluster credentials.

Demo video: https://youtu.be/dbYYqezmcYg

popeye

GitHub: https://github.com/derailed/popeye

Deploying and running a scan

  • supports Linux, Windows and macOS
  • covers the common Kubernetes resource types (the README lists the supported resources and their checks)
  • supports several output formats and can save the report to a file

Docker is used here as the example. Note that the command below pulls quay.io/derailed/popeye without a tag, i.e. the floating latest image, which is exactly what popeye's own POP-100/POP-101 checks complain about in your workloads; pin a release tag in anything you automate.

docker run --rm -it \
-v $HOME/.kube:/root/.kube \
-v /tmp:/tmp \
quay.io/derailed/popeye --save --out html --output-file report.html

Interpreting the results

Sample report: (rendered as an image in the original post)

Common findings:

  • [POP-100] Untagged docker image in use
  • [POP-101] Image tagged “latest” in use
  • [POP-106] No resources requests/limits defined
  • [POP-107] No resource limits defined
  • [POP-112] Memory Current/Limit (110Mi/128Mi) reached user 80% threshold (85%)
  • [POP-206] No PodDisruptionBudget defined
  • [POP-300] Using “default” ServiceAccount
  • [POP-301] Connects to API Server? ServiceAccount token is mounted
  • [POP-302] Pod could be running as root user. Check SecurityContext/Image
  • [POP-400] Used? Unable to locate resource reference
  • [POP-403] Deprecated Ingress API group “extensions/v1beta1”. Use “networking.k8s.io/v1beta1” instead
  • [POP-501] Unhealthy 11 desired but have 3 available
  • [POP-712] Found only one master node
  • [POP-708] No node metrics available
  • [POP-1000] Available
  • [POP-1100] No pods match service selector
  • [POP-1105] No associated endpoints
  • [POP-1120] Unhealthy ReplicaSet 11 desired but have 3 ready

Note on POP-403: the message text dates from when networking.k8s.io/v1beta1 was the replacement; that version was itself removed in Kubernetes 1.22, so migrate Ingress objects to networking.k8s.io/v1.
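The findings quoted in the kube-score output above and in the popeye list are produced by walking the manifest and testing each field against a policy. As an added example (not code from kube-score, popeye or this post), the script below reimplements a handful of those checks over two constructed manifests: a weak nginx Deployment much like the one behind the kube-score output, and a hardened version that clears every finding. The image name, UID and resource figures in the hardened manifest are placeholders; the POP-300/301/302 and kube-score message texts are reproduced from the page, while the WARNING lines for a writable root filesystem and allowPrivilegeEscalation are this example's own.

```python
"""Added example: a minimal static checker modelled on a few of the kube-score and
popeye findings quoted on this page. It is not code from either project. The
manifests are the dicts yaml.safe_load would return, constructed inline so the
script needs neither PyYAML, Docker nor a cluster."""

# Constructed sample: roughly the Deployment behind the kube-score output above.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "nginx"},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}},
                          "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]}}},
}

# Same Deployment with every finding addressed. Image, UID and resource figures
# are placeholders for the example, not values taken from the page.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "nginx"},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}}, "spec": {
                 "serviceAccountName": "nginx",          # dedicated SA, assumed to exist
                 "automountServiceAccountToken": False,  # nginx never calls the API server
                 "containers": [{
                     "name": "nginx",
                     "image": "nginxinc/nginx-unprivileged:1.25.3",
                     "imagePullPolicy": "Always",
                     "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                                   "limits": {"cpu": "500m", "memory": "128Mi"}},
                     "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                         "readOnlyRootFilesystem": True,
                                         "allowPrivilegeEscalation": False},
                 }],
             }}},
}

RESOURCE_NAMES = {"cpu": "CPU", "memory": "Memory"}


def image_tag(image):
    """Tag of an image reference: '' if untagged, 'digest' if pinned by @sha256.
    Split on the last '/' first so a registry port (host:5000/app) is not read as a tag."""
    if "@" in image:
        return "digest"
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else ""


def container_findings(c):
    """Checks on one container spec; message texts follow the page's output."""
    out = []
    tag = image_tag(c.get("image", ""))
    if tag == "":
        out.append("[POP-100] Untagged docker image in use")
    elif tag == "latest":
        out.append('[POP-101] Image tagged "latest" in use')
    # Kubernetes defaults the pull policy to Always only for ':latest' or untagged
    # images; kube-score wants it explicit for every image.
    if c.get("imagePullPolicy") != "Always":
        out.append("[CRITICAL] ImagePullPolicy is not set to Always")
    res = c.get("resources") or {}
    for kind in ("requests", "limits"):
        for r in ("cpu", "memory"):
            if r not in (res.get(kind) or {}):
                out.append(f"[CRITICAL] {RESOURCE_NAMES[r]} {kind[:-1]} is not set")
    sc = c.get("securityContext")
    if sc is None:
        out.append("[CRITICAL] Container has no configured security context")
    else:
        if not sc.get("runAsNonRoot"):
            out.append("[POP-302] Pod could be running as root user")
        if sc.get("allowPrivilegeEscalation", True):  # unset means allowed
            out.append("[WARNING] allowPrivilegeEscalation is not set to false")
        if not sc.get("readOnlyRootFilesystem"):
            out.append("[WARNING] Root filesystem is writable")
    return [f"({c['name']}) {m}" for m in out]


def pod_findings(pod):
    """Pod-level checks followed by each container's findings."""
    out = []
    if pod.get("serviceAccountName", "default") == "default":
        out.append('[POP-300] Using "default" ServiceAccount')
    # The pod field overrides the ServiceAccount object's setting; unset means mounted.
    if pod.get("automountServiceAccountToken", True):
        out.append("[POP-301] ServiceAccount token is mounted")
    for c in pod.get("containers", []):
        out.extend(container_findings(c))
    return out


def score(manifest):
    """All findings for a Pod or for any workload that carries a pod template."""
    kind, name = manifest["kind"], manifest["metadata"]["name"]
    pod = manifest["spec"] if kind == "Pod" else manifest["spec"]["template"]["spec"]
    return [f"{kind}/{name}: {m}" for m in pod_findings(pod)]


if __name__ == "__main__":
    for label, m in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"{label}: {len(score(m))} finding(s)", *score(m), sep="\n  ")
```

Run it directly to print both result sets; the hardened manifest produces no findings, the weak one nine. The example deliberately stops at what a single object can tell you: the NetworkPolicy, PodDisruptionBudget and podAntiAffinity checks in the kube-score output need the other objects in the namespace, which is why kube-score is given all related manifests in one run and popeye works against a live cluster.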

Summary

  • kube-score checks manifests statically and flags deviations from good practice in the YAML itself: image tags, image pull policy, missing resource requests and limits, missing container security context, and so on
  • polaris and popeye overlap in function and both present results visually; popeye's checks are somewhat broader (it also reports live state such as missing node metrics and unhealthy ReplicaSets), and both are worth recommending


Author: dongsheng
Original post: https://mds1455975151.github.io/archives/840cb72e.html
Copyright: please credit the source when reposting.
