kube-score is a tool that performs static code analysis of your Kubernetes object definitions.
The output is a list of recommendations of what you can improve to make your application more secure and resilient.
You can test kube-score out in the browser with the online demo (source).
Pre-built releases can be downloaded from the GitHub releases, from Docker Hub, or with homebrew:
brew install kube-score/tap/kube-scoreFor a full list of checks, see README_CHECKS.md.
- Container limits (should be set)
- Pod is targeted by a
NetworkPolicy, both egress and ingress rules are recommended - Deployments and StatefulSets should have a
PodDisruptionPolicy - Deployments and StatefulSets should have host PodAntiAffinity configured
- Container probes, both readiness and liveness checks should be configured, and should not be identical
- Container securityContext, run as high number user/group, do not run as root or with privileged root fs
- Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)
kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found.
The trigger level can be changed to warning with the --exit-one-on-warning argument.
The input to kube-score should be all applications that you deploy to the same namespace for the best result.
helm template my-app | kube-score score -kube-score score my-app/*.yamlkube-score score my-app/deployment.yaml my-app/service.yamlUsage of kube-score:
kube-score [action] --flags
Actions:
score Checks all files in the input, and gives them a score and recommendations
list Prints a CSV list of all available score checks
version Print the version of kube-score
help Print this message
Flags for score:
--enable-optional-test strings Enable an optional test, can be set multiple times
--exit-one-on-warning Exit with code 1 in case of warnings
--help Print help
--ignore-container-cpu-limit Disables the requirement of setting a container CPU limit
--ignore-container-memory-limit Disables the requirement of setting a container memory limit
--ignore-test strings Disable a test, can be set multiple times
--output-format string Set to 'human', 'json' or 'ci'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. (default "human")
-v, --verbose count Enable verbose output, can be set multiple times for increased verbosity.
Tests can be ignored in the whole run of the program, with the --ignore-test flag.
A test can also be ignored on a per-object basis, by adding the annotation kube-score/ignore to the object.
The value should be a comma separated string of the test IDs.
Example:
Testing this object will temporarily disable the service-type test, which warns against using services of type NodePort.
apiVersion: v1
kind: Service
metadata:
name: node-port-service-with-ignore
namespace: foospace
annotations:
kube-score/ignore: service-type
spec:
selector:
app: my-app
ports:
- protocol: TCP
port: 80
targetPort: 8080
type: NodePortkube-score requires Go 1.11 or later to build. Clone this repository, and then:
# Build the project
go build github.com/zegl/kube-score/cmd/kube-score
# Run all tests
go test -v github.com/zegl/kube-score/...Do you want to help out? Take a look at the Contributing Guidelines for more info. š¤©