https://youtu.be/hxMQMu922m8

If you’ve been navigating the waters of Kubernetes, you know how challenging it is. Not only are there a lot of moving parts, but your pod and container configuration files can also become quite complicated. When those manifests grow in size, you could easily overlook a configuration option, and that oversight could be costly.

Think about it this way: A poorly configured Kubernetes manifest could lead to security issues or could even cost you money, especially when you’re deploying your pods on a cloud-hosted service like AWS or Google Cloud, where you pay for the services you use. Misconfigure a pod and it might consume too much of one or more resources, and there goes your monthly budget.

Why not take the time to lint your configuration files? Because that can be time-consuming.

However, there’s an easier way. With the help of the kube-score tool, you can test your YAML files for things like:

  • Ingress targets a Service
  • CronJobs have a configured deadline
  • All pods have resource limits and requests set
  • All pods have the same requests as limits on resources set
  • All pods have the same CPU requests as limits set
  • An explicit non-latest tag is used
  • The pullPolicy is set to Always
  • All StatefulSets are targeted by a PDB

The full list of checks can be found here.

The tool is incredibly easy to use and the output will help you tighten up your YAML files so there aren’t gaping security holes or malformed resources.

How do you use this handy tool? Let me show you.


What you’ll need

  • A running instance of Kubernetes
  • A user with sudo privileges

How to install kube-score

This is quite easy, because kube-score comes as a simple binary file. I’ll be demonstrating on Ubuntu Server 20.04. To install kube-score on this platform, log in to the server and download the necessary file with the command:

wget https://github.com/zegl/kube-score/releases/download/v1.10.1/kube-score_1.10.1_linux_amd64.tar.gz

Note: Make sure to check the kube-score release page to ensure you’re downloading the latest version.

Unpack the tar file with the command:

tar xvzf kube-score_1.10.1_linux_amd64.tar.gz

You should now see the kube-score file in the current working directory. Let’s move that with the command:

sudo mv kube-score /usr/local/bin

You’re ready to score your manifests.

How to use kube-score

Using kube-score is incredibly easy. Let’s say you have the file test.yaml you want to check. Change into the directory housing the test.yaml file and issue the command:

kube-score score test.yaml

The output will list WARNING or CRITICAL for any problems it finds (Figure A).

Figure A

The output of kube-score against my test YAML file.

At this point, you can clearly see what configurations need attention in your YAML file. Make sure you address those issues before deploying.
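To make concrete what the checks in the list above actually look for, here is an added example, not kube-score’s own code, that re-implements three of them (an explicit non-latest image tag, pullPolicy set to Always, and resource requests equal to limits) over a constructed Deployment manifest. The manifest is written as the Python dicts that yaml.safe_load would return, so the block runs without PyYAML, and the WARNING/CRITICAL severities it assigns are illustrative rather than kube-score’s own identifiers.

```python
# Added example (not kube-score's own code): a minimal re-implementation of a
# few of the checks listed above, run over a constructed manifest. Manifests
# are given as the dicts yaml.safe_load would produce, so no PyYAML is needed.
# The check messages and severities are illustrative, not kube-score's.
import copy

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def pod_spec(obj):
    """Return the pod spec for a Pod or a pod-template-bearing workload."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind in WORKLOAD_KINDS:
        return obj["spec"]["template"]["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return None  # kind carries no pod spec; nothing to check here


def image_tag(image):
    """Tag of an image reference, 'digest' if pinned by @sha256, None if untagged.

    Only the last path segment is inspected, so a registry port such as
    registry.example:5000/app is not mistaken for a tag."""
    if "@" in image:
        return "digest"
    last = image.rsplit("/", 1)[-1]
    return last.rsplit(":", 1)[1] if ":" in last else None


def check_container(c):
    """Yield (severity, message) findings for one container spec."""
    name = c.get("name", "<unnamed>")
    tag = image_tag(c.get("image", ""))
    if tag is None or tag == "latest":
        yield "CRITICAL", f"{name}: image must use an explicit non-latest tag"
    if c.get("imagePullPolicy") != "Always":
        yield "WARNING", f"{name}: imagePullPolicy should be Always"
    res = c.get("resources", {})
    req, lim = res.get("requests"), res.get("limits")
    if not req or not lim:
        yield "CRITICAL", f"{name}: resource requests and limits must both be set"
        return  # no point comparing values that are absent
    for r in ("cpu", "memory"):
        if r not in req or r not in lim:
            yield "CRITICAL", f"{name}: {r} request and limit must both be set"
        elif req[r] != lim[r]:
            yield "WARNING", f"{name}: {r} request {req[r]} differs from limit {lim[r]}"


def score(obj):
    """Run the container checks over every container of one manifest object."""
    spec = pod_spec(obj)
    if spec is None:
        return []
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        findings.extend(check_container(c))
    return findings


# Constructed sample: a Deployment whose first container breaks most checks
# and whose second container only has a CPU request/limit mismatch.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:latest", "imagePullPolicy": "IfNotPresent"},
        {"name": "sidecar", "image": "busybox:1.36", "imagePullPolicy": "Always",
         "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                       "limits": {"cpu": "200m", "memory": "64Mi"}}},
    ]}}},
}

# The same Deployment with every finding addressed (tag pinned, pull policy
# Always, requests equal to limits on both containers).
GOOD_DEPLOYMENT = copy.deepcopy(BAD_DEPLOYMENT)
web, sidecar = GOOD_DEPLOYMENT["spec"]["template"]["spec"]["containers"]
web.update({"image": "nginx:1.25.3", "imagePullPolicy": "Always",
            "resources": {"requests": {"cpu": "250m", "memory": "128Mi"},
                          "limits": {"cpu": "250m", "memory": "128Mi"}}})
sidecar["resources"]["limits"]["cpu"] = "100m"

if __name__ == "__main__":
    for label, obj in (("bad", BAD_DEPLOYMENT), ("good", GOOD_DEPLOYMENT)):
        findings = score(obj)
        print(f"{label}: {len(findings)} finding(s)")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Running the block prints four findings for the bad manifest and none for the corrected one. Requests equal to limits is flagged because a pod whose limits exceed its requests can be scheduled onto a node that cannot actually honour them, which is exactly the kind of silent misconfiguration the article warns about.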

If you have running containers or pods, you can run kube-score against them with the command:

kubectl api-resources --verbs=list --namespaced -o name | xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---" | kube-score score -

You’ll probably find considerably more output this way (Figure B).

Figure B

Using kube-score against running containers within a Kubernetes cluster.

Of course, kube-score isn’t perfect and it might not run the specific checks you need, so make sure to look through the full checklist to see if it’s complete enough for you. Even if it doesn’t check for everything you need, kube-score will be much better at validating your YAML files than a manual check, especially if you have complex and numerous manifests.

Give kube-score a try and see if it doesn’t make your Kubernetes deployments a bit more secure and reliable.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

