┌──[root@vms81.liruilongs.github.io]-[~/ansible]
└─$kubectl score score k8s-daemonset-create/*.yaml
apps/v1/DaemonSet myds1                                                       💥
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · nginx -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Resources
        · nginx -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · nginx -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · nginx -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · nginx -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Container Security Context User Group ID
        · nginx -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
..........
┌──[root@vms81.liruilongs.github.io]-[~/kustomize]
└─$kubectl kustomize ./ | kubectl score score -
apps/v1/Deployment web                                                        💥
    [CRITICAL] Container Resources
        · nginx-web -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · nginx-web -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · nginx-web -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · nginx-web -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · nginx-web -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context User Group ID
        · nginx-web -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
........
Analysing an existing cluster
The command below dumps the YAML of every namespaced, listable API resource in the running cluster and pipes it into kube-score, so the same checks can be applied to objects that are already deployed.
┌──[root@vms81.liruilongs.github.io]-[~/awx-operator]
└─$kubectl api-resources --verbs=list --namespaced -o name | xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---" | kubectl score score -
apps/v1/DaemonSet calico-node in kube-system                                  💥
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
.............
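As an added example (not from the original post), here is the myds1 DaemonSet rewritten so that every CRITICAL finding reported above is addressed, together with the NetworkPolicy that the "Pod NetworkPolicy" check asks for. The image tag, UID/GID, resource values and the ingress-only policy are assumptions chosen for illustration; egress is left unrestricted here.

```yaml
# Added example (not from the original post): a DaemonSet rewritten so that
# each CRITICAL kube-score finding above is addressed. Image tag, user ID and
# resource values are assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: myds1
spec:
  selector:
    matchLabels: {app: myds1}
  template:
    metadata:
      labels: {app: myds1}
    spec:
      containers:
      - name: nginx
        image: nginxinc/nginx-unprivileged:1.25   # listens on 8080, runs unprivileged
        securityContext:                          # "Container Security Context" checks
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001                        # kube-score expects a UID/GID above 10000
          runAsGroup: 10001
          allowPrivilegeEscalation: false
        resources:                                # "Container Resources" / "Ephemeral Storage"
          requests: {cpu: 50m, memory: 64Mi, ephemeral-storage: 100Mi}
          limits:   {cpu: 200m, memory: 128Mi, ephemeral-storage: 200Mi}
        volumeMounts:                             # writable dirs nginx needs on a read-only root
        - {name: cache, mountPath: /var/cache/nginx}
        - {name: tmp, mountPath: /tmp}
      volumes:
      - {name: cache, emptyDir: {}}
      - {name: tmp, emptyDir: {}}
---
# "Pod NetworkPolicy": a policy that selects the pod, here allowing only ingress to 8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myds1-default
spec:
  podSelector:
    matchLabels: {app: myds1}
  policyTypes: [Ingress]
  ingress:
  - ports:
    - port: 8080
```

Running `kubectl score score` on this file should no longer report the CRITICAL items shown above; a NetworkPolicy only takes effect when the cluster's CNI enforces it, as the tool's own note says.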