Skip to content
/ kube-score Public
forked from zegl/kube-score

Kubernetes object static code analysis

License

MIT license
0 stars 179 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

josesimon/kube-score

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

68 Commits
.circleci
.circleci
 
 
cmd/kube-score
cmd/kube-score
 
 
score
score
 
 
scorecard
scorecard
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
podspecer.go
podspecer.go
 
 

Repository files navigation

kube-score

kube-score is a tool that does static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resiliant.

Installation

Download

Pre-built releases can be downloaded from the Github Releases page, or from Docker Hub.

Building from source

kube-score requires go in version 1.11.+ with go modules. To install kube-score into your local gobin path run the following commands:

go get github.com/zegl/kube-score
cd $GOPATH/src/github.com/zegl/kube-score/
GO111MODULE=on go install github.com/zegl/kube-score/cmd/kube-score

Checks

  • Container limits (should be set)
  • Container image tag (should not be :latest)
  • Container image pull policy (should be Always)
  • Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended
  • Container probes, both readiness and liveness checks should be configured, and should not be identical
  • Container securityContext, run as high number user/group, do not run as root or with privileged root fs
  • Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)

Example output

Usage in CI

kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.

The input to kube-score should be all applications that you deploy to the same namespace for the best result.

Example with Helm

helm template my-app | kube-score -

Example with static yamls

kube-score my-app/*.yaml
kube-score my-app/deployment.yaml my-app/service.yaml

Configuration

Usage: kube-score [--flag1 --flag2] file1 file2 ...

Use "-" as filename to read from STDIN.

Usage of ./kube-score:
      --exit-one-on-warning          Exit with code 1 in case of warnings
      --help                         Print help
      --ignore-container-cpu-limit   Disables the requirement of setting a container CPU limit
      --ignore-test strings          Disable a test, can be set multiple times
      --output-format string         Set to 'human' or 'ci'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. (default "human")
      --threshold-ok int             The score threshold for treating an score as OK. Must be between 1 and 10 (inclusive). Scores graded below this threshold are WARNING or CRITICAL. (default 10)
      --threshold-warning int        The score threshold for treating a score as WARNING. Grades below this threshold are CRITICAL. Must be between 1 and 10 (inclusive). (default 5)
      --v                            Verbose output

About

Kubernetes object static code analysis

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

4 tags

Packages

No packages published

Languages

  • Go 99.5%
  • Dockerfile 0.5%