{"id":311052,"date":"2021-07-29T14:30:07","date_gmt":"2021-07-29T11:30:07","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-lint-your-kubernetes-manifests-with-kube-score-cloudsavvy-it\/"},"modified":"2021-07-29T14:30:07","modified_gmt":"2021-07-29T11:30:07","slug":"how-to-lint-your-kubernetes-manifests-with-kube-score-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-lint-your-kubernetes-manifests-with-kube-score-cloudsavvy-it\/","title":{"rendered":"#How to Lint Your Kubernetes Manifests With Kube-Score \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Lint Your Kubernetes Manifests With Kube-Score \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage aligncenter size-full wp-image-12986\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/f910560f.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/f910560f.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/f910560f.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Graphic showing the 
Kube-Score icon\" width=\"1200\" height=\"675\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Kube-Score is a Kubernetes static analysis tool which lints your resources to identify security and reliability issues. Running Kube-Score before you apply manifests to your cluster can help you identify pain points before they turn into real problems.<\/p>\n<h2 id=\"getting-started\"><span class=\"ez-toc-section\" id=\"Getting_Started\"><\/span>Getting Started<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kube-Score is offered in several installation formats. Pre-built binaries are available for Windows, macOS, and Linux <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/zegl\/kube-score\/releases\">from GitHub<\/a>. Alternatively, you can use the Brew package manager on macOS (<code>brew install kube-score\/tap\/kube-score<\/code>), or add Kube-Score as a <code>kubectl<\/code> plugin (<code>kubectl krew install score<\/code>).<\/p>\n<p>Run Kube-Score using the <code>kube-score<\/code> command in your terminal. It accepts the path to a Kubernetes YAML manifest file. Wildcards are supported to scan multiple matching files and entire directories.<\/p>\n<p>Kube-Score also works with manifests piped in from standard input. This lets you run the tool against a live Kubernetes cluster. Use <code>kubectl<\/code> to access a resource\u2019s manifest and pipe it into the command. 
Here\u2019s the recommended way of analyzing your entire cluster:<\/p>\n<pre>kubectl api-resources --verbs=list --namespaced -o name \\\n    | xargs -n1 -I{} bash -c \"kubectl get {} --all-namespaces -oyaml &amp;&amp; echo ---\" \\\n    | kube-score score -<\/pre>\n<p>This mechanism also facilitates use with Helm charts. Use the <code>helm template<\/code> command to render your chart as a regular Kubernetes manifest. Pipe this output into <code>kube-score<\/code>:<\/p>\n<pre>helm template example-manifest | kube-score score -<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-13022\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/67e1b4e7.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1234\" height=\"708\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Colorized test results are emitted directly to your terminal. Each failed check includes a description of the test and suggestions for possible resolutions. Review the output to identify ways of improving your manifests.<\/p>\n<p>Tests will be marked as either <code>WARNING<\/code> or <code>CRITICAL<\/code>. A critical failure usually requires immediate remediation. Warnings may not need to be resolved, depending on your specific situation.<\/p>\n<p>Human-readable output can be disabled with the <code>--output-format<\/code> flag. Set this to <code>json<\/code> or <code>ci<\/code> to get machine-readable content that\u2019s easily parsed by other tools. The <code>ci<\/code> format is intended to aid consumption by CI\/CD systems, whereas <code>json<\/code> gives you a JSON representation of the regular console output. 
Kube-Score always exits with a status code of <code>1<\/code> when errors are detected.<\/p>\n<p>If you want to experiment with Kube-Score, you can use the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kube-score.com\/\">live analyzer<\/a> on the project\u2019s website. This lets you write a manifest and observe its scan results in real-time. It\u2019s handy when you\u2019re quickly experimenting with Kube-Score or your manifests.<\/p>\n<h2 id=\"what-does-kube-score-check\"><span class=\"ez-toc-section\" id=\"What_Does_Kube-Score_Check\"><\/span>What Does Kube-Score Check?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kube-Score runs over <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/zegl\/kube-score\/blob\/master\/README_CHECKS.md\">20 different checks<\/a> covering a broad range of security and reliability concerns. These include tests for proper container resource limits, correct use of ingress and egress routes, and configuration of container readiness probes for health checks.<\/p>\n<p>Here are some of the built-in rules:<\/p>\n<ul>\n<li>Prohibit use of the <code>latest<\/code> tag for images.<\/li>\n<li>Ensure each Pod has an image pull policy of <code>Always<\/code>, so that pull secrets are validated on each attempt.<\/li>\n<li>Check Pods have valid probe configurations and network policies.<\/li>\n<li>Check all labels on all resources are valid.<\/li>\n<li>Check for prohibitive Pod anti-affinities which would prevent other Pods from being scheduled to the same worker node.<\/li>\n<li>Check all Services target a valid Pod.<\/li>\n<li>Ensure containers use a read-only root filesystem, without privileged mode.<\/li>\n<\/ul>\n<p>You should refer to the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/zegl\/kube-score\/blob\/master\/README_CHECKS.md\">Kube-Score README<\/a> for an exhaustive list of available checks. 
In many cases, the default set will be sufficient to give you visibility into the most common manifest problems.<\/p>\n<h2 id=\"optional-rules\"><span class=\"ez-toc-section\" id=\"Optional_Rules\"><\/span>Optional Rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Some rules are optional and off by default. These are generally subjective cases which could cause unexpected failures if enforced globally.<\/p>\n<p>Optional tests are enabled by passing the <code>--enable-optional-test<\/code> flag to the <code>kube-score<\/code> command. It takes a test ID to add to the scan. Multiple optional tests are activated by repeating the flag.<\/p>\n<pre>kube-score score --enable-optional-test container-security-context-user-group-id manifest.yaml<\/pre>\n<p>This command runs Kube-Score with an extra test for explicit user and group IDs. The check fails if a Pod runs without manually set user\/group IDs of 1,000 or greater.<\/p>\n<p>You can disable tests in a similar way with the <code>--ignore-test<\/code> flag. This takes a test ID to remove from the scan. In addition, the <code>--ignore-container-cpu-limit<\/code> and <code>--ignore-container-memory-limit<\/code> flags inhibit Kube-Score\u2019s usual insistence that every container possesses manually configured CPU and memory limits.<\/p>\n<h2 id=\"managing-kubernetes-versions\"><span class=\"ez-toc-section\" id=\"Managing_Kubernetes_Versions\"><\/span>Managing Kubernetes Versions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kube-Score currently assumes you\u2019re using Kubernetes v1.18. If you\u2019re running a different version, specify it with the <code>--kubernetes-version<\/code> flag. This informs Kube-Score which checks are actually relevant to your deployment environment. 
Not specifying the correct version could result in false positives or negatives, giving you an inaccurate picture of your cluster\u2019s resilience.<\/p>\n<p>Kube-Score expects your individual resources to use stable Kubernetes APIs. Any resources referencing beta APIs that have been superseded by a stable version will fail the test.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kube-Score provides simple static analysis for Kubernetes resource manifests. It lets you learn about potential issues before you try to deploy to your cluster. Running Kube-Score as part of your CI pipeline gives you confidence that your resources are correctly configured and your cluster will operate reliably.<\/p>\n<p>For best results, feed Kube-Score all of your resources. It\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/zegl\/kube-score#installation\">most effective<\/a> when its input includes every resource in the same namespace. Otherwise, you might find some issues are overlooked if they appear due to a conflict with another manifest.<\/p>\n<p>Remember that Kube-Score isn\u2019t an exhaustive analysis of your cluster. It\u2019s an assistive tool, not a complete checklist that guarantees a watertight cluster. You should still independently audit your environment to maintain strong security and peak performance. Kube-Score\u2019s best used as a day-to-day utility that increases the safety of individual deployments.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/12985\/how-to-lint-your-kubernetes-manifests-with-kube-score\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Lint Your Kubernetes Manifests With Kube-Score \u2013 CloudSavvy IT&#8221; Kube-Score is a Kubernetes static analysis tool which lints your resources to identify security and reliability issues. Running Kube-Score before you apply manifests to your cluster can help you identify pain points before they turn into real problems. 
Getting Started Kube-Score\u2019s offered in several&#8230;<\/p>\n","protected":false},"author":1,"featured_media":311053,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/f910560f.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-311052","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/311052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=311052"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/311052\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/311053"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=311052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=311052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=311052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}