KubeEye is an inspection tool for Kubernetes. It discovers whether Kubernetes resources (by using OPA ), cluster components, cluster nodes (by using Node-Problem-Detector), and other configurations comply with best practices and makes modification suggestions accordingly.

KubeEye supports custom inspection rules and plugin installation. With KubeEye Operator, you can intuitively view the inspection results and modification suggestions on the web console.

Architecture

KubeEye obtains cluster resource details by using Kubernetes APIs, inspects resource configurations by using inspection rules and plugins, and generates inspection results. The architecture of KubeEye is as follows:

Install and use KubeEye

  1. Install KubeEye on your machine.
    • Method 1: Download the pre-built executable file from Releases.
    • Method 2: Build from the source code.
    Note: KubeEye files will be generated in /usr/local/bin/ on your machine. git clone https://github.com/kubesphere/kubeeye.git cd kubeeye make installke
  2. (Optional) Install Node-problem-Detector. Note: If you need detailed reports, run the following command, and then NPD will be installed on your cluster. kubeeye install npd
  3. Run KubeEye to inspect clusters.

Note: The results of KubeEye are sorted by resource kind.

kubeeye audit
KIND          NAMESPACE        NAME                                                           REASON                                        LEVEL    MESSAGE
Node                           docker-desktop                                                 kubelet has no sufficient memory available   warning    KubeletHasNoSufficientMemory
Node                           docker-desktop                                                 kubelet has no sufficient PID available      warning    KubeletHasNoSufficientPID
Node                           docker-desktop                                                 kubelet has disk pressure                    warning    KubeletHasDiskPressure
Deployment    default          testkubeeye                                                                                                                  NoCPULimits
Deployment    default          testkubeeye                                                                                                                  NoReadinessProbe
Deployment    default          testkubeeye                                                                                                                  NotRunAsNonRoot
Deployment    kube-system      coredns                                                                                                               NoCPULimits
Deployment    kube-system      coredns                                                                                                               ImagePullPolicyNotAlways
Deployment    kube-system      coredns                                                                                                               NotRunAsNonRoot
Deployment    kubeeye-system   kubeeye-controller-manager                                                                                            ImagePullPolicyNotAlways
Deployment    kubeeye-system   kubeeye-controller-manager                                                                                            NotRunAsNonRoot
DaemonSet     kube-system      kube-proxy                                                                                                            NoCPULimits
DaemonSet     k          ube-system      kube-proxy                                                                                                            NotRunAsNonRoot
Event         kube-system      coredns-558bd4d5db-c26j8.16d5fa3ddf56675f                      Unhealthy                                    warning   Readiness probe failed: Get "http://10.1.0.87:8181/ready": dial tcp 10.1.0.87:8181: connect: connection refused
Event         kube-system      coredns-558bd4d5db-c26j8.16d5fa3fbdc834c9                      Unhealthy                                    warning   Readiness probe failed: HTTP probe failed with statuscode: 503
Event         kube-system      vpnkit-controller.16d5ac2b2b4fa1eb                             BackOff                                      warning   Back-off restarting failed container
Event         kube-system      vpnkit-controller.16d5fa44d0502641                             BackOff                                      warning   Back-off restarting failed container
Event         kubeeye-system   kubeeye-controller-manager-7f79c4ccc8-f2njw.16d5fa3f5fc3229c   Failed                                       warning   Failed to pull image "controller:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for controller, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Event         kubeeye-system   kubeeye-controller-manager-7f79c4ccc8-f2njw.16d5fa3f61b28527   Failed                                       warning   Error: ImagePullBackOff
Role          kubeeye-system   kubeeye-leader-election-role                                                                                          CanDeleteResources
ClusterRole                    kubeeye-manager-role                                                                                                  CanDeleteResources
ClusterRole                    kubeeye-manager-role                                                                                                  CanModifyWorkloads
ClusterRole                    vpnkit-controller                                                                                                     CanImpersonateUser
ClusterRole                    vpnkit-controller                                                                                           CanDeleteResources

How KubeEye can help you

  • It inspects cluster resources according to Kubernetes best practices to ensure that clusters run stably.
  • It detects the control plane problems of the cluster, including kube-apiserver, kube-controller-manager, and etcd.
  • It detects node problems, including memory, CPU, disk pressure, and unexpected kernel error logs.

Checklist

Yes/NoCheck ItemDescriptionSeverity
PrivilegeEscalationAllowedPrivilege escalation is allowed.danger
CanImpersonateUserThe Role/ClusterRole can impersonate users.warning
CanModifyResourcesThe Role/ClusterRole can delete Kubernetes resources.warning
CanModifyWorkloadsThe Role/ClusterRole can modify Kubernetes resources.warning
NoCPULimitsNo CPU limits are set.danger
NoCPURequestsNo CPU resources are reserved.danger
HighRiskCapabilitiesHigh-risk features, such as ALL, SYS_ADMIN, and NET_ADMIN, are enabled.danger
HostIPCAllowedHostIPC is set to true.danger
HostNetworkAllowedHostNetwork is set to true.danger
HostPIDAllowedHostPID is set to true.danger
HostPortAllowedHostPort is set to true.danger
ImagePullPolicyNotAlwaysThe image pull policy is not set to always.warning
ImageTagIsLatestThe image tag is latest.warning
ImageTagMissThe image tag is missing.danger
InsecureCapabilitiesInsecure options are missing, such as KILL, SYS_CHROOT, and CHOWN.danger
NoLivenessProbeLiveless probe is not set.warning
NoMemoryLimitsNo memory limits are set.danger
NoMemoryRequestsNo memory resources are reserved.danger
NoPriorityClassNameResource scheduling priority is not set.ignore
PrivilegedAllowedPods are running in the privileged mode.danger
NoReadinessProbeReadiness probe is not set.warning
NotReadOnlyRootFilesystemreadOnlyRootFilesystem is not set to true.warning
NotRunAsNonRootrunAsNonRoot is not set to true.warning
CertificateExpiredPeriodThe certificate expiry date of the API Server is less than 30 days.danger
EventAuditEvents need to be audited.warning
NodeStatusNode status needs to be checked.warning
DockerStatusDocker status needs to be checked.warning
KubeletStatuskubelet status needs to be checked.warning

Add your own inspection rules

Add custom OPA rules

Create a directory for storing OPA rules.

mkdir opa

Add custom OPA rule files.

Note:

OPA rule for checking workloads: The package name must be kubeeye_workloads_rego.
OPA rule for checking RBAC settings: The package name must be kubeeye_RBAC_rego.
OPA rule for checking node settings: The package name must be kubeeye_nodes_rego.

To check whether the image registry address complies with rules, save the following rules to imageRegistryRule.rego

package kubeeye_workloads_rego
deny[msg] {
    resource := input
    type := resource.Object.kind
    resourcename := resource.Object.metadata.name
    resourcenamespace := resource.Object.metadata.namespace
    workloadsType := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
    workloadsType[type]

    not workloadsImageRegistryRule(resource)

    msg := {
        "Name": sprintf("%v", [resourcename]),
        "Namespace": sprintf("%v", [resourcenamespace]),
        "Type": sprintf("%v", [type]),
        "Message": "ImageRegistryNotmyregistry"
    }
}

workloadsImageRegistryRule(resource) {
    regex.match("^myregistry.public.kubesphere/basic/.+", resource.Object.spec.template.spec.containers[_].image)
}
  1. Run KubeEye with custom rules.

Note: Kubeeye will read all files ending with .rego in the directory.

root:# kubeeye audit -p ./opa
NAMESPACE     NAME              KIND          MESSAGE
default       nginx1            Deployment    [ImageRegistryNotmyregistry NotReadOnlyRootFilesystem NotRunAsNonRoot]
default       nginx11           Deployment    [ImageRegistryNotmyregistry PrivilegeEscalationAllowed HighRiskCapabilities HostIPCAllowed HostPortAllowed ImagePullPolicyNotAlways ImageTagIsLatest InsecureCapabilities NoPriorityClassName PrivilegedAllowed NotReadOnlyRootFilesystem NotRunAsNonRoot]
default       nginx111          Deployment    [ImageRegistryNotmyregistry NoCPULimits NoCPURequests ImageTagMiss NoLivenessProbe NoMemoryLimits NoMemoryRequests NoPriorityClassName NotReadOnlyRootFilesystem NoReadinessProbe NotRunAsNonRoot]

Add custom NPD rules

  1. Run the following command to change the ConfigMap: kubectl edit ConfigMap node-problem-detector-config -n kube-system
  2. Run the following command to restart NPD: kubectl rollout restart DaemonSet node-problem-detector -n kube-system

KubeEye Operator

What is KubeEye Operator

KubeEye Operator is an inspection platform for Kubernetes. It manages KubeEye to regularly inspect clusters and generate inspection results.

How KubeEye Operator can help you

  • It records inspection results by using CR and provide a web page for you to intuitively view and compare cluster inspection results.
  • It provides more plugins.
  • It provides more detailed modification suggestions.

Deploy KubeEye Operator

kubectl apply -f https://raw.githubusercontent.com/kubesphere/kubeeye/main/deploy/kubeeye.yaml
kubectl apply -f https://raw.githubusercontent.com/kubesphere/kubeeye/main/deploy/kubeeye_insights.yaml

Obtain the inspection results

kubectl get clusterinsight -o yaml
apiVersion: v1
items:
- apiVersion: kubeeye.kubesphere.io/v1alpha1
  kind: ClusterInsight
  metadata:
    name: clusterinsight-sample
    namespace: default
  spec:
    auditPeriod: 24h
  status:
    auditResults:
      auditResults:
      - resourcesType: Node
        resultInfos:
        - namespace: ""
          resourceInfos:
          - items:
            - level: warning
              message: KubeletHasNoSufficientMemory
              reason: kubelet has no sufficient memory available
            - level: warning
              message: KubeletHasNoSufficientPID
              reason: kubelet has no sufficient PID available
            - level: warning
              message: KubeletHasDiskPressure
              reason: kubelet has disk pressure
            name: kubeeyeNode

LEAVE A REPLY

Please enter your comment!
Please enter your name here