Skip to content

Commit

Permalink
Merge pull request #279 from derailed/rel_v0.20.0
Browse files Browse the repository at this point in the history
Relealse v0.20.0
  • Loading branch information
derailed authored Feb 17, 2024
2 parents 52a5610 + 7db93f1 commit 941a9db
Show file tree
Hide file tree
Showing 386 changed files with 18,463 additions and 13,539 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,4 @@ popeye
.idea
spinach.yml
/kind
/spinach-me
11 changes: 0 additions & 11 deletions .gitpod.yml

This file was deleted.

3 changes: 2 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
NAME := popeye
PACKAGE := github.com/derailed/$(NAME)
VERSION := v0.11.3
VERSION := v0.20.0
GIT := $(shell git rev-parse --short HEAD)
DATE := $(shell date +%FT%T%Z)
IMG_NAME := derailed/popeye
Expand All @@ -9,6 +9,7 @@ IMAGE := ${IMG_NAME}:${VERSION}
default: help

test: ## Run all tests
@go clean --testcache
@go test ./...

cover: ## Run test coverage suite
Expand Down
417 changes: 271 additions & 146 deletions README.md

Large diffs are not rendered by default.

Binary file removed assets/html_report.png
Binary file not shown.
Binary file removed assets/nikita.jpg
Binary file not shown.
Binary file added assets/screens/console.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added assets/screens/html.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added assets/screens/json.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added assets/screens/pop-dash.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
File renamed without changes
File renamed without changes
26 changes: 26 additions & 0 deletions change_logs/release_v0.12.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
<img src="https://raw.githubusercontent.com/derailed/popeye/master/assets/popeye_logo.png" align="right" width="200" height="auto"/>

# Release v0.12.0

## Notes

Thank you to all that contributed with flushing out issues and enhancements for Popeye! I'll try to mark some of these issues as fixed. But if you don't mind grab the latest rev and see if we're happier with some of the fixes! If you've filed an issue please help me verify and close. Your support, kindness and awesome suggestions to make Popeye better is as ever very much noticed and appreciated!

This project offers a GitHub Sponsor button (over here 👆). As you well know this is not pimped out by big corps with deep pockets. If you feel `Popeye` is saving you cycles diagnosing potential cluster issues please consider sponsoring this project!! It does go a long way in keeping our servers lights on and beers in our fridge.

Also if you dig this tool, please make some noise on social! [@kitesurfer](https://twitter.com/kitesurfer)

---

## Feature Release!

---

## Resolved Issues

* [#259](https://github.com/derailed/popeye/issues/259) Checking Kubernetes clusters fails because v1/PodSecurityPolicy is checked
* [#229](https://github.com/derailed/popeye/issues/229) Timestamp on the report

---

<img src="https://raw.githubusercontent.com/derailed/popeye/master/assets/imhotep_logo.png" width="32" height="auto"/>&nbsp; © 2024 Imhotep Software LLC. All materials licensed under [Apache v2.0](http://www.apache.org/licenses/LICENSE-2.0)
149 changes: 149 additions & 0 deletions change_logs/release_v0.20.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,149 @@
<img src="https://raw.githubusercontent.com/derailed/popeye/master/assets/popeye_logo.png" align="right" width="200" height="auto"/>

# Release v0.20.0

## Notes

Thank you to all that contributed with flushing out issues and enhancements for Popeye! I'll try to mark some of these issues as fixed. But if you don't mind grab the latest rev and see if we're happier with some of the fixes! If you've filed an issue please help me verify and close. Your support, kindness and awesome suggestions to make Popeye better is as ever very much noticed and appreciated!

This project offers a GitHub Sponsor button (over here 👆). As you well know this is not pimped out by big corps with deep pockets. If you feel `Popeye` is saving you cycles diagnosing potential cluster issues please consider sponsoring this project!! It does go a long way in keeping our servers lights on and beers in our fridge.

Also if you dig this tool, please make some noise on social! [@kitesurfer](https://twitter.com/kitesurfer)

---

## ♫ Sounds Behind The Release ♭

🏹💕 Happy belated Valentines 💕🏹

* [Glory Box - Portishead](https://www.youtube.com/watch?v=NVuRbwnav_Y)
* [Funny Valentine - Elvis Costello](https://www.youtube.com/watch?v=ni3DjM8wcds)
* [Cause We've Ended As Lovers - Jeff Beck](https://www.youtube.com/watch?v=VC02wGj5gPw)

---

## 🎉 Feature Release 🥳

Popeye just got a new spinach formula and pipe!

😳 This is a big one! 😳

> NOTE! 🫣 Paint is still fresh on this deal and I might have broken stuff in the process ;(
> Please help us vet this drop to help us solidify and make Popeye better for all of us.
> Thank you!!
Splendid! So what changed?

### Biffs'em If You Got'em!

As of this drop, Popeye linters family got extended. The following linters were added/extended:

* Cronjobs
* Jobs
* Gateway-Classes
* Gateways
* HTTPRoutes
* NetworkPolicies (Beefed up!)

### New Spinach Formula!

The SpinachYAML configuration changed and won't be compatible with previous versions.
The new format provides for global exclusions and linters specific ones.
Please see the docs for the gory details but in short this is what a spinach file now looks like:

```yaml
popeye:
allocations:
cpu:
underPercUtilization: 200
overPercUtilization: 50
memory:
underPercUtilization: 200
overPercUtilization: 50

# [!!NEW!!] Specify global exclusions for fqn, codes, labels, annotations
excludes:
global:
# Exclude kube-system ns for all linters.
fqns: [rx:^kube-system]
# Exclude these workload labels for all linters.
labels:
app: [blee, bozo]

# [!!NEW!!] Linters exclude section
linters:
# [!!NEW!!] use the R from GVR resource specification to name the linter
statefulsets:
# [!!NEW!!] Exclude codes via regexp ie skip 101, 1000,...
codes: ["rx:^10"]
instances:
# Skip scan for a particular FQN aka namespace/res-name
- fqns: [default/prom-alertmanager]
codes: [106]

pods:
codes: ["306", "rx:^11"]
instances:
- fqns: [rx:^default/prom]
- fqns: [rx:^default/graf]
# [!!NEW!!] Skip using either labels or annotations and/or specific codes
- labels:
app: [blee, blah, zorg]
codes: [300]
- fqns: [rx:^default/pappi]
codes: [300, 102, 306]
containers: [c1]

resources:
node:
limits:
cpu: 90
memory: 80
pod:
limits:
cpu: 80
memory: 75
restarts: 3

overrides:
- code: 1502
severity: 3

registries:
- quay2.io
- docker1.io
```
### Popeye The Prom Queen?
Additionally, we've updated Popeye's prometheus metrics to provide more scan insights and signals. Please see the docs for details.
. `popeye_severity_total` [gauge] tracks various counts based on severity.
. `popeye_code_total` [gauge] tracks counts by Popeye's linter codes.
. `popeye_linter_tally_total` [gauge] tracks counts per linters.
. `popeye_report_errors_total` [gauge] tracks scan errors totals.
. `popeye_cluster_score` [gauge] tracks scan report scores.

---

## Resolved Issues

. [#265](https://github.com/derailed/popeye/issues/265) additional/fine grained prometheus metrics
. [#237](https://github.com/derailed/popeye/issues/237) Support multiple outputs at once
. [#235](https://github.com/derailed/popeye/issues/235) --lint level does not affect html output
. [#232](https://github.com/derailed/popeye/issues/232) Metrics get overridden when using the same Pushgateway for multiple k8s clusters
. [#231](https://github.com/derailed/popeye/issues/231) wrong warning: [POP-107] No resource limits defined
. [#230](https://github.com/derailed/popeye/issues/230) APIs: metrics.k8s.io/v1beta1: the server is currently unable to handle the request
. [#214](https://github.com/derailed/popeye/issues/214) [POP-1100] No pods match service selector - should not be detected for ExternalName service type
. [#213](https://github.com/derailed/popeye/issues/213) Ingress extensions/v1beta1 deprecated (and deleted in k8s v1.22) is not detected ONLY in kube-metriques namespace
. [#212](https://github.com/derailed/popeye/issues/212) Ingress networking.k8s.io/v1beta1 deprecated since k8s v1.19 and deleted in k8s v1.22, is not detected ONLY in specific namespace name as kube-metriques
. [#209](https://github.com/derailed/popeye/issues/209) POP-403 - PodSecurityPolicy (PSP) k8s v1.21 deprecation - k8s v1.25 deletion - not detected
. [#202](https://github.com/derailed/popeye/issues/202) False positive on NetworkPolicy using a catch all namespaceSelector
. [#163](https://github.com/derailed/popeye/issues/163) popeye 0.9.0 with K8S 1.21.0 bug on PodDisruptionBudget - Wrong default API
. [#125](https://github.com/derailed/popeye/issues/125) info/error/warning messages to the metrics sent to prometheus
. [#97](https://github.com/derailed/popeye/issues/97) Add support for explicitly sanitizing jobs to popeye
. [#59](https://github.com/derailed/popeye/issues/59) StatefulSet incorrectly determines apiVersio

---

<img src="https://raw.githubusercontent.com/derailed/popeye/master/assets/imhotep_logo.png" width="32" height="auto"/>&nbsp; © 2024 Imhotep Software LLC. All materials licensed under [Apache v2.0](http://www.apache.org/licenses/LICENSE-2.0)
72 changes: 29 additions & 43 deletions cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@
package cmd

import (
"errors"
"fmt"
"os"
"path/filepath"
Expand All @@ -26,7 +25,7 @@ var (
flags = config.NewFlags()
rootCmd = &cobra.Command{
Use: execName(),
Short: "A Kubernetes Cluster sanitizer and linter",
Short: "A Kubernetes Cluster resource linter",
Long: `Popeye scans your Kubernetes clusters and reports potential resource issues.`,
Run: doIt,
}
Expand All @@ -48,14 +47,12 @@ func init() {
// Execute root command
func Execute() {
if err := rootCmd.Execute(); err != nil {
bomb(fmt.Sprintf("Exec failed %s", err))
return
}
}

// Doit runs the scans and lints pass over the specified cluster.
func doIt(cmd *cobra.Command, args []string) {
zerolog.SetGlobalLevel(zerolog.DebugLevel)

defer func() {
if err := recover(); err != nil {
printMsgLogo("DOH", "X", report.ColorOrangish, report.ColorRed)
Expand All @@ -66,34 +63,33 @@ func doIt(cmd *cobra.Command, args []string) {
}
}()

zerolog.SetGlobalLevel(zerolog.DebugLevel)
clearScreen()
if err := checkFlags(); err != nil {
bomb(fmt.Sprintf("%v", err))
}
bomb(flags.Validate())
flags.StandAlone = true
popeye, err := pkg.NewPopeye(flags, &log.Logger)
if err != nil {
bomb(fmt.Sprintf("Popeye configuration load failed %v", err))
}
if e := popeye.Init(); e != nil {
bomb(e.Error())
bomb(fmt.Errorf("popeye configuration load failed %w", err))
}
errCount, score, err := popeye.Sanitize()
bomb(popeye.Init())

errCount, score, err := popeye.Lint()
if err != nil {
bomb(err.Error())
bomb(err)
}

if flags.ForceExitZero != nil && *flags.ForceExitZero {
os.Exit(0)
}

if errCount > 0 || (flags.MinScore != nil && score < *flags.MinScore) {
os.Exit(1)
}
}

func bomb(msg string) {
panic(fmt.Sprintf("💥 %s\n", report.Colorize(msg, report.ColorRed)))
func bomb(err error) {
if err == nil {
return
}
panic(fmt.Sprintf("💥 %s\n", report.Colorize(err.Error(), report.ColorRed)))
}

func initPopeyeFlags() {
Expand All @@ -115,7 +111,7 @@ func initPopeyeFlags() {

rootCmd.Flags().StringVarP(flags.Output, "out", "o",
"standard",
"Specify the output type (standard, jurassic, yaml, json, html, junit, prometheus, score)",
"Specify the output type (standard, jurassic, yaml, json, html, junit, score)",
)

rootCmd.Flags().BoolVarP(flags.Save, "save", "",
Expand All @@ -125,25 +121,25 @@ func initPopeyeFlags() {

rootCmd.Flags().StringVarP(flags.OutputFile, "output-file", "",
"",
"Specify the name of the saved output file",
"Specify the file name to persist report to disk",
)

rootCmd.Flags().StringVarP(flags.S3Bucket, "s3-bucket", "",
rootCmd.Flags().StringVarP(flags.S3.Bucket, "s3-bucket", "",
"",
"Specify to which S3 bucket you want to save the output file",
)
rootCmd.Flags().StringVarP(flags.S3Region, "s3-region", "",
rootCmd.Flags().StringVarP(flags.S3.Region, "s3-region", "",
"",
"Specify an s3 compatible region when the s3-bucket option is enabled",
)
rootCmd.Flags().StringVarP(flags.S3Endpoint, "s3-endpoint", "",
rootCmd.Flags().StringVarP(flags.S3.Endpoint, "s3-endpoint", "",
"",
"Specify an s3 compatible endpoint when the s3-bucket option is enabled",
)

rootCmd.Flags().StringVarP(flags.InClusterName, "cluster-name", "",
"",
"Specificy a cluster name when running popeye in cluster",
"Specify a cluster name when running popeye in cluster",
)

rootCmd.Flags().StringVarP(flags.LintLevel, "lint", "l",
Expand All @@ -163,7 +159,7 @@ func initPopeyeFlags() {

rootCmd.Flags().BoolVarP(flags.AllNamespaces, "all-namespaces", "A",
false,
"Sanitize all namespaces",
"When present, runs linters for all namespaces",
)

rootCmd.Flags().StringVarP(flags.Spinach, "file", "f",
Expand All @@ -173,7 +169,7 @@ func initPopeyeFlags() {

rootCmd.Flags().StringSliceVarP(flags.Sections, "sections", "s",
[]string{},
"Specifies which resources to include in the scan ie -s po,svc",
"Specify which resources to include in the scan ie -s po,svc",
)
}

Expand Down Expand Up @@ -276,35 +272,25 @@ func initFlags() {
)

rootCmd.Flags().StringVar(
flags.PushGateway.Address,
"pushgateway-address",
flags.PushGateway.URL,
"push-gtwy-url",
"",
"Address of pushgateway e.g. http://localhost:9091",
"Prometheus pushgateway address e.g. http://localhost:9091",
)
rootCmd.Flags().StringVar(
flags.PushGateway.BasicAuth.User,
"pushgateway-user",
"push-gtwy-user",
"",
"BasicAuth username for pushgateway",
"Prometheus pushgateway auth username",
)
rootCmd.Flags().StringVar(
flags.PushGateway.BasicAuth.Password,
"pushgateway-password",
"push-gtwy-password",
"",
"BasicAuth password for pushgateway",
"Prometheus pushgateway auth password",
)
}

func checkFlags() error {
if flags.OutputFormat() == report.PrometheusFormat && *flags.PushGateway.Address == "" {
return errors.New("Please set pushgateway-address and auth if necessary")
}
if !*flags.Save && *flags.OutputFile != "" {
return errors.New("Please set '--save' flag to use 'output-file'.")
}
return nil
}

// ----------------------------------------------------------------------------
// Helpers...

Expand Down
Loading

0 comments on commit 941a9db

Please sign in to comment.