From 8832a9e6cf6fb232df9e994806349c2dfa4cc6df Mon Sep 17 00:00:00 2001 From: derailed Date: Sat, 9 Mar 2024 10:36:06 -0700 Subject: [PATCH] Rel v0.21.0 --- .goreleaser.yml | 2 +- .krew.yaml | 18 ++-- Makefile | 2 +- README.md | 5 ++ change_logs/release_v0.21.0.md | 34 ++++++++ spinach-examples/spinach_aks.yml | 50 +++++++++++ spinach-examples/spinach_eks.yml | 47 +++++++++++ spinach/spinach_aks.yml | 87 ------------------- spinach/spinach_eks.yml | 91 -------------------- spinach/spinach_metakube.yml | 141 ------------------------------- 10 files changed, 150 insertions(+), 327 deletions(-) create mode 100644 change_logs/release_v0.21.0.md create mode 100644 spinach-examples/spinach_aks.yml create mode 100644 spinach-examples/spinach_eks.yml delete mode 100644 spinach/spinach_aks.yml delete mode 100644 spinach/spinach_eks.yml delete mode 100644 spinach/spinach_metakube.yml diff --git a/.goreleaser.yml b/.goreleaser.yml index 7d4366bb..34325b03 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -30,7 +30,7 @@ builds: archives: - name_template: >- {{ .ProjectName }}_ - {{- title .Os }}_ + {{- .Os }}_ {{- if eq .Arch "amd64" }}amd64 {{- else if eq .Arch "386" }}i386 {{- else }}{{ .Arch }}{{ end }} diff --git a/.krew.yaml b/.krew.yaml index 5c8b4685..457ba8a7 100644 --- a/.krew.yaml +++ b/.krew.yaml 
@@ -25,35 +25,41 @@ spec: matchLabels: os: darwin arch: amd64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Darwin_amd64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_darwin_amd64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye - selector: matchLabels: os: darwin arch: arm64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Darwin_arm64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_darwin_arm64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye - selector: matchLabels: os: linux arch: amd64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Linux_amd64.tar.gz" .TagName | indent 6}} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_linux_amd64.tar.gz" .TagName | indent 6}} bin: kubectl-popeye - selector: matchLabels: os: linux arch: arm64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Linux_arm64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_linux_arm64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye - selector: matchLabels: os: windows arch: amd64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Windows_amd64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_windows_amd64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye.exe - selector: matchLabels: os: windows arch: arm64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Windows_arm64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ 
.TagName }}/popeye_windows_amd64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye.exe + - selector: + matchLabels: + os: windows + arch: arm64 + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_windows_arm64.tar.gz" .TagName | indent 6 }} + bin: kubectl-popeye.exe \ No newline at end of file diff --git a/Makefile b/Makefile index a61a6443..63cae1f6 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ NAME := popeye PACKAGE := github.com/derailed/$(NAME) -VERSION := v0.20.5 +VERSION := v0.21.0 GIT := $(shell git rev-parse --short HEAD) DATE := $(shell date +%FT%T%Z) IMG_NAME := derailed/popeye diff --git a/README.md b/README.md index 65942eb9..35124a21 100644 --- a/README.md +++ b/README.md @@ -425,6 +425,11 @@ popeye: - fqns: [blee-ns] codes: [106] # => skip code 106 for namespace blee-ns + # Skip secrets in namespace bozo. + secrets: + instances: + - fqns: [rx:^bozo] + # Configure the pods linter for v1/pods. pods: instances: diff --git a/change_logs/release_v0.21.0.md b/change_logs/release_v0.21.0.md new file mode 100644 index 00000000..798f06ca --- /dev/null +++ b/change_logs/release_v0.21.0.md 
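Review bot: On the new side the existing `os: windows` / `arch: arm64` platform entry now references `popeye_windows_amd64.tar.gz`, and a second `windows`/`arm64` entry referencing `popeye_windows_arm64.tar.gz` is appended right after it, so the manifest carries two selectors for the same platform and none that pairs arm64 with the arm64 archive first. Krew, as far as I recall, installs the first platform whose selector matches, so Windows arm64 users would presumably receive the amd64 binary, and because `addURIAndSha` pins the sha256 of whatever URL is referenced, the checksum will not catch the wrong-architecture artifact. Restore `popeye_windows_arm64.tar.gz` in the existing entry and drop the appended block (or delete the earlier duplicate if the appended one is intended), so each `os`/`arch` pair appears exactly once. It is also worth confirming that every lower-cased archive name here matches the `name_template` change in `.goreleaser.yml`, since a mismatch only surfaces when the release job runs.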
@@ -0,0 +1,34 @@ + + +# Release v0.21.0 + +## Notes + +Thank you to all that contributed with flushing out issues and enhancements for Popeye! I'll try to mark some of these issues as fixed. But if you don't mind grab the latest rev and see if we're happier with some of the fixes! If you've filed an issue please help me verify and close. Your support, kindness and awesome suggestions to make Popeye better is as ever very much noticed and appreciated! + +This project offers a GitHub Sponsor button (over here 👆). As you well know this is not pimped out by big corps with deep pockets. If you feel `Popeye` is saving you cycles diagnosing potential cluster issues please consider sponsoring this project!! It does go a long way in keeping our servers lights on and beers in our fridge. + +Also if you dig this tool, please make some noise on social! [@kitesurfer](https://twitter.com/kitesurfer) + +--- + +## Maintenance Release + +--- + +## Resolved Issues + +. [#293](https://github.com/derailed/popeye/issues/293) Spinach documentation +. [#263](https://github.com/derailed/popeye/issues/263) Fix automated action to push releases to krew + +--- + +## Contributed PRs + +Please give `Big Thanks!` and `ATTA Girls/Boys!` to all the fine contributors for making Popeye better for all of us!! + +* [PR #294](https://github.com/derailed/popeye/pull/294) Krew manifest update + +--- + +  © 2024 Imhotep Software LLC. All materials licensed under [Apache v2.0](http://www.apache.org/licenses/LICENSE-2.0) diff --git a/spinach-examples/spinach_aks.yml b/spinach-examples/spinach_aks.yml new file mode 100644 index 00000000..a50dca40 --- /dev/null +++ b/spinach-examples/spinach_aks.yml 
@@ -0,0 +1,50 @@ +# A Sample AKS Popeye configuration. +popeye: + allocations: + cpu: + # Checks if cpu is under allocated by more than 200% at current load. + underPercUtilization: 200 + # Checks if cpu is over allocated by more than 50% at current load. + overPercUtilization: 50 + memory: + # Checks if mem is under allocated by more than 200% at current load. + underPercUtilization: 200 + # Checks if mem is over allocated by more than 50% at current load. + overPercUtilization: 50 + + # Excludes define rules to exampt resources from sanitization + excludes: + global: + fqns: [rx:kube-system] + + linters: + clusterrolebindings: + instances: + - fqns: [rx:system, rx:aks, rx:omsagent] + + clusterroles: + instances: + - fqns: [omsagent-reader, system, admin, edit, view, cluster-admin] + codes: [400] + + resources: + # Nodes specific sanitization + node: + limits: + cpu: 90 + memory: 80 + + # Pods specific sanitization + pod: + limits: + # Fail if cpu is over 80% + cpu: 80 + # Fail if pod mem is over 75% + memory: 75 + # Fail if more than 3 restarts on any pods + restarts: 3 + + # Code specifies a custom severity level ie critical=3, warn=2, info=1 + overrides: + - codes: 206 + severity: 1 diff --git a/spinach-examples/spinach_eks.yml b/spinach-examples/spinach_eks.yml new file mode 100644 index 00000000..fa8dbf43 --- /dev/null +++ b/spinach-examples/spinach_eks.yml 
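Review bot: The exclusion patterns in this file are unanchored substring regexes, so `excludes.global.fqns: [rx:kube-system]` and the `clusterrolebindings` rule `fqns: [rx:system, rx:aks, rx:omsagent]` also silence findings on any user-created object whose name merely contains `system`, `aks` or `omsagent` (for example a `team-system-admin` ClusterRoleBinding), which hides exactly the RBAC objects a reviewer would want flagged. The companion EKS example anchors its patterns (`rx:^kube-system`, `rx:^system`); do the same here, e.g. `fqns: [rx:^kube-system]` and `- fqns: [rx:^system:, rx:^aks-, rx:^omsagent]`, adjusting the prefixes to the actual AKS add-on names. Separately, the `clusterroles` entry lists a literal `system` where the deleted `spinach/spinach_aks.yml` had `rx:system`; a plain name only matches a ClusterRole named exactly `system`, so the `system:*` roles are presumably no longer excluded from code 400 and `rx:^system:` would restore that. A comment above `excludes` such as `# Keep rx: patterns anchored (rx:^...) so exclusions cannot hide user-created resources.` would help future editors.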
@@ -0,0 +1,47 @@ +# A Sample EKS Popeye configuration. +popeye: + allocations: + cpu: + # Checks if cpu is under allocated by more than 200% at current load. + underPercUtilization: 200 + # Checks if cpu is over allocated by more than 50% at current load. + overPercUtilization: 50 + memory: + # Checks if mem is under allocated by more than 200% at current load. + underPercUtilization: 200 + # Checks if mem is over allocated by more than 50% at current load. + overPercUtilization: 50 + + # Excludes define rules to exampt resources from sanitization + excludes: + global: + fqns: [rx:^kube-system,rx:^local-path-storage] + + linters: + clusterroles: + instances: + - fqns: [rx:^eks,rx:^aws-node,rx:^system,admin,edit,view,cluster-admin] + codes: [400] + + resources: + # Nodes specific sanitization + node: + limits: + cpu: 90 + memory: 80 + + # Pods specific sanitization + pod: + limits: + # Fail if cpu is over 80% + cpu: 80 + # Fail if pod mem is over 75% + memory: 75 + # Fail if more than 3 restarts on any pods + restarts: 3 + + + # Code specifies a custom severity level ie critical=3, warn=2, info=1 + overrides: + - codes: 206 + severity: 1 diff --git a/spinach/spinach_aks.yml b/spinach/spinach_aks.yml deleted file mode 100644 index d74248c6..00000000 --- a/spinach/spinach_aks.yml +++ /dev/null 
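Review bot: `excludes.global.fqns: [rx:^kube-system,rx:^local-path-storage]` anchors only the start of each pattern, so `^kube-system` also matches any resource whose fully-qualified name begins with that string, such as a namespace called `kube-system-backup`, and everything in it would be silently skipped by the scan. If popeye's fqn for namespaced objects is `namespace/name` and the bare name for cluster-scoped ones (inferred, not visible here), `fqns: [rx:^kube-system(/|$), rx:^local-path-storage(/|$)]` limits the exclusion to the intended namespaces. The same applies to the `clusterroles` patterns `rx:^eks` and `rx:^system`, where a `rx:^eks:` / `rx:^system:` boundary would keep user-created roles like `eks-admin-custom` in scope for code 400. A one-line comment above `excludes` noting that `rx:` values are regular expressions and should be anchored on both ends would make the intent explicit.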
@@ -1,87 +0,0 @@ -# A Sample AKS Popeye configuration. -popeye: - allocations: - cpu: - # Checks if cpu is under allocated by more than 200% at current load. - underPercUtilization: 200 - # Checks if cpu is over allocated by more than 50% at current load. - overPercUtilization: 50 - memory: - # Checks if mem is under allocated by more than 200% at current load. - underPercUtilization: 200 - # Checks if mem is over allocated by more than 50% at current load. - overPercUtilization: 50 - # Excludes define rules to exampt resources from sanitization - excludes: - gvrs: - rbac.authorization.k8s.io/v1/clusterrolebindings: - - name: rx:system - - name: rx:aks - - name: rx:omsagent - rbac.authorization.k8s.io/v1/clusterroles: - - name: omsagent-reader - codes: - - 400 - - name: rx:system - codes: - - 400 - - name: admin - codes: - - 400 - - name: edit - codes: - - 400 - - name: view - codes: - - 400 - - name: cluster-admin - codes: - - 400 - rbac.authorization.k8s.io/v1/rolebindings: - - name: rx:kube - rbac.authorization.k8s.io/v1/roles: - - name: rx:kube - apps/v1/daemonsets: - - name: rx:kube-system - apps/v1/deployments: - - name: rx:kube-system - apps/v1/replicasets: - - name: rx:kube - networking.k8s.io/v1/networkpolicies: - - name: rx:kube - policy/v1beta1/poddisruptionbudgets: - - name: rx:kube - v1/configmaps: - - name: rx:kube - v1/namespaces: - - name: rx:kube - v1/pods: - - name: rx:kube - v1/serviceaccounts: - - name: rx:kube - v1/secrets: - - name: rx:kube - v1/services: - - name: rx:kube - - resources: - # Nodes specific sanitization - node: - limits: - cpu: 90 - memory: 80 - - # Pods specific sanitization - pod: - limits: - # Fail if cpu is over 80% - cpu: 80 - # Fail if pod mem is over 75% - memory: 75 - # Fail if more than 3 restarts on any pods - restarts: 3 - - # Code specifies a custom severity level ie critical=3, warn=2, info=1 - codes: - 206: - severity: 1 
diff --git a/spinach/spinach_eks.yml b/spinach/spinach_eks.yml
deleted file mode 100644
index 048d3a07..00000000
--- a/spinach/spinach_eks.yml
+++ /dev/null
@@ -1,91 +0,0 @@ -# A Sample EKS Popeye configuration. -popeye: - allocations: - cpu: - # Checks if cpu is under allocated by more than 200% at current load. - underPercUtilization: 200 - # Checks if cpu is over allocated by more than 50% at current load. - overPercUtilization: 50 - memory: - # Checks if mem is under allocated by more than 200% at current load. - underPercUtilization: 200 - # Checks if mem is over allocated by more than 50% at current load. - overPercUtilization: 50 - # Excludes define rules to exampt resources from sanitization - excludes: - gvrs: - rbac.authorization.k8s.io/v1/clusterrolebindings: - - name: rx:system - - name: rx:eks - rbac.authorization.k8s.io/v1/clusterroles: - - name: rx:eks - codes: - - 400 - - name: aws-node - codes: - - 400 - - name: rx:system - codes: - - 400 - - name: admin - codes: - - 400 - - name: edit - codes: - - 400 - - name: view - codes: - - 400 - - name: cluster-admin - codes: - - 400 - rbac.authorization.k8s.io/v1/rolebindings: - - name: rx:kube - rbac.authorization.k8s.io/v1/roles: - - name: rx:kube - apps/v1/daemonsets: - - name: rx:kube-system - apps/v1/deployments: - - name: rx:kube-system - apps/v1/replicasets: - - name: rx:kube - networking.k8s.io/v1/networkpolicies: - - name: rx:freddy - policy/v1beta1/podsecuritypolicies: - - name: rx:eks - v1/configmaps: - - name: rx:kube - v1/namespaces: - - name: rx:kube - v1/pods: - - name: rx:kube - v1/serviceaccounts: - - name: rx:kube - v1/secrets: - - name: rx:kube - v1/services: - - name: rx:kube - codes: - - 404 - - resources: - # Nodes specific sanitization - node: - limits: - cpu: 90 - memory: 80 - - # Pods specific sanitization - pod: - limits: - # Fail if cpu is over 80% - cpu: 80 - # Fail if pod mem is over 75% - memory: 75 - # Fail if more than 3 restarts on any pods - restarts: 3 - - # Code specifies a custom severity level ie critical=3, warn=2, info=1 - codes: - 206: - severity: 1 
diff --git a/spinach/spinach_metakube.yml b/spinach/spinach_metakube.yml
deleted file mode 100644
index eed5ad99..00000000
--- a/spinach/spinach_metakube.yml
+++ /dev/null
@@ -1,141 +0,0 @@ -popeye: - excludes: - gvrs: - v1/serviceaccounts: - # Those are managed by SysEleven - - name: rx:^syseleven - - # We don’t check the kube* service accounts - this is part of the platform - - name: rx:^kube - - name: default/default - codes: - - 400 - - # Exclude some codes for default services - v1/services: - # Those are managed by SysEleven - - name: rx:^syseleven - - # This service is of type NodePort, which is intentional (1104) - - name: default/kubernetes - codes: - - 1104 - - # The ports here are not named yet (1102) - - name: kube-system/kube-dns - codes: - - 1102 - - # The port here is not named yet (1102) - - name: kube-system/node-exporter - codes: - - 1102 - - # We don’t want to check tiller, it’s only here for backwards compatibility to helm2 - - name: kube-system/tiller-deploy - - # We don’t need to check the metrics-server, this is managed by MetaKube - - name: kube-system/metrics-server - - # Exclude Secrets in the system namespaces - v1/secrets: - # Don’t check helm release secrets - - name: rx:sh.helm.release - - - name: rx:^kube - - # Those are managed by SysEleven - - name: rx:^syseleven - - # The default token may be unused - - name: rx:default/default-token - codes: - - 400 - - # RoleBindings for platform services can be excluded - rbac.authorization.k8s.io/v1/rolebindings: - - name: rx:^kube - - name: rx:^default/system - - name: default/machine-controller - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Roles for platform services can be excluded - rbac.authorization.k8s.io/v1/roles: - - name: rx:^kube - - name: rx:^default/system - - name: default/machine-controller - - # Those are managed by SysEleven - - name: rx:^syseleven - - # ReplicaSets for platform services can be excluded - v1/replicasets: - - name: rx:^kube - - # Those are managed by SysEleven - - name: rx:^syseleven - - # MetaKube provides you with some SysEleven PodSecurityPolicies that we don’t want to scan here - 
policy/v1beta1/podsecuritypolicies: - # Those are managed by SysEleven - - name: rx:^syseleven - - # PodDisruptionBudgets for platform services can be excluded - policy/v1beta1/poddisruptionbudgets: - - name: kube-system/coredns - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Pods for platform services can be excluded - v1/pods: - - name: rx:^kube-system/ - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Nodes are platform services and can be excluded - v1/nodes: - - name: rx:.* - - # We don’t want to sanitize the default namespaces: - v1/namespaces: - - name: default - - name: kube-node-lease - - name: kube-public - - name: kube-system - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Deployments for platform services can be excluded - apps/v1/deployments: - - name: rx:^kube-system - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Daemonsets for platform services can be excluded - apps/v1/daemonsets: - - name: rx:^kube-system - - # Those are managed by SysEleven - - name: rx:^syseleven - - # ConfigMaps for platform services can be excluded - v1/configmaps: - - name: rx:^kube-system - - name: kube-public/cluster-info - - # Those are managed by SysEleven - - name: rx:^syseleven - - rbac.authorization.k8s.io/v1/clusterroles: - - name: rx:.* - codes: - - 400 - - # Those are managed by SysEleven - - name: rx:^syseleven