docs: add plugin section #214

Merged
merged 4 commits into from
Apr 18, 2023
2 changes: 1 addition & 1 deletion .github/workflows/docs.yaml
Expand Up @@ -3,7 +3,7 @@ on:
workflow_dispatch:
inputs:
version:
description: 'Version (e.g. "v0.4")'
description: 'Version (e.g. "v0.5")'
type: string
required: true
latest:
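Review bot: the `version` input description in `.github/workflows/docs.yaml` only changes its example value from `"v0.4"` to `"v0.5"`, which will go stale again on the next release; consider a release-agnostic example in the description so this file does not need touching on every version bump. This hunk is also unrelated to the plugin section the PR title describes, so it would be cleaner as its own commit.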
51 changes: 40 additions & 11 deletions docs/cluster-scan.md
Expand Up @@ -26,7 +26,7 @@ metadata:
spec:
clusterRef:
name: mycluster
schedule: "0 */1 * * *"
schedule: "0 * * * *" # at minute 0 past every hour
EOF
```
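Review bot: `"0 * * * *"` and the previous `"0 */1 * * *"` are equivalent cron expressions, so the `schedule` change in this hunk is readability-only; the trailing `# at minute 0 past every hour` is a YAML comment inside the heredoc and is harmless. The `kubectl get clusterscan -o wide` sample output later in the same file should show the same `SCHEDULE` value, which it does (`0 * * * *`).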

Expand Down Expand Up @@ -67,13 +67,31 @@ Listing the `ClusterScans`, the information of the last scans are available:
kubectl get clusterscan -o wide
```
```
NAME CLUSTER SCHEDULE SUSPEND PLUGINS LAST STATUS LAST SCHEDULE LAST SUCCESSFUL ISSUES READY AGE NEXT SCHEDULE
mycluster mycluster 0 */1 * * * false popeye Complete 12m 14m 21 True 32d 2022-06-27T23:00:00Z
NAME CLUSTER SCHEDULE SUSPEND PLUGINS LAST STATUS LAST SCHEDULE LAST SUCCESSFUL ISSUES READY SAAS AGE NEXT SCHEDULE
mycluster mycluster 0 * * * * false marvin,popeye Complete 13s 1s 34 True OK 39s 2023-04-18T14:00:00Z
```

The `LAST STATUS` column represents the status (Active, Complete or Failed) of the last **scan**
The `LAST STATUS` column represents the status (`Active`, `Complete` or `Failed`) of the last **scan**
that was scheduled at the time represented by `LAST SCHEDULE` column.

## Scanner plugins

Zora uses CLI tools as plugins to scan the clusters.

Currently, there are two available plugins:
[Marvin](https://github.com/undistro/marvin) and [Popeye](https://github.com/derailed/popeye).
Both plugins are used by default in `ClusterScans`.

!!! info
To list the available plugins, run the following command:
```
kubectl get plugins -n zora-system
```

Marvin is the official [Undistro](https://undistro.io) plugin that scans a k8s cluster
by performing [CEL (Common Expression Language)](https://github.com/google/cel-spec) expressions.
Similarly, Popeye is a widely used open-source tool for k8s cluster scanning.

## List cluster issues

Once the cluster is successfully scanned,
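Review bot: in the new "Scanner plugins" paragraph, "scans a k8s cluster by performing CEL ... expressions" reads oddly, and "Similarly, Popeye ..." suggests Popeye also uses CEL, which the text does not say; suggest "scans a Kubernetes cluster by evaluating CEL (Common Expression Language) expressions" and "Popeye, in turn, is a widely used open-source tool for Kubernetes cluster scanning." The updated `kubectl get clusterscan -o wide` output also introduces a `SAAS` column that the surrounding text never explains, so a one-line note on what `OK` means there would help.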
Expand All @@ -83,13 +101,21 @@ the reported issues are available in `ClusterIssue` resources:
kubectl get clusterissues -l cluster=mycluster
```
```
NAME CLUSTER ID MESSAGE SEVERITY CATEGORY AGE
mycluster-pop-102-27557035 mycluster POP-102 No probes defined Medium Container 4m8s
mycluster-pop-105-27557035 mycluster POP-105 Liveness probe uses a port#, prefer a named port Low Container 4m8s
mycluster-pop-106-27557035 mycluster POP-106 No resources requests/limits defined Medium Container 4m8s
mycluster-pop-1100-27557035 mycluster POP-1100 No pods match service selector High Service 4m8s
mycluster-pop-306-27557035 mycluster POP-306 Container could be running as root user. Check SecurityContext/Image Medium Security 4m8s
mycluster-pop-500-27557035 mycluster POP-500 Zero scale detected Medium Workloads 4m8s
NAME CLUSTER ID MESSAGE SEVERITY CATEGORY AGE
mycluster-m-102-18e887d99ccb mycluster M-102 Privileged container High Security 100s
mycluster-m-103-18e887d99ccb mycluster M-103 Insecure capabilities High Security 100s
mycluster-m-104-18e887d99ccb mycluster M-104 HostPath volume High Security 100s
mycluster-m-105-18e887d99ccb mycluster M-105 Not allowed hostPort High Security 100s
mycluster-m-111-18e887d99ccb mycluster M-111 Not allowed volume type Low Security 100s
mycluster-m-112-18e887d99ccb mycluster M-112 Allowed privilege escalation Medium Security 100s
mycluster-m-113-18e887d99ccb mycluster M-113 Container could be running as root user Medium Security 100s
mycluster-m-115-18e887d99ccb mycluster M-115 Not allowed seccomp profile Low Security 100s
mycluster-m-201-18e887d99ccb mycluster M-201 Application credentials stored in configuration files High Security 100s
mycluster-m-300-18e887d99ccb mycluster M-300 Root filesystem write allowed Low Security 100s
mycluster-pop-102-c6d6b0eefab4 mycluster POP-102 No probes defined Medium Container 103s
mycluster-pop-106-c6d6b0eefab4 mycluster POP-106 No resources requests/limits defined Medium Container 103s
mycluster-pop-605-c6d6b0eefab4 mycluster POP-605 If ALL HPAs are triggered, cluster memory capacity will match or exceed threshold Medium HorizontalPodAutoscaler 103s
mycluster-pop-710-c6d6b0eefab4 mycluster POP-710 Node Memory threshold reached Medium Node 103s
```

It's possible filter issues by cluster, issue ID, severity and category
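Review bot: the new sample output mixes `M-1xx`/`M-2xx`/`M-3xx` IDs with `POP-xxx` IDs, but nothing in the text says the prefix identifies the reporting plugin (Marvin vs. Popeye); one sentence before or after the block stating that would make the listing self-explanatory. Drive-by in the unchanged context line below the hunk: "It's possible filter issues by ..." is missing "to" ("It's possible to filter issues by ...").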
Expand All @@ -107,6 +133,9 @@ kubectl get clusterissues -l cluster=mycluster,severity=High

# only issues reported by the last scan from mycluster
kubectl get clusterissues -l cluster=mycluster,scanID=fa4e63cc-5236-40f3-aa7f-599e1c83208b

# issues reported from marvin plugin
kubectl get clusterissues -l plugin=marvin
```

!!! tip "Why is it an issue?"
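Review bot: the added comment `# issues reported from marvin plugin` should read "issues reported by the Marvin plugin" to match the wording of the other comments in this block. Also, every other example in the block filters by `cluster=mycluster`, whereas `kubectl get clusterissues -l plugin=marvin` lists issues from all clusters; either add `cluster=mycluster,` to the selector for consistency or say in the comment that this one intentionally spans all clusters.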