Extend control_plane.configuration_status PaaS check
Add services.kubelet.config PaaS check.

Generate manifests, kubelet config in dry run mode and compare with stored configs.

Added custom merging and comparing of kubelet-config and kube-proxy ConfigMaps

Added generation of kubelet-config in dry run mode for Kubernetes >= 1.26

Rework `kubernetes.admission` check.
ilia1243 committed Feb 9, 2024
1 parent 0c8c654 commit 4fea911
Showing 5 changed files with 524 additions and 203 deletions.
28 changes: 24 additions & 4 deletions documentation/Kubecheck.md
Expand Up @@ -40,6 +40,8 @@ This section provides information about the Kubecheck functionality.
- [201 Kubelet Status](#201-kubelet-status)
- [202 Nodes pid_max](#202-nodes-pid_max)
- [203 Kubelet Version](#203-kubelet-version)
- [233 Kubelet Configuration](#233-kubelet-configuration)
- [234 kube-proxy Configuration](#234-kube-proxy-configuration)
- [205 System Packages Versions](#205-system-packages-version)
- [205 CRI Versions](#205-cri-versions)
- [205 HAproxy Version](#205-haproxy-version)
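Review bot: the new entries `233 Kubelet Configuration` and `234 kube-proxy Configuration` are inserted between 203 and 205, so the table of contents is no longer in numeric order; either give the new checks numbers that fit the sequence at this position or move the entries to where 233 and 234 sort, and keep the order consistent with the section bodies further down.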
Expand Down Expand Up @@ -381,8 +383,11 @@ The task tree is as follows:
* configuration
* kubelet
* status
* configuration
* pid_max
* version
* configuration
kube-proxy:
* configuration
* packages
* system
* recommended_versions
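Review bot: `kube-proxy:` in the task tree lacks the `*` list marker that its siblings (`* kubelet`, `* packages`) use, so it will render as a stray line rather than a list item; change it to `* kube-proxy` with `* configuration` indented under it the same way as under `kubelet`.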
Expand Down Expand Up @@ -455,7 +460,7 @@ This test checks the status of the Kubelet service on all hosts in the cluster w

##### 202 Nodes pid_max

*Task*: `services.kubelet.configuration`
*Task*: `services.kubelet.pid_max`

This test checks that kubelet `maxPods` and `podPidsLimit` are correctly aligned with kernel `pid_max`.

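Review bot: renaming the task of check 202 from `services.kubelet.configuration` to `services.kubelet.pid_max` while reusing `services.kubelet.configuration` for the new check 233 means an existing invocation that selects `services.kubelet.configuration` will silently run a different test; call out the rename in the release notes so operators update their task selections.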
Expand All @@ -465,6 +470,19 @@ This test checks that kubelet `maxPods` and `podPidsLimit` are correctly aligned

This test checks the Kubelet version on all hosts in a cluster.

##### 233 Kubelet Configuration

*Task*: `services.kubelet.configuration`

This test checks the consistency of the /var/lib/kubelet/config.yaml configuration
with `kubelet-config` ConfigMap and with the inventory.

##### 234 kube-proxy Configuration

*Task*: `services.kube-proxy.configuration`

This test checks the consistency of the `kube-proxy` ConfigMap with the inventory.

##### 204 Container Runtime Configuration Check

*Task*: `services.container_runtime.configuration`
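Review bot: the descriptions of 233 and 234 say what is compared but not how a mismatch is reported; since the commit message says the generated configuration is compared with the stored one, state that the check fails with a diff of the differing fields so the reader knows how to act on the result. Also, `/var/lib/kubelet/config.yaml` should be in backticks like the other paths and names in this file.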
Expand Down Expand Up @@ -640,13 +658,15 @@ This test verifies ETCD health.

*Task*: `control_plane.configuration_status`

This test verifies the consistency of the configuration (image version, `extra_args`, `extra_volumes`) of static pods of Control Plain like `kube-apiserver`, `kube-controller-manager` and `kube-scheduler`.
This test verifies the consistency of the configuration of static pods of Control Plain
for `kube-apiserver`, `kube-controller-manager`, `kube-scheduler`, and `etcd`.

##### 221 Control Plane Health Status

*Task*: `control_plane.health_status`

This test verifies the health of static pods `kube-apiserver`, `kube-controller-manager` and `kube-scheduler`.
This test verifies the health of static pods `kube-apiserver`, `kube-controller-manager`,
`kube-scheduler`, and `etcd`.

##### 222 Default Services Configuration Status

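Review bot: `Control Plain` in the rewritten sentence of test 220 is a typo for `Control Plane`; it was already present in the removed line, but since the sentence is being rewritten anyway this is the place to fix it. The rewrite also drops the explicit list of what is compared (`image version`, `extra_args`, `extra_volumes`); if the check still verifies those, keep them in the description.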
12 changes: 8 additions & 4 deletions kubemarine/admission.py
Expand Up @@ -584,6 +584,13 @@ def update_finalized_inventory(cluster: KubernetesCluster, inventory_to_finalize
return inventory_to_finalize


def generate_pss(cluster: KubernetesCluster) -> str:
defaults = cluster.inventory["rbac"]["pss"]["defaults"]
exemptions = cluster.inventory["rbac"]["pss"]["exemptions"]
return Template(utils.read_internal(admission_template))\
.render(defaults=defaults, exemptions=exemptions)


def copy_pss(group: NodeGroup) -> Optional[RunnersGroupResult]:
if group.cluster.inventory['rbac']['admission'] != "pss":
return None
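Review bot: `generate_pss` reads `cluster.inventory["rbac"]["pss"]["defaults"]` unconditionally, whereas its caller `copy_pss` first checks that `admission == "pss"`; if the new function is called from the configuration comparison for a cluster with a different admission setting, it will raise a `KeyError`. Either guard it the same way or document that callers must check first. Style: prefer wrapping the `Template(...).render(...)` call in parentheses over the backslash continuation.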
Expand All @@ -592,11 +599,8 @@ def copy_pss(group: NodeGroup) -> Optional[RunnersGroupResult]:
group.cluster.log.debug("Pod security disabled, skipping pod admission installation...")
return None

defaults = group.cluster.inventory["rbac"]["pss"]["defaults"]
exemptions = group.cluster.inventory["rbac"]["pss"]["exemptions"]
# create admission config from template and cluster.yaml
admission_config = Template(utils.read_internal(admission_template))\
.render(defaults=defaults,exemptions=exemptions)
admission_config = generate_pss(group.cluster)

# put admission config on every control-planes
group.cluster.log.debug(f"Copy admission config to {admission_path}")
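Review bot: the `# create admission config from template and cluster.yaml` comment was removed together with the inlined rendering; consider moving it onto `generate_pss` as a docstring so the origin of the values (inventory `rbac.pss`) stays documented at the place where they are now read.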
7 changes: 7 additions & 0 deletions kubemarine/core/utils.py
Expand Up @@ -488,6 +488,13 @@ def get_unified_diff(old: str, new: str, fromfile: str = '', tofile: str = '') -
return None


def get_yaml_diff(old: str, new: str, fromfile: str = '', tofile: str = '') -> Optional[str]:
if yaml.safe_load(old) == yaml.safe_load(new):
return None

return get_unified_diff(old, new, fromfile, tofile)


def isipv(address: str, versions: List[int]) -> bool:
return ipaddress.ip_network(address).version in versions

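Review bot: `get_yaml_diff` lets `yaml.safe_load` raise on input that is not valid YAML (or that contains several documents), so a corrupt on-node config file would abort the check with a traceback instead of a reported failure; catch `yaml.YAMLError` and fall back to `get_unified_diff(old, new, fromfile, tofile)` or report the parse error as the finding. Also note that the function returns `None` when the two documents are semantically equal even if their text differs, which is the intended behaviour for a consistency check but deserves a docstring.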

0 comments on commit 4fea911
