```
$ kubectl krew install view-allocations
Updated the local copy of plugin index.
Installing plugin: view-allocations
Installed plugin: view-allocations
\
 | Use this plugin:
 | 	kubectl view-allocations
 | Documentation:
 | 	https://github.com/davidB/kubectl-view-allocations
/
WARNING: You installed plugin "view-allocations" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
```
This tool essentially re-organizes the information you would otherwise get from `describe`. As an example, we prepared a case in which the image pull fails, and then tried the `status` command on it.
```
$ kubectl krew install status
Updated the local copy of plugin index.
Installing plugin: status
Installed plugin: status
\
 | Use this plugin:
 | 	kubectl status
 | Documentation:
 | 	https://github.com/bergerx/kubectl-status
/
WARNING: You installed plugin "status" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
```
After installation, we run `kubectl status pod xxxx` against a Pod that is failing.
```
$ kubectl status pod pull-fail

Pod/pull-fail -n default, created 2m ago Pending Burstable
  PodScheduled -> Initialized -> Not ContainersReady -> Not Ready
  Ready ContainersNotReady, containers with unready status: [getting-started] for 2m
  ContainersReady ContainersNotReady, containers with unready status: [getting-started] for 2m
  Standalone POD.
  Containers:
    getting-started (hwchiu/netutils-qq) Waiting ErrImagePull: rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/hwchiu/netutils-qq:latest": failed to resolve reference "docker.io/hwchiu/netutils-qq:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
  Events:
    Scheduled 2m ago from default-scheduler: Successfully assigned default/pull-fail to kind-worker
    Pulling 28s ago (x4 over 1m) from kubelet,kind-worker: Pulling image "hwchiu/netutils-qq"
    Failed 28s ago (x4 over 1m) from kubelet,kind-worker: Failed to pull image "hwchiu/netutils-qq": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/hwchiu/netutils-qq:latest": failed to resolve reference "docker.io/hwchiu/netutils-qq:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
    Failed 28s ago (x4 over 1m) from kubelet,kind-worker: Error: ErrImagePull
    BackOff 13s ago (x6 over 1m) from kubelet,kind-worker: Back-off pulling image "hwchiu/netutils-qq"
    Failed 13s ago (x6 over 1m) from kubelet,kind-worker: Error: ImagePullBackOff
```
Several pieces of information can be read from the output above, for example:

- `PodScheduled -> Initialized -> Not ContainersReady -> Not Ready`: the Pod fails because it gets stuck at the `ContainersReady` condition, so the Pod as a whole never becomes Ready.
- `Standalone POD`: this Pod is not owned by any StatefulSet/ReplicaSet; it is an independent Pod.
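The condition chain and the "Standalone POD" line are both derived from fields that are already in the Pod object; the added example below (my own code, not kubectl-status's) reproduces that reasoning over a constructed Pod JSON modelled on the `pull-fail` case above, so you can see which condition the kubelet stopped at, which container is stuck in `Waiting` and why, and whether any controller owns the Pod. The JSON shape follows `kubectl get pod -o json`; the sample itself is constructed.

```python
"""Summarize why a Pod is not Ready from its API object.
Added example (not kubectl-status code); the sample Pods are constructed."""
import json

# Order in which the kubelet moves a Pod through its conditions.
CONDITION_ORDER = ["PodScheduled", "Initialized", "ContainersReady", "Ready"]

# Constructed sample mimicking `kubectl get pod pull-fail -o json`,
# trimmed to the fields we read.
SAMPLE_POD_JSON = json.dumps({
    "metadata": {"name": "pull-fail", "namespace": "default", "ownerReferences": []},
    "status": {
        "phase": "Pending",
        "qosClass": "Burstable",
        "conditions": [
            {"type": "Initialized", "status": "True"},
            {"type": "Ready", "status": "False", "reason": "ContainersNotReady",
             "message": "containers with unready status: [getting-started]"},
            {"type": "ContainersReady", "status": "False", "reason": "ContainersNotReady",
             "message": "containers with unready status: [getting-started]"},
            {"type": "PodScheduled", "status": "True"},
        ],
        "containerStatuses": [{
            "name": "getting-started",
            "image": "hwchiu/netutils-qq",
            "ready": False,
            "state": {"waiting": {"reason": "ImagePullBackOff",
                                   "message": 'Back-off pulling image "hwchiu/netutils-qq"'}},
        }],
    },
})

# Constructed healthy Pod owned by a ReplicaSet, for contrast.
HEALTHY_POD_JSON = json.dumps({
    "metadata": {"name": "web-abc12", "namespace": "default",
                 "ownerReferences": [{"kind": "ReplicaSet", "name": "web-abc"}]},
    "status": {
        "phase": "Running",
        "conditions": [{"type": t, "status": "True"} for t in CONDITION_ORDER],
        "containerStatuses": [{"name": "web", "ready": True,
                               "state": {"running": {"startedAt": "2020-01-01T00:00:00Z"}}}],
    },
})


def _conditions_by_type(pod):
    return {c["type"]: c for c in pod["status"].get("conditions", [])}


def condition_chain(pod):
    """Render 'PodScheduled -> Initialized -> Not ContainersReady -> Not Ready'."""
    by_type = _conditions_by_type(pod)
    parts = []
    for ctype in CONDITION_ORDER:
        cond = by_type.get(ctype)
        ok = cond is not None and cond.get("status") == "True"
        parts.append(ctype if ok else "Not " + ctype)
    return " -> ".join(parts)


def first_failed_condition(pod):
    """First condition (in kubelet order) that is not True, with its reason; None if Ready."""
    by_type = _conditions_by_type(pod)
    for ctype in CONDITION_ORDER:
        cond = by_type.get(ctype)
        if cond is None or cond.get("status") != "True":
            return ctype, (cond or {}).get("reason")
    return None


def waiting_containers(pod):
    """Map container name -> waiting reason for containers stuck in the Waiting state."""
    out = {}
    for cs in pod["status"].get("containerStatuses", []):
        waiting = cs.get("state", {}).get("waiting")
        if waiting:
            out[cs["name"]] = waiting.get("reason", "Unknown")
    return out


def is_standalone(pod):
    """True when no controller (ReplicaSet, StatefulSet, Job, ...) owns the Pod."""
    return not pod["metadata"].get("ownerReferences")


def summarize(pod_json):
    """Return the same facts kubectl-status prints, as a dict."""
    pod = json.loads(pod_json)
    return {
        "chain": condition_chain(pod),
        "blocked_at": first_failed_condition(pod),
        "waiting": waiting_containers(pod),
        "standalone": is_standalone(pod),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_POD_JSON, HEALTHY_POD_JSON):
        for key, value in summarize(sample).items():
            print(f"{key}: {value}")
        print()
```

To run this against a live cluster, feed it the output of `kubectl get pod <name> -o json` instead of the constructed sample; the `blocked_at` value tells you which phase to investigate (scheduling, init containers, or the main containers), and `waiting` gives the kubelet's reason for each stuck container without having to scroll through the events.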
```
$ kubectl krew install access-matrix
Updated the local copy of plugin index.
Installing plugin: access-matrix
Installed plugin: access-matrix
\
 | Use this plugin:
 | 	kubectl access-matrix
 | Documentation:
 | 	https://github.com/corneliusweig/rakkess
 | Caveats:
 | \
 |  | Usage:
 |  |   kubectl access-matrix
 |  |   kubectl access-matrix for pods
 | /
/
WARNING: You installed plugin "access-matrix" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
```
In addition, options such as `--sa` let you switch to a different service account, so the example below views permissions as different identities. My default user has almost unlimited permissions and can do anything, whereas the system's `kube-system:namespace-controller` can only LIST/DELETE.
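The matrix that access-matrix prints can be reproduced with plain `kubectl auth can-i`, which asks the API server the same question for one verb and one resource at a time; `--as=system:serviceaccount:<ns>:<name>` impersonates a service account the way `--sa` does. The example below is my own code rather than rakkess's. It assumes `kubectl` is on the PATH and points at a cluster, and that your own identity is allowed to impersonate the subject (the `impersonate` verb in RBAC); the `run` parameter lets the same logic be exercised against a constructed policy with no cluster at all.

```python
"""Build a verb x resource access matrix for an identity via `kubectl auth can-i`.
Added example, not rakkess code. Assumes kubectl on PATH and impersonation rights."""
import subprocess

VERBS = ["list", "create", "update", "delete"]
RESOURCES = ["pods", "namespaces", "secrets"]


def can_i(verb, resource, subject=None, run=None):
    """True if `subject` may perform `verb` on `resource` (None = the current user).

    `run(cmd) -> bool` can replace the real kubectl call (used for offline tests).
    """
    cmd = ["kubectl", "auth", "can-i", verb, resource]
    if subject:
        cmd.append("--as=" + subject)  # impersonation, the same idea as access-matrix --sa
    if run is not None:
        return run(cmd)
    # kubectl prints "yes" or "no" on stdout; "no" also exits non-zero, so judge
    # by the text. Empty stdout means the check itself failed (for example,
    # we are not allowed to impersonate), which must not be read as "no".
    proc = subprocess.run(cmd, capture_output=True, text=True)
    answer = proc.stdout.strip()
    if not answer:
        raise RuntimeError(proc.stderr.strip() or "kubectl auth can-i produced no answer")
    return answer.startswith("yes")


def access_matrix(subject=None, verbs=VERBS, resources=RESOURCES, run=None):
    """Map resource -> {verb: allowed} for the given subject."""
    return {r: {v: can_i(v, r, subject, run) for v in verbs} for r in resources}


def render(matrix, verbs=VERBS):
    """Text table in the spirit of access-matrix output."""
    lines = [f"{'RESOURCE':<12}" + "".join(f"{v:>8}" for v in verbs)]
    for resource, row in matrix.items():
        cells = "".join(f"{'yes' if row[v] else 'no':>8}" for v in verbs)
        lines.append(f"{resource:<12}{cells}")
    return "\n".join(lines)


# Constructed offline policy standing in for an API server: a cluster-admin-like
# user and a controller that may only list/delete namespaces. It is an assumption
# for demonstration, not the real RBAC rules of any cluster.
def demo_policy(cmd):
    verb, resource = cmd[3], cmd[4]
    subject = next((a[len("--as="):] for a in cmd if a.startswith("--as=")), None)
    if subject is None:
        return True  # current user: everything allowed
    if subject == "system:serviceaccount:kube-system:namespace-controller":
        return resource == "namespaces" and verb in ("list", "delete")
    return False


if __name__ == "__main__":
    ns_controller = "system:serviceaccount:kube-system:namespace-controller"
    # Swap `run=demo_policy` for `run=None` to query a real cluster.
    print("current user:")
    print(render(access_matrix(run=demo_policy)))
    print(f"\n{ns_controller}:")
    print(render(access_matrix(ns_controller, run=demo_policy)))
```

One reason to keep the error path explicit: `kubectl auth can-i` returns "no" with a non-zero exit status, but a failed impersonation (your identity lacks the `impersonate` verb) returns an error and no answer at all. A script that treats both as "no" would under-report permissions, which is the wrong direction to err in when reviewing RBAC.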
Starboard integrates security tools into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard provides custom security resources definitions and a Go module to work with a range of existing security tools, as well as a kubectl-compatible command-line tool and an Octant plug-in that make security reports available through familiar Kubernetes tools.