LinuxCommandLibrary

popeye

Analyze Kubernetes cluster resources and configurations

TLDR

Scan the current Kubernetes cluster

$ popeye

Scan a specific namespace
$ popeye [[-n|--namespace]] [namespace]

Scan specific Kubernetes context
$ popeye --context [context]

Use a spinach configuration file for scanning
$ popeye [[-f|--file]] [spinach.yaml]

SYNOPSIS

popeye [flags]

PARAMETERS

--all-namespaces
    Scans all namespaces in the cluster.

--clearance-threshold
    Specifies the minimum score considered 'clean'. Defaults to 75.

--config
    Path to the Popeye configuration file. Allows customization of checks.

--context
    The name of the kubeconfig context to use.

--exclude
    Comma-separated list of checks to exclude from the scan.

--include
    Comma-separated list of checks to include in the scan.

--kubeconfig
    Path to the kubeconfig file. Defaults to ~/.kube/config.

--log-level
    Sets the logging level. Allowed values: panic, fatal, error, warn, info, debug, trace (default "info").

--output
    Output format. Supported formats: text (default), yaml, json, junit.

--select-namespaces
    Comma-separated list of namespaces to scan.

--version
    Prints the version information.

DESCRIPTION

Popeye is a command-line utility designed to scan live Kubernetes clusters and report on potential issues. It focuses on identifying misconfigurations and suboptimal resource usage, and on checking adherence to best practices. It uses a series of predefined checks, similar to linters for code, to analyze various Kubernetes resources (Deployments, Services, Pods, etc.). Popeye aims to help users proactively identify and resolve problems before they impact their applications.
The tool provides a scored assessment of the cluster health, highlighting critical, warning, and informational issues. It is designed to be non-intrusive, primarily reading cluster state and not modifying any resources.
Popeye results provide recommendations for improving resource utilization, security, and overall cluster stability. This allows administrators and developers to quickly identify areas needing attention and remediate them.

CAVEATS

Popeye requires sufficient RBAC permissions to read Kubernetes resources. Without adequate permissions, the scan results may be incomplete or inaccurate. Note also that Popeye only *identifies* potential issues; it does not automatically fix them.
Keep Popeye updated to the latest version, and test the checks before pushing to the production environment.

CONFIGURATION

Popeye can be configured using a YAML file. This allows customizing the checks performed, setting thresholds, and excluding specific namespaces or resources.

SECURITY CONSIDERATIONS

It is crucial to run Popeye with appropriate RBAC permissions, following the least privilege principle. Only grant the necessary permissions for the tool to read resources, avoiding write or delete permissions.
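
One way to check the read-only requirement above before a scan, as an added example (not part of Popeye or of this page): the function reads the table printed by `kubectl auth can-i --list` and reports any verb other than get, list or watch. The service account name in the usage comment and both sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the verbs held by the identity Popeye runs as.
# Input (stdin): the table printed by `kubectl auth can-i --list`.
# Output: one "resource: verbs" line per non-read grant; exit status 1 if any.
find_write_verbs() {
  awk '
    NR == 1 && /Verbs/ { next }              # header row
    $0 !~ /\[/ { next }                      # no bracketed columns: not a rule row
    {
      verbs = $0
      sub(/.*\[/, "", verbs)                 # Verbs is the last [...] group
      sub(/\].*$/, "", verbs)
      # Rows for non-resource URLs have an empty Resources column.
      res = ($0 ~ /^[ \t]/) ? "non-resource " $1 : $1
      # Self-review APIs: create is a default rule for authenticated users.
      if (res ~ /^selfsubject/ && verbs == "create") next
      n = split(verbs, v, " "); bad = ""
      for (i = 1; i <= n; i++)
        if (v[i] != "get" && v[i] != "list" && v[i] != "watch")
          bad = bad (bad == "" ? "" : ",") v[i]
      if (bad != "") { print res ": " bad; found = 1 }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample: a read-only scanner identity.
sample_readonly() { cat <<'EOF'
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
pods                                            []                  []               [get list watch]
                                                [/healthz]          []               [get]
EOF
}

# Constructed sample: the same identity with write access it should not have.
sample_overbroad() { cat <<'EOF'
Resources                                       Non-Resource URLs   Resource Names   Verbs
pods                                            []                  []               [get list watch]
secrets                                         []                  []               [get list delete]
deployments.apps                                []                  []               [*]
EOF
}

# Against a real cluster (hypothetical service account "popeye" in namespace "popeye"):
#   kubectl auth can-i --list --as=system:serviceaccount:popeye:popeye | find_write_verbs
sample_overbroad | find_write_verbs || echo "scanner identity is not read-only"
```
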

HISTORY

Popeye was created to address the growing complexity of Kubernetes deployments. As clusters scale and the number of deployed applications increases, identifying misconfigurations becomes more challenging. Popeye helps streamline this process by automating the identification of potential problems. Its development focused on providing a user-friendly, non-invasive tool that can be easily integrated into existing workflows.

SEE ALSO

kubectl(1)
