popeye
Analyze Kubernetes cluster resources and configurations
TLDR
Scan the current Kubernetes cluster
Scan a specific namespace
Scan a specific Kubernetes context
Use a spinach configuration file for scanning
SYNOPSIS
popeye [flags]
PARAMETERS
--all-namespaces
Scans all namespaces in the cluster.
--clearance-threshold
Specifies the minimum score considered 'clean'. Defaults to 75.
--config
Path to the Popeye configuration file. Allows customization of checks.
--context
The name of the kubeconfig context to use.
--exclude
Comma-separated list of checks to exclude from the scan.
--include
Comma-separated list of checks to include in the scan.
--kubeconfig
Path to the kubeconfig file. Defaults to ~/.kube/config.
--log-level
Defines logging level. The allowed values are: panic, fatal, error, warn, info, debug, trace (default "info")
--output
Output format. Supported formats are: text (default), yaml, json, junit
--select-namespaces
Comma-separated list of namespaces to scan.
--version
Prints the version information.
DESCRIPTION
Popeye is a command-line utility designed to scan live Kubernetes clusters and report on potential issues. It focuses on identifying misconfigurations, suboptimal resource usage, and adherence to best practices. It uses a series of predefined checks, similar to linters for code, to analyze various Kubernetes resources (Deployments, Services, Pods, etc.). Popeye aims to help users proactively identify and resolve problems before they impact their applications.
The tool provides a scored assessment of the cluster health, highlighting critical, warning, and informational issues. It is designed to be non-intrusive, primarily reading cluster state and not modifying any resources.
Popeye results provide recommendations for improving resource utilization, security, and overall cluster stability. This allows administrators and developers to quickly identify areas needing attention and remediate them.
CAVEATS
Popeye requires sufficient RBAC permissions to read Kubernetes resources. Without adequate permissions, the scan results may be incomplete or inaccurate. Note also that Popeye only *identifies* potential issues; it does not automatically fix them.
It is also important to keep Popeye updated to the latest version and to test the checks before pushing to the production environment.
CONFIGURATION
Popeye can be configured using a YAML file. This allows customizing the checks performed, setting thresholds, and excluding specific namespaces or resources.
SECURITY CONSIDERATIONS
It is crucial to run Popeye with appropriate RBAC permissions, following the least privilege principle. Only grant the necessary permissions for the tool to read resources, avoiding write or delete permissions.
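One way to check the least-privilege requirement above before a scan, as an added example that is not part of the Popeye project: audit the role bound to the scanner's service account and flag any rule that goes beyond read access. The role name popeye-scanner and the sample rules are constructed; the input is assumed to have the shape printed by kubectl get clusterrole NAME -o json.

```python
import json

# Verbs that only read cluster state; anything else can change it.
READ_VERBS = {"get", "list", "watch"}

# Constructed sample in the shape of `kubectl get clusterrole <name> -o json`.
# The name and rules are illustrative, not taken from Popeye's documentation.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "popeye-scanner"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "services"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "patch"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
  ]
}
""")


def audit_role(role):
    """Return (rule_index, kind, detail) for every rule exceeding read-only."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs") or [])
        # "*" is not a read verb, so a wildcard verb is reported here too.
        extra = sorted(verbs - READ_VERBS)
        if extra:
            findings.append((i, "write-verb", ",".join(extra)))
        # A wildcard resource covers every kind in the group, Secrets included.
        if "*" in (rule.get("resources") or []):
            findings.append((i, "wildcard-resource", "*"))
    return findings


def is_read_only(role):
    """True when no rule grants a verb outside get/list/watch."""
    return not any(kind == "write-verb" for _, kind, _ in audit_role(role))


if __name__ == "__main__":
    for index, kind, detail in audit_role(SAMPLE_ROLE):
        print(f"rule {index}: {kind} ({detail})")
    print("read-only:", is_read_only(SAMPLE_ROLE))
```
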
HISTORY
Popeye was created to address the growing complexity of Kubernetes deployments. As clusters scale and the number of deployed applications increases, identifying misconfigurations becomes more challenging. Popeye helps streamline this process by automating the identification of potential problems. Its development focused on providing a user-friendly, non-invasive tool that can be easily integrated into existing workflows.
SEE ALSO
kubectl(1)