Flattened manifest and kubescore results
Gist clarkezone/aad101d9e485eaced13a869f11ab7d96, last active February 10, 2023 14:25
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: pocketshorten
---
apiVersion: v1
data:
  config.yaml: |
    # redacted
kind: ConfigMap
metadata:
  labels:
    environment: development
  name: staging-cloudflare-pocketshorten-configs-t59t8gk79m
  namespace: pocketshorten
---
apiVersion: v1
data:
  CONFIG: /pocketshorten.json
  LOGLEVEL: debug
  URL: http://pb-service:8080
kind: ConfigMap
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-psconfig-97d62mcgd7
  namespace: pocketshorten
---
apiVersion: v1
data:
  pocketshorten.json: |
    {
      "values": [
        ["key1", "value1", "group", "2006-01-02T15:04:05-0700"],
        ["key2", "value2", "", "2006-01-02T15:04:05-0700"],
        ["key3", "value3", "", "2006-01-02T15:04:05-0700"],
        ["tm", "https://techmeme.com", "sites", "2006-01-02T15:04:05-0700"],
        ["hn", "https://news.ycombinator.com", "sites", "2006-01-02T15:04:05-0700"]
      ]
    }
kind: ConfigMap
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-vipconfig-t6t6b29kf6
  namespace: pocketshorten
---
apiVersion: v1
data:
  cert.pem: |
    # redacted
kind: Secret
metadata:
  labels:
    environment: development
  name: staging-cloudflare-pocketshorten-cert-c7fg2g7hgc
  namespace: pocketshorten
type: Opaque
---
apiVersion: v1
data:
  # redacted
kind: Secret
metadata:
  labels:
    environment: development
  name: staging-cloudflare-pocketshorten-creds-2d79d9d2hb
  namespace: pocketshorten
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-pocketshorten-metrics-service
  namespace: pocketshorten
spec:
  ports:
  - name: metrics
    port: 8095
  selector:
    app: pocketshorten-viper
    environment: development
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-pocketshorten-service
  namespace: pocketshorten
spec:
  ports:
  - port: 8090
  selector:
    app: pocketshorten-viper
    environment: development
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: pocketshorten-tunnel
    environment: development
  name: staging-tunnel-metrics
  namespace: pocketshorten
spec:
  ports:
  - name: tunnelmetrics
    port: 2000
  selector:
    app: pocketshorten-tunnel
    environment: development
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    environment: development
  name: staging-cloudflared-tunnel
  namespace: pocketshorten
spec:
  replicas: 3
  selector:
    matchLabels:
      app: pocketshorten-tunnel
      environment: development
  template:
    metadata:
      labels:
        app: pocketshorten-tunnel
        environment: development
    spec:
      containers:
      - args:
        - tunnel
        - --config
        - /etc/cloudflared/config/config.yaml
        - --metrics
        - 0.0.0.0:2000
        - run
        image: cloudflare/cloudflared:2023.2.1
        livenessProbe:
          failureThreshold: 1
          httpGet:
            path: /ready
            port: 2000
          initialDelaySeconds: 10
          periodSeconds: 10
        name: cloudflared
        ports:
        - containerPort: 2000
          name: tunnel-port
        volumeMounts:
        - mountPath: /etc/cloudflared/config
          name: tunnel-config
          readOnly: true
        - mountPath: /etc/cloudflared
          name: tunnel-cert-volume
          readOnly: true
        - mountPath: /etc/cloudflared/creds
          name: tunnel-creds-volume
          readOnly: true
      volumes:
      - name: tunnel-cert-volume
        secret:
          secretName: staging-cloudflare-pocketshorten-cert-c7fg2g7hgc
      - name: tunnel-creds-volume
        secret:
          secretName: staging-cloudflare-pocketshorten-creds-2d79d9d2hb
      - configMap:
          name: staging-cloudflare-pocketshorten-configs-t59t8gk79m
        name: tunnel-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: pocketshorten-viper
    environment: development
  name: staging-pocketshorten-viper
  namespace: pocketshorten
spec:
  replicas: 3
  selector:
    matchLabels:
      app: pocketshorten-viper
      environment: development
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: pocketshorten-viper
        environment: development
    spec:
      containers:
      - args:
        - servefrontend
        - --config=/pocketshorten.json
        env:
        - name: LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: LOGLEVEL
              name: staging-psconfig-97d62mcgd7
        - name: CONFIG
          valueFrom:
            configMapKeyRef:
              key: CONFIG
              name: staging-psconfig-97d62mcgd7
        image: registry.hub.docker.com/clarkezone/pocketshorten:0.0.3
        imagePullPolicy: Always
        name: pocketshorten-viper
        ports:
        - containerPort: 8090
        - containerPort: 8095
        volumeMounts:
        - mountPath: /pocketshorten.json
          name: vipconf
          subPath: pocketshorten.json
      volumes:
      - configMap:
          name: staging-vipconfig-t6t6b29kf6
        name: vipconf
kubectl kustomize k8s/layered_viper/overlay/staging > /tmp/pocketshorten_layered_staging_merged.yaml
kubectl score /tmp/pocketshorten_layered_staging_merged.yaml

apps/v1/Deployment staging-cloudflared-tunnel in pocketshorten 💥
    [CRITICAL] Container Resources
        · cloudflared -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · cloudflared -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · cloudflared -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run
            without crashing. Set resources.requests.cpu
        · cloudflared -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run
            without crashing. Set resources.requests.memory
    [CRITICAL] Container Image Pull Policy
        · cloudflared -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the
            imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · cloudflared -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · cloudflared -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this
            pod. Note, this feature needs to be supported by the CNI implementation used in the
            Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It's also used
            during rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context User Group ID
        · cloudflared -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It's recommended to define a PodDisruptionBudget to avoid unexpected downtime during
            Kubernetes maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It's recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes
            unavailable.
apps/v1/Deployment staging-pocketshorten-viper in pocketshorten 💥
    [CRITICAL] Container Resources
        · pocketshorten-viper -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · pocketshorten-viper -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · pocketshorten-viper -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run
            without crashing. Set resources.requests.cpu
        · pocketshorten-viper -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run
            without crashing. Set resources.requests.memory
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · pocketshorten-viper -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
    [CRITICAL] Container Security Context ReadOnlyRootFilesystem
        · pocketshorten-viper -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this
            pod. Note, this feature needs to be supported by the CNI implementation used in the
            Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It's also used
            during rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context User Group ID
        · pocketshorten-viper -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It's recommended to define a PodDisruptionBudget to avoid unexpected downtime during
            Kubernetes maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It's recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes
            unavailable.
v1/Service staging-pocketshorten-metrics-service in pocketshorten ✅
v1/Service staging-pocketshorten-service in pocketshorten ✅
v1/Service staging-tunnel-metrics in pocketshorten ✅