check-gke-ingress

command
v1.27.3
Published: Jan 18, 2024 License: Apache-2.0 Imports: 1 Imported by: 0

README

Overview

check-gke-ingress is a CLI that inspects the Ingress resources of a GKE cluster for common misconfigurations and reports the result of each check.

Build and install

Install with makefile

Before this, you will need Docker installed and the Docker daemon started. You will also need to know your machine architecture: run uname -m and map the result to the corresponding GOARCH value (for example x86_64 is amd64, and aarch64 or arm64 is arm64).

For linux machine:

make build CONTAINER_BINARIES="check-gke-ingress" ARCH=<your-arch>
sudo chmod +x bin/<your-arch>/check-gke-ingress
sudo mv bin/<your-arch>/check-gke-ingress /usr/local/bin

For macOS:

sudo make build OS="darwin" CONTAINER_BINARIES="check-gke-ingress" ARCH=<your-arch>
sudo chmod +x .go/bin/darwin_<your-arch>/check-gke-ingress
sudo mv .go/bin/darwin_<your-arch>/check-gke-ingress /usr/local/bin
Install with go build

Before this, you will need to have Go installed.

cd cmd/check-gke-ingress
go build
sudo chmod +x check-gke-ingress
sudo mv check-gke-ingress /usr/local/bin

Usage

Prerequisites

Before running the binary, make sure gcloud is authenticated and your kubeconfig points at the cluster you want to inspect:

gcloud auth application-default login
gcloud container clusters get-credentials name-of-your-cluster
Check all ingress

You can run the command after installation

check-gke-ingress

By default, check-gke-ingress inspects every ingress in the GKE cluster selected by the current kubectl context. It prints all check results as JSON, like this:

{
  "resources": [
    {
      "kind": "Ingress",
      "namespace": "default",
      "name": "ingress-1",
      "checks": [
        {
          "name": "IngressRuleCheck",
          "message": "IngressRule has no field `http`",
          "result": "FAILED"
        },
        {
          "name": "L7ILBFrontendConfigCheck",
          "message": "Ingress default/ingress-1 is not for L7 internal load balancing",
          "result": "SKIPPED"
        },
        {
          "name": "ServiceExistenceCheck",
          "message": "Service default/svc-1 found",
          "result": "PASSED"
        }
      ]
    },
    {
      "kind": "Ingress",
      "namespace": "test",
      "name": "internal-ingress",
      "checks": [
        {
          "name": "IngressRuleCheck",
          "message": "IngressRule has field `http`",
          "result": "PASSED"
        },
        {
          "name": "L7ILBFrontendConfigCheck",
          "message": "Ingress test/internal-ingress for L7 internal load balancing has a frontendConfig annotation, frontendConfig can only be used with external ingresses",
          "result": "FAILED"
        }
      ]
    }
  ]
}

resources is the list of resources inspected by the tool; only Ingress is supported.
kind is the kind of the Kubernetes resource being inspected.
namespace is the namespace of the Kubernetes resource being inspected.
name is the name of the Kubernetes resource being inspected.
checks is the list of checks run on the resource. Each check has a name, a message explaining the outcome, and a result that is one of PASSED, FAILED or SKIPPED (SKIPPED means the check does not apply to that resource, for example the L7 ILB check on an external ingress).
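The JSON above is easy to consume from a pipeline. As an added example, not part of check-gke-ingress itself, the program below parses that output shape, lists every FAILED check with the resource it belongs to, and exits non-zero if any check failed, which is what you want when gating a deployment on the tool. The embedded sample report is constructed for the example (it is the README output above, with the backticks dropped from the messages); the program name and the "-" argument for reading stdin are this example's own conventions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// Check mirrors one element of the "checks" array in check-gke-ingress output.
type Check struct {
	Name    string `json:"name"`
	Message string `json:"message"`
	Result  string `json:"result"`
}

// Resource mirrors one element of the "resources" array.
type Resource struct {
	Kind      string  `json:"kind"`
	Namespace string  `json:"namespace"`
	Name      string  `json:"name"`
	Checks    []Check `json:"checks"`
}

// Report is the top-level JSON object the tool prints.
type Report struct {
	Resources []Resource `json:"resources"`
}

// Failure is one FAILED check together with the resource it ran against.
type Failure struct {
	Resource string // "<namespace>/<name>"
	Check    string
	Message  string
}

// Summary tallies results and records every failure.
type Summary struct {
	Passed, Failed, Skipped int
	Failures                []Failure
}

// Summarize parses check-gke-ingress JSON output and tallies the check results.
// An unknown "result" value is reported as an error rather than ignored, so a
// changed output format cannot make a CI gate pass by accident.
func Summarize(data []byte) (Summary, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return Summary{}, fmt.Errorf("parse check-gke-ingress output: %w", err)
	}
	var s Summary
	for _, res := range r.Resources {
		ref := res.Namespace + "/" + res.Name
		for _, c := range res.Checks {
			switch c.Result {
			case "PASSED":
				s.Passed++
			case "FAILED":
				s.Failed++
				s.Failures = append(s.Failures, Failure{Resource: ref, Check: c.Name, Message: c.Message})
			case "SKIPPED":
				s.Skipped++
			default:
				return Summary{}, fmt.Errorf("%s: check %s has unknown result %q", ref, c.Name, c.Result)
			}
		}
	}
	return s, nil
}

// sampleOutput is constructed for this example: the README's sample report.
const sampleOutput = `{
  "resources": [
    {"kind": "Ingress", "namespace": "default", "name": "ingress-1", "checks": [
      {"name": "IngressRuleCheck", "message": "IngressRule has no field http", "result": "FAILED"},
      {"name": "L7ILBFrontendConfigCheck", "message": "Ingress default/ingress-1 is not for L7 internal load balancing", "result": "SKIPPED"},
      {"name": "ServiceExistenceCheck", "message": "Service default/svc-1 found", "result": "PASSED"}
    ]},
    {"kind": "Ingress", "namespace": "test", "name": "internal-ingress", "checks": [
      {"name": "IngressRuleCheck", "message": "IngressRule has field http", "result": "PASSED"},
      {"name": "L7ILBFrontendConfigCheck", "message": "frontendConfig can only be used with external ingresses", "result": "FAILED"}
    ]}
  ]
}`

// main summarizes stdin when run as "check-gke-ingress | <program> -", otherwise
// the embedded sample. Exit status 1 means at least one check failed.
func main() {
	data := []byte(sampleOutput)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, "read stdin:", err)
			os.Exit(2)
		}
		data = b
	}
	s, err := Summarize(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range s.Failures {
		fmt.Printf("FAILED %s %s: %s\n", f.Resource, f.Check, f.Message)
	}
	fmt.Printf("passed=%d failed=%d skipped=%d\n", s.Passed, s.Failed, s.Skipped)
	if s.Failed > 0 {
		os.Exit(1)
	}
}
```

Parse errors and unknown result values exit with status 2 so they are distinguishable from a genuine failed check in the pipeline.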

Check a specific ingress

To inspect a specific ingress, you can add the ingress name you want to check as an argument and specify the namespace of that ingress:

check-gke-ingress <your-ingress-name> --namespace <your-namespace>

The output has the same format as when checking all ingresses, with only that ingress listed under resources.

Flags
-k, --kubeconfig string         kubeconfig file to use for Kubernetes config
-c, --context string            context to use for Kubernetes config
-n, --namespace string          namespace of the ingress to inspect

Development

Add new check rules

There are four kinds of check functions defined: ingressCheckFunc, serviceCheckFunc, backendConfigCheckFunc and frontendConfigCheckFunc. To add a new rule for one of those resources, write a check function matching the function type defined in rule.go, and append it to the corresponding list of check functions defined in ingress.go.

To add new checks for resources other than ingress, service, backendConfig and frontendConfig, you will need to define new function types and new checker structs:

type fooCheckFunc func(c *FooChecker) (string, string, string)

type FooChecker struct {
	// client used to look up foo resources
	client client.Interface
	// Namespace of the foo resource
	namespace string
	// Name of the foo resource
	name string
	// Foo resource object to be checked
	foo *foov1.Foo
}

Tests

For each newly added check rule, add an individual rule test in rule_test.go and update the TestCheckAllIngresses test so that it also verifies the result of your new rule.
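As an added example, not the project's own code, here is what the check-function pattern above looks like for an ingress checker, with the two rules whose messages appear in the sample output (IngressRuleCheck and L7ILBFrontendConfigCheck) implemented against a minimal stand-in for the Ingress object so that it runs without the Kubernetes client libraries. The stand-in type, the annotation keys the checks read, and the return order (name, message, result) are assumptions of this example; the real checks in rule.go operate on the networking/v1 Ingress object and may order the returned strings differently.

```go
package main

import "fmt"

// Result strings as they appear in the tool's JSON output.
const (
	Passed  = "PASSED"
	Failed  = "FAILED"
	Skipped = "SKIPPED"
)

// Annotation keys consulted by the checks. These are the GKE annotations for the
// ingress class and for attaching a FrontendConfig; that the project's own checks
// read exactly these keys is an assumption of this example.
const (
	ingressClassAnnotation   = "kubernetes.io/ingress.class"
	internalIngressClass     = "gce-internal"
	frontendConfigAnnotation = "networking.gke.io/v1beta1.FrontendConfig"
)

// Ingress is a minimal stand-in for a networking/v1 Ingress carrying only the
// fields these checks read; the real checker holds the API object.
type Ingress struct {
	Namespace   string
	Name        string
	Annotations map[string]string
	Rules       []IngressRule
}

// IngressRule mirrors spec.rules[]; HTTP is nil when the rule has no http block.
type IngressRule struct {
	Host string
	HTTP *HTTPRule
}

// HTTPRule mirrors spec.rules[].http.
type HTTPRule struct {
	Paths []string
}

// IngressChecker follows the checker-struct pattern from the README.
type IngressChecker struct {
	namespace string
	name      string
	ingress   *Ingress
}

// ingressCheckFunc returns (check name, message, result); the order is this
// example's assumption, the README only fixes the three-string shape.
type ingressCheckFunc func(c *IngressChecker) (string, string, string)

// CheckResult is one entry of the "checks" array in the output.
type CheckResult struct {
	Name    string `json:"name"`
	Message string `json:"message"`
	Result  string `json:"result"`
}

// CheckIngressRule fails when any rule lacks an http block.
func CheckIngressRule(c *IngressChecker) (string, string, string) {
	for _, r := range c.ingress.Rules {
		if r.HTTP == nil {
			return "IngressRuleCheck", "IngressRule has no field `http`", Failed
		}
	}
	return "IngressRuleCheck", "IngressRule has field `http`", Passed
}

// CheckL7ILBFrontendConfig is skipped for external ingresses and fails when an
// internal (L7 ILB) ingress carries a frontendConfig annotation.
func CheckL7ILBFrontendConfig(c *IngressChecker) (string, string, string) {
	const name = "L7ILBFrontendConfigCheck"
	ref := c.namespace + "/" + c.name
	if c.ingress.Annotations[ingressClassAnnotation] != internalIngressClass {
		return name, fmt.Sprintf("Ingress %s is not for L7 internal load balancing", ref), Skipped
	}
	if _, ok := c.ingress.Annotations[frontendConfigAnnotation]; ok {
		return name, fmt.Sprintf("Ingress %s for L7 internal load balancing has a frontendConfig annotation, frontendConfig can only be used with external ingresses", ref), Failed
	}
	return name, fmt.Sprintf("Ingress %s for L7 internal load balancing has no frontendConfig annotation", ref), Passed
}

// ingressChecks is the list a new rule would be appended to.
var ingressChecks = []ingressCheckFunc{CheckIngressRule, CheckL7ILBFrontendConfig}

// RunIngressChecks applies every registered rule to one ingress.
func RunIngressChecks(ing *Ingress) []CheckResult {
	c := &IngressChecker{namespace: ing.Namespace, name: ing.Name, ingress: ing}
	out := make([]CheckResult, 0, len(ingressChecks))
	for _, check := range ingressChecks {
		n, msg, res := check(c)
		out = append(out, CheckResult{Name: n, Message: msg, Result: res})
	}
	return out
}

func main() {
	// Constructed sample: an internal ingress that both lacks an http block and
	// carries a frontendConfig annotation, so both rules fail.
	ing := &Ingress{
		Namespace:   "test",
		Name:        "internal-ingress",
		Annotations: map[string]string{ingressClassAnnotation: internalIngressClass, frontendConfigAnnotation: "my-fe-config"},
		Rules:       []IngressRule{{Host: "internal.example.com"}},
	}
	for _, r := range RunIngressChecks(ing) {
		fmt.Printf("%-26s %-7s %s\n", r.Name, r.Result, r.Message)
	}
}
```

A rule test for such a function is table-driven: one ingress per branch (external, internal without the annotation, internal with it), asserting on the returned result string.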

Documentation


Directories

app
