kube-score vs dumb-init

| | kube-score | dumb-init |
|---|---|---|
| Mentions | 8 | 10 |
| Stars | 2,588 | 6,705 |
| Growth | - | 0.6% |
| Activity | 8.0 | 0.0 |
| Latest commit | 23 days ago | about 1 month ago |
| Language | Go | Python |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kube-score
- GitHub - zegl/kube-score: Kubernetes object analysis with recommendations for improved reliability and security
- What should readiness & liveness probe actually check for?
This is taken from: https://github.com/zegl/kube-score/blob/master/README_PROBES.md and I have read the same opinions elsewhere.
- How do you take care of your manifests?
A developer's workflow should in any case deploy to a real, or close-to-production, Kubernetes cluster before opening a merge request with the finished change. That means the developer definitely sees up front if the manifest is super wrong. Tools like kube-score (which is quite opinionated), kubeval or OPA rules can additionally help keep things consistent and secure. For such a developer workflow, I recommend Skaffold since it mostly just wraps Docker, kubectl and the templating tool you're using (e.g. kustomize/helm).
- Kube-Score v1.14
- kube-score v1.14 – Kubernetes object analysis with recommendations for improved reliability and security
- Securing Kubernetes Deployments
```
apps/v1/Deployment semaphore-demo-ruby-kubernetes 💥
    [CRITICAL] Container Resources
        · semaphore-demo-ruby-kubernetes -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · semaphore-demo-ruby-kubernetes -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · semaphore-demo-ruby-kubernetes -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.cpu
        · semaphore-demo-ruby-kubernetes -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing. Set resources.requests.memory
    [CRITICAL] Container Image Pull Policy
        · semaphore-demo-ruby-kubernetes -> ImagePullPolicy is not set to Always
            It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching NetworkPolicy
            Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod. Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster to have an effect.
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic. Without it, the Pod is risking to receive traffic before it has booted. It's also used during rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · semaphore-demo-ruby-kubernetes -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
v1/Service semaphore-demo-ruby-kubernetes-lb ✅
```
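To make concrete which manifest fields the five findings above are asking for, here is an added example (not kube-score's own code) that re-implements those checks in Python and runs them over two constructed Deployments: a bare one that reproduces the output above, and a hardened copy with resources, imagePullPolicy, a readinessProbe, a securityContext and a matching NetworkPolicy. The image name, probe path, resource values and policy name are illustrative; the securityContext and NetworkPolicy checks are simplified to exactly what the messages state (presence of a context, and a same-namespace policy whose podSelector matches the pod template labels).

```python
"""Added example: kube-score's five flagged checks re-implemented over constructed
manifests.  Not kube-score's source; object shapes follow the Kubernetes API."""
import copy


def _get(obj, *path, default=None):
    """Walk nested dicts safely; a missing key yields `default`."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def selector_matches(selector, labels):
    """matchLabels semantics: every selector label must be present with the same
    value.  An empty podSelector selects every pod in the policy's namespace."""
    wanted = _get(selector, "matchLabels", default={})
    return all(labels.get(k) == v for k, v in wanted.items())


def score_deployment(deployment, network_policies):
    """Return kube-score style findings for one Deployment (empty list = clean)."""
    findings = []
    ns = deployment["metadata"].get("namespace", "default")
    tmpl = deployment["spec"]["template"]
    for c in tmpl["spec"]["containers"]:
        for section, word in (("limits", "limit"), ("requests", "request")):
            for res, label in (("cpu", "CPU"), ("memory", "Memory")):
                if _get(c, "resources", section, res) is None:
                    findings.append(f"Container Resources: {c['name']} -> {label} {word} is not set")
        if c.get("imagePullPolicy") != "Always":
            findings.append(f"Container Image Pull Policy: {c['name']} -> ImagePullPolicy is not set to Always")
        if "readinessProbe" not in c:
            findings.append(f"Pod Probes: {c['name']} -> Container is missing a readinessProbe")
        if not c.get("securityContext"):
            findings.append(f"Container Security Context: {c['name']} -> Container has no configured security context")
    pod_labels = _get(tmpl, "metadata", "labels", default={})
    if not any(np["metadata"].get("namespace", "default") == ns
               and selector_matches(np["spec"].get("podSelector"), pod_labels)
               for np in network_policies):
        findings.append("Pod NetworkPolicy: The pod does not have a matching NetworkPolicy")
    return findings


# Constructed manifest reproducing the output above: one container, nothing set.
BARE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "semaphore-demo-ruby-kubernetes", "namespace": "default"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "semaphore-demo-ruby-kubernetes"}},
        "spec": {"containers": [
            {"name": "semaphore-demo-ruby-kubernetes", "image": "registry.example/demo:1.0"},
        ]},
    }},
}

# Same Deployment with every flagged field supplied (values are illustrative).
HARDENED = copy.deepcopy(BARE)
HARDENED["spec"]["template"]["spec"]["containers"][0].update({
    "imagePullPolicy": "Always",
    "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                  "limits": {"cpu": "500m", "memory": "256Mi"}},
    "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}, "periodSeconds": 5},
    "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]}},
})

# A NetworkPolicy whose podSelector matches the pod template labels above.
NETPOL = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "demo-ingress", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "semaphore-demo-ruby-kubernetes"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                          "ports": [{"port": 8080}]}]},
}

if __name__ == "__main__":
    for title, dep, policies in (("bare", BARE, []), ("hardened", HARDENED, [NETPOL])):
        result = score_deployment(dep, policies)
        print(f"{title}: {len(result)} finding(s)")
        for line in result:
            print("  ", line)
```

The bare manifest yields eight findings (four resource fields, pull policy, probe, security context, network policy); the hardened one yields none only when the NetworkPolicy is also present and in the same namespace, which is the easy one to forget because it lives in a different object than the Deployment.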
- Top 20 useful k8s tools
Link : https://github.com/zegl/kube-score
dumb-init
- Fargate: catching docker stopping
I think you are on the right track in thinking it’s a signal handling issue. You mentioned using some “bash scripts”, have you tried something like dumb-init?
- "systemd doesn't follow Unix philosophy"
At the other extreme, there's dumb-init - it implements the special pid-1 behaviors and acts as a wrapper around the one script you want to run. It's ideal for containers or virtual machines that don't need user logins or more than one service.
- What should readiness & liveness probe actually check for?
Oh, and another thing. Many containers launch their main process from a shell script. When this happens, the shell script receives the SIGTERM event, not the application. Your shell script MUST relay SIGTERM events back to the main process, and it doesn’t happen by default. You can use a shell script wrapper, like dumb-init (https://github.com/yelp/dumb-init), as your entry point if you need to use a shell script on container startup.
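As an added illustration of the behaviour the comment above describes (not dumb-init's own code, which is a C program with more options than shown here), the following Python script does the minimum a PID 1 wrapper must do: start one child, relay every catchable termination signal to it, reap zombies reparented to it, and exit with the child's status (128 plus the signal number if a signal killed it). Signals are blocked across the fork so one arriving before the handlers are installed is not lost. The script name `mini_init.py` and the usage text are assumptions.

```python
"""Added example: a minimal init in the spirit of dumb-init.  Not dumb-init's code."""
import os
import signal
import sys

# Signals a container runtime or orchestrator is likely to send, all relayed to the child.
FORWARDED = (signal.SIGTERM, signal.SIGINT, signal.SIGHUP, signal.SIGQUIT,
             signal.SIGUSR1, signal.SIGUSR2)


def run_init(argv):
    """Run argv as the single child and return the status an init should report:
    the child's exit code, or 128 + signal number if a signal terminated it."""
    # Block the forwarded signals so none can hit this process between fork()
    # and installing the handlers below; the child unblocks them before exec.
    signal.pthread_sigmask(signal.SIG_BLOCK, FORWARDED)
    child = os.fork()
    if child == 0:
        # Child: default dispositions, clean mask, then become the payload.
        for sig in FORWARDED:
            signal.signal(sig, signal.SIG_DFL)
        signal.pthread_sigmask(signal.SIG_UNBLOCK, FORWARDED)
        try:
            os.execvp(argv[0], argv)
        except OSError as exc:
            print(f"exec {argv[0]} failed: {exc}", file=sys.stderr)
            os._exit(127)

    def forward(signum, _frame):
        # This is the step a plain shell-script entrypoint skips: without it the
        # real process never sees SIGTERM and is SIGKILLed at the grace period.
        try:
            os.kill(child, signum)
        except ProcessLookupError:
            pass  # child already gone; waitpid below collects its status

    for sig in FORWARDED:
        signal.signal(sig, forward)
    signal.pthread_sigmask(signal.SIG_UNBLOCK, FORWARDED)

    while True:
        # PID 1 is the parent of every orphan in its PID namespace, so wait on
        # any child (-1): reparented zombies get reaped instead of accumulating.
        pid, status = os.waitpid(-1, 0)
        if pid != child:
            continue
        if os.WIFSIGNALED(status):
            return 128 + os.WTERMSIG(status)
        return os.WEXITSTATUS(status)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: mini_init.py COMMAND [ARGS...]")
    sys.exit(run_init(sys.argv[1:]))
```

Run it as `python3 mini_init.py sleep 30` and send the wrapper SIGTERM: `sleep` terminates at once and the wrapper exits 143, which is what Kubernetes would see instead of waiting out `terminationGracePeriodSeconds` and sending SIGKILL. A real deployment should still prefer dumb-init or tini (or `docker run --init`) over a hand-rolled wrapper; the point here is only to show what "relay SIGTERM" has to mean.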
- Distro balls
It's a plus because Gentoo fully supports the choice of Systemd or OpenRC. It also has minit, dumb-init, sysvinit, cinit in tree for the more adventurous. No one was calling the AUR bloat, the parent comment just mentions that Gentoo has an equivalent project, GURU.
- How to make containers handle the SIGTERM signal which makes K8s terminate application gracefully?
- Show HN: EnvKey 2.0 – End-To-End Encrypted Environments (now open source)
- `COPY --chmod` reduced the size of my container image by 35%
, but I prefer to not have to make this assumption and use an init system instead.
[1]: https://github.com/Yelp/dumb-init
- Systemd by Example
> It has no init system.
Apologies that I can't link directly to the "--init" flag but docker actually does have an init, it's just (err, was?) compiled into the binary: https://docs.docker.com/engine/reference/commandline/run/#op...
My recollection is that it either adopted, or inspired, https://github.com/Yelp/dumb-init#readme which folks used to put into their Dockerfile as the init system back in the day
Folks (ahem, I'm looking at you, eks-anywhere[0]) who bundle systemd into a docker container are gravely misguided, and the ones which do so for the ability to launch sshd alongside the actual container's main process are truly, truly lost
0: https://github.com/aws/eks-anywhere/issues/838#issuecomment-...
- Question: How to handle events to safely terminate a Node.js inside Docker container
You can use something like dumb-init, which is designed to correctly handle signals.
- Docker and Node.js - Dockerizing your application with good practices
What are some alternatives?
polaris - Validation of best practices in your Kubernetes clusters
tini - A tiny but valid `init` for containers
popeye - 👀 A Kubernetes cluster resource sanitizer
docker-centos7-systemd-unpriv - Dockerfile for CentOS7 with Systemd in unprivileged mode
kubeconform - A FAST Kubernetes manifests validator, with support for Custom Resources!
eks-anywhere - Run Amazon EKS on your own infrastructure 🚀
datree - Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
systemd - The systemd System and Service Manager
kubeval - Validate your Kubernetes configuration files, supports multiple Kubernetes versions
compiling-containers
polaris - Shopify’s design system to help us work together to build a great experience for all of our merchants.
ko - Build and deploy Go applications