kubernetes / kops

Kubernetes Operations (kOps) - Production Grade k8s Installation, Upgrades and Management
https://kops.sigs.k8s.io/
Apache License 2.0

New Command Proposal - kops audit #1743

Closed krisnova closed 7 years ago

krisnova commented 7 years ago

Proposal for a new kops cobra command

kops audit

Which would essentially allow us to run some sort of validation against some resource. Use cases I can think of

1. kops audit account

This would essentially audit an account (say an AWS account for instance) and validate that the account appears set up correctly and ready to use with kops. This could be used as a pre-emptive check for a new AWS account, and could provide valuable feedback for users trying to set up their account for the first time.

2. kops audit limits

(This might be a subcomponent of 1)

This would start to use the (debatably helpful) DescribeAccountAttributes endpoint and do some algebra behind the scenes to see what kops can and can't create in an account based on limits. This would be useful to users who are creating/destroying clusters in the same account often and need a way to measure how full their accounts are (measured in terms of kops clusters).

EG: You have N instances available, and that would yield X clusters at Z size

3. kops audit cluster

We could port toolbox dump into kops audit cluster. This would essentially do the exact same thing, but follow a more natural hierarchy.

Note that the actual implementation here is up for discussion, and we don't have to create a new command. We might even consider renaming audit to something a tad more appropriate.. say kops describe * for instance..

Thoughts:

1. We could have levels of output

  1. Okay
  2. Warning
  3. Critical
  4. Failure

Where each level could be formatted accordingly.. and we could display information based on the level of severity

2. We can suggest best practices

In the terms of versioning the state store like https://github.com/kubernetes/kops/issues/1123 we could offer a warning, or a critical report on things like this that will discourage bad practices.

3. Output

This feels analogous to a GET workflow.. so we should probably support spitting out data in a friendly format. EG: -oyaml
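The limits "algebra" and the severity levels from the proposal above, sketched as an added example (not code from kops or from this thread). It assumes each maximum was read from DescribeAccountAttributes, that current usage and the per-cluster cost are supplied by the caller, and that the thresholds are hypothetical; the sample numbers are constructed.

```go
package main

import "fmt"

// Level: the four output levels listed in the proposal.
type Level string

const (
	Okay     Level = "Okay"
	Warning  Level = "Warning"
	Critical Level = "Critical"
	Failure  Level = "Failure"
)

// Limit: Max would come from DescribeAccountAttributes; Used and PerCluster
// are assumed inputs supplied by the caller.
type Limit struct {
	Name                  string
	Max, Used, PerCluster int
}

// AuditLimits returns a level per limit and how many more clusters fit overall.
// Hypothetical thresholds: 0 fit Failure, 1 Critical, fewer than want Warning.
func AuditLimits(limits []Limit, want int) (map[string]Level, int) {
	levels, fit := map[string]Level{}, -1 // fit -1: nothing constrained
	for _, l := range limits {
		if l.PerCluster <= 0 {
			continue // a cluster does not consume this resource
		}
		n := (l.Max - l.Used) / l.PerCluster
		switch {
		case n <= 0: // at or over the limit
			n, levels[l.Name] = 0, Failure
		case n == 1:
			levels[l.Name] = Critical
		case n < want:
			levels[l.Name] = Warning
		default:
			levels[l.Name] = Okay
		}
		if fit < 0 || n < fit {
			fit = n
		}
	}
	return levels, fit
}

func main() { // constructed sample: 20 instances max, 11 used, 4 per cluster
	fmt.Println(AuditLimits([]Limit{{"max-instances", 20, 11, 4}, {"vpc-max-elastic-ips", 5, 4, 1}}, 3))
}
```

The overall figure is the minimum across limits, so the tightest limit decides how many clusters of the chosen size still fit.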

yissachar commented 7 years ago

It seems confusing to have both kops audit and kops validate; they sound like they do similar things.

What would be the difference between the output of kops audit cluster and kops validate cluster?

Note that I already find kops validate to be confusingly named. I had no idea what it did until I ran it, and it just dumped my cluster status. kops describe would seem to be a better name for that command. I'm not sure if it's too late to rename or not...

chrislovecnm commented 7 years ago

@yissachar run kops toolbox dump :) <- it gives you what is running

kops validate cluster <- it gives you that k8s is running

yissachar commented 7 years ago

@kris-nova @chrislovecnm @justinsb I think the conclusion from the call was that we would either:

  1. Leave kops validate as-is and potentially have it take over the audit commands when they are added, e.g. kops validate account.
  2. Come up with an alternate name for kops validate before 1.5 drops (tall order!).

Is this correct?

chrislovecnm commented 7 years ago

  1. I think is out of scope ... kops validate cluster will stay as is :)

r351574nc3 commented 7 years ago

@kris-nova I should have known you would be responsible for cobra.Command-er