kubevious / cli

Kubevious CLI - Prevent Kubernetes disasters at the early stages
https://kubevious.io
Apache License 2.0
51 stars 5 forks source link
k8s kubernetes

Release Issues Slack Twitter Codefresh build status License

Kubevious CLI

Kubevious CLI is an app-centric assurance and validation tool for Kubernetes. It helps modern teams rapidly release cloud-native applications without disasters, costly outages, and compliance violations by validating changes before they even reach the clusters. Kubevious CLI detects and prevents errors(typos, misconfigurations, conflicts, inconsistencies) and violations of best practices. Our secret sauce is based on the ability to validate across multiple manifests, regardless if they are already in the K8s clusters or are yet to be applied. Kubevious CLI can be used as a standalone tool during the active development of YAML manifests and can also be easily integrated into GitOps processes and CI/CD pipelines to validate changes toward live Kubernetes clusters. Kubevious CLI was created based on the experience and the lessons learned from the Kubevious Dashboard project and uses the evolution of its rules framework.

Kubevious CLI Video

✨ Key Capabilities

πŸ”˜ Best Practices Validation

πŸ”˜ Manifest Validation

πŸ”˜ CRDs and Custom Resources

πŸ”˜ Validation Sources

Kubevous CLI validates manifests from a variety of sources:

πŸ“₯ Installation

πŸ‘‡ Option 1: (NPM Package)

If you have Node.js v14 or higher:

$ npm install -g kubevious
$ kubevious guard samples/

πŸ‘‡ Option 2: (Homebrew)

$ brew install kubevious
$ kubevious guard samples/

πŸ‘‡ Option 3: (Precompiled Binaries)

All-in-one executables for Linux, Alpine, Mac OS, and Windows, including x64 and arm64 architectures. Download from the GitHub Releases or install using:

curl https://get.kubevious.io/cli.sh | bash

The script above would download the binary to /usr/local/bin/

Some environments have the /usr/local/bin/ path owned by root, so it may require running like this:

curl https://get.kubevious.io/cli.sh -o install-kubevious.sh && chmod +x install-kubevious.sh && sudo ./install-kubevious.sh && rm install-kubevious.sh

πŸ‘‡ Option 4: (In a Docker container)

Run in a container:

$ docker run --rm kubevious/cli --help

Validate the entire manifests directory:

$ docker run --rm -v ${PWD}/samples:/src kubevious/cli guard /src

Validate manifests from pipe stream:

$ cat manifests.yaml | docker run --rm -i kubevious/cli guard --stream

πŸ‘‡ Option 5: (CI/CD Integration)

Kubevious CLI Integrates with modern CI/CD platforms. Learn more here.

πŸƒ Usage and Use Cases

Try it yourself:

$ git clone https://github.com/kubevious/cli.git kubevious-cli.git
$ cd kubevious-cli.git/samples

πŸ’‚ Guard - Comprehensive Cross-Manifest Semantical Validation

The guard command performs linting of YAML syntax & API correctness and checks for violations of best-practices rules.

πŸ”˜ Validate single K8s manifest

Will complain about not being able to find the corresponding application matching the label selector:

$ kubevious guard pepsi/service.yaml

πŸ“œ [ClusterRule] service-selector-ref
   🌐 WEB: https://raw.githubusercontent.com/kubevious/rules-library/master/k8s/service/service-selector-ref.yaml
   ❌ Rule failed
   Violations:
      ❌ Namespace: pepsi, API: v1, Kind: Service, Name: emailservice
         πŸ“„ FILE: pepsi/service.yaml
         πŸ”΄ Could not find Applications for Service

πŸ”˜ Validate multiple K8s manifests

Passing the Deployment along with the Service would help the validation pass:

$ kubevious guard pepsi/service.yaml pepsi/deployment.yaml

πŸ“œ [ClusterRule] service-selector-ref
   🌐 WEB: https://raw.githubusercontent.com/kubevious/rules-library/master/k8s/service/service-selector-ref.yaml
   βœ… Rule passed
   Passed:
      βœ… Namespace: pepsi, API: v1, Kind: Service, Name: emailservice
         πŸ“„ FILE: pepsi/service.yaml

πŸ”˜ Validate manifests toward live K8s cluster

Alternatively, if the dependent Deployment is already present in the K8s cluster, the Service can be validated against the live K8s cluster:

$ kubevious guard pepsi/service.yaml --live-k8s

πŸ“œ [ClusterRule] service-selector-ref
   🌐 WEB: https://raw.githubusercontent.com/kubevious/rules-library/master/k8s/service/service-selector-ref.yaml
   βœ… Rule passed
   Passed:
      βœ… Namespace: pepsi, API: v1, Kind: Service, Name: emailservice
         πŸ“„ FILE: pepsi/service.yaml

Although changing pod labels in pepsi/deployment.yaml would break the Service label selector, even though the correct Deployment is already in the K8s cluster:

spec:
  selector:
    matchLabels:
      app: emailserviceX      # label is inconsistent with Service label selector
  template:
    metadata:
      labels:
        app: emailserviceX    # label is inconsistent with Service label selector
$ kubevious guard pepsi/service.yaml pepsi/deployment.yaml --live-k8s

πŸ“œ [ClusterRule] service-selector-ref
   🌐 WEB: https://raw.githubusercontent.com/kubevious/rules-library/master/k8s/service/service-selector-ref.yaml
   ❌ Rule failed
   Violations:
      ❌ Namespace: pepsi, API: v1, Kind: Service, Name: emailservice
         πŸ“„ FILE: pepsi/service.yaml
         πŸ”΄ Could not find Applications for Service

βœ… Lint - Validation of YAML syntax, K8s schema, and CRD/CR

The guard command performs linting underneath, so the guard users don't need to run lint separately.

πŸ”˜ Checking for API correctness:

$ kubevious lint invalid-service-1.yaml
ℹ️  Linting against Kubernetes Version: 1.25.2

❌ πŸ“„ FILE: invalid-service-1.yaml
   ❌ API: v1, Kind: Service, Name: db
      ❌ Required property "port" missing under "/spec/ports/0"

πŸ”˜ Linting against particular K8s version

$ kubevious lint hpa.yaml --k8s-version 1.21
ℹ️  Linting against Kubernetes Version: 1.21.14

❌ πŸ“„ FILE: hpa.yaml
   ❌ Namespace: ordering, API: autoscaling/v2, Kind: HorizontalPodAutoscaler, Name: orderservice
      πŸ”΄ Unknown API Resource. apiVersion: autoscaling/v2, kind: HorizontalPodAutoscaler.
$ kubevious lint hpa.yaml --k8s-version 1.23
ℹ️  Linting against Kubernetes Version: 1.23.12

βœ… πŸ“„ FILE: hpa.yaml
   βœ… Namespace: ordering, API: autoscaling/v2, Kind: HorizontalPodAutoscaler, Name: orderservice

πŸ”˜ Ignoring unknown resources

$ kubevious lint istio-gateway.yaml --ignore-unknown

⚠️  πŸ“„ FILE: istio-gateway.yaml
   ⚠️  Namespace: hipster, API: networking.istio.io/v1alpha3, Kind: Gateway, Name: frontend-gateway
      ⚠️  Unknown API Resource. apiVersion: networking.istio.io/v1alpha3, kind: Gateway.

βœ… Lint Succeeded.

πŸ”˜ Validate Against Live K8s Cluster with CRDs

$ kubevious lint istio-gateway.yaml --live-k8s
ℹ️  Linting against Kubernetes Version: v1.24.0

βœ… πŸ“„ FILE: data/istio-gateway.yaml
   βœ… Namespace: hipster, API: networking.istio.io/v1alpha3, Kind: Gateway, Name: frontend-gateway

πŸ”˜ Validate Custom Resource and Corresponding CRD

$ kubevious lint cr-good.yaml crd.yaml
ℹ️  Linting against Kubernetes Version: 1.25.2

βœ… πŸ“„ FILE: cr-good.yaml
   βœ… Namespace: coke, API: example.com/v1alpha1, Kind: MyPlatform, Name: test-dotnet-app

βœ… πŸ“„ FILE: crd.yaml
   βœ… API: apiextensions.k8s.io/v1, Kind: CustomResourceDefinition, Name: myplatforms.example.com

☸️ Validating Helm Charts

Kubevious CLI executes the Helm template whenever a Helm chart is discovered.

$ kubevious guard path-to-helm-chart-directory

It is also possible to pass remote Helm repos to validate

$ helm repo add traefik https://helm.traefik.io/traefik
$ kubevious guard @helm@traefik/traefik

Use values to specify Helm overrides file and inline values

$ kubevious guard @helm@traefik/traefik@values=overrides/prod.yaml@set=persistence.enabled=true
Supported Helm parameters: Key Description
values Path to Helm overrides path
namespace The namespace
release-name The release name
crds Possible values: "include" or "skip"
set Inline value overrides "key=value"

☸️ Validating Kustomize Templates

Kubevious CLI executes Kustomize build as soon as it discovers kustomization.yaml files. Every files within that directory will be ignored.

$ kubevious guard path-to-kustomize-directory-or-file

🩻 Troubleshoot Live Cluster

The tool can be used to troubleshoot existing clusters and manifests:

kubevious guard --live-k8s --include-remote-targets --namespace default

πŸ•Ή Input from a Variety of Sources

πŸ”˜ Multiple Directories

$ kubevious guard sveltos/ pepsi/

πŸ”˜ Stream Input

Primary usage is to validate template outputs such as Helm Charts, Kuztomize, Carvel, etc.

$ ytt -f my-app/ | kubevious guard --stream

❌ β™’ STREAM: stream
   ❌ Namespace: default, API: traefik.containo.us/v1alpha1, Kind: IngressRoute, Name: release-name-traefik-dashboard
      πŸ”΄ Unknown API Resource. apiVersion: traefik.containo.us/v1alpha1, kind: IngressRoute.

Also can pass additional manifests, such as CRDs, Rules, etc., for validation along with the steam input.

$ ytt -f my-app/ | kubevious guard --stream https://raw.githubusercontent.com/traefik/traefik-helm-chart/master/traefik/crds/ingressroute.yaml

βœ… Guard Succeeded.

πŸ“¦ Running Inside a Container

πŸ”˜ Validate the Entire Directory

Mount a local directory to /src in the container. The rest of the arguments are the same.

$ docker run --rm -v ${PWD}/pepsi:/src kubevious/cli guard /src
❌ Guard Failed

πŸ”˜ Validate Files

The directory must be mounted to /src in the container to validate individual files. Can pass file names in the command line arguments.

$ docker run --rm -v ${PWD}/pepsi:/src kubevious/cli guard /src/service.yaml /src/deployment.yaml
βœ… Guard Succeeded.

πŸ”˜ Stream Input

Don't forget the -i argument.

$ helm template traefik/traefik | docker run --rm -i kubevious/cli guard --stream

❌ β™’ STREAM: stream
   ❌ Namespace: default, API: traefik.containo.us/v1alpha1, Kind: IngressRoute, Name: release-name-traefik-dashboard
      πŸ”΄ Unknown API Resource. apiVersion: traefik.containo.us/v1alpha1, kind: IngressRoute.

Passing CRDs as input would fix the issue:

$ helm template traefik/traefik | docker run --rm -i kubevious/cli guard --stream https://raw.githubusercontent.com/traefik/traefik-helm-chart/master/traefik/crds/ingressroute.yaml

βœ… Guard Succeeded.

πŸͺ Git Pre-Commit Hook

You can get guard and lint commands to execute whenever changes to the GitOps repo are made. Kubevious uses the pre-commit project to set up pre-commit hooks. For convenience, there are commands to install hooks:

$ kubevious install-git-hook guard
   ℹ️  Repository: /Users/django/example.git
   ℹ️  PreCommit Config File: /Users/django/example.git/.pre-commit-config.yaml
   ℹ️  Hook Repo: https://github.com/kubevious/cli
   ℹ️  Hook ID: kubevious-guard

βœ… Install Git Hook Succeeded.
   Now you can run: 
     $> cd /Users/django/example.git
     $> git add .pre-commit-config.yaml
     $> pre-commit autoupdate

or

$ kubevious install-git-hook lint

✍️ Writing Custom Rules

Kubevious rules are expressed in a domain-specific language called Kubik. A great way to start writing your own rules is to learn from the community-driven rules library.

☎️ Support

Need help writing custom rules or policies? Need help with integration into your CI/CD platforms? Or urgently need a new feature or bug fix? Reach out to us at support@kubevious.io

πŸ’¬ Slack

Join the Kubevious Slack workspace to chat with Kubevious developers and users. This is a good place to learn about Kubevious, ask questions, and share your experiences.

πŸ—οΈ Contributing

We invite your participation through issues and pull requests! You can peruse the contributing guidelines.

πŸ›οΈ Governance

The Kubevious project is created by AUTHORS. Governance policy is yet to be defined.

πŸš€ Roadmap

Kubevious maintains a public roadmap, which provides priorities and future capabilities we are planning on adding to Kubevious.

πŸ”­ Kubevious Project

Learn more about the Kubevious projects in the root repository: https://github.com/kubevious/kubevious

πŸ“œ License

Kubevious CLI is an open-source project licensed under the Apache License, Version 2.0.