* added sonatype nancy vulnerability scanning

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

* fix 1

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

* fix 2

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

* vulnerability check fixed

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

---------

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>
# Kruise-tools

kubectl plugin for OpenKruise

Kruise-tools provides commandline tools for kruise features, such as `kubectl-kruise`, which is a standard plugin of `kubectl`.
## Install

### Install via Krew

- Krew itself is a kubectl plugin that is installed and updated via Krew (yes, Krew self-hosts). First, install krew.
- Run `kubectl krew install kruise` to install the kruise plugin via Krew.
- Then you can use it with `kubectl-kruise` or `kubectl kruise`.

```bash
$ kubectl-kruise --help
# or
$ kubectl kruise --help
```
### Install manually

- You can simply download the binary from the releases page. Currently `linux`, `darwin` (OS X) and `windows` builds for `x86_64` and `arm64` are provided. If you are using another system or architecture, you have to download the source code and execute `make build` to build the binary.
- Extract the archive and move the binary to a directory in your system PATH.

```bash
$ tar xvf kubectl-kruise-darwin-amd64.tar.gz
$ mv darwin-amd64/kubectl-kruise /usr/local/bin/
```

- Then you can use it with `kubectl-kruise` or `kubectl kruise`.

```bash
$ kubectl-kruise --help
# or
$ kubectl kruise --help
```
## Upgrade

### Upgrade via krew

Run `kubectl krew upgrade kruise` to upgrade the kruise plugin via Krew.

### Upgrade manually

Same as *Install manually* above: download the new release and replace the binary in your PATH.
## Usage

### completion

To load auto completions:

Bash:

```bash
$ source <(kubectl-kruise completion bash)
```

Zsh:

```bash
# If shell completion is not already enabled in your environment,
# you will need to enable it. You can execute the following once:
$ echo "autoload -U compinit; compinit" >> ~/.zshrc

# To load completions for each session, execute once:
$ kubectl-kruise completion zsh > "${fpath[1]}/_kubectl-kruise"
```

Fish:

```bash
$ kubectl-kruise completion fish | source
```

PowerShell:

```powershell
PS> kubectl-kruise completion powershell | Out-String | Invoke-Expression
```
### expose

Take a workload (e.g. deployment, cloneset), service or pod and expose it as a new Kubernetes Service.

```bash
$ kubectl kruise expose cloneset nginx --port=80 --target-port=8000
```
### scale

Set a new size for a Deployment, ReplicaSet, CloneSet, or Advanced StatefulSet.

```bash
$ kubectl kruise scale --replicas=3 cloneset nginx
```

It is equivalent to `kubectl scale --replicas=3 cloneset nginx`.
### rollout

Available commands: `history`, `pause`, `restart`, `resume`, `status`, `undo`, `approve`.

```bash
$ kubectl kruise rollout undo cloneset/nginx

# built-in statefulsets
$ kubectl kruise rollout status statefulsets/sts1

# kruise statefulsets
$ kubectl kruise rollout status statefulsets.apps.kruise.io/sts2

# approve a kruise rollout resource named "rollout-demo" in "ns-demo" namespace
$ kubectl kruise rollout approve rollout/rollout-demo -n ns-demo

# undo a kruise rollout resource
$ kubectl kruise rollout undo rollout/rollout-demo

# Fast rollback during blue-green release (will go back to a previous step with no traffic and most replicas)
$ kubectl kruise rollout undo rollout/rollout-demo --fast
```
### set

Available commands: `env`, `image`, `resources`, `selector`, `serviceaccount`, `subject`.

```bash
$ kubectl kruise set env cloneset/nginx STORAGE_DIR=/local
$ kubectl kruise set image cloneset/nginx busybox=busybox nginx=nginx:1.9.1
```
### migrate

Currently it supports migrating from a Deployment to a CloneSet.

```bash
# Create an empty CloneSet from an existing Deployment.
$ kubectl kruise migrate CloneSet --from Deployment -n default --dst-name deployment-name --create

# Create a CloneSet with the same replicas as an existing Deployment.
$ kubectl kruise migrate CloneSet --from Deployment -n default --dst-name deployment-name --create --copy

# Migrate replicas from an existing Deployment to an existing CloneSet.
$ kubectl-kruise migrate CloneSet --from Deployment -n default --src-name cloneset-name --dst-name deployment-name --replicas 10 --max-surge=2
```
### scaledown

Scale down a cloneset by deleting selected Pods.

```bash
# Scale down by 2 with selected pods
$ kubectl kruise scaledown cloneset/nginx --pods pod-a,pod-b
```

It decreases the cloneset's replicas by 2 (replicas=replicas-2) and deletes the specified pods.
### exec

Exec into the working sidecar container of a pod while the SidecarSet is hot-upgrading.

```bash
# Get output from running 'date' command in working sidecar container from pod mypod
kubectl kruise exec mypod -S sidecar-container -- date

# Switch to raw terminal mode, sends stdin to 'bash' in working sidecar container from cloneset myclone
# and sends stdout/stderr from 'bash' back to the client
kubectl kruise exec clone/myclone -S sidecar-container -it -- bash
```
## TODO

### kubectl kruise migrate

- migrate [options]

kubectl-kruise migrate demo:

```bash
kubectl kruise migrate CloneSet --from Deployment --src-name deployment-demo --dst-name cloneset-demo --create --copy
```

### kubectl kruise rollout for CloneSet workload

- undo
- history
- status
- pause
- resume
- restart

### kubectl kruise rollout for Advanced StatefulSet

- undo
- history
- status
- restart

### kubectl kruise expose for CloneSet workload

- kubectl kruise expose cloneset demo-clone --port=80 --target-port=8000

### kubectl kruise set SUBCOMMAND [options] for CloneSet

- kubectl kruise set image cloneset/abc
- kubectl kruise set env cloneset/abc
- kubectl kruise set serviceaccount cloneset/abc
- kubectl kruise set resources cloneset/abc

### kubectl kruise set SUBCOMMAND [options] for Advanced StatefulSet

- kubectl kruise set image asts/abc
- kubectl kruise set env asts/abc
- kubectl kruise set serviceaccount asts/abc
- kubectl kruise set resources asts/abc

### kubectl kruise autoscale SUBCOMMAND [options]

- kubectl kruise autoscale
## Security

This project includes automated vulnerability scanning to ensure the security of its dependencies.

### Vulnerability Scanning

We use two complementary tools to scan for vulnerabilities in our Go dependencies:

- **Nancy by Sonatype** - Comprehensive dependency scanning against the Sonatype OSS Index
- **govulncheck** - Official Go vulnerability scanner with call graph analysis to reduce false positives

### CI/CD Security Integration

Security scans are run automatically:

- On every push to `master` and `release*` branches
- On every pull request
- Daily at 2 AM UTC via a scheduled workflow

### Handling Vulnerabilities

If vulnerabilities are found:

1. **Review the vulnerability report** - Check whether the vulnerability affects your usage
2. **Update dependencies** - Upgrade to a non-vulnerable version if one is available
3. **Apply workarounds** - If no update is available, consider alternative approaches
4. **Temporary exclusions** - For false positives or accepted risks, add the CVE ID to `.nancy-ignore`

### Excluding Vulnerabilities

To exclude specific vulnerabilities from Nancy scans, add the CVE ID or OSS Index ID to the `.nancy-ignore` file:

```
# Example: Exclude a specific CVE
CVE-2021-12345

# Example: Exclude by OSS Index ID
9eb9a5bc-8310-4104-bf85-3a820d28ba79
```

### Running Security Scans Locally

To run vulnerability scans locally:

```bash
# Install tools
go install github.com/sonatype-nexus-community/nancy@latest
go install golang.org/x/vuln/cmd/govulncheck@latest

# Run Nancy scan
go list -json -deps ./... > go.list
nancy sleuth --loud

# Run govulncheck
govulncheck ./...
```
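The exclusion file above is the one place where a scan finding can be silenced, so it is worth linting before the scans run. The following POSIX shell script is an added example, not code from the kruise-tools project: it checks that every `.nancy-ignore` entry is either a CVE ID or an OSS Index ID (the two forms documented above) and that each entry carries a `#` comment explaining the exclusion, then optionally runs the two local scans. The sample ignore-file contents are constructed for the example; the `run_scans` step assumes `go`, `nancy` and `govulncheck` are on PATH and that Nancy reads `./.nancy-ignore` from the working directory, as it does by default.

```shell
#!/bin/sh
# Added example (not part of kruise-tools): lint a .nancy-ignore file so that
# exclusions stay well-formed and justified, then optionally run the scans.

# Return 0 when the entry is a CVE id (CVE-YYYY-NNNN...) or a Sonatype
# OSS Index UUID, the two identifier forms the README documents.
is_valid_ignore_id() {
  printf '%s\n' "$1" |
    grep -Eq '^(CVE-[0-9]{4}-[0-9]{4,}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$'
}

# Lint one ignore file. Prints one line per problem and returns 1 if any:
#   invalid      - the entry is neither a CVE id nor an OSS Index UUID
#   unjustified  - no '#' comment (preceding line or inline) explains it
lint_nancy_ignore() {
  file=$1
  problems=0
  prev_was_comment=0
  while IFS= read -r line || [ -n "$line" ]; do
    # first non-blank character ('#' marks a comment-only line),
    # the entry with any trailing comment stripped, and whether the
    # line carries an inline comment at all
    first=$(printf '%s\n' "$line" | awk '{ print substr($1, 1, 1) }')
    entry=$(printf '%s\n' "$line" | awk '{ sub(/#.*/, ""); print $1 }')
    inline=$(printf '%s\n' "$line" | awk '{ print index($0, "#") }')
    if [ "$first" = "#" ]; then
      prev_was_comment=1
      continue
    fi
    [ -n "$entry" ] || continue   # blank line
    if ! is_valid_ignore_id "$entry"; then
      printf 'invalid: %s is neither a CVE id nor an OSS Index UUID\n' "$entry"
      problems=$((problems + 1))
    elif [ "$prev_was_comment" -eq 0 ] && [ "$inline" -eq 0 ]; then
      printf 'unjustified: %s has no comment explaining the exclusion\n' "$entry"
      problems=$((problems + 1))
    fi
    prev_was_comment=0
  done < "$file"
  [ "$problems" -eq 0 ]
}

# Write a constructed sample ignore file ("good" or "bad") and print its path.
write_sample_ignore() {
  f=$(mktemp)
  if [ "$1" = "good" ]; then
    cat > "$f" <<'EOF'
# Example: Exclude a specific CVE
CVE-2021-12345

# Example: Exclude by OSS Index ID
9eb9a5bc-8310-4104-bf85-3a820d28ba79
EOF
  else
    cat > "$f" <<'EOF'
# malformed id (constructed for the example)
CVE-21-1
9eb9a5bc-8310-4104-bf85-3a820d28ba79
EOF
  fi
  printf '%s\n' "$f"
}

# Run the two scans the README lists (assumes go, nancy and govulncheck on
# PATH). Nancy reads ./.nancy-ignore from the working directory by default.
run_scans() {
  for tool in go nancy govulncheck; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool"; return 1; }
  done
  go list -json -deps ./... | nancy sleuth --loud
  govulncheck ./...
}

sample=$(write_sample_ignore good)
if lint_nancy_ignore "$sample"; then
  echo "ok: sample .nancy-ignore is well-formed and every exclusion is justified"
fi
rm -f "$sample"
if [ "${RUN_SCANS:-0}" = "1" ]; then
  run_scans
fi
```

Run it with `RUN_SCANS=1` from the repository root to lint the real `.nancy-ignore` and then execute both scans; without that variable it only exercises the lint on the constructed sample. Treating an unexplained exclusion as a failure keeps "temporary exclusions" from quietly becoming permanent.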
## Contributing

We encourage you to help out by reporting issues, improving documentation, fixing bugs, or adding new features.