Why open source KubeEye

Kubernetes is the de facto standard for container orchestering. Despite its elegant architecture and powerful capabilities, Kubernetes has a number of problems and hidden problems that cluster administrators and Yaml engineers can’t handle on a daily basis.

• The infrastructure daemon process is faulty. The NTP service is interrupted.
• Hardware problems: For example, the CPU, memory, or disk is abnormal.
• Kernel problems: kernel deadlock, corrupted file system;
• Container runtime problem: The runtime daemon is not responsive;
• …

There are many more such problems, and these hidden exceptions are invisible to the control plane of the cluster, so Kubernetes will continue to schedule pods to the exception node, thus putting the cluster and the running application at great risk for security and stability.

What is a KubeEye

KubeEye is an open source automated cluster inspection tool designed to detect problems on Kubernetes, such as application configuration errors, unhealthy cluster components, and node issues. Developed using the Go language based on Polaris and Nod-Problem-Detector, KubeEye has built in a series of exception detection rules. In addition to predefined rules, it also supports custom rules.

What can KubeEye do

• Discover and detect problems of Kubernetes cluster control plane, including kube-apiserver/ Kube-controller-Manager/ETCD, etc.
• Help you detect Kubernetes node problems, including memory /CPU/ disk pressure, unexpected kernel error logs, etc.
• Validate your workloads against industry best practices to the YAML specification to help you keep your cluster stable.

Architecture diagram

KubeEye retrieves cluster diagnostic data by invoking the Kubernetes API by routinely matching key error messages in the log with the rules of the container syntax. See Architecture.

Built-in check items

Yes/no	Check the item	describe
Square root	ETCDHealthStatus	If etCD is up and running
Square root	ControllerManagerHealthStatus	If kubernetes kube-controller-Manager is up and running
Square root	SchedulerHealthStatus	If kubernetes kube-schedule is up and running
Square root	NodeMemory	If the node memory usage exceeds the threshold
Square root	DockerHealthStatus	If Docker is working properly
Square root	NodeDisk	If the node disk usage exceeds the threshold
Square root	KubeletHealthStatus	If Kubelet is active and running properly
Square root	NodeCPU	If the CPU usage of a node exceeds the threshold
Square root	NodeCorruptOverlay2	Overlay2 unavailable
Square root	NodeKernelNULLPointer	The node shows NotReady
Square root	NodeDeadlock	A deadlock is a phenomenon in which two or more processes wait for each other while competing for resources.
Square root	NodeOOM	Monitor processes that consume too much memory, especially those that consume too much memory very fast, and the kernel will kill them to prevent them from running out of memory
Square root	NodeExt4Error	Failed to mount Ext4
Square root	NodeTaskHung	Check whether the number of processes in state D exceeds 120s
Square root	NodeUnregisterNetDevice	Checking the Corresponding network
Square root	NodeCorruptDockerImage	Check the Docker image
Square root	NodeAUFSUmountHung	Check the storage
Square root	NodeDockerHung	Docker hang Docker hang
Square root	PodSetLivenessProbe	If you set a livenessProbe for each container in the POD
Square root	PodSetTagNotSpecified	Mirror address does not declare label or label is up to date
Square root	PodSetRunAsPrivileged	Running Pod in privileged mode means that Pod can access the host’s resources and kernel functions
Square root	PodSetImagePullBackOff	Pod cannot pull out the image correctly, so you can pull out the image manually on the corresponding node
Square root	PodSetImageRegistry	Check whether the mirror form is in the appropriate warehouse
Square root	PodSetCpuLimitsMissing	No CPU resource limit declared
Square root	PodNoSuchFileOrDirectory	Enter the container to check whether the corresponding file exists
Square root	PodIOError	This is usually due to file IO performance bottlenecks
Square root	PodNoSuchDeviceOrAddress	Checking the Corresponding network
Square root	PodInvalidArgument	Checking corresponding storage
Square root	PodDeviceOrResourceBusy	Check the corresponding directory and PID
Square root	PodFileExists	Check existing files
Square root	PodTooManyOpenFiles	Number of open file/socket connections exceeded system setting
Square root	PodNoSpaceLeftOnDevice	Check the usage of disks and inodes
Square root	NodeApiServerExpiredPeriod	The ApiServer certificate will be checked if the expiration date is less than 30 days
Square root	PodSetCpuRequestsMissing	CPU resource request value not declared
Square root	PodSetHostIPCSet	Setting the Host IP address
Square root	PodSetHostNetworkSet	Setting the Host Network
Square root	PodHostPIDSet	Setting the HOST PID
Square root	PodMemoryRequestsMiss	No memory resource request value declared
Square root	PodSetHostPort	Setting a Host Port
Square root	PodSetMemoryLimitsMissing	No memory resource limit value is declared
Square root	PodNotReadOnlyRootFiles	The file system is not set to read-only
Square root	PodSetPullPolicyNotAlways	The mirror pull strategy is not always the case
Square root	PodSetRunAsRootAllowed	Execute the command as the root user
Square root	PodDangerousCapabilities	You have risky choices in features such as ALL/SYS_ADMIN/NET_ADMIN
Square root	PodlivenessProbeMissing	No statement ReadinessProbe
Square root	privilegeEscalationAllowed	Allow privilege escalation
	NodeNotReadyAndUseOfClosedNetworkConnection	http 2-max-streams-per-connection
	NodeNotReady	Cannot start ContainerManager Cannot set property TasksAccounting or unknown property

Note: Unmarked projects are under development

How to use

• Install KubeEye on the machine

  • Download the pre-built executable from Releases.
  • Or you can build from source code

  git clone https://github.com/kubesphere/kubeeye.git
  cd kubeeye 
  make install
  Copy the code

• [Optional] Install the Node-problem-detector

Note: This line will install NPD on your cluster and is only needed if you want detailed reports. ke install npd

• KubeEye performs automatic inspection:

root@node1:# ke diag NODENAME SEVERITY HEARTBEATTIME REASON MESSAGE node18 Fatal 2020-11-19T10:32:03+08:00 NodeStatusUnknown Kubelet stopped posting node status. node19 Fatal 2020-11-19T10:31:37+08:00 NodeStatusUnknown Kubelet stopped posting node status. node2 Fatal 2020-11-19T10:31:14+08:00 NodeStatusUnknown Kubelet stopped posting node status. node3 Fatal 2020-11-27T17:36:53+08:00 KubeletNotReady Container runtime not ready: RuntimeReady=false reason:DockerDaemonNotReady message:docker: failed to get docker version: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? The NAME SEVERITY TIME MESSAGE scheduler Fatal T17:2020-11-27 09:59 + 08:00 Get http://127.0.0.1:10251/healthz: Dial the TCP 127.0.0.1:10251: connect: Connection refused etcd Fatal T17:2020-11-27 0... + 08:00 Get https://192.168.13.8:2379/health: Dial the TCP 192.168.13.8:2379: connect: Connection refused NAMESPACE SEVERITY PODNAME EVENTTIME REASON MESSAGE Default Warning Node3.164b53D23ea79FC7 2020-11-27T17:37:34+08:00 ContainerGCFailed rpc error: code = Unknown desc = Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? Default Warning Node3.164 B553CA5740AAE 2020-11-27T18:03:31+08:00 FreeDiskSpaceFailed failed to garbage collect required amount of images. Wanted to free 5399374233 bytes, but freed 416077545 bytes default Warning nginx-b8ffcf679-q4n9v.16491643e6b68cd7 2020-11-27T17:09:24+08:00 Failed Error: ImagePullBackOff Default Warning Node3.164B5861E041A60E 2020-11-27T19:01:09+08:00 SystemOOM SystemOOM Encountered, victim process: stress, pid: 16713 Default Warning Node3.164B58660F8D4590 2020-11-27T19:01:27+08:00 OOMKilling Out of Memory: Kill process 16711 (stress) score 205 or sacrifice child Killed process 16711 (stress), UID 0, total-vm:826516kB, anon-rss:819296kB, file-rss:0kB, Shmem - RSS: 0 KB insights - agent Warning workloads - 1606467120.164 b519ca8c67416 T16 2020-11-27:57:05 + 08:00 DeadlineExceeded Job was active longer than specified deadline kube-system Warning calico-node-zvl9t.164b3dc50580845d 2020-11-27T17:09:35+08:00 DNSConfigForming Nameserver limits were exceeded, some nameservers have been omitted, the applied nameserver line is: 100.64.11.3 114.114.114.114.114 119.29.29.29 kube-system Warning KUbe-proxy-4bnn7.164b3dc4f4C4125d 2020-11-27t17:09:09 +08:00  DNSConfigForming Nameserver limits were exceeded, some nameservers have been omitted, the applied nameserver line is: 100.64.11.3 114.114.114.114 119.29.29.29 kube- System Warning Nodelocaldns-2zbhh.164b3dc4f42d358b 2020-11-27T17:09:14+08:00 DNSConfigForming Nameserver limits were exceeded, some nameservers have been omitted, the applied nameserver line is: 100.64.11.3 114.114.114.114 119.29.29.29 NAMESPACE SEVERITY NAME KIND TIME MESSAGE Kube-system Warning node-problem-detector DaemonSet 2020-11-27T17:09:59+08:00 [livenessProbeMissing runAsPrivileged] kube-system Warning calico-node DaemonSet 2020-11-27T17:09:59+08:00 [runAsPrivileged cpuLimitsMissing] kube-system Warning nodelocaldns DaemonSet 2020-11-27T17:09:59+08:00 [cpuLimitsMissing runAsPrivileged] default Warning nginx Deployment 2020-11-27T17:09:59+08:00 [cpuLimitsMissing livenessProbeMissing tagNotSpecified] insights-agent Warning workloads CronJob 2020-11-27T17:09:59+08:00 [livenessProbeMissing] insights-agent Warning cronjob-executor Job 2020-11-27T17:09:59+08:00 [livenessProbeMissing] kube-system Warning calico-kube-controllers Deployment 2020-11-27T17:09:59+08:00 [cpuLimitsMissing livenessProbeMissing] kube-system Warning coredns Deployment 2020-11-27T17:09:59+08:00 [cpuLimitsMissing]Copy the code

Refer to the FAQ to optimize your cluster.

Add a custom check rule

In addition to the pre-defined inspection items and rules mentioned above, KubeEye also supports custom inspection rules. Here is an example:

Add a custom NPD check rule

• Install the NPD commandke install npd
• Configmap kube-system/ nod-problem-detector -config

kubectl edit cm -n kube-system node-problem-detector-config
Copy the code

• You can add exception logs under the configMap rules. The rules follow regular expressions.

Customize best practice rules

• Prepare a rule yamL, for example, the following rule will validate your Pod specification to ensure that the image only comes from the authorized registry.

checks:
  imageFromUnauthorizedRegistry: warning

customChecks:
  imageFromUnauthorizedRegistry:
    promptMessage: When the corresponding rule does not match. Show that image from an unauthorized registry.
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          not:
            pattern: ^quay.io
Copy the code

• Save the above rules as YAML, such as rule-.yaml.

• Run KubeEye with rule-.yaml.

root:# ke diag -f rule.yaml --kubeconfig ~/.kube/config NAMESPACE SEVERITY NAME KIND TIME MESSAGE default Warning nginx Deployment 2020-11-27T17:18:31+08:00 [imageFromUnauthorizedRegistry] kube-system Warning node-problem-detector DaemonSet  2020-11-27T17:18:31+08:00 [livenessProbeMissing runAsPrivileged] kube-system Warning calico-node DaemonSet 2020-11-27T17:18:31+08:00 [cpuLimitsMissing runAsPrivileged] kube-system Warning calico-kube-controllers Deployment 2020-11-27T17:18:31+08:00 [cpuLimitsMissing livenessProbeMissing] kube-system Warning nodelocaldns DaemonSet 2020-11-27T17:18:31+08:00 [runAsPrivileged cpuLimitsMissing] default Warning nginx Deployment 2020-11-27T17:18:31+08:00 [livenessProbeMissing cpuLimitsMissing] kube-system Warning coredns Deployment 2020-11-27T17:18:31+08:00 [cpuLimitsMissing]Copy the code

Roadmap

• Fine-grained inspection items are supported. For example, the cluster responds slowly
• Cluster inspection reports can be generated based on inspection results
• Cluster inspection reports can be exported to CSV or HTML files

What other features would you like KubeEye to offer? Please come to Github and submit your suggestions or requests

GitHub: github.com/kubesphere/…

Refer to the link

KubeEye Release:github.com/kubesphere/…

KubeEye FAQ documentation: github.com/kubesphere/…

Node-Problem-Detector:github.com/kubernetes/…

About KubeSphere

KubeSphere is a container hybrid cloud built on top of Kubernetes to provide full-stack IT automation capabilities and simplify DevOps workflows for enterprises.

KubeSphere has been adopted by thousands of enterprises at home and abroad such as Aqara Smart Home, Bentley Life, Sina, PICC Life insurance, Huaxia Bank, PUDONG Development Silicon Valley Bank, Sichuan Airlines, Sinopharm Group, Webank, Zijininsurance, Radore, ZaloPay and so on. KubeSphere provides an operational-friendly, wizard-like interface and rich enterprise-class functionality, It includes multi-cloud and multi-cluster management, Kubernetes resource management, DevOps (CI/CD), application lifecycle management, Service Mesh, multi-tenant management, monitoring logs, alarm notification, storage and network management, GPU support, etc. Help enterprises quickly build a powerful and rich container cloud platform.

IO/KubeSphere GitHub: github.com/kubesphere/…