Find out How Sonobuoy Validate and diagnostic your Kubernetes configuration

Sonobuoy is a diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of plugins conformance tests in an accessible and non-destructive manner.

It is a customizable, extendable, and cluster-agnostic way to generate clear, informative reports about your cluster.

Its selective data dumps of Kubernetes resource objects and cluster nodes allow for the following use cases:

  • Integrated end-to-end (e2e) conformance-testing
  • Workload debugging
  • Custom data collection via extensible plugins

Sonobuoy supports 3 Kubernetes minor versions: the current release and 2 minor versions before. Sonobuoy is currently versioned to track the Kubernetes minor version to clarify the support matrix. For example, Sonobuoy v0.14.x would support Kubernetes 1.14.x, 1.13.x, and 1.12.x.

Prerequisites

Plugins

CIS Benchmarks

This plugin utilizes the kube-bench implementation of the CIS security benchmarks. It is technically two plugins; one to run the checks on the master nodes and another to run the checks on the worker nodes.

End-to-End Testing

The Kubernetes end-to-end testing plugin (the e2e plugin) is used to run tests which are maintained by the upstream Kubernetes community in the kubernetes/kubernetes repo.

Systemd-logs

Gather log information from systemd, by chrooting into the node’s filesystem and running journalctl. Used by Sonobuoy for gathering host logs in a Kubernetes cluster.

Kube-hunter

This plugin runs Aqua Security’s kube-hunter. It increases awareness and visibility of security issues in Kubernetes environments.

Who-can

This plugin utilizes the kubectl-who-can project from Aqua Security to produce a report that shows which subjects have RBAC permissions to perform actions (verbs) against resources in the cluster.

Sonobuoy in 10 minutes, presented at Kubernetes Community Meeting 

Leave a Reply

Your email address will not be published. Required fields are marked *