Sonobuoy is a diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of plugins (including conformance tests) in an accessible and non-destructive manner.
It is a customizable, extendable, and cluster-agnostic way to generate clear, informative reports about your cluster.
Its selective data dumps of Kubernetes resource objects and cluster nodes allow for the following use cases:
- Integrated end-to-end (e2e) conformance-testing
- Workload debugging
- Custom data collection via extensible plugins
Sonobuoy supports 3 Kubernetes minor versions: the current release and 2 minor versions before. Sonobuoy is currently versioned to track the Kubernetes minor version to clarify the support matrix. For example, Sonobuoy v0.14.x would support Kubernetes 1.14.x, 1.13.x, and 1.12.x.
- Access to an up-and-running Kubernetes cluster. If you do not have a cluster, we recommend following the AWS Quickstart for Kubernetes instructions.
- An admin kubeconfig file, and the KUBECONFIG environment variable set.
- For some advanced workflows it may be required to have kubectl installed. See installing via Homebrew (MacOS) or building the binary (Linux).
- The sonobuoy images subcommand requires Docker to be installed. See installing Docker.
This plugin utilizes the kube-bench implementation of the CIS security benchmarks. It is technically two plugins: one to run the checks on the master nodes and another to run the checks on the worker nodes.
The Kubernetes end-to-end testing plugin (the e2e plugin) is used to run tests which are maintained by the upstream Kubernetes community in the kubernetes/kubernetes repo.
Gathers log information from systemd by chrooting into the node's filesystem and running journalctl. Used by Sonobuoy for gathering host logs in a Kubernetes cluster.
This plugin runs Aqua Security’s kube-hunter. It increases awareness and visibility of security issues in Kubernetes environments.
This plugin utilizes the kubectl-who-can project from Aqua Security to produce a report that shows which subjects have RBAC permissions to perform actions (verbs) against resources in the cluster.
Sonobuoy in 10 minutes, presented at Kubernetes Community Meeting