
Releases: derailed/popeye

v0.4.0

03 Aug 15:08
v0.4.0 Pre-release

Release v0.4.0

Notes

Thank you so much for your support and suggestions to make Popeye better!!

If you dig this tool, please make some noise on social! @kitesurfer


Change Logs

I am super excited about this drop and hope you will be too! Lots of changes and features, but also more opportunities for breakage. So please proceed with caution and please do file issues so we can all gain from the improvements.

Spinach Boosts Memory?

Until now Popeye did not really handle any kind of sanitizer run histories. We've added a --save option that allows sanitizer runs to be persisted to disk.

# Perform a cluster blee sanitization and persist results to disk.
popeye -A --save

Junit Output

Some folks had requested a junit flavored output for integration with CI/CD tools like Jenkins. To this end, we've provided a new formatter to output sanitizer reports as Junit flavored XML.

In order to enable the report, use the following argument:

popeye -o junit

NOTE: This is an experimental feature and subject to change based on user feedback!

Codes

We've refactored the sanitizer report to now include sanitizer codes. Each report section has a different set of codes depending on the sanitization checks. For instance, code POP-106 No resource defined will now be indicated in the report. We will document the various codes, their meanings and resolutions once we've got a chance to vet the changes and make sure we're all happy with the new reports!

On this note, and as an interesting side effect, you can now change the code severity level in your spinach config file. There have been some reports voicing a need to change the message severity based on your cluster policies. That said, I would warn against it, as the end goal here is to come up with a set of standard best practices across all clusters. The reason we've decided to open this up a bit is so that we can zero in, as a community, on cluster best practices. So I will ask that, if you do feel the urge to modify a sanitizer code severity, you file an issue so that we can discuss as a group and come up with the best directives so we can all end up with a winner. This is a total backdoor for improving your cluster's score without changing any manifests...

Here is a sample spinach.yml config to override a code severity:

# Severities: Ok: 0, Info: 1, Warn: 2, Error: 3
popeye:
  codes:
    206:
      severity: 2 # Set severity level to Warn vs Info if No pod DisruptionBudget is set.

Security Now!

In this drop we've also added a few security rules as sanitizer checks. This is just the beginning of a long journey but you should start seeing a few security checks in your reports.

As a result, Popeye will notify you if any of the following conditions are true on your clusters:

  1. Running Pods using the default ServiceAccount
  2. Running containers as root
  3. Mounting API server certs on pods

We're going to be more active in this area in the next few drops so please let us know which checks might be most useful so we can prioritize accordingly.

Mo' Resources

In this release we've added a few new resources to the sanitization pass. Some checks are still primitive; we will improve on that soon.

  1. DaemonSet
  2. ReplicaSet
  3. Ingress
  4. PodSecurityPolicy
  5. NetworkPolicy

Linux Brewed!

Sadly, we are still having issues deploying Popeye as a snap ;( Though we're hopeful these will be resolved soon, we've decided to offer a brewed version of Popeye as an alternative for our Linux friends.

brew install derailed/popeye/popeye

1.6 Deprecations

Saving the best for last! As you might be aware, the K8s 1.6 release is going to remove some resource API group versions from the schema. Cluster admins/operators are going to need to not only change their application manifests but also update their application dependencies. This is most likely going to cause some disturbance in the force. No worries, Popeye has your back!

In this drop, we've added some very basic checks for potential use of the deprecated APIs. Since Popeye looks at a live cluster and what is actually deployed and running, the sanitizers will alert you of potential deprecation problems before you update your entire Kubernetes cluster to 1.6.

Popeye sanitizers will warn you on deprecated resource api groups on the following:

  1. extensions/v1beta1 or apps/v1beta1 or apps/v1beta2 for DaemonSet, Deployment, StatefulSet, ReplicaSet
  2. extensions/v1beta1.Ingress
  3. extensions/v1beta1.PodSecurityPolicy
  4. extensions/v1beta1.NetworkPolicy

NOTE! It is possible that Popeye might not cover 100% of the cases, as Helm charts or operator implementations might bypass the basic checks Popeye relies on to determine a resource API group version.

We hope you will find these features useful and timely in helping in the migration.

I think that's a wrap for this drop. Please be mindful that a lot of code changes happened here and some breakage might occur. Please help us zero in and file issues should you experience incorrect reports. Thank you!!


Resolved Bugs


  © 2019 Imhotep Software LLC. All materials licensed under Apache v2.0

v0.3.13

27 Jun 14:23
v0.3.13 Pre-release

Release v0.3.13

Notes

Thank you so much for your support and suggestions to make Popeye better!!

If you dig this tool, please make some noise on social! @kitesurfer


Change Logs

Add over-allocs flag

Popeye is designed to report sanitization on a live cluster. As such, when a cluster is mainly idle, the over-allocation report may yield false positives. To this end, we've added an --over-allocs option to the CLI to opt in to over-allocation reports. By default this option is off, hence no CPU/memory over-allocations will be reported. This now gives you the option to report allocations based on cluster load.


Resolved Bugs



v0.3.12

21 Jun 23:13
v0.3.12 Pre-release

Release v0.3.12

Notes

Thank you so much for your support and suggestions to make Popeye better!!

If you dig this tool, please make some noise on social! @kitesurfer


Change Logs

Bug and Maintenance release.


Resolved Bugs



v0.3.11

18 Jun 03:06
v0.3.11 Pre-release

Release v0.3.11

Notes

Thank you so much for your support and suggestions to make Popeye better!!

If you dig this tool, please make some noise on social! @kitesurfer


Change Logs


Resolved Bugs



v0.3.10

14 Jun 18:05
v0.3.10 Pre-release

Release v0.3.10

Notes

Thank you so much for your support and suggestions to make Popeye better!!

If you dig this tool, please make some noise on social! @kitesurfer


Change Logs

PodDisruptionBudget

Added check for pdbs. The sanitizer will report usage and possible misconfiguration if PodDisruptionBudgets are available on the cluster.


Resolved Bugs



v0.3.8

31 May 21:44
v0.3.8 Pre-release

Release v0.3.8

Notes

Thank you so much for your support and suggestions to make Popeye better!!

If you dig this tool, please make some noise on social! @kitesurfer


Change Logs

Bugs and clean up...


Resolved Bugs



v0.3.7

31 May 04:26
v0.3.7 Pre-release

Release v0.3.7

Notes

Thank you so much for your support and suggestions to make Popeye better!!

If you dig this tool, please make some noise on social! @kitesurfer


Change Logs

Spinach Config Reloaded!

BREAKING CHANGE!

As of this release the spinach.yml format has changed slightly. There is now a new excludes section that allows one to exclude any Kubernetes resources from the sanitizer run. A resource is identified by a resource kind and a fully qualified resource name (FQN), i.e. namespace/resource_name. For example, the FQN of a pod named fred-1234 in namespace blee will be blee/fred-1234. This provides for differentiating fred/p1 and blee/p1. For cluster-wide resources, FQN=name. Exclude rules can be either a straight string match or a regular expression. In the latter case, the regular expression must be indicated using the rx: prefix.

NOTE! Please tread carefully here with your regex, as more resources than expected may get excluded from the report via a loose regex rule. When your cluster resources change, this could render sanitization sub-optimal. Once in a while it might be a good idea to run Popeye config-less to make sure you're trapping any new issues with your clusters...

Here is an example spinach file as it stands in this release:

popeye:
  allocations:
    cpu:
      over: 200
      under: 50
    memory:
      over: 200
      under: 50

  # New excludes section now provides for excluding any resources scanned by Popeye.
  excludes:
    # Exclude any configmaps within namespace fred that end with a version#
    configmap:
      - rx:fred/.*\.v\d+
    # Exclude kube-public + any namespace that starts with either kube or istio
    namespace:
      - kube-public
      - rx:kube
      - rx:istio
    # Exclude node named n1 from the scan.
    node:
      - n1
    # Exclude any pods that start with nginx or contains -telemetry
    pod:
      - rx:nginx
      - rx:.*-telemetry
    # Exclude any service containing -dash in their name.
    service:
      - rx:.*-dash

  # Node...
  node:
    limits:
      cpu:    90
      memory: 80

  # Pod...
  pod:
    limits:
      cpu:    80
      memory: 75
    restarts: 3

NOTE: Malformed regex issues will be surfaced in the logs! Please use popeye version for logs location.


Resolved Bugs



v0.3.6

21 May 20:38
v0.3.6 Pre-release

Release v0.3.6

Notes

Thank you so much for your support and suggestions to make Popeye better!!

Also if you dig this tool, please make some noise on social! @kitesurfer


Change Logs

Spinach Exclude

The exclude section of the yaml now supports regular expressions. In order to designate a regular expression matcher, your exclude must start with rx:. Here are some examples:

exclude:
  # Exclude pod named blee.
  - blee
  # Exclude all pod name that start with nginx.
  - rx:nginx
  # Exclude all pod that contain -duh ie blee-duh and fred-duh.
  - rx:.*-duh

NOTE: Malformed regex issues will be surfaced in the logs! Please use popeye version for logs location.
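
For the rx: rules above and the per-kind excludes section in the v0.3.7 notes, here is an added example (not Popeye's own code) that previews which resources each rule would hide from the report and surfaces malformed patterns up front. It assumes rx: rules are unanchored Go regexp matches against the FQN and plain rules are exact matches; the `auditRule` helper and the pod inventory are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Audit is the outcome of testing one exclude rule against an inventory.
type Audit struct {
	Rule    string
	Err     error    // non-nil when an rx: rule does not compile
	Matched []string // FQNs the rule would drop from the report
}

// auditRule reports which FQNs (namespace/name) a spinach exclude rule hides.
// Assumption: rx: rules are unanchored Go regexp matches and plain rules are
// exact string matches; check Popeye's source for the real semantics.
func auditRule(rule string, fqns []string) Audit {
	a := Audit{Rule: rule}
	var match func(string) bool
	if strings.HasPrefix(rule, "rx:") {
		re, err := regexp.Compile(strings.TrimPrefix(rule, "rx:"))
		if err != nil {
			a.Err = err
			return a
		}
		match = re.MatchString
	} else {
		match = func(s string) bool { return s == rule }
	}
	for _, f := range fqns {
		if match(f) {
			a.Matched = append(a.Matched, f)
		}
	}
	return a
}

func main() {
	// Constructed inventory of pod FQNs, not taken from a real cluster.
	pods := []string{"web/nginx-7f9c", "blee/fred-1234", "prod/payments-nginx-proxy", "prod/api-telemetry-0", "blee/p1"}
	for _, r := range []string{"blee/p1", "rx:nginx", "rx:^[^/]+/nginx", "rx:.*-telemetry", "rx:*-dash"} {
		a := auditRule(r, pods)
		if a.Err != nil {
			fmt.Printf("%-18s MALFORMED: %v\n", r, a.Err)
			continue
		}
		fmt.Printf("%-18s hides %d/%d: %v\n", r, len(a.Matched), len(pods), a.Matched)
	}
}
```

Under that assumption rx:nginx also hides prod/payments-nginx-proxy, while the anchored rx:^[^/]+/nginx keeps the rule to pod names that actually start with nginx.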

Performance part Duh

In my speed-up excitement, I've spaced checking for clusters that don't currently support metrics. This led to an NPE ;(. This should now be resolved. Sorry about this waffle thin disruption in the force!


Resolved Bugs



v0.3.5

21 May 14:22
v0.3.5 Pre-release

Release v0.3.5

Notes

Thank you so much for your support and suggestions to make Popeye better!!

Also if you dig this tool, please make some noise on social! @kitesurfer


Change Logs

Performance Pass

Added a caching layer to improve sanitization report generation. This is a first pass of many but looks like 2X improvement over previous release. Yeah!


Resolved Bugs



v0.3.4

21 May 05:08
v0.3.4 Pre-release

Release v0.3.4

Notes

Thank you so much for your support and suggestions to make Popeye better!!

Also if you dig this tool, please make some noise on social! @kitesurfer


Change Logs

Spring Cleaning!

Lots of work happened under the hood in this release. Mainly refactoring, bugs and cleanup items. If you notice any breakage from the previous release, please file an issue so we can improve Popeye. Thank you!


Resolved Bugs

