Preflight is a tool to automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA).
Preflight was originally designed to automate Jetstack's production readiness assessments. These are consulting sessions in which a Jetstack engineer inspects a customer's cluster to suggest improvements and identify configuration issues. The product of this assessment is a report which describes any problems and offers remediation advice.
While these assessments have provided a lot of value to many customers, with a complex system like Kubernetes it's hard to thoroughly check everything. Automating the checks allows them to be more comprehensive and much faster.
The automation also allows the checks to be run repeatedly, meaning they can be deployed in-cluster to provide continuous configuration checking.
This enables new and interesting use cases, such as policy compliance audits.
Policies for cluster configuration are encoded into "Preflight Packages".
Preflight Packages are a very thin wrapper around OPA's policies. A package is made of Rego files (OPA's high-level declarative language) and a Policy Manifest.
The Policy Manifest is a YAML file intended to add metadata to the rules, so the tool can display useful information when a rule doesn't pass.
Since the logic in these packages is just Rego, you can add tests to your policies and use OPA's command line to run them (see the OPA Policy Testing tutorial).
Additionally, Preflight has a built-in linter for packages:
```
preflight package lint <path to package>
```
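To show what the Rego side of a package looks like together with the OPA tests mentioned above, here is an added example that is not code from the Preflight repository. It assumes the policy receives a Kubernetes PodList as `input` (so pods are under `input.items`), that the package and rule names are illustrative rather than Preflight's conventions, and that OPA 0.59 or newer is used (for `import rego.v1`).

```rego
# Added example, not part of Preflight. Assumed input shape: a Kubernetes PodList.
package pods

import rego.v1

# A privileged container has full access to the node, so every one is reported.
deny contains msg if {
    some pod in input.items
    some container in pod.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("%s/%s: container %s runs privileged", [pod.metadata.namespace, pod.metadata.name, container.name])
}

# A container without a memory limit can exhaust the node's memory.
# `not` also succeeds when `resources` or `limits` is absent entirely.
deny contains msg if {
    some pod in input.items
    some container in pod.spec.containers
    not container.resources.limits.memory
    msg := sprintf("%s/%s: container %s has no memory limit", [pod.metadata.namespace, pod.metadata.name, container.name])
}

# Constructed sample input for the tests below (not real cluster data).
sample_pods := {"items": [
    {"metadata": {"namespace": "default", "name": "good"},
     "spec": {"containers": [{"name": "app", "resources": {"limits": {"memory": "128Mi"}}}]}},
    {"metadata": {"namespace": "kube-system", "name": "bad"},
     "spec": {"containers": [{"name": "agent", "securityContext": {"privileged": true}}]}}
]}

# Tests run with `opa test`: a compliant pod yields no findings.
test_compliant_pod_passes if {
    count(deny) == 0 with input as {"items": [sample_pods.items[0]]}
}

# The "bad" pod is flagged twice: privileged and missing memory limit.
test_privileged_pod_is_flagged if {
    result := deny with input as sample_pods
    count(result) == 2
    "kube-system/bad: container agent runs privileged" in result
}
```

Save this as `policy.rego` and run `opa test policy.rego` to execute the two tests; `opa eval -i pods.json -d policy.rego 'data.pods.deny'` evaluates the rules against a PodList exported from a cluster.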
Use Preflight locally
1. You can compile Preflight by running `make build`. It will create the binary in
2. Create a `preflight.yaml` configuration file (you can take inspiration from the ones in
3. Run Preflight (by default it looks for

You can try `./examples/pods.preflight.yaml` without having to change a line, if you have your kubeconfig (`~/.kube/config`) pointing to a working cluster:

```
preflight check --config-file=./examples/pods.preflight.yaml
```
You will see a CLI-formatted report if everything goes well. Also, you will get a JSON report in
If you want to visualise the report in your browser, you can open preflight.jetstack.io and load the JSON report. This is a static website: your report is not uploaded to any server, and everything happens in your browser.