Skip to content
Automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA)
Go HCL Makefile Other
Branch: master
Clone or download
Latest commit a757934 Dec 6, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
api Add badges Dec 5, 2019
cmd
deployment
docs Add new overlay Dec 5, 2019
examples Use Location instead of Zone for gke datagatherer configuration Nov 19, 2019
hack Add ci-test and ci-build targets Dec 3, 2019
pkg Add badges Dec 5, 2019
preflight-packages/examples.jetstack.io Add sample pods package Nov 15, 2019
.gitignore Add new overlay Dec 5, 2019
Dockerfile Add docker image, cronjob and a lot of docs Nov 15, 2019
LICENSE
Makefile Push canary docker image Dec 6, 2019
OWNERS Create OWNERS file Nov 7, 2019
README.md Highlight path in readme Dec 6, 2019
go.mod Add ci-test and ci-build targets Dec 3, 2019
go.sum Add ci-test and ci-build targets Dec 3, 2019
main.go Add first Preflight cli Nov 11, 2019

README.md

Build Status Go Report Card

Jetstack Preflight

Preflight is a tool to automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA).

Table of Contents

Background

Preflight was originally designed to automate Jetstack's production readiness assessments. These are consulting sessions in which a Jetstack engineer inspects a customer's cluster to suggest improvements and identify configuration issues. The product of this assessment is a report which describes any problems and offers remediation advice.

While these assessments have provided a lot of value to many customers, with a complex system like Kubernetes it's hard to thoroughly check everything. Automating the checks allows them to be more comprehensive and much faster.

The automation also allows the checks to be run repeatedly, meaning they can be deployed in-cluster to provide continuous configuration checking.

This enables new interesting use cases as policy compliance audits.

Preflight Packages

Policies for cluster configuration are encoded into "Preflight Packages".

You can find some examples in ./preflight-packages and you can also write your own Preflight Packages.

Preflight Packages are a very thin wrapper around OPA's policies. A package is made of Rego files (OPA's high-level declarative language) and a Policy Manifest.

The Policy Manifest is a YAML file intended to add metadata to the rules, so the tool can display useful information when a rule doesn't pass.

Since the logic in these packages is just Rego, you can add tests to your policies and use OPA's command line to run them (see OPA Policy Testing tutorial).

Additionally, Preflight has a built-in linter for packages:

preflight package lint <path to package>

Install Preflight

Use Preflight locally

You can compile Preflight by running make build. It will create the binary in builds/preflight.

Create your preflight.yaml configuration file (you can take inspiration from the ones in ./examples).

Run Preflight (by default it looks for ./preflight.yaml)

preflight check

You can try ./examples/pods.preflight.yaml without having to change a line, if you have your kubeconfig (~/.kube/config) pointing to a working cluster.

preflight check --config-file=./examples/pods.preflight.yaml

You will see a CLI formatted report if everything goes well. Also, you will get a JSON report in ./output.

If you want to visualice the report in your browser, you can access preflight.jetstack.io and load the JSON report. This is a static website. Your report is not being uploaded to any server. Everything happens in your browser.

You can give it a try without even running the tool, since we provide some report examples (gke.json, pods.json) ready to be loaded in preflight.jetstack.io.

Preflight In-Cluster with periodic checks

See Installation Manual: Preflight In-Cluster.

You can’t perform that action at this time.