Services Showcase About Blog

Kubernetes object linting with popeye
Picture of Alan Christie.
Alan Christie 2023-02-27
Automation Kubernetes
POST

Try using popeye, a Kubernetes Cluster Sanitizer, to help lint objects deployed to Kubernetes to detect misconfigurations, and give you some feedback on compliance with community best practices.

It seems that half the fun with software development today is creating fun new framework names, simply to give you an opportunity to create a neat product logo. Popeye makes you smile as a framework but also provides you with some valuable insight into potential flaws in your Kubernetes object configurations.

It’s essentially a linter for Kubernetes objects and we’ve been experimenting with it for our own deployments.

You can throw popeye at your cluster “raw” but you might be disappointed with the noise it produces, even with what you might consider to be “sensibly configured” objects. Nevertheless install it and run it on one of your namespaces to see what it throws up.

Armed with a Kubernetes configuration file you could run popeye on the my-namespace namespace with the following command: -

$ popeye --kubeconfig ~/k8s-config/my-config --namespace my-namespace

If your namespace has a Service object you might see output like this: -

SERVICES (5 SCANNED)                                                              E:0 W:5 I:0 OK:0 0%%
=====================================================================================================
  · data-manager-api-test/database..................................................................W
    W [POP-1109] Only one associated endpoint.
  · data-manager-api-test/dm-api....................................................................W
    W [POP-1109] Only one associated endpoint.
  · data-manager-api-test/instance-11c71cd0-3226-4989-a06c-45dfd80f5d9c.............................W
    I [POP-1102] Use of target port #8888 for service port TCP:8888-tcp:8888. Prefer named port.
    W [POP-1109] Only one associated endpoint.
  · data-manager-api-test/moldb-database............................................................W
    I [POP-1102] Use of target port #5432 for service port TCP::5432. Prefer named port.
    W [POP-1109] Only one associated endpoint.
  · data-manager-api-test/rabbitmq..................................................................W
    W [POP-1109] Only one associated endpoint.

It complains a lot.

Most of the above is warning you that there’s only one receiver for the endpoint (only one Pod when you should probably have more than one). Don’t despair - this is where popeye’s spinach files come in.

The spinach configuration file is essentially its lint configuration.

The spinach file is a YAML file that allows you to fine-control popeye’s response. For the above you could silence all the Only one associated endpoint. warnings with a spinach file like this: -

---
popeye:
  excludes:
    v1/services:
    - name: rx:data-manager-api-test
      codes:
      - 1109

If this is stored in the file my-spinach.yaml you would re-run popeye with: -

$ popeye --kubeconfig ~/k8s-config/my-config --namespace my-namespace --file my-spinach.yaml

To see the reduced output: -

SERVICES (5 SCANNED)                                                              E:0 W:0 I:2 OK:0 0%%
=====================================================================================================
  · data-manager-api-test/instance-11c71cd0-3226-4989-a06c-45dfd80f5d9c.............................I
    I [POP-1102] Use of target port #8888 for service port TCP:8888-tcp:8888. Prefer named port.
    W [POP-1109] Only one associated endpoint.
  · data-manager-api-test/moldb-database............................................................I
    I [POP-1102] Use of target port #5432 for service port TCP::5432. Prefer named port.

And then further reduce the output by limiting it to warnings (or errors) with: -

$ popeye --kubeconfig ~/k8s-config/my-config --namespace my-namespace --file my-spinach.yaml --lint warning

To, finally, get this output: -

SERVICES (2 SCANNED)                                                            E:0 W:0 I:0 OK:2 100%%
=====================================================================================================
  · Nothing to report.

Obviously it’s bad form to silence warnings, so most of your work might be adjusting your deployment to remove them, rather than using spinach to hide them. But this was just a brief tutorial for what appears to be a really useful tool.

latest posts
2024-06-17
Kubernetes PreStop Lifecycle Hooks
2024-02-01
Molecule depiction in Squonk
2024-01-29
Squonk job execution
2023-08-04
A kubernetes volume replicator
2023-07-31
Squonk2 launch
by year
2024
Kubernetes PreStop Lifecycle Hooks Molecule depiction in Squonk Squonk job execution
2023
A kubernetes volume replicator Squonk2 launch Fixing a broken etcd cluster AWS ParallelCluster v3 Custom Images Migrating to AWS ParallelCluster v3 Kubernetes object linting with popeye
2021
Installing Keycloak on Django Rest Framework Virtual screening with Parallel Cluster and Nextflow Smaller Containers - Part 4 GitHub Actions for container images
2020
Fragment Network REST API Cookie-cutting Ansible Kubernetes Projects Deploying container images from a private GitLab registry Fragment network basics Fragment network intro Redirecting to www with an nginx ingress Installing Kubernetes with Pharos Virtual screening for SARS-Cov-2 main protease inhibitors
2019
RDKit Docker Images for Centos8 Fragnet search webinar Fragment network webinar
2018
Cavities and Frankenstein molecules Building machine images with Packer Python and the Jenkins API Smaller Containers - Part 3 Applying the build process to the deployment Smaller Containers - Part 2 What is a Good Test Coverage Target? Smaller Containers - Part 1 Blog Introduction
by category
Blog
Blog Introduction
Containers
Smaller Containers - Part 4 GitHub Actions for container images Deploying container images from a private GitLab registry RDKit Docker Images for Centos8 Smaller Containers - Part 3 Smaller Containers - Part 2 Smaller Containers - Part 1
Software design
What is a Good Test Coverage Target?
Automation
AWS ParallelCluster v3 Custom Images Migrating to AWS ParallelCluster v3 Kubernetes object linting with popeye GitHub Actions for container images Cookie-cutting Ansible Kubernetes Projects Installing Kubernetes with Pharos Building machine images with Packer Python and the Jenkins API Applying the build process to the deployment
IaC
AWS ParallelCluster v3 Custom Images Migrating to AWS ParallelCluster v3 Building machine images with Packer Applying the build process to the deployment
Docking
Virtual screening with Parallel Cluster and Nextflow Virtual screening for SARS-Cov-2 main protease inhibitors Cavities and Frankenstein molecules
Fragment network
Fragment Network REST API Fragment network basics Fragment network intro Virtual screening for SARS-Cov-2 main protease inhibitors Fragnet search webinar Fragment network webinar
Kubernetes
Kubernetes PreStop Lifecycle Hooks A kubernetes volume replicator Fixing a broken etcd cluster Kubernetes object linting with popeye Cookie-cutting Ansible Kubernetes Projects Deploying container images from a private GitLab registry Redirecting to www with an nginx ingress Installing Kubernetes with Pharos
Web
Redirecting to www with an nginx ingress
Ansible
Cookie-cutting Ansible Kubernetes Projects
Python
Installing Keycloak on Django Rest Framework
Squonk
Molecule depiction in Squonk Squonk job execution Squonk2 launch