From 9b46c48c3e718ef01377e2acd51ece2a98b87bf2 Mon Sep 17 00:00:00 2001 From: an1l4 <1995anila@gmail.com> Date: Fri, 5 Apr 2024 18:15:28 +0530 Subject: [PATCH] kuberhealthy-trivy-enhance-readme --- README.md | 31 ++++++++++++ docs/CONFIGURATION_HEALTHCHECK.md | 82 +++++++++++++++++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 docs/CONFIGURATION_HEALTHCHECK.md diff --git a/README.md b/README.md index f9ce3923..9a0d2cc4 100644 --- a/README.md +++ b/README.md 
@@ -233,6 +233,37 @@ The TTL value is customizable, empowering you to define the specific duration af To guide you through the process of setting up a TTL, [please follow these steps](docs/CONFIGURATION_TTL.md) +#### Customizing Security Scanning + +KubViz enables you to perform cluster scans, image scans, and SBOM creation in CycloneDX format. Utilizing this scan, vulnerabilities can be identified. + +You can customize the security scans by changing the chart values. + +- To [Disable](https://github.com/intelops/kubviz/blob/main/charts/agent/values.yaml#L186) the cluster scan you can pass 0 or empty string + +```yaml +schedule: + enabled: true + trivyclusterscanInterval: 0 +... +``` +- For changing the interval, pass the interval time + +```yaml +schedule: + enabled: true + trivyclusterscanInterval: "@every 24h" +... +``` + +Same you can change for [image-scan](https://github.com/intelops/kubviz/blob/main/charts/agent/values.yaml#L184) and [sbom](https://github.com/intelops/kubviz/blob/main/charts/agent/values.yaml#L185) + +## Health Check + +You can run different types of checks against your Kubernetes cluster to detect any issues or potential problems before they cause any downtime or service disruptions. Check will run in the background and sends data to kubviz. After analysing the data from dashboard you can take corrective action quickly, if any issues are detected. + +Please check the [configuration](docs/CONFIGURATION_HEALTHCHECK.md) for health checks + ## Use Cases ### Cluster Event Tracking diff --git a/docs/CONFIGURATION_HEALTHCHECK.md b/docs/CONFIGURATION_HEALTHCHECK.md new file mode 100644 index 00000000..4c056750 --- /dev/null +++ b/docs/CONFIGURATION_HEALTHCHECK.md 
@@ -0,0 +1,82 @@ +## Introduction + +All health checks are enabled by default upon installing the KubViz agent. They are automatically included, but if you don't need them, you can disable them. + +```yaml +kuberhealthy: + enabled: false +... +``` + +## Types of Checks + +Check Name | Description | +------ | -------- | +Daemonset check | Ensures daemonsets can be successfully deployed | +DNS status check | Checks for failures with DNS, including resolving within the cluster and outside of the cluster | +Deployment check | Ensures that a Deployment and Service can be provisioned, created, and serve traffic within the Kubernetes cluster | +Image pull check | Verifies that an image can be pulled from an image repository | +Pod status check | Checks for unhealthy pod statuses in a target namespace | +Pod restart | Checks for excessive pod restarts in any namespace | +Resource quota check | Checks if resource quotas (CPU & memory) are available | + +## Configuration + +- Daemonset, Deployment, and DNS checks are enabled by default. + +- Pod Status, Pod Restart, Image Pull, and Resource Quota checks need to be manually enabled. + +```yaml +check: + podRestarts: + enabled: true +... +``` + +```yaml + podStatus: + enabled: true +... +``` + +```yaml + imagePullCheck: + enabled: true +... +``` + +```yaml + resourceQuota: + enabled: true +... +``` + +### Additional configuration for image-pull check + +1. Pull the test image from docker hub + +```bash +docker pull kuberhealthy/test-check +``` + +2. Push this image on the repository you need tested. + +```bash +docker push my.repository/repo/test-check +``` + +- The pod is designed to attempt a pull of the test image from the remote repository (never from local). If the image is unavailable, an error will be reported to the API + +### Additional configuration for resource quota check + +This check tests if namespace resource quotas CPU and memory are under a specified threshold or percentage. 
+ +You need to add the namespaces to the 'WHITELIST'. + +```yaml + extraEnvs: + BLACKLIST: "default" + WHITELIST: "kube-system,kubviz" +... +``` +
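Review bot: in the README hunk, the "disable" example and the "interval" example give the same key two different YAML types, `trivyclusterscanInterval: 0` (an integer) versus `trivyclusterscanInterval: "@every 24h"` (a string), while the prose says to pass "0 or empty string"; quote the value as `"0"` (or show `""` explicitly) so both examples use the type the chart template expects and the reader is not left guessing which form is accepted. The three links into `charts/agent/values.yaml` are pinned to line numbers on `main` (`#L184`, `#L185`, `#L186`), which will silently point at the wrong key as soon as that file changes; name the keys for image-scan and sbom in the text instead, or link to a commit-pinned permalink. Minor wording: "Same you can change for" reads better as "The same setting can be changed for", and "Check will run in the background and sends data to kubviz" should be "Checks run in the background and send data to KubViz".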
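Review bot: the new `docs/CONFIGURATION_HEALTHCHECK.md` contradicts itself on defaults: the Introduction states "All health checks are enabled by default upon installing the KubViz agent", but the Configuration section says "Pod Status, Pod Restart, Image Pull, and Resource Quota checks need to be manually enabled"; pick one and make the Introduction match the per-check list. The three follow-on snippets (`podStatus:`, `imagePullCheck:`, `resourceQuota:`) are shown indented without the `check:` parent that only the first snippet carries, so a reader copying one of them gets a top-level key the chart will ignore; either repeat `check:` in each block or collapse the four into one block. In the image-pull steps, `docker pull kuberhealthy/test-check` followed directly by `docker push my.repository/repo/test-check` will fail because the image was never tagged with the target name; add the intermediate `docker tag kuberhealthy/test-check my.repository/repo/test-check`, and say which value tells the check to pull from `my.repository/repo/test-check` rather than the default image. For the resource quota check, the text says to add namespaces to `WHITELIST` but the example also sets `BLACKLIST: "default"` with no explanation, and the "specified threshold or percentage" the check compares against is never shown; document both, and note that the leading space on `  extraEnvs:` implies a parent key that is missing from the snippet.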