This InSpec resource pack provides InSpec helpers to validate the spec of any object/resource inside Kubernetes.
At this point, the following Inspec base resources are implemented:
- k8sobjects
- k8sobject
This allows for listing/filtering objects:
describe k8sobjects(api: 'v1', type: 'pods', namespace: 'default', labelSelector: 'run=nginx') do
it { should exist }
...
enddescribe k8sobjects(api: 'v1', type: 'namespaces', labelSelector: 'myns=prod') do
it { should exist }
...
endAnd then for assessing the spec of a specific object:
describe k8sobject(api: 'v1', type: 'pod', namespace: 'default', name: 'my-pod') do
it { should exist }
its('name') { should eq 'my-pod' }
...
endIn order to use file resource against a file inside the pod. This is useful to identify permissions, owner, type etc.. Currently it supports only Linux based containers.
describe k8s_exec_file(path: 'FULLY_QUALIFIED_PATH', pod: 'POD_NAME', namespace: 'NAMESPACE_NAME') do
it { should exist }
it { should be_file }
it { should be_readable }
it { should be_writable }
it { should be_executable.by_user('root') }
it { should be_owned_by 'root' }
its('mode') { should cmp '0644' }
end- Inspec 3.7+ or 4.x+
- InSpec K8s train/backend plugin train-kubernetes
Refer to the sample inspec-k8s profile.
If you run into issues installing via inspec plugin install train-kubernetes, try:
- Running
gem install train-kubernetesbeforeinspec plugin install train-kubernetes. - Ensure the
~/.inspec/plugins.jsonhas"0.1.3"and not"= 0.1.3"for theversionvalue. Modify it by hand if needed. - Ensure you can cleanly install the
k8s-clientgem version0.10.4or greater. e.g.gem install k8s-client -v 0.10.4 - Ensure that only one version of the
excongem is installed. For example,gem list | grep excon. If you see two versions,gem uninstall exconand remove the older version.
Currently maintained by Chef Software, Inc. Originally created by Brad Geesaman.