KubeDeckio/KubeBuddy v0.0.23

KubeBuddy v0.0.23

on GitHub

[0.0.23] – 2025-06-18

Added

• Automatic dark mode: The HTML report now respects your browser’s prefers-color-scheme setting and will automatically switch to a dark theme when your system is in dark mode.

• Expanded Storage Checks: Introduced a comprehensive set of new checks to enhance Kubernetes storage monitoring and optimization:

  • PV001: Orphaned Persistent Volumes: Detects Persistent Volumes not bound to any Persistent Volume Claim, helping to reclaim unused storage.
  • PVC002: PVCs Using Default StorageClass: Flags PVCs that implicitly rely on a default storageClassName, encouraging explicit configuration for better clarity and portability.
  • PVC003: ReadWriteMany PVCs on Incompatible Storage: Warns about PVCs requesting ReadWriteMany access mode when the underlying storage is typically block-based and doesn't support concurrent writes from multiple nodes, preventing potential data corruption.
  • PVC004: Unbound Persistent Volume Claims: Flags PVCs stuck in a Pending phase, often indicating issues with the StorageClass, available PVs, or the storage provisioner.
  • SC001: Deprecated StorageClass Provisioners: Identifies StorageClasses using deprecated or legacy in-tree provisioners, recommending migration to CSI drivers for future compatibility.
  • SC002: StorageClass Prevents Volume Expansion: Detects StorageClasses that do not allow volume expansion, which can limit dynamic scaling of stateful applications.
  • SC003: High Cluster Storage Usage: Monitors the overall percentage of used storage across the cluster, alerting when usage exceeds predefined thresholds (80%). Uses Prometheus.

• Expanded Networking Checks: Added several new checks to identify common misconfigurations and security risks in Kubernetes networking:

  • NET005: Ingress Host/Path Conflicts: Detects Ingress resources with overlapping host and path combinations, which can lead to unpredictable traffic routing.
  • NET006: Ingress Using Wildcard Hosts: Flags Ingress resources using wildcard hostnames (*.example.com), which may provide broader access than intended and should be reviewed.
  • NET007: Service TargetPort Mismatch: Identifies Services where the targetPort does not match any containerPort in the backing pods, preventing effective traffic delivery.
  • NET008: ExternalName Service to Internal IP: Highlights ExternalName type Services configured to point to private IP ranges, potentially indicating an unusual or misconfigured internal routing pattern.
  • NET009: Overly Permissive Network Policy: Warns about NetworkPolicies that define policyTypes but lack specific rules (allowing all traffic for that type) or include overly broad ipBlock definitions like 0.0.0.0/0.
  • NET010: Network Policy Overly Permissive IPBlock: Specifically identifies NetworkPolicies that utilize 0.0.0.0/0 in their ipBlock rules, granting unrestricted access which poses a significant security risk.
  • NET011: Network Policy Missing PolicyTypes: Flags NetworkPolicies that do not explicitly define policyTypes, improving clarity and ensuring consistent behavior across different Kubernetes versions and CNI plugins.
  • NET012: Pod HostNetwork Usage: Identifies pods configured with hostNetwork: true, which allows direct access to the node's network interfaces, bypassing Kubernetes network isolation and potentially increasing security risk.

• Pod Density per Node check (NODE003):

  • Calculates pod density as (running pods ÷ max‑pods capacity) × 100.
  • Alerts when percentage crosses warning (80% default) or critical (90% default) thresholds.

• Workload Label Consistency Check (WRK009):

  • Ensures that Deployment selectors match the labels on their Pod templates and that Services targeting those Deployments use consistent label selectors.
  • Helps catch silent routing issues or monitoring mismatches caused by label typos or misalignment.
  • Applies to Deployments and their associated Pods and Services.