Preflight is a tool to automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA).
Preflight was originally designed to automate Jetstack's production readiness assessments. These are consulting sessions in which a Jetstack engineer inspects a customer's cluster to suggest improvements and identify configuration issues. The product of this assessment is a report which describes any problems and offers remediation advice.
While these assessments have provided a lot of value to many customers, with a complex system like Kubernetes it's hard to thoroughly check everything. Automating the checks allows them to be more comprehensive and much faster.
The automation also allows the checks to be run repeatedly, meaning they can be deployed in-cluster to provide continuous configuration checking. This enables new use cases such as policy compliance audits.
The Preflight Agent uses data gatherers to collect required data from Kubernetes and cloud provider APIs before formatting it as JSON for analysis. Once data has been collected, it is sent to the configured backend.
To run the Agent locally you can run:
preflight agent --agent-config-file ./path/to/agent/config/file.yaml
To run a version from master:
go run main.go agent --agent-config-file ./path/to/agent.yaml
You can find the example agent file here.
You might also want to run a local echo server to monitor requests the agent sends:
go run main.go echo
Policies for cluster configuration are encoded into Preflight packages. You can find some examples in ./preflight-packages.
Each package focuses on a different aspect of the cluster. For example, the gke_basic package provides rules for the configuration of a GKE cluster, and the pods package provides rules for the configuration of Kubernetes Pods.
A Preflight package consists of a Policy Manifest and a Rego package.
The Policy Manifest is a YAML file that specifies a package's rules. It gives descriptions of the rules and remediation advice, so the tool can display useful information when a rule doesn't pass.
Rego is OPA's high-level declarative language for specifying rules. Rego rules can be defined in multiple files grouped into logical Rego packages.
Anyone can create new Preflight packages to perform their own checks. The Preflight docs include a guide on how to write packages.
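As an added illustration of the Rego half of a package (this is example code, not a rule from the repo's preflight-packages), the package below defines two Pod checks in the style described above. It assumes the gathered data places the Kubernetes Pod list at input.k8s.pods.items, in the shape returned by the Kubernetes API, and uses the rego.v1 keyword syntax (OPA 0.59 or later).

```rego
# Example package in the style of a Preflight "pods" package (added here, not
# part of the project). The input layout (input.k8s.pods.items holding Pod
# objects as returned by the Kubernetes API) is an assumption.
package preflight.pods_example

import rego.v1

# Rule: every container must declare CPU and memory limits.
# The rule is a set of messages; an empty set means the check passes.
container_resource_limits contains msg if {
    some pod in input.k8s.pods.items
    some container in pod.spec.containers
    not has_limits(container)
    msg := sprintf("%s/%s: container %s declares no resources.limits",
        [pod.metadata.namespace, pod.metadata.name, container.name])
}

# A container passes when both cpu and memory limits are present.
has_limits(container) if {
    container.resources.limits.cpu
    container.resources.limits.memory
}

# Rule: no container may run with privileged: true in its securityContext.
no_privileged_containers contains msg if {
    some pod in input.k8s.pods.items
    some container in pod.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("%s/%s: container %s runs privileged",
        [pod.metadata.namespace, pod.metadata.name, container.name])
}

# Pass/fail summary per rule: true when no violation message was produced.
results := {
    "container_resource_limits": count(container_resource_limits) == 0,
    "no_privileged_containers": count(no_privileged_containers) == 0,
}
```

With a Pod list saved as pods.json in the assumed layout, the rules can be evaluated directly with `opa eval -i pods.json -d pods_example.rego 'data.preflight.pods_example'`, which prints both the summary and the individual violation messages.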
Preflight binaries and bundles, which include a binary and all the packages in this repo, can be downloaded from the releases page.
You can compile Preflight by running make build. It will create the binary in builds/preflight.
Create your preflight.yaml configuration file. There is full configuration documentation available, as well as several example files in ./examples.
By default Preflight looks for a configuration at ./preflight.yaml. Once this is set up, run a Preflight check like so:
preflight check
You can try the Pods example ./examples/pods.preflight.yaml without having to change a line, if your kubeconfig is located at ~/.kube/config and is pointing to a working cluster.
preflight check --config-file=./examples/pods.preflight.yaml
You will see a CLI formatted report if everything goes well. You will also get a JSON report in ./output.
If you want to visualise the report in your browser, you can access the Preflight Web UI and load the JSON report. This is a static website. Your report is not being uploaded to any server. Everything happens in your browser.
You can give it a try without even running the tool, since we provide some report examples, gke.json and pods.json, ready to be loaded into the Preflight Web UI.
Preflight can be installed in-cluster to run continuous checks. See the Installation Manual: Preflight In-Cluster.