Usage
Installation
kubechecks currently only officially supports deployment to a Kubernetes Cluster via Helm.
Requirements
- Kubernetes Cluster
- Github/Gitlab token (for authenticating to the repository)
- ArgoCD
Helm Installation
To get started, add the kubechecks repository to Helm:
Add kubechecks helm chart repo
helm repo add kubechecks https://zapier.github.io/kubechecks/
Once installed, simply run:
helm install kubechecks charts/kubechecks -n kubechecks --create-namespace
Refer to configuration for details about the various options available for customising kubechecks. You must provide the required secrets in some capacity; refer to the chart for more details
Configuration
kubechecks can be configured to meet your specific set up through the use of enviornment variables defined in your provided values.yaml.
The full list of supported environment variables is described below:
| Env Var | Description | Default Value |
|---|---|---|
KUBECHECKS_ARGOCD_API_INSECURE |
Enable to use insecure connections to the ArgoCD API server. | false |
KUBECHECKS_ARGOCD_API_SERVER_ADDR |
ArgoCD API Server Address. | argocd-server |
KUBECHECKS_ARGOCD_API_TOKEN |
ArgoCD API token. | |
KUBECHECKS_ENABLE_CONFTEST |
Set to true to enable conftest policy checking of manifests. | false |
KUBECHECKS_ENABLE_HOOKS_RENDERER |
Render hooks. | true |
KUBECHECKS_ENABLE_KUBECONFORM |
Enable kubeconform checks. | true |
KUBECHECKS_ENABLE_PREUPGRADE |
Enable preupgrade checks. | true |
KUBECHECKS_ENSURE_WEBHOOKS |
Ensure that webhooks are created in repositories referenced by argo. | false |
KUBECHECKS_FALLBACK_K8S_VERSION |
Fallback target Kubernetes version for schema / upgrade checks. | 1.23.0 |
KUBECHECKS_KUBERNETES_CONFIG |
Path to your kubernetes config file, used to monitor applications. | |
KUBECHECKS_LABEL_FILTER |
(Optional) If set, The label that must be set on an MR (as "kubechecks: |
|
KUBECHECKS_LOG_LEVEL |
Set the log output level. One of error, warn, info, debug, trace. | info |
KUBECHECKS_MAX_CONCURRENCT_CHECKS |
Number of concurrent checks to run. | 32 |
KUBECHECKS_MAX_QUEUE_SIZE |
Size of app diff check queue. | 1024 |
KUBECHECKS_MONITOR_ALL_APPLICATIONS |
Monitor all applications in argocd automatically. | false |
KUBECHECKS_OPENAI_API_TOKEN |
OpenAI API Token. | |
KUBECHECKS_OTEL_COLLECTOR_HOST |
The OpenTelemetry collector host. | |
KUBECHECKS_OTEL_COLLECTOR_PORT |
The OpenTelemetry collector port. | |
KUBECHECKS_OTEL_ENABLED |
Enable OpenTelemetry. | false |
KUBECHECKS_PERSIST_LOG_LEVEL |
Persists the set log level down to other module loggers. | false |
KUBECHECKS_POLICIES_LOCATION |
Sets rego policy locations to be used for every check request. Can be common path inside the repos being checked or git urls in either git or http(s) format. | [./policies] |
KUBECHECKS_REPO_REFRESH_INTERVAL |
Interval between static repo refreshes (for schemas and policies). | 5m |
KUBECHECKS_SCHEMAS_LOCATION |
Sets schema locations to be used for every check request. Can be common paths inside the repos being checked or git urls in either git or http(s) format. | [./schemas] |
KUBECHECKS_SHOW_DEBUG_INFO |
Set to true to print debug info to the footer of MR comments. | false |
KUBECHECKS_TIDY_OUTDATED_COMMENTS_MODE |
Sets the mode to use when tidying outdated comments. One of hide, delete. | hide |
KUBECHECKS_VCS_BASE_URL |
VCS base url, useful if self hosting gitlab, enterprise github, etc. | |
KUBECHECKS_VCS_TOKEN |
VCS API token. | |
KUBECHECKS_VCS_TYPE |
VCS type. One of gitlab or github. | gitlab |
KUBECHECKS_WEBHOOK_SECRET |
Optional secret key for validating the source of incoming webhooks. | |
KUBECHECKS_WEBHOOK_URL_BASE |
The endpoint to listen on for incoming PR/MR event webhooks. For example, 'https://checker.mycompany.com'. | |
KUBECHECKS_WEBHOOK_URL_PREFIX |
If your application is running behind a proxy that uses path based routing, set this value to match the path prefix. For example, '/hello/world'. | |
KUBECHECKS_WORST_CONFTEST_STATE |
The worst state that can be returned from conftest. | panic |
KUBECHECKS_WORST_HOOKS_STATE |
The worst state that can be returned from the hooks renderer. | panic |
KUBECHECKS_WORST_KUBECONFORM_STATE |
The worst state that can be returned from kubeconform. | panic |
KUBECHECKS_WORST_PREUPGRADE_STATE |
The worst state that can be returned from preupgrade checks. | panic |