From 9b1a63db29995fa1ddc6cc2f55dbf7a05fc154e4 Mon Sep 17 00:00:00 2001
From: Evans Mungai
Date: Mon, 21 Jul 2025 15:22:24 +0100
Subject: [PATCH 1/4] feat: add infra-management-tools preflight check
Signed-off-by: Evans Mungai
---
host/infra-management-tools.yaml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 host/infra-management-tools.yaml
diff --git a/host/infra-management-tools.yaml b/host/infra-management-tools.yaml
new file mode 100644
index 0000000..ca2d61b
--- /dev/null
+++ b/host/infra-management-tools.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: troubleshoot.sh/v1beta2
+kind: HostPreflight
+metadata:
+ name: infra-management-tools
+spec:
+ collectors:
+ - run:
+ collectorName: "ps-detect-infra-management-tools"
+ command: "sh"
+ args: [-c, "ps -ef | grep -E 'puppet|chef-client|cf-agent' | grep -v grep"]
+ analyzers:
+ - textAnalyze:
+ checkName: "Detected Infrastructure Management Tools"
+ fileName: host-collectors/run-host/ps-detect-infra-management-tools.txt
+ regex: '\b(puppet|chef-client|cf-agent)\b'
+ ignoreIfNoFiles: true
+ outcomes:
+ - fail:
+ when: "true"
+ message: "Infrastructure management tools detected. These tools can modify system configurations needed for kubernetes operation. Check 'host-collectors/run-host/ps-detect-infra-management-tools.txt' in the preflight archive for the list of detected tools. Ensure the tools are either disabled or configured to not interfere with configurations needed for kubernetes operation."
+ - pass:
+ when: "false"
+ message: "No Infrastructure Management tools detected."
From c93524c1be47ad21b103880c048be6e6254aa145 Mon Sep 17 00:00:00 2001
From: Evans Mungai
Date: Mon, 21 Jul 2025 15:25:02 +0100
Subject: [PATCH 2/4] Warn do not fail
Checks are informational and should not report as failures
Signed-off-by: Evans Mungai
---
host/infra-management-tools.yaml | 2 +-
host/security-tools-preflights.yaml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
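Review bot: The `args:` line reports a management tool whenever one of the names appears anywhere in the full `ps -ef` command line, so a process that merely references `puppet` or `chef-client` in an argument (an editor open on a config file, a shell reading a log) is counted, and the `\b` boundaries in the analyzer `regex:` do not exclude path components either. The check also sees only agents that are running at collection time; an agent that runs on a schedule (cron, a systemd timer) is invisible between runs, so a clean result is not proof of absence. Both limits belong in a header comment so operators reading the archive interpret the outcome correctly, e.g. `# Process-based detection only: agents that run on a schedule are missed between runs, and any process mentioning these names in its arguments is reported.` A package-level check alongside the process scan, as the security-tools preflight in this series appears to do with its `security-tools-packages` collector, would cover the scheduled case.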
diff --git a/host/infra-management-tools.yaml b/host/infra-management-tools.yaml
index ca2d61b..336fe87 100644
--- a/host/infra-management-tools.yaml
+++ b/host/infra-management-tools.yaml
@@ -16,7 +16,7 @@ spec:
 regex: '\b(puppet|chef-client|cf-agent)\b'
 ignoreIfNoFiles: true
 outcomes:
- - fail:
+ - warn:
 when: "true"
 message: "Infrastructure management tools detected. These tools can modify system configurations needed for kubernetes operation. Check 'host-collectors/run-host/ps-detect-infra-management-tools.txt' in the preflight archive for the list of detected tools. Ensure the tools are either disabled or configured to not interfere with configurations needed for kubernetes operation."
 - pass:
diff --git a/host/security-tools-preflights.yaml b/host/security-tools-preflights.yaml
index 8948d2e..5cbbca9 100644
--- a/host/security-tools-preflights.yaml
+++ b/host/security-tools-preflights.yaml
@@ -26,7 +26,7 @@ spec:
 regex: '\b(clamav|sophos|esets_daemon|fsav|symantec|mfend|ds_agent|kav|bdagent|s1agent|falcon|illumio|xagt|wdavdaemon|mdatp)\b'
 ignoreIfNoFiles: true
 outcomes:
- - fail:
+ - warn:
 when: "true"
 message: "Antivirus or network security tools detected. These tools can interfere with kubernetes operation. Check 'host-collectors/run-host/ps-detect-antivirus-and-security-tools.txt' in the preflight archive for the list of detected tools. Ensure the tools are either disabled or configured to not interfere with kubernetes operation."
 - pass:
@@ -36,7 +36,7 @@ spec:
 checkName: "Detected Security Packages"
 collectorName: security-tools-packages
 outcomes:
- - fail:
+ - warn:
 when: '{{ .IsInstalled }}'
 message: Package {{ .Name }} is installed. This tool can interfere with kubernetes operation. Ensure the tool is either disabled or configured to not interfere with kubernetes operation.
 - pass:
From afa3146ecd407b70ab4905b0cf5e296ebc1b7f1b Mon Sep 17 00:00:00 2001
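Review bot: Changing `- fail:` to `- warn:` on the outcome line alters what `preflight --interactive=false` reports for a detected tool, and anything that gates on the command's exit status needs to agree with that: the CLI appears to use distinct non-zero exit codes for fail and warn results, so confirm the installer treats a warn-only run as acceptable rather than as a failure (inferred; verify against the preflight version in use). The two `host/security-tools-preflights.yaml` hunks make the same change and carry the same consideration. Since the commit message states these checks are informational, a header comment in each file, e.g. `# Informational check: a match is reported as warn, not fail, and does not by itself block installation.`, would keep that decision visible to the next editor.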
From: Evans Mungai
Date: Tue, 22 Jul 2025 07:04:01 +0100
Subject: [PATCH 3/4] Add storage checks host preflight using DATA_DIR and STORAGE env vars
Signed-off-by: Evans Mungai
---
host/storage-checks.yaml | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 host/storage-checks.yaml
diff --git a/host/storage-checks.yaml b/host/storage-checks.yaml
new file mode 100644
index 0000000..0366cc3
--- /dev/null
+++ b/host/storage-checks.yaml
@@ -0,0 +1,23 @@
+# This preflight checks the available storage space on the data directory.
+# Usage:
+# DATA_DIR=/opt/data STORAGE=50Gi envsubst < storage-checks.yaml | sudo preflight - --interactive=false
+
+apiVersion: troubleshoot.sh/v1beta2
+kind: HostPreflight
+metadata:
+ name: storage-checks
+spec:
+ collectors:
+ - diskUsage:
+ collectorName: data-dir-disk-usage
+ path: $DATA_DIR
+ analyzers:
+ - diskUsage:
+ checkName: Data Directory Disk Space
+ collectorName: data-dir-disk-usage
+ outcomes:
+ - fail:
+ when: 'available < $STORAGE'
+ message: The filesystem at $DATA_DIR has less than $STORAGE of available storage space needed to for this installation.
+ - pass:
+ message: The filesystem at $DATA_DIR has sufficient available space
From 4cd1956ac9bdb271396ee07b6dcccc447633d127 Mon Sep 17 00:00:00 2001
From: Evans Mungai
Date: Tue, 22 Jul 2025 07:28:14 +0100
Subject: [PATCH 4/4] Add pod capacity check for in-cluster preflight
Signed-off-by: Evans Mungai
---
in-cluster/check-pod-limits.yaml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 in-cluster/check-pod-limits.yaml
diff --git a/in-cluster/check-pod-limits.yaml b/in-cluster/check-pod-limits.yaml
new file mode 100644
index 0000000..e7da05e
--- /dev/null
+++ b/in-cluster/check-pod-limits.yaml
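Review bot: The fail `message:` line reads "needed to for this installation"; it should be `message: The filesystem at $DATA_DIR has less than $STORAGE of available storage space needed for this installation.` Separately, `envsubst` replaces an unset variable with an empty string instead of failing, so a run without `DATA_DIR` or `STORAGE` produces `path:` (a YAML null) and `when: 'available < '`, which the parser accepts and which then reaches the collector and analyzer with no obvious signal to the operator; how the analyzer evaluates that expression is not visible here. Quoting the path as `path: "$DATA_DIR"`, matching the `podCapacity: "$POD_CAPACITY"` style in the pod-limits preflight, at least keeps an empty expansion a string, and invoking `envsubst '$DATA_DIR $STORAGE'` limits substitution to the two intended variables so other dollar signs in the file are left intact. The usage comment should state that both variables are required.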
@@ -0,0 +1,22 @@
+# This preflight checks the number of nodes in the cluster with 110 pods capacity.
+# Usage:
+# POD_CAPACITY=110 MIN_NODES=3 envsubst < check-pod-limits.yaml | preflight -
+
+apiVersion: troubleshoot.sh/v1beta2
+kind: Preflight
+metadata:
+ name: check-pod-limits
+spec:
+ collectors:
+ - clusterResources: {}
+ analyzers:
+ - nodeResources:
+ checkName: Must have at least $MIN_NODES nodes in the cluster with $POD_CAPACITY pods capacity
+ filters:
+ podCapacity: "$POD_CAPACITY"
+ outcomes:
+ - fail:
+ when: "count() < $MIN_NODES"
+ message: This application requires at least $MIN_NODES nodes with $POD_CAPACITY pods capacity
+ - pass:
+ message: This cluster has enough nodes.
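Review bot: The first header comment hard-codes `110` while the check itself is parameterized through `$POD_CAPACITY` and `$MIN_NODES`; `# This preflight checks that at least MIN_NODES nodes in the cluster have POD_CAPACITY pods capacity.` keeps the comment true for any value (written without `$` so envsubst leaves it alone). As with the storage preflight, an unset `MIN_NODES` expands to `when: "count() < "` because envsubst does not fail on missing variables, so the usage comment should say both variables are required. The `pass` message could also name the threshold, e.g. `message: This cluster has at least $MIN_NODES nodes with $POD_CAPACITY pods capacity.`, so the archive records what was actually verified.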