Checking for Kubernetes best practices in your cluster

There are several best practices that you should follow on your Kubernetes deployments to ensure the best performance and resilience for your applications. You can use the kube-advisor tool to look for deployments that aren't following those suggestions.

About kube-advisor

The kube-advisor tool is a single container designed to be run on your cluster. It queries the Kubernetes API server for information about your deployments and returns a set of suggested improvements.

The kube-advisor tool can report on resource request and limits missing in PodSpecs for Windows applications as well as Linux applications, but the kube-advisor tool itself must be scheduled on a Linux pod. You can schedule a pod to run on a node pool with a specific OS using a node selector in the pod's configuration.

Note

The kube-advisor tool is supported by Microsoft on a best-effort basis. Issues and suggestions should be filed on GitHub.

Running kube-advisor

To run the tool on a cluster that is configured for Kubernetes role-based access control (Kubernetes RBAC), use the following commands. The first command creates a Kubernetes service account. The second command runs the tool in a pod using that service account and configures the pod for deletion after it exits.

kubectl apply -f https://raw.githubusercontent.com/Azure/kube-advisor/master/sa.yaml

kubectl run --rm -i -t kubeadvisor --image=mcr.microsoft.com/aks/kubeadvisor --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"serviceAccountName\": \"kube-advisor\" } }" --namespace default

If you aren't using Kubernetes RBAC, you can run the command as follows:

kubectl run --rm -i -t kubeadvisor --image=mcr.microsoft.com/aks/kubeadvisor --restart=Never

Within a few seconds, you should see a table describing potential improvements to your deployments.

Kube-advisor output

Checks performed

The tool validates several Kubernetes best practices, each with its own suggested remediation.

Resource requests and limits

Kubernetes supports defining resource requests and limits on pod specifications. The request defines the minimum CPU and memory required to run the container. The limit defines the maximum CPU and memory that should be allowed.

By default, no requests or limits are set on pod specifications. This can lead to nodes being overscheduled and containers being starved. The kube-advisor tool highlights pods without requests and limits set.
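
The check described above can be reproduced offline against saved pod JSON. The following Python script is an added example, not kube-advisor's own code and not part of the original page. The sample pod list is constructed, in the shape returned by kubectl get pods --all-namespaces -o json, and the function names and the choice to also inspect init containers are assumptions made for this example.

```python
import json

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web-1"},
   "spec": {"containers": [
     {"name": "nginx",
      "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                    "limits": {"cpu": "250m", "memory": "256Mi"}}},
     {"name": "sidecar", "resources": {"requests": {"cpu": "50m"}}}]}},
  {"metadata": {"namespace": "batch", "name": "job-7"},
   "spec": {"initContainers": [{"name": "init", "resources": {}}],
            "containers": [{"name": "worker"}]}}
]}
""")

# Every container is expected to declare all four of these fields.
REQUIRED = [(kind, res) for kind in ("requests", "limits")
            for res in ("cpu", "memory")]


def missing_resources(container):
    """Return 'requests.cpu'-style names for fields that are absent or empty."""
    resources = container.get("resources") or {}
    return [f"{kind}.{res}" for kind, res in REQUIRED
            if not (resources.get(kind) or {}).get(res)]


def audit(pod_list):
    """Return (namespace, pod, container, missing_fields) per offending container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        # Assumption of this example: init containers are audited as well.
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for container in containers:
            missing = missing_resources(container)
            if missing:
                findings.append((meta["namespace"], meta["name"],
                                 container["name"], missing))
    return findings


if __name__ == "__main__":
    for ns, pod, container, missing in audit(SAMPLE_POD_LIST):
        print(f"{ns}/{pod} [{container}]: missing {', '.join(missing)}")
```

To run it against a live cluster, load the output of kubectl get pods --all-namespaces -o json with json.load and pass the result to audit in place of the constructed sample.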

Cleaning up

If your cluster has Kubernetes RBAC enabled, you can clean up the ClusterRoleBinding after you've run the tool using the following command:

kubectl delete -f https://raw.githubusercontent.com/Azure/kube-advisor/master/sa.yaml

If you are running the tool against a cluster that is not Kubernetes RBAC-enabled, no cleanup is required.
