Compliance Testing with Sonobuoy


Last updated 5 years ago


In the nautical world, the word sonobuoy refers to an unmoored sonar buoy equipped with an acoustic receiver and a radio transmitter that emits radio signals when it detects underwater sounds.

If you're on a cloud native voyage in the world of Kubernetes, the word takes on a somewhat similar meaning: Sonobuoy is an open source diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of plug-ins in an accessible and non-destructive manner. The plug-ins include the Kubernetes conformance tests.

As such, Sonobuoy is a customizable, extensible, and cluster-agnostic way to generate clear, informative reports about your cluster, regardless of your deployment details. Sonobuoy is the underlying technology powering the Certified Kubernetes Conformance Program, which was created by the Cloud Native Computing Foundation (CNCF) and is used by every Certified Kubernetes Service Provider.

Use Cases

Sonobuoy's plug-in model and selective data dumps of Kubernetes resource objects and cluster nodes let you address an expanding set of use cases, including the following:

  • Integrated end-to-end conformance testing of Kubernetes clusters

  • Workload debugging

  • Custom data collection by using extensible plug-ins

Components

Sonobuoy has three main components:

  • A command-line utility that you use to trigger conformance tests, check status, view activity logs, and retrieve and analyze test results.

  • An aggregator that runs in a Kubernetes pod to start plug-ins and aggregate their test results.

  • Plug-ins that execute in ephemeral namespaces with a Sonobuoy sidecar to run specific tests or conformance frameworks.

With a single Sonobuoy command, you can run the same tests that are used to qualify an upstream Kubernetes release. This ability provides strong levels of assurance that your cluster is configured correctly, and you can use the tool to debug configuration problems.

Native Extensibility Through Plug-ins

Sonobuoy provides several plug-ins out of the box, including a systemd log collector and the upstream end-to-end Kubernetes conformance test suite. Sonobuoy is the community standard tool for executing conformance tests on a Kubernetes cluster; however, its architecture is designed to accomplish much more.

A custom plug-in can be developed by creating a plug-in definition file that describes how the plug-in is structured and what parameters the plug-in requires. The plug-in then needs to follow a documented API that provides a communication mechanism for Sonobuoy to inform it of the plug-in’s status, including whether it is pending, running, or complete.

This enhanced support for custom plug-ins means that you can easily write and integrate any logic into the workflow that you need; for example, you can write logic that lets you do the following:

  • Ensure your cluster fulfills your organization’s security requirements.

  • Test whether your cluster complies with industry standards.

  • Check availability and connectivity of private, custom resources.

  • Perform in-cluster benchmarking.
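
As an added example (not code from this page or from the Sonobuoy project), here is the body of a custom plug-in for the first use case in the list above. It assumes a results contract in which the plug-in writes its report into a results directory and then writes the report's path into a file named `done`; the policy (no privileged containers, no `hostNetwork`), the report file name, and the sample pod list are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample: trimmed shape of `kubectl get pods -A -o json` output.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"containers": [{"name": "nginx",
                            "securityContext": {"privileged": false}}]}},
  {"metadata": {"namespace": "kube-system", "name": "node-agent"},
   "spec": {"hostNetwork": true,
            "containers": [{"name": "agent",
                            "securityContext": {"privileged": true}}]}}
]}
""")


def audit_pods(pod_list):
    """Return one finding per violation of the assumed policy."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        if spec.get("hostNetwork"):
            findings.append(f"{ref}: hostNetwork is enabled")
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for ctr in containers:
            # securityContext may be absent or null; treat both as unprivileged.
            if (ctr.get("securityContext") or {}).get("privileged"):
                findings.append(f"{ref}: container {ctr.get('name')} is privileged")
    return findings


def write_results(findings, results_dir):
    """Write the report, then the done file that signals completion."""
    out = Path(results_dir)
    out.mkdir(parents=True, exist_ok=True)
    report = out / "security-audit.txt"  # hypothetical file name
    report.write_text("\n".join(findings or ["PASS: no violations"]) + "\n")
    # Written last: its content is the path of the results to collect.
    (out / "done").write_text(str(report))
    return report


if __name__ == "__main__":
    # A real plug-in would use the results directory from its definition file.
    print(write_results(audit_pods(SAMPLE_PODS), tempfile.mkdtemp()).read_text())
```

In a cluster, the pod list would come from the Kubernetes API rather than the embedded sample, and the results directory would be the one mounted by the plug-in definition.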

No Internet Access, No Problem

Running critical systems in air-gapped environments, where the system can’t reach out to the Internet, has long been a common practice to limit the attack surface. Although installing Kubernetes in air-gapped environments has been possible since before Kubernetes 1.6, testing those clusters for conformance was difficult. The recent version of Sonobuoy makes it possible to test air-gapped Kubernetes clusters.

Find Out More

The open plug-in architecture equips you, as a platform operator or system administrator, with the means to develop custom conformance and validation tests for environments before they go into production.

You can easily create a plug-in from a Docker image and run it within Sonobuoy without manually editing any YAML files. You can also easily modify the environment variables of a plug-in without editing a YAML file.

The end-to-end Kubernetes test suite can be run without Internet connectivity to validate your cluster’s state or investment in a custom, ad hoc workaround.

  • Sonobuoy web site

  • Sonobuoy on GitHub

  • Sonobuoy Documentation

  • Introduction to Sonobuoy