by 运行时依赖
安装命令
点击复制技能文档
Namespace Governance Audit 在 Kubernetes 命名空间间审计并强制执行组织标准。 本技能检查缺失的资源配额、无上限的限制范围、缺失的网络策略、过度宽松的 RBAC 绑定、标签合规性及废弃命名空间,输出可操作的修复步骤与推荐策略清单。
使用场景: “audit namespaces”、“namespace governance”、“check resource quotas”、“review RBAC”、“namespace cleanup”、“enforce labels”、“namespace policy compliance”
Commands
- audit —— 检查所有命名空间的策略合规性
Step 1 – 枚举命名空间并收集元数据 # 列出所有命名空间及其标签与年龄 kubectl get namespaces -o json | python3 -c " import json, sys from datetime import datetime, timezone ns_list = json.load(sys.stdin) print(f\"{'NAMESPACE':<30} {'AGE_DAYS':>8} {'LABELS':>6} {'HAS_OWNER':>9}\") print('-' 60) for ns in ns_list['items']: name = ns['metadata']['name'] labels = ns['metadata'].get('labels', {}) created = datetime.fromisoformat(ns['metadata']['creationTimestamp'].replace('Z','+00:00')) age = (datetime.now(timezone.utc) - created).days has_owner = 'team' in labels or 'owner' in labels print(f\"{name:<30} {age:>8} {len(labels):>6} {str(has_owner):>9}\") "
Step 2 – 检查 ResourceQuotas # 查找无 ResourceQuota 的命名空间 echo "=== 缺少 ResourceQuota 的命名空间 ===" ALL_NS=$(kubectl get ns -o jsonpath='{.items[].metadata.name}') for ns in $ALL_NS; do count=$(kubectl get resourcequota -n "$ns" --no-headers 2>/dev/null | wc -l) if [ "$count" -eq 0 ]; then case "$ns" in kube-system|kube-public|kube-node-lease) continue;; esac echo " 缺失: $ns" fi done # 显示现有配额及使用率 echo "" echo "=== 现有配额使用率 ===" kubectl get resourcequota --all-namespaces -o custom-columns=\ NAMESPACE:.metadata.namespace,\ NAME:.metadata.name,\ CPU_USED:.status.used.requests\\.cpu,\ CPU_HARD:.status.hard.requests\\.cpu,\ MEM_USED:.status.used.requests\\.memory,\ MEM_HARD:.status.hard.requests\\.memory
Step 3 – 检查 LimitRanges # 查找无 LimitRange 的命名空间 echo "=== 缺少 LimitRange 的命名空间 ===" for ns in $ALL_NS; do count=$(kubectl get limitrange -n "$ns" --no-headers 2>/dev/null | wc -l) if [ "$count" -eq 0 ]; then case "$ns" in kube-system|kube-public|kube-node-lease) continue;; esac echo " 缺失: $ns(Pod 可无限申请资源)" fi done
Step 4 – 检查 NetworkPolicies # 无 NetworkPolicy 的命名空间(默认全放行) echo "=== 缺少任何 NetworkPolicy 的命名空间 ===" for ns in $ALL_NS; do count=$(kubectl get networkpolicy -n "$ns" --no-headers 2>/dev/null | wc -l) if [ "$count" -eq 0 ]; then case "$ns" in kube-system|kube-public|kube-node-lease) continue;; esac pod_count=$(kubectl get pods -n "$ns" --no-headers 2>/dev/null | wc -l) echo " 开放: $ns($pod_count 个 Pod,允许所有流量)" fi done
Step 5 – RBAC 审查 # 查找过于宽泛的 RoleBindings(命名空间级 cluster-admin、通配规则) echo "=== 高风险 RBAC 绑定 ===" kubectl get rolebindings,clusterrolebindings --all-namespaces -o json | python3 -c " import json, sys data = json.load(sys.stdin) risky = [] for item in data['items']: ns = item['metadata'].get('namespace', 'cluster-wide') name = item['metadata']['name'] role_ref = item.get('roleRef', {}) subjects = item.get('subjects', []) role_name = role_ref.get('name', '') if role_name == 'cluster-admin': for s in subjects: risky.append(f\" 严重: {ns}/{name} 向 {s.get('kind','?')}/{s.get('name','?')} 授予 cluster-admin\") for s in subjects: if s.get('name') == 'default' and s.get('kind') == 'ServiceAccount': risky.append(f\" 警告: {ns}/{name} 将角色绑定到 default SA(应使用专用 SA)\") for r in risky[:50]: print(r) if not risky: print(' 未发现明显高风险绑定。') "
Step 6 – 标签合规 # 检查命名空间是否具备必需标签 REQUIRED_LABELS=("team" "environment" "cost-center") echo "=== 标签合规性 ===" kubectl get ns -o json | python3 -c " import json, sys required = ['team', 'environment', 'cost-center'] ns_list = json.load(sys.stdin) skip = {'kube-system', 'kube-public', 'kube-node-lease', 'default'} for ns in ns_list['items']: name = ns['metadata']['name'] if name in skip: continue labels = set(ns['metadata'].get('labels', {}).keys()) missing = [r for r in required if r not in labels] if missing: print(f\" {name}: 缺失标签: {', '.join(missing)}\") "
报告模板: