commit d5bb54cc8eafbddf98c940fa50c110cd35ff038c Author: Christian Nicolai Date: Fri Dec 13 11:19:14 2019 +0100 Fiat lux diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..3c4dfe0 --- /dev/null +++ b/LICENSE @@ -0,0 +1,187 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. diff --git a/Pipfile b/Pipfile new file mode 100644 index 0000000..cfd4e22 --- /dev/null +++ b/Pipfile @@ -0,0 +1,14 @@ +[[source]] +url = 'https://pypi.python.org/simple' + +[requires] +python_version = '3.8' + +[packages] +pyyaml = '*' +requests = '*' + +[dev-packages] +rope = '*' +pylint = '*' +yapf = '*' diff --git a/Pipfile.lock b/Pipfile.lock new file mode 100644 index 0000000..03a30d7 --- /dev/null +++ b/Pipfile.lock @@ -0,0 +1,153 @@ +{ + "_meta": { + "hash": { + "sha256": "dba3ebb339150511f91075ab30df27c809a6fee8c82646a583a5a92aaf121c6f" + }, + "pipfile-spec": 6, + "requires": { + "python_version": "3.8" + }, + "sources": [ + { + "url": "https://pypi.python.org/simple" + } + ] + }, + "default": { + "certifi": { + "hashes": [ + "sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3", + "sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f" + ], + "version": "==2019.11.28" + }, + "chardet": { + "hashes": [ + "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", + "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + ], + "version": "==3.0.4" + }, + "idna": { + "hashes": [ + "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", + "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" + ], + "version": "==2.8" + }, + "pyyaml": { + "hashes": [ + "sha256:0e7f69397d53155e55d10ff68fdfb2cf630a35e6daf65cf0bdeaf04f127c09dc", + "sha256:2e9f0b7c5914367b0916c3c104a024bb68f269a486b9d04a2e8ac6f6597b7803", + "sha256:35ace9b4147848cafac3db142795ee42deebe9d0dad885ce643928e88daebdcc", + "sha256:38a4f0d114101c58c0f3a88aeaa44d63efd588845c5a2df5290b73db8f246d15", + "sha256:483eb6a33b671408c8529106df3707270bfacb2447bf8ad856a4b4f57f6e3075", + "sha256:4b6be5edb9f6bb73680f5bf4ee08ff25416d1400fbd4535fe0069b2994da07cd", + "sha256:7f38e35c00e160db592091751d385cd7b3046d6d51f578b29943225178257b31", + "sha256:8100c896ecb361794d8bfdb9c11fce618c7cf83d624d73d5ab38aef3bc82d43f", + "sha256:c0ee8eca2c582d29c3c2ec6e2c4f703d1b7f1fb10bc72317355a746057e7346c", + "sha256:e4c015484ff0ff197564917b4b4246ca03f411b9bd7f16e02a2f586eb48b6d04", + "sha256:ebc4ed52dcc93eeebeae5cf5deb2ae4347b3a81c3fa12b0b8c976544829396a4" + ], + "version": "==5.2" + }, + "requests": { + "hashes": [ + "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", + "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" + ], + "version": "==2.22.0" + }, + "urllib3": { + "hashes": [ + "sha256:a8a318824cc77d1fd4b2bec2ded92646630d7fe8619497b142c84a9e6f5a7293", + "sha256:f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e48b0745" + ], + "version": "==1.25.7" + } + }, + "develop": { + "astroid": { + "hashes": [ + "sha256:71ea07f44df9568a75d0f354c49143a4575d90645e9fead6dfb52c26a85ed13a", + "sha256:840947ebfa8b58f318d42301cf8c0a20fd794a33b61cc4638e28e9e61ba32f42" + ], + "version": "==2.3.3" + }, + "isort": { + "hashes": [ + "sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1", + "sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd" + ], + "version": "==4.3.21" + }, + "lazy-object-proxy": { + "hashes": [ + "sha256:0c4b206227a8097f05c4dbdd323c50edf81f15db3b8dc064d08c62d37e1a504d", + "sha256:194d092e6f246b906e8f70884e620e459fc54db3259e60cf69a4d66c3fda3449", + "sha256:1be7e4c9f96948003609aa6c974ae59830a6baecc5376c25c92d7d697e684c08", + "sha256:4677f594e474c91da97f489fea5b7daa17b5517190899cf213697e48d3902f5a", + "sha256:48dab84ebd4831077b150572aec802f303117c8cc5c871e182447281ebf3ac50", + "sha256:5541cada25cd173702dbd99f8e22434105456314462326f06dba3e180f203dfd", + "sha256:59f79fef100b09564bc2df42ea2d8d21a64fdcda64979c0fa3db7bdaabaf6239", + "sha256:8d859b89baf8ef7f8bc6b00aa20316483d67f0b1cbf422f5b4dc56701c8f2ffb", + "sha256:9254f4358b9b541e3441b007a0ea0764b9d056afdeafc1a5569eee1cc6c1b9ea", + "sha256:9651375199045a358eb6741df3e02a651e0330be090b3bc79f6d0de31a80ec3e", + "sha256:97bb5884f6f1cdce0099f86b907aa41c970c3c672ac8b9c8352789e103cf3156", + "sha256:9b15f3f4c0f35727d3a0fba4b770b3c4ebbb1fa907dbcc046a1d2799f3edd142", + "sha256:a2238e9d1bb71a56cd710611a1614d1194dc10a175c1e08d75e1a7bcc250d442", + "sha256:a6ae12d08c0bf9909ce12385803a543bfe99b95fe01e752536a60af2b7797c62", + "sha256:ca0a928a3ddbc5725be2dd1cf895ec0a254798915fb3a36af0964a0a4149e3db", + "sha256:cb2c7c57005a6804ab66f106ceb8482da55f5314b7fcb06551db1edae4ad1531", + "sha256:d74bb8693bf9cf75ac3b47a54d716bbb1a92648d5f781fc799347cfc95952383", + "sha256:d945239a5639b3ff35b70a88c5f2f491913eb94871780ebfabb2568bd58afc5a", + "sha256:eba7011090323c1dadf18b3b689845fd96a61ba0a1dfbd7f24b921398affc357", + "sha256:efa1909120ce98bbb3777e8b6f92237f5d5c8ea6758efea36a473e1d38f7d3e4", + "sha256:f3900e8a5de27447acbf900b4750b0ddfd7ec1ea7fbaf11dfa911141bc522af0" + ], + "version": "==1.4.3" + }, + "mccabe": { + "hashes": [ + "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42", + "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f" + ], + "version": "==0.6.1" + }, + "pylint": { + "hashes": [ + "sha256:3db5468ad013380e987410a8d6956226963aed94ecb5f9d3a28acca6d9ac36cd", + "sha256:886e6afc935ea2590b462664b161ca9a5e40168ea99e5300935f6591ad467df4" + ], + "version": "==2.4.4" + }, + "rope": { + "hashes": [ + "sha256:6b728fdc3e98a83446c27a91fc5d56808a004f8beab7a31ab1d7224cecc7d969", + "sha256:c5c5a6a87f7b1a2095fb311135e2a3d1f194f5ecb96900fdd0a9100881f48aaf", + "sha256:f0dcf719b63200d492b85535ebe5ea9b29e0d0b8aebeb87fe03fc1a65924fdaf" + ], + "version": "==0.14.0" + }, + "six": { + "hashes": [ + "sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd", + "sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66" + ], + "version": "==1.13.0" + }, + "wrapt": { + "hashes": [ + "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1" + ], + "version": "==1.11.2" + }, + "yapf": { + "hashes": [ + "sha256:712e23c468506bf12cadd10169f852572ecc61b266258422d45aaf4ad7ef43de", + "sha256:cad8a272c6001b3401de3278238fdc54997b6c2e56baa751788915f879a52fca" + ], + "version": "==0.29.0" + } + } +} diff --git a/README.md b/README.md new file mode 100644 index 0000000..e59e16d --- /dev/null +++ b/README.md @@ -0,0 +1,91 @@ +# kube-stale-resources + +This is a utility to detect stale resources in [Kubernetes](https://kubernetes.io/) clusters between resources from YAML manifests supplied via local file or stdin (target state) and a Kubernetes cluster (live state). +All resources that exist in the live state but not in the target state are considered *stale* as they deviate from the intended state of the Kubernetes cluster (closed world assumption). It is intended as a complement to [kubectl diff](https://kubernetes.io/blog/2019/01/14/apiserver-dry-run-and-kubectl-diff/). + +Using a blacklist you can ignore resources from the live state from the comparison so they are not considered *stale* even though they do not exist in the given target state. This is useful when those resources are created by Kubernetes itself (e.g. the `kubernetes` service in the default namespace), managed by the Kubernetes cluster provider or another tool outside the scope. + +A use case for `kube-stale-resources` is using it alongside `kubectl diff` on locally present YAML manifests so `kubectl diff` can detect newly created Kubernetes resources and changes to those resources and `kube-stale-resources` can alert the user on stale resources that should be deleted from the cluster. + +Limitations: + +- currently only works on namespaced resources +- currently requires explicit `metadata.namespace` field even for resources in default namespace +- requires unauthenticated HTTP(S) access to Kubernetes apiserver, e.g. via `kubectl proxy` +- only accounts for `apiVersion` deprecations up until Kubernetes 1.16 + + +## Usage + +You need Python 3.8 or higher. + +Assuming you have a properly setup `.kube/config` (e.g. using [minikube](https://github.com/kubernetes/minikube) after a successful `minikube start`) running: + +```bash +kubectl proxy & + +# ignore minikube resources +cat < blacklist.txt +^kubernetes-dashboard:.*$ +^default:events.k8s.io/v1beta1:Event:minikube..*$ +EOF + +# orderly created resource using YAML manifest in e.g. git +cat < version-controlled-resources.yml +--- +apiVersion: v1 +kind: Service +metadata: + name: foo + namespace: default +spec: + type: ClusterIP + ports: + - port: 80 + name: http + targetPort: 80 + selector: + app: foo +EOF +kubectl apply -f version-controlled-resources.yml + +# on-the-fly created resource using imperative command +kubectl create service clusterip bar --tcp='8080:8080' + +cat version-controlled-resources.yml | python kube-stale-resources.py -f - --blacklist blacklist.txt +``` + +This should yield a similar output to as we ignored what minikube sets up by default (e.g. the whole `kubernetes-dashboard` namespace): + +``` +Reading blacklist file blacklist.txt... +Retrieving target state... +Retrieving live state from http://localhost:8001... +Live dynamic configmaps that are not in target (stale): +.. 0 entries + +Live resources w/o dynamic configmaps that are not in target (stale): + default:v1:Service:bar +.. 1 entries +``` + +Run `python kube-stale-resources.py -h` for full list of options. + + +## Blacklisting + +Example blacklist file for a cluster on [GKE](https://cloud.google.com/kubernetes-engine/) that also uses [cert-manager](https://github.com/jetstack/cert-manager): + +``` +^.*:v1:ResourceQuota:gke-resource-quotas$ +^default:v1:LimitRange:limits$ + +^.*:certmanager.k8s.io/v1alpha1:Order:.*$ +``` + +In general a blacklist file contains one regular expression per line that are matched against a string of format `:::` for each resource. + + +## License + +kube-stale-resources is licensed under the Apache License, Version 2.0. See [LICENSE](LICENSE) for more information diff --git a/kube-stale-resources.py b/kube-stale-resources.py new file mode 100644 index 0000000..3af5ff9 --- /dev/null +++ b/kube-stale-resources.py @@ -0,0 +1,156 @@ +#!/usr/bin/env python + +import argparse +import re +import sys + +import requests +import yaml + +from typing import (List, Any, Dict, Tuple, IO) +K8sResourceIdentifier = Tuple[str, str, str, str] + +HEADERS = {"Content-Type": "application/json"} + +BLACKLIST_REGEXS = [ + # Kubernetes inherent blacklist (should apply to every k8s cluster out there) + r'^.*:apps/v1:ControllerRevision:.*$', + r'^.*:apps/v1:ReplicaSet:.*$', + r'^.*:batch/v1:Job:.*-\d{10,}$', # jobs created by cron jobs with unix timestamp suffix + r'^.*:metrics.k8s.io/v1beta1:PodMetrics:.*$', + r'^.*:v1:Endpoints:.*$', + r'^.*:v1:Event:.*$', + r'^.*:v1:Pod:.*$', + r'^.*:v1:Secret:.*-token-\S{5}$', # secrets with token for service accounts + r'^.*:v1:ServiceAccount:default$', + r'^default:v1:Service:kubernetes$', + r'^kube-node-lease:.*$', + r'^kube-public:.*$', + r'^kube-system:.*$', + + # GKE specific parts (should apply to every GKE-managed k8s cluster) + # '^.*:v1:ResourceQuota:gke-resource-quotas$', + # '^default:v1:LimitRange:limits$, +] + + +def get_live_namespaced_resources(url: str) -> List[K8sResourceIdentifier]: + result = [] + + # merges https://kubernetes.io/docs/reference/using-api/#api-groups + + # legacy API group + apiVersions = requests.get(url + '/api', headers=HEADERS).json()['versions'] + for apiVersion in apiVersions: + apiResources = requests.get(url + '/api/' + apiVersion, headers=HEADERS).json()['resources'] + for apiResource in apiResources: + if not ('list' in apiResource['verbs'] and apiResource['namespaced']): + continue + + items = requests.get(url + '/api/' + apiVersion + '/' + apiResource['name'], + headers=HEADERS).json()['items'] + for item in items: + result.append( + (item['metadata']['namespace'], apiVersion, apiResource['kind'], item['metadata']['name'])) + + # named API groups + apiGroups = requests.get(url + '/apis', headers=HEADERS).json()['groups'] + for apiGroup in apiGroups: + + apiResources = requests.get(url + '/apis/' + apiGroup['preferredVersion']['groupVersion'], + headers=HEADERS).json()['resources'] + for apiResource in apiResources: + if not ('list' in apiResource['verbs'] and apiResource['namespaced']): + continue + + if apiGroup['preferredVersion']['groupVersion'] == 'extensions/v1beta1' and apiResource['kind'] != 'Ingress': + # everything else in extensions/v1beta1 should be migrated to the preferred version + # except ingresses, see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ + continue + + items = requests.get(url + '/apis/' + apiGroup['preferredVersion']['groupVersion'] + '/' + + apiResource['name'], + headers=HEADERS).json()['items'] + for item in items: + result.append((item['metadata']['namespace'], apiGroup['preferredVersion']['groupVersion'], + apiResource['kind'], item['metadata']['name'])) + + return result + + +def get_target_namespaced_resources(stream: IO) -> List[K8sResourceIdentifier]: + result = [] + + target_documents = list(yaml.load_all(stream, Loader=yaml.SafeLoader)) + for document in target_documents: + if not document: + continue + if not 'namespace' in document['metadata']: + continue + + result.append( + (document['metadata']['namespace'], document['apiVersion'], document['kind'], document['metadata']['name'])) + + return result + + +def get_compact_resource_identifiers(tuples: List[K8sResourceIdentifier]) -> List[str]: + return [namespace + ':' + apiVersion + ':' + kind + ':' + name for namespace, apiVersion, kind, name in tuples] + + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description='Utility to detect k8s configuration drift.') + + parser.add_argument('-f', + dest='target_manifests_file', + required=True, + help='File path (or - for stdin) to read Kubernetes manifests from for target state.') + parser.add_argument('--url', + dest='k8s_apiserver_url', + default='http://localhost:8001', + help='URL of Kubernetes apiserver to retrieve live state.') + parser.add_argument('--blacklist', + dest='blacklist_file', + help='File path to read blacklist regex entries from that will be used to filter live state.') + + args = parser.parse_args() + + blacklist_regexs = [] + blacklist_regexs += BLACKLIST_REGEXS + + if args.blacklist_file: + print(f'Reading blacklist file {args.blacklist_file}...') + with open(args.blacklist_file, 'r') as f: + blacklist_regexs += filter(lambda x: not re.match(r'^\s*$', x), f.read().split('\n')) + + print('Retrieving target state...') + if args.target_manifests_file == '-': + target_tuples = get_target_namespaced_resources(sys.stdin) + else: + with open(args.target_manifests_file, 'r') as f: + target_tuples = get_target_namespaced_resources(f) + + print(f'Retrieving live state from {args.k8s_apiserver_url}...') + raw_live_strings = get_compact_resource_identifiers(get_live_namespaced_resources(args.k8s_apiserver_url)) + + live_strings = list(filter(lambda s: not re.match('|'.join(blacklist_regexs), s), raw_live_strings)) + + starget = set(get_compact_resource_identifiers(target_tuples)) + slive = set(live_strings) + + print('Live dynamic configmaps that are not in target (stale):') + counter = 0 + for x in sorted(list(slive - starget)): + if re.match('^.*:v1:ConfigMap:.*-[a-z0-9]{10}', x): + counter += 1 + print(' ' + x) + print("..", counter, "entries") + + print() + print('Live resources w/o dynamic configmaps that are not in target (stale):') + counter = 0 + for x in sorted(list(slive - starget)): + if not re.match('^.*:v1:ConfigMap:.*-[a-z0-9]{10}', x): + counter += 1 + print(' ' + x) + print("..", counter, "entries")