sensu-plugins-kubernetes 0.0.1 → 0.1.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    YzEzYTU0MzBhOWY3ZDRkZTNlYTIyMmEyOTIwYmQwYjA1Y2QxMzVjZQ==
+    ZGI5NmFlZDdkYjgyNGZiNjUwYTk3MGM1Y2M4OWQ1ZmZhY2Q5MmUwMw==
   data.tar.gz: !binary |-
-    NGY2YTVmMWE5MGI3YTExZjIwZmE1ZTA2NWIzMmZiYmI1MWM1ZmYwYg==
+    Njk1NGYyNTU0YjUxZmZkNGI5NjFiMTgzNTNhNjJiNDVlMTIzMTRhYw==
 SHA512:
   metadata.gz: !binary |-
-    M2VkZTE3OThlNTUzNTM2NmI1ZWYxYWY1ODFkMDUzYTc3OWY3M2RhMzgzMzQz
-    ZWRhZDcyYTYyNzYxMzFmNWFkOWQ1MzY4OTRlOWIzNDZhNDdhMWJhNGU1ZDA4
-    ZTI5ZTU5MDg5MzBhODljZmQwMDk3ZTRmYjFlNDY3OTI1Y2YwNjY=
+    YjNlOGZhZjFlOTRiNTBmMTBkODlhNTAzYWI3NWFkYTg0YjhiMTNiNmQzODFi
+    NTk0ZDlhNWQxYTkwN2M1M2M5NTcwMTgxNTZiNjZkODkyZThmMWVlNDFiMjJj
+    NWZmMTAwMWI2NzRmNzMyZmVkMmNhNWRhZDdmYTY5NTI1MDYzMWU=
   data.tar.gz: !binary |-
-    ZjI0Y2U2NjU1ZWNlMDVlZDE3MTQ1YmY5YWVlNjFlNzdkMmUxNWJlNDIxMWZh
-    YWY3MmNmOGQ5NmEwMTJlYzdmMWY5NmE1NzU1NTY0YzNjOTJjOTRiYmU5N2M0
-    MDlhMTFhNTY1NmNhYzE1ZjExZmFiYmJlMzZlOTlmODBhMTA1MTI=
+    N2MxZjNiZmQ2YWM5N2UzYmY4NTMzYTczZTI3YjQzODg4YjYxZjBjZmYzNTVj
+    YThiYjBjYjU1ODQwMDlmNzdjNGYwY2ZjNDMzMmJiZmI3ZTIyNzNjNDUxNWZj
+    YmEwNzcyM2VhNTBiNjk2ODRkN2I2ZTQ5MjY0NzMxZjYxMzU1YTQ=

data/CHANGELOG.md

@@ -5,6 +5,23 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 
 ## [Unreleased]
 
+## [0.1.0] - 2016-05-15
+### Added
+- Added flag to ignore namespaces in check-kube-pods-pending
+- check-kube-service-available.rb: Will not mark a service is failed if any needed pod is running and ready
+- check-kube-service-available.rb: Added options to allow of pod pending for given time to be counted as valid
+- Factored all checks to share a common base class for connecting to Kubernetes
+- Added flags to specify certificate authority and Kubernetes bearer token
+- Added flags to specify client certificate/key and in-cluster support
+- Support for Ruby 2.3
+
+### Fixed
+- check-kube-service-available.rb: Fixed scope issue in main block that would cause a nil error
+
+### Changed
+- Update to Rubocop 0.40 and cleanup
+- Update to kubeclient 1.1.3
+
 ## 0.0.1 - 2016-03-03
 ### Added
 - initial release

data/README.md

@@ -14,18 +14,158 @@ This provides functionality to check node and pod status as well as api and serv
 - bin/check-kube-apiserver-available.rb
 - bin/check-kube-pods-pending.rb
 - bin/check-kube-service-available.rb
-- bin check/kube-pods-runtime.rb
+- bin/check-kube-pods-runtime.rb
 - bin/handler-kube-pod.rb
 
 ## Usage
+
+**check-kube-nodes-ready.rb**
+```
+Usage: check-kube-nodes-ready.rb (options)
+        --ca-file CA-FILE            CA file to verify API server cert
+        --cert CERT-FILE             Client cert to present
+        --key KEY-FILE               Client key for the client cert
+        --in-cluster                 Use service account authentication
+    -p, --password PASSWORD          If user is passed, also pass a password
+    -s, --api-server URL             URL to API server
+    -t, --token TOKEN                Bearer token for authorization
+        --token-file TOKEN-FILE      File containing bearer token for authorization
+    -u, --user USER                  User with access to API
+    -v, --api-version VERSION        API version
+```
+
+**check-kube-apiserver-available.rb**
+```
+Usage: check-kube-apiserver-available.rb (options)
+        --ca-file CA-FILE            CA file to verify API server cert
+        --cert CERT-FILE             Client cert to present
+        --key KEY-FILE               Client key for the client cert
+        --in-cluster                 Use service account authentication
+    -p, --password PASSWORD          If user is passed, also pass a password
+    -s, --api-server URL             URL to API server
+    -t, --token TOKEN                Bearer token for authorization
+        --token-file TOKEN-FILE      File containing bearer token for authorization
+    -u, --user USER                  User with access to API
+```
+
+**check-kube-pods-pending.rb**
+```
+Usage: check-kube-pods-pending.rb (options)
+        --ca-file CA-FILE            CA file to verify API server cert
+        --cert CERT-FILE             Client cert to present
+        --key KEY-FILE               Client key for the client cert
+        --in-cluster                 Use service account authentication
+        --password PASSWORD          If user is passed, also pass a password
+    -s, --api-server URL             URL to API server
+        --token TOKEN                Bearer token for authorization
+        --token-file TOKEN-FILE      File containing bearer token for authorization
+    -u, --user USER                  User with access to API
+    -v, --api-version VERSION        API version
+    -n NAMESPACES,                   Exclude the specified list of namespaces
+        --exclude-namespace
+    -t, --timeout TIMEOUT            Threshold for pods to be in the pending state
+    -f, --filter FILTER              Selector filter for pods to be checked
+    -p, --pods PODS                  List of pods to check
+    -r, --restart COUNT              Threshold for number of restarts allowed
+```
+
+**check-kube-service-available.rb**
+```
+Usage: check-kube-service-available.rb (options)
+        --ca-file CA-FILE            CA file to verify API server cert
+        --cert CERT-FILE             Client cert to present
+        --key KEY-FILE               Client key for the client cert
+        --in-cluster                 Use service account authentication
+        --password PASSWORD          If user is passed, also pass a password
+    -s, --api-server URL             URL to API server
+    -t, --token TOKEN                Bearer token for authorization
+        --token-file TOKEN-FILE      File containing bearer token for authorization
+    -u, --user USER                  User with access to API
+    -v, --api-version VERSION        API version
+    -p, --pending SECONDS            Time (in seconds) a pod may be pending for and be valid
+    -l, --list SERVICES              List of services to check (required)
+```
+
+**check-kube-pods-runtime.rb**
+```
+Usage: check-kube-pods-runtime.rb (options)
+        --ca-file CA-FILE            CA file to verify API server cert
+        --cert CERT-FILE             Client cert to present
+        --key KEY-FILE               Client key for the client cert
+        --in-cluster                 Use service account authentication
+        --password PASSWORD          If user is passed, also pass a password
+    -s, --api-server URL             URL to API server
+    -t, --token TOKEN                Bearer token for authorization
+        --token-file TOKEN-FILE      File containing bearer token for authorization
+    -u, --user USER                  User with access to API
+    -v, --api-version VERSION        API version
+    -c, --critical COUNT             Threshold for Pods to be critical
+    -f, --filter FILTER              Selector filter for pods to be checked
+    -p, --pods PODS                  List of pods to check
+    -w, --warn TIMEOUT               Threshold for pods to be in the pending state
+```
+
+**handler-kube-pod.rb**
 ```
-check-kube-nodes-ready.rb -s SERVER -v API_VERSION
-check-kube-apiserver-available.rb -s SERVER
-check-kube-pods-pending.rb -s SERVER
-check-kube-service-available.rb -s SERVER  -l SERVICE1,SERVICE2
+Usage: handler-kube-pod.rb (options)
+    -j, --json JSONCONFIG            Configuration name
 ```
+
+`JSONCONFIG` defaults to `k8s`.
+
+```
+{
+    "k8s": {
+        "server": "https://kubernetes/",
+        "version": "v1",
+        "incluster": false,
+        "ca_file": "/certs/ca.crt.pem",
+        "client_cert_file": "/certs/client.crt.pem",
+        "client_key_file": "/private/client.key.pem",
+        "username": "alice",
+        "password": "secret",
+        "token": "incomprehensible.token.string",
+        "token_file": "/secret/token"
+    }
+}
+```
+
+`api_server` and `api_version` can still be used for backwards compatibility,
+but `server` and `version` will take precedence.
+
 ## Installation
 
 [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)
 
 ## Notes
+
+Of the Kubernetes connection options:
+```
+--api-server URL             URL to API server
+--api-version VERSION        API version
+--in-cluster                 Use service account authentication
+--ca-file CA-FILE            CA file to verify API server cert
+--cert CERT-FILE             Client cert to present
+--key KEY-FILE               Client key for the client cert
+--user USER                  User with access to API
+--password PASSWORD          If user is passed, also pass a password
+--token TOKEN                Bearer token for authorization
+--token-file TOKEN-FILE      File containing bearer token for authorization
+```
+Only the API server option is required, however it does default to the `KUBERNETES_MASTER` environment variable, or you can use the in-cluster option. The other options are to be used as needed.
+
+The default API version is `v1`.
+
+The in-cluster option provides defaults for:
+- The server URL, using the `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` environment variables.
+- The API CA file, using the service account CA file if it exists. (`/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`)
+- The API token, using the service account token file. (`/var/run/secrets/kubernetes.io/serviceaccount/token`)
+
+If the Kubernetes API provides a server certificate, it is only validated if a CA file is provided.
+
+The client certificate and client private key are optional, but if one is provided then the other must also be provided.
+
+Only one of the authentication methods (user, token, or token file) can be used.
+For example, using a username and a token, or a token and a token file, will produce an error.
+
+If the 'user' authentication method is used, a password must also be provided.

data/bin/check-kube-apiserver-available.rb

@@ -16,8 +16,15 @@
 #   gem: kube-client
 #
 # USAGE:
-# -s SERVER - The kubernates SERVER
-# -v VERSION - The kubernates api VERSION. Defaults to v1
+# -s, --api-server URL             URL to API server
+#     --in-cluster                 Use service account authentication
+#     --ca-file CA-FILE            CA file to verify API server cert
+#     --cert CERT-FILE             Client cert to present
+#     --key KEY-FILE               Client key for the client cert
+# -u, --user USER                  User with access to API
+# -p, --password PASSWORD          If user is passed, also pass a password
+# -t, --token TOKEN                Bearer token for authorization
+#     --token-file TOKEN-FILE      File containing bearer token for authorization
 #
 # LICENSE:
 #   Kel Cecil <kelcecil@praisechaos.com>
@@ -25,31 +32,25 @@
 #   for details.
 #
 
-require 'sensu-plugin/check/cli'
-require 'net/http'
-require 'uri'
+require 'sensu-plugins-kubernetes/cli'
 
-class ApiServerIsAvailable < Sensu::Plugin::Check::CLI
-  option :api_server,
-         description: 'URL to API server',
-         short: '-s URL',
-         long: '--api-server',
-         default: ENV['KUBERNETES_MASTER']
+class ApiServerIsAvailable < Sensu::Plugins::Kubernetes::CLI
+  @options = Sensu::Plugins::Kubernetes::CLI.options.reject { |k| k == :api_version }
 
   def run
-    cli = ApiServerIsAvailable.new
-    api_server = cli.config[:api_server]
-    uri = URI.parse "#{api_server}/healthz"
-
-    begin
-      response = Net::HTTP.get_response(uri)
-    rescue
-      warning 'Host is unavailable'
-    end
-
-    if response.code.include? '200'
+    if healthy?
       ok 'Kubernetes API server is available'
     end
     critical 'Kubernetes API server is unavailable'
   end
+
+  # TODO: replace this method when it's added to kubeclient
+  def healthy?
+    client.handle_exception do
+      client.create_rest_client('/healthz').get(client.headers)
+    end
+    true
+  rescue KubeException
+    false
+  end
 end

data/bin/check-kube-nodes-ready.rb

@@ -16,8 +16,16 @@
 #   gem: kube-client
 #
 # USAGE:
-# -s SERVER - The kubernates SERVER
-# -v VERSION - The kubernates api VERSION. Defaults to v1
+# -s, --api-server URL             URL to API server
+# -v, --api-version VERSION        API version. Defaults to 'v1'
+#     --in-cluster                 Use service account authentication
+#     --ca-file CA-FILE            CA file to verify API server cert
+#     --cert CERT-FILE             Client cert to present
+#     --key KEY-FILE               Client key for the client cert
+# -u, --user USER                  User with access to API
+# -p, --password PASSWORD          If user is passed, also pass a password
+# -t, --token TOKEN                Bearer token for authorization
+#     --token-file TOKEN-FILE      File containing bearer token for authorization
 #
 # LICENSE:
 #   Kel Cecil <kelcecil@praisechaos.com>
@@ -25,34 +33,12 @@
 #   for details.
 #
 
-require 'sensu-plugin/check/cli'
-require 'json'
-require 'kubeclient'
+require 'sensu-plugins-kubernetes/cli'
 
-class AllNodesAreReady < Sensu::Plugin::Check::CLI
-  option :api_server,
-         description: 'URL to API server',
-         short: '-s URL',
-         long: '--api-server',
-         default: ENV['KUBERNETES_MASTER']
-
-  option :api_version,
-         description: 'API version',
-         short: '-v VERSION',
-         long: '--api-version',
-         default: 'v1'
+class AllNodesAreReady < Sensu::Plugins::Kubernetes::CLI
+  @options = Sensu::Plugins::Kubernetes::CLI.options.dup
 
   def run
-    cli = AllNodesAreReady.new
-    api_server = cli.config[:api_server]
-    api_version = cli.config[:api_version]
-
-    begin
-      client = Kubeclient::Client.new(api_server, api_version)
-    rescue
-      warning 'Unable to connect to Kubernetes API server'
-    end
-
     failed_nodes = []
     client.get_nodes.each do |node|
       item = node.status.conditions.detect { |condition| condition.type == 'Ready' }
@@ -67,5 +53,7 @@ class AllNodesAreReady < Sensu::Plugin::Check::CLI
       ok 'All nodes are reporting as ready'
     end
     critical "Nodes are not ready: #{failed_nodes.join(' ')}"
+  rescue KubeException => e
+    critical 'API error: ' << e.message
   end
 end

data/bin/check-kube-pods-pending.rb

@@ -16,11 +16,23 @@
 #   gem: kube-client
 #
 # USAGE:
-# -s SERVER - The kubernates SERVER
-# -p PODS - Optional, list of specific pods to check. Defaults to all
-# -t TIMEOUT - The timeout in seconds to warn on
-# -r COUNT - The number of restarts to warn on
-# -f FILTER - The selector filter to use to determine the pods to check
+# -s, --api-server URL             URL to API server
+# -v, --api-version VERSION        API version. Defaults to 'v1'
+#     --in-cluster                 Use service account authentication
+#     --ca-file CA-FILE            CA file to verify API server cert
+#     --cert CERT-FILE             Client cert to present
+#     --key KEY-FILE               Client key for the client cert
+# -u, --user USER                  User with access to API
+#     --password PASSWORD          If user is passed, also pass a password
+#     --token TOKEN                Bearer token for authorization
+#     --token-file TOKEN-FILE      File containing bearer token for authorization
+# -n NAMESPACES,                   Exclude the specified list of namespaces
+#     --exclude-namespace
+# -t, --timeout TIMEOUT            Threshold for pods to be in the pending state
+# -f, --filter FILTER              Selector filter for pods to be checked
+# -p, --pods PODS                  Optional list of pods to check.
+#                                  Defaults to 'all'
+# -r, --restart COUNT              Threshold for number of restarts allowed
 #
 # NOTES:
 # => The filter used for the -f flag is in the form key=value. If multiple
@@ -32,22 +44,10 @@
 #   for details.
 #
 
-require 'sensu-plugin/check/cli'
-require 'json'
-require 'kubeclient'
+require 'sensu-plugins-kubernetes/cli'
 
-class AllPodsAreReady < Sensu::Plugin::Check::CLI
-  option :api_server,
-         description: 'URL to API server',
-         short: '-s URL',
-         long: '--api-server',
-         default: ENV['KUBERNETES_MASTER']
-
-  option :api_version,
-         description: 'API version',
-         short: '-v VERSION',
-         long: '--api-version',
-         default: 'v1'
+class AllPodsAreReady < Sensu::Plugins::Kubernetes::CLI
+  @options = Sensu::Plugins::Kubernetes::CLI.options.dup
 
   option :pod_list,
          description: 'List of pods to check',
@@ -74,26 +74,23 @@ class AllPodsAreReady < Sensu::Plugin::Check::CLI
          short: '-f FILTER',
          long: '--filter'
 
-  def run
-    cli = AllPodsAreReady.new
-    api_server = cli.config[:api_server]
-    api_version = cli.config[:api_version]
-
-    begin
-      client = Kubeclient::Client.new(api_server, api_version)
-    rescue
-      warning 'Unable to connect to Kubernetes API server'
-    end
+  option :exclude_namespace,
+         description: 'Exclude the specified list of namespaces',
+         short: '-n NAMESPACES',
+         long: '--exclude-namespace',
+         proc: proc { |a| a.split(',') },
+         default: ''
 
+  def run
     pods_list = []
     failed_pods = []
     restarted_pods = []
     pods = []
-    if cli.config[:pod_filter].nil?
-      pods_list = parse_list(cli.config[:pod_list])
+    if config[:pod_filter].nil?
+      pods_list = parse_list(config[:pod_list])
       pods = client.get_pods
     else
-      pods = client.get_pods(label_selector: cli.config[:pod_filter].to_s)
+      pods = client.get_pods(label_selector: config[:pod_filter].to_s)
       if pods.empty?
         unknown 'The filter specified resulted in 0 pods'
       end
@@ -101,18 +98,19 @@ class AllPodsAreReady < Sensu::Plugin::Check::CLI
     end
     pods.each do |pod|
       next if pod.nil?
+      next if config[:exclude_namespace].include?(pod.metadata.namespace)
       next unless pods_list.include?(pod.metadata.name) || pods_list.include?('all')
       # Check for pending state
       if pod.status.phase == 'Pending'
         pod_stamp = Time.parse(pod.metadata.creationTimestamp)
-        if (Time.now.utc - pod_stamp.utc).to_i > cli.config[:pending_timeout]
+        if (Time.now.utc - pod_stamp.utc).to_i > config[:pending_timeout]
           failed_pods << pod.metadata.name
         end
       end
       # Check restarts
       next if pod.status.containerStatuses.nil?
       pod.status.containerStatuses.each do |container|
-        if container.restartCount.to_i > cli.config[:restart_count]
+        if container.restartCount.to_i > config[:restart_count]
           restarted_pods << container.name
         end
       end
@@ -121,12 +119,14 @@ class AllPodsAreReady < Sensu::Plugin::Check::CLI
     if failed_pods.empty? && restarted_pods.empty?
       ok 'All pods are reporting as ready'
     elsif failed_pods.empty?
-      critical "Pods  exceeded restart threshold: #{restarted_pods.join(' ')}"
+      critical "Pods exceeded restart threshold: #{restarted_pods.join(' ')}"
     elsif restarted_pods.empty?
-      critical "Pods  exceeded pending threshold: #{failed_pods.join(' ')}"
+      critical "Pods exceeded pending threshold: #{failed_pods.join(' ')}"
     else
       critical "Pod restart and pending thresholds exceeded, pending: #{failed_pods.join(' ')} restarting: #{restarted_pods.join(' ')}"
     end
+  rescue KubeException => e
+    critical 'API error: ' << e.message
   end
 
   def parse_list(list)

data/bin/check-kube-pods-runtime.rb

@@ -16,10 +16,20 @@
 #   gem: kube-client
 #
 # USAGE:
-# -s SERVER - The kubernates SERVER
-# -p PODS - REQUIRED, list of specific pods to check. Defaults to all
-# -w WARN - The time in seconds to warn on
-# -c CRIT - The time in seconds to flag as critical
+# -s, --api-server URL             URL to API server
+# -v, --api-version VERSION        API version. Defaults to 'v1'
+#     --in-cluster                 Use service account authentication
+#     --ca-file CA-FILE            CA file to verify API server cert
+#     --cert CERT-FILE             Client cert to present
+#     --key KEY-FILE               Client key for the client cert
+# -u, --user USER                  User with access to API
+#     --password PASSWORD          If user is passed, also pass a password
+#     --token TOKEN                Bearer token for authorization
+#     --token-file TOKEN-FILE      File containing bearer token for authorization
+# -c, --critical COUNT             Threshold for Pods to be critical
+# -f, --filter FILTER              Selector filter for pods to be checked
+# -p, --pods PODS                  List of pods to check
+# -w, --warn TIMEOUT               Threshold for pods to be in the pending state
 #
 # LICENSE:
 #   Barry Martin <nyxcharon@gmail.com>
@@ -27,22 +37,10 @@
 #   for details.
 #
 
-require 'sensu-plugin/check/cli'
-require 'json'
-require 'kubeclient'
+require 'sensu-plugins-kubernetes/cli'
 
-class PodRuntime < Sensu::Plugin::Check::CLI
-  option :api_server,
-         description: 'URL to API server',
-         short: '-s URL',
-         long: '--api-server',
-         default: ENV['KUBERNETES_MASTER']
-
-  option :api_version,
-         description: 'API version',
-         short: '-v VERSION',
-         long: '--api-version',
-         default: 'v1'
+class PodRuntime < Sensu::Plugins::Kubernetes::CLI
+  @options = Sensu::Plugins::Kubernetes::CLI.options.dup
 
   option :pod_list,
          description: 'List of pods to check',
@@ -68,27 +66,17 @@ class PodRuntime < Sensu::Plugin::Check::CLI
          proc: proc(&:to_i)
 
   def run
-    cli = PodRuntime.new
-    api_server = cli.config[:api_server]
-    api_version = cli.config[:api_version]
-
-    begin
-      client = Kubeclient::Client.new(api_server, api_version)
-    rescue
-      warning 'Unable to connect to Kubernetes API server'
-    end
-
     pods_list = []
     pods = []
     warn = false
     crit = false
     message = ''
 
-    if cli.config[:pod_filter].nil?
-      pods_list = parse_list(cli.config[:pod_list])
+    if config[:pod_filter].nil?
+      pods_list = parse_list(config[:pod_list])
       pods = client.get_pods
     else
-      pods = client.get_pods(label_selector: cli.config[:pod_filter].to_s)
+      pods = client.get_pods(label_selector: config[:pod_filter].to_s)
       pods_list = ['all']
     end
 
@@ -100,11 +88,11 @@ class PodRuntime < Sensu::Plugin::Check::CLI
       pod_stamp = Time.parse(pod.status.startTime)
       runtime = (Time.now.utc - pod_stamp.utc).to_i
 
-      if !cli.config[:critical_timeout].nil? && runtime > cli.config[:critical_timeout]
-        message << "#{pod.metadata.name} exceeds threshold #{cli.config[:critical_timeout]} "
+      if !config[:critical_timeout].nil? && runtime > config[:critical_timeout]
+        message << "#{pod.metadata.name} exceeds threshold #{config[:critical_timeout]} "
         crit = true
-      elsif !cli.config[:warn_timeout].nil? && runtime > cli.config[:warn_timeout]
-        message << "#{pod.metadata.name} exceeds threshold #{cli.config[:warn_timeout]} "
+      elsif !config[:warn_timeout].nil? && runtime > config[:warn_timeout]
+        message << "#{pod.metadata.name} exceeds threshold #{config[:warn_timeout]} "
         warn = true
       end
     end
@@ -116,6 +104,8 @@ class PodRuntime < Sensu::Plugin::Check::CLI
     else
       ok 'All pods within threshold'
     end
+  rescue KubeException => e
+    critical 'API error: ' << e.message
   end
 
   def parse_list(list)

data/bin/check-kube-service-available.rb

@@ -16,8 +16,18 @@
 #   gem: kube-client
 #
 # USAGE:
-# -s SERVER - The kube server to use
-# -l SERVICES - The comma delimited list of services to check
+# -s, --api-server URL             URL to API server
+# -v, --api-version VERSION        API version. Defaults to 'v1'
+#     --in-cluster                 Use service account authentication
+#     --ca-file CA-FILE            CA file to verify API server cert
+#     --cert CERT-FILE             Client cert to present
+#     --key KEY-FILE               Client key for the client cert
+# -u, --user USER                  User with access to API
+#     --password PASSWORD          If user is passed, also pass a password
+#     --token TOKEN                Bearer token for authorization
+#     --token-file TOKEN-FILE      File containing bearer token for authorization
+# -l, --list SERVICES              List of services to check (required)
+# -p, --pending SECONDS            Time (in seconds) a pod may be pending for and be valid
 #
 # NOTES:
 #
@@ -27,22 +37,11 @@
 #   for details.
 #
 
-require 'sensu-plugin/check/cli'
-require 'json'
-require 'kubeclient'
+require 'sensu-plugins-kubernetes/cli'
+require 'time'
 
-class AllServicesUp < Sensu::Plugin::Check::CLI
-  option :api_server,
-         description: 'URL to API server',
-         short: '-s URL',
-         long: '--api-server',
-         default: ENV['KUBERNETES_MASTER']
-
-  option :api_version,
-         description: 'API version',
-         short: '-v VERSION',
-         long: '--api-version',
-         default: 'v1'
+class AllServicesUp < Sensu::Plugins::Kubernetes::CLI
+  @options = Sensu::Plugins::Kubernetes::CLI.options.dup
 
   option :service_list,
          description: 'List of services to check',
@@ -50,18 +49,15 @@ class AllServicesUp < Sensu::Plugin::Check::CLI
          long: '--list',
          required: true
 
-  def run
-    cli = AllServicesUp.new
-    api_server = cli.config[:api_server]
-    api_version = cli.config[:api_version]
+  option :pendingTime,
+         description: 'Time (in seconds) a pod may be pending for and be valid',
+         short: '-p SECONDS',
+         long: '--pending',
+         default: 0,
+         proc: proc(&:to_i)
 
-    begin
-      client = Kubeclient::Client.new(api_server, api_version)
-    rescue
-      warning 'Unable to connect to Kubernetes API server'
-    end
-
-    services = parse_list(cli.config[:service_list])
+  def run
+    services = parse_list(config[:service_list])
     failed_services = []
     s = client.get_services
     s.each do |a|
@@ -81,10 +77,26 @@ class AllServicesUp < Sensu::Plugin::Check::CLI
       end
       # Make sure our pod is running
       next if pod.nil?
+      pod_available = false
       pod.each do |p|
-        unless p.status.phase.include?('Running')
-          failed_services << p.metadata.name
+        case p.status.phase
+        when 'Pending'
+          next if p.status.startTime.nil?
+          if (Time.now - Time.parse(p.status.startTime)).to_i < config[:pendingTime]
+            pod_available = True
+            break
+          end
+        when 'Running'
+          p.status.conditions.each do |c|
+            next unless c.type == 'Ready'
+            if c.status == 'True'
+              pod_available = true
+              break
+            end
+            break if pod_available
+          end
         end
+        failed_services << p.metadata.name if pod_available == false
       end
     end
 
@@ -97,6 +109,8 @@ class AllServicesUp < Sensu::Plugin::Check::CLI
     else
       critical "Some services could not be checked: #{services.join(' ')}"
     end
+  rescue KubeException => e
+    critical 'API error: ' << e.message
   end
 
   def parse_list(list)

data/bin/handler-kube-pod.rb

@@ -17,7 +17,7 @@
 #   gem: kube-client
 #
 # USAGE:
-# -j JSONCONFIG - The config file to us
+# -j JSONCONFIG - The settings section to use
 #
 # NOTES:
 #
@@ -28,26 +28,32 @@
 #
 
 require 'sensu-handler'
-require 'kubeclient'
-require 'json'
+require 'sensu-plugins-kubernetes/client'
 
 class KubePod < Sensu::Handler
+  include Sensu::Plugins::Kubernetes::Client
+
   option :json_config,
-         description: 'Configuration name',
+         description: 'Configuration section name',
          short: '-j JSONCONFIG',
          long: '--json JSONCONFIG',
          default: 'k8s'
 
-  def api_server
-    get_setting('api_server') || ENV['KUBERNETES_MASTER']
-  end
-
-  def api_version
-    get_setting('api_version') || 'v1'
-  end
-
-  def get_setting(name)
-    settings[config[:json_config]][name]
+  def client_config
+    defaults = {
+      server: ENV['KUBERNETES_MASTER'],
+      version: 'v1'
+    }
+    h = settings[config[:json_config]]
+    if h.is_a?(Hash)
+      # Maintain backwards compatibility
+      h[:server] ||= h[:api_server]
+      h[:version] ||= h[:api_version]
+      # And merge
+      defaults.merge!(h)
+    else
+      defaults
+    end
   end
 
   def handle
@@ -55,8 +61,10 @@ class KubePod < Sensu::Handler
     response = api_request(:DELETE, '/clients/' + @event['client']['name']).code
     deletion_status(response)
     begin
-      client = Kubeclient::Client.new(api_server, api_version)
+      client = kubeclient(client_config)
       client.delete_pod @event['client']['name']
+    rescue ArgumentError => e
+      puts "[Kube Pod] Invalid settings: #{e.message}"
     rescue KubeException => e
       puts "[Kube Pod] KubeException: #{e.message}"
     rescue Exception => e # rubocop:disable Lint/RescueException

data/lib/sensu-plugins-kubernetes/cli.rb

@@ -0,0 +1,96 @@
+require 'sensu-plugin/check/cli'
+require 'sensu-plugins-kubernetes/client.rb'
+
+module Sensu
+  module Plugins
+    # Namespace for the Kubernetes sensu-plugin.
+    module Kubernetes
+      # Abstract base class for a Sensu check that also provides
+      # Kubernetes client connection support.
+      class CLI < Sensu::Plugin::Check::CLI
+        include Sensu::Plugins::Kubernetes::Client
+
+        option :api_server,
+               description: 'URL to API server',
+               short: '-s URL',
+               long: '--api-server',
+               default: ENV['KUBERNETES_MASTER']
+
+        option :api_version,
+               description: 'API version',
+               short: '-v VERSION',
+               long: '--api-version',
+               default: 'v1'
+
+        option :api_incluster,
+               description: 'Use service account authentication',
+               long: '--in-cluster',
+               boolean: true,
+               default: false
+
+        option :api_ca_file,
+               description: 'CA file to verify API server cert',
+               long: '--ca-file CA-FILE',
+               default: nil
+
+        option :api_client_cert,
+               description: 'Client cert to present',
+               long: '--cert CERT-FILE',
+               default: nil
+
+        option :api_client_key,
+               description: 'Client key for the client cert',
+               long: '--key KEY-FILE',
+               default: nil
+
+        option :api_user,
+               description: 'User with access to API',
+               short: '-u USER',
+               long: '--user',
+               default: nil
+
+        option :api_password,
+               description: 'If user is passed, also pass a password',
+               short: '-p PASSWORD',
+               long: '--password',
+               default: nil
+
+        option :api_token,
+               description: 'Bearer token for authorization',
+               short: '-t TOKEN',
+               long: '--token',
+               default: nil
+
+        option :api_token_file,
+               description: 'File containing bearer token for authorization',
+               long: '--token-file TOKEN-FILE',
+               default: nil
+
+        attr_reader :client
+
+        # Initializes the Sensu check by creating a Kubernetes client
+        # from the given options and will report a critical error if
+        # those arguments are incorrect.
+        def initialize
+          super()
+          begin
+            @client = kubeclient(
+              server: config[:api_server],
+              version: config[:api_version],
+              incluster: config[:api_incluster],
+              ca_file: config[:api_ca_file],
+              client_cert_file: config[:api_client_cert],
+              client_key_file: config[:api_client_key],
+              username: config[:api_user],
+              password: config[:api_password],
+              token: config[:api_token],
+              token_file: config[:api_token_file]
+            )
+          rescue ArgumentError => e
+            critial e.message
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sensu-plugins-kubernetes/client.rb

@@ -0,0 +1,126 @@
+require 'kubeclient'
+require 'uri'
+
+module Sensu
+  module Plugins
+    # Namespace for the Kubernetes sensu-plugin.
+    module Kubernetes
+      # A mixin module that provides Kubernetes client (kubeclient) support.
+      module Client
+        # The location of the service account provided CA.
+        # (if the cluster is configured to provide it)
+        INCLUSTER_CA_FILE =
+          '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'.freeze
+
+        # The location of the service account provided authentication token.
+        INCLUSTER_TOKEN_FILE =
+          '/var/run/secrets/kubernetes.io/serviceaccount/token'.freeze
+
+        # Creates a new Kubeclient::Client instance using the given SSL
+        # and authentication options (if any)
+        #
+        # @param [Hash] options The Kubernetes API connection details.
+        # @option options [String] :server URL to API server
+        # @option options [String] :version API version
+        # @option options [Boolean] :incluster
+        #   Use service account authentication if true
+        # @option options [String] :ca_file
+        #   CA file used to verify API server certificate
+        # @option options [String] :client_cert_file
+        #   Client certificate file to present
+        # @option options [String] :client_key_file
+        #   Client private key file for the client certificate
+        # @option options [String] :username
+        #   Username with access to API
+        # @option options [String] :password
+        #   If a username is passed, also pass a password
+        # @option options [String] :token
+        #   The bearer token for Kubernetes authorization
+        # @option options [String] :token_file
+        #   A file containing the bearer token for Kubernetes authorization
+        #
+        # @raise [ArgumentError] If an invalid option, or combination of options, is given.
+        # @raise [Errono::*] If there is a problem reading the client certificate or private key file.
+        # @raise [OpenSSL::X509::CertificateError] If there is a problem with the client certificate.
+        # @raise [OpenSSL::PKey::RSAError] If there is a problem with the client private key.
+        def kubeclient(options = {})
+          raise(ArgumentError, 'options must be a hash') unless options.is_a?(Hash)
+
+          api_server = options[:server]
+          api_version = options[:version]
+
+          ssl_options = {
+            ca_file: options[:ca_file]
+          }
+          auth_options = {
+            username: options[:username],
+            password: options[:password],
+            bearer_token: options[:token],
+            bearer_token_file: options[:token_file]
+          }
+
+          if [:client_cert_file, :client_key_file].count { |k| options[k] } == 1
+            raise ArgumentError, 'SSL requires both client cert and client key'
+          end
+
+          if options[:client_cert_file]
+            begin
+              ssl_options[:client_cert] = OpenSSL::X509::Certificate.new(File.read(options[:client_cert_file]))
+            rescue => e
+              raise e, "Unable to read client certificate: #{e}", e.backtrace
+            end
+          end
+
+          if options[:client_key_file]
+            begin
+              ssl_options[:client_key] = OpenSSL::PKey::RSA.new(File.read(options[:client_key_file]))
+            rescue => e
+              raise e, "Unable to read client key: #{e}", e.backtrace
+            end
+          end
+
+          if options[:incluster]
+            # Provide in-cluster defaults, if not already specified
+            # (following the kubernetes incluster config code, more or less)
+
+            # api-server
+            # TODO: use in-cluster DNS ??
+            if api_server.nil?
+              host = ENV['KUBERNETES_SERVICE_HOST']
+              port = ENV['KUBERNETES_SERVICE_PORT']
+              if host.nil? || port.nil?
+                raise ArgumentError, 'unable to load in-cluster configuration,'\
+                     ' KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT'\
+                     ' must be defined'
+              end
+              api_server = URI::HTTPS.build(host: host, port: port, path: '/api')
+            end
+
+            # ca file, but only if it exists
+            if ssl_options[:ca_file].nil? && File.exist?(INCLUSTER_CA_FILE)
+              # Readability/permission issues should be left to kubeclient
+              ssl_options[:ca_file] = INCLUSTER_CA_FILE
+            end
+
+            # token file
+            if auth_options[:bearer_token_file].nil?
+              auth_options[:bearer_token_file] = INCLUSTER_TOKEN_FILE
+            end
+          end
+
+          ssl_options[:verify_ssl] = ssl_options[:ca_file] ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
+
+          begin
+            # new only throws errors on bad arguments
+            Kubeclient::Client.new(api_server, api_version,
+                                   ssl_options: ssl_options,
+                                   auth_options: auth_options)
+          rescue URI::InvalidURIError => e
+            # except for this one, which we'll re-wrap to make catching easier
+            raise ArgumentError, "Invalid API server: #{e}", e.backtrace
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sensu-plugins-kubernetes/version.rb

@@ -1,8 +1,8 @@
 module SensuPluginsKubernetes
   module Version
     MAJOR = 0
-    MINOR = 0
-    PATCH = 1
+    MINOR = 1
+    PATCH = 0
 
     VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-kubernetes
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-04 00:00:00.000000000 Z
+date: 2016-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.1
+        version: 1.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.1
+        version: 1.1.3
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '0.37'
+        version: 0.40.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '0.37'
+        version: 0.40.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -186,6 +186,8 @@ files:
 - bin/check-kube-service-available.rb
 - bin/handler-kube-pod.rb
 - lib/sensu-plugins-kubernetes.rb
+- lib/sensu-plugins-kubernetes/cli.rb
+- lib/sensu-plugins-kubernetes/client.rb
 - lib/sensu-plugins-kubernetes/version.rb
 homepage: https://github.com/sensu-plugins/sensu-plugins-kubernetes
 licenses: