domino_admin_toolkit.checks.test_kernel_vulnerabilities module
Description: Checks cluster nodes for known kernel vulnerabilities.
Result: Per-node table showing kernel version and OS; flags nodes with vulnerable kernels.
- pydantic model domino_admin_toolkit.checks.test_kernel_vulnerabilities.KernelVulnerabilityAnalyzer
Bases: AnalyzerBase
- Fields:
- analyze(data)
Analyzes the provided data and returns a list of CheckResult instances.
- Args:
data (Dict[str, Any]): The data to be analyzed. The structure depends on the analyzer's implementation.
- Returns:
List[CheckResult]: A list containing the results of the analysis.
- Return type:
List[CheckResult]
- Raises:
NotImplementedError: If this method is not implemented by subclasses.
- name: ClassVar[str] = 'KernelVulnerabilityAnalyzer'
- class domino_admin_toolkit.checks.test_kernel_vulnerabilities.KernelVulnerabilityRule(name, os_patterns, version_is_bad, reference_url)
Bases: object
- domino_admin_toolkit.checks.test_kernel_vulnerabilities.node_kernel_data(k8s_client)
Collect per-node kernel info from the cluster.
- domino_admin_toolkit.checks.test_kernel_vulnerabilities.test_kernel_vulnerabilities(node_kernel_data)
Description: Checks all cluster nodes for known kernel vulnerabilities.
- Failure Conditions:
A node’s kernel version matches a known vulnerable range for its OS.
- Troubleshooting Steps:
Identify affected nodes via the table output and confirm the kernel version with: kubectl get nodes -o wide (the KERNEL-VERSION and OS-IMAGE columns).
Check the node pool and determine if a newer AMI or OS image is available.
For RHEL/CentOS nodes, upgrade the kernel past 3.10.0-1062.4.1.el7.
For Amazon Linux nodes, upgrade past 5.10.177-158.645.amzn2.
- Resolution Steps:
Cordon and drain the affected node: kubectl cordon <node> && kubectl drain <node> --ignore-daemonsets --delete-emptydir-data (without these flags, drain refuses to evict DaemonSet-managed pods and pods using emptyDir volumes).
Terminate the node and allow the autoscaler to provision a replacement with a patched image.
Verify the replacement node shows a safe kernel version in this check.
Required Permissions: Platform admin / kubectl access
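The failure condition above ("a node's kernel version matches a known vulnerable range for its OS") is easy to get wrong if kernel strings are compared lexically. The following is an added example, not code from domino_admin_toolkit: it parses distro kernel strings into comparable tuples, wraps the two thresholds from the troubleshooting steps in rules shaped like the KernelVulnerabilityRule constructor documented above, and produces a per-node table. The rule semantics, the inclusive reading of "upgrade past X", the OS regexes, the placeholder reference URLs and the sample nodes are all assumptions of this example.

```python
"""Added example, not code from domino_admin_toolkit: a minimal version of the
failure condition "a node's kernel version matches a known vulnerable range
for its OS".

Assumptions (mine): the thresholds in the troubleshooting steps are inclusive
upper bounds (a kernel at or below them is flagged, reading "upgrade past X"
literally); node records use the field names of Kubernetes
node.status.nodeInfo; os_patterns and reference_url values are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

VersionKey = Tuple[int, ...]

# Distro release tags that end the comparable part of a kernel string.
_DISTRO_TAG = re.compile(r"\.(?:el|amzn|fc)\d")


def kernel_key(version: str) -> VersionKey:
    """Turn '3.10.0-1062.4.1.el7.x86_64' into (3, 10, 0, 1062, 4, 1).

    Everything before the distro tag is split into integers so that tuple
    comparison orders releases within one distro stream correctly
    (1160 > 1062.4.1; 177-158.645 < 184-175.749). Architecture is ignored.
    """
    base = _DISTRO_TAG.split(version, maxsplit=1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", base))


def at_or_below(threshold: str) -> Callable[[str], bool]:
    """Predicate: kernel is at or below `threshold` (assumed inclusive)."""
    limit = kernel_key(threshold)
    return lambda version: kernel_key(version) <= limit


@dataclass(frozen=True)
class KernelVulnerabilityRule:
    """Same constructor shape as the class documented above; semantics assumed."""
    name: str
    os_patterns: Tuple[str, ...]           # regexes tested against osImage
    version_is_bad: Callable[[str], bool]  # True when the kernel is in range
    reference_url: str

    def applies_to(self, os_image: str) -> bool:
        return any(re.search(p, os_image, re.IGNORECASE) for p in self.os_patterns)


RULES: List[KernelVulnerabilityRule] = [
    KernelVulnerabilityRule(
        name="rhel7-centos7-kernel",
        os_patterns=(r"Red Hat Enterprise Linux.* 7\.", r"CentOS Linux 7"),
        version_is_bad=at_or_below("3.10.0-1062.4.1.el7"),
        reference_url="https://example.invalid/rhel7-kernel",  # placeholder
    ),
    KernelVulnerabilityRule(
        name="amazon-linux-2-kernel",
        # '2\b' keeps this rule from matching "Amazon Linux 2023".
        os_patterns=(r"Amazon Linux 2\b",),
        version_is_bad=at_or_below("5.10.177-158.645.amzn2"),
        reference_url="https://example.invalid/al2-kernel",  # placeholder
    ),
]


def check_nodes(nodes: List[Dict[str, Any]],
                rules: List[KernelVulnerabilityRule] = RULES) -> List[Dict[str, Any]]:
    """Per-node verdict: which rules (if any) flag the node's kernel."""
    results = []
    for node in nodes:
        kernel, os_image = node["kernelVersion"], node["osImage"]
        hits = [r.name for r in rules
                if r.applies_to(os_image) and r.version_is_bad(kernel)]
        results.append({"node": node["name"], "kernel": kernel, "os": os_image,
                        "vulnerable": bool(hits), "rules": hits})
    return results


def render_table(results: List[Dict[str, Any]]) -> str:
    """Plain-text table in the spirit of the check's per-node output."""
    rows = [("NODE", "KERNEL", "OS", "STATUS")]
    rows += [(r["node"], r["kernel"], r["os"],
              "VULNERABLE (" + ",".join(r["rules"]) + ")" if r["vulnerable"] else "ok")
             for r in results]
    widths = [max(len(row[i]) for row in rows) for i in range(4)]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(row, widths)) for row in rows)


# Constructed sample nodes (not real cluster data); fields mirror nodeInfo.
SAMPLE_NODES = [
    {"name": "ip-10-0-1-10", "osImage": "Amazon Linux 2",
     "kernelVersion": "5.10.177-158.645.amzn2.x86_64"},  # equals threshold
    {"name": "ip-10-0-1-11", "osImage": "Amazon Linux 2",
     "kernelVersion": "5.10.184-175.749.amzn2.x86_64"},  # newer
    {"name": "ip-10-0-1-12", "osImage": "Amazon Linux 2023",
     "kernelVersion": "6.1.55-75.123.amzn2023.x86_64"},  # different OS stream
    {"name": "rhel-worker-1", "osImage": "Red Hat Enterprise Linux Server 7.7 (Maipo)",
     "kernelVersion": "3.10.0-1062.1.2.el7.x86_64"},  # below threshold
    {"name": "rhel-worker-2", "osImage": "Red Hat Enterprise Linux Server 7.9 (Maipo)",
     "kernelVersion": "3.10.0-1160.el7.x86_64"},  # later release
    {"name": "ubuntu-gpu-1", "osImage": "Ubuntu 22.04.3 LTS",
     "kernelVersion": "5.15.0-1041-aws"},  # no rule applies
]

if __name__ == "__main__":
    print(render_table(check_nodes(SAMPLE_NODES)))
```

Run as written it flags ip-10-0-1-10 and rhel-worker-1 and leaves the rest as ok. The three fields the sample mirrors can be pulled from a live cluster with kubectl get nodes -o custom-columns=NAME:.metadata.name,KERNEL:.status.nodeInfo.kernelVersion,OS:.status.nodeInfo.osImage; the check matches the OS first and only then compares the version, so a threshold for one distro stream is never applied to another.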