Driftmower automatically scans and monitors your container images for version updates and security issues.
Run a quick scan and display results in the terminal.
```bash
docker run -it --rm \
  -v ~/.kube:/root/.kube:ro \
  -v /var/run/docker.sock:/var/run/docker.sock \
  codemowers/driftmower:latest stdout
```
Start the web interface for interactive monitoring.
```bash
docker run -it --rm \
  -v ~/.kube:/root/.kube:ro \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 8080:8080 \
  codemowers/driftmower:latest \
  web --host 0.0.0.0
```
Deploy Driftmower using Docker Compose.
```yaml
services:
  web:
    image: codemowers/driftmower:latest
    command:
      - web
      - --host
      - 0.0.0.0
    volumes:
      - ~/.kube:/root/.kube:ro
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - KUBECONFIG=/root/.kube/config
      - HOME=/root
    stdin_open: true
    tty: true
```
Deploy Driftmower on Kubernetes.
```bash
cat << EOF | kubectl apply -f -
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: driftmower-dashboard
  namespace: kube-system
  labels:
    app: driftmower-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: driftmower-dashboard
  template:
    metadata:
      labels:
        app: driftmower-dashboard
    spec:
      serviceAccountName: driftmower-dashboard
      containers:
        - name: driftmower-dashboard
          image: codemowers/driftmower:latest
          args:
            - web
            - --host
            - 0.0.0.0
          ports:
            - containerPort: 8080
              name: http
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
---
apiVersion: v1
kind: Service
metadata:
  name: driftmower-dashboard
  namespace: kube-system
spec:
  selector:
    app: driftmower-dashboard
  ports:
    - port: 80
      targetPort: 8080
  type: ClusterIP
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: driftmower-dashboard
  namespace: kube-system
---
# ClusterRole and ClusterRoleBinding are cluster-scoped, so they take no namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: driftmower-dashboard
rules:
  # Read-only verbs; this rule includes read access to Secrets in every namespace.
  - apiGroups: [""]
    resources: ["pods", "secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    verbs: ["get", "list"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: driftmower-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: driftmower-dashboard
subjects:
  - kind: ServiceAccount
    name: driftmower-dashboard
    namespace: kube-system
EOF
```
Use the `codemowers.io/auto-upgrade: nightly` and `codemowers.io/auto-upgrade: weekends` annotations on Pods to enable automatic upgrades via Kubernetes CronJobs. For this feature you need to loosen the image tag, e.g. use `:2` or `:3.4`.
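To check before a maintenance window which annotated Pods actually carry a loosened tag, the following added example (not part of Driftmower) audits Pod data in the shape of `kubectl get pods -A -o json`. It assumes "loosened" means a one- or two-component numeric tag like the `:2` and `:3.4` examples above; Driftmower's own matching rules are not shown on this page, and the sample Pods are constructed.

```python
import re

ANNOTATION = "codemowers.io/auto-upgrade"
SCHEDULES = {"nightly", "weekends"}         # annotation values named on this page
LOOSE_TAG = re.compile(r"^v?\d+(\.\d+)?$")  # assumption: ":2" or ":3.4" style tags

def split_image(ref):
    """Split an image reference into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    tag = None
    # Only a colon after the last "/" is a tag; an earlier one is a registry port.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return name, tag, digest or None

def classify(ref):
    """Say whether an image reference leaves room for an automatic upgrade."""
    _, tag, digest = split_image(ref)
    if digest:
        return "pinned-digest"
    if tag in (None, "latest"):
        return "untagged-or-latest"
    return "loose" if LOOSE_TAG.match(tag) else "pinned-tag"

def audit(pod_list):
    """Return (namespace/name, schedule, image, status) for each annotated container."""
    rows = []
    for pod in pod_list["items"]:
        meta = pod["metadata"]
        schedule = (meta.get("annotations") or {}).get(ANNOTATION)
        if schedule is None:
            continue
        for c in pod["spec"]["containers"]:
            status = classify(c["image"]) if schedule in SCHEDULES else "unknown-schedule"
            rows.append((f'{meta["namespace"]}/{meta["name"]}', schedule, c["image"], status))
    return rows

# Constructed sample data, not output from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "shop", "annotations": {ANNOTATION: "nightly"}},
     "spec": {"containers": [{"image": "registry.example.com:5000/shop:3.4"}]}},
    {"metadata": {"namespace": "web", "name": "cache", "annotations": {ANNOTATION: "weekends"}},
     "spec": {"containers": [{"image": "redis:7.2.4"}]}},
    {"metadata": {"namespace": "ops", "name": "proxy", "annotations": {ANNOTATION: "nightly"}},
     "spec": {"containers": [{"image": "nginx@sha256:" + "0" * 64}]}},
    {"metadata": {"namespace": "ops", "name": "db"},
     "spec": {"containers": [{"image": "postgres:16"}]}},
]}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

Rows reported as `pinned-tag` or `pinned-digest` are the ones to review: they carry the annotation but not a tag of the loosened form shown above.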
Run upgrade process in a Docker container.
```bash
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  codemowers/driftmower:latest upgrade nightly weekends
```
Create a Kubernetes Job for one-time upgrades.
```bash
cat << EOF | kubectl apply -f -
---
apiVersion: batch/v1
kind: Job
metadata:
  name: driftmower-upgrade
  namespace: kube-system
spec:
  template:
    spec:
      # Must match the ServiceAccount defined below.
      serviceAccountName: driftmower-dashboard
      containers:
        - name: driftmower
          image: codemowers/driftmower:latest
          # args, not command: these are arguments to the image entrypoint,
          # as in the docker run example.
          args:
            - upgrade
            - nightly
            - weekends
      restartPolicy: Never
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: driftmower-dashboard
  namespace: kube-system
---
# ClusterRole and ClusterRoleBinding are cluster-scoped, so they take no namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: driftmower-dashboard
rules:
  # Read-only verbs; this rule includes read access to Secrets in every namespace.
  - apiGroups: [""]
    resources: ["pods", "secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    verbs: ["get", "list"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: driftmower-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: driftmower-dashboard
subjects:
  - kind: ServiceAccount
    name: driftmower-dashboard
    namespace: kube-system
EOF
```
Schedule automatic upgrades with CronJob. Pods with codemowers.io/auto-upgrade: "nightly" annotation will be upgraded during nightly maintenance windows.
```bash
cat << EOF | kubectl apply -f -
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: driftmower-upgrade
  namespace: kube-system
spec:
  schedule: "0 2 * * *" # Daily at 2 AM
  jobTemplate:
    spec:
      template:
        spec:
          # Must match the ServiceAccount defined below.
          serviceAccountName: driftmower-dashboard
          containers:
            - name: driftmower
              image: codemowers/driftmower:latest
              command: ["python", "-m", "src.main", "upgrade", "nightly"]
          restartPolicy: Never
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: driftmower-dashboard
  namespace: kube-system
---
# ClusterRole and ClusterRoleBinding are cluster-scoped, so they take no namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: driftmower-dashboard
rules:
  # Read-only verbs; this rule includes read access to Secrets in every namespace.
  - apiGroups: [""]
    resources: ["pods", "secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    verbs: ["get", "list"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: driftmower-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: driftmower-dashboard
subjects:
  - kind: ServiceAccount
    name: driftmower-dashboard
    namespace: kube-system
EOF
```