Validating Kubernetes YAML against best practices and policies

Translator's note: With the growing number of YAML configurations for K8s environments, the need for their automated validation is becoming ever more pressing. The author of this overview not only selected the existing solutions for this task, but also used a Deployment as an example to see how they work. It turned out to be very informative for those interested in the topic.


TL;DR: This article compares six static tools for validating and scoring Kubernetes YAML files against best practices and requirements.

Kubernetes workloads are usually defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between manifest files.

What if we need to make sure that every image deployed to the cluster comes from a trusted registry?

How can we prevent Deployments that have no PodDisruptionBudget from being submitted to the cluster?

Integrating static checks lets you catch errors and policy violations at the development stage. This increases the assurance that resource definitions are correct and safe, and makes it more likely that production workloads follow best practices.

The ecosystem of static checkers for Kubernetes files can be divided into the following categories:

  • API validators. Tools in this group check a YAML manifest against the requirements of the Kubernetes API server.
  • Built-in checks. Tools in this group come with ready-made checks for security, compliance with best practices, and so on.
  • Custom validators. Tools in this group let you write your own checks in various languages, for example Rego and JavaScript.

In this article we will compare six different tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. polaris

So, let's get started!

Checking the Deployment

Before we start comparing the tools, let's create a manifest to test them on.

The manifest below contains several errors and departures from best practice: how many can you find?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the different tools.

The base-valid.yaml manifest above and the other manifests from this article can be found in the Git repository.

The manifest describes a web application whose only job is to respond with the message "Hello World" on port 5678. It can be deployed with the following command:

kubectl apply -f base-valid.yaml

And then checked like this:

kubectl port-forward svc/http-echo 8080:5678

Now open http://localhost:8080 and confirm that the application is working. But does it follow best practices? Let's check.

1. Kubeval

The idea behind kubeval is that every interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are available on the project website.

At the time the original article was written, the current version was 0.15.0.

Once installed, let's feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

On success, kubeval exits with code 0. You can check it like this:

$ echo $?
0

Now let's try kubeval with a different manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the exit code
$ echo $?
1

The resource failed validation.

A Deployment that uses API version apps/v1 must include a selector matching the pod template labels. The manifest above does not include the selector, so kubeval reported an error and exited with a non-zero code.

I wonder what happens if I run kubectl apply -f with this manifest?

Well, let's try:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding the selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of a tool like kubeval is that errors of this kind are caught early in the deployment cycle.

In addition, these checks do not need access to a cluster; they can be run offline.

By default, kubeval validates resources against the latest Kubernetes API schema. In most cases, however, you will want to validate against a specific Kubernetes release. This is done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be given in Major.Minor.Patch format.

For the list of versions against which validation is supported, see the JSON schemas on GitHub that kubeval uses for validation. If you need to run kubeval offline, download the schemas and point to their location with the --schema-location flag.

Besides individual YAML files, kubeval can also work with directories and with stdin.

Kubeval is also easy to integrate into a CI pipeline. Those who want to run checks before submitting manifests to a cluster will be glad to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be used for further parsing of the output to produce a summary in the desired form.

One of kubeval's drawbacks is that it currently cannot validate Custom Resource Definitions (CRDs). It is, however, possible to configure kubeval to ignore them.

Kubeval is a great tool for checking and validating resources; it should be stressed, though, that passing its checks does not guarantee that a resource follows best practices.

For example, using the latest tag for a container image is not a best practice. Kubeval, however, does not treat this as an error and does not report it. That is, validation of such a YAML will pass without any warnings.

But what if you want to evaluate the YAML and catch violations such as the latest tag? How do you check a YAML file against best practices?

2. Kube-score

Kube-score analyses YAML manifests and scores them against built-in checks. The checks are selected on the basis of security guidelines and best practices, such as:

  • Running the container as non-root.
  • Having pod health checks.
  • Setting resource requests and limits.

Depending on the result of a check, one of three grades is given: OK, WARNING or CRITICAL.

You can try kube-score online or install it locally.

At the time the original article was written, the latest version of kube-score was 1.7.0.

Let's run it on our base-valid.yaml manifest:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passed kubeval's checks, but kube-score points out the following shortcomings:

  • No readiness probe is configured.
  • No CPU and memory requests or limits.
  • No PodDisruptionBudget is defined.
  • No anti-affinity rules to improve availability.
  • No security context is set, so nothing prevents the container from running as root.

All of these are important points about deficiencies that need to be addressed to make the workload more efficient and reliable.
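The findings above, as an added Python example that is not kube-score's code: each CRITICAL check written as a plain function over the parsed manifest, so the logic behind every finding is visible, plus a hardened variant of base-valid.yaml (constructed here) that passes all of them. The input shape is the list of objects you get from yaml.safe_load_all() or `kubectl get ... -o json`; the check wording, the PodDisruptionBudget and the resource values are assumptions made for the illustration.

```python
"""Added example, not kube-score's code: the CRITICAL checks reported above as
plain functions over parsed manifests (the list you get from yaml.safe_load_all()
or `kubectl get -o json`). Check wording, the hardened manifest and its
PodDisruptionBudget are constructed for this illustration."""
from typing import Any, Dict, List

Obj = Dict[str, Any]

# Constructed copy of the article's base-valid.yaml as parsed dicts.
BASE_VALID: List[Obj] = [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
     "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "http-echo"}},
              "template": {"metadata": {"labels": {"app": "http-echo"}},
                           "spec": {"containers": [{
                               "name": "http-echo", "image": "hashicorp/http-echo",
                               "args": ["-text", "hello-world"],
                               "ports": [{"containerPort": 5678}]}]}}}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "http-echo"},
     "spec": {"ports": [{"port": 5678, "protocol": "TCP", "targetPort": 5678}],
              "selector": {"app": "http-echo"}}},
]

# Constructed hardened variant: pinned image, probe, resources, non-root, PDB.
HARDENED: List[Obj] = [
    {"apiVersion": "policy/v1", "kind": "PodDisruptionBudget", "metadata": {"name": "http-echo"},
     "spec": {"minAvailable": 1, "selector": {"matchLabels": {"app": "http-echo"}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
     "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "http-echo"}},
              "template": {"metadata": {"labels": {"app": "http-echo"}},
                           "spec": {"containers": [{
                               "name": "http-echo", "image": "my-company.com/http-echo:1.0",
                               "readinessProbe": {"httpGet": {"path": "/", "port": 5678}},
                               "resources": {"requests": {"cpu": "50m", "memory": "32Mi"},
                                             "limits": {"cpu": "100m", "memory": "64Mi"}},
                               "securityContext": {"runAsNonRoot": True,
                                                   "allowPrivilegeEscalation": False}}]}}}},
]


def uses_mutable_tag(image: str) -> bool:
    """True for 'repo/name' and 'repo/name:latest'; a digest reference is immutable.
    Looking only after the last '/' keeps 'localhost:5000/app' from looking tagged."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]
    return ":" not in last or last.endswith(":latest")


def selector_matches(selector: Obj, labels: Dict[str, str]) -> bool:
    """matchLabels-only label selector (matchExpressions are not handled here)."""
    match = selector.get("matchLabels", {})
    return bool(match) and all(labels.get(k) == v for k, v in match.items())


def check_deployment(dep: Obj, objects: List[Obj]) -> List[str]:
    """Findings for one Deployment, in the spirit of kube-score's CRITICAL checks."""
    name = dep.get("metadata", {}).get("name", "?")
    spec = dep.get("spec", {})
    tmpl = spec.get("template", {})
    findings: List[str] = []
    if "selector" not in spec:  # the schema error kubeval caught earlier
        findings.append(f"{name}: spec.selector is required for apps/v1 Deployment")
    for c in tmpl.get("spec", {}).get("containers", []):
        cid = f"{name}/{c.get('name', '?')}"
        if uses_mutable_tag(c.get("image", "")):
            findings.append(f"{cid}: image with latest tag")
        if "readinessProbe" not in c:
            findings.append(f"{cid}: missing readinessProbe")
        res = c.get("resources", {})
        for section in ("requests", "limits"):
            for kind in ("cpu", "memory"):
                if kind not in res.get(section, {}):
                    findings.append(f"{cid}: {kind} {section[:-1]} is not set")
        if not (c.get("securityContext") or {}).get("runAsNonRoot"):
            findings.append(f"{cid}: no securityContext with runAsNonRoot")
    # A PDB only protects the pods its selector actually matches.
    labels = tmpl.get("metadata", {}).get("labels", {})
    pdbs = [o for o in objects if o.get("kind") == "PodDisruptionBudget"]
    if not any(selector_matches(p.get("spec", {}).get("selector", {}), labels) for p in pdbs):
        findings.append(f"{name}: no matching PodDisruptionBudget")
    return findings


def audit(objects: List[Obj]) -> List[str]:
    """Run the checks over every Deployment in a multi-document manifest."""
    out: List[str] = []
    for o in objects:
        if o.get("kind") == "Deployment":
            out.extend(check_deployment(o, objects))
    return out


if __name__ == "__main__":
    for label, objs in (("base-valid", BASE_VALID), ("hardened", HARDENED)):
        print(f"== {label}: {len(audit(objs))} finding(s)")
        for line in audit(objs):
            print("  [CRITICAL]", line)
```

Running it prints eight findings for base-valid.yaml (the same image, probe, resources, security context and PDB issues kube-score reported) and none for the hardened variant; the matchLabels comparison is what decides whether a PodDisruptionBudget "matches", which is the part that a plain presence check would get wrong.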

The kube-score command prints human-readable output that includes every WARNING and CRITICAL violation, which helps a lot during development.

Those who want to use the tool in a CI pipeline can enable a more compact output with the --output-format ci flag (in this case checks with an OK result are also shown):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Like kubeval, kube-score returns a non-zero exit code when a check fails with CRITICAL. The same behaviour can be enabled for WARNING.

It is also possible to check resources for compliance with different API versions (as in kubeval). However, this information is hard-coded into kube-score itself: you cannot choose a different Kubernetes version. This limitation can become a real problem if you plan to upgrade your cluster or have several clusters running different K8s versions.

Note that there is already an issue proposing to implement this capability.

More information about kube-score is available on the official website.

Kube-score's checks are a great tool for enforcing best practices, but what if you need to modify a check or add your own rules? Unfortunately, that is not possible.

Kube-score is not extensible: you cannot add policies to it or adjust them.

If you need to write custom checks to enforce company policy, you can use one of the following four tools: config-lint, copper, conftest or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files and Kubernetes manifests.

You can install it using the instructions on the project website.

The current release at the time the original article was written was 1.5.0.

Config-lint has no built-in checks for validating Kubernetes manifests.

To run any checks, you need to create the corresponding rules. They are written in YAML files called "rulesets" and have the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's look at it more closely:

  • The type field specifies the kind of configuration config-lint will check. For K8s manifests this is always Kubernetes.
  • The files field can list directories as well as individual files.
  • The rules field is where the user's checks are defined.

Say you want to make sure that images in a Deployment are always pulled from a trusted registry, such as my-company.com/myapp:1.0. A config-lint rule performing that check would look like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Every rule must have the following attributes:

  • id - a unique identifier of the rule;
  • severity - can be FAILURE, WARNING or NON_COMPLIANT;
  • message - if the rule is violated, the contents of this line are shown;
  • resource - the resource type the rule applies to;
  • assertions - the list of conditions to be evaluated for that resource.

In the rule above, the every assertion checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (i.e. ones starting with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To try the check, save it as check_image_repo.yaml. Let's check the base-valid.yaml file:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check failed. Now let's check the following manifest, which uses the correct image registry:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

Run the same check against the manifest above. No problems are found:

$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]

Config-lint is a promising framework that lets you create your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic and checks? Isn't YAML too limiting for that? What if you could write checks in a full programming language?

4. Copper

Copper V2 is a framework for validating manifests with custom checks (similar to config-lint).

It differs from the latter, however, in that it does not use YAML to describe checks. Instead, checks are written in JavaScript. Copper provides a library with a few basic helpers that make it easier to read information about Kubernetes objects and report errors.

Installation steps for Copper can be found in the documentation.

2.0.1 was the latest release of the tool at the time the original article was written.

Like config-lint, Copper has no built-in checks. Let's write one. It will check that Deployments use container images exclusively from trusted registries such as my-company.com.

Create a file check_image_repo.js with the following contents:

// $$ holds every object parsed from the input file; $ is one of them.
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            // DockerImage splits the reference into registry, name and tag.
            var image = new DockerImage(container.image);
            // registry holds only the host (see the helper description below),
            // so compare it directly instead of looking for a 'host/' prefix.
            if (image.registry !== 'my-company.com') {
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});

Now, to check our base-valid.yaml manifest, use the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_repo.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Clearly, copper allows more complex checks as well, for example verifying the domain names in Ingress manifests or rejecting pods that run in privileged mode.

Copper has several built-in helpers:

  • DockerImage reads the image specification from the input file and creates an object with the following attributes:
    • name - the image name,
    • tag - the image tag,
    • registry - the image registry,
    • registry_url - the protocol (https://) plus the image registry,
    • fqin - the fully qualified image name.
  • The findByName function helps find resources of a given kind (kind) and name (name) in the input file.
  • The findByLabels function helps find resources of a given kind (kind) with given labels (labels).

You can see all the available helper functions here.
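What a DockerImage-style helper has to get right, as an added Python example (not Copper's code): a parser for container image references that follows the Docker reference grammar (the first path component is a registry only if it looks like a host), and a trusted-registry check that compares the parsed registry host rather than a string prefix and, going beyond the page's rule, also rejects unpinned latest images. The my-company.com registry and the sample references are constructed; the fqin layout is an assumption about how such a helper would present it.

```python
"""Added example, not Copper's code: parse [registry/]path[:tag][@digest] the way
the Docker CLI does, then decide trust on the parsed registry host. The
my-company.com registry and SAMPLE_IMAGES are constructed for the illustration."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ImageRef:
    registry: str         # host[:port], e.g. "docker.io", "my-company.com", "localhost:5000"
    name: str             # repository path, e.g. "library/nginx", "hashicorp/http-echo"
    tag: Optional[str]    # None when only a digest is given
    digest: Optional[str]

    @property
    def fqin(self) -> str:
        """Fully qualified image name (assumed layout: registry/name[:tag][@digest])."""
        ref = f"{self.registry}/{self.name}"
        if self.tag:
            ref += f":{self.tag}"
        if self.digest:
            ref += f"@{self.digest}"
        return ref


def parse_image(ref: str) -> ImageRef:
    """The first component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image lives on docker.io, and a bare name such as
    'nginx' means 'library/nginx'. The tag separator is the last ':' after the
    final '/', so 'localhost:5000/app' is not mistaken for a tagged image."""
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    name, tag = path, None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        name, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in name:
        name = f"library/{name}"
    if tag is None and digest is None:
        tag = "latest"  # what the runtime would actually pull
    return ImageRef(registry, name, tag, digest)


def from_trusted_registry(ref: str, trusted: Iterable[str] = ("my-company.com",)) -> bool:
    """Trust is decided on the parsed host, so the port and the exact host string
    are compared rather than a 'my-company.com/' prefix; a trusted image must
    also be pinned (a non-latest tag or a digest)."""
    img = parse_image(ref)
    return img.registry in set(trusted) and (img.digest is not None or img.tag != "latest")


SAMPLE_IMAGES = [  # constructed inputs
    "hashicorp/http-echo",             # docker.io, implicit latest -> untrusted
    "my-company.com/http-echo:1.0",    # trusted host, pinned tag -> trusted
    "my-company.com/http-echo",        # trusted host but latest -> rejected
    "localhost:5000/http-echo:1.0",    # port belongs to the registry, not a tag
    "nginx@sha256:" + "0" * 64,        # docker.io/library/nginx by digest
]

if __name__ == "__main__":
    for ref in SAMPLE_IMAGES:
        img = parse_image(ref)
        print(f"{ref:36} registry={img.registry} name={img.name} tag={img.tag} "
              f"digest={'yes' if img.digest else 'no'} trusted={from_trusted_registry(ref)}")
```

The same parser is what the config-lint, conftest and Polaris rules in this article implicitly rely on when they test for a "my-company.com/" prefix; writing it out shows the cases a prefix test cannot distinguish, such as a registry port or a digest-pinned reference.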

By default it loads the entire input YAML file into the $$ variable and makes it available to the script (a familiar technique for those with jQuery experience).

Copper's main advantage is obvious: you do not need to learn a special language, and you can use all kinds of JavaScript features to build your checks, such as string interpolation, functions and so on.

Note also that the current version of Copper uses an ES5 JavaScript engine, not ES6.

More details are available on the official project website.

If, however, you are not particularly fond of JavaScript and prefer a language designed specifically for writing queries and describing policies, you should take a look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing and validating Kubernetes manifests. Checks are described in the dedicated query language Rego.

You can install conftest using the instructions listed on the project website.

At the time the original article was written, the latest available version was 0.18.2.

Like config-lint and copper, conftest comes without any built-in checks. Let's try it out by writing our own policy. As in the previous examples, we will check whether container images are pulled from a trusted source.

Create a directory conftest-checks and, inside it, a file named check_image_registry.rego with the following contents:

package main

# A deny rule that evaluates to true is reported by conftest as a violation.
deny[msg] {
  input.kind == "Deployment"
  # [_] iterates over every container in the pod template
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's run base-valid.yaml through conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

As expected, the check failed because the image comes from an untrusted source.

In the Rego file we define a deny block. When it evaluates to true, that is treated as a violation. If there are several deny blocks, conftest evaluates them independently of one another, and any of them evaluating to true counts as a violation.

Besides the default output, conftest supports JSON, TAP and table formats, a very useful feature if you need to feed reports into an existing CI pipeline. The desired format is set with the --output flag.

To make policies easier to debug, conftest has a --trace flag. It prints a trace of how conftest evaluates the specified policy files.

Conftest policies can be published and shared through OCI (Open Container Initiative) registries as artifacts.

The push and pull commands let you publish an artifact or retrieve an existing artifact from a remote registry. Let's try publishing the policy we created to a local Docker registry with conftest push.

Start a local Docker registry:

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory you created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run conftest pull in it. It will download the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file will appear in the temporary directory:

$ tree
.
└── policy
  └── check_image_registry.rego

Checks can be run directly from the registry:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, Docker Hub is not supported yet. So count yourself lucky if you use Azure Container Registry (ACR) or your own registry.

The artifact format is the same as that of Open Policy Agent (OPA) bundles, which lets you use conftest to run checks from existing OPA bundles.

You can learn more about sharing policies and other conftest features on the official project website.

6. Polaris

The last tool discussed in this article is Polaris. (We translated its announcement last year; translator's note.)

Polaris can be installed into a cluster or used in command-line mode. As you may have guessed, it lets you statically analyse Kubernetes manifests.

In command-line mode, built-in checks are available that cover areas such as security and best practices (similar to kube-score). In addition, you can create your own checks (as in config-lint, copper and conftest).

In other words, Polaris combines the advantages of both tool categories: built-in and custom checks.

To install Polaris in command-line mode, use the instructions on the project website.

At the time the original article was written, version 1.0.3 was available.

Once the installation is complete, you can run polaris on the base-valid.yaml manifest with the following command:

$ polaris audit --audit-path base-valid.yaml

It prints a JSON string with a detailed description of the checks performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris identifies the places where the manifest does not follow best practices:

  • No pod health checks.
  • Container image tags are not specified.
  • The container runs as root.
  • No memory and CPU requests and limits are specified.

Each check, depending on its result, is assigned a severity level: warning or danger. To learn more about the available built-in checks, see the documentation.

If you do not need the full details, you can pass the --format score flag. In that case Polaris prints a number from 1 to 100, the score:

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the degree of compliance. If you look at the exit code of the polaris audit command, it is 0.

You can make polaris audit exit with a non-zero code using two flags:

  • The --set-exit-code-below-score flag takes a threshold in the range 1-100 as its argument. The command then exits with code 4 if the score is below the threshold. This is very useful if you have a specific threshold (say, 75) and need to be alerted when the score drops below it.
  • The --set-exit-code-on-danger flag makes the command fail with code 3 if any of the danger checks fails.

Now let's try creating a custom check that verifies the image is pulled from a trusted registry. Custom checks are defined in YAML format, and the check itself is described with JSON Schema.

The following YAML snippet defines a new check called checkImageRepo:

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$

Let's look at it in detail:

  • successMessage - this line is printed if the check passes;
  • failureMessage - this message is shown if the check fails;
  • category - one of the categories: Images, Health Checks, Security, Networking and Resources;
  • target - specifies which kind of object (spec) the check applies to. Possible values: Container, Pod or Controller;
  • The check itself is defined in the schema object using JSON Schema. The key word in this check is pattern, which is used to compare the image registry with the required one.

To run the check above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(polaris-conf.yaml)

Let's break the file down:

  • The checks field lists the checks and their severity level. Since we want to fail with an error when an image is pulled from an untrusted source, we set the level to danger here.
  • The checkImageRepo check itself is then registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit with the YAML manifest that needs to be validated.

Let's test our base-valid.yaml manifest:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command ran only the specified custom check, and it failed.

If you change the image to my-company.com/http-echo:1.0, Polaris will finish successfully. The manifest with this change is already in the repository, so you can run the previous command on the image-valid-mycompany.yaml manifest.

Now the question arises: how do you run the built-in checks together with custom ones? Easy! You need to add the identifiers of the built-in checks to the configuration file. As a result, it takes the following form:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(config_with_custom_check.yaml)

An example of the full configuration file is available here.

To check the base-valid.yaml manifest with both the built-in and the custom checks, you can use the command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris complements the built-in checks with custom ones, thus combining the best of both worlds.

On the other hand, the inability to use more powerful languages such as Rego or JavaScript may be a limiting factor that prevents you from creating more sophisticated checks.

More information about Polaris is available on the project website.

Summary

While there are many tools for checking and scoring Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and executed.

For example, if you think of Kubernetes manifests going through a pipeline, kubeval could be the first step in that pipeline. It would verify that the object definitions conform to the Kubernetes API schema.

Once that review is complete, one can move on to more sophisticated checks, such as compliance with standard best practices and specific policies. This is where kube-score and Polaris come in handy.

For those with specific requirements who need to customise checks in detail, copper, config-lint and conftest are the right choice.

Config-lint defines custom checks in a YAML DSL and conftest in Rego, while copper gives you access to a full programming language, which makes it a rather attractive option.

On the other hand, is it worth using one of these tools and therefore writing all the checks by hand, or is it better to go with Polaris and add only what is missing? There is no definitive answer to this question.

The table below gives a short description of each tool:

Tool        | Purpose                                                                                                    | Shortcomings                                                                                   | Custom checks
------------|------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|--------------
kubeval     | Validates YAML manifests against a specific version of the API schema                                      | Cannot work with CRDs                                                                          | No
kube-score  | Analyses YAML manifests against best practices                                                             | Cannot choose the Kubernetes API version to check resources against                            | No
copper      | General framework for writing custom JavaScript checks for YAML manifests                                  | No built-in checks. Sparse documentation                                                       | Yes
config-lint | General framework for writing checks in a YAML-embedded DSL. Supports various formats (e.g. Terraform)     | No ready-made checks. The built-in assertions and functions may not be enough                  | Yes
conftest    | Framework for writing your own checks in Rego (a dedicated query language). Policies can be shared as OCI bundles | No built-in checks. Rego has to be learned. Docker Hub is not supported when publishing policies | Yes
polaris     | Checks YAML manifests against standard best practices. Lets you create your own checks with JSON Schema   | JSON Schema-based checks may not be expressive enough                                          | Yes

Because these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you screen source files and give quick feedback to the authors of pull requests in your projects.

source: www.habr.com
