We will use this YAML to compare the different tools.
The manifest above, base-valid.yaml, and the other manifests from this article can be found in the Git repository.
The manifest describes a web application whose only job is to respond with a "Hello World" message on port 5678. It can be deployed with the following command:
kubectl apply -f hello-world.yaml
And then, to check that it works:
kubectl port-forward svc/http-echo 8080:5678
Now open http://localhost:8080 and confirm that the application responds. But does it follow best practices? Let's check.
1. Kubeval
The idea behind kubeval is that any interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.
Can you spot the problem by eye? Let's run the tool:
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# check the exit code
$ echo $?
1
The resource failed validation.
A Deployment that uses API version apps/v1 must contain a selector that matches the labels of the pod template. The manifest above does not include the selector, so kubeval reports the error and exits with a non-zero code.
What would happen if you ran kubectl apply -f with this manifest?
Well, let's try:
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false
This is exactly the error kubeval warned about. You can fix it by adding the selector:
The advantage of tools like kubeval is that errors of this kind are caught early in the deployment cycle.
Moreover, these checks do not require access to a cluster; they can run offline.
By default, kubeval checks resources against the latest Kubernetes API schema. In most cases, however, you will want to validate against a specific Kubernetes release. This is done with the --kubernetes-version flag:
One of kubeval's drawbacks is that it currently cannot validate Custom Resource Definitions (CRDs). kubeval can, however, be configured to ignore them (the --ignore-missing-schemas flag).
kubeval is a good tool for checking and validating resources; it must be said, however, that passing its check does not guarantee that the resource follows best practices.
For example, using the latest tag for a container image is not a best practice. kubeval does not consider this an error and does not report it: such a YAML passes validation without any warning.
But what if you want to evaluate YAML and flag violations like the latest tag? How do you check YAML files against best practices?
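A Deployment that passes this check, as an added example rather than the article's own manifest (the image name and its argument are assumed; the point is that spec.selector.matchLabels must match spec.template.metadata.labels, otherwise the Deployment cannot tell which pods it owns):

```yaml
# Added example, not the article's kubeval-invalid.yaml.
# Assumed: the image hashicorp/http-echo and its -text argument.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: http-echo        # required in apps/v1 and must match the template labels
  template:
    metadata:
      labels:
        app: http-echo      # the labels the selector above refers to
    spec:
      containers:
        - name: http-echo
          image: hashicorp/http-echo
          args: ["-text=Hello World"]
          ports:
            - containerPort: 5678
```

With the selector in place both kubeval and kubectl apply accept the manifest; note that kubectl only validates the schema, so a selector that does not match the template labels is still rejected, but at admission time rather than by kubeval.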
2. Kube-score
At the time the original article was written, the current version of kube-score was 1.7.0.
Let's try it on our base-valid.yaml manifest:
$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
    [CRITICAL] Container Image Tag
        · http-echo -> Image with latest tag
            Using a fixed tag is recommended to avoid accidental upgrades
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching network policy
            Create a NetworkPolicy that targets this pod
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It is also used during
            rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · http-echo -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Resources
        · http-echo -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · http-echo -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · http-echo -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without
            crashing. Set resources.requests.cpu
        · http-echo -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing.
            Set resources.requests.memory
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
            maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes unavailable.
No requests or limits are set for CPU and memory.
No PodDisruptionBudget is specified.
There are no anti-affinity rules to improve availability.
The container runs as root.
All of these are useful findings about shortcomings that need to be addressed to make the Deployment more robust and reliable.
kube-score presents the information in a human-readable form, including every WARNING and CRITICAL check, which helps a lot during development.
Those who want to use this tool in a CI pipeline can make the output more compact with the --output-format ci flag (in this mode, checks with an OK result are shown as well):
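As an added example (not the article's base-valid.yaml), here is a version of the same application that addresses each CRITICAL finding above, together with the NetworkPolicy and PodDisruptionBudget that kube-score looks for. The image my-company.com/http-echo:1.0 is the one the article uses later; the assumptions are that it answers GET / on port 5678 with 200, accepts a -text argument, and runs as an unprivileged user. PodDisruptionBudget is written against policy/v1, which needs Kubernetes 1.21 or later.

```yaml
# Added example: hardened http-echo manifest, not the article's base-valid.yaml.
# Assumed: my-company.com/http-echo:1.0 serves GET / on 5678 and runs as non-root.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
  labels:
    app: http-echo
spec:
  replicas: 2                      # two replicas, so the PDB and anti-affinity below are meaningful
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      affinity:
        podAntiAffinity:           # prefer spreading replicas over different nodes
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchLabels:
                    app: http-echo
      securityContext:
        runAsNonRoot: true         # the kubelet refuses to start the container as uid 0
        runAsUser: 65534
      containers:
        - name: http-echo
          image: my-company.com/http-echo:1.0   # pinned tag from the trusted registry
          args: ["-text=Hello World"]
          ports:
            - name: http
              containerPort: 5678
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 2
            periodSeconds: 5
          resources:
            requests:
              cpu: 50m
              memory: 32Mi
            limits:
              cpu: 200m
              memory: 64Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  selector:
    app: http-echo
  ports:
    - port: 5678
      targetPort: http
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: http-echo
spec:
  podSelector:
    matchLabels:
      app: http-echo
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector: {}        # only pods in the same namespace may reach the service port
      ports:
        - port: 5678
  egress: []                     # the echo server never needs outbound connections
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: http-echo
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: http-echo
```

Running kube-score score over this file should clear the CRITICAL items listed above. The empty egress list is deliberate: a NetworkPolicy is only useful when it denies what the workload does not need, and an echo server needs nothing outbound.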
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
Like kubeval, kube-score returns a non-zero exit code when a CRITICAL check fails. The same behaviour can be enabled for WARNING (the --exit-one-on-warning flag).
It can also check resources against different API versions (like kubeval). However, this information is hardcoded in kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a serious problem if you plan to upgrade your cluster or run several clusters with different K8s versions.
More information about kube-score is available on the official website.
kube-score is a good tool for enforcing best practices, but what if you need to change or add your own rules? Unfortunately, that is not possible.
kube-score is not extensible: you can neither add rules to it nor modify the existing ones.
If you need to write custom checks that verify compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest or polaris.
3. Config-lint
Let's say you want to make sure that the images in a Deployment are always pulled from a trusted repository, such as my-company.com/myapp:1.0. A config-lint rule that performs this check would look like this:
- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"
(rule-trusted-repo.yaml)
Each rule must have the following attributes:
id: the unique identifier of the rule;
severity: one of FAILURE, WARNING or NON_COMPLIANT;
message: the text shown when the rule is violated;
resource: the resource kind the rule applies to;
assertions: the list of conditions that must hold.
In the rule above, the every assertion checks that all containers in the Deployment (key: spec.template.spec.containers) use a trusted image (that is, one whose name starts with my-company.com/).
4. Copper
Version 2.0.1 was the latest release of this utility at the time the original article was written.
Like config-lint, copper has no built-in checks. Let's write one. It will verify that Deployments use container images only from a trusted repository such as my-company.com.
// check_image_tag.js: a copper validator. $$ holds the parsed YAML documents;
// DockerImage and errors are objects provided by copper.
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            var image = new DockerImage(container.image);
            // report any image whose registry is not my-company.com
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});
(check_image_tag.js)
Now let's test our base-valid.yaml manifest with the copper validate command:
$ copper validate --in=base-valid.yaml --validator=check_image_tag.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed
5. Conftest
In addition to the output shown above, conftest supports the JSON, TAP and table formats, which is very useful if you want to embed reports into an existing CI pipeline. The desired format is set with the --output flag.
To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest evaluates the specified policy files.
6. Polaris
The last tool discussed in this article is Polaris. (It was announced last year, and we have already translated that article; translator's note.)
Polaris can be installed in a cluster or used in command-line mode. As you might guess, it lets you validate Kubernetes manifests.
When run in command-line mode, built-in checks are available in areas such as security and best practices (much like kube-score). In addition, you can create your own checks (as with config-lint, copper and conftest).
In other words, Polaris combines the advantages of both groups of tools: built-in checks and custom ones.
The --set-exit-code-on-danger flag makes the command exit with code 3 if any danger-level check fails.
Now let's try a custom check that verifies images are pulled from a trusted repository. Custom checks are defined in YAML, and the check itself is described with JSON Schema.
The YAML snippet below defines a new check called checkImageRepo:
checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$
Let's look at it more closely:
successMessage: the string printed when the check passes;
failureMessage: the message shown when the check fails;
The polaris audit command runs only the custom check defined above, and it fails.
If you change the image to my-company.com/http-echo:1.0, Polaris will pass. The manifest with this change is already in the repository, so you can re-run the previous command against the image-valid-mycompany.yaml manifest.
Now the question arises: how do you run the built-in checks together with custom ones? Easy! You just need to add the identifiers of the built-in checks to the configuration file. It will then take the following form:
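One way such a combined configuration can look, as an added example rather than the article's own file (the file name is assumed; the identifiers under checks are Polaris's built-in check names, each mapped to a severity of ignore, warning or danger; the regex here escapes the dot so that a name like my-companyXcom/app is rejected as well):

```yaml
# polaris-config.yaml (added example; file name assumed)
checks:
  # built-in checks, each enabled at a chosen severity
  tagNotSpecified: danger            # rejects the latest tag and untagged images
  runAsRootAllowed: danger
  privilegeEscalationAllowed: danger
  notReadOnlyRootFilesystem: warning
  readinessProbeMissing: warning
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  memoryRequestsMissing: warning
  memoryLimitsMissing: warning
  # the custom check, enabled like any built-in one
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company\.com/.+$   # dot escaped, unlike the looser pattern above
```

Run it with polaris audit --config polaris-config.yaml --audit-path base-valid.yaml --set-exit-code-on-danger; the exit code 3 on any danger-level failure is what lets a CI job block the merge.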