Validating Kubernetes YAML against best practices and policies

Translator's note: As the volume of YAML configuration for K8s environments grows, the need for automated validation becomes more and more pressing. The author of this review not only selected the existing solutions for this task but also used a Deployment as an example to see how they work. It turned out to be a very useful piece for anyone interested in the topic.

TL;DR: This article compares six static tools for validating and scoring Kubernetes YAML files against best practices and policies.

Kubernetes workloads are most often defined as YAML files. One of the problems with YAML is how hard it is to express constraints or relationships between manifest files.

What if we need to make sure that every image deployed to the cluster comes from a trusted registry?

How can I prevent Deployments that have no PodDisruptionBudget from being submitted to the cluster?

Integrating static checks lets you catch errors and policy violations at the development stage. This raises confidence that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.

The ecosystem of static validation tools for Kubernetes YAML files can be divided into the following categories:

  • API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
  • Built-in testers. Tools in this category ship with ready-made tests for security, adherence to best practices, and so on.
  • Custom validators. Tools in this category let you write your own tests in various languages, for example Rego and JavaScript.

In this article we describe and compare six different tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. polaris.

Well, let's get started!

Checking a Deployment

Before we start comparing the tools, let's set up some context in which to test them.

The manifest below contains a number of errors and does not follow best practices: how many can you find?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the different tools.

The manifest above, base-valid.yaml, and the other manifests from this article can be found in the Git repository.

The manifest describes a web application whose only job is to respond with a "Hello World" message on port 5678. It can be deployed with the following command:

kubectl apply -f hello-world.yaml

And then check that it works:

kubectl port-forward svc/http-echo 8080:5678

Now open http://localhost:8080 and confirm that the application is running. But does it follow best practices? Let's check.

1. Kubeval

At the heart of kubeval is the idea that all interaction with Kubernetes happens through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are available on the project website.

At the time of writing the original article, version 0.15.0 was available.

Once installed, let's feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

On success, kubeval exits with code 0. You can check it as follows:

$ echo $?
0

Now let's try kubeval with a different manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the return code
$ echo $?
1

The resource fails validation.

A Deployment using API version apps/v1 must include a selector that matches the pod template labels. The manifest above has no selector, so kubeval reports an error and exits with a non-zero code.

I wonder what would happen if I ran kubectl apply -f with this manifest?

Well, let's try:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding the selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of tools like kubeval is that errors of this kind are caught early in the deployment cycle.

In addition, these checks do not require access to a cluster; they can be run offline.
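As an added example (not kubeval's code, which validates against the published JSON schemas), the following Python script hand-codes the rule kubeval applied above, that an apps/v1 Deployment must carry spec.selector, together with the related API server rule that matchLabels must match the pod template labels, and exits non-zero the way kubeval does. The manifests are embedded as Python dicts (the parsed form of the YAML above, constructed here) so the script runs without PyYAML; the TAP-style report and the function names are my own.

```python
"""Minimal kubeval-style structural check for apps/v1 Deployments.

Added example; not kubeval's own code. kubeval validates against the
published JSON schemas, whereas this script hand-codes two rules that the
schema and the API server enforce for apps/v1 Deployments:
  1. spec.selector is required;
  2. spec.selector.matchLabels must be a subset of spec.template.metadata.labels.
Manifests are embedded as Python dicts (parsed form of the YAML above) so
the script runs offline without PyYAML.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample: parsed form of kubeval-invalid.yaml (no selector).
INVALID_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "http-echo"},
    "spec": {
        "replicas": 2,
        "template": {
            "metadata": {"labels": {"app": "http-echo"}},
            "spec": {"containers": [{"name": "http-echo", "image": "hashicorp/http-echo"}]},
        },
    },
}

# Constructed sample: the fixed manifest (base-valid.yaml), selector added.
VALID_DEPLOYMENT = {
    **INVALID_DEPLOYMENT,
    "spec": {**INVALID_DEPLOYMENT["spec"], "selector": {"matchLabels": {"app": "http-echo"}}},
}

# Constructed sample: selector present but not matching the pod labels;
# the API server rejects this with "selector does not match template labels".
MISMATCHED_DEPLOYMENT = {
    **INVALID_DEPLOYMENT,
    "spec": {**INVALID_DEPLOYMENT["spec"], "selector": {"matchLabels": {"app": "other"}}},
}


def validate_deployment(doc: Dict) -> List[str]:
    """Return a list of error strings; an empty list means the document is valid."""
    errors: List[str] = []
    if doc.get("apiVersion") != "apps/v1" or doc.get("kind") != "Deployment":
        return errors  # the rules below only apply to apps/v1 Deployments
    spec = doc.get("spec", {})
    selector = spec.get("selector")
    if selector is None:
        errors.append("selector: selector is required")
        return errors
    match = selector.get("matchLabels", {})
    labels = spec.get("template", {}).get("metadata", {}).get("labels", {})
    for key, value in match.items():
        if labels.get(key) != value:
            errors.append(f"selector: matchLabels {key}={value} does not match template labels")
    return errors


def validate_file(filename: str, docs: List[Dict]) -> Tuple[int, List[str]]:
    """Validate every document in a file and return (exit_code, TAP report lines).

    Exit code 0 when everything passed, 1 otherwise, mirroring the convention
    shown for kubeval above so a CI step can fail on the return code.
    """
    lines = [f"1..{len(docs)}"]
    exit_code = 0
    for n, doc in enumerate(docs, start=1):
        name = f"{doc.get('kind')} ({doc.get('metadata', {}).get('name')})"
        errors = validate_deployment(doc)
        if errors:
            exit_code = 1
            lines.append(f"not ok {n} - {filename} contains an invalid {name} - {'; '.join(errors)}")
        else:
            lines.append(f"ok {n} - {filename} contains a valid {name}")
    return exit_code, lines


if __name__ == "__main__":
    code, report = validate_file("kubeval-invalid.yaml", [INVALID_DEPLOYMENT])
    print("\n".join(report))
    sys.exit(code)
```

Run as a script it prints a TAP report for the selector-less manifest and exits with 1; pointing it at the fixed dict yields `ok 1 - ... contains a valid Deployment (http-echo)` and exit code 0.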

By default, kubeval checks resources against the latest Kubernetes API schema. In most cases, however, you will want to check against a specific Kubernetes release. This is done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be given in the form Major.Minor.Patch.

For the list of versions for which validation is supported, see the JSON schemas on GitHub that kubeval uses for validation. If you need to run kubeval offline, download the schemas and point to their local location with the --schema-location flag.

Besides individual YAML files, kubeval can also work with directories and stdin.

Kubeval also integrates easily into a CI pipeline. Those who want to run checks before manifests are sent to the cluster will be glad to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be parsed further to build a summary of the results in whatever form is needed.

One drawback of kubeval is that it currently cannot check conformance of Custom Resource Definitions (CRDs). It can, however, be configured to ignore them.

Kubeval is a great tool for checking and scoring resources; it must be stressed, though, that passing its checks does not guarantee that a resource follows best practices.

For example, using the latest tag on a container image does not follow best practices. Yet kubeval does not treat this as an error and does not report it, so validation of such YAML completes without warnings.

But what if you want to score the YAML and catch violations such as the latest tag? How can I check YAML files against best practices?

2. Kube-score

Kube-score parses YAML manifests and scores them against built-in tests. The tests are chosen based on security guidelines and best practices, such as:

  • Running the container as a non-root user.
  • Having health checks in place.
  • Setting requests and limits for resources.

Based on the test results, one of three outcomes is given: OK, WARNING and CRITICAL.

You can try kube-score online or install it locally.

At the time of writing the original article, the latest version of kube-score was 1.7.0.

Let's try it on our manifest base-valid.yaml:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passed the kubeval checks, while kube-score points out the following shortcomings:

  • No readiness probe is configured.
  • No requests or limits for CPU and memory.
  • No pod disruption budget is defined.
  • No anti-affinity rules to maximise availability.
  • The container runs as root.

These are all valid points about shortcomings that should be addressed to make the Deployment more efficient and reliable.
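To make the kube-score findings above concrete, here is an added Python example, not kube-score's own code, that re-implements several of the checks it reported over the Deployment as a Python dict, including the cross-document PodDisruptionBudget lookup and the implicit-latest case (an image with no tag at all). The exact sub-rules for securityContext, the constructed PodDisruptionBudget and the hardened variant are assumptions for illustration; the OK / WARNING / CRITICAL levels and the exit-code convention are the article's.

```python
"""kube-score-style best-practice checks (added example, not kube-score's code).

Re-implements several of the checks flagged in the output above over the
manifest as Python dicts (no PyYAML needed). The securityContext sub-rules and
message wording are my approximation; the OK / WARNING / CRITICAL levels and
the exit-code convention follow the article.
"""
import copy
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, check name, message)

# Constructed sample: parsed form of base-valid.yaml's Deployment.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "http-echo"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "http-echo"}},
        "template": {
            "metadata": {"labels": {"app": "http-echo"}},
            "spec": {"containers": [{
                "name": "http-echo", "image": "hashicorp/http-echo",
                "args": ["-text", "hello-world"], "ports": [{"containerPort": 5678}]}]},
        },
    },
}

# Constructed sample: a PodDisruptionBudget whose selector matches the pods above.
PDB = {"apiVersion": "policy/v1beta1", "kind": "PodDisruptionBudget",
       "metadata": {"name": "http-echo"},
       "spec": {"minAvailable": 1, "selector": {"matchLabels": {"app": "http-echo"}}}}


def uses_latest_tag(image: str) -> bool:
    """True for an explicit ':latest' or no tag at all (implicitly latest); digests are pinned."""
    if "@" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # the registry may carry ':port', so inspect the last path element
    return ":" not in last or last.endswith(":latest")


def selector_matches(selector: Dict, labels: Dict) -> bool:
    """matchLabels semantics: every selector key/value must be present in the labels."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def score(deployment: Dict, all_docs: List[Dict]) -> List[Finding]:
    """Return the findings for one Deployment; all_docs is needed for cross-document checks."""
    out: List[Finding] = []
    pod = deployment["spec"]["template"]
    pod_labels = pod["metadata"].get("labels", {})
    for c in pod["spec"].get("containers", []):
        n = c["name"]
        if uses_latest_tag(c.get("image", "")):
            out.append(("CRITICAL", "Container Image Tag", f"{n} -> Image with latest tag"))
        if "readinessProbe" not in c:
            out.append(("CRITICAL", "Pod Probes", f"{n} -> Container is missing a readinessProbe"))
        res = c.get("resources", {})
        for section, word in (("limits", "limit"), ("requests", "request")):
            for r in ("cpu", "memory"):
                if r not in res.get(section, {}):
                    out.append(("CRITICAL", "Container Resources", f"{n} -> {r} {word} is not set"))
        sc = c.get("securityContext")
        if sc is None:
            out.append(("CRITICAL", "Container Security Context", f"{n} -> Container has no configured security context"))
        elif sc.get("runAsNonRoot") is not True:  # assumed sub-rule: non-root must be explicit
            out.append(("CRITICAL", "Container Security Context", f"{n} -> runAsNonRoot is not set"))
    # Cross-document check: does any PodDisruptionBudget select these pods?
    if not any(d.get("kind") == "PodDisruptionBudget"
               and selector_matches(d["spec"].get("selector", {}), pod_labels) for d in all_docs):
        out.append(("CRITICAL", "Deployment has PodDisruptionBudget", "No matching PodDisruptionBudget was found"))
    if "podAntiAffinity" not in pod["spec"].get("affinity", {}):
        out.append(("WARNING", "Deployment has host PodAntiAffinity", "Deployment does not have a host podAntiAffinity set"))
    return out


def exit_code(findings: List[Finding], fail_on_warning: bool = False) -> int:
    """Non-zero on any CRITICAL; on WARNING too when requested, like kube-score's switch."""
    bad = {"CRITICAL"} | ({"WARNING"} if fail_on_warning else set())
    return 1 if any(sev in bad for sev, _, _ in findings) else 0


def hardened_copy() -> Dict:
    """The same Deployment with every finding above addressed (constructed values)."""
    d = copy.deepcopy(DEPLOYMENT)
    c = d["spec"]["template"]["spec"]["containers"][0]
    c["image"] = "hashicorp/http-echo:0.2.3"  # pinned tag; version chosen for illustration
    c["readinessProbe"] = {"httpGet": {"path": "/", "port": 5678}}
    c["resources"] = {"requests": {"cpu": "10m", "memory": "16Mi"}, "limits": {"cpu": "100m", "memory": "64Mi"}}
    c["securityContext"] = {"runAsNonRoot": True, "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False}
    d["spec"]["template"]["spec"]["affinity"] = {"podAntiAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": [
        {"labelSelector": {"matchLabels": {"app": "http-echo"}}, "topologyKey": "kubernetes.io/hostname"}]}}
    return d


if __name__ == "__main__":
    findings = score(DEPLOYMENT, [DEPLOYMENT])
    for f in findings:
        print("[%s] %s: %s" % f)
    print("exit code:", exit_code(findings))
```

Run stand-alone it lists eight CRITICAL findings and one WARNING for base-valid.yaml and exits 1; `score(hardened_copy(), [hardened_copy(), PDB])` returns no findings, which is the state the list above asks for.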

The kube-score command prints its results in human-readable form, including every WARNING and CRITICAL violation, which is very helpful during development.

Those who want to use the tool in a CI pipeline can make the output more compact with the --output-format ci flag (in this mode, checks with an OK result are shown as well):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Like kubeval, kube-score returns a non-zero exit code when a check fails with CRITICAL. You can also enable the same behaviour for WARNING.

It can also check resources for conformance with different API versions (like kubeval). However, this information is hardcoded into kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a real problem if you plan to upgrade your cluster or if you run several clusters with different versions of K8s.

Note that there is already an issue proposing to implement this capability.

More information about kube-score can be found on the official website.

Kube-score checks are a great tool for enforcing best practices, but what if you need to change or add your own rules? Alas, that is not possible.

Kube-score is not extensible: you cannot add policies to it or modify the existing ones.

If you need to write custom checks that verify compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files as well as Kubernetes manifests.

You can install it by following the instructions on the project website.

The current release at the time of writing the original article was 1.5.0.

Config-lint has no built-in checks for Kubernetes manifests.

To run any check, you have to write the corresponding rules. They are written in YAML files called "rulesets" and have the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's look at it in more detail:

  • The type field specifies which kind of configuration config-lint will check. For K8s manifests this is always Kubernetes.
  • In the files field you can list directories as well as individual files.
  • The rules field holds the user-defined checks.

Say you want to make sure that the images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. The config-lint rule that performs this check would look like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Each rule must have the following attributes:

  • id - a unique identifier of the rule;
  • severity - one of FAILURE, WARNING and NON_COMPLIANT;
  • message - when the rule is violated, the contents of this line are printed;
  • resource - the type of resource the rule applies to;
  • assertions - a list of conditions that will be evaluated against this resource.

In the rule above, the assertion named every checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (i.e. ones whose reference starts with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To try the rule out, let's save it as check_image_repo.yaml and run the check against the file base-valid.yaml:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check fails. Now let's look at the following manifest, which uses the correct image repository:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

Let's run the same check against the manifest above. No problems are found:

Config-lint is a promising framework that lets you create your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic and checks? Isn't YAML too limiting for that? What if you could write the checks in a full programming language?

4. Copper

Copper V2 is a framework for validating manifests with custom checks (similar to config-lint).

It differs from the latter in that it does not use YAML to describe the checks. Instead, checks are written in JavaScript. Copper provides a library with several basic helpers that let you read information about Kubernetes objects and report errors.

Installation steps for copper can be found in the official documentation.

2.0.1 was the latest release of this utility at the time of writing the original article.

Like config-lint, copper has no built-in checks. Let's write one. It will verify that Deployments use container images exclusively from a trusted repository such as my-company.com.

Create a file check_image_repo.js with the following contents:

// $$ holds every document loaded from the input manifests
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            // DockerImage splits the reference into registry, name and tag
            var image = new DockerImage(container.image);
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                // report a failed check with severity 1
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});

Now let's test our manifest base-valid.yaml using the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_tag.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Obviously, copper lets you write more complex checks, for example verifying the host names in Ingress manifests or rejecting pods that run in privileged mode.

Copper has several basic helpers built in:

  • DockerImage reads the given image reference and creates an object with the following attributes:
    • name - the image name,
    • tag - the image tag,
    • registry - the registry,
    • registry_url - the protocol (https://) and the registry,
    • fqin - the fully qualified location of the image.
  • The findByName function finds a resource in the input by its type (kind) and name (name).
  • The findByLabels function finds resources in the input by their type (kind) and labels (labels).

The full list of available helpers can be found here.

By default, copper loads all input YAML files into the $$ variable and makes it available to the scripts (a familiar technique for anyone with jQuery experience).
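The DockerImage helper listed above is copper's. As an added example that is not copper's implementation, the Python code below parses an image reference into the same attributes following the Docker reference rules: the first path component is a registry only if it contains a dot or a colon or is 'localhost'; otherwise the image lives on docker.io, and a bare name sits under library/. It also shows why the trusted-registry checks in this article should compare the parsed registry host rather than a string prefix: 'my-company.com:443/http-echo:1.0' is the same registry but fails a starts-with 'my-company.com/' test. DEFAULT_REGISTRY and the function names are my own.

```python
"""Parse container image references into registry / name / tag / digest.

Added example, not copper's DockerImage implementation. Applies the Docker
reference rules (registry only if the first component has '.' or ':' or is
'localhost'; default registry docker.io; bare names under 'library/') and
exposes the attributes listed above for copper's helper.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"  # assumption: Docker's default registry host


@dataclass(frozen=True)
class DockerImage:
    registry: str
    name: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def registry_url(self) -> str:
        return "https://" + self.registry

    @property
    def fqin(self) -> str:
        """Fully qualified image name with all defaults made explicit."""
        ref = f"{self.registry}/{self.name}"
        if self.tag:
            ref += ":" + self.tag
        if self.digest:
            ref += "@" + self.digest
        return ref


def parse_image(ref: str) -> DockerImage:
    """Split an image reference as written in a manifest into its parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = DEFAULT_REGISTRY, ref
        if "/" not in path:
            path = "library/" + path      # 'nginx' means docker.io/library/nginx
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):           # a ':' after the last '/' separates the tag
        path, tag = path[:colon], path[colon + 1:]
    if tag is None and digest is None:
        tag = "latest"                    # the implicit default that kube-score flags
    return DockerImage(registry, path, tag, digest)


def from_trusted_registry(ref: str, trusted: str = "my-company.com") -> bool:
    """Decide on the parsed registry host (port stripped), not on a raw string prefix."""
    host = parse_image(ref).registry.split(":")[0]
    return host == trusted


if __name__ == "__main__":
    for ref in ("hashicorp/http-echo", "my-company.com/http-echo:1.0", "my-company.com:443/http-echo:1.0"):
        img = parse_image(ref)
        print(f"{ref:40} -> {img.fqin:50} trusted={from_trusted_registry(ref)}")
```

The last reference in the demo loop is the instructive one: a registry on a non-default port is still the company registry, so a check that reasons about the parsed host accepts it, while the `starts-with "my-company.com/"` rule from the config-lint section rejects it.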

The main advantage of copper is obvious: you do not need to learn a specialised language, and you can use the usual JavaScript features to build your own checks, such as string interpolation, functions and so on.

It should also be noted that the current version of copper runs on an ES5 JavaScript engine, not ES6.

Details are available on the official project website.

If, however, you are not fond of JavaScript and prefer a language designed specifically for writing queries and describing policies, you should take a look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing and verifying Kubernetes manifests. Checks are described in the specialised query language Rego.

You can install conftest by following the instructions on the project website.

At the time of writing the original article, the latest available version was 0.18.2.

Like config-lint and copper, conftest comes without built-in checks. Let's try it out and write our own policy. As in the previous examples, we will check whether the container images come from a trusted source.

Create a directory conftest-checks and, inside it, a file named check_image_registry.rego with the following contents:

package main

deny[msg] {

  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's run base-valid.yaml through conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

The check fails, as expected, because the image comes from an untrusted source.

In the Rego file we define a deny block. If it evaluates to true, that counts as a violation. If there are several deny blocks, conftest evaluates them independently of each other, and any one of them being true is treated as a violation.

Besides the default output, conftest supports the JSON, TAP and table formats, which is very handy when you need to embed the reports in an existing CI pipeline. The desired format is set with the --output flag.

To make debugging policies easier, conftest offers the --trace flag. It prints a trace of how conftest evaluates the given policy files.

Conftest policies can be published and shared as artifacts in OCI (Open Container Initiative) registries.

The push and pull commands let you publish an artifact or fetch an existing one from a remote registry. Let's try publishing the policy we created to a local Docker registry using conftest push.

Start a local Docker registry:

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory you created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run conftest pull in it. It will download the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file will appear in the temporary directory:

$ tree
.
└── policy
  └── check_image_registry.rego

Checks can be run directly from the registry:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, DockerHub is not supported yet. So count yourself lucky if you use Azure Container Registry (ACR) or run your own registry.

The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to run checks from existing OPA bundles.

You can learn more about policy sharing and other conftest features on the official project website.

6. Polaris

The last tool discussed in this article is Polaris. (Translator's note: we already translated its announcement last year.)

Polaris can be installed into a cluster or used in command-line mode. As you may have guessed, it lets you check Kubernetes manifests statically.

In command-line mode, built-in checks are available in areas such as security and best practices (similar to kube-score). In addition, you can write your own checks (as with config-lint, copper and conftest).

In other words, Polaris combines the strengths of both categories of tools: built-in and custom checks.

To install Polaris for command-line use, follow the instructions on the project website.

At the time of writing the original article, version 1.0.3 was available.

Once the installation is complete, you can run polaris against the manifest base-valid.yaml with the following command:

$ polaris audit --audit-path base-valid.yaml

It prints a JSON string with a detailed description of the checks performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris identifies the areas where the manifest does not follow best practices:

  • No health checks for the pods.
  • No tags specified for the container images.
  • The container runs as root.
  • No requests and limits set for memory and CPU.

Depending on its result, each check is assigned a criticality level: warning or danger. For more information about the built-in checks, see the documentation.

If you do not need the details, you can pass the --format score flag. Polaris then prints a single number from 1 to 100, the score (i.e. the rating):

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the level of compliance. If you inspect the exit code of the polaris audit command, it turns out to be 0.

You can make polaris audit exit with a non-zero code using two flags:

  • The --set-exit-code-below-score flag takes a threshold in the range 1-100 as its argument. The command then exits with code 4 if the score is below the threshold. This is very useful when you have a certain threshold (say 75) and need to be alerted whenever the score drops below it.
  • The --set-exit-code-on-danger flag makes the command fail with code 3 if any of the danger-level checks fails.

Now let's try writing a custom check that verifies whether the images come from a trusted repository. Custom checks are declared in YAML, and the check itself is described with JSON Schema.

The YAML snippet below declares a new check called checkImageRepo:

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$

Let's take a closer look at it:

  • successMessage - this line is printed when the check passes;
  • failureMessage - this message is shown when the check fails;
  • category - one of the categories: Images, Health Checks, Security, Networking and Resources;
  • target - determines which object (spec) the check is applied to. Possible values: Container, Pod or Controller;
  • The check itself is defined in the schema object using JSON Schema. The key element of this check is pattern, which compares the image source against the required one.

To run the check above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(polaris-conf.yaml)

Let's walk through the file:

  • The checks field lists the checks and their severity levels. Since we want to be alerted when an image is pulled from an untrusted source, we set the level to danger here.
  • The checkImageRepo check itself is then registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit against the YAML manifest that needs to be validated.

Let's test our manifest base-valid.yaml:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command runs only the custom check defined above, and the check fails.

If you change the image to my-company.com/http-echo:1.0, Polaris will pass. The manifest with this change is already in the repository, so you can re-run the previous command against the manifest image-valid-mycompany.yaml.
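To make the mechanics of the custom check concrete, here is an added example (not Polaris's own code) that evaluates the checkImageRepo configuration above against a constructed Deployment the way polaris audit does: it resolves the target (Container means every container and initContainer of the pod template), validates each one against the JSON Schema pattern, and returns exit code 3 when a danger-level check fails. It deliberately escapes the dot in the pattern, since the page's ^my-company.com/.+$ would also accept a registry such as my-companyXcom.

```python
import re

# Constructed evaluator (not Polaris's own code) mirroring custom_check.yaml, dot escaped.
POLARIS_CONFIG = {
    "checks": {"checkImageRepo": "danger"},
    "customChecks": {
        "checkImageRepo": {
            "successMessage": "Image registry is valid",
            "failureMessage": "Image registry is not valid",
            "target": "Container",
            "schema": {"type": "object", "properties": {
                "image": {"type": "string", "pattern": r"^my-company\.com/.+$"}}},
        }
    },
}

def matches_schema(obj, schema):
    """JSON Schema subset used by the check: type, properties, pattern (unanchored)."""
    kind = schema.get("type")
    if kind == "object":
        props = schema.get("properties", {}).items()
        return isinstance(obj, dict) and all(
            matches_schema(obj[k], s) for k, s in props if k in obj)
    if kind == "string":
        pattern = schema.get("pattern")
        return isinstance(obj, str) and (pattern is None or re.search(pattern, obj) is not None)
    return True

def targets(manifest, target):
    """Objects a check applies to: the Controller, its Pod spec, or each Container."""
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)  # controllers wrap a pod template
    if target == "Controller":
        return [manifest]
    if target == "Pod":
        return [pod]
    return pod.get("containers", []) + pod.get("initContainers", [])

def audit(manifest, config=POLARIS_CONFIG):
    """Return (exit_code, results); exit code 3 once any danger-level check fails."""
    results, danger_failed = [], False
    for name, check in config["customChecks"].items():
        severity = config["checks"].get(name)
        if severity in (None, "ignore"):
            continue
        for obj in targets(manifest, check["target"]):
            ok = matches_schema(obj, check["schema"])
            results.append((name, severity, check["successMessage" if ok else "failureMessage"]))
            danger_failed = danger_failed or (severity == "danger" and not ok)
    return (3 if danger_failed else 0), results
```

Because JSON Schema patterns are matched unanchored, the ^ and $ anchors in the pattern matter as much as the escaped dot.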

Now the question arises: how do you run the built-in checks together with the custom ones? Easy! You just need to add the identifiers of the built-in checks to the configuration file. It then takes the following form:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(config_with_custom_check.yaml)

An example of a complete configuration file is available here.

To check the manifest base-valid.yaml using both the built-in and the custom checks, you can use the command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris complements the built-in checks with custom ones, thereby combining the best of both worlds.

On the other hand, the inability to use more powerful languages such as Rego or JavaScript can be a limiting factor that prevents writing more sophisticated checks.

More information about Polaris is available on the project website.

Conclusion

While there are many tools available for validating and analyzing Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and executed.

For example, if you pass Kubernetes manifests through a pipeline, kubeval can be the first step in that pipeline. It will verify whether the object definitions conform to the Kubernetes API schema.

Once that check is complete, you can move on to more elaborate tests, such as compliance with standard best practices and specific policies. This is where kube-score and Polaris come in handy.

For those with complex requirements who need to customize the checks in detail, copper, config-lint and conftest will be suitable.

Conftest and config-lint use YAML to define custom checks, while copper gives you access to a full programming language, making it quite attractive.

On the other hand, is it worth using one of these tools and therefore writing every check manually, or is it better to prefer Polaris and add only what is missing to it? There is no definitive answer to this question.

The table below gives a brief description of each tool (columns: tool, purpose, disadvantages, custom checks):

  • kubeval. Purpose: validates YAML manifests against a specific version of the API schema. Disadvantages: cannot work with CRDs. Custom checks: no.
  • kube-score. Purpose: analyzes YAML manifests against standard best practices. Disadvantages: you cannot choose the Kubernetes API version used to check the resources. Custom checks: no.
  • copper. Purpose: a general framework for writing custom JavaScript checks for YAML manifests. Disadvantages: no built-in checks; poor documentation. Custom checks: yes.
  • config-lint. Purpose: a general framework for writing checks in a YAML-based DSL. Supports various configuration formats (e.g. Terraform). Disadvantages: no ready-made checks; the built-in assertions and functions may be insufficient. Custom checks: yes.
  • conftest. Purpose: a framework for writing your own checks in Rego (a specialized query language). Allows sharing policies as OCI bundles. Disadvantages: no built-in checks; you have to learn Rego; Docker Hub is not supported when publishing policies. Custom checks: yes.
  • Polaris. Purpose: analyzes YAML manifests against standard best practices. Allows you to write your own checks using JSON Schema. Disadvantages: the checking capabilities based on JSON Schema may be insufficient. Custom checks: yes.

Since these tools do not rely on access to a Kubernetes cluster, they are easy to set up. They allow you to filter source files and give quick feedback to the authors of pull requests in your projects.


Source: www.hab.com