Validating Kubernetes YAML against best practices and policies
Translator's note: With the growing number of YAML configurations for Kubernetes environments, the need to validate them automatically is becoming ever more pressing. The author of this review not only selected the existing solutions for this task but also looked at how they work, using a Deployment as the example. It turned out to be very informative for anyone interested in the topic.
TL;DR: This article compares six static tools for validating and assessing Kubernetes YAML files against best practices and policies.
Kubernetes workloads are most often defined as YAML documents. One of the problems with YAML is how hard it is to express constraints or relationships between manifest files.
What if we need to make sure that every image deployed to the cluster comes from a trusted registry?
How do I stop Deployments that have no PodDisruptionBudget from being sent to the cluster?
Combining static checks lets you catch errors and policy violations at the development stage. This raises the assurance that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.
The ecosystem of static validation tools for Kubernetes YAML files can be divided into the following categories:
API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
Ready-made linters. Tools in this group come with built-in checks for security, compliance with best practices, and so on.
Custom validators. Tools in this group let you write custom checks in various languages, for example Rego and JavaScript.
In this article we will describe and compare six different tools:
kubeval;
kube-score;
config-lint;
copper;
conftest;
polaris.
Well, let's get started!
Test workload
Before we begin comparing the tools, let's create a baseline that we will test them against.
The manifest below contains a number of mistakes and departures from best practices: how many of them can you spot?
The manifest above, base-valid.yaml, and the other manifests from this article can be found in the Git repository.
The manifest describes a web application whose only job is to answer on port 5678 with the message "Hello World". It can be deployed with the following command:
kubectl apply -f hello-world.yaml
And then checked:
kubectl port-forward svc/http-echo 8080:5678
Now open http://localhost:8080 and confirm that the application works. But does it follow best practices? Let's check.
1. Kubeval
The premise behind kubeval is that every interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.
Can you spot the problem by eye? Let's run it:
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# check the exit code
$ echo $?
1
The resource did not pass validation.
A Deployment that uses the apps/v1 API version must include a selector matching the pod labels. The manifest above does not include one, so kubeval reports an error and exits with a non-zero code.
I wonder what happens if I run kubectl apply -f on this manifest?
Well, let's try:
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false
This is exactly the error kubeval warned about. You can fix it by adding a selector:
The advantage of a tool like kubeval is that errors of this kind are caught early in the deployment cycle.
In addition, these checks do not need access to the cluster; they can be run offline.
By default, kubeval validates resources against the most recent Kubernetes API schema. In most cases, however, you will want to validate against a specific Kubernetes release. That is done with the --kubernetes-version flag:
Note that the version must be given in Major.Minor.Patch form (1.18.0, for example, not 1.18).
For the list of versions that validation supports, see the JSON schemas on GitHub that kubeval uses for validation. If you need to run kubeval offline, download the schemas and point to their local location with the --schema-location flag.
Besides individual YAML files, kubeval can also operate on directories and on stdin.
Kubeval also integrates easily into a CI pipeline. Those who want to run the checks before sending manifests to the cluster will be glad to know that kubeval supports three output formats:
plain text;
JSON;
Test Anything Protocol (TAP).
Any of these formats can be used for further parsing of the output to build a summary of results in the required form.
One of kubeval's drawbacks is that it currently cannot validate custom resource definitions (CRDs). It is possible, however, to configure kubeval to ignore them (the --ignore-missing-schemas flag); bear in mind that any resource of a CRD-defined kind then passes through unchecked.
Kubeval is a great tool for checking and validating resources; it should be stressed, though, that passing its checks is no guarantee that a resource follows best practices.
For example, using the latest tag for a container image is not best practice. Kubeval, however, does not treat this as an error and will not report it. In other words, validation of such a YAML completes without warnings.
But what if you want to assess the YAML and find violations like the latest tag? How do I check a YAML file against best practices?
2. Kube-score
Kube-score analyzes YAML manifests and assesses them against its built-in checks. The checks are chosen on the basis of security guidelines and best practices, such as:
running containers as a non-root user;
defining pod health checks;
setting resource requests and limits.
Depending on the outcome of a check, one of three results is given: OK, WARNING, or CRITICAL.
You can try kube-score online or install it locally.
At the time the original article was written, the latest kube-score version was 1.7.0.
Let's try it on our base-valid.yaml manifest:
$ kube-score score base-valid.yaml
apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
· http-echo -> Image with latest tag
Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
· The pod does not have a matching network policy
Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
· Container is missing a readinessProbe
A readinessProbe should be used to indicate when the service is ready to receive traffic.
Without it, the Pod is risking to receive traffic before it has booted. It is also used during
rollouts, and can prevent downtime if a new version of the application is failing.
More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
· http-echo -> Container has no configured security context
Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
· http-echo -> CPU limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
· http-echo -> Memory limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
· http-echo -> CPU request is not set
Resource requests are recommended to make sure that the application can start and run without
crashing. Set resources.requests.cpu
· http-echo -> Memory request is not set
Resource requests are recommended to make sure that the application can start and run without crashing.
Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
· No matching PodDisruptionBudget was found
It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
· Deployment does not have a host podAntiAffinity set
It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
being scheduled on the same node. This increases availability in case the node becomes unavailable.
The YAML passed the kubeval checks, but kube-score points out the following shortcomings:
a readiness probe is not configured;
there are no resource requests or limits for CPU and memory;
no PodDisruptionBudget is defined;
there are no anti-affinity rules to improve availability;
no security context is configured, so nothing stops the container from running as root.
These are all valid points about shortcomings that need attention for the Deployment to run reliably and securely.
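To make the findings concrete, here is an added example that is not the article's own manifest (this page does not reproduce base-valid.yaml): a reconstruction of the weak Deployment, built only from the details the article gives (image hashicorp/http-echo with no tag, port 5678, a Service named http-echo, which is omitted here because it is unchanged), placed beside a hardened version that addresses each kube-score finding above. Both carry the selector/label pairing that kubeval insisted on in section 1. The image name my-company.com/http-echo:1.0 is the one the article uses later; the probe settings, user ID, resource figures and PodDisruptionBudget values are assumptions.

```yaml
# Added example: a reconstruction of the weak Deployment (assumption, built from
# the details the article gives), followed by a hardened version.
# --- Weak: what kube-score flags ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:                 # required by apps/v1; must match the pod labels
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
        - name: http-echo
          image: hashicorp/http-echo   # no tag => latest; registry not pinned
          args: ["-text=hello world"]
          ports:
            - containerPort: 5678
---
# --- Hardened: each kube-score finding addressed ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      affinity:
        podAntiAffinity:            # spread replicas across nodes
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: http-echo
              topologyKey: kubernetes.io/hostname
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000             # assumed non-root UID for the image
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: http-echo
          image: my-company.com/http-echo:1.0   # fixed tag, trusted registry
          args: ["-text=hello world"]
          ports:
            - containerPort: 5678
          readinessProbe:           # assumed: http-echo answers GET / on 5678
            httpGet:
              path: /
              port: 5678
          livenessProbe:            # deliberately different from readiness
            tcpSocket:
              port: 5678
          resources:
            requests: { cpu: 50m, memory: 32Mi }
            limits:   { cpu: 200m, memory: 64Mi }
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
---
apiVersion: policy/v1              # use policy/v1beta1 on clusters older than 1.21
kind: PodDisruptionBudget
metadata:
  name: http-echo
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: http-echo
```

Running kube-score over the hardened document clears the tag, probe, security context, resources, PodDisruptionBudget and anti-affinity findings; the NetworkPolicy finding remains until a NetworkPolicy whose podSelector matches app: http-echo exists, which is not shown here. Note also that a registry prefix only says where an image was pulled from; to pin what it is, reference the image by digest rather than by tag.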
The kube-score command prints human-readable output that includes all WARNING and CRITICAL violations, which is very helpful during development.
Those who want to use the tool in a CI pipeline can make the output more compact with the --output-format ci flag (in this case checks with an OK result are also shown):
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
Like kubeval, kube-score returns a non-zero exit code when a check ends with CRITICAL. You can also enable the same behaviour for WARNING.
It is also possible to check resources for compliance with different API versions (as in kubeval). This information, however, is hard-coded in kube-score itself: you cannot choose a different Kubernetes version. That limitation can be a real problem if you need to upgrade your cluster or if you have several clusters with different K8s versions.
Note that there is already an issue with a proposal to address this.
Kube-score is a great tool for enforcing best practices, but what if you want to change a check or add rules of your own? Alas, that isn't possible.
Kube-score is not extensible: you cannot add policies to it or modify them.
If you want to write custom checks to detect violations of company policies, you can use one of the next four tools: config-lint, copper, conftest, or polaris.
3. Config-lint
Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files and Kubernetes manifests.
You can install it by following the instructions on the project's website.
The current release at the time the original article was written was 1.5.0.
Config-lint has no built-in checks for validating Kubernetes manifests.
To run any check, you must create the appropriate rules. They are written in YAML files called "rulesets" and have the following structure:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  # list of rules
(rule.yaml)
Let's look at it more closely:
The type field sets the type of configuration that config-lint will check. For K8s manifests this is always Kubernetes.
In the files field, besides individual files, you can also specify directories.
The rules field is intended for defining user checks.
Say you want to make sure that the images in a Deployment are always pulled from a trusted registry, such as my-company.com/myapp:1.0. A config-lint rule that performs this check would look like this:
- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"
(rule-trusted-repo.yaml)
Every rule must have the following attributes:
id - a unique identifier for the rule;
severity - can be FAILURE, WARNING, or NON_COMPLIANT;
message - if the rule is violated, the contents of this line are shown;
resource - the kind of resource the rule applies to;
assertions - a list of conditions that will be checked for the resource.
In the rule above, the assertion named every checks that all containers in the Deployment (key: spec.template.spec.containers) use a trusted image (that is, one starting with my-company.com/).
Config-lint is a promising framework that lets you create your own checks for validating Kubernetes YAML manifests using a YAML DSL.
But what if you need more complex logic in your checks? Isn't YAML too limited for that? What if you could write checks in a full programming language?
4. Copper
Copper V2 is a framework for validating manifests using custom checks (like config-lint).
It differs from the latter, however, in that it does not use YAML to describe the checks. Instead, checks are written in JavaScript. Copper provides a library with several basic tools that help you read information from Kubernetes objects and report errors.
The installation steps for copper can be found in the official documentation.
2.0.1 was the latest release of the tool at the time the original article was written.
Like config-lint, copper has no built-in checks. Let's write one. It will check that Deployments pull container images only from a trusted registry such as my-company.com.
Create a file check_image_repo.js with the following contents:
// $$ holds every object copper parsed from the input YAML
$$.forEach(function($){
  if ($.kind === 'Deployment') {
    $.spec.template.spec.containers.forEach(function(container) {
      // DockerImage is copper's built-in helper for parsing image references
      var image = new DockerImage(container.image);
      // report any image whose registry is not my-company.com
      if (image.registry.lastIndexOf('my-company.com/') != 0) {
        errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
      }
    });
  }
});
Now, to check our base-valid.yaml manifest, use the copper validate command with the check_image_repo.js file we just created:
$ copper validate --in=base-valid.yaml --validator=check_image_repo.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed
Clearly, copper lets you write more complex checks, for example checking the domain names in an Ingress manifest or rejecting pods that run in privileged mode.
Copper has several built-in utilities:
DockerImage parses the given image reference and creates an object with the following attributes:
name - the image name,
tag - the image tag,
registry - the image registry,
registry_url - the protocol (https://) and the registry,
fqin - the fully qualified image name.
The findByName function helps find a resource by the given kind and name in the input file.
The findByLabels function helps find a resource by the given kind and labels.
By default it loads all the input YAML files into the $$ variable and makes them available to scripts (a familiar approach for anyone with jQuery experience).
Copper's main advantage is obvious: you don't need to learn a special language, and you can use the usual JavaScript features to build your checks, such as string interpolation, functions, and so on.
Note that the current version of copper runs on an ES5 JavaScript engine, not ES6.
If you don't particularly want JavaScript, however, and prefer a language designed for writing queries and describing policies, you should look at conftest.
5. Conftest
Conftest is a framework for testing configuration data. It is suitable for testing and verifying Kubernetes manifests. Checks are described in the Rego query language.
You can install conftest by following the instructions on the project's website.
At the time the original article was written, the latest available version was 0.18.2.
Like config-lint and copper, conftest comes with no built-in checks. Let's try it out and write our own policy. As in the previous examples, we will check whether the container images come from a trusted source.
Create a directory conftest-checks, and in it a file named check_image_registry.rego with the following contents:
package main

# a deny rule that evaluates to true is reported as a violation
deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}
Now let's test base-valid.yaml with conftest:
$ conftest test --policy ./conftest-checks base-valid.yaml
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure
As expected, the check failed because the image comes from an untrusted source.
In the Rego file we define a deny block. Its truth is treated as a violation. If there are several deny blocks, conftest evaluates them independently of one another, and the truth of any one of them is treated as a violation.
Besides the default output, conftest supports JSON, TAP and table formats, a useful feature if you need to feed the reports into an existing CI pipeline. The required format is set with the --output flag.
To make debugging policies easier, conftest has the --trace flag. It prints a trace of how conftest parses the given policy files.
Conftest policies can be published and shared through OCI (Open Container Initiative) registries as artifacts.
The push and pull commands let you publish an artifact or fetch an existing one from a remote registry. Let's try publishing the policy we created to a local Docker registry using conftest push.
Start a local Docker registry:
$ docker run -it --rm -p 5000:5000 registry
In another terminal, go to the conftest-checks directory you created earlier and run the push command:
If the command succeeds, you will see a message like this:
2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c
Now create a temporary directory and run conftest pull in it. It will download the bundle created by the previous command:
$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
A policy directory containing our policy file will appear in the temporary directory:
$ tree
.
└── policy
└── check_image_registry.rego
The checks can also be run straight from the repository:
$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure
Unfortunately, Docker Hub is not yet supported. So count yourself lucky if you use Azure Container Registry (ACR) or your own registry.
The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to run checks from existing OPA bundles.
You can learn more about sharing policies and other conftest features on the project's official website.
6. Polaris
The last tool we will look at in this article is Polaris. (We have already translated last year's announcement of it - translator's note.)
Polaris can be installed into a cluster or used in command-line mode. As you may have guessed, it lets you statically analyze Kubernetes manifests.
When run in command-line mode, built-in checks are available that cover areas such as security and best practices (similar to kube-score). In addition, you can create your own checks (as in config-lint, copper and conftest).
In other words, Polaris combines the advantages of both categories of tools: built-in and custom checks.
Like kube-score, Polaris reports issues wherever the manifest falls short of best practices:
no pod health checks;
no tag specified for the container image;
the container runs as root;
no resource requests and limits for memory and CPU.
Each check, depending on its result, is assigned a severity level: warning or danger. To learn more about the built-in checks, see the documentation.
If you don't need the details, you can pass the --format score flag. In that case Polaris prints a number from 1 to 100, the score (that is, the rating):
The closer the score is to 100, the higher the degree of compliance. If you check the exit code of the polaris audit command, you will find that it is 0.
To make polaris audit terminate with a non-zero code, use one of two flags:
The --set-exit-code-below-score flag takes a threshold value in the range 1-100 as its argument. In this case the command exits with code 4 if the score is below the threshold. This is very handy when you have a threshold (say 75) and need to be alerted if the score drops below it.
The --set-exit-code-on-danger flag makes the command fail with code 3 if any of the danger checks fail.
Now let's try to create a custom check that verifies whether the image is taken from a trusted registry. Custom checks are defined in YAML, and the check itself is described with JSON Schema.
The following YAML snippet describes a new check called checkImageRepo:
checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        # note: the unescaped '.' is a regex metacharacter here
        pattern: ^my-company.com/.+$
Let's take a closer look:
successMessage - this line is printed if the check completes successfully;
failureMessage - this message is shown on failure;
category - indicates one of the categories: Images, Health Checks, Security, Networking, and Resources;
target - determines the type of object (spec) the check is applied to. Possible values: Container, Pod, or Controller;
The check itself is defined in the schema object using JSON Schema. The key element of this check is the pattern used to compare the image source against the required one.
To run the check above, you need to create the following Polaris configuration:
In the checks field, the checks and their severity levels are listed. Since it is highly undesirable to receive only a warning when an image is pulled from an untrusted source, we set the level here to danger.
The check checkImageRepo itself is registered in the customChecks object.
Save the file as custom_check.yaml. Now you can run polaris audit with the YAML manifest that needs validation.
The polaris audit command ran only the user-defined check given above, and it failed.
If you fix the image to my-company.com/http-echo:1.0, Polaris completes successfully. The manifest with this change is already in the repository, so you can run the previous command against the image-valid-mycompany.yaml manifest.
Now the question arises: how do I run the built-in checks together with the custom ones? Easy! You only need to add the identifiers of the built-in checks to the configuration file. As a result, it takes the following form:
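As an added illustration of the configuration that the last few paragraphs describe (this is not the article's own custom_check.yaml, which the page does not reproduce), here is a Polaris configuration that registers checkImageRepo under customChecks at danger severity and enables several built-in checks alongside it. The built-in check identifiers are those named in the Polaris documentation for the release line discussed here and are an assumption to confirm against the version you run. The pattern escapes the dot, because in the snippet above the unescaped . is a regex metacharacter that would also accept an image from my-companyXcom/.

```yaml
# Added example: a Polaris config combining built-in and custom checks.
checks:
  # the custom check defined below; danger so an untrusted registry is never a mere warning
  checkImageRepo: danger
  # built-in check IDs (assumed from the Polaris docs; verify for your version)
  tagNotSpecified: danger
  runAsRootAllowed: danger
  readinessProbeMissing: warning
  livenessProbeMissing: warning
  cpuRequestsMissing: warning
  memoryLimitsMissing: warning
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          # escape the dot so that my-companyXcom/ does not match
          pattern: ^my-company\.com/.+$
```

Because the severity map lives in checks, the same custom definition can be downgraded to warning in a development pipeline and promoted to danger in the production one without touching the schema; combined with --set-exit-code-on-danger, the production audit then fails the build on an untrusted registry.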
Although many tools are available for validating and assessing Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and executed.
For example, if you take Kubernetes manifests passing through a pipeline, kubeval can be the first step in that pipeline. It checks that the object definitions conform to the Kubernetes API schema.
Once that check has passed, you can move on to more sophisticated checks, such as compliance with best-practice standards and specific policies. This is where kube-score and Polaris come in handy.
For those with complex requirements who need to customize the checks in detail, copper, config-lint and conftest are the right fit.
Config-lint uses a YAML DSL and conftest uses Rego to define custom checks, while copper gives you access to a full programming language, which makes it a rather attractive choice.
On the other hand, is it worth using one of these tools and therefore creating all the checks by hand, or choosing Polaris and adding to it only what is needed? There is no clear answer to this question.
The table below gives a brief description of each tool:

| Tool | Purpose | Limitations | Custom checks |
| --- | --- | --- | --- |
| kubeval | Validates YAML manifests against a specific version of the API schema | Cannot work with CRDs | No |
| kube-score | Assesses YAML manifests against best practices | Cannot choose the Kubernetes API version to check resources against | No |
| copper | General framework for writing custom JavaScript checks for YAML manifests | No built-in checks. Sparse documentation | Yes |
| config-lint | General framework for writing checks in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform) | No built-in checks. The built-in assertions and functions may not be enough | Yes |
| conftest | Framework for writing your own checks using Rego (a specialized query language). Allows sharing policies via OCI bundles | No built-in checks. Rego has to be learned. Docker Hub is not supported when publishing policies | Yes |
| Polaris | Assesses YAML manifests against standard best practices. Lets you create your own checks using JSON Schema | Checks based on JSON Schema may not be powerful enough | Yes |
Because these tools do not depend on access to a Kubernetes cluster, they are easy to install. They let you screen source files and give quick feedback to the authors of pull requests in your projects.