Translator's note: as the number of YAML configurations in a Kubernetes environment grows, so does the need for automated validation. The author of this review not only picked out existing solutions for the task, but also used a Deployment as a running example to check how each of them behaves. It should prove useful to anyone interested in the topic.
TL;DR: this article compares six static tools for validating and evaluating Kubernetes YAML files against best practices and organisational requirements.
Kubernetes workloads are usually defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between manifests.
What if you need to make sure that every image deployed to the cluster comes from a trusted registry?
How do you stop Deployments that have no PodDisruptionBudget from reaching the cluster?
Integrating static checks lets you catch errors and policy violations at development time. This strengthens the guarantee that resource definitions are correct and safe, and makes it more likely that production workloads follow best practices.
The ecosystem of static checkers for Kubernetes YAML files can be divided into the following categories:
- API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
- Ready-made checkers. Tools in this category ship with built-in checks for security, conformance to best practices, and so on.
- Custom validators. Tools in this category let you write your own checks in various languages, for example Rego or JavaScript.
This article describes and compares six different tools:
- kubeval;
- kube-score;
- config-lint;
- copper;
- conftest;
- polaris.
Let's get started!
Validating a Deployment
Before comparing the tools, let's set up a baseline to test them against.
The manifest below contains a number of errors and best-practice violations. How many of them can you spot?
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(base-valid.yaml)
We will use this YAML to compare the tools.
The base-valid.yaml manifest above and the other manifests used in this article are available in a Git repository.
The manifest describes a web application whose only job is to answer with a "hello-world" message on port 5678. It can be deployed with:
kubectl apply -f base-valid.yaml
Then verify that it works:
kubectl port-forward svc/http-echo 8080:5678
and open http://localhost:8080 in a browser or with curl; you should get the hello-world text back.
1. Kubeval
Kubeval builds on the idea that every interaction with Kubernetes goes through its REST API, so a manifest can be validated against the JSON schema of that API.
At the time the original article was written, version 0.15.0 was available.
Install it and feed it the manifest above:
$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)
On success kubeval exits with code 0, which you can verify as follows:
$ echo $?
0
Now let's try kubeval on a different manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(kubeval-invalid.yaml)
Can you spot the problem by eye? Let's run it:
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# check the exit code
$ echo $?
1
The resource failed validation: a Deployment that uses API version apps/v1 must include a selector matching the labels of the Pod template. The manifest above has no selector, so kubeval reported an error and exited with a non-zero code.
Curious what kubectl apply -f does with this manifest?
Let's try:
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false
This is exactly the error kubeval warned about. It is fixed by adding the selector:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(base-valid.yaml)
The advantage of tools like kubeval is that such errors are caught early in the deployment cycle.
Moreover, these checks do not need access to a cluster and can run offline.
By default kubeval validates resources against the latest Kubernetes API schema. In most cases, however, you want to check against the specific Kubernetes release you actually run. This is done with the --kubernetes-version flag:
$ kubeval --kubernetes-version 1.16.1 base-valid.yaml
Note that the version must be given in Major.Minor.Patch form.
To see which versions validation is supported for, look at the JSON schema repository kubeval uses; an alternative schema source can be pointed to with --schema-location.
Besides individual YAML files, kubeval can work on directories and on standard input.
Kubeval also integrates easily into a CI pipeline. If you want to run the check before manifests are sent to the cluster, it helps to know that kubeval supports three output formats:
- plain text;
- JSON;
- Test Anything Protocol (TAP).
Any of these formats can be parsed further to produce whatever summary of the results you need.
One drawback of kubeval is that it currently cannot validate Custom Resource Definitions (CRDs). Kubeval can, however, be configured to ignore them.
Kubeval is a great tool for checking and validating resources. It must be stressed, though, that passing its check does not guarantee that the resource follows best practices.
For example, using the latest tag for a container image is not a best practice, yet kubeval does not treat it as an error and does not report it: such YAML passes validation without a single warning.
So what if you want to evaluate YAML and flag violations like the latest tag? How do you check YAML files against best practices?
2. Kube-score
Kube-score analyses YAML manifests and evaluates them against a set of built-in checks. The checks are derived from security guidelines and best practices such as:
- running containers as a non-root user;
- having Pod health checks (probes) in place;
- setting resource requests and limits.
Each check produces one of three results: OK, WARNING or CRITICAL.
You can try kube-score online or install it locally.
At the time the original article was written, the latest kube-score release was 1.7.0.
Let's try it on base-valid.yaml:
$ kube-score score base-valid.yaml
apps/v1/Deployment http-echo
    [CRITICAL] Container Image Tag
        · http-echo -> Image with latest tag
            Using a fixed tag is recommended to avoid accidental upgrades
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching network policy
            Create a NetworkPolicy that targets this pod
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It is also used during
            rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · http-echo -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Resources
        · http-echo -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · http-echo -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · http-echo -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without
            crashing. Set resources.requests.cpu
        · http-echo -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing.
            Set resources.requests.memory
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
            maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes unavailable.
The YAML passed kubeval, but kube-score points out the following shortcomings:
- no readiness probe is configured;
- no CPU and memory requests or limits are set;
- no PodDisruptionBudget is defined;
- no anti-affinity rules are set to maximise availability;
- the container runs as root.
All of these are valid points about shortcomings that must be fixed to make the Deployment efficient and reliable.
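As an added example that is not part of the original article, here is a version of base-valid.yaml that clears every kube-score finding listed above; the unchanged Service from base-valid.yaml is omitted. The image tag 0.2.3, the UID/GID 10001 and the request and limit figures are assumptions chosen for illustration. The PodDisruptionBudget uses policy/v1 (Kubernetes 1.21 and later; older clusters and older kube-score releases need policy/v1beta1), and the seccompProfile field needs Kubernetes 1.19 or later.

```yaml
# Added example (not from the original article): base-valid.yaml hardened
# to clear the kube-score findings. Assumptions: image tag 0.2.3, UID/GID 10001,
# the request/limit figures, policy/v1 PodDisruptionBudget (Kubernetes >= 1.21).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault            # needs Kubernetes >= 1.19
      affinity:
        podAntiAffinity:                  # spread replicas over different nodes
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              topologyKey: kubernetes.io/hostname
              labelSelector:
                matchLabels:
                  app: http-echo
      containers:
      - name: http-echo
        image: hashicorp/http-echo:0.2.3  # pinned tag instead of implicit latest
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
        securityContext:                  # non-root, immutable root fs, no capabilities
          runAsNonRoot: true
          runAsUser: 10001
          runAsGroup: 10001
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        resources:
          requests:
            cpu: 50m
            memory: 32Mi
          limits:
            cpu: 200m
            memory: 64Mi
        readinessProbe:                   # http-echo answers 200 on any path
          httpGet:
            path: /
            port: 5678
          periodSeconds: 5
        livenessProbe:
          httpGet:
            path: /
            port: 5678
          periodSeconds: 10
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: http-echo
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: http-echo
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: http-echo
spec:
  podSelector:
    matchLabels:
      app: http-echo
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - ports:                                # any client, but only on the service port
    - protocol: TCP
      port: 5678
  egress: []                              # http-echo never initiates connections
```

Keep the PodDisruptionBudget and the NetworkPolicy in the same input you hand to kube-score: it only recognises them as matching when it sees them alongside the Deployment. The empty egress list is a deliberate deny-all; a workload that needs DNS or upstream calls needs explicit egress rules instead.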
The kube-score command prints human-readable output including every WARNING and CRITICAL violation, which is very handy during development.
If you want to use the tool in a CI pipeline, the --output-format ci flag enables a more compact output (in that mode checks with an OK result are listed as well):
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
Like kubeval, kube-score returns a non-zero exit code when a check fails with CRITICAL; the same behaviour can be enabled for WARNING with the --exit-one-on-warning flag.
It can also validate resources against different API versions (as kubeval does). However, that information is hard-coded into kube-score itself, so you cannot choose which Kubernetes version to check against. This limitation can become a real problem if you plan to upgrade the cluster or run several clusters with different Kubernetes versions.
(Translator's note: there is already an issue in the project proposing to implement this feature.)
More details about kube-score are on the project website.
Kube-score's checks are a great way to enforce best practices, but what if you need to change a check or add rules of your own? Unfortunately that is not possible.
Kube-score is not extensible: you can neither add policies nor tweak the existing ones.
If you need custom checks to verify compliance with your organisation's policies, you can use one of four tools: config-lint, Copper, conftest or Polaris.
3. Config-lint
Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files, as well as Kubernetes manifests.
Installation instructions are on the project page.
At the time the original article was written, the current release was 1.5.0.
Config-lint has no built-in checks for Kubernetes manifests.
To run any checks you first have to write rules. They are described in YAML files called rulesets, with the following structure:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  # list of rules
(rule.yaml)
Let's look at it more closely:
- the type field tells config-lint which kind of configuration it is dealing with; for Kubernetes manifests it is always Kubernetes;
- the files field lists what to check; directories can be given as well as individual files;
- the rules field holds the user-defined checks.
Suppose you want to make sure that images in a Deployment are always pulled from a trusted registry, such as my-company.com/myapp:1.0. A config-lint rule that performs this check looks like this:
- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"
(rule-trusted-repo.yaml)
Each rule must have the following attributes:
- id: a unique identifier of the rule;
- severity: one of FAILURE, WARNING or NON_COMPLIANT;
- message: the text shown when the rule is violated;
- resource: the type of resource the rule applies to;
- assertions: the list of conditions evaluated against that resource.
In the rule above, the every assertion checks that all containers of the Deployment (key: spec.template.spec.containers) use a trusted image, that is, one whose reference starts with my-company.com/. Note that only the containers list is inspected: initContainers are not covered by this rule, so a policy meant for enforcement has to cover spec.template.spec.initContainers as well.
The complete ruleset looks like this:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"
(ruleset.yaml)
To try it out, save the ruleset as check_image_repo.yaml and run the check on base-valid.yaml:
$ config-lint -rules check_image_repo.yaml base-valid.yaml
[
  {
    "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
    "Category": "",
    "CreatedAt": "2020-06-04T01:29:25Z",
    "Filename": "test-data/base-valid.yaml",
    "LineNumber": 0,
    "ResourceID": "http-echo",
    "ResourceType": "Deployment",
    "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
    "RuleMessage": "Deployment must use a valid image repository",
    "Status": "FAILURE"
  }
]
The check failed. Now let's try a manifest that references the right image registry:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
(image-valid-mycompany.yaml)
Run the same check on the manifest above; no problems are found:
$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]
Config-lint is a promising framework that lets you write your own checks for Kubernetes YAML manifests in a YAML DSL.
But what if you need more complex logic and checks? Isn't YAML too limited for that? What if you could write the checks in a full programming language?
4. Copper
Copper is a framework for validating manifests with custom checks, much like config-lint. It differs from the latter in that checks are written not in YAML but in JavaScript. Copper provides a small library with helpers for reading Kubernetes objects and reporting errors.
Installation instructions for Copper are on the project page.
At the time the original article was written, 2.0.1 was the latest release of the utility.
Like config-lint, Copper has no built-in checks. Let's write one. It will verify that a Deployment uses only container images from the trusted registry my-company.com.
Create a file check_image_repo.js with the following content:
// Copper loads every object from the input file into $$; DockerImage and
// errors are helpers provided by the Copper runtime.
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            var image = new DockerImage(container.image);
            // report any image whose registry is not my-company.com
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                errors.add_error('no_company_repo', "Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});
Now validate base-valid.yaml with the copper validate command:
$ copper validate --in=base-valid.yaml --validator=check_image_repo.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed
Clearly, Copper can run much more complex checks, for example validating domain names in Ingress manifests or rejecting Pods that run in privileged mode.
Copper has several utility helpers built in:
- DockerImage parses an image reference from the input file and produces an object with the properties name (image name), tag (image tag), registry (image registry), registry_url (the protocol, https://, plus the registry) and fqin (the fully qualified image name);
- the findByName function finds a resource in the input file by type (kind) and name (name);
- the findByLabels function finds resources by type (kind) and labels (labels).
All available helper functions are listed in the project documentation.
By default the whole input YAML file is loaded into the $$ variable and made available to the script (a technique familiar to anyone who has used jQuery).
Copper's main advantage is obvious: you do not have to learn a special language and can use the usual JavaScript features, such as string interpolation and functions, to write your checks.
Note that the current version of Copper embeds an ES5 JavaScript engine, not ES6.
More details are on the project website.
If, however, you are not fond of JavaScript and prefer a language designed specifically for writing queries and policies, you should take a look at conftest.
5. Conftest
Conftest is a framework for testing configuration data. It is well suited to testing and validating Kubernetes manifests. Checks are written in Rego, the query language of the Open Policy Agent project.
Installation instructions are on the project page.
At the time the original article was written, the latest available version was 0.18.2.
Like config-lint and Copper, conftest has no built-in checks. Let's write our own policy. As in the previous examples, it will check that container images come from a trusted source.
Create a directory conftest-checks and inside it a file check_image_registry.rego with the following content:
package main

deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}
Now test base-valid.yaml with conftest:
$ conftest test --policy ./conftest-checks base-valid.yaml
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure
The check failed as expected, because the image does not come from a trusted source.
The Rego file defines a deny block: whenever it evaluates to true, that counts as a violation. If there are several deny blocks, conftest evaluates them independently, and any one of them being true is a violation. Keep in mind that the rule above iterates only over spec.template.spec.containers; initContainers are not inspected, so a policy meant for enforcement should cover that list too.
Besides the default output, conftest supports JSON, TAP and table formats, a handy feature when reports need to be fed into an existing CI pipeline. The desired format is set with the --output flag.
To make policy debugging easier, conftest has the --trace flag, which prints a trace of how conftest evaluates the given policy files.
Conftest policies can be published and shared as artifacts in OCI (Open Container Initiative) registries.
The push and pull commands publish an artifact to, or fetch an existing one from, a remote registry. Let's publish our policy to a local Docker registry with conftest push.
Start a local Docker registry:
$ docker run -it --rm -p 5000:5000 registry
In another terminal, change into the conftest-checks directory created earlier and run:
$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
If the command succeeds, you will see a message like this:
2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c
Now create a temporary directory and run conftest pull in it to download the bundle created by the previous command:
$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
The temporary directory now contains a policy subdirectory with the policy file:
$ tree
.
└── policy
    └── check_image_registry.rego
Checks can be run straight from the registry:
$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure
Unfortunately Docker Hub is not supported yet, so count yourself lucky if your registry is one that is.
The artifact format is the same as Open Policy Agent bundles. More about policy sharing and the other conftest features is on the project website.
6. Polaris
The last tool covered in this article is Polaris.
Polaris can be installed into a cluster or used in command-line mode. As you might guess, the latter lets you analyse Kubernetes manifests statically.
In command-line mode the built-in checks are available, covering areas such as security and best practices (as in kube-score). On top of that you can write your own checks (as in config-lint, Copper and conftest).
In other words, Polaris combines the advantages of both categories of tools: built-in and custom checks.
To install Polaris for command-line use, follow the instructions on the project page.
At the time the original article was written, version 1.0.3 was available.
Once installed, you can run Polaris on base-valid.yaml with:
$ polaris audit --audit-path base-valid.yaml
The output is a JSON document with a detailed description of the checks that ran and their results. It has the following structure:
{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}
The full output is available in the accompanying repository.
Like kube-score, Polaris identifies the areas where the manifest falls short of best practices:
- no Pod health checks;
- no container image tag specified;
- the container runs as root;
- no memory and CPU requests and limits.
Each check is assigned a severity, warning or danger, depending on its result. Details of the available built-in checks are in the documentation.
If you do not need the details, pass --format score. Polaris then prints a single number between 1 and 100: the score.
$ polaris audit --audit-path test-data/base-valid.yaml --format score
68
The closer the score is to 100, the better the conformance. If you check the exit code of polaris audit, you will see that it is 0.
To make polaris audit exit with a non-zero code, use one of two flags:
- --set-exit-code-below-score takes a threshold between 1 and 100 as its argument; if the score is below the threshold, the command exits with code 4. This is handy when you want to be alerted whenever the score drops below a certain value, say 75;
- --set-exit-code-on-danger makes the command exit with code 3 if any danger-level check fails.
Now let's write a custom check that verifies images come from a trusted registry. Custom checks are described in YAML, and the check itself is expressed as a JSON Schema.
The following YAML snippet defines a new check called checkImageRepo:
checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$
Let's look at it in detail:
- successMessage is printed when the check passes;
- failureMessage is shown when it fails;
- category is one of Images, Health Checks, Security, Networking or Resources;
- target determines which object (spec) the check applies to; possible values are Container, Pod or Controller;
- the check itself is expressed in the schema object as a JSON Schema. The key here is pattern, which the image reference is matched against. Note that the dot in my-company.com is unescaped and therefore matches any character, and that the pattern still accepts my-company.com/app:latest; a stricter pattern should escape the dot and require a tag or digest.
To run this check you need to create the following Polaris configuration:
checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$
(polaris-conf.yaml)
Let's go through the file:
- the checks field lists the checks and their severity levels. Since we want to be alerted whenever an image comes from an untrusted source, the level is set to danger;
- the check itself, checkImageRepo, is registered in the customChecks object.
Save the file as custom_check.yaml. Now polaris audit can be run against the YAML manifest that needs validating.
Let's check our base-valid.yaml:
$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml
The polaris audit command ran only the custom check defined above, and it failed.
If the image is changed to my-company.com/http-echo:1.0, Polaris completes successfully. A manifest with that change already exists: image-valid-mycompany.yaml.
Now the question: how do you run the built-in checks together with the custom ones? Easy: just add the identifiers of the built-in checks to the configuration file. The result looks like this:
checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo: # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$
(config_with_custom_check.yaml)
A full example configuration file is available in the accompanying repository.
To check base-valid.yaml with both the built-in and the custom checks, run:
$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml
Polaris complements its built-in checks with custom ones, combining the strengths of both approaches.
On the other hand, the lack of a more powerful language such as Rego or JavaScript can be a limiting factor that prevents more sophisticated checks.
More details about Polaris are on the project website.
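As an added example that is not part of the original article, here is a Polaris configuration that enables a selection of the built-in checks at the severities shown and adds a custom check which only accepts images that come from my-company.com and are pinned by a sha256 digest, with the dot in the registry name escaped. The built-in check identifiers are those of the Polaris 1.x default configuration; the registry name and the chosen severities are assumptions. Polaris evaluates the schema against each container object of the audited workload.

```yaml
# Added example (not from the original article): Polaris config combining
# built-in checks with a stricter custom image check (company registry AND digest).
checks:
  # built-in checks (identifiers from the Polaris 1.x default configuration)
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  memoryRequestsMissing: warning
  memoryLimitsMissing: warning
  readinessProbeMissing: warning
  runAsRootAllowed: danger
  tagNotSpecified: danger
  # custom check defined below
  imageFromCompanyRegistryByDigest: danger
customChecks:
  imageFromCompanyRegistryByDigest:
    successMessage: Image comes from my-company.com and is pinned by digest
    failureMessage: Image must come from my-company.com and be pinned by a sha256 digest
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      required: ["image"]
      properties:
        image:
          type: string
          # escaped registry host, repository path, optional tag, mandatory digest
          pattern: '^my-company\.com/[a-z0-9][a-z0-9._/-]*(:[A-Za-z0-9_][A-Za-z0-9._-]{0,127})?@sha256:[a-f0-9]{64}$'
```

With this configuration the image my-company.com/http-echo:1.0 from image-valid-mycompany.yaml fails the custom check, while my-company.com/http-echo:1.0@sha256:<64 hex digits> passes; the escaped dot also keeps a look-alike such as my-companyXcom/http-echo out. Digest pinning is what makes the registry check meaningful: a mutable tag can be repointed in the registry without any change to the manifest.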
Summary
There are plenty of tools for checking and evaluating Kubernetes YAML files. What matters is a clear understanding of how the checks are designed and run.
For instance, if Kubernetes manifests flow through a pipeline, kubeval can be its first stage: it verifies that object definitions conform to the Kubernetes API schema.
Once that check has passed you can move on to more advanced checks, such as conformance to standard best practices or to specific policies. This is where kube-score and Polaris come in.
If your requirements are complex and you need to customise the checks in detail, Copper, config-lint and conftest are the right choice.
Config-lint defines custom checks in YAML, conftest in Rego, and Copper gives you access to a full programming language, which makes it a very attractive option.
On the other hand, is it worth taking one of these tools and writing every check by hand, or is it better to use Polaris and add only what is missing? There is no clear answer to that question.
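The staged pipeline described above, as an added example that is not part of the original article: a GitHub Actions workflow that runs the tools in order of cost, schema validation first, and stops at the first failing stage. It assumes that the four binaries are already on the runner's PATH (installation steps are omitted), that manifests live under ./manifests, conftest policies under ./conftest-checks and the Polaris configuration in polaris-config.yaml; the Kubernetes version and the score threshold are assumptions too.

```yaml
# Added example (not from the original article): .github/workflows/manifest-checks.yml
# Every step fails the job on a non-zero exit code, so the cheap checks run first.
name: manifest-checks
on:
  pull_request:
    paths: ["manifests/**", "conftest-checks/**", "polaris-config.yaml"]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # 1. Is it valid for the API server? --strict also rejects unknown fields.
      - name: kubeval (API schema)
        run: kubeval --strict --kubernetes-version 1.16.1 --output tap manifests/*.yaml

      # 2. Does it follow best practices? Fail on WARNING as well as CRITICAL.
      - name: kube-score (best practices)
        run: kube-score score --output-format ci --exit-one-on-warning manifests/*.yaml

      # 3. Does it comply with organisational policy written in Rego?
      - name: conftest (policy)
        run: conftest test --policy ./conftest-checks --output tap manifests/*.yaml

      # 4. Polaris score gate: exit 4 below the threshold, exit 3 on any danger check.
      - name: polaris (score gate)
        run: >-
          polaris audit --config polaris-config.yaml --audit-path manifests
          --set-exit-code-below-score 75 --set-exit-code-on-danger
```

The order matters: kubeval catches manifests the API server would reject anyway, so the policy stages only ever see syntactically valid objects, and a failure in the policy stages is therefore always a policy problem rather than a typo. Pin the tool versions you install on the runner; the checks that ship with kube-score and Polaris change between releases.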
The table below gives a short description of each tool:
Tool | Purpose | Limitations | Custom checks
kubeval | validates YAML manifests against a specific version of the API schema | does not work with CRDs | no
kube-score | analyses YAML manifests against best practices | cannot choose the Kubernetes API version to check against | no
copper | general framework for writing custom checks for YAML manifests in JavaScript | no built-in checks; sparse documentation | yes
config-lint | general framework for writing checks in a DSL embedded in YAML; supports other configuration formats (e.g. Terraform) | no ready-made checks; the built-in assertions and functions may not be sufficient | yes
conftest | framework for writing your own checks in Rego (a dedicated query language); allows sharing policies as OCI bundles | no built-in checks; Rego has to be learned; Docker Hub is not supported for publishing policies | yes
polaris | reviews YAML manifests against standard best practices; lets you write custom checks with JSON Schema | JSON-Schema-based checks may not be sufficient | yes
None of these tools depend on access to a Kubernetes cluster, so they are easy to set up. They let you screen source files and give quick feedback to the authors of pull requests in a project.
P.S. from the translator
Read also on our blog:
- "Polaris, introduced to keep Kubernetes clusters healthy";
- "Vim with YAML support for Kubernetes";
- "Google's 7 best practices for using containers".
Source: habr.com