Validating Kubernetes YAML for best practices and policies

Translator's note: As the number of YAML configurations for K8s environments grows, so does the need to validate them automatically. The author of this review not only picked out the current solutions for this task, but also walked through them with a Deployment as the example to show how they work. The result is a very informative read for anyone interested in the topic.

TL;DR: This article compares six static tools for validating and evaluating Kubernetes YAML files against requirements and best practices.

Kubernetes workloads are most often defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between manifest files.

What if we want to make sure that every image deployed to the cluster comes from a trusted registry?

How can I prevent Deployments that have no PodDisruptionBudget from being deployed to the cluster?

Integrating static checks lets you catch errors and policy violations at the development stage. It raises confidence that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.

The ecosystem of static checking tools for Kubernetes YAML can be split into the following categories:

  • API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
  • Ready-made checkers. Tools in this category come with pre-built checks for security, conformance to best practices, and so on.
  • Custom validators. Tools in this category let you write custom checks in various languages, for example Rego and JavaScript.

This article describes and compares six different tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. polaris.

So, let's get started!

Checking Deployments

Before we start comparing the tools, we need a baseline to test them on.

The manifest below contains a number of errors and departures from best practices: how many of them can you spot?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the different tools.

The base-valid.yaml manifest above and the other manifests from this article can be found in the Git repository.

The manifest describes a web application whose main job is to respond with the message "Hello World" on port 5678. It can be deployed with the following command:

kubectl apply -f base-valid.yaml

Now check that it works:

kubectl port-forward svc/http-echo 8080:5678

Now open http://localhost:8080 and confirm that the application is running. But does it follow best practices? Let's check.

1. Kubeval

kubeval is built on the premise that all interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are available on the project website.

At the time the original article was written, the available version was 0.15.0.

Once installed, feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

On success, kubeval exits with code 0. You can check it like this:

$ echo $?
0

Let's now try kubeval with a different manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the return code
$ echo $?
1

The resource failed validation.

Deployments that use the apps/v1 API version must include a selector matching the pod labels. The manifest above lacks the selector, so kubeval reported an error and exited with a non-zero code.

I wonder what would happen if I ran kubectl apply -f with this manifest?

Well, let's try it:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding a selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of tools like kubeval is that errors of this kind are caught early in the deployment cycle.

In addition, these checks do not require access to the cluster and can be run offline.

By default, kubeval checks resources against the latest Kubernetes API schema. In most cases, however, you will want to check against a specific Kubernetes release. This is done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be given in Major.Minor.Patch format.

For the list of versions against which validation is supported, see the JSON schemas on GitHub that kubeval uses for validation. If you need to run kubeval offline, download the schemas and point to their local location with the --schema-location flag.

Besides individual YAML files, kubeval can also work with directories and with stdin.

Kubeval also integrates easily into a CI pipeline. Those who want to run checks before pushing manifests to the cluster will be glad to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be used to parse the output and produce a summary of the results in whatever form is needed.

One of kubeval's drawbacks is that it cannot check for conformance to Custom Resource Definitions (CRDs). However, kubeval can be configured to ignore them.

Kubeval is a great tool for checking and evaluating resources; however, it should be stressed that passing its checks does not guarantee that the resource conforms to best practices.

For example, using the latest tag for a container image is not a best practice. Yet kubeval does not treat it as an error and does not report it. That is, such YAML passes validation without any warnings.

But what if you want to evaluate the YAML and identify violations like the latest tag? How can I check a YAML file against best practices?

2. Kube-Score

Kube-Score analyses YAML manifests and evaluates them against built-in checks. These checks are chosen based on security guidelines and best practices, such as:

  • Running the container as a non-root user.
  • Availability of pod health checks.
  • Setting requests and limits for resources.

Based on the check results, one of three outcomes is given: OK, WARNING and CRITICAL.

You can try Kube-Score online or install it locally.

At the time the original article was written, the latest kube-score version was 1.7.0.

Let's try it on our base-valid.yaml manifest:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passes the kubeval checks, but kube-score points out the following flaws:

  • Readiness probes are not configured.
  • There are no requests or limits for CPU and memory resources.
  • Pod disruption budgets are not defined.
  • There are no (anti-)affinity rules to improve availability.
  • The container runs as root.

These are all valid points about flaws that should be fixed to make the Deployment more efficient and reliable.

The kube-score command prints human-readable output listing all WARNING and CRITICAL violations, which is very helpful during development.

Those who want to use this tool in a CI pipeline can get more compact output with the --output-format ci flag (in this case, checks with OK results are shown as well):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Like kubeval, kube-score returns a non-zero exit code when a check fails with CRITICAL. You can enable the same handling for WARNING.

It is also possible to check resources for conformance to different API versions (as with kubeval). However, this information is hard-coded into kube-score itself: you cannot choose a different Kubernetes version. This limitation becomes a real problem if you are going to upgrade your cluster, or if you have several clusters running different K8s versions.

Note that there is already an issue with a proposal to implement this feature.

More information about kube-score is available on the official website.

Kube-score checks are a great tool for enforcing best practices, but what if you need to modify a check or add your own rules? Alas, this is not possible.

Kube-score is not extensible: you cannot add policies to it or adjust the existing ones.

If you want to write custom checks to verify compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files and Kubernetes manifests.

You can install it using the instructions on the project website.

The current release at the time the original article was written was 1.5.0.

Config-lint has no built-in checks for validating Kubernetes manifests.

To run any checks, you have to write the corresponding rules. They are written in YAML files called rulesets, with the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's look at it more closely:

  • The type field specifies what kind of configuration config-lint will check. For K8s manifests this is always Kubernetes.
  • In the files field, besides individual files, you can also specify a directory.
  • The rules field is where user-defined checks are listed.

Say you want to ensure that the images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. The config-lint rule that performs such a check would look like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Each rule must have the following attributes:

  • id is the unique identifier of the rule;
  • severity can be FAILURE, WARNING or NON_COMPLIANT;
  • message is the text shown when the rule is violated;
  • resource is the resource type the rule applies to;
  • assertions is the list of conditions evaluated against this resource.

In the rule above, the assertion called every checks that every container in the Deployment (key: spec.template.spec.containers) uses a trusted image (that is, one whose reference starts with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To try the check, save it as check_image_repo.yaml. Now run the check on the base-valid.yaml file:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check failed. Now let's look at the following manifest, which uses the correct image repository:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

We run the check against the manifest above. No problems are found:

$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]

Config-lint is a promising framework that lets you build your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic in your checks? Is YAML too limiting for that? What if you could build checks in a full programming language?

4. Copper

Copper V2 is a framework for validating manifests using custom checks (similar to config-lint).

However, it differs from the latter in that it does not use YAML to describe the checks. Instead, checks are written in JavaScript. Copper provides a library with a few basic helpers that let you read information from Kubernetes objects and report errors.

Installation steps for Copper can be found in the official documentation.

At the time the original article was written, the latest version of the tool was 2.0.1.

Like config-lint, Copper has no built-in checks. Let's write one. It will check that Deployments use container images from the trusted repository my-company.com.

Create a file check_image_repo.js with the following contents:

// $$ holds every document of the input YAML (see below); walk all of them
$$.forEach(function($){
    // Only Deployments are subject to this check
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            // Copper's DockerImage helper splits the reference into registry, name, tag, ...
            var image = new DockerImage(container.image);
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                // Report a violation: check id, message, severity
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});

Now, to check our base-valid.yaml manifest, use the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_repo.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Clearly, Copper lets you perform more complex checks, for example checking the domain names in Ingress manifests, or rejecting pods that run in privileged mode.

Copper has several built-in helpers:

  • DockerImage reads the specified image reference and creates an object with the following attributes:
    • name - the image name,
    • tag - the image tag,
    • registry - the image registry,
    • registry_url - the protocol (https://) plus the image registry,
    • fqin - the fully qualified image name.
  • The findByName function helps find a resource by type (kind) and name (name) in the input file.
  • The findByLabels function helps find a resource by a given type (kind) and labels (labels).

You can see all the available helper functions here.

By default, the entire input YAML file is loaded into the $$ variable and made available to the script (a familiar technique for anyone with jQuery experience).

Copper's main advantage is simplicity: you don't need to learn a special language, and you can use all the usual JavaScript features, such as string concatenation, functions and so on, to build your own checks.

It should also be noted that the current version of Copper works with the ES5 version of the JavaScript engine, not ES6.

Details are available on the official project website.

However, if you are not a big fan of JavaScript and prefer a language designed specifically for writing queries and describing policies, you should look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing and validating Kubernetes manifests. Checks are described using the special query language Rego.

You can install conftest using the instructions listed on the project website.

At the time the original article was written, the latest available version was 0.18.2.

Like config-lint and copper, conftest comes with no built-in checks. Let's try it by writing our own policy. As in the previous examples, we will check whether container images are pulled from a trusted source.

Create a directory conftest-checks containing a file named check_image_registry.rego with the following contents:
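The two policy questions raised so far, whether an image comes from a trusted registry (the check written for config-lint, Copper, conftest and Polaris) and whether it is pinned to something other than latest (the flaw kube-score reported in section 2), both hinge on parsing the image reference correctly. The following is an added example, not code from the article or from any of the tools it describes: an independent Python parser that exposes the same fields Copper's DockerImage helper provides (registry, name, tag, registry_url, fqin) and applies both checks on top of it. The Docker reference grammar used (docker.io as the default registry, library/ as the default namespace, a first path component counted as a registry only if it contains a dot or a colon or is localhost) is the standard one; TRUSTED_REGISTRIES and all sample image strings are assumptions constructed for this example.

```python
"""Parse container image references and apply registry/tag policy checks.

Added example, independent of the article's tools. Mirrors the fields Copper's
DockerImage exposes and the `latest`-tag finding of kube-score, but is its
own implementation. Sample image strings are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_REGISTRY = "docker.io"
TRUSTED_REGISTRIES = {"my-company.com"}   # assumption: policy value for this example


@dataclass(frozen=True)
class ImageRef:
    registry: str
    name: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def registry_url(self) -> str:
        return "https://" + self.registry

    @property
    def fqin(self) -> str:
        """Fully qualified image name, with default registry/namespace filled in."""
        ref = f"{self.registry}/{self.name}"
        if self.tag:
            ref += ":" + self.tag
        if self.digest:
            ref += "@" + self.digest
        return ref


def parse_image(image: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    The first path component is a registry only if it contains a '.' or ':'
    or is 'localhost'; otherwise the default registry applies and a
    single-segment name gets the 'library/' namespace, as Docker does.
    """
    rest, _, digest = image.partition("@")
    first, sep, remainder = rest.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, remainder
    else:
        registry, path = DEFAULT_REGISTRY, rest
    # A ':' in the last path segment separates the tag (a ':' in the registry is its port)
    if ":" in path.rsplit("/", 1)[-1]:
        name, _, tag = path.rpartition(":")
    else:
        name, tag = path, None
    if registry == DEFAULT_REGISTRY and "/" not in name:
        name = "library/" + name
    return ImageRef(registry, name, tag or None, digest or None)


def check_image(image: str) -> List[str]:
    """Return policy findings for one image reference (empty list = compliant)."""
    ref = parse_image(image)
    findings = []
    if ref.registry not in TRUSTED_REGISTRIES:
        findings.append(f"{image}: registry '{ref.registry}' is not trusted")
    # A digest pins the image exactly; otherwise a missing tag means 'latest'
    if ref.digest is None and (ref.tag is None or ref.tag == "latest"):
        findings.append(f"{image}: unpinned image (tag '{ref.tag or 'latest'}')")
    return findings


if __name__ == "__main__":
    # Constructed sample references
    for img in ["hashicorp/http-echo", "my-company.com/http-echo:1.0",
                "my-company.com/http-echo:latest",
                "localhost:5000/http-echo@sha256:" + "0" * 64]:
        print(img, "->", check_image(img) or "OK")
```

The registry is compared as a parsed component rather than with a string prefix, which is the difference between this and the startswith-style rules above: a reference such as my-company.com.evil.example/app would pass a prefix test but fails here, and a digest-pinned image is accepted even without a tag.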

package main

# Every input document is evaluated against this rule; a match is a violation
deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's test base-valid.yaml with conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

The test failed because the images come from an untrusted source.

In the Rego file we defined the deny block. Whenever it evaluates to true, that counts as a violation. If there are several deny blocks, conftest evaluates them independently of one another, and any one of them being true counts as a violation.

Besides the default output, conftest supports JSON, TAP and table formats, which is very useful if you want to integrate reports into an existing CI pipeline. The desired format is set with the --output flag.

To make debugging policies easier, conftest has the --trace flag. It prints a trace of how the specified policy files are evaluated.

Conftest policies can be published and shared via OCI (Open Container Initiative) registries as artifacts.

The push and pull commands let you publish an artifact to, or fetch an artifact from, a remote registry. Let's try publishing the policy we created to a local Docker registry with conftest push.

Start your local Docker registry:
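To make the evaluation model concrete, here is an added example (not code from the article, and not conftest or Rego) that reproduces the same semantics in plain Python: every rule is evaluated independently against every input document, each rule can yield any number of messages, and any message at all is a violation that turns the exit code non-zero. The three rules are the registry check from check_image_registry.rego, the missing-selector requirement kubeval caught in section 1, and a privileged-container rule of the kind the text mentions. The input manifests are embedded as already-parsed dictionaries (the shape a YAML loader produces) and are constructed for the example: the two documents of base-valid.yaml, minus the selector.

```python
"""Evaluate several independent deny rules over multi-document manifests.

Added example; not code from the original article or from conftest. Input
documents are constructed dicts in the shape a YAML loader would produce.
"""
from typing import Callable, Dict, Iterator, List

Doc = Dict
Rule = Callable[[Doc], Iterator[str]]   # a rule yields one message per violation


def deny_untrusted_image(doc: Doc) -> Iterator[str]:
    """Mirrors the check_image_registry.rego rule: images must come from my-company.com."""
    if doc.get("kind") != "Deployment":
        return
    for c in doc["spec"]["template"]["spec"].get("containers", []):
        image = c.get("image", "")
        if not image.startswith("my-company.com/"):
            yield f"image '{image}' doesn't come from my-company.com repository"


def deny_missing_selector(doc: Doc) -> Iterator[str]:
    """The apps/v1 requirement kubeval caught earlier: a Deployment needs spec.selector."""
    if doc.get("kind") == "Deployment" and "selector" not in doc.get("spec", {}):
        yield "selector is required for apps/v1 Deployment"


def deny_privileged(doc: Doc) -> Iterator[str]:
    """Reject privileged containers (one of the checks the text suggests writing)."""
    if doc.get("kind") != "Deployment":
        return
    for c in doc["spec"]["template"]["spec"].get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            yield f"container '{c.get('name')}' runs privileged"


RULES: List[Rule] = [deny_untrusted_image, deny_missing_selector, deny_privileged]


def evaluate(docs: List[Doc], rules: List[Rule] = RULES) -> List[dict]:
    """Run every rule against every document; return one record per violation."""
    results = []
    for doc in docs:
        ident = f"{doc.get('kind')}/{doc.get('metadata', {}).get('name')}"
        for rule in rules:            # rules never short-circuit each other
            for msg in rule(doc):
                results.append({"resource": ident, "rule": rule.__name__, "msg": msg})
    return results


def report(docs: List[Doc]) -> int:
    """Print conftest-style FAIL lines and a summary; return the process exit code."""
    failures = evaluate(docs)
    for f in failures:
        print(f"FAIL - {f['resource']} - {f['msg']}")
    total = len(docs) * len(RULES)
    print(f"{total} tests, {total - len(failures)} passed, 0 warnings, {len(failures)} failures")
    return 1 if failures else 0


# Constructed input: the two documents of base-valid.yaml, without the selector
SAMPLE_DOCS: List[Doc] = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "http-echo"},
     "spec": {"replicas": 2,
              "template": {"metadata": {"labels": {"app": "http-echo"}},
                           "spec": {"containers": [
                               {"name": "http-echo", "image": "hashicorp/http-echo"}]}}}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "http-echo"},
     "spec": {"ports": [{"port": 5678, "targetPort": 5678}],
              "selector": {"app": "http-echo"}}},
]

if __name__ == "__main__":
    raise SystemExit(report(SAMPLE_DOCS))
```

Run against SAMPLE_DOCS this prints two FAIL lines for the Deployment (untrusted image, missing selector) and exits with 1; the Service triggers nothing because every rule first filters on kind, exactly as the `input.kind == "Deployment"` line does in the Rego rule.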

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory you created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run the conftest pull command in it. It fetches the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file appears in the temporary directory:

$ tree
.
└── policy
  └── check_image_registry.rego

Tests can be run directly from the registry:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, DockerHub is not supported yet. So consider yourself lucky if you use Azure Container Registry (ACR) or your own registry.

The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to run checks from existing OPA bundles.

You can learn more about sharing policies and other conftest features on the official project website.

6. Polaris

The last tool discussed in this article is Polaris. (We translated its announcement last year - translator's note.)

Polaris can be installed into a cluster or used in command-line mode. As you might guess, it lets you statically analyse Kubernetes manifests.

When run in command-line mode, built-in checks are available covering areas such as security and best practices (similar to kube-score). In addition, you can create your own checks (as in config-lint, copper and conftest).

In other words, Polaris combines the advantages of both categories of tools: built-in checks and custom checks.

To install Polaris in command-line mode, use the instructions on the project website.

At the time the original article was written, version 1.0.3 was available.

Once installed, you can run polaris on the base-valid.yaml manifest with the following command:

$ polaris audit --audit-path base-valid.yaml

It prints a JSON string with a detailed description of the checks performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris identifies problems in the areas where the manifest falls short of best practices:

  • There are no health checks for the pods.
  • Container image tags are not specified.
  • The container runs as root.
  • Requests and limits for memory and CPU are not specified.

Each check, depending on its result, is assigned a severity level: warning or danger. To learn more about the available built-in checks, see the documentation.

If the details are not needed, you can pass the --format score flag. In this case Polaris prints a number from 1 to 100: the score (i.e. the rating):

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the degree of compliance. If you check the exit code of the polaris audit command, it turns out to be 0.

You can make polaris audit exit with a non-zero code using two flags:

  • The --set-exit-code-below-score flag takes a threshold value in the range 1-100 as its argument. In this case the command exits with code 4 if the score is below the threshold. This is very useful if you have a threshold value (say 75) and want to be alerted when the score drops below it.
  • The --set-exit-code-on-danger flag makes the command fail with code 3 if any of the danger checks fails.

Now let's try to create a custom check that verifies whether the image is pulled from a trusted repository. Custom checks are specified in YAML format, and the check itself is described using JSON Schema.

The following YAML snippet describes a new check called checkImageRepo:
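The two flags above turn an audit into a CI gate. As an added example (not code from the article or from Polaris), the following Python maps a list of per-check results to a score and to the exit codes the flags describe: 4 when the score is below the threshold, 3 when any danger-level check has failed. The article does not state how Polaris computes its score, so the formula here (percentage of passing checks, rounded) and the rule that a failed danger check takes precedence over a low score are assumptions of this example. Check names other than cpuRequestsMissing, cpuLimitsMissing and checkImageRepo, which appear on this page, are illustrative, and the results themselves are constructed.

```python
"""Turn per-check audit results into a score and a CI exit code.

Added example; not code from the original article or from Polaris. Exit codes
follow the two flags described in the text; the score formula and the
precedence of the danger gate are assumptions. Sample results are constructed.
"""
from typing import List, NamedTuple, Optional


class CheckResult(NamedTuple):
    check: str
    severity: str      # "warning" or "danger"
    success: bool


def score(results: List[CheckResult]) -> int:
    """Percentage of passing checks, 0-100 (assumed formula, see lead-in)."""
    if not results:
        return 100
    passed = sum(1 for r in results if r.success)
    return round(100 * passed / len(results))


def exit_code(results: List[CheckResult], below_score: Optional[int] = None,
              on_danger: bool = False) -> int:
    """Map results to the exit codes the two gating flags use.

    below_score plays the role of --set-exit-code-below-score (exit 4),
    on_danger that of --set-exit-code-on-danger (exit 3); with neither gate
    triggered the result is 0. A failed danger check is checked first.
    """
    if on_danger and any(r.severity == "danger" and not r.success for r in results):
        return 3
    if below_score is not None and score(results) < below_score:
        return 4
    return 0


# Constructed results: the kind of findings the article lists for base-valid.yaml
SAMPLE_RESULTS: List[CheckResult] = [
    CheckResult("readinessProbeMissing", "warning", False),
    CheckResult("livenessProbeMissing", "warning", False),
    CheckResult("tagNotSpecified", "danger", False),
    CheckResult("runAsRootAllowed", "warning", False),
    CheckResult("cpuRequestsMissing", "warning", False),
    CheckResult("cpuLimitsMissing", "warning", False),
    CheckResult("hostNetworkSet", "danger", True),
    CheckResult("hostPIDSet", "danger", True),
    CheckResult("privilegeEscalationAllowed", "danger", True),
    CheckResult("checkImageRepo", "danger", False),   # the custom check from this section
]

if __name__ == "__main__":
    print("score:", score(SAMPLE_RESULTS))
    print("exit code (threshold 75, danger gate on):",
          exit_code(SAMPLE_RESULTS, below_score=75, on_danger=True))
```

With the sample results three of ten checks pass, giving a score of 30: with only a threshold of 75 the gate returns 4, with the danger gate enabled it returns 3 regardless of the score, and a threshold of 20 with no danger gate lets the audit pass with 0. Keeping the two gates separate matters in a pipeline: a low score may be acceptable during a migration, while a failed danger check such as an untrusted image registry should never be.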

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$

Let's take a closer look:

  • successMessage is the line printed when the check passes;
  • failureMessage is the message shown when it fails;
  • category specifies one of the categories: Images, Health Checks, Security, Networking and Resources;
  • target determines what type of object (spec) the check applies to. Possible values: Container, Pod or Controller;
  • The check itself is specified in the schema object using JSON Schema. The key element of this check is pattern, which is used to compare the image source with the required one.

To run the check above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(polaris-conf.yaml)

Let's break the file down:

  • The checks field lists the checks and their severity levels. Since it is desirable to get an alert when an image is pulled from an untrusted source, we set the level here to danger.
  • The checkImageRepo check itself is then registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit with the YAML manifest to be validated.

Let's check our base-valid.yaml manifest:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command ran only the custom check defined above, and it failed.

If you change the image to my-company.com/http-echo:1.0, Polaris will report success. The manifest with this change is already in the repository, so you can rerun the previous command against the image-valid-mycompany.yaml manifest.

Now the question arises: how do you run the built-in checks together with the custom ones? Easy! You just add the identifiers of the built-in checks to the config file. The result looks like this:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(config_with_custom_check.yaml)

An example of the complete config file is available here.

To check the base-valid.yaml manifest with both the built-in and the custom checks, you can use the command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris complements the built-in checks with the custom ones, thus combining the best of both worlds.
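To make the mechanics of the checkImageRepo check and of the checks/customChecks split concrete, here is an added illustration in Python (not Polaris's own code): it holds the page's config as a dict so it runs without a YAML library, walks the containers of a Pod or controller manifest, and applies a minimal JSON Schema subset (object/properties, string/pattern). The base-valid.yaml stand-in and the hashicorp/http-echo image are constructed for this example.

```python
import re

# Constructed dict form of the page's custom_check.yaml, so this runs without a
# YAML library; an added illustration, not Polaris's own code.
POLARIS_CONFIG = {
    "checks": {"checkImageRepo": "danger"},
    "customChecks": {"checkImageRepo": {
        "successMessage": "Image registry is valid",
        "failureMessage": "Image registry is not valid",
        "category": "Images", "target": "Container",
        "schema": {"type": "object", "properties": {
            "image": {"type": "string", "pattern": r"^my-company.com/.+$"}}},
    }},
}
# Constructed stand-in for base-valid.yaml: a Deployment pulling a public image.
BASE_VALID = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "http-echo", "image": "hashicorp/http-echo"}]}}}}

def containers_of(manifest):
    """Container specs of a Pod, or of a controller's pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec.get("containers", [])
    return spec.get("template", {}).get("spec", {}).get("containers", [])

def matches_schema(obj, schema):
    """Minimal JSON Schema subset: object/properties and string/pattern.
    'pattern' is a regex search, so only the ^...$ anchors make it strict."""
    if schema.get("type") == "object":
        return all(matches_schema(obj[k], sub)
                   for k, sub in schema.get("properties", {}).items() if k in obj)
    if schema.get("type") == "string":
        return isinstance(obj, str) and ("pattern" not in schema
                                         or re.search(schema["pattern"], obj) is not None)
    return True

def audit(manifest, config=POLARIS_CONFIG):
    """Run each check listed under `checks` on every container; a check absent
    from `checks` never runs. Returns (check, container, level, message)."""
    results = []
    for check_id, severity in config["checks"].items():
        check = config["customChecks"].get(check_id)
        if check is None or check["target"] != "Container":
            continue  # built-in checks are not modelled in this illustration
        for c in containers_of(manifest):
            ok = matches_schema(c, check["schema"])
            results.append((check_id, c["name"], "success" if ok else severity,
                            check["successMessage" if ok else "failureMessage"]))
    return results
```

Note that the page's pattern leaves the dot in my-company.com unescaped, so it also accepts registries such as my-companyXcom; escape it as my-company\.com if the check is meant to be exact.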

On the other hand, not being able to use more powerful languages such as Rego or JavaScript can hold back the creation of more sophisticated checks.

More information about Polaris is available on the project website.

Summary

Although many tools are available for checking and assessing Kubernetes YAML files, it is important to have a clear picture of how the checks are designed and executed.

For example, if you pass Kubernetes manifests through a pipeline, kubeval could be the first step in that pipeline. It checks whether the object definitions conform to the Kubernetes API schema.

Once that check is complete, one can move on to more sophisticated checks, such as compliance with best practices and specific policies. This is where kube-score and Polaris come in handy.

For those with complex requirements who need to customise checks in detail, copper, config-lint and conftest are a good fit.

Conftest and config-lint use YAML to define custom checks, while copper gives you access to a full programming language, which makes it quite attractive.

On the other hand, is it better to use one of these tools, and therefore write every check by hand, or to take Polaris and add only what is needed? There is no clear answer to this question.

The table below gives a brief description of each tool:

| Tool        | Description | Limitations | Custom checks |
|-------------|-------------|-------------|---------------|
| kubeval     | Validates YAML manifests against a specific version of the API schema | Cannot work with CRDs | No |
| kube-score  | Analyses YAML manifests against best practices | Cannot choose the Kubernetes API version to check resources against | No |
| copper      | A generic framework for writing JavaScript checks for YAML manifests | No built-in checks. Documentation is decent | Yes |
| config-lint | A generic framework for writing checks in a domain-specific language embedded in YAML. Supports other configuration formats (e.g. Terraform) | No built-in checks. Built-in assertions and operations may not be sufficient | Yes |
| conftest    | A framework for writing your own checks using Rego (a specialised query language). Allows sharing policies as OCI bundles | No built-in checks. Need to learn Rego. Docker Hub is not supported when publishing policies | Yes |
| Polaris     | Checks YAML manifests against best practices. You can write your own checks using JSON Schema | Check capabilities based on JSON Schema may not be sufficient | Yes |

Since these tools do not depend on access to a Kubernetes cluster, they are easy to set up. You can use them to lint source files and give quick feedback to pull request authors in your projects.

Source: will.com
