Validating Kubernetes YAML against best practices and policies

Translator's note: With the growing number of YAML configurations for K8s, the need to validate them is becoming increasingly pressing. The author of this review not only selected the existing solutions for this task, but also used a Deployment as an example to see how they work. It turned out to be very informative for those interested in the topic.

TL;DR: This article compares six static tools for validating and evaluating Kubernetes YAML files against best practices and requirements.

Kubernetes workloads are most often defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between manifest files.

What if we want to make sure that every image deployed to the cluster comes from a trusted registry?

How can we prevent Deployments that have no PodDisruptionBudget from being deployed to the cluster?

Integrating static testing lets you detect errors and policy violations at the development stage. This raises confidence that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.

The ecosystem of static checkers for Kubernetes YAML files can be divided into the following categories:

  • API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
  • Ready-made testers. Tools in this category come with prepared tests for security, compliance with best practices, and so on.
  • Custom validators. Tools in this group let you write custom tests in various languages, for example Rego and JavaScript.

In this article we describe and compare six tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. polaris.

Well, let's get started!

Checking Deployments

Before we start comparing the tools, let's create a baseline to test them on.

The manifest below contains several errors and deviations from best practices: how many can you find?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the different tools.

The base-valid.yaml manifest above and the other manifests from this article can be found in the Git repository.

The manifest describes a web application whose main job is to respond with a "Hello World" message on port 5678. It can be deployed with the following command:

kubectl apply -f hello-world.yaml

Then check the service:

kubectl port-forward svc/http-echo 8080:5678

Now go to http://localhost:8080 and confirm that the application is working. But does it follow best practices? Let's find out.

1. Kubeval

The idea at the heart of kubeval is that every interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are available on the project website.

At the time the original article was written, version 0.15.0 was current.

Once it is installed, let's feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

If everything is fine, kubeval exits with exit code 0. You can check it like this:

$ echo $?
0

Now let's try kubeval with a different manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the return code
$ echo $?
1

The resource fails validation.

A Deployment using the apps/v1 API version must include a selector that matches the pod template's labels. The manifest above does not include the selector, so kubeval reported an error and exited with a non-zero code.

I wonder what would happen if I ran kubectl apply -f with this manifest?

Well, let's try:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding the selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of tools like kubeval is that errors like this can be caught early in the deployment cycle.

Moreover, these checks do not require access to a cluster; they can be performed offline.
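
The selector rule just described, as an added example in JavaScript (not kubeval's code): it reproduces the schema-level check that kubeval performs (spec.selector is required for an apps/v1 Deployment) and adds the semantic check the API server applies but an OpenAPI schema cannot express (every matchLabels entry must also appear in the pod template's labels). The manifests are embedded as constructed objects, and the checkDeploymentSelector and lintDocuments names are my own.

```javascript
// Added example (not part of kubeval): a structural check for apps/v1 Deployments.
// Two rules are implemented:
//   1. spec.selector.matchLabels is required (the schema rule kubeval enforces);
//   2. every matchLabels entry must appear in spec.template.metadata.labels
//      (the API server rejects a mismatch, but a schema check alone cannot see it).

function get(obj, path) {
  // Safe nested lookup: get(o, 'spec.template.metadata.labels') or undefined.
  return path.split('.').reduce(function (cur, key) {
    return cur !== null && typeof cur === 'object' ? cur[key] : undefined;
  }, obj);
}

function checkDeploymentSelector(doc) {
  var findings = [];
  if (doc.kind !== 'Deployment' || doc.apiVersion !== 'apps/v1') {
    return findings; // the rule only applies to apps/v1 Deployments
  }
  var name = get(doc, 'metadata.name') || '<unnamed>';
  var matchLabels = get(doc, 'spec.selector.matchLabels');
  if (!matchLabels || typeof matchLabels !== 'object') {
    findings.push({ severity: 'ERROR', resource: name, message: 'selector: selector is required' });
    return findings;
  }
  var templateLabels = get(doc, 'spec.template.metadata.labels') || {};
  Object.keys(matchLabels).forEach(function (key) {
    if (templateLabels[key] !== matchLabels[key]) {
      findings.push({
        severity: 'ERROR',
        resource: name,
        message: 'selector ' + key + '=' + matchLabels[key] + ' does not match template labels'
      });
    }
  });
  return findings;
}

// Runs the check over a list of already parsed documents (a YAML parser is assumed
// to have produced them; here they are constructed inline so the example runs offline).
function lintDocuments(docs) {
  return docs.reduce(function (acc, doc) { return acc.concat(checkDeploymentSelector(doc)); }, []);
}

// Constructed: the Deployment from kubeval-invalid.yaml (selector missing).
var deploymentWithoutSelector = {
  apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
  spec: { replicas: 2, template: { metadata: { labels: { app: 'http-echo' } },
          spec: { containers: [{ name: 'http-echo', image: 'hashicorp/http-echo' }] } } }
};
// Constructed: the corrected Deployment from base-valid.yaml.
var deploymentValid = {
  apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
  spec: { replicas: 2, selector: { matchLabels: { app: 'http-echo' } },
          template: { metadata: { labels: { app: 'http-echo' } },
          spec: { containers: [{ name: 'http-echo', image: 'hashicorp/http-echo' }] } } }
};
// Constructed: a selector that is present but does not match the template
// (valid against the schema, rejected by the API server).
var deploymentMismatch = {
  apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
  spec: { replicas: 2, selector: { matchLabels: { app: 'http-echo', tier: 'web' } },
          template: { metadata: { labels: { app: 'http-echo' } },
          spec: { containers: [{ name: 'http-echo', image: 'hashicorp/http-echo' }] } } }
};
// Constructed: the Service from the same file; the rule ignores it.
var service = { apiVersion: 'v1', kind: 'Service', metadata: { name: 'http-echo' },
                spec: { ports: [{ port: 5678 }], selector: { app: 'http-echo' } } };

if (typeof require !== 'undefined' && require.main === module) {
  lintDocuments([deploymentWithoutSelector, deploymentMismatch, service]).forEach(function (f) {
    console.log(f.severity + ' - ' + f.resource + ': ' + f.message);
  });
}
```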

By default, kubeval checks resources against the latest Kubernetes API schema. In most cases, however, you will need to check against a specific Kubernetes release. This can be done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be specified in Major.Minor.Patch format.

For the list of versions against which validation is supported, see the JSON schemas on GitHub that kubeval uses for validation. If you need to run kubeval offline, download the schemas and point to their location with the --schema-location flag.

Besides individual YAML files, kubeval can also work with directories and stdin.

In addition, kubeval integrates easily into a CI pipeline. Those who want to run tests before pushing manifests to the cluster will be pleased to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be used to further parse the output and build a summary of the results in the form you want.

One drawback of kubeval is that it currently cannot check compliance with Custom Resource Definitions (CRDs). However, it is possible to configure kubeval to ignore them.

Kubeval is an excellent tool for checking and evaluating resources; it should be stressed, however, that passing its test does not guarantee that the resource complies with best practices.

For example, using the latest tag on a container image does not follow best practices. Yet kubeval does not consider this an error and does not report it. In other words, validation of such a YAML completes without warnings.

But what if you want to evaluate the YAML and detect violations such as the latest tag? How do you check a YAML file against best practices?

2. Kube-score

Kube-score analyzes YAML manifests and evaluates them against built-in tests. These tests are chosen based on security guidelines and best practices, such as:

  • Running the container as a non-root user.
  • Presence of pod health checks.
  • Setting resource requests and limits.

Based on the test results, one of three outcomes is given: OK, WARNING and CRITICAL.

You can try kube-score online or install it locally.

At the time the original article was written, the latest version of kube-score was 1.7.0.

Let's run it on our base-valid.yaml manifest:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passes the kubeval tests, but kube-score points out the following shortcomings:

  • Readiness checks are not configured.
  • No requests or limits for CPU and memory.
  • Pod Disruption Budgets are not specified.
  • No anti-affinity rules to increase availability.
  • The container runs as root.

These are all valid points about flaws that need to be addressed for the Deployment to be efficient and reliable.

The kube-score command displays the information in a human-readable form, including all WARNING and CRITICAL violations, which is very helpful during development.

Those who want to use the tool inside a CI pipeline can enable a more compact output with the --output-format ci flag (in this case, tests with an OK result are shown as well):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Like kubeval, kube-score returns a non-zero exit code when a test fails with CRITICAL. You can also enable the same handling for WARNING.

In addition, resources can be checked for compliance with different API versions (as in kubeval). However, this information is hard-coded into kube-score itself: you cannot choose a specific Kubernetes version. This can be a serious limitation if you plan to upgrade your cluster or if you have several clusters with different K8s versions.

Note that there is already an issue proposing to implement this capability.

More information about kube-score can be found on the project website.

The kube-score tests are a great tool for enforcing best practices, but what if you need to modify a test or add your own rules? Unfortunately, this is not possible.

Kube-score is not extensible: you cannot add policies to it or customize them.

If you want to write tests that check compliance with corporate policies, you can use one of the following four tools: config-lint, copper, conftest or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files and Kubernetes manifests.

You can install it using the instructions on the project website.

The latest release at the time the original article was written is 1.5.0.

Config-lint has no built-in tests for validating Kubernetes manifests.

To run any tests, you have to create the appropriate rules. They are written in YAML files called "rulesets" and have the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's take a closer look:

  • The type field specifies which kind of configuration config-lint will check. For K8s manifests it is always Kubernetes.
  • In the files field, besides individual files, you can specify a directory.
  • The rules field is where the custom tests are defined.

Suppose you want to make sure that images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. A config-lint rule that performs such a check would look like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Each rule must have the following attributes:

  • id - a unique rule identifier;
  • severity - one of FAILURE, WARNING and NON_COMPLIANT;
  • message - the text shown when the rule is violated;
  • resource - the resource type the rule applies to;
  • assertions - a list of conditions that are evaluated against the selected resources.

In the rule above, the assertion named every checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (i.e. images starting with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To run the test, save it as check_image_repo.yaml. Now let's run the check on base-valid.yaml:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check fails. Now let's look at the following manifest with the correct image repository:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

We run the same test on the manifest above. No problems are found:

$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]

Config-lint is a promising framework that lets you write your own tests for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic and tests? Isn't YAML too limited for that? What if you could write tests in a full-fledged programming language?

4. Copper

Copper V2 is a framework for validating manifests with custom tests (similar to config-lint).

However, it differs from the latter in that it does not use YAML to describe the tests. Tests are written in JavaScript instead. Copper provides a library with several basic helpers that let you read information about Kubernetes objects and report errors.

Installation steps for Copper can be found in the official documentation.

2.0.1 is the latest release of the tool at the time the original article was written.

Like config-lint, Copper has no built-in tests. Let's write one. It will check that Deployments use container images exclusively from trusted repositories such as my-company.com.

Create a file check_image_repo.js with the following content:

// $$ holds every object from the input YAML; look at each Deployment
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        // inspect every container in the pod template
        $.spec.template.spec.containers.forEach(function(container) {
            // DockerImage splits the reference into registry, name and tag
            var image = new DockerImage(container.image);
            // report a violation unless the registry is the company one
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});

Now, to check our base-valid.yaml manifest, use the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_tag.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Clearly, copper lets you run more complex tests, for example checking domain names in Ingress manifests or rejecting pods that run in privileged mode.

Copper has a number of built-in helpers:

  • DockerImage reads the specified file and creates an object with the following attributes:
    • name - the image name,
    • tag - the image tag,
    • registry - the image registry,
    • registry_url - the protocol (https://) and the image registry,
    • fqin - the fully qualified image name.
  • The findByName function finds a resource of a given type (kind) and name (name) in the input file.
  • The findByLabels function finds a resource of a given type (kind) and labels (labels).

You can see all the available functions here.

By default it loads the entire input YAML file into the $$ variable and makes it available to the script (a familiar approach for anyone with jQuery experience).

The main advantage of Copper is obvious: you do not need to learn a special language, and you can use all the JavaScript features to build your tests, such as string interpolation, functions, and so on.

Note also that the current version of Copper runs on an ES5 JavaScript engine, not ES6.
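
The same trusted-registry rule as an added stand-alone example (not Copper's own code): it reimplements the DockerImage fields listed above in a parseImageRef function and runs the check over the page's two Deployments, embedded as constructed objects. It is written in ES5 style, which also runs on Copper's engine; the TRUSTED_REGISTRY, parseImageRef and checkContainerImages names are assumptions, and the second rule goes beyond the page's check by also flagging images without a fixed tag, which kube-score reports.

```javascript
// Added example (not Copper's code): the no_company_repo rule in plain ES5 JavaScript,
// without Copper's $$, DockerImage and errors objects.
// parseImageRef() reproduces the registry/name/tag/fqin fields of DockerImage using the
// reference rules of the Docker distribution library: the first path component is the
// registry only if it contains '.' or ':' or is 'localhost'; otherwise docker.io is implied
// and single-name images live under library/.

var TRUSTED_REGISTRY = 'my-company.com'; // assumed corporate registry, as in the page's checks

function parseImageRef(ref) {
  var digest = null, tag = null, rest = ref;
  var at = rest.indexOf('@');
  if (at !== -1) {                       // image@sha256:... pins a digest; it has no tag
    digest = rest.slice(at + 1);
    rest = rest.slice(0, at);
  }
  var registry = 'docker.io';
  var firstSlash = rest.indexOf('/');
  if (firstSlash !== -1) {
    var first = rest.slice(0, firstSlash);
    if (first.indexOf('.') !== -1 || first.indexOf(':') !== -1 || first === 'localhost') {
      registry = first;
      rest = rest.slice(firstSlash + 1);
    }
  }
  // a ':' after the last '/' separates the tag (a ':' in the registry is its port)
  var colon = rest.indexOf(':', rest.lastIndexOf('/') + 1);
  if (colon !== -1) {
    tag = rest.slice(colon + 1);
    rest = rest.slice(0, colon);
  }
  if (registry === 'docker.io' && rest.indexOf('/') === -1) {
    rest = 'library/' + rest;            // official images: nginx -> library/nginx
  }
  return {
    registry: registry,
    name: rest,
    tag: tag,
    digest: digest,
    fqin: registry + '/' + rest + (tag ? ':' + tag : '') + (digest ? '@' + digest : '')
  };
}

// Returns one finding per violated rule for every container of a Deployment.
// Rule 1 is the page's no_company_repo check; rule 2 is kube-score's "Image with latest tag"
// check, which the parsed tag/digest fields make possible from the same reference.
function checkContainerImages(doc) {
  var findings = [];
  if (doc.kind !== 'Deployment') return findings;
  var containers = (((doc.spec || {}).template || {}).spec || {}).containers || [];
  containers.forEach(function (container) {
    var image = parseImageRef(container.image);
    if (image.registry !== TRUSTED_REGISTRY) {   // exact registry match, not a string prefix
      findings.push({ check: 'no_company_repo', severity: 1, container: container.name,
        message: 'Image ' + image.fqin + ' is not from ' + TRUSTED_REGISTRY + ' repo' });
    }
    if (image.digest === null && (image.tag === null || image.tag === 'latest')) {
      findings.push({ check: 'image_tag', severity: 1, container: container.name,
        message: 'Image ' + image.fqin + ' uses a floating tag (' + (image.tag || 'none') + ')' });
    }
  });
  return findings;
}

// Constructed inputs: the Deployments from base-valid.yaml and image-valid-mycompany.yaml.
var untrustedDeployment = {
  apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
  spec: { template: { spec: { containers: [{ name: 'http-echo', image: 'hashicorp/http-echo' }] } } }
};
var trustedDeployment = {
  apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
  spec: { template: { spec: { containers: [{ name: 'http-echo', image: 'my-company.com/http-echo:1.0' }] } } }
};

if (typeof require !== 'undefined' && require.main === module) {
  [untrustedDeployment, trustedDeployment].forEach(function (doc) {
    checkContainerImages(doc).forEach(function (f) {
      console.log('Check ' + f.check + ' failed with severity ' + f.severity + ' due to ' + f.message);
    });
  });
}
```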

More details are available on the official project website.

However, if you are not a fan of JavaScript and prefer a language designed specifically for writing queries and describing policies, you should take a look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing/validating Kubernetes manifests. Tests are described using the special query language Rego.

You can install conftest using the instructions on the project website.

At the time the original article was written, the latest version was 0.18.2.

Like config-lint and copper, conftest comes without built-in tests. Let's try it out and write our own policy. As in the previous examples, we will check whether the container images come from a trusted source.

Create a directory conftest-checks, and inside it a file named check_image_registry.rego with the following content:

package main

deny[msg] {

  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's test base-valid.yaml with conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

The test failed because the images come from an untrusted source.

In the Rego file we define a deny block. Its being true is treated as a violation. If there are several deny blocks, conftest checks them independently of each other, and each block that is true counts as a violation.

Besides the default output, conftest supports JSON, TAP and table formats, a very useful feature if you want to integrate the reports into an existing CI pipeline. You can select the desired format with the --output flag.

To make policy debugging easier, conftest has a --trace flag. It shows a trace of how conftest parses the specified policy files.

Conftest policies can be published and shared in OCI (Open Container Initiative) registries as artifacts.

The push and pull commands let you publish an artifact or retrieve an existing one from a remote registry. Let's try publishing the policy we created to a local Docker registry with conftest push.

Start your local Docker registry:

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory you created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run the conftest pull command in it. It will download the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file appears in the temporary directory:

$ tree
.
└── policy
  └── check_image_registry.rego

Tests can be run directly from the registry:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, DockerHub is not supported yet. So consider yourself lucky if you use Azure Container Registry (ACR) or your own registry.

The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to run tests from existing OPA bundles.

You can learn more about sharing policies and the other features of conftest on the official project website.

6. Polaris

The last tool we will discuss in this article is Polaris. (We have already translated its announcement from last year - translator's note.)

Polaris can be installed in the cluster or used in command-line mode. As you might guess, it lets you statically analyze Kubernetes manifests.

When run from the command line, built-in tests are available covering areas such as security and best practices (similar to kube-score). In addition, you can create your own tests (as in config-lint, copper and conftest).

In other words, Polaris combines the advantages of both categories of tools: it has built-in tests as well as custom ones.

To install Polaris in command-line mode, use the instructions on the project website.

At the time the original article was written, version 1.0.3 was available.

Once installation is complete, you can run polaris on the base-valid.yaml manifest with the following command:

$ polaris audit --audit-path base-valid.yaml

It outputs a string in JSON format with a detailed description of the tests performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris identifies problems in areas where the manifest does not meet best practices:

  • No pod health checks.
  • Container image tags are not specified.
  • The container runs as root.
  • Memory and CPU requests and limits are not specified.

Each test, depending on its result, is assigned a severity level: warning or danger. To learn more about the available tests, see the documentation.

If the details are not needed, you can specify the --format score flag. In this case Polaris outputs a number from 1 to 100, the score (i.e. the rating):

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the level of compliance. If you check the exit code of the polaris audit command, it turns out to be 0.

You can make polaris audit exit with a non-zero code using two flags:

  • The --set-exit-code-below-score flag takes a threshold value in the range 1-100 as its argument. In this case the command exits with exit code 4 if the score is below the threshold. This is useful when you have a certain threshold (say 75) and need to be alerted if the score drops below it.
  • The --set-exit-code-on-danger flag makes the command fail with exit code 3 if any of the danger tests fails.

Now let's try to create a custom test that checks whether the image comes from a trusted repository. Custom tests are specified in YAML format, and the test itself is described using JSON Schema.

The following YAML snippet describes a new test called checkImageRepo:

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$

Let's look at it more closely:

  • successMessage - the line printed if the test passes;
  • failureMessage - the message displayed if it fails;
  • category - one of the categories: Images, Health Checks, Security, Networking and Resources;
  • target - determines which type of object (spec) the test applies to. Possible values: Container, Pod or Controller;
  • The test itself is specified in the schema object using JSON Schema. The key word in this test is pattern, which is used to compare the image source with the required one.

To run the test above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(polaris-conf.yaml)

Let's go through this file:

  • The checks field lists the tests and their severity level. Since we want to be alerted when an image comes from an untrusted source, we set the level to danger here.
  • The checkImageRepo test itself is then registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit with the YAML manifest that needs validation.

Let's test our base-valid.yaml manifest:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command ran only the custom test specified above, and it failed.

If you fix the image to my-company.com/http-echo:1.0, Polaris will finish successfully. The manifest with this change is already in the repository, so you can check the previous command on the image-valid-mycompany.yaml manifest.

Now the question arises: how do you run the built-in tests together with custom ones? Easy! You just need to add the identifiers of the built-in tests to the configuration file. As a result, it takes the following form:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(config_with_custom_check.yaml)

An example of the full configuration file is available here.

To check the base-valid.yaml manifest with both the built-in and the custom tests, you can use the following command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris complements the built-in tests with custom ones, thus combining the best of both worlds.

On the other hand, the inability to use more powerful languages such as Rego or JavaScript can be a limiting factor that prevents more sophisticated tests.

More information about Polaris is available on the project website.

Summary

Although there are many tools for checking and evaluating Kubernetes YAML files, it is important to have a clear idea of how the tests will be designed and executed.

For example, if you take Kubernetes manifests passing through a pipeline, kubeval could be the first step of such a pipeline. It would check whether the object definitions conform to the Kubernetes API schema.

Once that check is complete, you can move on to more sophisticated tests, such as compliance with standard best practices and specific policies. This is where kube-score and Polaris can come in handy.

For those with complex requirements who need to customize tests in detail, copper, config-lint and conftest would be suitable.

Conftest and config-lint use YAML to define tests, while copper gives you a full-fledged language, which makes it an attractive choice.

On the other hand, is it worth using one of these tools and therefore writing all the tests by hand, or choosing Polaris and adding only what is needed to it? There is no clear answer to this question.

The table below summarizes each tool:

Tool        | Purpose                                                                                                                               | Limitations                                                                                    | Custom tests
------------|---------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|-------------
kubeval     | Validates YAML manifests against a specific version of the API schema                                                                 | Cannot work with CRDs                                                                          | No
kube-score  | Analyzes YAML manifests against best practices                                                                                        | You cannot choose the Kubernetes API version against which resources are checked               | No
copper      | A framework for writing custom JavaScript tests for YAML manifests                                                                    | No built-in tests. Poor documentation                                                          | Yes
config-lint | A framework for writing tests in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform) | No ready-made tests. The built-in assertions and functions may not be sufficient               | Yes
conftest    | A framework for writing your own tests in Rego (a special language). Allows sharing policies via OCI bundles                           | No built-in tests. You need to learn Rego. Docker Hub is not supported for publishing policies | Yes
Polaris     | Checks YAML manifests against best practices. Lets you write your own tests using JSON Schema                                         | Tests based on JSON Schema may be insufficient                                                 | Yes

Since these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you filter source files and give quick feedback to the authors of pull requests in projects.


Source: www.habr.com
