Validating Kubernetes YAML against best practices and policies
Translator's note: With the growing number of YAML configurations for K8s, the need to validate them is becoming ever more pressing. The author of this article not only surveys the existing tools for this task but also uses a Deployment as an example to see how each of them behaves. It turned out to be very informative for anyone interested in the topic.
TL;DR: This article compares six static tools for validating and evaluating Kubernetes YAML files against best practices and requirements.
Most Kubernetes workloads are defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between manifest files.
What if we want to make sure that every image deployed to the cluster comes from a trusted registry?
We will use the following YAML to compare the different tools.
The manifest above, base-valid.yaml, and the other manifests used in this article can be found in the Git repository.
The manifest describes a web application whose only job is to respond with a "Hello World" message on port 5678. It can be deployed with the following command:
kubectl apply -f hello-world.yaml
Then check the service:
kubectl port-forward svc/http-echo 8080:5678
Now open http://localhost:8080 and verify that the application works. But does it follow best practices? Let's find out.
1. kubeval
The idea at the heart of kubeval is that every interaction with Kubernetes goes through its REST API. In other words, the API schema can be used to check whether a given YAML conforms to it. Let's look at an example.
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# check the exit code
$ echo $?
1
The resource fails validation.
A Deployment that uses the apps/v1 API version must include a selector that matches the pod template labels. The manifest above does not include a selector, so kubeval reports an error and exits with a non-zero code.
What would happen if we ran kubectl apply -f with this manifest?
Well, let's try:
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false
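The structural rule kubeval (and kubectl's client-side validation) enforced above, reimplemented as an added example that is not part of the original article or of kubeval itself. It checks an apps/v1 Deployment for the required spec.selector and, going one step further than the article, also checks that the selector actually matches the pod template labels, which the API server rejects as well. The manifest is a constructed stand-in for kubeval-invalid.yaml (its exact content is assumed) and is embedded as JSON, which Kubernetes accepts as a manifest format, so no YAML library is needed.

```python
"""kubeval-style structural validation of an apps/v1 Deployment (added example)."""
import copy
import json
import sys

# Constructed stand-in for kubeval-invalid.yaml: an apps/v1 Deployment whose
# spec has no selector. Everything else about the manifest is assumed.
INVALID_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "http-echo"},
  "spec": {
    "replicas": 2,
    "template": {
      "metadata": {"labels": {"app": "http-echo"}},
      "spec": {"containers": [{"name": "http-echo", "image": "hashicorp/http-echo"}]}
    }
  }
}
""")


def validate_deployment(manifest):
    """Return a list of error strings; an empty list means the Deployment is valid."""
    errors = []
    if manifest.get("apiVersion") != "apps/v1" or manifest.get("kind") != "Deployment":
        return ["not an apps/v1 Deployment"]
    spec = manifest.get("spec") or {}
    template = spec.get("template") or {}
    if not template:
        errors.append("spec.template is required")
    selector = spec.get("selector")
    if not selector or not selector.get("matchLabels"):
        # This is the error kubeval and kubectl reported for kubeval-invalid.yaml.
        errors.append("spec.selector with matchLabels is required in apps/v1")
    else:
        # The API server also rejects a selector that does not match the pod labels.
        pod_labels = (template.get("metadata") or {}).get("labels") or {}
        mismatched = {k: v for k, v in selector["matchLabels"].items()
                      if pod_labels.get(k) != v}
        if mismatched:
            errors.append("spec.selector.matchLabels %r does not match template labels %r"
                          % (mismatched, pod_labels))
    containers = (template.get("spec") or {}).get("containers") or []
    if not containers:
        errors.append("spec.template.spec.containers must have at least one container")
    for c in containers:
        for field in ("name", "image"):
            if not c.get(field):
                errors.append("container is missing required field %r" % field)
    return errors


def fixed(manifest):
    """Return a copy with a selector matching the pod labels, the fix kubeval asked for."""
    out = copy.deepcopy(manifest)
    labels = out["spec"]["template"]["metadata"]["labels"]
    out["spec"]["selector"] = {"matchLabels": dict(labels)}
    return out


def main():
    for label, m in (("invalid", INVALID_DEPLOYMENT), ("fixed", fixed(INVALID_DEPLOYMENT))):
        errs = validate_deployment(m)
        status = "PASS" if not errs else "WARN"
        print("%s - %s Deployment (%s)%s"
              % (status, label, m["metadata"]["name"], "".join(" - " + e for e in errs)))
    # Like kubeval, exit non-zero so a CI job fails on an invalid manifest.
    sys.exit(1 if validate_deployment(INVALID_DEPLOYMENT) else 0)


if __name__ == "__main__":
    main()
```

The non-zero exit code is the part that matters in CI: a pipeline step that merely prints warnings is easy to ignore, one that fails the job is not.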
$ kube-score score base-valid.yaml
apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
· http-echo -> Image with latest tag
Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
· The pod does not have a matching network policy
Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
· Container is missing a readinessProbe
A readinessProbe should be used to indicate when the service is ready to receive traffic.
Without it, the Pod is risking to receive traffic before it has booted. It is also used during
rollouts, and can prevent downtime if a new version of the application is failing.
More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
· http-echo -> Container has no configured security context
Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
· http-echo -> CPU limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
· http-echo -> Memory limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
· http-echo -> CPU request is not set
Resource requests are recommended to make sure that the application can start and run without
crashing. Set resources.requests.cpu
· http-echo -> Memory request is not set
Resource requests are recommended to make sure that the application can start and run without crashing.
Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
· No matching PodDisruptionBudget was found
It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
· Deployment does not have a host podAntiAffinity set
It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
being scheduled on the same node. This increases availability in case the node becomes unavailable.
The YAML passes the kubeval checks, yet kube-score points out the following shortcomings:
Readiness probes are not configured.
No requests or limits are set for CPU and memory.
kube-score presents its findings in a human-readable form, including every violation of the WARNING and CRITICAL levels, which is very helpful during development.
Those who want to use the tool in a CI pipeline can get more compact output with the --output-format ci flag (in this mode, checks with an OK result are also shown):
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
Like kubeval, kube-score returns a non-zero exit code when a CRITICAL check fails. The same handling can be enabled for WARNING as well (with the --exit-one-on-warning flag).
In addition, resources can be checked for compatibility with different API versions (as with kubeval). However, this information is hard-coded into kube-score itself: there is no way to select a specific Kubernetes version. This can be a real problem if you plan to upgrade your cluster or if you run several clusters with different K8s versions.
Note that there is already an issue proposing to implement this feature.
More information about kube-score is available on its website.
The kube-score checks are a great tool for enforcing best practices, but what if you want to modify the checks or add rules of your own? Alas, that is not possible.
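To make the kube-score findings above concrete, here is an added example (not code from the article or from kube-score) that reimplements the pod-template checks kube-score flagged on base-valid.yaml: unpinned image tag, missing readinessProbe, missing securityContext, missing CPU/memory requests and limits, and missing podAntiAffinity. The NetworkPolicy and PodDisruptionBudget checks need the other cluster objects and are left out. The Deployment is a constructed stand-in for base-valid.yaml (its exact content is assumed) embedded as JSON, and harden() shows what the manifest has to gain for the same checks to pass; the pinned tag 0.2.3 and the resource values are assumptions.

```python
"""kube-score-style best-practice checks on an apps/v1 Deployment (added example)."""
import copy
import json

CRITICAL, WARNING = "CRITICAL", "WARNING"

# Constructed stand-in for base-valid.yaml: no tag, no probe, no securityContext,
# no resources, no anti-affinity. The real file's content is assumed.
BASE_VALID = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "http-echo"},
 "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "http-echo"}},
  "template": {"metadata": {"labels": {"app": "http-echo"}},
   "spec": {"containers": [{"name": "http-echo", "image": "hashicorp/http-echo",
                            "args": ["-text", "hello-world"],
                            "ports": [{"containerPort": 5678}]}]}}}}
""")


def image_tag(image):
    """Tag of an image reference, or None when absent; a digest counts as pinned."""
    if "@" in image:
        return image.split("@", 1)[1]
    last = image.rsplit("/", 1)[-1]          # ignore ':' inside a registry:port prefix
    return last.split(":", 1)[1] if ":" in last else None


def score_deployment(dep):
    """Return (severity, message) findings in the wording of kube-score's CI output."""
    findings = []
    pod = dep["spec"]["template"]["spec"]
    for c in pod.get("containers", []):
        tag = image_tag(c["image"])
        if tag is None or tag == "latest":
            findings.append((CRITICAL, "(%s) Image with latest tag" % c["name"]))
        if "readinessProbe" not in c:
            findings.append((CRITICAL, "Container is missing a readinessProbe"))
        if "securityContext" not in c:
            findings.append((CRITICAL, "(%s) Container has no configured security context" % c["name"]))
        res = c.get("resources", {})
        for kind in ("limits", "requests"):
            for r, label in (("cpu", "CPU"), ("memory", "Memory")):
                if r not in res.get(kind, {}):
                    findings.append((CRITICAL, "(%s) %s %s is not set" % (c["name"], label, kind[:-1])))
    if not pod.get("affinity", {}).get("podAntiAffinity"):
        findings.append((WARNING, "Deployment does not have a host podAntiAffinity set"))
    return findings


def exit_code(findings, exit_one_on_warning=False):
    """1 when any CRITICAL finding exists (or any WARNING, when asked), else 0."""
    levels = {CRITICAL} | ({WARNING} if exit_one_on_warning else set())
    return 1 if any(sev in levels for sev, _ in findings) else 0


def harden(dep):
    """Return a copy of dep with the fixes the findings ask for (values are assumed)."""
    out = copy.deepcopy(dep)
    pod = out["spec"]["template"]["spec"]
    for c in pod["containers"]:
        if image_tag(c["image"]) in (None, "latest"):
            base = c["image"][:-len(":latest")] if c["image"].endswith(":latest") else c["image"]
            c["image"] = base + ":0.2.3"      # assumed pinned tag
        c.setdefault("readinessProbe", {"httpGet": {"path": "/", "port": 5678},
                                        "initialDelaySeconds": 2})
        c.setdefault("securityContext", {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                                         "allowPrivilegeEscalation": False,
                                         "capabilities": {"drop": ["ALL"]}})
        c.setdefault("resources", {"requests": {"cpu": "50m", "memory": "32Mi"},
                                   "limits": {"cpu": "200m", "memory": "64Mi"}})
    pod["affinity"] = {"podAntiAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": [
        {"labelSelector": {"matchLabels": {"app": "http-echo"}},
         "topologyKey": "kubernetes.io/hostname"}]}}
    return out


def ci_report(dep):
    """Lines in the shape of kube-score's --output-format ci."""
    name = "%s %s/%s" % (dep["metadata"]["name"], dep["apiVersion"], dep["kind"])
    return ["[%s] %s: %s" % (sev, name, msg) for sev, msg in score_deployment(dep)] or ["[OK] " + name]


if __name__ == "__main__":
    for d in (BASE_VALID, harden(BASE_VALID)):
        print("\n".join(ci_report(d)))
        print("exit code:", exit_code(score_deployment(d)))
```

The securityContext chosen in harden() is the one a reviewer would expect as a baseline (non-root, read-only root filesystem, no privilege escalation, all capabilities dropped); kube-score only checks that a securityContext is present, so the contents are the practitioner's responsibility.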
// copper validator: every container image of every Deployment must come
// from the my-company.com registry. $$ holds all documents of the input YAML.
$$.forEach(function($) {
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            // DockerImage splits the reference into name, tag, registry, ...
            var image = new DockerImage(container.image);
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                // check name, message, severity (1 = failure)
                errors.add_error('no_company_repo', "Image " + $.metadata.name + " is not from my-company.com repo", 1);
            }
        });
    }
});
$ copper validate --in=base-valid.yaml --validator=check_image_tag.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed
Obviously, copper makes much more complex checks possible, for example validating the domain names in Ingress manifests or rejecting pods that run in privileged mode.
Copper has several built-in helpers:
DockerImage parses the given image reference and creates an object with the following attributes:
name - the image name,
tag - the image tag,
registry - the image registry,
registry_url - the protocol (https://) plus the image registry,
fqin - the fully qualified image name.
The findByName function finds a resource of a given kind and name in the input file.
The findByLabels function finds a resource of a given kind and labels.
By default, copper loads the whole input YAML file into the $$ variable and makes it available to the script (an approach familiar to anyone who has used jQuery).
Copper's main advantage is obvious: you do not need to learn a special language, and the full range of JavaScript features is available for writing checks, such as string interpolation, functions and so on.
It should also be noted that the current version of copper runs on an ES5 JavaScript engine, not ES6.
At the time the original article was written, version 1.0.3 was available.
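The registry policy from the copper script above, as an added example that is neither the article's nor copper's code. It does what a DockerImage-style helper has to do before the registry can be compared: split an image reference into registry, name, tag, digest and fqin using the Docker/OCI normalisation rules (the first path component is a registry only if it contains "." or ":" or is "localhost"; otherwise docker.io is assumed and a bare name such as nginx lives under library/). That normalisation is what keeps a policy honest: the short reference hashicorp/http-echo names docker.io, not a company registry. The trusted registry my-company.com is taken from the copper script; the manifests are constructed for the example and embedded as JSON.

```python
"""Trusted-registry policy with image-reference parsing (added example)."""
import json

DEFAULT_REGISTRY = "docker.io"
TRUSTED_REGISTRY = "my-company.com"   # assumed company registry, as in the copper script

# Constructed manifests: the http-echo Deployment plus its Service, and a
# compliant variant that pins an image from the company registry.
MANIFESTS = json.loads("""
[{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
  "spec": {"selector": {"matchLabels": {"app": "http-echo"}},
   "template": {"metadata": {"labels": {"app": "http-echo"}},
    "spec": {"containers": [{"name": "http-echo", "image": "hashicorp/http-echo"}]}}}},
 {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "http-echo"},
  "spec": {"selector": {"app": "http-echo"}, "ports": [{"port": 5678}]}}]
""")
COMPLIANT = json.loads("""
[{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
  "spec": {"selector": {"matchLabels": {"app": "http-echo"}},
   "template": {"metadata": {"labels": {"app": "http-echo"}},
    "spec": {"containers": [{"name": "http-echo",
                             "image": "my-company.com/infra/http-echo:0.2.3"}]}}}}]
""")


def parse_image(ref):
    """Split an image reference into registry, name, tag, digest and fqin."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = "library/" + path            # docker.io/nginx is really library/nginx
    name, colon, tag = path.rpartition(":")
    if not colon:
        name, tag = path, None              # no tag in the reference
    if tag is None and digest is None:
        tag = "latest"                      # what the runtime would pull
    fqin = registry + "/" + name + (":" + tag if tag else "") + ("@" + digest if digest else "")
    return {"registry": registry, "name": name, "tag": tag, "digest": digest, "fqin": fqin}


def check_images(manifests, trusted=TRUSTED_REGISTRY):
    """Return an error per Deployment container whose image is outside the trusted registry."""
    errors = []
    for m in manifests:
        if m.get("kind") != "Deployment":
            continue
        for c in m["spec"]["template"]["spec"]["containers"]:
            img = parse_image(c["image"])
            if img["registry"] != trusted:
                errors.append("Image %s (%s) is not from %s repo"
                              % (m["metadata"]["name"], img["fqin"], trusted))
    return errors


if __name__ == "__main__":
    for label, docs in (("base", MANIFESTS), ("compliant", COMPLIANT)):
        errs = check_images(docs)
        for e in errs:
            print("Check no_company_repo failed with severity 1 due to", e)
        print(label + ":", "Validation failed" if errs else "Validation passed")
```

Comparing img["registry"] rather than looking for a substring in the raw string matters: a substring match would accept an image such as docker.io/my-company.com-mirror/app, while the parsed registry of that reference is docker.io.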
Once installation is complete, you can run polaris against the base-valid.yaml manifest with the following command:
$ polaris audit --audit-path base-valid.yaml
It prints a JSON string with a detailed description of the checks performed and their results. The output looks like this: