Manatua. fa'aliliu.: Faʻatasi ai ma le faʻatupulaia o numera o faʻasalalauga YAML mo K8s siosiomaga, o le manaʻoga mo a latou faʻamaoniga faʻapitoa e faʻateleina ma sili atu ona faanatinati. O le tusitala o lenei iloiloga e le gata na filifilia ni fofo o loʻo i ai mo lenei galuega, ae na faʻaaogaina foi le Faʻasalalauga e fai ma faʻataʻitaʻiga e vaʻai ai pe faʻapefea ona latou galulue. Na faʻaalia e matua faʻamatalaga mo i latou e fiafia i lenei autu.
TL; AMA: O lenei tusiga o loʻo faʻatusatusaina meafaigaluega faʻapitoa e ono e faʻamaonia ma iloilo ai faila Kubernetes YAML e faʻatatau i faiga sili ona lelei ma manaʻoga.
O galuega a Kubernetes e masani ona faʻamatalaina i le tulaga o YAML pepa. O se tasi o faʻafitauli i le YAML o le faigata o le faʻamaonia o faʻalavelave poʻo sootaga i le va o faila faʻaalia.
Ae fa'afefea pe a mana'omia ona tatou mautinoa o ata uma e fa'apipi'i i le fuifui e sau mai se resitala fa'atuatuaina?
E fa'afefea ona ou taofia Fa'atonuga e leai ni PodDisruptionBudgets mai le lafoina i le fuifui?
O le tuʻufaʻatasia o suʻega faʻataʻitaʻi e mafai ai ona e iloa mea sese ma faiga faʻavae i le tulaga o le atinaʻe. Ole mea lea e fa'ateleina ai le fa'amautinoaga e sa'o ma malupuipuia fa'amatalaga o puna'oa, ma fa'ateleina ai le fa'atupuina o galuega fa'atino o le a mulimulita'i i faiga sili.
O le Kubernetes static YAML file inspection ecosystem e mafai ona vaevaeina i vaega nei:
- API fa'amaonia. Meafaigaluega i lenei vaega siaki le YAML faʻaaliga e faʻatatau i manaʻoga o le Kubernetes API server.
- Ua saunia tagata su'e. Meafaigaluega mai lenei vaega o loʻo sau ma faʻataʻitaʻiga saunia mo le saogalemu, tausisia o faiga sili, ma isi.
- Fa'atonu fa'apitoa. O sui o lenei vaega e mafai ai ona e faia ni su'ega masani i gagana eseese, mo se fa'ata'ita'iga, Rego ma Javascript.
I lenei tusiga o le a matou faʻamatalaina ma faʻatusatusa meafaigaluega eseese e ono:
- kubeval;
- kube-sikoa;
- config-lint;
- apamemea;
- tauvaga;
- polaris.
Ia, tatou amata!
Siaki Fa'atonuga
Ae tatou te leʻi amata faʻatusatusa meafaigaluega, seʻi o tatou faia ni faʻamatalaga e suʻe ai.
O le fa'aaliga o lo'o i lalo o lo'o i ai le tele o mea sese ma le le tausisia o faiga sili ona lelei: e to'afia o latou e mafai ona e mauaina?
apiVersion: apps/v1
kind: Deployment
metadata:
name: http-echo
spec:
replicas: 2
selector:
matchLabels:
app: http-echo
template:
metadata:
labels:
app: http-echo
spec:
containers:
- name: http-echo
image: hashicorp/http-echo
args: ["-text", "hello-world"]
ports:
- containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
name: http-echo
spec:
ports:
- port: 5678
protocol: TCP
targetPort: 5678
selector:
app: http-echo(base-valid.yaml)
Matou te faʻaogaina lenei YAML e faʻatusatusa ai meafaigaluega eseese.
Le fa'aaliga o lo'o i luga
base-valid.yamlma isi fa'aaliga mai lenei tusiga e mafai ona maua i totonu .
O le faʻaaliga o loʻo faʻamatalaina ai se 'upega tafaʻilagi o lana galuega autu o le tali atu i se "Hello World" feʻau i le taulaga 5678. E mafai ona faʻapipiʻiina i le poloaiga lenei:
kubectl apply -f hello-world.yamlMa o lea - siaki le galuega:
kubectl port-forward svc/http-echo 8080:5678Alu loa i le ma faʻamaonia o loʻo galue le talosaga. Ae e mulimuli i faiga sili? Sei o tatou siaki.
1. Kubeval
I le fatu o Ole manatu ole so'o se fegalegaleaiga ma Kubernetes e tupu ile REST API. I se isi faaupuga, e mafai ona e faʻaogaina se API schema e siaki pe faʻamalieina se YAML tuʻuina atu. Seʻi o tatou vaavaai i se faaaʻoaʻoga.
o lo'o maua le kubeval ile upegatafa'ilagi ole poloketi.
I le taimi na tusia ai le uluaʻi tusiga, sa maua le version 0.15.0.
A maeʻa ona faʻapipiʻi, seʻi o tatou fafagaina le faʻaaliga o loʻo i luga:
$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)Afai e manuia, o le a alu ese le kubeval ma le code exit 0. E mafai ona e siakiina e pei ona taua i lalo:
$ echo $?
0Sei o tatou taumafai nei kubeval ma se faʻaaliga ese:
apiVersion: apps/v1
kind: Deployment
metadata:
name: http-echo
spec:
replicas: 2
template:
metadata:
labels:
app: http-echo
spec:
containers:
- name: http-echo
image: hashicorp/http-echo
args: ["-text", "hello-world"]
ports:
- containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
name: http-echo
spec:
ports:
- port: 5678
protocol: TCP
targetPort: 5678
selector:
app: http-echo(kubeval-invalid.yaml)
E mafai ona e va'aia le fa'afitauli ile mata? Tatou amata:
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# проверим код возврата
$ echo $?
1E le o fa'amaonia le punaoa.
Fa'atonuga e fa'aaoga ai le API apps/v1, e tatau ona aofia ai se filifiliga e fetaui ma le igoa o le pod. O le faʻaaliga o loʻo i luga e le o aofia ai le tagata filifilia, o lea na lipotia ai e kubeval se mea sese ma alu ese ma se code e le-zero.
Ou te mafaufau pe o le a le mea e tupu pe a ou faia kubectl apply -f ma lenei fa'aaliga?
Ia, tatou taumafai:
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=falseO le mea tonu lava lea na lapatai mai ai kubeval. E mafai ona e faʻaleleia lenei mea e ala i le faʻaopoopoina o se tagata filifilia:
apiVersion: apps/v1
kind: Deployment
metadata:
name: http-echo
spec:
replicas: 2
selector: # !!!
matchLabels: # !!!
app: http-echo # !!!
template:
metadata:
labels:
app: http-echo
spec:
containers:
- name: http-echo
image: hashicorp/http-echo
args: ["-text", "hello-world"]
ports:
- containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
name: http-echo
spec:
ports:
- port: 5678
protocol: TCP
targetPort: 5678
selector:
app: http-echo(base-valid.yaml)
O le aoga o meafaigaluega e pei o le kubeval o mea sese e pei o nei e mafai ona vave maua i le taamilosaga faʻapipiʻi.
E le gata i lea, o nei siaki e le manaʻomia le avanoa i le fuifui; e mafai ona faia tuusao.
Ona o le faaletonu, e siaki e kubeval punaoa faasaga i le Kubernetes API schema fou. Ae ui i lea, i le tele o tulaga atonu e te manaʻomia e siaki se faʻasalalauga faʻapitoa Kubernetes. E mafai ona faia lenei mea i le faʻaaogaina o le fuʻa --kubernetes-version:
$ kubeval --kubernetes-version 1.16.1 base-valid.yamlFaamolemole ia matau o le lomiga e tatau ona faamaoti i le faatulagaga Major.Minor.Patch.
Mo se lisi o fa'aliliuga o lo'o lagolagoina le fa'amaoniga, fa'amolemole va'ai i , lea e fa'aogaina e kubeval mo le fa'amaonia. Afai e te manaʻomia le taʻavale kubeval tuusao, download le schemas ma faʻamaonia lo latou nofoaga faʻapitonuʻu e faʻaaoga ai le fuʻa --schema-location.
I le faʻaopoopoga i faila YAML taʻitasi, e mafai foi e kubeval ona galue faʻatasi ma directories ma stdin.
E le gata i lea, e faigofie ona tuʻufaʻatasia Kubeval i le paipa CI. O i latou e manaʻo e suʻe suʻega aʻo leʻi tuʻuina atu faʻaaliga i le fuifui o le a fiafia e iloa o loʻo lagolagoina e le kubeval ni faʻasologa e tolu:
- Fa'amatalaga manino;
- JSON;
- Su'ega So'o se Mea (TAP).
Ma o soʻo se faʻatulagaga e mafai ona faʻaogaina mo le faʻavasegaina atili o le gaioiga e maua ai se aotelega o taunuuga o le ituaiga manaʻomia.
O se tasi o fa'aletonu o le kubeval e le mafai ona siaki i le taimi nei mo le tausisia o Fa'amatalaga Punaoa Fa'apitoa (CRDs). Ae ui i lea, e mafai ona faʻapipiʻi kubeval .
Kubeval o se meafaigaluega sili mo le siakiina ma le iloiloina o punaoa; Ae ui i lea, e tatau ona faamamafaina o le pasia o le suʻega e le faʻamaonia ai o le punaoa o loʻo ogatasi ma faiga sili ona lelei.
Mo se faʻataʻitaʻiga, faʻaaogaina le pine latest i totonu o se atigipusa e le mulimulitaia faiga sili. Ae ui i lea, e le manatu le kubeval o se mea sese ma e le lipotia. O lona uiga, o le faʻamaoniga o ia YAML o le a maeʻa e aunoa ma ni lapataiga.
Ae faʻapefea pe a e manaʻo e iloilo le YAML ma faʻailoa soliga pei o le pine latest? E fa'afefea ona ou siakiina se faila YAML e fa'atatau i faiga sili?
2. Kube-sikoa
parses YAML faʻaalia ma iloilo i latou e faasaga i suʻega faʻapipiʻi. O nei suʻega e filifilia e faʻavae i luga o taʻiala saogalemu ma faiga sili, e pei o:
- Fa'amama le koneteina e le o le a'a.
- Avanoa o siaki soifua maloloina pod.
- Fa'atulaga talosaga ma tapula'a mo punaoa.
Faʻavae i luga o faʻaiʻuga o suʻega, e tolu iʻuga e tuʻuina atu: OK, LAPATAIGA и FUAFUAGA.
E mafai ona e fa'ata'ita'i le Kube-score i luga ole laiga pe fa'apipi'i ile lotoifale.
I le taimi na tusia ai le uluai tusiga, o le lomiga aupito lata mai o le kube-score o le 1.7.0.
Sei o tatou faataitai i la tatou faaaliga base-valid.yaml:
$ kube-score score base-valid.yaml
apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
· http-echo -> Image with latest tag
Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
· The pod does not have a matching network policy
Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
· Container is missing a readinessProbe
A readinessProbe should be used to indicate when the service is ready to receive traffic.
Without it, the Pod is risking to receive traffic before it has booted. It is also used during
rollouts, and can prevent downtime if a new version of the application is failing.
More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
· http-echo -> Container has no configured security context
Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
· http-echo -> CPU limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
· http-echo -> Memory limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
· http-echo -> CPU request is not set
Resource requests are recommended to make sure that the application can start and run without
crashing. Set resources.requests.cpu
· http-echo -> Memory request is not set
Resource requests are recommended to make sure that the application can start and run without crashing.
Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
· No matching PodDisruptionBudget was found
It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
· Deployment does not have a host podAntiAffinity set
It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
being scheduled on the same node. This increases availability in case the node becomes unavailable.Ua pasia e le YAML suega kubeval, ae o le kube-score e faasino i faaletonu nei:
- E le'i fa'atulagaina su'ega sauniuni.
- E leai ni talosaga po'o ni tapula'a mo puna'oa o le CPU ma le manatua.
- E le o fa'amaoti mai tala fa'atatau o le fa'alavelave.
- E leai ni tulafono o le tuueseeseina (tetee-afine) ia fa'ateleina avanoa.
- O le atigipusa e tafe e pei o aʻa.
O manatu aoga uma ia e uiga i faʻaletonu e manaʻomia ona faʻatalanoa ina ia sili atu le lelei ma le faʻatuatuaina o le Deployment.
au kube-score fa'aalia fa'amatalaga i foliga e mafai ona faitau tagata e aofia ai ituaiga soliga uma LAPATAIGA и FUAFUAGA, lea e fesoasoani tele i le taimi o le atinaʻe.
O i latou o lo'o mana'o e fa'aoga lenei mea faigaluega i totonu ole paipa CI e mafai ona fa'aogaina atili ai le fa'aogaina o le fu'a --output-format ci (i lenei tulaga, o suʻega ma le iʻuga o loʻo faʻaalia foi OK):
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/ServiceE tutusa ma le kubeval, o le kube-score e toe faʻafoʻi se numera e le-zero pe a iai se suʻega e le manuia FUAFUAGA. E mafai fo'i ona e fa'agaoioia faiga fa'apena mo LAPATAIGA.
E le gata i lea, e mafai ona siaki punaoa mo le tausisia o ituaiga API eseese (pei o le kubeval). Ae ui i lea, o lenei faʻamatalaga e faʻamaonia i le kube-score lava ia: e le mafai ona e filifilia se isi faʻamatalaga o Kubernetes. O lenei tapula'a e mafai ona avea ma fa'afitauli tele pe afai e te mana'o e fa'aleleia lau fuifui po'o le tele o au fuifui fa'atasi ma fa'aliliuga eseese o K8s.
matau lena fa'atasi ai ma se talosaga ina ia fa'ataunu'uina lenei avanoa.
E mafai ona maua nisi fa'amatalaga e uiga i le kube-score ile .
O su'ega Kube-score o se meafaigaluega sili mo le fa'atinoina o faiga sili, ae fa'apefea pe a mana'omia le faia o suiga i le su'ega pe fa'aopoopo au lava tulafono? Talofa e, e le mafai ona faia lenei mea.
Kube-score e le mafai ona fa'alautele: e le mafai ona e fa'aopoopo i ai ni faiga fa'avae pe fetu'una'i.
Afai e te manaʻomia le tusia o suʻega masani e faʻamaonia ai le tausisia o faiga faʻavae a le kamupani, e mafai ona e faʻaogaina se tasi o meafaigaluega nei e fa: config-lint, copper, conftest, polaris.
3.Config-lint
Config-lint o se meafaigaluega mo le faʻamaonia YAML, JSON, Terraform, CSV configuration faila ma Kubernetes faʻaaliga.
E mafai ona e fa'apipi'i fa'aaoga luga ole upegatafa'ilagi ole poloketi.
O le faʻasalalauga o loʻo iai nei i le taimi na tusia ai le uluaʻi tusiga o le 1.5.0.
Config-lint e leai ni su'ega fa'apipi'i mo le fa'amaoniaina o fa'aaliga Kubernetes.
Ina ia faia soʻo se suʻega, e tatau ona e faia ni tulafono talafeagai. Ua tusia i faila YAML ua taʻua o "rulesets" (tulafono), ma ia iai le fausaga nei:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
- "*.yaml"
rules:
# список правил(rule.yaml)
Se'i o tatou su'esu'e atili i ai:
- laufanua
typefa'ailoa mai po'o le a le ituaiga config-lint e fa'aogaina. Mo K8s faʻaalia o le i taimi umaKubernetes. - I le fanua
filesI le faaopoopo atu i faila lava ia, e mafai ona e faʻamaonia se lisi. - laufanua
rulesfa'amoemoe mo le fa'atulagaina o su'ega a tagata fa'aoga.
Seʻi tatou fai atu e te manaʻo e faʻamautinoa o ata i le Deployment o loʻo faʻapipiʻiina i taimi uma mai se faleoloa faʻalagolago e pei o my-company.com/myapp:1.0. O se tulafono config-lint e faia sea siaki e pei o lenei:
- id: MY_DEPLOYMENT_IMAGE_TAG
severity: FAILURE
message: Deployment must use a valid image tag
resource: Deployment
assertions:
- every:
key: spec.template.spec.containers
expressions:
- key: image
op: starts-with
value: "my-company.com/"(rule-trusted-repo.yaml)
O tulafono ta'itasi e tatau ona iai uiga nei:
id- fa'ailoga tulaga ese o le tulafono;severity- Atonu Toilalo, LAPATAIGA и NON_COMPLIANT;message- afai e solia se tulafono, o mea o loʻo i totonu o lenei laina e faʻaalia;resource- o le ituaiga punaoa o loʻo faʻatatau i ai lenei tulafono;assertions- se lisi o tulaga o le a iloiloina e tusa ai ma lenei punaoa.
I le tulafono i luga assertion i lalo o le igoa siaki o container uma o lo'o i le Fa'atulagaina (key: spec.templates.spec.containers) fa'aaoga ata fa'atuatuaina (e amata ile my-company.com/).
O le tulafono atoa e pei o lenei:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
- "*.yaml"
rules:
- id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
severity: FAILURE
message: Deployment must use a valid image repository
resource: Deployment
assertions:
- every:
key: spec.template.spec.containers
expressions:
- key: image
op: starts-with
value: "my-company.com/"(ruleset.yaml)
Ina ia fa'ata'ita'i le su'ega, se'i fa'asaoina e pei check_image_repo.yaml. Sei o tatou faia se siaki ile faila base-valid.yaml:
$ config-lint -rules check_image_repo.yaml base-valid.yaml
[
{
"AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
"Category": "",
"CreatedAt": "2020-06-04T01:29:25Z",
"Filename": "test-data/base-valid.yaml",
"LineNumber": 0,
"ResourceID": "http-echo",
"ResourceType": "Deployment",
"RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
"RuleMessage": "Deployment must use a valid image repository",
"Status": "FAILURE"
}
]Ua le manuia le siaki. Sei o tatou siaki le faʻaaliga o loʻo i lalo ma le faʻamaumauga saʻo ata:
apiVersion: apps/v1
kind: Deployment
metadata:
name: http-echo
spec:
replicas: 2
selector:
matchLabels:
app: http-echo
template:
metadata:
labels:
app: http-echo
spec:
containers:
- name: http-echo
image: my-company.com/http-echo:1.0 # !!!
args: ["-text", "hello-world"]
ports:
- containerPort: 5678(image-valid-mycompany.yaml)
Matou te faia le suʻega tutusa ma le faʻaaliga o loʻo i luga. Leai ni fa'afitauli na maua:
$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]O le Config-lint o se fa'avae fa'amoemoe e mafai ai ona e faia au lava su'ega e fa'amaonia ai fa'aaliga Kubernetes YAML e fa'aaoga ai le YAML DSL.
Ae faʻafefea pe a e manaʻomia ni faʻamatalaga faigata ma suʻega? E le fa'agata tele le YAML mo lenei mea? Ae fa'apefea pe a mafai ona e faia su'ega i se gagana fa'apolokalame atoa?
4. Apamemea
ose fa'avae mo le fa'amaoniaina o fa'aaliga e fa'aaoga ai su'ega fa'aleaganu'u (e tutusa ma le config-lint).
Ae ui i lea, e ese mai le mulimuli i le le faʻaaogaina o le YAML e faʻamatala ai suʻega. E mafai ona tusia su'ega ile JavaScript nai lo. O le Copper e maua ai se faletusi ma ni meafaigaluega fa'avae, e fesoasoani ia te oe e faitau fa'amatalaga e uiga i mea Kubernetes ma lipoti mea sese.
O laasaga mo le faʻapipiʻiina o Copper e mafai ona maua i totonu .
2.0.1 o le faʻasalalauga lata mai o lenei aoga i le taimi na tusia ai le uluaʻi tusiga.
E pei o le config-lint, Copper e leai ni suʻega faʻapipiʻi. Tatou tusi se tasi. Tuu atu e siaki pe o faʻapipiʻiina e faʻaaoga ata atigipusa naʻo mai fale teu faʻatuatuaina pei my-company.com.
Fausia se faila check_image_repo.js fa'atasi ai ma mea nei:
$$.forEach(function($){
if ($.kind === 'Deployment') {
$.spec.template.spec.containers.forEach(function(container) {
var image = new DockerImage(container.image);
if (image.registry.lastIndexOf('my-company.com/') != 0) {
errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
}
});
}
});O lea e su'e la matou fa'aaliga base-valid.yaml, faaaoga le poloaiga copper validate:
$ copper validate --in=base-valid.yaml --validator=check_image_tag.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failedE manino lava o le fesoasoani a le kopa e mafai ona e faia ni suʻega sili atu ona faigata - mo se faʻataʻitaʻiga, siaki igoa ole igoa ile Ingress faʻaalia poʻo le teena o pods o loʻo taʻavale ile tulaga faʻapitoa.
O loʻo i ai i le Copper galuega faʻaoga eseese ua fausia i totonu:
DockerImagefaitau le faila faila faʻamaonia ma fatuina se mea ma uiga nei:name- igoa o le ata,tag- fa'ailoga ata,registry- resitala ata,registry_url- protocol (https://) ma le resitala ata,fqin- nofoaga atoa o le ata.
- galuega tauave
findByNamefesoasoani i le sailia o se punaoa e ala i se ituaiga (kind) ma le igoa (name) mai le faila faila. - galuega tauave
findByLabelsfesoasoani e su'e se puna'oa i se ituaiga fa'apitoa (kind) ma fa'ailoga (labels).
E mafai ona e va'ai i galuega uma o lo'o avanoa .
E ala i le le mafai ona utaina le faila YAML uma i totonu o se fesuiaiga $$ ma fa'aavanoaina mo tusitusiga (se auala masani mo i latou e iai le poto masani i le jQuery).
O le aoga autu o Copper e manino: e te le manaʻomia le aʻoaʻoina o se gagana faʻapitoa ma e mafai ona e faʻaogaina uiga eseese o le JavaScript e fai ai au lava suʻega, e pei o le faʻaogaina o manoa, galuega, ma isi.
E tatau foi ona maitauina o le lomiga o loʻo i ai nei o Copper e galue ma le ES5 version o le masini JavaScript, ae le o le ES6.
E maua fa'amatalaga ile .
Ae peita'i, afai e te le fiafia tele i le Javascript ma e te mana'o i se gagana na fa'atulaga faapitoa mo le fa'atupuina o fesili ma fa'amatala faiga fa'avae, e tatau ona e fa'alogo i le tete'e.
5. Tauvaga
Conftest o se fa'avae mo le su'eina o fa'amaumauga o fa'amaumauga. E talafeagai foi mo le su'ega/fa'amaonia fa'aaliga Kubernetes. O su'ega o lo'o fa'amatalaina i le fa'aogaina o se gagana fa'apitoa mo fesili .
E mafai ona e faʻapipiʻi conftest faʻaaoga lisiina i luga ole upega tafa'ilagi ole poloketi.
I le taimi na tusia ai le uluaʻi tusiga, o le lomiga lata mai na maua o le 0.18.2.
E tutusa ma le config-lint ma le kopa, o le conftest e sau e aunoa ma ni suʻega faʻapipiʻi. Sei o tatou faataitai ma tusi a tatou lava faiga faavae. E pei o faʻataʻitaʻiga talu ai, o le a matou siaki pe o ata o pusa na ave mai se punaoa faʻalagolago.
Fausia se lisi conftest-checks, ma o loo i ai se faila e igoa check_image_registry.rego fa'atasi ai ma mea nei:
package main
deny[msg] {
input.kind == "Deployment"
image := input.spec.template.spec.containers[_].image
not startswith(image, "my-company.com/")
msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}Sei o tatou faataitai nei base-valid.yaml e ala i conftest:
$ conftest test --policy ./conftest-checks base-valid.yaml
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failureO le su'ega e mautinoa na le manuia ona o ata na sau mai se puna e le talitonuina.
I le faila Rego matou te faʻamalamalamaina le poloka deny. O lona moni e manatu o se soliga. Afai poloka deny tele, fa'atete'e siaki latou tuto'atasi mai le tasi ma le isi, ma o le moni o so'o se poloka e faia o se soliga.
I le fa'aopoopoina i le fa'aletonu o galuega, o le fa'aupuga e lagolagoina le JSON, TAP ma le laulau - o se mea sili ona aoga pe afai e te mana'omia le fa'apipi'iina o lipoti i se paipa CI o iai nei. E mafai ona e setiina le faatulagaga manaʻomia e faʻaaoga ai le fuʻa --output.
Ina ia faafaigofie le debug faiga faavae, conftest ei ai se fuʻa --trace. O lo'o fa'aalia ai se fa'ailoga o le auala e fa'asoa ai e le fa'atauva'a faila o faiga fa'avae.
E mafai ona fa'asalalau faiga fa'atauvaga ma fa'asoa ile OCI (Open Container Initiative) resitara e fai ma mea taua.
Команды push и pull fa'ataga oe e fa'asalalau se mea fa'apitoa po'o le toe aumai o se mea fa'apitoa o lo'o iai mai se resitala mamao. Sei o tatou taumafai e lolomi le faiga faʻavae na matou faia i le resitala Docker i le lotoifale faʻaaoga conftest push.
Amata lau resitala Docker i le lotoifale:
$ docker run -it --rm -p 5000:5000 registryI se isi laina, alu i le lisi na e faia muamua conftest-checks ma tamomoe le poloaiga lenei:
$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latestAfai na manuia le poloaiga, o le a e vaʻai i se feʻau faʻapenei:
2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609cFausia nei se lisi le tumau ma fa'atonu le fa'atonuga i totonu conftest pull. O le a sii maia le afifi na faia e le poloaiga muamua:
$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latestO le a aliali mai se subdirectory i le lisi le tumau policyo lo'o iai a matou faila fa'avae:
$ tree
.
└── policy
└── check_image_registry.regoO su'ega e mafai ona fai sa'o mai le fale teu oloa:
$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failureAe paga lea, e leʻi lagolagoina le DockerHub. O lea ia mafaufau ia te oe lava e laki pe a e faʻaaogaina (ACR) po'o lau lava resitala.
E tutusa le fa'atulagaina o mea (OPA), lea e fa'ataga ai oe e fa'aoga fa'atauvaga e fa'atino su'ega mai afifi OPA o iai.
E mafai ona e a'oa'o atili e uiga i le fefa'asoaa'i o faiga fa'avae ma isi vaega o fa'atauvaga i .
6.Polaris
O le meafaigaluega mulimuli o le a talanoaina i lenei tusiga o le . (O lana faʻaaliga o le tausaga mulimuli matou - tusa. fa'aliliuga)
E mafai ona faʻapipiʻi Polaris i se fuifui pe faʻaaoga i le laina laina laina. E pei ona e mateina, e mafai ai ona e suʻesuʻeina faʻamatalaga Kubernetes.
A tamo'e i le laina fa'atonu, o lo'o avanoa su'ega fa'apipi'i e aofia ai vaega e pei o le saogalemu ma faiga sili (e tutusa ma le kube-score). E le gata i lea, e mafai ona e faia au lava su'ega (pei o le config-lint, copper ma le conftest).
I se isi faaupuga, ua tuʻufaʻatasia e Polaris faʻamanuiaga o vaega uma e lua o meafaigaluega: faʻatasi ai ma suʻega faʻapipiʻi ma aganuʻu.
Ina ia faʻapipiʻi Polaris i le laina laina laina, faʻaoga .
I le taimi na tusia ai le uluaʻi tusiga, o loʻo avanoa le version 1.0.3.
A maeʻa le faʻapipiʻi e mafai ona e taʻavale polaris i luga o le faʻaaliga base-valid.yaml ma le poloaiga lenei:
$ polaris audit --audit-path base-valid.yamlO le a faʻaalia ai se manoa i le JSON format ma se faʻamatalaga auiliili o suʻega na faia ma o latou taunuuga. O le a iai le fa'atulagaga nei:
{
"PolarisOutputVersion": "1.0",
"AuditTime": "0001-01-01T00:00:00Z",
"SourceType": "Path",
"SourceName": "test-data/base-valid.yaml",
"DisplayName": "test-data/base-valid.yaml",
"ClusterInfo": {
"Version": "unknown",
"Nodes": 0,
"Pods": 2,
"Namespaces": 0,
"Controllers": 2
},
"Results": [
/* длинный список */
]
}O lo'o maua galuega uma .
E pei o le kube-score, e faʻailoa e Polaris faʻafitauli i vaega e le o fetaui lelei le faʻaaliga:
- E leai ni siaki soifua maloloina mo pods.
- O fa'ailoga mo ata atigipusa e le o fa'amaoti mai.
- O le atigipusa e tafe e pei o aʻa.
- Talosaga ma tapulaʻa mo le manatua ma le PPU e le o faʻamaonia.
O suʻega taʻitasi, e faʻatatau i ona taunuuga, e tuʻuina atu i ai se tikeri o le taua: lapataʻiga poʻo lamatiaga. Mo nisi fa'amatalaga e uiga i su'ega fa'apipi'i o lo'o avanoa, fa'amolemole va'ai .
Afai e le manaʻomia faʻamatalaga, e mafai ona e faʻamaonia le fuʻa --format score. I lenei tulaga, o le a faʻaalia e Polaris se numera mai le 1 i le 100 − togi (ie iloiloga):
$ polaris audit --audit-path test-data/base-valid.yaml --format score
68Ole latalata ole sikoa ile 100, ole maualuga ole tikeri ole maliliega. Afai e te siakiina le code exit o le poloaiga polaris audit, e aliali mai e tutusa ma le 0.
Malosi polaris audit E mafai ona e fa'amutaina le galuega e le-zero code e fa'aaoga ai fu'a se lua:
- Flag
--set-exit-code-below-scoree avea o se finauga o se tau fa'ailoga i le va 1-100. I lenei tulaga, o le a alu ese le poloaiga ma le code exit 4 pe afai o le sikoa o loʻo i lalo ole faitotoʻa. E aoga tele lenei mea pe'ā i ai sau tau fa'ailoga (fai mai 75) ma e tatau ona e maua se mataala pe a alu le sikoa i lalo. - Flag
--set-exit-code-on-dangero le a mafua ai ona toilalo le poloaiga i le code 3 pe a le manuia se tasi o suʻega mataʻutia.
Se'i o tatou taumafai nei e fai se su'ega fa'aaganu'u e siaki ai pe aumai le ata mai se fale teu fa'atuatuaina. O faʻataʻitaʻiga faʻapitoa o loʻo faʻamaonia i le YAML format, ma o le suʻega lava ia o loʻo faʻamatalaina i le JSON Schema.
Ole YAML code snippet o loʻo faʻamatalaina se suʻega fou ua taʻua checkImageRepo:
checkImageRepo:
successMessage: Image registry is valid
failureMessage: Image registry is not valid
category: Images
target: Container
schema:
'$schema': http://json-schema.org/draft-07/schema
type: object
properties:
image:
type: string
pattern: ^my-company.com/.+$Se'i tatou va'ai toto'a i ai:
successMessage- o lenei laina o le a lolomi pe a maeʻa le suʻega;failureMessage- o le a faʻaalia lenei feʻau pe a le manuia;category- faʻaalia se tasi o vaega:Images,Health Checks,Security,NetworkingиResources;target--- e fuafua po o le a le ituaiga mea (spec) ua fa'aaogaina le su'ega. Tulaga talafeagai:Container,PodpoʻoController;- O le suʻega lava ia o loʻo faʻamaonia i le mea
schemafa'aaoga le JSON schema. O le upu autu i lenei suega o lepatternfa'aoga e fa'atusatusa le puna ata ma le mea e mana'omia.
Ina ia faʻataʻitaʻiina le suʻega o loʻo i luga, e tatau ona e fatuina le faʻatulagaina o Polaris:
checks:
checkImageRepo: danger
customChecks:
checkImageRepo:
successMessage: Image registry is valid
failureMessage: Image registry is not valid
category: Images
target: Container
schema:
'$schema': http://json-schema.org/draft-07/schema
type: object
properties:
image:
type: string
pattern: ^my-company.com/.+$(polaris-conf.yaml)
Se'i fa'avasega le faila:
- I le fanua
checkssu'ega ma o latou tulaga taua o lo'o fa'atonuina. Talu ai e manaʻomia le mauaina o se lapataiga pe a ave se ata mai se punavai e le talitonuina, matou te setiina le tulaga iineidanger. - O le suega lava ia
checkImageRepoona resitalaina lea i le meacustomChecks.
Faasaoina le faila e pei o custom_check.yaml. O lea ua mafai ona e tamoe polaris audit fa'atasi ai ma se fa'aaliga YAML e mana'omia le fa'amaonia.
Se'i o tatou fa'ata'ita'i la tatou fa'aaliga base-valid.yaml:
$ polaris audit --config custom_check.yaml --audit-path base-valid.yamlau polaris audit taufetuli na'o le su'ega a le tagata fa'aoga o lo'o ta'ua i luga ae na le manuia.
Afai e te fa'aleleia le ata i my-company.com/http-echo:1.0, o le a maeʻa manuia Polaris. O le manifesto ma suiga ua uma ona i totonu ina ia mafai ona e siaki le poloaiga muamua i luga o le faaaliga image-valid-mycompany.yaml.
O lea la o le fesili e tulaʻi mai: faʻafefea ona faʻatautaia suʻega faʻapipiʻi faʻatasi ma aganuʻu? Faigofie! E na'o lou mana'omia e fa'aopoopo i totonu fa'ailoga su'ega ile faila fa'atulagaina. O se taunuuga, o le a faia le faiga lenei:
checks:
cpuRequestsMissing: warning
cpuLimitsMissing: warning
# Other inbuilt checks..
# ..
# custom checks
checkImageRepo: danger # !!!
customChecks:
checkImageRepo: # !!!
successMessage: Image registry is valid
failureMessage: Image registry is not valid
category: Images
target: Container
schema:
'$schema': http://json-schema.org/draft-07/schema
type: object
properties:
image:
type: string
pattern: ^my-company.com/.+$(config_with_custom_check.yaml)
O loʻo maua se faʻataʻitaʻiga o se faila faʻatulagaina atoatoa .
Siaki fa'aaliga base-valid.yamlfaʻaaogaina suʻega faʻapipiʻi ma aganuʻu, e mafai ona e faʻaogaina le poloaiga:
$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yamlO le Polaris e faʻapipiʻi suʻega faʻapipiʻi faʻatasi ma aganuʻu, ma faʻapipiʻi ai le sili o lalolagi uma e lua.
I le isi itu, o le le mafai ona faʻaogaina gagana sili atu ona mamana e pei o Rego poʻo JavaScript e mafai ona avea ma mea faʻatapulaʻa e taofia ai le faia o suʻega sili atu ona faʻapitoa.
E maua nisi fa'amatalaga e uiga i Polaris ile .
Aotelega
E ui e tele meafaigaluega e avanoa e asiasia ma iloilo ai faila Kubernetes YAML, e taua le i ai o se malamalama manino i le auala o le a mamanuina ma faʻatino ai suʻega.
Mo se faataitaiga, afai e te ave Kubernetes faʻaaliga e alu i se paipa, o le kubeval e mafai ona avea ma laasaga muamua i sea paipa.. O le a mata'ituina pe talafeagai fa'amatalaga mea ma le Kubernetes API schema.
O le taimi lava e maeʻa ai sea iloiloga, e mafai e se tasi ona faʻagasolo i suʻega sili atu ona faʻapitoa, e pei o le tausisia o faiga masani sili ona lelei ma faiga faʻavae patino. O le mea lea e aoga ai le kube-score ma Polaris.
Mo i latou e iai manaʻoga faʻalavelave ma manaʻomia le faʻavasegaina o suʻega i auiliiliga, kopa, config-lint ma conftest o le a talafeagai..
Conftest ma config-lint fa'aaoga le YAML e fa'amatala ai su'ega fa'aaganu'u, ma le 'apamemea e tu'uina atu ai ia te oe le avanoa i se gagana fa'apolokalame atoa, ma avea ai ma se filifiliga aulelei.
I le isi itu, e aoga le faʻaaogaina o se tasi o nei meafaigaluega ma, o le mea lea, faia uma suʻega ma le lima, pe manaʻo ia Polaris ma faʻaopoopo naʻo mea e manaʻomia i ai? E leai se tali manino i lenei fesili.
O le laulau o loʻo i lalo o loʻo tuʻuina atu ai se faʻamatalaga puupuu o meafaigaluega taitasi:
Meafaigaluega
Faamoemoe
vaivaiga
Su'ega fa'aoga
kubeval
Fa'amaonia fa'aaliga YAML e fa'asaga i se fa'amatalaga patino o le polokalame API
Le mafai ona galue ma CRD
leai
kube-sikoa
Iloiloga fa'aaliga YAML fa'asaga i faiga sili ona lelei
Le mafai ona filifili lau Kubernetes API version e siaki ai punaoa
leai
apamemea
O se ta'iala lautele mo le faia o su'ega JavaScript masani mo fa'aaliga YAML
Leai ni su'ega fa'apipi'i. Le lelei fa'amaumauga
lea
config-lint
O se ta'iala lautele mo le faia o su'ega i se gagana fa'apitoa o lo'o fa'apipi'i ile YAML. Lagolagoina fa'asologa o fa'atulagaga eseese (eg Terraform)
E leai ni su'ega ua saunia. O fa'aupuga ma galuega fa'atino atonu e le lava
lea
fa'atauvaga
Se fa'avae mo le faia o au lava su'ega e fa'aaoga ai le Rego (se gagana fa'apitoa mo fesili). Fa'ataga le fa'asoaina o faiga fa'avae e ala ile fusi ole OCI
Leai ni su'ega fa'apipi'i. E tatau ona ou aoaoina Rego. E le lagolagoina le Docker Hub pe a fa'asalalau faiga fa'avae
lea
Palemia
Iloiloga fa'aalia YAML fa'asaga i faiga masani sili ona lelei. Fa'ataga oe e fai au lava su'ega e fa'aaoga ai le JSON Schema
Atonu e le lava su'ega e fa'avae ile JSON Schema
lea
Ona o nei meafaigaluega e le faʻalagolago i le avanoa i le Kubernetes cluster, e faigofie ona faʻapipiʻi. Latou te faʻatagaina oe e faʻamama faila faila ma tuʻuina atu faʻamatalaga vave i tusitala o talosaga toso i galuega faatino.
PS mai faaliliu
Faitau foi i la matou blog:
- «";
- «";
- «".
puna: www.habr.com