Helm Security

The key points of this story about the most popular package manager for Kubernetes can be illustrated with emoji:

  • the box is Helm (the closest thing available in the current Emoji release);
  • the lock is security;
  • the little man is the solution to the problem.


In reality everything is a little more complicated, and the story is full of technical detail about how to make Helm secure.

  • A short refresher on what Helm is, in case you did not know or have forgotten: which problems it solves and where it sits in the ecosystem.
  • A look at the Helm architecture. There is no point discussing the security of a tool or solution without understanding how its components fit together.
  • A walk through the Helm components.
  • The hottest question is the future: the new Helm 3.

Everything in this article applies to Helm 2. That version is the one currently in production, it is probably the one you are using right now, and it is the version with the security risks.


About the speaker: Alexander Khayorov (allexx) has been a developer for 10 years, helps shape the programme of Moscow Python Conf++ and sits on the Helm Summit committee. He now works at Chainstack as a development lead, a cross between a development manager and the person responsible for shipping the final release. That is, he is on the front line, where everything from the creation of a product to its operation happens.

Chainstack is a small, actively growing startup whose goal is to let customers forget about infrastructure and the complexity of running decentralized applications; the development team is in Singapore. Do not ask Chainstack to sell or buy cryptocurrency, but do ask about enterprise blockchain systems and they will be happy to talk.

Helm

Helm is a package (chart) manager for Kubernetes. It is the most intuitive and universal way to get applications into a Kubernetes cluster.


We are, of course, talking about a more structured, industrial approach than writing your own YAML manifests and small deployment utilities.

Helm is the best thing available and the most popular.

Why Helm? Mainly because it is backed by the CNCF. The Cloud Native Computing Foundation is a large organization and the parent of projects such as Kubernetes, etcd, Fluentd and others.

Another important factor is that Helm is a very popular project. When I first started talking about making Helm secure in January 2019, the project had a thousand stars on GitHub. By May there were twelve thousand.

Many people are interested in Helm, so even if you do not use it yet, you will benefit from knowing about its security. Security matters.

The core Helm team is backed by Microsoft Azure, so it is a fairly stable project, unlike many others. The release of Helm 3 Alpha 2 in mid-July shows that a lot of people are working on the project and have the desire and energy to develop and improve Helm.


Helm solves several root problems of application management in Kubernetes.

  • Application packaging. Even a "Hello, World" application such as WordPress already consists of several services, and you want to install them together.
  • Managing the complexity that comes with configuring these applications.
  • The endless lifecycle after an application has been installed or deployed. It keeps living, it needs updating, and Helm helps with this by trying to bring the right procedures and policies to it.

Packaging is organized in the obvious way: there is metadata that fully matches the job of any package manager on Linux, Windows or macOS. That is, a repository, dependencies on other packages, meta information about the application, settings, configuration options, index information, and so on. Helm lets you obtain and use all of this for applications.

Complexity management. If you have many applications of the same kind, you need parameterization. Templates follow from this, but instead of inventing your own way of building templates you can use what Helm offers out of the box.

Application lifecycle management is, in my view, the most interesting and still unsolved question. It is why I came to Helm in the first place. We had to keep an eye on application deployments and wanted to move our CI/CD and application lifecycle into this paradigm.

Helm lets you:

  • manage deployments, introducing the concepts of configuration and revision;
  • perform rollbacks successfully;
  • use hooks for various events;
  • add extra application checks and react to their results.

In addition Helm comes with "batteries": a large number of useful things that can be packaged as plugins, making your life easier. Plugins can be written independently, are fully isolated and do not require a compatible architecture. If you want to do something, I recommend doing it as a plugin and possibly contributing it upstream.

Helm is built on three main concepts:

  • Chart: the description and the set of parameters available for your manifests.
  • Config: the values that will be applied (text, numbers and so on).
  • Release: combines the two components above, and together they turn into a Release. Releases can be versioned, which gives a structured lifecycle: small at install time and larger at upgrade, downgrade or rollback.

Helm architecture

The diagram shows the high-level design of Helm.


Let me remind you that Helm is something tied to Kubernetes, so we cannot do without a Kubernetes cluster (the rectangle). The kube-apiserver component lives on the master. Without Helm we have a Kubeconfig. Helm brings one small binary, the Helm CLI utility if you like, which is installed on a computer, laptop, mainframe, anything.

But that is not enough. Helm has a server-side component called Tiller. It represents Helm's interests inside the cluster; it is an application running inside the Kubernetes cluster like any other.

The next component is the Chart Repo, a repository of charts. There is an official repository, and there may be a private repository for a company or project.

Interaction

Let us look at how the components of the architecture interact when we want to install an application with Helm.

  • We run helm install, go to the repository (Chart Repo) and fetch the Helm chart.
  • The Helm utility (Helm CLI) reads the Kubeconfig to find out which cluster to contact.
  • With this information, the utility sends a request to Tiller, which lives in our cluster.
  • Tiller calls the Kube-apiserver to perform actions in Kubernetes, creating objects (services, pods, replicas, secrets and so on).

Next, let us complicate the design to see the attack vectors to which the Helm architecture as a whole can be exposed. Then we will try to defend against them.

Attack vectors

The first potential weak point is a privileged API user. In our scheme, this is a villain who has gained admin access to the Helm CLI.

An unprivileged API user can also pose a danger if he is somewhere nearby. Such a user will have a different context; for example, he may be confined to one cluster namespace in the Kubeconfig settings.

The most interesting attack vector may be a process that lives inside the cluster somewhere near Tiller and can reach it. This could be a web server or a microservice that can see the cluster's network environment.

An exotic but increasingly popular attack variant involves the Chart Repo. A chart created by an unscrupulous author may contain insecure resources, and you will end up installing it on trust. Or it may replace the chart you download from the official repository and, for example, create a resource in the form of a policy and escalate its access.


Let us try to fend off attacks from all these sides and see where there are problems in the Helm architecture and where, perhaps, there are none.

Let us enlarge the diagram and add some elements, but keep all the important components.


The Helm CLI talks to the Chart Repo, reads the Kubeconfig, and the work is handed over to the cluster, to the Tiller component.

Tiller is represented by two objects:

  • Tiller-deploy svc, which exposes a Service;
  • Tiller-deploy pod (in the picture, a single instance with one replica), where the whole workload runs and which accesses the cluster.

Different protocols and schemes are used for these interactions. From a security point of view we are most interested in:

  • The way the Helm CLI reaches the chart repo: which protocol, whether there is authentication and what can be done with it.
  • The protocol by which the Helm CLI, going through the Kubernetes API, talks to Tiller. This is an RPC server located inside the cluster.
  • Tiller itself, which is reachable by microservices living in the cluster and interacts with the Kube-apiserver.


Let us go through each of these places in order.

RBAC

There is no point talking about the security of Helm or of any other service in the cluster unless RBAC is enabled.

It seems this is not a new recommendation, but I am sure that many people still have not enabled RBAC even in production, because it is a lot of fuss and there is a lot to configure. Nevertheless, I urge you to do it.


https://rbac.dev/ is an advocacy site for RBAC. It has a huge amount of interesting material that will help you set up RBAC, show why it is good and how to live with it in production.

I will try to explain how Tiller and RBAC work together. Tiller runs inside the cluster under a service account. Usually, if RBAC is not configured, this will be the superuser. In the default setup Tiller will be admin. That is why it is often said that Tiller is an SSH tunnel into your cluster. This is in fact true, so you can use a dedicated service account instead of the Default Service Account shown in the diagram above.

When you initialize Helm and install it on the server for the first time, you can set the service account with --service-account. This lets you use an identity with the minimum required set of rights. True, you will have to build that "garland": a Role and a RoleBinding.


Unfortunately, Helm does not do this for you. You or your Kubernetes cluster administrator must prepare the set of Roles and RoleBindings for the service account in advance, before handing it to Helm.

The question arises: what is the difference between a Role and a ClusterRole? The difference is that a ClusterRole applies to all namespaces, unlike plain Roles and RoleBindings, which apply only to a specific namespace. You can configure policies for the whole cluster and all namespaces, or separately for each namespace.

It is worth mentioning that RBAC solves another big problem. Many people complain that Helm, unfortunately, is not multitenant (does not support multitenancy). If several teams share a cluster and use Helm, it is impossible to set policies and restrict their access within the cluster, because there is a single service account under which Helm runs, and it creates all the resources in the cluster under that account, which is sometimes very inconvenient. This is true: as a binary, as a process, Helm Tiller has no notion of multitenancy.

However, there is a great way to get around this: run Tiller several times in the cluster. There is no problem with that; Tiller can be launched in every namespace. Then you can use RBAC and a Kubeconfig context to restrict access to a particular Helm.

It will look like this.


For example, there are two Kubeconfigs with contexts for different clusters (two namespaces): the X-team development cluster and the admin cluster. The admin cluster has its own wide-open Tiller in the Kube-system namespace, bound to a superuser service account. And there is a separate namespace for the development team, who can deploy their services into their dedicated namespace.

This is a working approach. Tiller is not so hungry for resources that it will seriously hurt your budget. This is one of the quick wins.

Feel free to configure Tiller separately and hand out a Kubeconfig with a context to a team, to a specific developer or per environment: Dev, Staging, Production (it is not a given that all of them will be in one cluster, but this can be done).
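The per-namespace setup described above, as an added example (not code from the talk or from the Helm project): a POSIX shell script that emits the ServiceAccount, Role and RoleBinding for one team's Tiller and the helm init call that binds Tiller to them. The namespace dev, the service account tiller-dev and the kubeconfig context dev-cluster are assumed names.

```shell
#!/bin/sh
# Added example, not the talk's own code: a namespace-scoped Tiller for one
# team. Namespace "dev", service account "tiller-dev" and kubeconfig context
# "dev-cluster" are assumed names.
set -eu

# ServiceAccount, Role and RoleBinding that confine Tiller to namespace $1.
# A Role rather than a ClusterRole: it cannot grant anything outside $1.
tiller_rbac_manifest() {
  ns=$1
  sa=$2
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-manager
  namespace: ${ns}
rules:
  # Covers Tiller's release records (ConfigMaps, or Secrets with
  # --storage=secret) and the objects typical charts create. "*" inside a
  # single namespace is still broad; trim it to what your charts really need.
  - apiGroups: ["", "apps", "extensions", "batch"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-binding
  namespace: ${ns}
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
roleRef:
  kind: Role
  name: ${sa}-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

# One-time steps for the cluster admin. They need a live cluster, so they
# only run with APPLY=1. --service-account and --tiller-namespace are Helm 2
# flags; --kube-context selects the Kubeconfig context.
install_team_tiller() {
  ns=$1; sa=$2; ctx=$3
  kubectl --context "$ctx" get namespace "$ns" >/dev/null 2>&1 \
    || kubectl --context "$ctx" create namespace "$ns"
  tiller_rbac_manifest "$ns" "$sa" | kubectl --context "$ctx" apply -f -
  helm --kube-context "$ctx" init --service-account "$sa" --tiller-namespace "$ns"
  # The team then targets its own Tiller, e.g.
  #   helm --kube-context dev-cluster --tiller-namespace dev ls
  # and the Role stops that Tiller from creating anything in other namespaces.
}

if [ "${APPLY:-0}" = "1" ]; then
  install_team_tiller dev tiller-dev dev-cluster
else
  tiller_rbac_manifest dev tiller-dev
fi
```

Run it without arguments to review the manifest, and with APPLY=1 against a context that has cluster-admin to create the namespace, the RBAC objects and the team's Tiller. The admin Tiller in kube-system keeps its own, wider service account; the team's Kubeconfig only needs a context whose user can reach the dev namespace.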

Continuing our story, let us move on from RBAC and talk about ConfigMaps.

ConfigMaps

Helm uses ConfigMaps as its data store. When we talked about the architecture, there was no database anywhere to store information about releases, configurations, rollbacks and so on. ConfigMaps are used for this.

The main problem with ConfigMaps is well known: they are not secure by design; they cannot hold sensitive data. We are talking about everything that should not leave the service, for example passwords. The most native option for Helm right now is to switch from ConfigMaps to Secrets.

This is done very simply. Override the Tiller setting and specify that the storage will be Secrets. Then for every deployment you get not a ConfigMap but a Secret.


You may argue that Secrets themselves are a strange concept and not very secure. However, it is important to understand that the Kubernetes developers themselves are working on this. Since version 1.10, that is for quite a while now, it has been possible, at least in the public clouds, to plug real encrypted storage in behind Secrets. The team is now working on how to better distribute access to Secrets to individual pods or other entities.

It is better to move Helm's storage to Secrets, which are in turn protected centrally.

Of course, the 1 MB limit on stored data will remain. Helm here relies on etcd as the distributed storage behind ConfigMaps, and that is where it was decided that this was a suitable chunk of data for replication and so on. There is an interesting discussion about this on Reddit; I recommend finding this amusing weekend read, or reading the extract given here.
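What the ConfigMap-to-Secret switch does and does not protect, as an added example (not from the talk or from Helm itself). Tiller's record encoding is base64 over gzip over protobuf, so the decode filter below works on real records; the sample payload at the end is constructed so the script runs without a cluster, and the namespace and release names are assumptions.

```shell
#!/bin/sh
# Added example, not the talk's own code: look inside Tiller's release
# records and move them from ConfigMaps to Secrets. Namespace and release
# names are assumptions; the sample record at the bottom is constructed.
set -eu

# Tiller stores every release revision as base64(gzip(protobuf)). The
# protobuf holds the rendered manifests and the values passed at install,
# so whoever can read the object reads every value in clear. This filter
# undoes the encoding; YAML and values appear as plain text between the
# binary protobuf field tags, which are blanked out.
decode_release() {
  base64 -d | gzip -dc | tr -c '[:print:]\n' '[ *]'
}

# Tiller labels its records OWNER=TILLER plus NAME, VERSION and STATUS.
list_release_records() {
  ns=${1:-kube-system}
  kubectl -n "$ns" get configmaps,secrets -l OWNER=TILLER -L NAME,VERSION,STATUS
}

# Dump one record. Secret .data is base64 on top of Tiller's own base64,
# hence the extra decode on that path.
dump_release_record() {
  kind=$1; name=$2; ns=${3:-kube-system}
  if [ "$kind" = secret ]; then
    kubectl -n "$ns" get secret "$name" -o go-template='{{.data.release}}' \
      | base64 -d | decode_release
  else
    kubectl -n "$ns" get configmap "$name" -o go-template='{{.data.release}}' \
      | decode_release
  fi
}

# 'helm init' has no --storage flag; the documented way is to override the
# Tiller container command so it starts with --storage=secret. Existing
# ConfigMap records are not migrated, so do this before the first release
# or re-deploy afterwards.
tiller_use_secret_storage() {
  helm init --service-account "${1:-tiller}" --upgrade \
    --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}'
}

# Constructed stand-in for a record's payload: Tiller's encoding applied to
# a values fragment. No cluster needed.
demo_record() {
  printf 'mysql:\n  rootPassword: s3cr3t-from-values\n' | gzip -c | base64
}

demo_record | decode_release
```

The point of the demo is that the switch changes who can read the record (whoever holds get on Secrets, and what the apiserver's encryption-at-rest does for Secrets), not what is in it: the decoded payload still carries every value in clear, so Secrets-backed storage is only as good as the RBAC on Secrets in that namespace.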

Chart Repos

Charts are the most socially exposed part of the environment and can become the source of a "man in the middle", especially if you use a stock solution. First of all we are talking about repositories served over plain HTTP.

You should definitely expose a Helm Repo over HTTPS; this is the best option and it is not expensive.

Pay attention to the chart signing mechanism. The technology is dead simple. It is the same thing you use on GitHub: an ordinary PGP setup with public and private keys. Set it up and, holding the required keys and signing everything, make sure that this is really your chart.

In addition, the Helm client supports TLS (not in the server-side HTTPS sense, but mutual TLS). You can use server and client keys to communicate. Honestly, I do not use such mechanisms because I dislike certificates. Actually, chartmuseum, the main tool for setting up a Helm Repo for Helm 2, also supports basic auth. You can use basic auth if it is simpler and quieter.

There is also the helm-gcs plugin, which lets you host Chart Repos on Google Cloud Storage. This is quite convenient, works great and is fairly secure, because all the mechanisms described above are reused.


If you enable HTTPS or TLS, use mTLS, and enable basic auth to reduce the risk further, you get a secure communication channel between the Helm CLI and the Chart Repo.
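Signing, verifying and registering a repository, as an added example (not code from the talk, from chartmuseum or from the Helm project). It uses only Helm 2 flags and GnuPG keyrings; the key name, repository URL and certificate paths are assumptions, and the digest check at the end runs on a constructed provenance file so it works without gpg or a network.

```shell
#!/bin/sh
# Added example, not the talk's own code: chart signing and verification
# plus an authenticated repository. Key name, URL and paths are assumptions.
set -eu

# Publisher side. Helm 2 reads a GnuPG secret keyring file, so with
# GnuPG 2.1+ export it first: gpg --export-secret-keys > ~/.gnupg/secring.gpg
sign_chart() {
  chart_dir=$1; key_name=$2
  helm package --sign --key "$key_name" --keyring "$HOME/.gnupg/secring.gpg" "$chart_dir"
  # Produces <name>-<version>.tgz and <name>-<version>.tgz.prov; publish both.
}

# Consumer side. 'helm verify' and 'install --verify' fail closed when the
# .prov is missing, the signing key is not in the keyring, or the digest
# recorded in the .prov does not match the archive.
verify_and_install() {
  chart=$1; release=$2
  helm verify --keyring "$HOME/.gnupg/pubring.gpg" "$chart"
  helm install --verify --keyring "$HOME/.gnupg/pubring.gpg" --name "$release" "$chart"
}

# Transport. HTTPS is the floor; add a client certificate (mTLS) or basic
# auth (chartmuseum supports it) so the repository also authenticates you.
add_private_repo() {
  helm repo add corp https://charts.example.internal \
    --ca-file ca.pem --cert-file client.pem --key-file client-key.pem
  # Basic auth variant:
  # helm repo add corp https://charts.example.internal --username ci --password "$REPO_PASS"
}

# The digest half of provenance checking, done by hand so it runs without
# gpg. A .prov file is a clearsigned text whose "files:" section maps the
# archive name to "sha256:<hex>". Returns 0 when the archive matches.
prov_digest_matches() {
  prov=$1; tgz=$2
  expected=$(sed -n 's/^  *'"$(basename "$tgz")"': sha256:\([0-9a-f]*\).*/\1/p' "$prov" | head -n 1)
  actual=$(sha256sum "$tgz" | cut -d' ' -f1)
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed demo: a fake archive and a matching digest line.
demo_dir=$(mktemp -d)
printf 'not a real chart\n' > "$demo_dir/demo-0.1.0.tgz"
printf 'files:\n  demo-0.1.0.tgz: sha256:%s\n' \
  "$(sha256sum "$demo_dir/demo-0.1.0.tgz" | cut -d' ' -f1)" > "$demo_dir/demo-0.1.0.tgz.prov"
prov_digest_matches "$demo_dir/demo-0.1.0.tgz.prov" "$demo_dir/demo-0.1.0.tgz" \
  && echo "digest in .prov matches the archive"
```

The digest check alone only proves the .prov and the .tgz were published together; the signature over the .prov is what ties them to a key you trust, which is why the real flow always goes through helm verify with a keyring that contains only the publishers you accept.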

gRPC API

The next step is very important: securing Tiller, which sits in the cluster and is, on the one hand, a server and, on the other hand, itself accesses other components and acts on someone else's behalf.

As I said above, Tiller is a service that exposes gRPC, and the Helm client reaches it over gRPC. By default, of course, TLS is disabled. Why this was done is debatable; it seems to me it was to simplify setup at the start.

For production and even for staging, I recommend enabling TLS on gRPC.

In my view, unlike mTLS for charts, this is appropriate here and is done very simply: generate the PKI, create a certificate, start Tiller and pass the certificate at initialization. After that you can run any Helm command, presenting the generated certificate and private key.


This way you protect yourself from all requests to Tiller that come from outside the cluster.

So we have secured the connection channel to Tiller, we have already discussed RBAC and adjusted the rights on the Kubernetes apiserver, and narrowed the domain it can interact with.
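The PKI and Tiller initialization just described, as an added example (not from the talk or from the Helm project). It builds a CA, a server certificate for Tiller and a client certificate with openssl, checks the chain, and shows the helm init and helm ls invocations that use them; all file paths and names are assumptions.

```shell
#!/bin/sh
# Added example, not the talk's own code: a small PKI for Tiller's gRPC
# endpoint and the helm commands that use it. One CA signs the Tiller
# server cert and the operator's client cert; all paths are assumptions.
set -eu

# Issue a cert for $2 with CN and DNS SAN $3, signed by the CA in $1.
# The SAN matters: recent Go TLS stacks (which Helm uses) ignore a bare CN.
issue_cert() {
  dir=$1; name=$2; cn=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$name.key.pem" -out "$dir/$name.csr.pem" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/$name.ext"
  openssl x509 -req -days 365 -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" \
    -CAcreateserial -extfile "$dir/$name.ext" \
    -in "$dir/$name.csr.pem" -out "$dir/$name.cert.pem" 2>/dev/null
}

# CA plus server pair (CN tiller-deploy, the in-cluster Service name) and
# one client pair per operator or CI identity.
make_tiller_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=helm-ca' \
    -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" 2>/dev/null
  issue_cert "$dir" tiller tiller-deploy
  issue_cert "$dir" helm helm-operator
}

# Sanity check: does $2's cert chain to the CA in $1?
cert_signed_by_ca() {
  openssl verify -CAfile "$1/ca.cert.pem" "$1/$2.cert.pem" >/dev/null 2>&1
}

# Install Tiller with TLS and client-certificate verification, then use it.
# Needs a cluster, so it is not run here.
install_tiller_tls() {
  dir=$1
  helm init --service-account tiller \
    --tiller-tls --tiller-tls-verify \
    --tiller-tls-cert "$dir/tiller.cert.pem" --tiller-tls-key "$dir/tiller.key.pem" \
    --tls-ca-cert "$dir/ca.cert.pem"
  # From now on Tiller refuses clients without a CA-signed cert, so every
  # helm call presents the client pair (or sets HELM_TLS_* variables, or
  # keeps ca.pem, cert.pem and key.pem under $(helm home)).
  helm ls --tls --tls-verify --tls-hostname tiller-deploy \
    --tls-ca-cert "$dir/ca.cert.pem" \
    --tls-cert "$dir/helm.cert.pem" --tls-key "$dir/helm.key.pem"
}

# Local demo: build the PKI in a temp dir and check the chain.
if command -v openssl >/dev/null 2>&1; then
  d=$(mktemp -d)
  make_tiller_pki "$d"
  cert_signed_by_ca "$d" tiller && echo "tiller cert chains to CA in $d"
fi
```

Keep ca.key.pem off the cluster and off developer machines; only ca.cert.pem is handed to Tiller (to verify clients) and to clients (to verify Tiller). Issuing one client pair per person or pipeline is what lets you revoke a single identity later by reissuing everything except that one.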

Securing Helm

Let us look at the final diagram. It is the same architecture with the same arrows.


All the links can now be drawn in green with confidence:

  • for the Chart Repo we use TLS or mTLS and basic auth;
  • mTLS for Tiller, which is exposed as a gRPC service with TLS; we use certificates;
  • the cluster uses a dedicated service account with a Role and a RoleBinding.

We have made the cluster significantly more secure, but someone clever once said:

"There can only be one secure system: a computer that is switched off, in a concrete box, guarded by soldiers."

There are different ways of manipulating data and finding new attack vectors. Nevertheless, I am confident that these recommendations meet a basic industry standard for security.

Bonus

This part is not directly related to security, but it will also be useful. I will show you some interesting things that few people know about. For example, how to search for charts, official and unofficial.

The github.com/helm/charts repository now holds about 300 charts and two streams: stable and incubator. Anyone who contributes knows very well how hard it is to get from incubator into stable, and how easy it is to fly out of stable. However, this is not the best tool for finding charts for Prometheus or anything else you want, for one simple reason: it is not a portal where you can search for packages conveniently.

But there is the hub.helm.sh service, which makes finding charts much easier. Most importantly, it covers many more external repositories, with almost 800 charts available. In addition, you can plug in your own repository if for some reason you do not want to submit your charts to stable.

Try hub.helm.sh and let us develop it together. The service is under the Helm project, and you can even contribute to its UI if you are a front-end developer and just want to improve the look.

I also want to draw your attention to the Open Service Broker API integration. It sounds cumbersome and unclear, but it solves problems everyone faces. Let me explain with a simple example.


There is a Kubernetes cluster in which we want to run the classic application, WordPress. Usually a database is required for it to work fully. There are many different solutions; for example, you can run your own stateful service. This is not very convenient, but many people do it.

Others, like us at Chainstack, use managed databases such as MySQL or PostgreSQL for their servers. That is why our databases are somewhere in the cloud.

But a problem arises: we have to connect our service to the database, create a database of the right flavour, pass the credentials and somehow manage them. All of this is usually done by hand by a system administrator or developer. There is no problem while there are few applications. When there are many, you need a combine harvester. There is such a harvester: the Service Broker. It lets you use a dedicated plugin for a public cloud cluster and order resources from the provider through the Broker, as if it were an API. You can use native Kubernetes tools for this.

It is very simple. You can request, for example, a Managed MySQL in Azure with the basic tier (this can be configured). Using the Azure API, the database will be created and prepared for use. You do not have to intervene; the plugin takes care of it. For example, OSBA (the Azure plugin) returns the credentials to the service and passes them to Helm. You can then use WordPress with a cloud MySQL, not deal with managed databases at all, and not worry about stateful services inside the cluster.

We can say that Helm acts as glue which, on the one hand, lets you deploy services and, on the other, consumes the resources of cloud providers.

You can write your own plugin and use this whole story on-premises. Then you simply have your own plugin for your corporate cloud provider. I recommend trying this approach, especially if you operate at scale and want to quickly deploy dev, staging, or the whole infrastructure for a feature. This will make life easier for your operations or DevOps people.

Another find I already mentioned is the helm-gcs plugin, which lets you use Google buckets (object storage) to store Helm charts.


You only need four commands to start using it:

  1. install the plugin;
  2. initialize it;
  3. set the bucket path in GCP;
  4. publish charts in the usual way.

The beauty is that the native GCP mechanism is used for authorization. You can use a service account, a developer account, whatever you like. It is very convenient and costs nothing to operate. If, like me, you promote the opsless philosophy, this will be very convenient, especially for small teams.

Alternatives

Helm is not the only service management solution. There are many questions about it, which is probably why the third version appeared so quickly. Of course there are alternatives.

These may be specialized solutions, for example Ksonnet or Metaparticle. You can use your familiar infrastructure management tools (Ansible, Terraform, Chef and so on) for the same purposes I have talked about.

Finally there is the Operator Framework, whose popularity is growing.

The Operator Framework is the main alternative to Helm worth thinking about.

It is more native to the CNCF and Kubernetes, but the entry barrier is much higher; you have to program more and describe manifests less.

There are various add-ons, such as Draft and Scaffold. They make life much easier; for example, they simplify the build-and-deploy cycle and open Helm up to developers who want to deploy a test environment. I would call them empowerers.

Here is a visual chart of where everything sits.


On the x-axis is the degree of your own control over what happens; on the y-axis is the degree of Kubernetes nativeness. Helm version 2 falls somewhere in the middle. In version 3, not hugely, but both control and nativeness improve. Solutions at the level of Ksonnet are still behind even Helm 2. Nevertheless, they are worth looking at to know what else exists in this world. Yes, your configuration manager will be fully under your control, but it is not native to Kubernetes.

The Operator Framework is absolutely native to Kubernetes and lets you manage it far more flexibly and intelligently (but remember the entry barrier). However, it suits a specialized application and the management logic built for it, rather than mass-producing packaging for a huge number of applications the way Helm does.

Empowerers simply improve control a little, complement the workflow, or cut corners in CI/CD pipelines.

The future of Helm

The good news is that Helm 3 is coming. The alpha version Helm 3.0.0-alpha.2 has already been released; you can try it. It is quite stable, but the functionality is still limited.

Why Helm 3? First of all, it is about the disappearance of Tiller as a component. This, as you already understand, is a huge step forward, because from the point of view of the architecture's security everything becomes simpler.

When Helm 2 was created, it was around the time of Kubernetes 1.8 or even earlier, and many concepts were immature. For example, the CRD concept is now being actively adopted, and Helm will use CRDs to store its structures. It becomes possible to use only the client and not keep a server-side component. Accordingly, native Kubernetes commands are used to work with structures and resources. This is a huge step forward.

Support for OCI (Open Container Initiative) repositories will appear. This is a big step, and Helm is mainly interested in it for publishing its charts. It is getting to the point that, for example, Docker Hub supports many OCI standards. I am not guessing, but perhaps the classic Docker registry providers will start giving you the ability to host your Helm charts.

A contentious issue for me is Lua support as a templating engine for writing scripts. I am not a big fan of Lua, but it will be a completely optional feature. I checked this three times: using Lua will not be mandatory. So those who want to will be able to use Lua, and those who like Go will join our big camp and use Go templates (go-tmpl) for this.

Finally, what I definitely missed is schema output and data type validation. There will be no more problems with int versus string, no need to wrap zero in double quotes. A JSON Schema will appear that lets you explicitly describe this for values.

The event-driven model will be extensively reworked. It has already been described conceptually. Look at the Helm 3 branch and you will see how many events, hooks and other things have been added, which will greatly simplify deployment processes and, on the other hand, increase control over them and over the reactions to them.

Helm 3 will be simpler, more secure and more convenient, not because we dislike Helm 2, but because Kubernetes is moving forward. Accordingly, Helm can build on the progress of Kubernetes and become the best manager for Kubernetes on top of it.

More good news: at DevOpsConf Alexander Khayorov will tell you whether containers can be secure. We remind you that the conference on integrating development, testing and operations processes will be held in Moscow on September 30 and October 1. You can still submit a talk until August 20 and tell us about your experience in solving one of the many DevOps challenges.

Follow the conference checkpoints and news in the mailing list and the Telegram channel.

Source: www.habr.com
