Translator's note: As YAML configurations for Kubernetes environments proliferate, the need to verify them automatically grows ever more pressing. The author of this review not only surveyed the existing solutions for the task but also used a Deployment as a worked example to see how each tool behaves. The result is very instructive for anyone interested in the topic.

TL;DR: This article compares six static tools for validating and analyzing Kubernetes YAML files against best practices and requirements.

Kubernetes workloads are usually defined as YAML documents. One of the problems with YAML is how hard it is to express constraints or relationships between manifest files.

What if we want to make sure that every image deployed to the cluster comes from a trusted registry?

How can I prevent Deployments that have no PodDisruptionBudget from being deployed to the cluster?

Integrating static checks lets you catch errors and policy violations at the development stage. This raises confidence that resource definitions are correct and secure, and makes it easier for production workloads to follow best practices.

The ecosystem of static Kubernetes YAML validation tools can be divided into the following categories:
- API validators. Tools in this category check YAML manifests against the requirements of the Kubernetes API server.
- Ready-made checkers. Tools in this category ship with pre-built checks for security, adherence to best practices, and so on.
- Custom validators. Tools in this category let you write your own checks in various languages, for example Rego and JavaScript.

In this article we will describe and compare six different tools:
- kubeval;
- kube-score;
- config-lint;
- copper;
- conftest;
- polaris.

Well, let's get started!

Checking Deployments

Before we start comparing the tools, let's set up a scenario to test them against.

The manifest below contains several errors and best-practice violations: how many of them can you spot?
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(base-valid.yaml)
We will use this YAML to compare the different tools.

The manifest above, base-valid.yaml, and the other manifests from this article can be found in the accompanying Git repository.

The manifest describes a web application whose sole job is to answer with the message "Hello World" on port 5678. It can be deployed with the following command:
kubectl apply -f base-valid.yaml
Then check that the service works:
kubectl port-forward svc/http-echo 8080:5678
Now request the forwarded local port 8080 from a browser or with curl; you should see the hello-world response.
1. Kubeval

The idea behind kubeval is that Kubernetes manifests can be validated against the Kubernetes API schema itself, the same schema the API server enforces, without talking to a cluster.

At the time the original article was written, version 0.15.0 was current.

Once installed, let's feed it the manifest above:
$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)
On success, kubeval exits with code 0. You can check it like this:
$ echo $?
0
Let's try kubeval with a different manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(kubeval-invalid.yaml)
Can you spot the problem by eye? Let's run it:
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# check the exit code
$ echo $?
1
The resource failed validation.

Deployments using API version apps/v1 must include a selector that matches the pod labels. The manifest above omits the selector, so kubeval reported the error and exited with a non-zero code.

What happens if you run kubectl apply -f with this manifest? Let's try:
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false
This is exactly the error kubeval warned about. You can fix it by adding the selector:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(base-valid.yaml)
The benefit of tools like kubeval is that errors like this are caught early in the deployment cycle.

Moreover, these checks don't need access to a cluster; they can run offline.

By default, kubeval checks resources against the latest Kubernetes API schema. In many cases, however, you will want to validate against a specific Kubernetes release. This is done with the --kubernetes-version flag:
$ kubeval --kubernetes-version 1.16.1 base-valid.yaml
Note that the version must be given in Major.Minor.Patch format.

For the list of schema versions available for validation, consult the schema repository that kubeval reads from (the location is configurable with --schema-location).

Besides individual YAML files, kubeval can also work with directories and stdin.

Kubeval also integrates easily into a CI pipeline. Those who want to run the checks before pushing manifests to a cluster will be glad to know that kubeval supports three output formats:
- plain text;
- JSON;
- Test Anything Protocol (TAP).
Any of these formats can be fed to further parsing to produce a summary of whatever kind you need.

One of kubeval's limitations is that it currently cannot validate Custom Resource Definitions (CRDs). It can, however, be told to skip resources for which it has no schema (the --ignore-missing-schemas flag).

Kubeval is a great tool for checking and validating resources; however, passing its checks does not guarantee that a resource follows best practices.

For example, using the latest tag for a container image is not a best practice, yet kubeval does not treat it as an error and does not report it: validation of such YAML finishes without a warning.

But what if you want to analyze YAML and catch violations such as the latest tag? How do you check a YAML file against best practices?

2. Kube-score

Kube-score analyzes YAML manifests and evaluates them against built-in checks drawn from security recommendations and best practices, such as:
- running the container as a non-root user;
- the presence of pod health checks;
- setting resource requests and limits.
Depending on the result of a check, one of three grades is assigned: OK, WARNING and CRITICAL.

You can try kube-score online or install it locally.

At the time the original article was written, the latest kube-score version was 1.7.0.

Let's try it on our base-valid.yaml manifest:
$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
    [CRITICAL] Container Image Tag
        · http-echo -> Image with latest tag
            Using a fixed tag is recommended to avoid accidental upgrades
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching network policy
            Create a NetworkPolicy that targets this pod
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It is also used during
            rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · http-echo -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Resources
        · http-echo -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · http-echo -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · http-echo -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without
            crashing. Set resources.requests.cpu
        · http-echo -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing.
            Set resources.requests.memory
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
            maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes unavailable.
The YAML passes kubeval's checks, while kube-score points out the following shortcomings:
- no readiness probes are configured;
- there are no CPU and memory requests or limits;
- no PodDisruptionBudget is defined;
- no anti-affinity rules to increase availability;
- no security context is set, so the container may run as root.
All of these are shortcomings that should be fixed for the Deployment to be reliable and resilient.

The kube-score command prints its findings in a human-readable form including every WARNING and CRITICAL violation, which is very handy during development.

Those who want to use the tool in a CI pipeline can enable a more compact output with the --output-format ci flag (in this mode checks with an OK result are shown too):
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
Like kubeval, kube-score returns a non-zero exit code when a check fails with CRITICAL. You can enable the same behavior for WARNING.

It is also possible to check resources for compliance with different API versions (as in kubeval). However, this information is hard-coded in kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a serious problem if you plan to upgrade your cluster or run several clusters with different K8s versions.

Note that there is already an open issue requesting this capability.

More information about kube-score is available in the project repository (github.com/zegl/kube-score).

Kube-score is a great tool for enforcing best practices, but what if you want to modify a check or add your own rules? Alas, this cannot be done.

Kube-score is not extensible: you cannot add policies to it or adjust the existing ones.

If you want to write custom checks for compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest, or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files and Kubernetes manifests.

It can be installed following the instructions in the project repository.

The current release at the time the original article was written was 1.5.0.

Config-lint has no built-in checks for validating Kubernetes manifests.

To run any checks, you have to create the corresponding rules. They are written in YAML files called "rulesets" and have the following structure:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  # list of rules
(rule.yaml)
Let's look closer:
- The type field specifies what kind of check config-lint will perform. For K8s manifests this is always Kubernetes.
- The files field lists the files to check; besides individual files, you can specify a directory.
- The rules field holds the user-defined checks.

Suppose you want to ensure that the images in a Deployment are always pulled from a trusted repository, such as my-company.com/myapp:1.0. A config-lint rule performing this check looks like this:
- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"
(rule-trusted-repo.yaml)
Each rule must have the following attributes:
- id - a unique identifier of the rule;
- severity - one of FAILURE, WARNING and NON_COMPLIANT;
- message - the text shown when the rule is violated;
- resource - the type of resource the rule applies to;
- assertions - a list of conditions that will be checked against this resource.

In the rule above, the every assertion checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (that is, ones whose reference starts with my-company.com/).

The complete ruleset looks like this:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"
(ruleset.yaml)
To try it out, let's save it as check_image_repo.yaml and run the check against base-valid.yaml:
$ config-lint -rules check_image_repo.yaml base-valid.yaml
[
  {
    "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
    "Category": "",
    "CreatedAt": "2020-06-04T01:29:25Z",
    "Filename": "test-data/base-valid.yaml",
    "LineNumber": 0,
    "ResourceID": "http-echo",
    "ResourceType": "Deployment",
    "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
    "RuleMessage": "Deployment must use a valid image repository",
    "Status": "FAILURE"
  }
]
The check failed. Now let's check the following manifest, whose image comes from the correct repository:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
(image-valid-mycompany.yaml)
We run the same check against the manifest above. No problems are found:
$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]
Config-lint is a promising framework that lets you create your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic and checks? Isn't YAML too limiting for that? What if you could write checks in a full programming language?

4. Copper

Copper is another framework for validating manifests with custom checks. Unlike config-lint, however, it does not use YAML to describe them: checks are written in JavaScript instead. Copper provides a library with a few basic utilities that help you read information about Kubernetes objects and report errors.

Installation steps for Copper are in the project documentation.

Version 2.0.1 was the latest release of the tool at the time the original article was written.

Like config-lint, Copper has no built-in checks. Let's write one. It will verify that Deployments use container images only from a trusted repository such as my-company.com.

Create a file check_image_repo.js with the following contents:
// $$ holds every document from the input file; DockerImage and errors are Copper built-ins.
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            var image = new DockerImage(container.image);
            // Fail unless the registry part of the reference is my-company.com/
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                errors.add_error('no_company_repo', "Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});
Now, to check our base-valid.yaml manifest, use the copper validate command:
$ copper validate --in=base-valid.yaml --validator=check_image_repo.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed
Clearly, Copper lets you perform more complex checks, for example checking domain names in Ingress manifests or rejecting pods that run in privileged mode.

Copper has several utility functions built in:
- DockerImage parses the image reference it is given and creates an object with the following properties: name - the image name; tag - the image tag; registry - the image registry; registry_url - the protocol (https://) and the image registry; fqin - the fully qualified image name.
- The findByName function finds a resource of the given type (kind) and name (name) in the input file.
- The findByLabels function finds a resource of the given type (kind) and labels (labels).

You can see all the available utility functions in the project documentation.

By default, Copper loads the entire input YAML file into the $$ variable and makes it available to your scripts (a technique familiar to jQuery users).

The main advantage of Copper is obvious: you don't need to learn a specialized language, and you get the full range of JavaScript features for your checks, such as string interpolation, functions and so on.

Note that the current version of Copper runs on an ES5 JavaScript engine, not ES6.

Details are in the project documentation.

However, if you don't like JavaScript and prefer a language designed for writing queries and describing policies, you should take a look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing and checking Kubernetes manifests. Checks are written in Rego, the dedicated query language of Open Policy Agent.

Conftest can be installed following the instructions in the project documentation.

At the time the original article was written, the latest available version was 0.18.2.

Like config-lint and copper, conftest ships without any built-in checks. Let's try it and write our own policy. As in the previous examples, we'll check whether container images are pulled from a trusted source.

Create a directory conftest-checks, and in it a file named check_image_registry.rego with the following contents:
package main

deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}
Now let's test base-valid.yaml with conftest:
$ conftest test --policy ./conftest-checks base-valid.yaml
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure
The test failed, as expected, because the image comes from an untrusted source.

In the Rego file we define a deny block. Whenever it evaluates to true, that is considered a policy violation. If there are several deny blocks, conftest evaluates them independently, and any one of them being true counts as a violation.

Besides the default output, conftest supports JSON, TAP and table formats, which is very useful if you need to feed reports into an existing CI pipeline. You select the format with the --output flag.

To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest evaluates the given policy files.

Conftest policies can be published and shared as artifacts in OCI (Open Container Initiative) registries.

The push and pull commands let you publish an artifact or fetch an existing one from a remote registry. Let's try publishing the policy we just created to a local Docker registry with conftest push.

Start your local Docker registry:
$ docker run -it --rm -p 5000:5000 registry
In another terminal, go to the conftest-checks directory you created earlier and run the following command:
$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
If the command succeeds, you will see a message like this:
2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c
Now create a temporary directory and run conftest pull in it. It will download the bundle created by the previous command:
$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
A policy subdirectory containing our policy file will appear in the temporary directory:
$ tree
.
└── policy
    └── check_image_registry.rego
Tests can be run directly from the registry:
$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure
Unfortunately, Docker Hub is not yet supported, so count yourself lucky if your registry accepts OCI artifacts.

The artifact format is the same as Open Policy Agent (OPA) bundles.

You can learn more about policy sharing and other conftest features in the conftest documentation.

6. Polaris

The last tool covered in this article is Polaris.

Polaris can be installed in a cluster or used in command-line mode. As you may have guessed, it lets you statically analyze Kubernetes manifests.

When run in command-line mode, built-in checks are available covering areas such as security and best practices (similar to kube-score). In addition, you can create your own checks (as in config-lint, copper and conftest).

In other words, Polaris combines the advantages of both categories of tools: it has built-in checks and custom ones.

To install Polaris in command-line mode, follow the project's installation instructions.

At the time the original article was written, version 1.0.3 was available.

Once installed, you can run polaris on the base-valid.yaml manifest with the following command:
$ polaris audit --audit-path base-valid.yaml
It prints a JSON document with a detailed description of the checks performed and their results. The output has the following structure:
{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}
The full output is too long to reproduce here.

Like kube-score, Polaris flags the places where the manifest does not meet best practices:
- no pod health checks;
- container image tags are not specified;
- the container runs as root;
- memory and CPU requests and limits are not specified.
Each check, depending on its result, is assigned a severity level: warning or danger. To learn more about the available built-in checks, see the Polaris documentation.

If you don't need the details, you can pass the --format score flag. Polaris then prints a number from 1 to 100, the score:
$ polaris audit --audit-path test-data/base-valid.yaml --format score
68
The closer the score is to 100, the higher the degree of compliance. If you check the exit code of the polaris audit command, it turns out to be 0.

To make polaris audit exit with a non-zero code, you can use two flags:
- --set-exit-code-below-score takes a threshold in the range 1-100 as its argument. The command then exits with code 4 if the score is below the threshold. This is handy when you have a fixed threshold (say 75) and need to be alerted when the score drops below it.
- --set-exit-code-on-danger makes the command fail with exit code 3 if any danger-level check fails.

Now let's try to create a custom check that verifies the image is pulled from a trusted repository. Custom checks are described in YAML, and the check itself is expressed as a JSON Schema.

The following YAML snippet describes a new check called checkImageRepo:
checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$
Let's take a closer look:
- successMessage - the text printed when the check passes;
- failureMessage - the message shown when it fails;
- category - one of the categories: Images, Health Checks, Security, Networking and Resources;
- target - selects the kind of object (spec) the check is applied to. Possible values: Container, Pod or Controller;
- the check itself is described in the schema object using JSON Schema. The key element here is the pattern, which matches the image source against the required one. Note that the dot in my-company.com is unescaped, so as written the pattern also accepts any single character in that position; escape it (my-company\.com) in a real policy.

To run the check above, you need to create the following Polaris configuration:
checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$
(polaris-conf.yaml)
Let's look at the file:
- The checks field lists the checks and their severity level. Since we want an alert whenever an image is pulled from an untrusted source, we set the level to danger.
- The check itself, checkImageRepo, is registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit against the YAML manifest to be checked.

Let's try it on our base-valid.yaml manifest:
$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml
The polaris audit command ran only the custom check defined above, and it failed.

If you change the image to my-company.com/http-echo:1.0, Polaris completes successfully. The manifest with this change is already in image-valid-mycompany.yaml.
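Every trusted-registry policy written above for config-lint, Copper, conftest and Polaris decides by string matching on the raw image reference (a starts-with on "my-company.com/", or the regex ^my-company.com/.+$ whose dot is unescaped). The script below is an added example, not part of the original article and not code from any of the six tools: it parses the image reference the way container runtimes do (default registry, implicit latest tag, tag versus port, digest) and then applies the same registry policy plus a pinning rule, so that docker.io defaults and look-alike registry names are caught. The names in TRUSTED_REGISTRIES and the BASE_VALID dict are assumptions constructed for the demo; the dict mirrors the page's http-echo Deployment already parsed from YAML.

```python
"""Trusted-registry and pinned-image check with a real image-reference parser."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_REGISTRY = "docker.io"
# Assumption: the organisation's internal registries (hypothetical names).
TRUSTED_REGISTRIES = {"my-company.com", "my-company.com:5000"}
# The pattern from the Polaris custom check above; note the unescaped '.'.
NAIVE_PATTERN = re.compile(r"^my-company.com/.+$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split an image reference using the docker/distribution rules: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the registry is docker.io and single-segment names
    live under 'library/'. A tag is the text after the last ':' that follows
    the last '/' (so a registry port is not mistaken for a tag); a digest is
    everything after '@'."""
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
    tag: Optional[str] = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def check_image(ref: str) -> List[str]:
    """Return the policy violations for one image reference (empty list = OK)."""
    img = parse_image(ref)
    problems = []
    if img.registry not in TRUSTED_REGISTRIES:
        problems.append(f"registry {img.registry!r} is not in the trusted set")
    # No digest and a missing or 'latest' tag means the image is mutable.
    if img.digest is None and img.tag in (None, "latest"):
        problems.append("image is not pinned (no digest, tag missing or 'latest')")
    return problems


def pod_spec(obj: Dict) -> Dict:
    """Locate the pod spec inside a Pod, CronJob or any template-bearing controller."""
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec["template"]["spec"]  # Deployment, StatefulSet, DaemonSet, Job


def check_manifest(obj: Dict) -> List[Tuple[str, str]]:
    """Apply check_image to every initContainer and container of one manifest."""
    spec = pod_spec(obj)
    findings = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        for problem in check_image(container["image"]):
            findings.append((container["name"], problem))
    return findings


# Constructed sample: the page's http-echo Deployment, reduced to the fields used here.
BASE_VALID = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "http-echo"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "http-echo", "image": "hashicorp/http-echo"}]}}},
}

if __name__ == "__main__":
    for name, problem in check_manifest(BASE_VALID):
        print(f"{name}: {problem}")
    # Look-alike registry: accepted by the unescaped regex, rejected by the parser.
    spoof = "my-companyxcom/http-echo:1.0"
    print(bool(NAIVE_PATTERN.match(spoof)), check_image(spoof))
```

Run against the page's Deployment it reports two findings for hashicorp/http-echo (the registry resolves to docker.io, and the missing tag means latest), and it shows that my-companyxcom/http-echo:1.0 satisfies the page's regex but is rejected once the reference is actually parsed. The same two corrections carry back into the tools: escape the dot in the Polaris pattern and the conftest/config-lint prefix, and add a second rule that rejects references with no tag, a latest tag, or no digest.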
Now the question arises: how do you run the built-in checks together with the custom ones? Easy! You only need to add the identifiers of the built-in checks to the configuration file. It then takes the following form:
checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other built-in checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo: # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$
(config_with_custom_check.yaml)
A complete example configuration file is available alongside the other files for this article.

To check base-valid.yaml with both the built-in and the custom checks, use the command:
$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml
Polaris complements its built-in checks with custom ones, thus combining the best of both worlds.

On the other hand, the inability to use more expressive languages such as Rego or JavaScript can be a limiting factor when complex checks are needed.

More information about Polaris is available in the project documentation.

Summary

Although there are many tools for validating and analyzing Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and run.

For example, if you take Kubernetes manifests passing through a pipeline, kubeval could be the first step in such a pipeline. It would check whether the object definitions conform to the Kubernetes API schema.

Once that check passes, one can move on to more elaborate checks, such as conformance with best practices and specific policies. This is where kube-score and Polaris come in handy.

For those with complex requirements who need to customize checks in detail, copper, config-lint and conftest are suitable.

Config-lint uses a YAML DSL and conftest uses Rego to define custom checks, while copper gives you access to a full programming language, which makes it an attractive choice.

On the other hand, is it worth taking one of these tools and writing every check by hand, or choosing Polaris and adding to it only what is missing? There is no clear-cut answer to this question.

The table below gives a brief description of each tool:
| Tool | Purpose | Limitations | Custom checks |
| --- | --- | --- | --- |
| kubeval | Validates YAML manifests against a specific version of the API schema | Cannot work with CRDs | no |
| kube-score | Analyzes YAML manifests against best practices | Cannot select the Kubernetes API version to check resources against | no |
| copper | General framework for writing custom JavaScript checks for YAML manifests | No built-in checks. Poor documentation | yes |
| config-lint | General framework for writing checks in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform) | No built-in checks. The built-in assertions and functions may be insufficient | yes |
| conftest | Framework for writing your own checks in Rego (a specialized query language). Allows sharing policies as OCI bundles | No built-in checks. Requires learning Rego. Docker Hub is not supported for publishing policies | yes |
| Polaris | Analyzes YAML manifests against common best practices. Allows writing your own checks using JSON Schema | Checks based on JSON Schema may be insufficient | yes |
Because these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you lint source files and give pull-request authors fast feedback.

P.S. from the translator

Also read on our blog:
- "Polaris introduced to keep Kubernetes clusters healthy";
- "Vim with YAML support for Kubernetes";
- "7 best practices for using containers according to Google".

Source: www.habr.com