Validating Kubernetes YAML against best practices and policies
Translator's note: with the ever-growing number of YAML configurations in K8s environments, the need to validate them automatically is becoming pressing. The author of this review not only picked out the existing solutions for the task, but also tried them on an example Deployment to see how they behave. It turned out to be very informative for anyone interested in the topic.
TL;DR: this article compares six static tools for validating and scoring Kubernetes YAML files against best practices and requirements.
Kubernetes workloads are usually defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between manifest files.
What if we need to make sure that every image deployed to the cluster comes from a trusted registry?
How can we stop Deployments that have no PodDisruptionBudget from being applied to the cluster?
Integrating static checks lets you catch errors and policy violations at the development stage. This raises the assurance that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.
The ecosystem of static tools for Kubernetes YAML files can be divided into the following categories:
API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
Ready-made testers. Tools in this category ship with prepared checks for security, best-practice compliance, and so on.
Custom validators. Tools in this category let you write your own checks in various languages, for example Rego and JavaScript.
In this article we will describe and compare six tools:
kubeval;
kube-score;
config-lint;
copper;
conftest;
polaris.
Well, let's begin!
Preliminary check
Before we start comparing the tools, let's create a baseline manifest to test them on.
The manifest below contains a number of errors and deviations from best practices: how many can you find?
We will use this YAML to compare the tools.
The manifest above, base-valid.yaml, and the other manifests used in this article are available in the Git repository.
The manifest describes a web application whose main job is to respond with the message "Hello World" on port 5678. It can be deployed with:
kubectl apply -f base-valid.yaml
And checked like this:
kubectl port-forward svc/http-echo 8080:5678
Now open http://localhost:8080 and confirm that the application works. But does it follow best practices? Let's check.
1. Kubeval
At the heart of kubeval is the idea that every interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# check the exit code
$ echo $?
1
The Deployment resource fails validation.
For a Deployment using API version apps/v1, a selector that matches the pod labels is required. The manifest above has no selector, so kubeval reported an error and exited with a non-zero code.
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false
This is exactly the error kubeval warned about. You can fix it by adding the selector:
The advantage of a tool like kubeval is that errors of this kind are caught early in the deployment cycle.
Moreover, the checks do not need access to a cluster; they can be run offline.
By default kubeval validates resources against the latest Kubernetes API schema. In most cases, however, you will want to validate against a specific Kubernetes release. This is done with the --kubernetes-version flag:
Note that the version must be specified as Major.Minor.Patch.
For the list of versions supported for validation, refer to the JSON schemas on GitHub that kubeval uses for validation. If you need to run kubeval offline, download the schemas and point to their location with the --schema-location flag.
Besides individual YAML files, kubeval can also work with directories and stdin.
Kubeval also integrates easily into CI pipelines. Those who want to test manifests before pushing them to the cluster will be pleased to know that kubeval supports three output formats:
plain text;
JSON;
Test Anything Protocol (TAP).
Any of these formats can be used to further parse the output and summarize the results in the desired form.
One drawback of kubeval is that it currently cannot check Custom Resource Definitions (CRDs). It is possible, however, to configure kubeval to ignore them.
Kubeval is a great tool for checking and validating resources; it must be stressed, though, that passing its check does not guarantee that a resource follows best practices.
For example, using the latest tag for a container image does not follow best practices. Kubeval, however, does not treat this as an error and does not report it. That is, validation of such a YAML finishes without warnings.
But what if you want to score the YAML and flag violations such as the latest tag? How do you check a YAML file against best practices?
2. Kube-score
Kube-score parses YAML manifests and scores them against built-in checks. These checks are chosen on the basis of security guidelines and best practices, such as:
running the container not as root;
the availability of pod health checks;
setting resource requests and limits.
Based on the results of the checks, one of three verdicts is given: OK, WARNING and CRITICAL.
You can try kube-score online or install it locally.
$ kube-score score base-valid.yaml
apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
    · http-echo -> Image with latest tag
        Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
    · The pod does not have a matching network policy
        Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
    · Container is missing a readinessProbe
        A readinessProbe should be used to indicate when the service is ready to receive traffic.
        Without it, the Pod is risking to receive traffic before it has booted. It is also used during
        rollouts, and can prevent downtime if a new version of the application is failing.
        More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
    · http-echo -> Container has no configured security context
        Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
    · http-echo -> CPU limit is not set
        Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
    · http-echo -> Memory limit is not set
        Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
    · http-echo -> CPU request is not set
        Resource requests are recommended to make sure that the application can start and run without
        crashing. Set resources.requests.cpu
    · http-echo -> Memory request is not set
        Resource requests are recommended to make sure that the application can start and run without crashing.
        Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
    · No matching PodDisruptionBudget was found
        It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
        maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
    · Deployment does not have a host podAntiAffinity set
        It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
        being scheduled on the same node. This increases availability in case the node becomes unavailable.
The YAML passes the kubeval checks, while kube-score points out the following shortcomings:
readiness checks are not configured;
there are no CPU and memory requests or limits;
no pod disruption budget is defined;
there are no spreading rules (anti-affinity) to increase availability;
the container runs as root.
All of these are valid points about real shortcomings that need to be fixed to make the Deployment efficient and reliable.
The kube-score command prints the information in a human-readable form including all WARNING and CRITICAL violations, which is very handy during development.
Those who want to use this tool within a CI pipeline can enable a more compact output with the --output-format ci flag (in this case checks with the OK result are shown as well):
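The following Python script is an added example, not part of the original article and not kube-score's own code. It reimplements the checks behind the CRITICAL and WARNING findings above over a constructed stand-in for base-valid.yaml (written as Python dicts, the same object tree the YAML loads into), and then over a hardened copy of the same Deployment with every finding addressed. The image tag 0.2.3, the probe path, the resource values, the PodDisruptionBudget and the NetworkPolicy are assumptions chosen for the example. The PodDisruptionBudget and NetworkPolicy checks show the cross-document matching such tools have to do: a policy only counts if its label selector actually matches the pod template, which is exactly the kind of relationship between files that plain YAML cannot express.

```python
import copy
from typing import Any

# Constructed stand-in for the article's base-valid.yaml: a Deployment with no
# image tag, no probes, no resources and no securityContext, plus its Service.
WEAK: list[dict[str, Any]] = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "http-echo"},
     "spec": {"replicas": 2,
              "selector": {"matchLabels": {"app": "http-echo"}},
              "template": {
                  "metadata": {"labels": {"app": "http-echo"}},
                  "spec": {"containers": [
                      {"name": "http-echo",
                       "image": "hashicorp/http-echo",  # no tag: resolves to :latest
                       "args": ["-text", "hello world"],
                       "ports": [{"containerPort": 5678}]}]}}}},
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "http-echo"},
     "spec": {"selector": {"app": "http-echo"},
              "ports": [{"port": 5678, "targetPort": 5678}]}},
]

# Hardened copy of the same Deployment with each finding fixed (values assumed).
_dep = copy.deepcopy(WEAK[0])
_pod = _dep["spec"]["template"]["spec"]
_pod["affinity"] = {"podAntiAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": [
    {"topologyKey": "kubernetes.io/hostname",
     "labelSelector": {"matchLabels": {"app": "http-echo"}}}]}}
_c = _pod["containers"][0]
_c["image"] = "hashicorp/http-echo:0.2.3"  # assumed tag; a digest pin is stronger still
_c["readinessProbe"] = {"httpGet": {"path": "/", "port": 5678}}
_c["resources"] = {"requests": {"cpu": "50m", "memory": "32Mi"},
                   "limits": {"cpu": "100m", "memory": "64Mi"}}
_c["securityContext"] = {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                         "allowPrivilegeEscalation": False}
HARDENED: list[dict[str, Any]] = [
    _dep, WEAK[1],
    {"apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
     "metadata": {"name": "http-echo"},
     "spec": {"minAvailable": 1, "selector": {"matchLabels": {"app": "http-echo"}}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "http-echo"},
     "spec": {"podSelector": {"matchLabels": {"app": "http-echo"}},
              "policyTypes": ["Ingress"], "ingress": [{"ports": [{"port": 5678}]}]}},
]


def selector_matches(match_labels: dict[str, str], labels: dict[str, str]) -> bool:
    """matchLabels semantics: every selector pair must be present on the pod;
    an empty selector matches every pod (a NetworkPolicy with podSelector: {})."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def is_pinned(image: str) -> bool:
    """True if the reference has a digest or a tag other than 'latest'. Only the
    last path segment is inspected, so a registry port (host:5000/app) is not
    mistaken for a tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    return ":" in last and last.split(":", 1)[1] != "latest"


def score(docs: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for every Deployment in docs.
    All documents are assumed to live in the same namespace."""
    findings: list[tuple[str, str]] = []
    pdbs = [d for d in docs if d["kind"] == "PodDisruptionBudget"]
    netpols = [d for d in docs if d["kind"] == "NetworkPolicy"]
    for d in docs:
        if d["kind"] != "Deployment":
            continue
        name = d["metadata"]["name"]
        tmpl = d["spec"]["template"]
        labels = tmpl["metadata"].get("labels", {})
        pod = tmpl["spec"]
        for c in pod["containers"]:
            who = f"{name}/{c['name']}"
            if not is_pinned(c["image"]):
                findings.append(("CRITICAL", f"{who}: image with latest tag"))
            if "readinessProbe" not in c:
                findings.append(("CRITICAL", f"{who}: container is missing a readinessProbe"))
            res = c.get("resources", {})
            for kind in ("requests", "limits"):
                for r in ("cpu", "memory"):
                    if r not in res.get(kind, {}):
                        findings.append(("CRITICAL", f"{who}: resources.{kind}.{r} is not set"))
            sc = c.get("securityContext", {})
            if not (sc.get("runAsNonRoot") is True and sc.get("readOnlyRootFilesystem") is True):
                findings.append(("CRITICAL", f"{who}: securityContext lacks runAsNonRoot/readOnlyRootFilesystem"))
        # Cross-document checks: a PDB/NetworkPolicy only counts if its selector matches this pod.
        if not any(selector_matches(p["spec"]["selector"].get("matchLabels", {}), labels) for p in pdbs):
            findings.append(("CRITICAL", f"{name}: no matching PodDisruptionBudget"))
        if not any(selector_matches(n["spec"].get("podSelector", {}).get("matchLabels", {}), labels)
                   for n in netpols):
            findings.append(("CRITICAL", f"{name}: no matching NetworkPolicy"))
        if "podAntiAffinity" not in pod.get("affinity", {}):
            findings.append(("WARNING", f"{name}: no host podAntiAffinity"))
    return findings


def exit_code(findings: list[tuple[str, str]]) -> int:
    """Non-zero only on CRITICAL findings, mirroring kube-score's default."""
    return 1 if any(sev == "CRITICAL" for sev, _ in findings) else 0


if __name__ == "__main__":
    for label, docs in (("weak", WEAK), ("hardened", HARDENED)):
        found = score(docs)
        print(f"{label}: exit code {exit_code(found)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Run it and the weak manifest produces nine CRITICAL findings and one WARNING (the same set kube-score printed above) with exit code 1, while the hardened set produces none and exits 0. The securityContext check is deliberately a subset of what kube-score inspects; extend it with the fields your own policy cares about.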
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
Like kubeval, kube-score returns a non-zero exit code when a check with the CRITICAL verdict fails. You can enable similar handling for WARNING as well.
It is also possible to check resources for compliance with different API versions (as with kubeval). However, this information is hard-coded in kube-score itself: you cannot pick a different Kubernetes version. This limitation can be a big problem if you plan to upgrade your cluster or if you have several clusters running different K8s versions.
More information about kube-score is available on the official website.
The kube-score checks are a great tool for enforcing best practices, but what if you need to change a check or add your own rules? Alas, this cannot be done.
Kube-score is not extensible: you can neither add policies nor adjust them.
If you need to write custom checks to verify compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest or polaris.
3. Config-lint
Config-lint has no built-in checks for validating Kubernetes manifests.
To perform any check, you must create suitable rules. They are written in YAML files called "rulesets" and have the following format:
The type field defines the type of configuration config-lint will work with. For K8s manifests this is always Kubernetes.
In the files field, besides individual files, you can also specify a directory.
The rules field is for defining user checks.
Let's say you want to make sure that the images in a Deployment are always pulled from a trusted registry, such as my-company.com/myapp:1.0. The config-lint rule that performs such a check looks like this:
- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"
(rule-trusted-repo.yaml)
Every rule must have the following attributes:
id - a unique identifier of the rule;
severity - may be FAILURE, WARNING or NON_FAILURE;
message - if the rule is violated, the contents of this line are displayed;
resource - the type of resource the rule applies to;
assertions - the list of conditions that will be evaluated for this resource.
In the rule above, the assertion called every checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (i.e. ones starting with my-company.com/).
Config-lint is a promising framework that lets you build your own checks to validate Kubernetes YAML manifests using a YAML DSL.
But what if you need more complex logic and checks? Isn't YAML too limited for that? What if you could write checks in a full programming language?
4. Copper
Copper V2 is a framework for validating manifests with custom checks (similar to config-lint).
It differs from the latter in that it does not use YAML to describe the checks. Checks are written in JavaScript. Copper provides a library with a few basic tools that help you read information about Kubernetes objects and report errors.
Installation steps for Copper can be found in the official documentation.
Like config-lint, Copper has no built-in checks. Let's write one. It will verify that deployments use container images only from trusted locations such as my-company.com.
Create a file check_image_repo.js with the following contents:
// $$ is the list of objects loaded from the input manifest
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            // DockerImage is Copper's helper for splitting an image reference
            var image = new DockerImage(container.image);
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                // check id, message, severity
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});
Now, to check our manifest base-valid.yaml, use the copper validate command:
$ copper validate --in=base-valid.yaml --validator=check_image_repo.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed
Clearly, with copper you can build far more complex checks, for example verifying domain names in Ingress manifests or rejecting pods that run in privileged mode.
Copper has several utility functions built in:
DockerImage parses the given image reference and creates an object with the following properties:
5. Conftest
At the time the original article was written, the latest available version was 0.18.2.
Like config-lint and copper, conftest comes with no built-in checks. Let's try writing our own policy. As in the previous examples, we will check whether container images are pulled from a trusted source.
Create a directory conftest-checks containing a file named check_image_registry.rego with the following contents:
package main

deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}
Now let's test base-valid.yaml with conftest:
$ conftest test --policy ./conftest-checks base-valid.yaml
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure
The check failed, as expected, because the image comes from an untrusted source.
In the Rego file we define a deny block. Its truth is treated as a violation. If there are several deny blocks, conftest evaluates them independently of one another, and the truth of any one of them is treated as a violation.
Besides the default output, conftest supports the JSON, TAP and table formats, which is very useful if you need to attach the reports to an existing CI pipeline. You set the desired format with the --output flag.
To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest parses the specified policy files.
Conftest policies can be published and shared as artifacts via OCI (Open Container Initiative) registries.
The push and pull commands let you publish an artifact to, or fetch an existing artifact from, a remote registry. Let's try publishing the policy we created to a local Docker registry using conftest push.
Start a local Docker registry:
$ docker run -it --rm -p 5000:5000 registry
In another terminal, go to the conftest-checks directory you created earlier and run the following command:
6. Polaris
The last tool covered in this article is Polaris. (We already translated its announcement last year - translator's note.)
Polaris can be installed into a cluster or used in command-line mode. As you may have guessed, it lets you statically analyze Kubernetes manifests.
Like kube-score, Polaris flags places where a manifest does not meet best practices:
there are no health checks for the pods;
container image tags are not specified;
the container runs as root;
memory and CPU requests and limits are not set.
Depending on its result, each check is assigned a severity level: warning or danger. To learn more about the built-in checks, refer to the documentation.
If you don't need the details, you can pass the --format score flag. In this case Polaris prints a number from 1 to 100, the score:
The closer the score is to 100, the higher the degree of compliance. If you check the exit code of the polaris audit command, you will find that it equals 0.
You can make polaris audit exit with a non-zero code using two flags:
The --set-exit-code-below-score flag takes as an argument a threshold value between 1 and 100. In this case the command exits with code 4 if the score is below the threshold. This is very useful when you have a fixed threshold (say 75) and want to be alerted if the score drops below it.
Now let's try to create a custom check that verifies whether the image is pulled from a trusted registry. Custom checks are defined in YAML, and the check itself is described with JSON Schema.
The following YAML snippet defines a new check called checkImageRepo:
checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company\.com/.+$
Let's take a closer look:
successMessage - this line is printed if the check completes successfully;
failureMessage - this message is shown in case of failure;
category - indicates one of the categories: Images, Health Checks, Security, Networking and Resources;
target - determines which type of object (spec) the check applies to. Possible values: Container, Pod or Controller;
The check itself is defined in the schema object using JSON Schema. The key word in this check is pattern, which is used to compare the image source with the required one. Note that pattern is a regular expression, so the dot in the registry name must be escaped (my-company\.com): an unescaped dot matches any character and makes the check looser than intended.
To run the check above, you need to create the following Polaris configuration:
The checks field lists the checks and their severity level. Since pulling an image from an untrusted source deserves a hard failure rather than a warning, we set the level to danger here.
The checkImageRepo check itself is then registered in the customChecks object.
Save the file as custom_check.yaml. Now you can run polaris audit with the YAML manifest that needs checking.
The polaris audit command ran only the custom check described above, and it failed.
If you correct the image to my-company.com/http-echo:1.0, Polaris completes successfully. A manifest with the changes is already in the repository, so you can check the previous command against the manifest image-valid-mycompany.yaml.
Now the question arises: how do you run the built-in checks together with the custom ones? Easy! You just need to add the identifiers of the built-in checks to the configuration file. As a result it takes the following form:
Polaris complements the built-in checks with custom ones, combining the best of both worlds.
On the other hand, the inability to use more powerful languages such as Rego or JavaScript can be a limiting factor that prevents building more sophisticated checks.
More information about Polaris is available on the project website.
Summary
Although there are many tools available for validating and scoring Kubernetes YAML files, it is important to understand clearly how the checks will be designed and run.
For example, if you take Kubernetes manifests passing through a pipeline, kubeval could be the first step of such a pipeline. It will check that object definitions conform to the Kubernetes API schema.
Once such a review is complete, one can move on to more sophisticated checks, such as compliance with standard best practices and custom policies. This is where kube-score and Polaris come in handy.
For those with strict requirements who need to configure the checks in detail, copper, config-lint and conftest would be suitable.
Config-lint uses YAML and conftest uses Rego to define custom checks, while copper gives you access to a full programming language, which makes it an attractive choice.
On the other hand, is it worth using one of these tools and thus writing all the checks by hand, or is it preferable to take Polaris and add only what is needed? There is no clear answer to this question.
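All four custom-policy examples in this article (the config-lint rule, the copper script, the conftest policy and the Polaris check) reduce the trust decision to "does the image string start with my-company.com/". The script below is an added example, not code from the article or from any of those tools, showing what a more careful version of that policy looks like in Python: it parses the reference the way container runtimes do (default registry docker.io, implicit library/ namespace for official Docker Hub images, registry port, tag, digest), checks the registry host against an allow-list, and also refuses images that are not pinned, which a bare prefix check never sees. The allow-list contents and the sample references are assumptions for the example. It also contrasts the result with a regex written with an unescaped dot, as in a JSON Schema pattern of the form ^my-company.com/.+$.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list: registry hosts (with optional port) images may come from.
TRUSTED_REGISTRIES = {"my-company.com", "my-company.com:5000"}

# A prefix regex with an unescaped dot: '.' matches any character, so the
# host check is looser than it looks.
NAIVE_PATTERN = re.compile(r"^my-company.com/.+$")


@dataclass(frozen=True)
class ImageRef:
    registry: str      # host[:port]; 'docker.io' when none is given
    repository: str    # path, with 'library/' added for official Docker Hub images
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split an image reference the way Docker/containerd do:
    [registry[:port]/]repository[:tag][@digest]."""
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, sep, rest = ref.partition("/")
    # The first component is a registry only if it looks like a host
    # (contains a dot or a port, or is 'localhost'); otherwise it is Docker Hub.
    if sep and ("." in head or ":" in head or head == "localhost"):
        registry, path = head, rest
    else:
        registry, path = "docker.io", ref
    tag: Optional[str] = None
    last = path.rsplit("/", 1)[-1]
    if ":" in last:  # only the last path segment may carry a tag
        base, tag = last.split(":", 1)
        path = path[: len(path) - len(last)] + base
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def check_image(ref: str) -> list[str]:
    """Policy: trusted registry host AND pinned (a digest, or a tag other than
    'latest'). Returns the list of violations; an empty list means the image passes."""
    img = parse_image(ref)
    problems: list[str] = []
    if img.registry not in TRUSTED_REGISTRIES:
        problems.append(f"registry '{img.registry}' is not trusted")
    if img.digest is None and img.tag in (None, "latest"):
        problems.append("image is not pinned (no digest, tag missing or 'latest')")
    return problems


def naive_allows(ref: str) -> bool:
    """The prefix-only rule that the article's policies implement."""
    return NAIVE_PATTERN.match(ref) is not None


if __name__ == "__main__":
    for ref in ("hashicorp/http-echo",            # Docker Hub, no tag
                "my-company.com/myapp:1.0",        # trusted and pinned
                "my-company.com/myapp",            # trusted host, floating latest
                "my-company.com:5000/myapp:1.0",   # trusted host with a port
                "my-companyXcom/myapp:1.0"):       # slips past the unescaped regex
        print(f"{ref:34} naive={naive_allows(ref)!s:5} problems={check_image(ref)}")
```

Two of the sample references are instructive: my-company.com/myapp satisfies every prefix rule in the article yet pulls a floating latest tag, and my-companyXcom/myapp:1.0 matches the unescaped regex while the parser correctly resolves it to Docker Hub. In Rego the same policy is a second deny rule on the tag and digest alongside the startswith check; whichever tool you use, decide explicitly whether "trusted registry" also means "pinned".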
Tool        | Description                                                                                                                                 | Drawbacks                                                                                      | Extensible?
kubeval     | Validates YAML against a specific version of the API schema                                                                                 | Cannot work with CRDs                                                                          | No
kube-score  | Analyzes YAML against best practices                                                                                                        | Cannot choose the Kubernetes API version to check resources against                            | No
copper      | General framework for creating custom JavaScript checks for YAML                                                                            | No built-in checks; poor documentation                                                         | Yes
config-lint | General framework for creating checks in a domain-specific language embedded in YAML; supports different configuration formats (e.g. Terraform) | No built-in checks; the built-in assertions and functions may not be enough                    | Yes
conftest    | Framework for creating your own checks using Rego (a specialized query language); allows sharing policies via OCI bundles                    | No built-in checks; Rego must be learned; Docker Hub is not supported when publishing policies | Yes
polaris     | Checks YAML against standard best practices; lets you create your own checks using JSON Schema                                              | The JSON Schema-based check capabilities may not be enough                                     | Yes
Since these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you screen source files and give quick feedback to the authors of pull requests in your projects.