Validating Kubernetes YAML against best practices and policies

Translator's note: With the ever-growing number of YAML configurations in K8s environments, the need to validate them automatically is becoming pressing. The author of this review not only selected the existing solutions for this task, but also used an example Deployment to see how they work. It turned out to be very informative for anyone interested in the topic.


TL;DR: This article compares six static tools for validating and evaluating Kubernetes YAML files against best practices and requirements.

Kubernetes workloads are usually defined as YAML documents. One of the problems with YAML is that it is hard to express constraints on, or relationships between, manifest files.

What if you need to ensure that every image deployed to the cluster comes from a trusted registry?

How can you prevent Deployments that have no PodDisruptionBudget from being deployed to the cluster?

Integrating static checks lets you find errors and policy violations already at the development stage. This increases the guarantee that resource definitions are correct and secure, and makes it much more likely that production workloads will follow best practices.

The ecosystem of static tools for Kubernetes YAML files can be divided into the following categories:

  • API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
  • Ready-made testers. Tools in this category ship with ready-made tests for security, conformance to best practices, and so on.
  • Custom validators. Tools in this category let you write your own tests in various languages, for example Rego and JavaScript.

In this article I will describe and compare six different tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. polaris

Well, let's begin!

Checking the input

Before we start comparing the tools, let's create a baseline to test them on.

The manifest below contains a number of errors and deviations from best practices: how many of them can you find?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the different tools.

The manifest above, base-valid.yaml, and the other manifests in this article are available in the Git repository.

The manifest describes a web application whose main job is to respond with the message "Hello World" on port 5678. It can be deployed with the following command:

kubectl apply -f base-valid.yaml

And then check that it works:

kubectl port-forward svc/http-echo 8080:5678

Now open http://localhost:8080 and confirm that the application is running. But does it follow best practices? Let's check.

1. Kubeval

The core idea of kubeval is that every interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are available on the project website.

At the time the original article was written, version 0.15.0 was available.

Once installed, let's feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

On success, kubeval exits with exit code 0. You can verify this as follows:

$ echo $?
0

Now let's try kubeval with another manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the exit code
$ echo $?
1

The resource did not pass validation.

A Deployment that uses the API version apps/v1 must include a selector matching the pod labels. The manifest above does not include the selector, so kubeval reported an error and exited with a non-zero code.

I wonder what happens if I run kubectl apply -f with this manifest?

Well, let's try:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding the selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of tools like kubeval is that errors of this kind can be caught early in the deployment cycle.

In addition, the checks do not require access to a cluster; they can be performed offline.
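To make the difference between "schema-valid" and "runs at all" concrete, here is an added example (not kubeval's code) that reproduces the "selector is required" finding offline. It hand-writes a reduced, constructed schema subset (only type, properties, required and items) for the apps/v1 Deployment and v1 Service fields the article touches; real kubeval loads the full Kubernetes JSON schemas. The manifest documents are embedded as the dictionaries a YAML parser would produce.

```python
"""Tiny kubeval-style schema check (added example, not kubeval's code).
The schemas below are a constructed subset for this demonstration."""

# Constructed, reduced schemas keyed by (apiVersion, kind).
SCHEMAS = {
    ("apps/v1", "Deployment"): {
        "type": "object",
        "required": ["apiVersion", "kind", "metadata", "spec"],
        "properties": {
            "metadata": {"type": "object", "required": ["name"]},
            "spec": {
                "type": "object",
                "required": ["selector", "template"],  # apps/v1 made selector mandatory
                "properties": {
                    "replicas": {"type": "integer"},
                    "selector": {"type": "object", "required": ["matchLabels"]},
                    "template": {
                        "type": "object",
                        "required": ["spec"],
                        "properties": {
                            "spec": {
                                "type": "object",
                                "required": ["containers"],
                                "properties": {
                                    "containers": {
                                        "type": "array",
                                        "items": {"type": "object",
                                                  "required": ["name", "image"]},
                                    }
                                },
                            }
                        },
                    },
                },
            },
        },
    },
    ("v1", "Service"): {
        "type": "object",
        "required": ["apiVersion", "kind", "metadata", "spec"],
        "properties": {
            "spec": {
                "type": "object",
                "required": ["ports"],
                "properties": {"ports": {"type": "array",
                                         "items": {"type": "object", "required": ["port"]}}},
            }
        },
    },
}

PYTHON_TYPES = {"object": dict, "array": list, "integer": int, "string": str}


def _join(path, key):
    return ".".join(p for p in (path, key) if p)


def _validate(value, schema, path, errors):
    expected = PYTHON_TYPES[schema["type"]]
    # bool is a subclass of int in Python; a YAML 'true' must not pass as an integer
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        errors.append(f"{path or '<root>'}: expected {schema['type']}")
        return
    if expected is dict:
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{_join(path, key)}: {key} is required")
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                _validate(value[key], sub, _join(path, key), errors)
    elif expected is list and "items" in schema:
        for i, item in enumerate(value):
            _validate(item, schema["items"], f"{path}[{i}]", errors)


def validate_document(doc):
    """Return the list of schema errors for one parsed manifest document."""
    key = (doc.get("apiVersion"), doc.get("kind"))
    if key not in SCHEMAS:
        return [f"no schema for apiVersion={key[0]} kind={key[1]}"]
    errors = []
    _validate(doc, SCHEMAS[key], "", errors)
    return errors


def validate_manifest(docs):
    """kubeval-style PASS/WARN line per document, plus exit code 1 if anything failed."""
    report = []
    for doc in docs:
        errors = validate_document(doc)
        name = doc.get("metadata", {}).get("name", "?")
        line = f"{'WARN' if errors else 'PASS'} - {doc.get('kind')} ({name})"
        report.append(line + (" - " + "; ".join(errors) if errors else ""))
    return report, int(any(r.startswith("WARN") for r in report))


# Constructed input: the kubeval-invalid.yaml Deployment (no spec.selector) and the Service.
INVALID_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
    "spec": {"replicas": 2,
             "template": {"metadata": {"labels": {"app": "http-echo"}},
                          "spec": {"containers": [{"name": "http-echo",
                                                   "image": "hashicorp/http-echo",
                                                   "ports": [{"containerPort": 5678}]}]}}},
}
SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "http-echo"},
           "spec": {"ports": [{"port": 5678, "protocol": "TCP", "targetPort": 5678}],
                    "selector": {"app": "http-echo"}}}

if __name__ == "__main__":
    lines, code = validate_manifest([INVALID_DEPLOYMENT, SERVICE])
    print("\n".join(lines))
    raise SystemExit(code)
```

Run stand-alone, it prints the WARN line for the Deployment and the PASS line for the Service and exits with code 1, mirroring the kubeval session above; adding spec.selector back turns the exit code into 0.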

By default, kubeval validates resources against the latest Kubernetes API schema. In most cases, however, you will want to validate against a specific Kubernetes release. This is done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be given in Major.Minor.Patch form.

For the list of versions supported for validation, refer to the JSON schemas on GitHub that kubeval uses. If you need to run kubeval offline, download the schemas and point to their location with the --schema-location flag.

Besides individual YAML files, kubeval can also work with directories and stdin.

Moreover, kubeval integrates easily into CI pipelines. Those who want to test manifests before submitting them to the cluster will be glad to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be used for further parsing of the output to produce a summary of the results in the desired form.

One of kubeval's drawbacks is that it currently cannot check conformance to Custom Resource Definitions (CRDs). It is, however, possible to configure kubeval to ignore them.

Kubeval is a great tool for checking and evaluating resources; it must be stressed, though, that passing its checks does not guarantee that a resource conforms to best practices.

For example, using the latest tag for a container image is not a best practice. Yet kubeval does not consider this an error and does not report it. That is, validation of such a YAML will complete without warnings.

But what if you want to evaluate the YAML and flag violations such as the latest tag? How do you check a YAML file against best practices?

2. Kube-score

Kube-score analyzes YAML manifests and evaluates them against built-in tests. These tests are selected on the basis of security guidelines and best practices, such as:

  • Running the container not as root.
  • Availability of pod health checks.
  • Setting resource requests and limits.

Based on the results of the checks, one of three outcomes is reported: OK, WARNING and CRITICAL.

You can try kube-score online or install it locally.

At the time the original article was written, the latest version of kube-score was 1.7.0.

Let's try it on our base-valid.yaml manifest:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passes kubeval's checks, while kube-score points out the following flaws:

  • Readiness probes are not configured.
  • There are no requests or limits for CPU and memory.
  • The pod disruption budget is not defined.
  • There are no spreading (anti-affinity) rules to improve availability.
  • The container runs as root.

All of these are valid points about real problems that need to be addressed to make the Deployment efficient and reliable.
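The following is an added example, not kube-score's code, of what such best-practice checks look like when implemented over parsed manifests. It covers the resource, probe, security-context, PodDisruptionBudget, NetworkPolicy and anti-affinity findings from the run above (the image tag check is left to a separate image-reference parser), reuses kube-score's CRITICAL/WARNING severities, and shows how the exit code can be made to fail on WARNING as well. The base-valid.yaml Deployment is embedded as the dictionary a YAML parser would produce; the hardened variant is a constructed example.

```python
"""kube-score-style best-practice checks (added example, not kube-score's code)."""

import copy

CRITICAL, WARNING = "CRITICAL", "WARNING"

# Constructed input: base-valid.yaml's Deployment after YAML parsing.
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
    "spec": {
        "replicas": 2, "selector": {"matchLabels": {"app": "http-echo"}},
        "template": {
            "metadata": {"labels": {"app": "http-echo"}},
            "spec": {"containers": [{"name": "http-echo", "image": "hashicorp/http-echo",
                                     "args": ["-text", "hello-world"],
                                     "ports": [{"containerPort": 5678}]}]},
        },
    },
}


def _selects(doc, pod_labels):
    """True if a PDB/NetworkPolicy label selector matches the pod template labels."""
    spec = doc.get("spec", {})
    selector = spec.get("podSelector", spec.get("selector"))  # NetworkPolicy vs PDB field name
    if selector is None:
        return False
    return all(pod_labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def score_deployment(deployment, others=()):
    """Return (severity, message) findings; `others` are the remaining documents
    of the same manifest set (PodDisruptionBudgets, NetworkPolicies, ...)."""
    findings = []
    pod = deployment["spec"]["template"]
    pod_labels = pod.get("metadata", {}).get("labels", {})
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        for bucket in ("limits", "requests"):
            for r in ("cpu", "memory"):
                if r not in res.get(bucket, {}):
                    findings.append((CRITICAL, f"{c['name']}: {r} {bucket[:-1]} is not set"))
        if "readinessProbe" not in c:
            findings.append((CRITICAL, f"{c['name']}: container is missing a readinessProbe"))
        sc = c.get("securityContext", {})
        if sc.get("runAsNonRoot") is not True or sc.get("readOnlyRootFilesystem") is not True:
            findings.append((CRITICAL, f"{c['name']}: securityContext should set "
                                       "runAsNonRoot and readOnlyRootFilesystem"))
    for kind in ("PodDisruptionBudget", "NetworkPolicy"):
        if not any(d.get("kind") == kind and _selects(d, pod_labels) for d in others):
            findings.append((CRITICAL, f"no matching {kind}"))
    if "podAntiAffinity" not in pod["spec"].get("affinity", {}):
        findings.append((WARNING, "deployment does not have a podAntiAffinity set"))
    return findings


def exit_code(findings, fail_on_warning=False):
    """1 on any CRITICAL finding (or WARNING too, when requested), else 0."""
    failing = {CRITICAL, WARNING} if fail_on_warning else {CRITICAL}
    return int(any(sev in failing for sev, _ in findings))


def hardened_set():
    """Constructed example: the same Deployment with every finding addressed,
    plus the PDB and NetworkPolicy that the checks look for."""
    dep = copy.deepcopy(BASE_DEPLOYMENT)
    c = dep["spec"]["template"]["spec"]["containers"][0]
    c["resources"] = {"requests": {"cpu": "50m", "memory": "32Mi"},
                      "limits": {"cpu": "100m", "memory": "64Mi"}}
    c["readinessProbe"] = {"httpGet": {"path": "/", "port": 5678}}
    c["securityContext"] = {"runAsNonRoot": True, "readOnlyRootFilesystem": True}
    dep["spec"]["template"]["spec"]["affinity"] = {"podAntiAffinity": {
        "requiredDuringSchedulingIgnoredDuringExecution": [
            {"labelSelector": {"matchLabels": {"app": "http-echo"}},
             "topologyKey": "kubernetes.io/hostname"}]}}
    pdb = {"apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
           "metadata": {"name": "http-echo"},
           "spec": {"minAvailable": 1, "selector": {"matchLabels": {"app": "http-echo"}}}}
    netpol = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
              "metadata": {"name": "http-echo"},
              "spec": {"podSelector": {"matchLabels": {"app": "http-echo"}},
                       "policyTypes": ["Ingress"], "ingress": [{"ports": [{"port": 5678}]}]}}
    return dep, [pdb, netpol]


if __name__ == "__main__":
    for sev, msg in score_deployment(BASE_DEPLOYMENT):
        print(f"[{sev}] {msg}")
    dep, others = hardened_set()
    print("hardened:", score_deployment(dep, others), "exit", exit_code(score_deployment(dep, others)))
```

Note that the PodDisruptionBudget and NetworkPolicy checks need the other documents of the manifest set: the hardened Deployment on its own still yields two CRITICAL findings, which is exactly why the tools above scan a whole file or directory rather than one resource at a time.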

The kube-score command prints its findings in a human-readable form, including every WARNING and CRITICAL violation, which is very helpful during development.

Those who want to use the tool in a CI pipeline can enable more compact output with the --output-format ci flag (in this case, checks with an OK result are shown as well):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Like kubeval, kube-score returns a non-zero exit code when a CRITICAL check fails. You can also enable the same handling for WARNING.

In addition, it is possible to check resources for conformance with different API versions (as with kubeval). However, this information is hard-coded in kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a big problem if you want to upgrade your cluster or if you have several clusters running different K8s versions.

Note that there is already an issue proposing to implement this capability.

More information about kube-score is available on the official website.

Kube-score's checks are a great way to enforce best practices, but what if you need to modify a check or add your own rules? Alas, this cannot be done.

Kube-score is not extensible: you can neither add policies nor adjust them.

If you need to write custom checks to verify compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest, or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files, as well as Kubernetes manifests.

You can install it using the instructions on the project page.

The current release at the time the original article was written was 1.5.0.

Config-lint has no built-in tests for validating Kubernetes manifests.

To perform any check, you need to create the appropriate rules. They are written in YAML files called "rulesets" and have the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's look at it in more detail:

  • The type field specifies the type of configuration config-lint will check. For K8s manifests this is always Kubernetes.
  • In the files field, in addition to individual files, you can specify directories.
  • The rules field is where user-defined checks go.

Suppose you want to ensure that images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. The config-lint rule that performs such a check would look like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Each rule must have the following attributes:

  • id - the unique identifier of the rule;
  • severity - can be FAILURE, WARNING or NON_COMPLIANT;
  • message - if the rule is violated, the contents of this line are displayed;
  • resource - the resource type this rule applies to;
  • assertions - the list of conditions that will be evaluated for this resource.

In the rule above, the assertion called every checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (i.e. ones that start with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To try the check, save it as check_image_repo.yaml. Let's check the base-valid.yaml file:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check failed. Now let's check the following manifest, which uses the correct image repository:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

Let's run the same check on the manifest above. No problems are found:

$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]

Config-lint is a promising framework that lets you create your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic and checks? Isn't YAML too limited for that? What if you could write checks in a full programming language?

4. Copper

Copper V2 is a framework for validating manifests using custom checks (similar to config-lint).

However, it differs from the latter in that it does not use YAML to describe checks. Checks are written in JavaScript. Copper provides a library with several basic helpers that assist in reading information about Kubernetes objects and reporting errors.

Installation steps for Copper are available in the official documentation.

2.0.1 was the latest release of the utility at the time the original article was written.

Like config-lint, Copper has no built-in checks. Let's write one. It will check that deployments use container images exclusively from trusted sources such as my-company.com.

Create a file check_image_repo.js with the following content:

// $$ holds every document of the input YAML; only Deployments are inspected
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            // DockerImage splits the reference into registry, name and tag
            var image = new DockerImage(container.image);
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                // report the violation with severity 1
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});

Now, to check our base-valid.yaml manifest, use the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_repo.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Clearly, with copper you can perform far more complex checks, for example verifying domain names in Ingress manifests or rejecting pods that run in privileged mode.

Copper has a number of built-in utility functions:

  • DockerImage reads the given image reference and creates an object with the following attributes:
    • name - the image name,
    • tag - the image tag,
    • registry - the image registry,
    • registry_url - the protocol (https://) and the image registry,
    • fqin - the fully qualified image name.
  • The findByName function helps find a resource by the given type (kind) and name (name) in the input file.
  • The findByLabels function helps find a resource by the given type (kind) and labels (labels).

You can see all the available helper functions here.

By default it loads the entire input YAML file into the $$ variable, making it available for scripting (a familiar technique for those with jQuery experience).
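The three custom checks above (config-lint's starts-with, Copper's DockerImage, and the conftest policy that follows) all reduce to "is this image reference from a trusted registry?". Here is an added example, not Copper's or any of the other projects' code, that implements the reference parsing DockerImage-style in Python and then compares registry hosts rather than raw string prefixes. The splitting rules follow the Docker reference grammar: the first path component is a registry only if it contains "." or ":" or is "localhost"; otherwise docker.io and library/ are the implicit defaults, and a missing tag means latest. The trusted host set and the sample references are constructed for this demonstration.

```python
"""Image reference parsing plus a registry allow-list and 'latest' tag check.
Added example, not Copper's code; samples and TRUSTED are constructed."""

import re

DEFAULT_REGISTRY = "docker.io"


def parse_image(ref):
    """Split an image reference into registry, name, tag, digest and fqin."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, slash, rest = ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
        if "/" not in path:
            path = "library/" + path  # official images live under library/
    colon = path.rfind(":")
    if colon > path.rfind("/"):  # a ':' after the last '/' separates the tag
        name, tag = path[:colon], path[colon + 1:]
    else:
        name, tag = path, None
    if tag is None and digest is None:
        tag = "latest"  # the implicit default when neither tag nor digest is given
    fqin = f"{registry}/{name}" + (f":{tag}" if tag else "") + (f"@{digest}" if digest else "")
    return {"registry": registry, "name": name, "tag": tag, "digest": digest, "fqin": fqin}


def registry_host(registry):
    """Drop an explicit :port so 'my-company.com:5000' matches 'my-company.com'."""
    return registry.rsplit(":", 1)[0] if re.fullmatch(r"[^:]+:\d+", registry) else registry


def check_image(ref, trusted_hosts):
    """Findings for one image: untrusted registry and/or a mutable 'latest' tag."""
    img = parse_image(ref)
    findings = []
    if registry_host(img["registry"]) not in trusted_hosts:
        findings.append(f"untrusted registry {img['registry']}")
    if img["digest"] is None and img["tag"] == "latest":
        findings.append("mutable 'latest' tag")
    return findings


def check_deployment(doc, trusted_hosts):
    """Apply check_image to every container of a parsed Deployment; returns {container: findings}."""
    if doc.get("kind") != "Deployment":
        return {}
    containers = doc["spec"]["template"]["spec"]["containers"]
    return {c["name"]: check_image(c["image"], trusted_hosts) for c in containers}


# Constructed sample inputs covering the shapes a plain prefix rule treats differently.
TRUSTED = {"my-company.com"}
SAMPLES = [
    "hashicorp/http-echo",                               # base-valid.yaml: docker.io, implicit latest
    "my-company.com/http-echo:1.0",                      # image-valid-mycompany.yaml
    "my-company.com:5000/team/app@sha256:" + "ab" * 32,  # port and digest, no tag
    "nginx",                                             # docker.io/library/nginx:latest
    "my-company.com.example.org/http-echo:1.0",          # a different host: hosts compare exactly
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{parse_image(ref)['fqin']:75} {check_image(ref, TRUSTED)}")
```

The third sample is the one a starts-with "my-company.com/" rule gets wrong: a registry with an explicit port is a trusted host, but the string does not begin with the prefix, so the prefix rule rejects a legitimate image while a host comparison accepts it. Pinning by digest is also the only form the check treats as immutable.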

Copper's main advantage is obvious: you don't need to learn a special language, and you can use the full range of JavaScript features to build your checks, such as string interpolation, functions, and so on.

It should also be noted that the current version of Copper runs on an ES5 JavaScript engine, not ES6.

Details are available on the official project website.

However, if you are not fond of JavaScript and prefer a language designed specifically for writing queries and describing policies, you should take a look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing and validating Kubernetes manifests. Checks are described in the special query language Rego.

You can install conftest using the instructions on the project page.

At the time the original article was written, the latest available version was 0.18.2.

Like config-lint and copper, conftest comes with no built-in checks. Let's write our own policy. As in the previous examples, we will check whether the container images are pulled from a trusted source.

Create a directory conftest-checks and, inside it, a file named check_image_registry.rego with the following content:

package main

# A deny rule whose body evaluates to true is reported as a violation
deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's test base-valid.yaml with conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

The check failed, as expected, because the image comes from an untrusted source.

In the Rego file we define a deny block. Its evaluating to true is treated as a violation. If there are several deny blocks, conftest evaluates them independently of each other, and any one of them being true is treated as a violation.

In addition to the default output, conftest supports JSON, TAP and table formats, a very useful feature if you need to attach reports to an existing CI pipeline. You can set the desired format with the --output flag.

To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest parses the specified policy files.

Conftest policies can be published and shared through OCI (Open Container Initiative) registries as artifacts.

The push and pull commands let you publish an artifact or retrieve an existing artifact from a remote registry. Let's try publishing the policy we created to a local Docker registry with conftest push.

Start a local Docker registry:

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory you created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run the conftest pull command inside it. It will download the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file will appear in the temporary directory:

$ tree
.
└── policy
  └── check_image_registry.rego

Checks can be run directly from the registry:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, DockerHub is not supported yet. So consider yourself lucky if you use Azure Container Registry (ACR) or your own registry.

The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to test existing OPA bundles.

You can learn more about policy sharing and other conftest features on the official project website.

6. Polaris

The last tool discussed in this article is Polaris. (We translated its announcement last year; translator's note.)

Polaris can be installed in a cluster or used in command-line mode. As you may have guessed, it lets you statically analyze Kubernetes manifests.

When running in command-line mode, built-in checks are available that cover areas such as security and best practices (similar to kube-score). In addition, you can create your own checks (as in config-lint, copper and conftest).

In other words, Polaris combines the advantages of both categories of tools: it has built-in as well as custom checks.

To install Polaris in command-line mode, use the instructions on the project page.

At the time the original article was written, version 1.0.3 was available.

Once installation is complete, you can run polaris on the base-valid.yaml manifest with the following command:

$ polaris audit --audit-path base-valid.yaml

It will output a JSON string with a detailed description of the checks performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris identifies the places where the manifest does not meet best practices:

  • There are no health checks for the pods.
  • Container image tags are not specified.
  • The container runs as root.
  • Requests and limits for memory and CPU are not specified.

Each check, depending on its result, is assigned a criticality level: warning or danger. To learn more about the built-in checks, refer to the documentation.

If the details are not needed, you can pass the --format score flag. In this case, Polaris outputs a number between 1 and 100, the score (like a rating):

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the level of compliance. If you check the exit code of the polaris audit command, it turns out to be 0.

You can make polaris audit exit with a non-zero code using two flags:

  • The --set-exit-code-below-score flag takes a threshold value between 1 and 100 as its argument. In this case, the command exits with code 4 if the score is below the threshold. This is very useful when you have a fixed threshold (say 75) and need to be alerted if the score drops below it.
  • The --set-exit-code-on-danger flag makes the command fail with exit code 3 if any of the danger checks fails.

Now let's try to create a custom check that verifies whether the image comes from a trusted repository. Custom checks are described in YAML, and the check itself is described using JSON Schema.

The following YAML snippet defines a new check called checkImageRepo:

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$

Let's take a closer look:

  • successMessage - this line is printed if the check completes successfully;
  • failureMessage - this message is shown in case of failure;
  • category - indicates one of the categories: Images, Health Checks, Security, Networking and Resources;
  • target - determines which type of object (spec) the check is applied to. Possible values: Container, Pod or Controller;
  • The check itself is described in the schema object using JSON Schema. The key element of this check is pattern, which is used to compare the image source with the required one.

To run the check above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(polaris-conf.yaml)

Aynu kala saarno faylka:

  • In berrinka checks imtixaanada iyo heerkooda halista ayaa la qoraa. Maadaama ay suurtagal tahay in la helo digniin marka sawir laga soo qaado ilo aan la aamini karin, waxaan dejineynaa heerka halkan danger.
  • Imtixaanka laftiisa checkImageRepo ka dibna ka diiwaan gashan shayga customChecks.

Save the file as custom_check.yaml. You can now run polaris audit against a YAML manifest that needs validation.

Let's test our base-valid.yaml manifest:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command ran only the custom check specified above, and it failed.

If you fix the image to my-company.com/http-echo:1.0, Polaris will complete successfully. A manifest with that change is already in the repository, so you can verify this by re-running the previous command against the image-valid-mycompany.yaml manifest.
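As an added illustration (not Polaris code and not part of the original article), here is a small Python re-implementation of what the checkImageRepo check does when Polaris applies it to each container of a Deployment: the JSON Schema subset the check uses, the target: Container walk, and a constructed manifest with trusted and untrusted images. It also shows a caveat in the page's pattern: the unescaped dot in my-company.com matches any character, so a second check with the dot escaped is included for comparison.

```python
import re

# The page's checkImageRepo check, transcribed from its YAML into a Python dict (constructed here).
CHECK_IMAGE_REPO = {
    "successMessage": "Image registry is valid",
    "failureMessage": "Image registry is not valid",
    "category": "Images",
    "target": "Container",
    "schema": {"type": "object", "properties": {
        "image": {"type": "string", "pattern": r"^my-company.com/.+$"}}},
}

# The same check with the dot escaped, so only the literal host my-company.com is accepted.
STRICT_CHECK = dict(CHECK_IMAGE_REPO, schema={"type": "object", "properties": {
    "image": {"type": "string", "pattern": r"^my-company\.com/.+$"}}})

def matches_schema(obj, schema):
    """Evaluate the JSON Schema subset the check uses (object/properties, string/pattern).
    As in JSON Schema, an absent property is not a failure and 'pattern' is a search."""
    if schema.get("type") == "object":
        props = schema.get("properties", {})
        return isinstance(obj, dict) and all(
            matches_schema(obj[k], s) for k, s in props.items() if k in obj)
    if schema.get("type") == "string":
        pattern = schema.get("pattern")
        return isinstance(obj, str) and (pattern is None or re.search(pattern, obj) is not None)
    return True  # no other keywords are used by this check

def containers_of(manifest):
    """target: Container means every container and initContainer of the Pod template."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)  # Deployment-like, or a bare Pod
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])

def audit(manifest, check=CHECK_IMAGE_REPO):
    """Return (container name, message) per container, in the spirit of polaris audit output."""
    return [(c["name"], check["successMessage" if matches_schema(c, check["schema"])
                              else "failureMessage"]) for c in containers_of(manifest)]

# Constructed Deployment, modelled on base-valid.yaml and image-valid-mycompany.yaml from the page.
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [
        {"name": "http-echo", "image": "hashicorp/http-echo"},               # untrusted: fails
        {"name": "echo-internal", "image": "my-company.com/http-echo:1.0"},  # trusted: passes
        {"name": "lookalike", "image": "my-companyXcom/http-echo:1.0"},      # passes the page's pattern
    ]}}}}

if __name__ == "__main__":
    for label, check in (("page pattern", CHECK_IMAGE_REPO), ("escaped dot", STRICT_CHECK)):
        print(label, audit(DEPLOYMENT, check))
```

Polaris evaluates the real schema with a full JSON Schema library; this re-implementation only covers the keywords the check uses, which is enough to see why escaping the dot matters.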

Now the question arises: how do you run the built-in checks alongside the custom ones? Easy! You just need to add the identifiers of the built-in checks to the configuration file. As a result, it takes the following form:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(config_with_custom_check.yaml)

An example of the complete configuration file is available here.

To check the base-valid.yaml manifest using both the built-in and the custom checks, you can use the command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris runs the built-in checks together with the custom ones, combining the best of both worlds.

On the other hand, the inability to use more powerful languages such as Rego or JavaScript can be a limiting factor that prevents the creation of more sophisticated checks.

More information about Polaris can be found on the project website.

Summary

Although there are many tools available for checking and evaluating Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and executed.

For example, if you pass Kubernetes manifests through a pipeline, kubeval could be the first step in such a pipeline. It will verify that the object definitions conform to the Kubernetes API schema.

Once such a check is complete, one can move on to more sophisticated checks, such as compliance with standard best practices and specific policies. This is where kube-score and Polaris come in handy.

For those with complex requirements who need to fine-tune their checks, copper, config-lint and conftest would be suitable.

Conftest and config-lint use YAML to define custom checks, while copper gives you access to a full programming language, which makes it an attractive choice.

On the other hand, is it worth using one of these tools and therefore creating all the checks by hand, or is it preferable to go with Polaris and add only what is needed? There is no clear answer to this question.

The table below gives a brief description of each tool:

| Tool | Purpose | Limitations | Custom checks |
|---|---|---|---|
| kubeval | Validates YAML against a specific version of the API schema | Cannot work with CRDs | No |
| kube-score | Analyzes YAML against best practices | Cannot choose the Kubernetes API version to check resources against | No |
| copper | General framework for writing custom JavaScript checks for YAML | No built-in checks; poor documentation | Yes |
| config-lint | General framework for writing checks in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform) | No built-in checks; the built-in assertions and operations are not sufficient | Yes |
| conftest | Framework for writing your own checks using Rego (a special query language). Allows sharing policies via OCI bundles | No built-in checks; you have to learn Rego. Docker Hub is not supported for publishing policies | Yes |
| Polaris | Checks YAML against standard best practices. Allows you to write your own checks using JSON Schema | Checking capabilities based on JSON Schema may be insufficient | Yes |

Because these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They allow you to screen source files and give quick feedback to the authors of pull requests in your projects.

Source: www.habr.com