Validating Kubernetes YAML against best practices and policies

Translator's note: With the ever-growing number of YAML configurations for K8s environments, the need to validate them is becoming more pressing. The author of this review not only picked the existing solutions for this task, but also took a Deployment as an example to see how they work in practice. It turned out to be very instructive for anyone interested in the topic.

TL;DR: This article compares six static tools for validating and checking Kubernetes YAML files against best practices and requirements.

Kubernetes workloads are most often defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between the manifest files.

What if we need to make sure that every image deployed to the cluster comes from a trusted registry?

How can I stop Deployments that have no PodDisruptionBudget from being deployed to the cluster?

Integrating static checks lets you catch errors and policy violations at the development stage. This increases confidence that resource definitions are correct and secure, and makes it easier for production workloads to follow best practices.

The ecosystem of static checkers for Kubernetes YAML files can be divided into the following categories:

  • API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
  • Ready-made checks. Tools in this category ship with pre-written checks for security, conformance to best practices, and so on.
  • Custom validators. Tools in this category let you write your own checks in various languages, for example Rego and JavaScript.

In this article we will describe and compare six different tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. polaris.

So, let's get started!

Checking Deployments

Before we start comparing the tools, let's set up a baseline we can test them against.

The manifest below contains a number of errors and deviations from best practices: how many of them can you find?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the different tools.

The base-valid.yaml manifest above and the other manifests from this article can be found in the Git repository.

The manifest describes a web application whose only job is to reply with a "Hello World" message on port 5678. It can be deployed with the following command:

kubectl apply -f base-valid.yaml

And then, to check that it works:

kubectl port-forward svc/http-echo 8080:5678

Now open http://localhost:8080 and confirm that the application is working. But does it follow best practices? Let's check.

1. Kubeval

The idea behind kubeval is that every interaction with Kubernetes goes through its REST API. In other words, the API schema can be used to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are available on the project website.

At the time of writing the original article, version 0.15.0 was available.

Once it is installed, let's feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

On success, kubeval exits with exit code 0. You can check it like this:

$ echo $?
0

Now let's try kubeval with a different manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the return code
$ echo $?
1

The resource fails validation.

Deployments using the apps/v1 API version must include a selector that matches the pod labels. The manifest above does not include a selector, so kubeval reported an error and exited with a non-zero code.

I wonder what happens if I run kubectl apply -f with this manifest?

Well, let's try:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding the selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of tools like kubeval is that errors like these are caught early in the deployment cycle.

Moreover, these checks do not require access to a cluster; they can be run offline.

By default, kubeval checks resources against the latest Kubernetes API schema. In most cases, however, you will want to validate against a specific Kubernetes release. This can be done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be specified in Major.Minor.Patch format.

For the list of versions for which validation is supported, see the JSON schemas on GitHub that kubeval uses for validation. If you need to run kubeval offline, download the schemas and point to their local location with the --schema-location flag.

Besides individual YAML files, kubeval can also work with directories and stdin.

Kubeval also integrates easily into a CI pipeline. Those who want to run checks before pushing manifests to a cluster will be glad to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be used for further parsing of the output to produce a summary of the results in the desired form.

One of kubeval's limitations is that it currently cannot validate Custom Resource Definitions (CRDs). However, kubeval can be configured to ignore them.

Kubeval is a great tool for checking and validating resources; it should be stressed, though, that passing its check does not guarantee that the resource conforms to best practices.

For example, using the latest tag for a container does not follow best practices. Kubeval, however, does not consider this an error and does not report it. That is, validation of such a YAML completes without warnings.

But what if you want to check the YAML and catch violations like the latest tag? How do I check a YAML file against best practices?

2. Kube-score

Kube-score analyses a YAML manifest and scores it against built-in checks. These checks are chosen based on security guidelines and best practices, such as:

  • Running the container as a non-root user.
  • Presence of health checks.
  • Setting resource requests and limits.

Depending on the outcome of a check, one of three results is given: OK, WARNING and CRITICAL.

You can try kube-score online or install it locally.

At the time of writing the original article, the latest kube-score version was 1.7.0.

Let's try it on our base-valid.yaml manifest:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passes kubeval's checks, but kube-score points out the following flaws:

  • Readiness probes are not configured.
  • There are no CPU and memory resource requests or limits.
  • Pod disruption budgets are not defined.
  • There are no separation (anti-affinity) rules to improve availability.
  • The container runs as root.

These are all valid points about shortcomings that should be addressed to make the Deployment more efficient and reliable.

The kube-score command prints information in a human-readable form, including all violations of type WARNING and CRITICAL, which is very helpful during development.

Those who want to use this tool within a CI pipeline can make the output more compact with the --output-format ci flag (in this case, checks with an OK result are listed as well):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Like kubeval, kube-score returns a non-zero exit code when there is a failing CRITICAL check. The same behaviour can also be enabled for WARNING.
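As an added example (not kube-score's own code), here is a small JavaScript linter that reproduces several of the built-in checks above, with the same OK/WARNING/CRITICAL levels and exit-code behaviour; the two Deployment objects, the resource values and the securityContext fields are constructed for this example, and the NetworkPolicy and PodDisruptionBudget checks are left out because they need other objects from the cluster.

```javascript
// Added example, not kube-score's own code: a minimal linter that reproduces a
// few of the built-in checks kube-score raised on base-valid.yaml and maps them
// to the same OK / WARNING / CRITICAL levels and exit-code behaviour.

// Constructed input: the http-echo Deployment from base-valid.yaml, already
// parsed into a plain object (no YAML parser is needed to run this offline).
const baseValidDeployment = {
  apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
  spec: {
    replicas: 2,
    selector: { matchLabels: { app: 'http-echo' } },
    template: {
      metadata: { labels: { app: 'http-echo' } },
      spec: {
        containers: [{
          name: 'http-echo', image: 'hashicorp/http-echo',
          args: ['-text', 'hello-world'], ports: [{ containerPort: 5678 }],
        }],
      },
    },
  },
};

// Constructed hardened variant of the same Deployment that satisfies every check below.
const hardenedDeployment = {
  apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
  spec: {
    replicas: 2,
    selector: { matchLabels: { app: 'http-echo' } },
    template: {
      metadata: { labels: { app: 'http-echo' } },
      spec: {
        affinity: { podAntiAffinity: { requiredDuringSchedulingIgnoredDuringExecution: [{
          labelSelector: { matchLabels: { app: 'http-echo' } }, topologyKey: 'kubernetes.io/hostname' }] } },
        containers: [{
          name: 'http-echo', image: 'my-company.com/http-echo:1.0',
          args: ['-text', 'hello-world'], ports: [{ containerPort: 5678 }],
          readinessProbe: { httpGet: { path: '/', port: 5678 } },
          securityContext: { runAsNonRoot: true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false },
          resources: { requests: { cpu: '50m', memory: '32Mi' }, limits: { cpu: '100m', memory: '64Mi' } },
        }],
      },
    },
  },
};

// An image reference with no ':tag' or '@digest' after its last '/' resolves to
// ':latest', which is what kube-score's "Image with latest tag" check flags.
function hasPinnedTag(image) {
  const tail = image.slice(image.lastIndexOf('/') + 1);
  return tail.includes(':') || tail.includes('@');
}

// Names of the cpu/memory requests and limits that are absent from a container.
function missingResources(container) {
  const r = container.resources || {};
  const missing = [];
  for (const kind of ['requests', 'limits']) {
    for (const res of ['cpu', 'memory']) {
      if (!r[kind] || r[kind][res] === undefined) missing.push(`${res} ${kind.slice(0, -1)}`);
    }
  }
  return missing;
}

// Each check returns a message when it fails and null when it passes.
const containerChecks = [
  { name: 'Container Image Tag', level: 'CRITICAL',
    run: c => hasPinnedTag(c.image) ? null : `${c.name} -> Image with latest tag` },
  { name: 'Container Resources', level: 'CRITICAL',
    run: c => { const m = missingResources(c); return m.length ? `${c.name} -> ${m.join(', ')} not set` : null; } },
  { name: 'Pod Probes', level: 'CRITICAL',
    run: c => c.readinessProbe ? null : `${c.name} -> Container is missing a readinessProbe` },
  // kube-score inspects several securityContext fields; runAsNonRoot is the minimum used here.
  { name: 'Container Security Context', level: 'CRITICAL',
    run: c => (c.securityContext && c.securityContext.runAsNonRoot === true) ? null
              : `${c.name} -> Container has no configured security context` },
];

const podChecks = [
  { name: 'Deployment has host PodAntiAffinity', level: 'WARNING',
    run: p => (p.affinity && p.affinity.podAntiAffinity) ? null : 'Deployment does not have a host podAntiAffinity set' },
];

// Returns the failed checks as [{ level, check, message }].
function scoreDeployment(deployment) {
  const pod = deployment.spec.template.spec;
  const findings = [];
  for (const chk of podChecks) {
    const msg = chk.run(pod);
    if (msg) findings.push({ level: chk.level, check: chk.name, message: msg });
  }
  for (const c of pod.containers) {
    for (const chk of containerChecks) {
      const msg = chk.run(c);
      if (msg) findings.push({ level: chk.level, check: chk.name, message: msg });
    }
  }
  return findings;
}

// kube-score exits non-zero on any CRITICAL finding; the article notes the same
// can be enabled for WARNING, modelled here by the failOnWarning switch.
function exitCode(findings, failOnWarning = false) {
  return findings.some(f => f.level === 'CRITICAL' || (failOnWarning && f.level === 'WARNING')) ? 1 : 0;
}

// Print a CI-style report in the spirit of `kube-score score --output-format ci`.
for (const d of [baseValidDeployment, hardenedDeployment]) {
  const findings = scoreDeployment(d);
  for (const f of findings) console.log(`[${f.level}] ${d.metadata.name} apps/v1/Deployment: ${f.message}`);
  console.log(`${d.metadata.name}: ${findings.length} finding(s), exit code ${exitCode(findings)}`);
}
```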

It is also possible to check resources for conformance to different API versions (as with kubeval). However, this information is hard-coded in kube-score itself: you cannot select a different Kubernetes version. This limitation can be a serious problem if you plan to upgrade your cluster or if you have several clusters with different K8s versions.

Note that there is already an issue proposing to implement this feature.

More information about kube-score can be found on the official website.

Kube-score checks are a great tool for enforcing best practices, but what if you need to modify a check or add your own rules? Unfortunately, this cannot be done.

Kube-score is not extensible: you cannot add policies to it or modify them.

If you need to write custom checks to verify compliance with company policies, you can use one of the next four tools: config-lint, copper, conftest, or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files and Kubernetes manifests.

You can install it using the instructions on the project website.

The current release at the time of writing the original article is 1.5.0.

Config-lint has no built-in checks for validating Kubernetes manifests.

To run any checks, you must create the appropriate rules. They are written in YAML files called "rulesets" and have the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's look at it more closely:

  • The type field specifies which type of configuration config-lint will check. For K8s manifests this is always Kubernetes.
  • In the files field, besides individual files, you can specify a directory.
  • The rules field is where user-defined checks go.

Suppose you want to make sure that images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. A config-lint rule performing such a check could look like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Each rule must have the following attributes:

  • id - a unique identifier of the rule;
  • severity - one of FAILURE, WARNING and NON_COMPLIANT;
  • message - if the rule is violated, the contents of this line are displayed;
  • resource - the resource type this rule applies to;
  • assertions - a list of conditions to be checked against this resource.

In the rule above, the assertion named every checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (i.e. ones starting with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:

  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To run the check, let's save it as check_image_repo.yaml. Now let's check the base-valid.yaml file:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check fails. Now let's check the following manifest, which uses the correct image repository:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

We run the same check against the manifest above. No problems are found:

$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]

Config-lint is a promising framework that lets you write your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic and checks? Isn't YAML too limiting for that? What if you could write checks in a full programming language?

4. Copper

Copper V2 is a framework for validating manifests using custom checks (similar to config-lint).

It differs from the latter, however, in that it does not use YAML to describe checks. Checks are written in JavaScript. Copper provides a library with a few basic utilities that help you read information about Kubernetes objects and report errors.

Copper installation steps can be found in the official documentation.

2.0.1 was the latest release of this tool at the time of writing the original article.

Like config-lint, Copper has no built-in checks. Let's write one. It will check that Deployments use container images only from a trusted repository such as my-company.com.

Create a file check_image_repo.js with the following contents:

$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            var image = new DockerImage(container.image);
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});

Now, to check our base-valid.yaml manifest, use the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_repo.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Clearly, Copper lets you do more complex checks, for example checking domain names in Ingress manifests or rejecting pods that run in privileged mode.

Copper has a few built-in utility functions:

  • DockerImage reads the image from the input file and creates an object with the following attributes:
    • name - the image name,
    • tag - the image tag,
    • registry - the image registry,
    • registry_url - the protocol (https://) and the image registry,
    • fqin - the fully qualified image location.
  • The findByName function helps find a resource of a given type (kind) and name (name) in the input file.
  • The findByLabels function helps find a resource of a given type (kind) and labels (labels).

You can see all the available utilities here.

By default it loads the entire input YAML file into the $$ variable and makes it available for scripting (a familiar technique for those with jQuery experience).

Copper's main advantage is obvious: you don't need to learn a special language, and you can use the various JavaScript features to create your own checks, such as string interpolation, functions, etc.

It should also be noted that the current version of Copper works with the ES5 version of the JavaScript engine, not ES6.

Details are available on the official project website.
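As an added example (not Copper's own library), here is a stand-alone JavaScript parser that splits a container image reference into the fields the DockerImage helper above exposes (registry, name, tag, fqin) and applies the trusted-registry policy used throughout this article to the parsed registry rather than to the raw string, which also rejects untagged and latest images unless they are pinned by digest; it is written in ES5 syntax because of the engine limitation just noted, and the DEFAULT_REGISTRY and TRUSTED_REGISTRY values and the no_company_repo check name are assumptions for this example.

```javascript
// Added example, not Copper's own library: parse an image reference and apply
// the article's "trusted registry only" policy to the parsed registry field.
// ES5 syntax only, because the article notes Copper's engine is ES5-only.

var DEFAULT_REGISTRY = 'docker.io';      // implied when the reference has no registry part (assumption)
var TRUSTED_REGISTRY = 'my-company.com'; // the registry the article's checks allow (assumption)

// Parse "[registry/]name[:tag][@digest]" following the Docker reference rules:
// the first path component is a registry only if it contains '.' or ':' or is
// exactly 'localhost'; otherwise the whole string is a Docker Hub repository.
function parseImage(ref) {
  var digest = null;
  var at = ref.indexOf('@');
  if (at !== -1) { digest = ref.slice(at + 1); ref = ref.slice(0, at); }

  var registry = DEFAULT_REGISTRY;
  var rest = ref;
  var firstSlash = ref.indexOf('/');
  if (firstSlash !== -1) {
    var first = ref.slice(0, firstSlash);
    if (first.indexOf('.') !== -1 || first.indexOf(':') !== -1 || first === 'localhost') {
      registry = first;
      rest = ref.slice(firstSlash + 1);
    }
  }

  // A tag is the text after the last ':' only when that ':' comes after the
  // last '/', so "localhost:5000/app" is not read as tag "5000/app".
  var tag = null;
  var name = rest;
  var colon = rest.lastIndexOf(':');
  if (colon > rest.lastIndexOf('/')) {
    tag = rest.slice(colon + 1);
    name = rest.slice(0, colon);
  }
  // Official Docker Hub images live under the "library" namespace.
  if (registry === DEFAULT_REGISTRY && name.indexOf('/') === -1) name = 'library/' + name;

  return {
    registry: registry,
    name: name,
    tag: tag,
    digest: digest,
    fqin: registry + '/' + name + (tag ? ':' + tag : '') + (digest ? '@' + digest : '')
  };
}

// Return the policy problems for one image reference (empty array = compliant).
// Comparing the parsed registry exactly avoids look-alike hosts such as
// "my-company.com.evil.example/app"; an untagged or ":latest" image is rejected
// unless it is pinned by digest.
function checkContainerImage(ref) {
  var img = parseImage(ref);
  var problems = [];
  if (img.registry !== TRUSTED_REGISTRY) {
    problems.push('registry "' + img.registry + '" is not ' + TRUSTED_REGISTRY);
  }
  if (!img.digest && (img.tag === null || img.tag === 'latest')) {
    problems.push('image is not pinned to a tag or digest');
  }
  return problems;
}

// Walk every container of a Deployment document, as the Copper validator in the
// article does, and collect errors in a {check, message} shape.
function validateDeployment(doc) {
  var errors = [];
  if (doc.kind !== 'Deployment') return errors;
  doc.spec.template.spec.containers.forEach(function (container) {
    checkContainerImage(container.image).forEach(function (problem) {
      errors.push({ check: 'no_company_repo',
                    message: 'Image ' + container.image + ' in ' + doc.metadata.name + ': ' + problem });
    });
  });
  return errors;
}

// Constructed input: the Deployment from base-valid.yaml, hand-parsed into an object.
var baseValid = { kind: 'Deployment', metadata: { name: 'http-echo' },
  spec: { template: { spec: { containers: [{ name: 'http-echo', image: 'hashicorp/http-echo' }] } } } };

validateDeployment(baseValid).forEach(function (e) { console.log(e.check + ': ' + e.message); });
```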

If, however, you really don't like JavaScript and prefer a language designed specifically for writing queries and describing policies, you should take a look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also well suited to testing and validating Kubernetes manifests. Checks are described using the specialised query language Rego.

You can install conftest using the instructions listed on the project website.

At the time of writing the original article, the latest available version was 0.18.2.

Like config-lint and copper, conftest comes without built-in checks. Let's try it out by writing our own policy. As in the previous examples, we will check whether container images come from a trusted source.

Create a conftest-checks directory, and in it a file called check_image_registry.rego with the following contents:

package main

deny[msg] {

  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's run base-valid.yaml through conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

The check fails, as expected, because the images come from an untrusted source.

In the Rego file we define a deny block. Its evaluating to true is treated as a violation. If there are several deny blocks, conftest evaluates them independently of each other, and any block evaluating to true is treated as a violation.

Besides the default output, conftest supports JSON, TAP and a table format, a useful feature if you need to plug the reports into an existing CI pipeline. You can set the desired format with the --output flag.

To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest processes the specified policy files.

Conftest policies can be published and shared as artifacts through OCI (Open Container Initiative) registries.

The push and pull commands let you publish an artifact or fetch an existing one from a remote registry. Let's try publishing the policy we created to a local Docker registry using conftest push.

Start your local Docker registry:

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory you created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run the conftest pull command in it. It downloads the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file appears in the temporary directory:

$ tree
.
└── policy
    └── check_image_registry.rego

Checks can be run directly from the repository:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, DockerHub is not supported yet. So consider yourself lucky if you use Azure Container Registry (ACR) or your own registry.

The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to run checks from existing OPA bundles.

You can learn more about sharing policies and other conftest features on the official project website.

6. Polaris

The last tool covered in this article is Polaris. (We have already translated its announcement from last year - translator's note.)

Polaris can be installed inside a cluster or used in command-line mode. As you may have guessed, it lets you statically analyse Kubernetes manifests.

In command-line mode, built-in checks are available that cover areas such as security and best practices (similar to kube-score). In addition, you can create your own checks (as with config-lint, copper and conftest).

In other words, Polaris combines the advantages of both categories of tools: built-in and custom checks.

To install Polaris in command-line mode, use the instructions on the project website.

At the time of writing the original article, version 1.0.3 was available.

Once installation is complete, you can run polaris on the base-valid.yaml manifest with the following command:

$ polaris audit --audit-path base-valid.yaml

It prints a JSON string with a detailed description of the checks performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris points out issues in the areas where the manifest does not meet best practices:

  • No health checks for the pods.
  • Container image tags are not specified.
  • The container runs as root.
  • Memory and CPU requests and limits are not set.

Each check, depending on its result, is assigned a criticality level: warning or danger. To learn more about the available built-in checks, see the documentation.

If the details are not needed, you can pass the --format score flag. In that case Polaris prints a number from 1 to 100, the score (i.e. a rating):

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the degree of conformance. If you check the exit code of the polaris audit command, you will find that it is 0.

You can make polaris audit stop with a non-zero exit code using two flags:

  • The --set-exit-code-below-score flag takes a threshold value in the range 1-100 as its argument. In that case, the command exits with exit code 4 if the score is below the threshold. This is very useful when you have a certain threshold (say 75) and need to be alerted if the score drops below it.
  • The --set-exit-code-on-danger flag makes the command fail with code 3 if any of the danger checks fails.

Now let's try to create a custom check that verifies whether the image comes from a trusted repository. Custom checks are defined in YAML format, and the check itself is described using JSON Schema.

The following YAML snippet describes a new check called checkImageRepo:

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$

Let's take a closer look:

  • successMessage - this line is printed if the check passes;
  • failureMessage - this message is shown if the check fails;
  • category - specifies one of the categories: Images, Health Checks, Security, Networking and Resources;
  • target - specifies which type of object (spec) the check applies to. Possible values: Container, Pod or Controller;
  • The check itself is defined in the schema object using JSON Schema. The key element in this check is pattern, which is used to compare the image source against the required one.

To run the check above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(polaris-conf.yaml)

Let's examine the file:

  • The checks field lists the checks and their criticality level. Since we want to be alerted when an image comes from an untrusted source, we set the level to danger here.
  • The checkImageRepo check itself is then registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit on the YAML manifest that needs validating.

Let's check our base-valid.yaml manifest:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command ran only the user check specified above, and it failed.

If you fix the image to my-company.com/http-echo:1.0, Polaris exits successfully. The manifest with this change is already in the repository, so you can run the previous command against the image-valid-mycompany.yaml manifest.

Now the question arises: how do you run the built-in checks together with custom ones? Easy! You just need to add the identifiers of the built-in checks to the configuration file. As a result it takes the following form:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(config_with_custom_check.yaml)

An example of the complete configuration file is available here.

To check the base-valid.yaml manifest using both built-in and custom checks, you can use the command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris supplements the built-in checks with custom ones, thereby combining the best of both worlds.

On the other hand, the inability to use powerful languages such as Rego or JavaScript can be a limiting factor when creating complex checks.

More information about Polaris is available on the project website.

Summary

Although there are many tools available for checking and validating Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and executed.

For example, if you consider Kubernetes manifests passing through a pipeline, kubeval could be the first step in such a pipeline. It would monitor whether the object definitions conform to the Kubernetes API schema.

Once that check is complete, one can move on to more sophisticated checks, such as conformance to standard best practices and specific policies. This is where kube-score and Polaris would come in handy.

For those with complex requirements who need to customise checks in detail, copper, config-lint and conftest would be suitable.

Conftest and config-lint use YAML to define custom checks, while copper gives you access to a full programming language, which makes it a very attractive choice.

On the other hand, is it worth using one of these tools, and thus creating all the checks by hand, or choosing Polaris and adding only what is needed to it? There is no clear answer to this question.

The table below gives a short description of each tool:

Tool        | Purpose                                                                                                                                      | Limitations                                                                                            | Custom checks
----------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | -------------
kubeval     | Validates YAML manifests against a specific version of the API schema                                                                        | Cannot work with CRDs                                                                                  | No
kube-score  | Analyses YAML manifests against best practices                                                                                               | Cannot choose the Kubernetes API version to check resources against                                    | No
copper      | A general framework for creating custom JavaScript checks for YAML manifests                                                                 | No built-in checks. Sparse documentation                                                               | Yes
config-lint | A general framework for creating checks in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform) | No ready-made checks. The built-in assertions and functions may be insufficient                        | Yes
conftest    | A framework for creating custom checks using Rego (a specialised query language). Allows sharing policies as OCI bundles                    | No built-in checks. You have to learn Rego. Docker Hub is not supported for publishing policies        | Yes
Polaris     | Analyses YAML manifests against standard best practices. Lets you create custom checks using JSON Schema                                    | The capabilities of JSON Schema-based checks may be insufficient                                       | Yes

Because these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you filter source files and give quick feedback to the authors of pull requests in a project.

Source: www.habr.com
