Validating Kubernetes YAML against best practices and policies

Translator's note: with the growing number of YAML configurations for Kubernetes environments, the need to validate them automatically is becoming ever more pressing. The author of this review not only selected the existing solutions for the task, but also used a Deployment as an example to look at how they work. It should be very useful to anyone interested in the subject.

TL;DR: This article compares six static tools for validating and checking Kubernetes YAML files against best practices and requirements.

Kubernetes workloads are defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between manifest files.

What if we need to make sure that every image deployed to the cluster comes from a trusted registry?

How can we stop Deployments that have no PodDisruptionBudget from being deployed to the cluster?

Integrating static checks lets you spot errors and policy violations at the development stage. This raises confidence that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.

The ecosystem of static checkers for Kubernetes YAML files can be divided into the following categories:

  • API validators. Tools in this group check a YAML manifest against the requirements of the Kubernetes API server.
  • Ready-made checkers. Tools in this group come with prepared checks for security, conformance to best practices, and so on.
  • Custom validators. Tools in this group let you write your own checks in various languages, for example Rego or JavaScript.

In this article we describe and compare six different tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. polaris.

So, let's get started!

Checking the Deployment

Before we start comparing the tools, let's set up the baseline we will test them against.

The manifest below contains a number of errors and deviations from best practice: how many of them can you find?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the different tools.

The base-valid.yaml manifest above and the other manifests in this article are available in the Git repository.

The manifest describes a web application whose main job is to reply with a "Hello World" message on port 5678. It can be deployed with the following command:

kubectl apply -f base-valid.yaml

And then checked like this:

kubectl port-forward svc/http-echo 8080:5678

Now go to http://localhost:8080 and confirm that the application responds. But does it follow best practices? Let's find out.

1. Kubeval

The idea behind kubeval is that any interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are available on the project website.

At the time the original article was written, version 0.15.0 was available.

Once it is installed, let's feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

On success kubeval exits with code 0. You can check it as follows:

$ echo $?
0

Now let's try kubeval on a different manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the return code
$ echo $?
1

The resource does not validate.

A Deployment that uses the apps/v1 API version must include a selector matching the pod labels. The manifest above omits the selector, so kubeval reported an error and exited with a non-zero code.

What happens if you run kubectl apply -f with this manifest?

Well, let's try:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding the selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of tools like kubeval is that errors like this are caught early in the deployment cycle.

In addition, the check does not need access to a cluster; it can be run offline.

By default, kubeval validates resources against the latest Kubernetes API schema. In many cases, however, you will want to validate against a specific Kubernetes release. This can be done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be given in Major.Minor.Patch format.

For the list of versions supported for validation, see the JSON schemas on GitHub that kubeval uses. If you need to run kubeval offline, download the schemas and point to their local location with the --schema-location flag.

Besides individual YAML files, kubeval can also work with directories and with stdin.

Kubeval also integrates easily into a CI pipeline. Those who want to run checks before pushing manifests to a cluster will be glad to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be parsed further to produce a summary of the results in the desired form.

One of kubeval's limitations is that it currently cannot validate Custom Resource Definitions (CRDs). It can, however, be configured to ignore them.

Kubeval is a great tool for checking and validating resources; it should be stressed, though, that passing its check does not guarantee that the resource follows best practices.

For example, using the latest tag for a container image is not a best practice. Kubeval does not treat this as an error and does not report it, so validation of the YAML completes without warnings.
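Schema validation also says nothing about the semantic rules the API server applies at admission time, nor about relationships between documents in the same file (the limitation mentioned at the start of the article). The Python below is an added example, not code from the article or from kubeval: it checks that an apps/v1 workload has a selector, that every matchLabels pair appears in the pod template's labels (otherwise kubectl apply is rejected with "selector does not match template labels", a manifest kubeval still reports as PASS), and that each Service in the bundle selects at least one workload. The manifests are constructed inline as dicts; on real input you would load them with yaml.safe_load_all.

```python
from typing import Dict, List

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet"}


def template_labels(doc: dict) -> Dict[str, str]:
    """Labels of the pod template inside a workload manifest."""
    return doc.get("spec", {}).get("template", {}).get("metadata", {}).get("labels", {})


def selector_errors(doc: dict) -> List[str]:
    """Selector rules the API server enforces for apps/v1 workloads.

    Only matchLabels is evaluated; matchExpressions are accepted as given,
    because their In/NotIn/Exists semantics go beyond this example.
    """
    if doc.get("apiVersion") != "apps/v1" or doc.get("kind") not in WORKLOAD_KINDS:
        return []
    name = doc.get("metadata", {}).get("name", "<unnamed>")
    selector = doc.get("spec", {}).get("selector")
    if not selector:
        return [f"{doc['kind']} {name}: spec.selector: selector is required"]
    match = selector.get("matchLabels", {})
    if not match and not selector.get("matchExpressions"):
        return [f"{doc['kind']} {name}: spec.selector: empty selector is invalid"]
    labels = template_labels(doc)
    return [
        f"{doc['kind']} {name}: spec.template.metadata.labels: selector "
        f"{key}={value} does not match template labels"
        for key, value in match.items()
        if labels.get(key) != value
    ]


def bundle_findings(docs: List[dict]) -> List[str]:
    """Cross-document check: every Service selector must match the pod
    template labels of at least one workload in the same bundle, otherwise
    the Service is created without endpoints and nothing complains."""
    findings = [err for doc in docs for err in selector_errors(doc)]
    templates = [template_labels(d) for d in docs if d.get("kind") in WORKLOAD_KINDS]
    for doc in docs:
        if doc.get("kind") != "Service":
            continue
        selector = doc.get("spec", {}).get("selector", {})
        # dict items views are set-like, so <= is the subset test
        if selector and not any(selector.items() <= t.items() for t in templates):
            name = doc.get("metadata", {}).get("name", "<unnamed>")
            findings.append(f"Service {name}: selector {selector} matches no workload in the bundle")
    return findings


def deployment(selector: dict, labels: dict) -> dict:
    """Constructed manifest builder: the article's http-echo Deployment with
    the given selector.matchLabels and template labels (None = no selector)."""
    spec = {"replicas": 2,
            "template": {"metadata": {"labels": labels},
                         "spec": {"containers": [{"name": "http-echo",
                                                  "image": "hashicorp/http-echo"}]}}}
    if selector is not None:
        spec["selector"] = {"matchLabels": selector}
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "http-echo"}, "spec": spec}


# Constructed samples mirroring the article's manifests.
SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "http-echo"},
           "spec": {"ports": [{"port": 5678}], "selector": {"app": "http-echo"}}}
BASE_VALID = deployment({"app": "http-echo"}, {"app": "http-echo"})   # base-valid.yaml
MISSING_SELECTOR = deployment(None, {"app": "http-echo"})            # kubeval-invalid.yaml
MISMATCHED = deployment({"app": "http-echo"}, {"app": "echo"})        # schema-valid, rejected by the API server

if __name__ == "__main__":
    for bundle in ([BASE_VALID, SERVICE], [MISSING_SELECTOR, SERVICE], [MISMATCHED, SERVICE]):
        print(bundle_findings(bundle) or ["PASS"])
```

The MISMATCHED case is the interesting one: it passes every JSON-schema validator because every field has the right type, yet the API server refuses it and the Service next to it would match nothing.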

But what if you want to check the YAML and flag violations like the latest tag? How do you check a YAML file against best practices?

2. Kube-score

Kube-score parses YAML manifests and evaluates them against built-in checks. These checks are selected based on security guidelines and best practices, such as:

  • Running the container as a non-root user.
  • The presence of pod health checks.
  • Setting resource requests and limits.

Depending on the result of a check, one of three outcomes is reported: OK, WARNING or CRITICAL.

You can try kube-score online or install it locally.

At the time the original article was written, the latest version of kube-score was 1.7.0.

Let's try it on our base-valid.yaml manifest:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passes kubeval's checks, while kube-score points out the following shortcomings:

  • No readiness probe is configured.
  • No CPU and memory requests or limits.
  • No PodDisruptionBudget is defined.
  • No anti-affinity rules to improve availability.
  • No securityContext is set, so the container may run as root.
  • The image has no fixed tag (it resolves to latest) and no NetworkPolicy matches the pod.

All of these are valid points about deficiencies that should be addressed to make the Deployment more efficient and reliable.

The kube-score command prints human-readable information including all WARNING and CRITICAL violations, which is very helpful during development.

Those who want to use the tool inside a CI pipeline can get more compact output with the --output-format ci flag (in this case, checks that pass are also shown as OK):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Like kubeval, kube-score returns a non-zero exit code when a check fails with CRITICAL. The same behaviour can also be enabled for WARNING.

It is also possible to check resources for compatibility with different API versions (as in kubeval). However, this information is hard-coded in kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a serious problem if you are upgrading your cluster or have several clusters running different K8s versions.

Note that there is already an issue proposing to implement this feature.

More information about kube-score is available on the official website.

Kube-score's checks are a great tool for enforcing best practices, but what if you need to change a check or add your own rules? Alas, this is not possible.

Kube-score is not extensible: you cannot add policies to it or adjust them.

If you want to write custom checks to verify compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files, as well as Kubernetes manifests.

You can install it by following the instructions on the project website.

The current release at the time the original article was written was 1.5.0.

Config-lint has no built-in checks for validating Kubernetes manifests.

To run any checks, you have to create the corresponding rules. They are written in YAML files called "rulesets" and have the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's look at it more closely:

  • The type field says which kind of configuration config-lint will check. For K8s manifests this is always Kubernetes.
  • In the files field you can specify directories as well as individual files.
  • The rules field is where custom checks are defined.

Suppose you want to make sure that the images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. A config-lint rule implementing such a check might look like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Each rule must have the following attributes:

  • id: a unique identifier of the rule;
  • severity: one of FAILURE, WARNING and NON_COMPLIANT;
  • message: the text shown when the rule is violated;
  • resource: the resource type this rule applies to;
  • assertions: a list of conditions that will be evaluated against that resource.

In the rule above, the every assertion checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (that is, images starting with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:

  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To try out the check, let's save it as check_image_repo.yaml and run it against base-valid.yaml:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check fails. Now let's look at the following manifest with the correct image repository:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

We run the same check on the manifest above. No problems are found:

$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]

Config-lint is a promising framework that lets you write your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic and checks? Isn't YAML too limited for that? What if you could write checks in a full programming language?

4. Copper

Copper V2 is a framework for validating manifests with custom checks (similar to config-lint).

It differs from the latter, however, in that it does not use YAML to describe the checks. Checks are written in JavaScript instead. Copper provides a library with several basic helpers that read information from Kubernetes objects and report errors.

Installation steps for copper can be found in the official documentation.

2.0.1 was the latest release of the tool at the time the original article was written.

Like config-lint, copper has no built-in checks. Let's write one. It will check that the Deployment uses container images exclusively from trusted repositories such as my-company.com.

Create a file check_image_repo.js with the following content:

// $$ holds every document loaded from the input file.
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            var image = new DockerImage(container.image);
            // DockerImage.registry is the bare registry host, so compare it
            // exactly instead of testing for a prefix that ends in '/'.
            if (image.registry !== 'my-company.com') {
                errors.add_error('no_company_repo', "Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});

Now, to check our base-valid.yaml manifest, use the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_repo.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Clearly, copper lets you write more complex checks, for example checking domain names in Ingress manifests or rejecting pods that run in privileged mode.

Copper has several built-in helpers:

  • DockerImage parses the given image reference and creates an object with the following attributes:
    • name: the image name,
    • tag: the image tag,
    • registry: the image registry,
    • registry_url: the protocol (https://) plus the image registry,
    • fqin: the fully qualified image name.
  • The findByName function finds a resource in the input file by the given kind and name.
  • The findByLabels function finds a resource by the given kind and labels.

You can see all the available helper functions here.

By default, it loads the entire contents of the input YAML file into the $$ variable and makes it available to the script (a familiar technique for those with jQuery experience).
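The image checks in this article (kube-score's "Image with latest tag" check, and the trusted-registry rule written above for config-lint and copper) all hinge on taking a container image reference apart, which is what copper's DockerImage does. The Python below is an added example, not code from the article or from any of the tools: it implements that parsing with the Docker reference rules (a first path component containing a dot or a colon, or equal to localhost, is the registry; otherwise docker.io and a library/ prefix are implied), then runs a registry allowlist and a tag-pinning check over a workload manifest, including initContainers, which the policies above do not look at. TRUSTED_REGISTRIES and the sample manifest are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed allowlist; a port-qualified host counts as a separate registry.
TRUSTED_REGISTRIES = {"my-company.com", "my-company.com:5000"}


@dataclass(frozen=True)
class ImageRef:
    registry: str            # host[:port] the image is pulled from
    name: str                # repository path, e.g. library/http-echo
    tag: Optional[str]       # None when no tag was written
    digest: Optional[str]    # sha256:... when pinned by digest

    @property
    def fqin(self) -> str:
        """Fully qualified image name, the field copper's DockerImage calls fqin."""
        out = f"{self.registry}/{self.name}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def parse_image(ref: str) -> ImageRef:
    """Split an image reference into registry, name, tag and digest."""
    rest, digest = (ref.split("@", 1) + [None])[:2]
    first, _, remainder = rest.partition("/")
    # The first component is a registry only if it looks like a host.
    if remainder and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, remainder
    else:
        registry, path = "docker.io", rest
    # The tag is the part after ':' in the LAST path component, so a port in
    # the registry (already split off) is never mistaken for a tag.
    head, sep, last = path.rpartition("/")
    last, _, tag = last.partition(":")
    name = f"{head}/{last}" if sep else last
    if registry == "docker.io" and "/" not in name:
        name = f"library/{name}"          # nginx -> docker.io/library/nginx
    return ImageRef(registry, name, tag or None, digest)


def workload_images(doc: dict) -> List[str]:
    """Every image a Pod/Deployment/StatefulSet/DaemonSet/Job would pull.
    initContainers are included: they run with the same privileges as the
    main containers but are skipped by policies that only walk .containers.
    (CronJob, whose pod spec sits under jobTemplate, is not handled here.)"""
    spec = doc.get("spec", {})
    pod = spec if doc.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})
    return [c["image"] for key in ("initContainers", "containers") for c in pod.get(key, [])]


def registry_violations(images: Iterable[str]) -> List[str]:
    """Trusted-registry rule as an exact host match rather than a string
    prefix: 'hashicorp/http-echo' is rejected because it silently resolves
    to docker.io, and no regex metacharacter can widen the match."""
    return [f"image '{ref}' comes from untrusted registry '{parse_image(ref).registry}'"
            for ref in images if parse_image(ref).registry not in TRUSTED_REGISTRIES]


def pinning_violations(images: Iterable[str], require_digest: bool = False) -> List[str]:
    """kube-score's latest-tag check, extended: an image with no tag or with
    :latest is mutable; with require_digest even a fixed tag is rejected
    unless the reference carries a content-addressed digest."""
    out = []
    for ref in images:
        img = parse_image(ref)
        if img.digest:
            continue                      # immutable whatever the tag says
        if require_digest:
            out.append(f"image '{ref}' is not pinned by digest")
        elif img.tag is None:
            out.append(f"image '{ref}' has no tag and resolves to :latest")
        elif img.tag == "latest":
            out.append(f"image '{ref}' uses the mutable :latest tag")
    return out


def check_manifest(doc: dict, require_digest: bool = False) -> List[str]:
    images = workload_images(doc)
    return registry_violations(images) + pinning_violations(images, require_digest)


# Constructed sample: the article's Deployment plus an init container.
SAMPLE = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
          "spec": {"template": {"spec": {
              "initContainers": [{"name": "wait-for-db", "image": "busybox"}],
              "containers": [{"name": "http-echo", "image": "hashicorp/http-echo"}]}}}}

if __name__ == "__main__":
    for line in check_manifest(SAMPLE):
        print("FAIL -", line)
```

Run on SAMPLE this reports four findings: both images come from docker.io, and both are untagged. A Rego or config-lint rule that only walks spec.template.spec.containers would have missed the busybox init container entirely.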

The main advantage of copper is obvious: you do not need to learn a special language and can use all sorts of JavaScript features, such as string interpolation, functions and so on, to write your checks.

It should also be noted that the current version of copper runs on the ES5 version of the JavaScript engine, not ES6.

Details are available on the official project website.

However, if you are not fond of JavaScript and prefer a language designed specifically for writing queries and declarative policies, you should take a look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing/validating Kubernetes manifests. Checks are written in the special query language Rego.

You can install conftest using the instructions listed on the project website.

At the time the original article was written, the latest available version was 0.18.2.

Like config-lint and copper, conftest comes without built-in checks. Let's try it out and write our own policy. As in the previous examples, we will check that container images come from a trusted source.

Create a directory conftest-checks, and in it a file named check_image_registry.rego with the following content:

package main

# A deny rule that evaluates to true is reported as a violation.
# containers[_] iterates over every container, so each untrusted image
# produces its own message.
deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's check base-valid.yaml with conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

The check fails because the image comes from an untrusted source.

In the Rego file we define a deny block. When it evaluates to true, that is treated as a violation. If there are several deny blocks, conftest evaluates them independently of one another, and any of them being true is treated as a violation.

Besides the default output, conftest supports JSON, TAP and table formats, which is very handy if you want to feed reports into an existing CI pipeline. You can set the desired format with the --output flag.

To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest parses the given policy files.

Conftest policies can be published and shared through OCI (Open Container Initiative) registries as artifacts.

The push and pull commands let you publish an artifact or fetch an existing artifact from a registry. Let's try publishing the policy we created to a local Docker registry using conftest push.

Start your local Docker registry:

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run the conftest pull command in it. It downloads the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file appears in the temporary directory:

$ tree
.
└── policy
    └── check_image_registry.rego

Checks can be run directly against the registry:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, Docker Hub is not supported yet. So consider yourself lucky if you use Azure Container Registry (ACR) or your own registry.

The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to run checks from existing OPA bundles.

You can read more about policy sharing and other conftest features on the official project website.

6. Polaris

The last tool discussed in this article is Polaris. (We have already translated its announcement from last year; translator's note.)

Polaris can be installed in a cluster or used in command-line mode. As you might have guessed, it lets you statically analyze Kubernetes manifests.

When run in command-line mode, built-in checks are available that cover areas such as security and best practices (similar to kube-score). In addition, you can create your own checks (as in config-lint, copper and conftest).

In other words, Polaris combines the advantages of both categories of tools: built-in and custom checks.

To install Polaris in command-line mode, follow the instructions on the project website.

At the time the original article was written, version 1.0.3 was available.

Once installation is complete, you can run polaris on the base-valid.yaml manifest with the following command:

$ polaris audit --audit-path base-valid.yaml

It prints JSON with a detailed description of the checks performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris identifies issues where the manifest does not follow best practices:

  • No pod health checks.
  • Container image tags not specified.
  • The container runs as root.
  • Memory and CPU requests and limits not defined.

Each check, depending on its result, is assigned a severity level: warning or danger. To learn more about the available built-in checks, see the documentation.

If the details are not needed, you can pass the --format score flag. In that case Polaris prints a number from 1 to 100, the score:

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the degree of conformance. If you look at the exit code of the polaris audit command, it turns out to be 0.

You can make polaris audit exit with a non-zero code using two flags:

  • The --set-exit-code-below-score flag takes a threshold value in the range 1-100 as its argument. The command then exits with code 4 if the score is below the threshold. This is very useful when you have a specific threshold (say 75) and want to be alerted when the score drops below it.
  • The --set-exit-code-on-danger flag makes the command fail with exit code 3 if any of the danger checks fails.
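The built-in checks of kube-score and Polaris, and the two Polaris exit-code flags just described, come down to a list of predicates with a severity each, a pass ratio, and a mapping from the outcome to a process exit code that CI can act on. The Python below is an added example, not code from the article, kube-score or Polaris; the check identifiers follow the Polaris configuration keys shown later in the article (cpuRequestsMissing, cpuLimitsMissing), but which other identifiers Polaris has, the predicates, the plain pass-percentage score and the precedence of exit code 3 over 4 are this example's own assumptions. It also shows one detail that is easy to get wrong in a custom check: runAsNonRoot may be set at pod level and is inherited by every container, so a check that only reads the container's securityContext reports false positives.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str      # "warning" or "danger", as in a Polaris config
    container: str
    passed: bool


def _has_resource(c: dict, kind: str, resource: str) -> bool:
    return resource in c.get("resources", {}).get(kind, {})


def _run_as_non_root(c: dict, pod: dict) -> bool:
    """Container-level runAsNonRoot overrides the pod-level value."""
    pod_value = pod.get("securityContext", {}).get("runAsNonRoot")
    return c.get("securityContext", {}).get("runAsNonRoot", pod_value) is True


# (check id, severity, predicate that is True when the container passes).
# Ids mirror Polaris config keys; their existence and exact semantics in
# Polaris are an assumption of this example.
CHECKS = [
    ("readinessProbeMissing", "warning", lambda c, p: "readinessProbe" in c),
    ("livenessProbeMissing", "warning", lambda c, p: "livenessProbe" in c),
    ("cpuRequestsMissing", "warning", lambda c, p: _has_resource(c, "requests", "cpu")),
    ("memoryRequestsMissing", "warning", lambda c, p: _has_resource(c, "requests", "memory")),
    ("cpuLimitsMissing", "warning", lambda c, p: _has_resource(c, "limits", "cpu")),
    ("memoryLimitsMissing", "warning", lambda c, p: _has_resource(c, "limits", "memory")),
    ("runAsRootAllowed", "danger", _run_as_non_root),
    ("privilegeEscalationAllowed", "danger",
     lambda c, p: c.get("securityContext", {}).get("allowPrivilegeEscalation") is False),
    ("notReadOnlyRootFilesystem", "warning",
     lambda c, p: c.get("securityContext", {}).get("readOnlyRootFilesystem") is True),
]


def audit(doc: dict) -> List[Finding]:
    """Run every check against every container of a Pod or pod-template workload."""
    spec = doc["spec"]
    pod = spec if doc.get("kind") == "Pod" else spec["template"]["spec"]
    return [Finding(check, sev, c["name"], bool(ok(c, pod)))
            for c in pod.get("containers", []) for check, sev, ok in CHECKS]


def score(findings: List[Finding]) -> int:
    """Pass percentage, 0-100 (Polaris's own weighting is not reproduced)."""
    return round(100 * sum(f.passed for f in findings) / len(findings)) if findings else 100


def exit_code(findings: List[Finding], min_score: Optional[int] = None,
              fail_on_danger: bool = False) -> int:
    """CI gate modelled on --set-exit-code-on-danger (3) and
    --set-exit-code-below-score (4); danger takes precedence here."""
    if fail_on_danger and any(f.severity == "danger" and not f.passed for f in findings):
        return 3
    if min_score is not None and score(findings) < min_score:
        return 4
    return 0


def deployment(container: dict, pod_security: Optional[dict] = None) -> dict:
    """Constructed manifest builder wrapping one container in a Deployment."""
    pod = {"containers": [container]}
    if pod_security:
        pod["securityContext"] = pod_security
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
            "spec": {"selector": {"matchLabels": {"app": "http-echo"}},
                     "template": {"metadata": {"labels": {"app": "http-echo"}}, "spec": pod}}}


# Constructed samples: the article's manifest, a partly fixed one, and a hardened one.
PROBE = {"httpGet": {"path": "/", "port": 5678}}
RESOURCES = {"requests": {"cpu": "50m", "memory": "64Mi"}, "limits": {"cpu": "100m", "memory": "128Mi"}}
BASE_VALID = deployment({"name": "http-echo", "image": "hashicorp/http-echo"})
PARTIAL = deployment({"name": "http-echo", "image": "my-company.com/http-echo:1.0",
                      "resources": RESOURCES, "readinessProbe": PROBE, "livenessProbe": PROBE})
HARDENED = deployment({**PARTIAL["spec"]["template"]["spec"]["containers"][0],
                       "securityContext": {"allowPrivilegeEscalation": False,
                                           "readOnlyRootFilesystem": True}},
                      pod_security={"runAsNonRoot": True})   # inherited by the container

if __name__ == "__main__":
    for name, doc in (("base-valid", BASE_VALID), ("partial", PARTIAL), ("hardened", HARDENED)):
        found = audit(doc)
        print(name, "score", score(found), "exit", exit_code(found, min_score=75, fail_on_danger=True))
        for f in found:
            if not f.passed:
                print(f"  [{f.severity.upper()}] {f.container}: {f.check}")
```

With no flags the gate returns 0 even for the article's manifest, which is the behaviour observed above with polaris audit; the partly fixed manifest scores 67 and is stopped either by a threshold of 75 (exit 4) or by its failed danger checks (exit 3).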

Now let's try to create a custom check that verifies the image is pulled from a trusted repository. Custom checks are defined in YAML, and the check itself is described with JSON Schema.

The following YAML snippet describes a new check called checkImageRepo:

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company\.com/.+$

Let's look at it more closely:

  • successMessage: this string is printed if the check succeeds;
  • failureMessage: this message is shown when the check fails;
  • category: one of the categories Images, Health Checks, Security, Networking and Resources;
  • target: determines which type of object (spec) the check is applied to. Possible values: Container, Pod or Controller;
  • The check itself is described in the schema object using JSON Schema. The key word in this check is pattern, which is used to compare the image source with the required one. Remember to escape the dot in the host name (my-company\.com): in a regular expression an unescaped dot matches any character, so an image from my-companyXcom/ would pass as well.

To run the check above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company\.com/.+$

(polaris-conf.yaml)

Let's go through the file:

  • The checks field lists the checks and their severity level. Since we want to be notified when an image is pulled from an untrusted source, we set the level to danger here.
  • The checkImageRepo check itself is then registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit with the YAML manifest that needs checking.

Let's check our base-valid.yaml manifest:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command ran only the custom check defined above, and it failed.

If you change the image to my-company.com/http-echo:1.0, Polaris completes successfully. The manifest with this change is already in the repository, so you can run the previous command against the image-valid-mycompany.yaml manifest.

Now the question arises: how do you run the built-in checks together with custom ones? Simple! You just add the identifiers of the built-in checks to the configuration file. As a result it takes the following form:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company\.com/.+$

(config_with_custom_check.yaml)

An example of a complete configuration file is available here.

To check the base-valid.yaml manifest with both built-in and custom checks, use the command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris complements the built-in checks with custom ones, thus combining the best of both worlds.

On the other hand, the inability to use more powerful languages such as Rego or JavaScript may be a limiting factor for writing complex checks.

More information about Polaris is available on the project website.

Summary

While there are many tools available for checking and validating Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and carried out.

For example, if you take Kubernetes manifests passing through a pipeline, kubeval can be the first step in such a pipeline. It watches whether the object definitions conform to the Kubernetes API schema.

Once that check is done, one can move on to more elaborate checks, such as conformance to standard best practices and specific policies. This is where kube-score and Polaris come in handy.

For those with complex requirements who need to customize checks in detail, copper, config-lint and conftest are suitable.

Config-lint defines custom checks in YAML and conftest in Rego, while copper gives you access to a full programming language, which makes it an attractive choice.

On the other hand, is it worth using one of these tools and thus creating all the checks by hand, or choosing Polaris and adding only what is missing? There is no clear answer to this question.

The table below gives a brief description of each tool:

Tool | Purpose | Drawbacks | Custom checks
kubeval | Validates YAML manifests against a specific version of the API schema | Cannot handle CRDs | No
kube-score | Analyzes YAML manifests against best practices | You cannot choose the Kubernetes API version to check resources against | No
copper | General framework for writing custom JavaScript checks for YAML manifests | No built-in checks. Poor documentation | Yes
config-lint | General framework for writing checks in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform) | No ready-made checks. The built-in assertions and functions may be insufficient | Yes
conftest | Framework for writing your own checks in Rego (a special query language). Allows sharing policies as OCI bundles | No built-in checks. Rego has to be learned. Docker Hub is not supported for publishing policies | Yes
Polaris | Reviews YAML manifests against standard best practices. Lets you write your own checks using JSON Schema | Custom checks based on JSON Schema may be insufficient | Yes

Because these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you filter source files and give quick feedback to the authors of pull requests in a project.

PS evela kumguquleli

Funda nakwibhlog yethu:

Source: www.habr.com
