Translator's note: With the growing number of YAML configurations for K8s environments, the need for their automated validation becomes ever more pressing. The author of this review not only selected the existing solutions to this problem, but also examined how they work, using a Deployment as an example. It turned out to be very informative for anyone interested in the topic.
TL;DR: This article compares six static tools for validating and evaluating Kubernetes YAML files against best practices and requirements.
Kubernetes workloads are defined as YAML documents. One of the problems with YAML is how hard it is to express constraints or relationships between manifest files.
What if we need to make sure that every image deployed to the cluster comes from a trusted registry?
How can we prevent Deployments that have no PodDisruptionBudget from being deployed to the cluster?
Integrating static checks lets you identify errors and policy violations at the development stage. This increases confidence that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.
The ecosystem of static checking tools for Kubernetes YAML files can be divided into the following categories:
- API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
- Ready-made checkers. Tools in this category come with pre-built checks for security, adherence to best practices, and so on.
- Custom validators. Tools in this category let you write your own checks in various languages, for example Rego and JavaScript.
In this article we describe and compare six different tools:
- kubeval;
- kube-score;
- config-lint;
- copper;
- conftest;
- polaris.
Well, let's get started!
Checking the Deployment
Before we start comparing the tools, let's create a baseline manifest to test them on.
The manifest below contains a number of errors and departures from best practices: how many of them can you find?
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(base-valid.yaml)
We will use this YAML to compare the different tools.
The manifest above, base-valid.yaml, and the other manifests in this article can be found in the Git repository.
The manifest describes a web application whose main task is to respond with a "Hello World" message on port 5678. It can be deployed with the following command:
kubectl apply -f base-valid.yaml
And then check that it works:
kubectl port-forward svc/http-echo 8080:5678
Now go to
1. Kubeval
At the heart of
At the time the original article was written, version 0.15.0 was available.
Once installed, let's feed it the manifest above:
$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)
If validation succeeds, kubeval exits with code 0. You can check it as follows:
$ echo $?
0
Now let's try kubeval with a different manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(kubeval-invalid.yaml)
Can you spot the problem by eye? Let's run it:
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# check the return code
$ echo $?
1
The resource fails validation.
Deployments using API version apps/v1 must include a selector matching the pod labels. The manifest above lacks the selector, so kubeval reported an error and exited with a non-zero code.
I wonder what happens if I run kubectl apply -f with this manifest?
Well, let's try:
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false
This is exactly the error kubeval warned about. You can fix it by adding the selector:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:            # !!!
    matchLabels:       # !!!
      app: http-echo   # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(base-valid.yaml)
The advantage of tools like kubeval is that errors like this are caught early in the deployment cycle.
In addition, these checks don't require access to a cluster; they can be performed offline.
By default, kubeval validates resources against the latest Kubernetes API schema. However, in most cases you will want to validate against a specific Kubernetes release. This is done with the --kubernetes-version flag:
$ kubeval --kubernetes-version 1.16.1 base-valid.yaml
Note that the version must be specified in Major.Minor.Patch format.
For the list of versions supported for validation, see --schema-location.
In addition to individual YAML files, kubeval can work with directories and stdin.
kubeval also integrates easily into a CI pipeline. Those who want to run the checks before pushing manifests to the cluster will be glad to know that kubeval supports three output formats:
- plain text;
- JSON;
- Test Anything Protocol (TAP).
And any of these formats can be used for further parsing of the output to produce a summary of the results in the desired form.
One limitation of kubeval is that it currently cannot check compliance for Custom Resource Definitions (CRDs). However, it is possible to configure kubeval
kubeval is a great tool for checking and validating resources; however, it should be stressed that passing its checks does not guarantee that the resource follows best practices.
For example, using the latest tag on a container does not follow best practices. However, kubeval does not consider this a mistake and does not report it. That is, validation of such YAML completes without warnings.
But what if you want to evaluate the YAML and identify violations like the latest tag? How do you check a YAML file against best practices?
2. Kube-score
- Running the container as a non-root user.
- The presence of pod health checks.
- Setting resource requests and limits.
Based on the check results, three outcomes are possible: OK, WARNING and CRITICAL.
You can try kube-score online or install it locally.
At the time the original article was written, the latest kube-score version was 1.7.0.
Let's try it on our base-valid.yaml manifest:
$ kube-score score base-valid.yaml
apps/v1/Deployment http-echo
    [CRITICAL] Container Image Tag
        · http-echo -> Image with latest tag
            Using a fixed tag is recommended to avoid accidental upgrades
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching network policy
            Create a NetworkPolicy that targets this pod
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It is also used during
            rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · http-echo -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Resources
        · http-echo -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · http-echo -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · http-echo -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without
            crashing. Set resources.requests.cpu
        · http-echo -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing.
            Set resources.requests.memory
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
            maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes unavailable.
The YAML passes kubeval's checks, while kube-score points out the following flaws:
- Readiness checks are not configured.
- No requests or limits for CPU and memory.
- No pod disruption budget is defined.
- No separation (anti-affinity) rules to increase availability.
- The container runs as root.
These are all valid points about shortcomings that must be addressed to make the Deployment more efficient and reliable.
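The checks kube-score just reported, reimplemented as an added example (this is not kube-score's code or the article's): it runs over the manifests after they have been parsed into dicts (as yaml.safe_load_all would return them; base-valid.yaml is written out inline), includes the cross-resource PodDisruptionBudget lookup from the question at the top of the article, and harden() applies the fixes so that the same checks pass. The probe path, resource figures and the :1.0 tag used by harden() are illustrative assumptions.

```python
# Added example (not code from kube-score or from the article): the checks kube-score
# reported above, over manifests already parsed into dicts, e.g. by yaml.safe_load_all.
import copy
from typing import Any, Dict, List

# Constructed: the article's base-valid.yaml (Deployment + Service) as parsed YAML.
BASE_VALID: List[Dict[str, Any]] = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "http-echo"},
     "spec": {"replicas": 2,
              "selector": {"matchLabels": {"app": "http-echo"}},
              "template": {"metadata": {"labels": {"app": "http-echo"}},
                           "spec": {"containers": [
                               {"name": "http-echo", "image": "hashicorp/http-echo",
                                "args": ["-text", "hello-world"],
                                "ports": [{"containerPort": 5678}]}]}}}},
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "http-echo"},
     "spec": {"ports": [{"port": 5678, "protocol": "TCP", "targetPort": 5678}],
              "selector": {"app": "http-echo"}}},
]


def _selector_matches(selector: Dict[str, Any], labels: Dict[str, str]) -> bool:
    """True when every matchLabels pair of the selector is present in the pod labels."""
    match = selector.get("matchLabels") or {}
    return bool(match) and all(labels.get(k) == v for k, v in match.items())


def check_container(owner: str, c: Dict[str, Any]) -> List[str]:
    """Per-container checks: mutable image tag, readiness probe, resources, non-root."""
    who = f"{owner}/{c['name']}"
    findings = []
    image = c.get("image", "")
    # The tag is what follows the last ':' of the final path component; a digest pins the image.
    tag = "" if "@" in image else image.rsplit("/", 1)[-1].partition(":")[2]
    if "@" not in image and tag in ("", "latest"):
        findings.append(f"{who}: image {image!r} uses a mutable tag")
    if "readinessProbe" not in c:
        findings.append(f"{who}: readinessProbe is not set")
    resources = c.get("resources") or {}
    for section in ("requests", "limits"):
        for kind in ("cpu", "memory"):
            if kind not in (resources.get(section) or {}):
                findings.append(f"{who}: resources.{section}.{kind} is not set")
    if not (c.get("securityContext") or {}).get("runAsNonRoot"):
        findings.append(f"{who}: securityContext.runAsNonRoot is not set")
    return findings


def check_deployment(deploy: Dict[str, Any], docs: List[Dict[str, Any]]) -> List[str]:
    """Deployment-level checks, including the cross-resource PodDisruptionBudget lookup."""
    name = deploy["metadata"]["name"]
    template = deploy["spec"]["template"]
    pod_labels = template.get("metadata", {}).get("labels", {})
    findings = []
    for c in template["spec"].get("containers", []):
        findings.extend(check_container(name, c))
    # A PDB only protects these pods if its selector matches the pod template labels.
    pdbs = [d for d in docs if d.get("kind") == "PodDisruptionBudget"]
    if not any(_selector_matches(p["spec"].get("selector", {}), pod_labels) for p in pdbs):
        findings.append(f"{name}: no matching PodDisruptionBudget")
    if not (template["spec"].get("affinity") or {}).get("podAntiAffinity"):
        findings.append(f"{name}: podAntiAffinity is not set")
    return findings


def score(docs: List[Dict[str, Any]]) -> List[str]:
    """Run the checks over every Deployment in a multi-document manifest."""
    findings = []
    for d in docs:
        if d.get("kind") == "Deployment":
            findings.extend(check_deployment(d, docs))
    return findings


def harden(docs: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Copy of docs with the fixes kube-score asks for; the concrete values are illustrative."""
    out = copy.deepcopy(docs)
    for d in [x for x in out if x.get("kind") == "Deployment"]:
        template = d["spec"]["template"]
        for c in template["spec"]["containers"]:
            if "@" not in c["image"] and ":" not in c["image"].rsplit("/", 1)[-1]:
                c["image"] += ":1.0"  # pin a tag instead of relying on the implicit :latest
            port = (c.get("ports") or [{}])[0].get("containerPort", 80)
            c.setdefault("readinessProbe", {"httpGet": {"path": "/", "port": port}})
            c["resources"] = {"requests": {"cpu": "50m", "memory": "32Mi"},
                              "limits": {"cpu": "100m", "memory": "64Mi"}}
            c["securityContext"] = {"runAsNonRoot": True, "allowPrivilegeEscalation": False}
        # Spread replicas over nodes so one node failure does not take the app down.
        template["spec"]["affinity"] = {"podAntiAffinity": {
            "requiredDuringSchedulingIgnoredDuringExecution": [
                {"labelSelector": d["spec"]["selector"], "topologyKey": "kubernetes.io/hostname"}]}}
        out.append({"apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
                    "metadata": {"name": d["metadata"]["name"]},
                    "spec": {"minAvailable": 1, "selector": d["spec"]["selector"]}})
    return out
```

score(BASE_VALID) yields nine findings (the tag, the probe, four resource fields, runAsNonRoot, the PDB and anti-affinity), and score(harden(BASE_VALID)) yields none.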
The kube-score command displays the information in human-readable form, including all WARNING and CRITICAL violations, which is very helpful during development.
Those who want to use the tool inside a CI pipeline can get more compact output with the --output-format ci flag (in this case, checks with an OK result are shown as well):
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
Like kubeval, kube-score returns a non-zero exit code when a CRITICAL check fails. You can enable the same behaviour for WARNING as well.
It is also possible to check resources for compliance with different API versions (as with kubeval). However, this information is hard-coded in kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a serious problem if you are about to upgrade your cluster, or if you have several clusters running different K8s versions.
Note that there is already an issue proposing to implement this feature.
More information about kube-score can be found here
kube-score's checks are a great tool for enforcing best practices, but what if you need to change a check or add your own rules? Alas, that cannot be done.
kube-score is not extensible: you cannot add policies to it or adjust them.
If you want to write custom checks to verify compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest or polaris.
3. Config-lint
Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files and Kubernetes manifests.
You can install it using
The current release at the time the original article was written was 1.5.0.
Config-lint has no built-in checks for validating Kubernetes manifests.
To run any checks, you have to create the appropriate rules. They are written in YAML files called "rulesets" and have the following structure:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  # list of rules
(rule.yaml)
Let's look at it in more detail:
- The type field specifies which type of configuration config-lint will check. For K8s manifests this is always Kubernetes.
- The files field, in addition to individual files, can name a directory.
- The rules field is for defining user checks.
Let's say you want to make sure that images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. A config-lint rule performing such a check could look like this:
- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"
(rule-trusted-repo.yaml)
Each rule must have the following attributes:
- id - a unique identifier for the rule;
- severity - one of FAILURE, WARNING and NON_COMPLIANT;
- message - if the rule is violated, the contents of this line are displayed;
- resource - the resource type this rule applies to;
- assertions - a list of conditions to be checked against this resource.
In the rule above, the assertion named every checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (that is, images starting with my-company.com/).
The complete ruleset looks like this:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY   # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"
(ruleset.yaml)
To try the check, let's save it as check_image_repo.yaml. Let's run the check against base-valid.yaml:
$ config-lint -rules check_image_repo.yaml base-valid.yaml
[
  {
    "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
    "Category": "",
    "CreatedAt": "2020-06-04T01:29:25Z",
    "Filename": "test-data/base-valid.yaml",
    "LineNumber": 0,
    "ResourceID": "http-echo",
    "ResourceType": "Deployment",
    "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
    "RuleMessage": "Deployment must use a valid image repository",
    "Status": "FAILURE"
  }
]
The check fails. Now let's check the following manifest, which has the correct image repository:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0   # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
(image-valid-mycompany.yaml)
We run the same check against the manifest above. No problems are found:
$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]
Config-lint is a promising framework that lets you create your own checks to validate Kubernetes YAML manifests using a YAML DSL.
But what if you need more complex logic and checks? Isn't YAML too limited for that? What if you could write checks in a full-fledged programming language?
4. Copper
However, it differs from the latter in that it does not use YAML to describe checks. Checks are written in JavaScript instead. Copper provides a library with several basic tools that help you read information about Kubernetes objects and report errors.
Installation steps for Copper can be found in
2.0.1 was the latest release of this tool at the time the original article was written.
Like config-lint, Copper has no built-in checks. Let's write one. Let it check that Deployments use container images exclusively from trusted repositories such as my-company.com.
Create a file check_image_repo.js with the following content:
// $$ holds every object parsed from the input file; $ is one object at a time.
$$.forEach(function($){
  if ($.kind === 'Deployment') {
    $.spec.template.spec.containers.forEach(function(container) {
      // DockerImage and errors are Copper built-ins (see the helper list below).
      var image = new DockerImage(container.image);
      if (image.registry.lastIndexOf('my-company.com/') != 0) {
        errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
      }
    });
  }
});
Now, to check our base-valid.yaml manifest, use the copper validate command:
$ copper validate --in=base-valid.yaml --validator=check_image_repo.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed
Obviously, with Copper you can perform more complex checks, for example checking domain names in Ingress manifests or rejecting pods running in privileged mode.
Copper has several built-in helpers:
- DockerImage reads the specified input file and creates an object with the following attributes: name - the image name, tag - the image tag, registry - the image registry, registry_url - the protocol (https://) plus the image registry, fqin - the fully qualified image location.
- The findByName function helps find a resource by the given type (kind) and name (name) in the input file.
- The findByLabels function helps find a resource by the given type (kind) and labels (labels).
You can see all the available helper functions
By default, it loads the whole input YAML file into the $$ variable and makes it available to the script (a familiar technique for those with jQuery experience).
The main advantage of Copper is obvious: you don't need to learn a specialized language, and you can use the various features of JavaScript to write your checks, such as string interpolation, functions, and so on.
It should also be noted that the current version of Copper works with the ES5 version of the JavaScript engine, not ES6.
Details are available in
However, if you are not a fan of JavaScript and prefer a language designed specifically for writing queries and describing policies, you should pay attention to conftest.
5. Conftest
Conftest is a framework for testing configuration data. It is also suitable for testing/validating Kubernetes manifests. Checks are described using a specialized query language
You can install conftest using
At the time the original article was written, the latest available version was 0.18.2.
Like config-lint and copper, conftest comes with no built-in checks. Let's try it out and write our own policy. As in the previous examples, we will check whether the container images come from a trusted source.
Create a directory conftest-checks and, inside it, a file named check_image_registry.rego with the following content:
package main

deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}
Now let's check base-valid.yaml using conftest:
$ conftest test --policy ./conftest-checks base-valid.yaml
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure
The check fails because the image comes from an untrusted source.
In the Rego file we define a deny block. Its evaluating to true is treated as a violation. If there are several deny blocks, conftest checks them independently of one another, and any block evaluating to true is treated as a violation.
In addition to the default output, conftest supports JSON, TAP and table formats, a very useful feature if you need to embed the reports into an existing CI pipeline. You can set the desired format with the --output flag.
To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest parses the specified policy files.
Conftest policies can be published and shared via OCI (Open Container Initiative) registries as artifacts.
The push and pull commands let you publish an artifact to, or fetch an existing artifact from, a remote registry. Let's try publishing the policy we created to a local Docker registry using conftest push.
Start your local Docker registry:
$ docker run -it --rm -p 5000:5000 registry
In another terminal, go to the conftest-checks directory you created earlier and run the following command:
$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
If the command succeeds, you will see a message like this:
2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c
Now create a temporary directory and run conftest pull in it. It will download the bundle created by the previous command:
$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
A policy subdirectory will appear in the temporary directory, containing our policy file:
$ tree
.
└── policy
    └── check_image_registry.rego
The checks can be run directly from the repository:
$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure
Unfortunately, DockerHub is not yet supported. So consider yourself lucky if you use
The artifact format is the same as
You can read more about policy sharing and other conftest features
6. Polaris
The last tool covered in this article
Polaris can be installed in the cluster or used in command-line mode. As you might have guessed, it lets you statically analyze Kubernetes manifests.
When running in command-line mode, built-in checks are available that cover areas such as security and best practices (similar to kube-score). In addition, you can write your own checks (as with config-lint, copper and conftest).
In other words, Polaris combines the advantages of both categories of tools: it has both built-in and custom checks.
To install Polaris in command-line mode, use
At the time the original article was written, version 1.0.3 was available.
Once installation is complete, you can run polaris against the base-valid.yaml manifest with the following command:
$ polaris audit --audit-path base-valid.yaml
It outputs a JSON string with a detailed description of the checks performed and their results. The output has the following structure:
{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}
The full output is available
Like kube-score, Polaris identifies issues in areas where the manifest does not meet best practices:
- No health checks for the pods.
- Container image tags are not specified.
- The container runs as root.
- Memory and CPU requests and limits are not set.
Each check, depending on its results, is assigned a criticality level: warning or danger. To learn more about the available built-in checks, see
If details are not needed, you can pass the --format score flag. In this case Polaris outputs a number from 1 to 100, the score:
$ polaris audit --audit-path test-data/base-valid.yaml --format score
68
The closer the score is to 100, the higher the level of compliance. If you check the exit code of the polaris audit command, it turns out to be 0.
You can force polaris audit to exit with a non-zero code using two flags:
- The --set-exit-code-below-score flag takes a threshold value in the range 1-100 as its argument. In this case the command exits with code 4 if the score is below the threshold. This is very useful when you have a particular threshold (say 75) and need to be alerted if the score drops below it.
- The --set-exit-code-on-danger flag causes the command to fail with code 3 if any of the danger checks fails.
Now let's try writing a custom check that verifies the image is pulled from a trusted repository. Custom checks are defined in YAML, and the check itself is described using JSON Schema.
The following YAML snippet describes a new check called checkImageRepo:
checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$
Let's take a closer look:
- successMessage - this line is printed if the check succeeds;
- failureMessage - this message is shown on failure;
- category - indicates one of the categories: Images, Health Checks, Security, Networking and Resources;
- target - determines what kind of object (spec) the check applies to. Possible values: Container, Pod or Controller;
- the check itself is described in the schema object using JSON Schema. The key element of this check is the pattern, which is used to compare the image source with the required one.
To run the check above, you need to create the following Polaris configuration:
checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$
(polaris-conf.yaml)
Let's break the file down:
- The checks field lists the checks and their criticality level. Since we want to be warned when an image is taken from an untrusted source, we set the level to danger here.
- The checkImageRepo check itself is then registered in the customChecks object.
Save the file as custom_check.yaml. Now you can run polaris audit against the YAML manifest that needs checking.
Let's check our base-valid.yaml manifest:
$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml
The polaris audit command ran only the custom check defined above, and it failed.
If you change the image to my-company.com/http-echo:1.0, Polaris completes successfully. The manifest with that change is already in image-valid-mycompany.yaml.
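The trusted-registry rule that the config-lint, Copper, conftest and Polaris sections all express as a string prefix test, as an added example (not code from the article or from any of those tools): it parses the image reference the way the Docker client resolves it, so a reference with no host is recognised as docker.io, and registry, tag and digest come out of one normalization step. The sample containers and the digest value are constructed; my-company.com is the trusted host from the article.

```python
# Added example: normalizing container image references before a trusted-registry
# check. Not from the article or from config-lint/Copper/conftest/Polaris.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

DEFAULT_REGISTRY = "docker.io"   # what `docker pull` uses when no host is given
TRUSTED: FrozenSet[str] = frozenset({"my-company.com"})  # the article's trusted host


@dataclass(frozen=True)
class ImageRef:
    registry: str             # host[:port], never empty after normalization
    repository: str           # path inside the registry, e.g. "library/nginx"
    tag: Optional[str]        # None when the reference carries no tag
    digest: Optional[str]     # "sha256:..." when pinned by digest

    @property
    def mutable(self) -> bool:
        """Untagged or :latest references can change without the manifest changing."""
        return self.digest is None and self.tag in (None, "latest")


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference following the rules the Docker client applies."""
    rest, _, digest = ref.partition("@")
    first, slash, remainder = rest.partition("/")
    # The first component is a registry only if it looks like a host: it has a dot
    # or a port, or is "localhost". Otherwise the whole path is a Docker Hub repo.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, remainder
    else:
        registry, path = DEFAULT_REGISTRY, rest
        if "/" not in path:
            path = "library/" + path   # official images live under library/
    name, sep, tag = path.rpartition(":")
    if not sep:                        # no tag separator at all
        name, tag = path, ""
    return ImageRef(registry, name, tag or None, digest or None)


def image_from_trusted_registry(ref: str, trusted: FrozenSet[str] = TRUSTED) -> bool:
    """Exact host comparison after normalization, not a raw string prefix."""
    return parse_image_ref(ref).registry in trusted


def audit_containers(containers: List[Dict[str, str]],
                     trusted: FrozenSet[str] = TRUSTED) -> List[str]:
    """Findings for a pod's containers: untrusted registry and unpinned image."""
    findings = []
    for c in containers:
        img = parse_image_ref(c["image"])
        if img.registry not in trusted:
            findings.append(f"{c['name']}: {c['image']!r} resolves to registry "
                            f"{img.registry!r}, which is not trusted")
        if img.mutable:
            findings.append(f"{c['name']}: {c['image']!r} is not pinned "
                            f"(tag {img.tag or 'latest'})")
    return findings


# Constructed sample: the article's two images plus a look-alike host and a digest pin.
SAMPLE_CONTAINERS = [
    {"name": "http-echo", "image": "hashicorp/http-echo"},
    {"name": "http-echo-fixed", "image": "my-company.com/http-echo:1.0"},
    {"name": "lookalike", "image": "my-company.com.evil.example/http-echo:1.0"},
    {"name": "pinned", "image": "my-company.com/http-echo@sha256:" + "0" * 64},
]
```

If you keep a raw prefix test instead, keep the trailing slash as the article's rules do, otherwise a look-alike host such as my-company.com.evil.example/... passes; note also that in the Polaris pattern ^my-company.com/.+$ the dots are unescaped and match any character.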
Now the question arises: how to run the built-in and custom checks together? Easily! You just need to add the identifiers of the built-in checks to the configuration file. As a result, it takes the following form:
checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger   # !!!
customChecks:
  checkImageRepo:          # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$
(config_with_custom_check.yaml)
An example of the complete configuration file is available
To check the base-valid.yaml manifest with both the built-in and the custom checks, use the command:
$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml
Polaris complements its built-in checks with custom ones, combining the best of both worlds.
On the other hand, the inability to use more powerful languages like Rego or JavaScript can be a limiting factor for writing complex checks.
More information about Polaris is available at
Summary
While there are many tools available for checking and evaluating Kubernetes YAML files, it is important to have a clear picture of how the checks will be designed and executed.
For example, if you take Kubernetes manifests passing through a pipeline, kubeval could be the first step in such a pipeline. It would check whether the object definitions conform to the Kubernetes API schema.
Once such a check has passed, one could move on to more sophisticated checks, such as compliance with standard best practices and specific policies. This is where kube-score and Polaris come in handy.
For those with complex requirements who need to customize checks in detail, copper, config-lint and conftest are suitable.
Conftest and config-lint use YAML to define custom checks, while copper gives you access to a full-fledged programming language, making it quite attractive.
On the other hand, is it worth using one of these tools and therefore writing all the checks by hand, or choosing Polaris and adding to it only what is missing? There is no clear answer to this question.
The table below gives a brief description of each tool:
Tool | Purpose | Limitations | Custom checks
---- | ------- | ----------- | -------------
kubeval | Validates YAML manifests against a specific version of the API schema | Cannot work with CRDs | no
kube-score | Analyzes YAML manifests against best practices | You cannot choose the Kubernetes API version to check the resources against | no
copper | General framework for writing custom JavaScript checks for YAML manifests | No built-in checks. Poor documentation | yes
config-lint | General framework for writing checks in a domain-specific language embedded in YAML. Supports various configuration formats (for example, Terraform) | No ready-made checks. The built-in assertions and functions may be insufficient | yes
conftest | Framework for writing your own checks using Rego (a specialized query language). Allows sharing policies as OCI bundles | No built-in checks. You have to learn Rego. Docker Hub is not supported for publishing policies | yes
Polaris | Analyzes YAML manifests against standard best practices. Lets you write your own checks using JSON Schema | The capabilities of JSON Schema-based checks may be insufficient | yes
Because these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you filter source files and give fast feedback to the authors of pull requests in a project.
PS from the translator
Also read on our blog:
- "Polaris is introduced to keep Kubernetes clusters healthy";
- "Vim with YAML support for Kubernetes";
- "7 best practices for using containers according to Google".
Source: www.habr.com