Validating Kubernetes YAML against best practices and policies

Translator's note: With the growing number of YAML configurations for K8s environments, the need to validate them automatically becomes ever more pressing. The author of this review not only selects existing solutions for the task, but also uses a Deployment as an example to see how they work. It is very informative for anyone interested in this topic.

TL;DR: This article compares six static tools that validate and evaluate Kubernetes YAML files against best practices and requirements.

Kubernetes workloads are usually defined as YAML documents. One of the problems with YAML is that it is hard to express constraints or relationships between manifest files.

What if we need to ensure that every image deployed to the cluster comes from a trusted registry?

How can I prevent Deployments without a PodDisruptionBudget from being applied to the cluster?

Integrating static testing lets you catch errors and policy violations at the development stage. This raises confidence that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.

The ecosystem of static Kubernetes YAML checkers can be split into the following categories:

  • API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
  • Ready-made tests. Tools in this category ship with prepared checks for security, compliance with best practices, and so on.
  • Custom validators. Tools in this category let you write your own checks in different languages, for example Rego and JavaScript.

In this article we describe and compare six different tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. polaris.

Well, let's get started!

Checking Deployments

Before we start comparing the tools, let's create a baseline to test them against.

The manifest below contains a number of errors and deviations from best practices: how many of them can you spot?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the various tools.

The base-valid.yaml manifest above and the other manifests from this article can be found in the Git repository.

The manifest describes a web application whose main job is to respond with the message "Hello World" on port 5678. It can be deployed with the following command:

kubectl apply -f base-valid.yaml

And then check the service:

kubectl port-forward svc/http-echo 8080:5678

Now open http://localhost:8080 and confirm that the application is running. But does it follow best practices? Let's check.

1. Kubeval

The idea at the heart of kubeval is that every interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are on the project website.

At the time the original article was written, version 0.15.0 was available.

Once it is installed, let's feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

On success, kubeval exits with code 0. You can check this as follows:

$ echo $?
0

Now let's try kubeval with a different manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the exit code
$ echo $?
1

The manifest failed validation.

Deployments using the apps/v1 API version must have a selector that matches the pod labels. The manifest above does not include a selector, so kubeval reported an error and exited with a non-zero code.

What would happen if I ran kubectl apply -f with this manifest?

Well, let's try:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding a selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of tools like kubeval is that errors of this kind are caught early in the deployment cycle.

In addition, these checks do not need access to a cluster; they can run offline.

By default, kubeval checks resources against the latest Kubernetes API schema. In many cases, however, you need to check against a specific Kubernetes release. This can be done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be given in Major.Minor.Patch format.

For the list of versions for which validation is supported, refer to the JSON schemas on GitHub that kubeval uses for validation. If you need to run kubeval offline, download the schemas and point to their local location with the --schema-location flag.

Besides individual YAML files, kubeval can also work with directories and stdin.

Kubeval also integrates easily into a CI pipeline. Those who want to run checks before pushing manifests to a cluster will be glad to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be parsed further to produce a summary of the results in whatever form you need.
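As an added example (not part of the original article and not kubeval's own code), the following Python script parses the TAP stream that kubeval can emit (its --output tap option) and turns it into a CI verdict. The TAP lines below are constructed to mirror the plain-text results shown earlier; kubeval's exact wording is not relied upon, only the TAP structure of a 1..N plan and ok / not ok lines. The grouping by file name assumes, as in the output above, that each description starts with the manifest's file name.

```python
"""
Added example: parse kubeval's TAP output and decide the CI job status.
Not part of the article or of kubeval; the sample TAP text is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# TAP result line: "ok 1 - description" or "not ok 3 - description"
LINE_RE = re.compile(r"^(not ok|ok)\s+(\d+)(?:\s*-\s*(.*))?$")
# TAP plan line: "1..N"
PLAN_RE = re.compile(r"^1\.\.(\d+)$")


@dataclass
class TapResult:
    number: int
    passed: bool
    description: str


@dataclass
class TapSummary:
    planned: int = 0
    results: List[TapResult] = field(default_factory=list)

    @property
    def failures(self) -> List[TapResult]:
        return [r for r in self.results if not r.passed]

    def complete(self) -> bool:
        """A truncated stream (e.g. the tool crashed mid-run) must not look like a pass."""
        return self.planned == len(self.results)

    def exit_code(self) -> int:
        return 0 if self.complete() and not self.failures else 1


def parse_tap(text: str) -> TapSummary:
    """Read plan and result lines; diagnostics ('# ...') and anything else are ignored."""
    summary = TapSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = PLAN_RE.match(line)
        if m:
            summary.planned = int(m.group(1))
            continue
        m = LINE_RE.match(line)
        if m:
            summary.results.append(TapResult(int(m.group(2)), m.group(1) == "ok", m.group(3) or ""))
    return summary


def failures_by_file(summary: TapSummary) -> Dict[str, List[str]]:
    """Group failing descriptions by the manifest they mention (assumed to be the first word)."""
    grouped: Dict[str, List[str]] = {}
    for r in summary.failures:
        filename = r.description.split(" ", 1)[0] if r.description else "<unknown>"
        grouped.setdefault(filename, []).append(r.description)
    return grouped


# Constructed sample, modelled on the kubeval results shown in the article.
SAMPLE_TAP = """1..3
ok 1 - base-valid.yaml contains a valid Deployment (http-echo)
ok 2 - base-valid.yaml contains a valid Service (http-echo)
not ok 3 - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
"""

if __name__ == "__main__":
    summary = parse_tap(SAMPLE_TAP)
    for filename, messages in failures_by_file(summary).items():
        print(f"{filename}: {len(messages)} failing check(s)")
        for message in messages:
            print("  -", message)
    raise SystemExit(summary.exit_code())
```

The completeness check matters in CI: if kubeval is killed or crashes after printing two of three planned results, a naive "no 'not ok' lines" rule would pass the job.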

One drawback of kubeval is that it currently cannot validate Custom Resource Definitions (CRDs). It is possible, however, to configure kubeval to ignore them.

Kubeval is a great tool for checking and evaluating resources; it should be stressed, though, that passing its checks does not guarantee that a resource follows best practices.

For example, using the latest tag for a container image is not a best practice. Yet kubeval does not treat this as an error and does not report it: validating such a YAML finishes without a warning.

But what if you want to evaluate the YAML and flag violations such as the latest tag? How do you check a YAML file against best practices?

2. Kube-score

Kube-score analyses YAML manifests and evaluates them against built-in checks. These checks are chosen based on security guidelines and best practices, such as:

  • Running containers as non-root.
  • Presence of pod health checks.
  • Setting resource requests and limits.

Depending on the outcome of a check, one of three results is given: OK, WARNING or CRITICAL.

You can try kube-score online or install it locally.

At the time the original article was written, the latest version of kube-score was 1.7.0.

Let's try it on our base-valid.yaml manifest:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passed kubeval's checks, while kube-score points out the following defects:

  • Readiness probes are not configured.
  • No requests or limits for CPU and memory.
  • No PodDisruptionBudget is specified.
  • No anti-affinity rules to maximize availability.
  • No security context is set, so nothing prevents the container from running as root.

These are all valid points about weaknesses that need to be addressed to make the Deployment robust and reliable.
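To show what checks like these actually inspect, here is an added example (my own code, not from the article or from kube-score): a minimal policy checker in plain Python that implements several of the checks listed above (trusted registry, pinned image tag, security context, resource requests and limits, readiness probe) over already-parsed Kubernetes manifests. Assumptions of this example: the trusted registry is my-company.com (the same one the article uses later for its custom checks), the check names and severities are mine, and the manifests are given as Python dicts, i.e. the YAML already parsed. With PyYAML installed, list(yaml.safe_load_all(open(path))) produces that input.

```python
"""
Added example: a small best-practice checker over parsed Kubernetes manifests.
Not part of the article or of kube-score; sample manifests are constructed.
"""
from typing import List, Tuple

TRUSTED_REGISTRY = "my-company.com/"   # assumed corporate registry prefix

Finding = Tuple[str, str, str]         # (severity, check name, message)

WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob")


def pod_containers(doc: dict) -> List[dict]:
    """Return the containers of a workload manifest (empty for Services etc.)."""
    spec = doc.get("spec") or {}
    if doc.get("kind") == "Pod":
        return spec.get("containers", [])
    if doc.get("kind") == "CronJob":          # pod template is nested one level deeper
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    if doc.get("kind") in WORKLOAD_KINDS:
        return ((spec.get("template") or {}).get("spec") or {}).get("containers", [])
    return []


def check_image(c: dict) -> List[Finding]:
    out: List[Finding] = []
    image = c.get("image", "")
    if not image.startswith(TRUSTED_REGISTRY):
        out.append(("CRITICAL", "TrustedRegistry", f"{c['name']}: image {image!r} is not from {TRUSTED_REGISTRY}"))
    # Look only at the last path component so a registry port (host:5000/x) is not mistaken for a tag.
    # "repo/name" without a tag is pulled as :latest; "@sha256:..." digests are the most pinned form.
    last = image.rsplit("/", 1)[-1]
    if "@" not in last and (":" not in last or last.endswith(":latest")):
        out.append(("CRITICAL", "ImageTag", f"{c['name']}: image {image!r} is not pinned (latest)"))
    return out


def check_security_context(c: dict) -> List[Finding]:
    sc = c.get("securityContext") or {}
    out: List[Finding] = []
    if sc.get("runAsNonRoot") is not True:
        out.append(("CRITICAL", "RunAsNonRoot", f"{c['name']}: securityContext.runAsNonRoot is not true"))
    if sc.get("allowPrivilegeEscalation", True):    # the Kubernetes default is true
        out.append(("WARNING", "PrivilegeEscalation", f"{c['name']}: allowPrivilegeEscalation is not false"))
    if sc.get("privileged"):
        out.append(("CRITICAL", "Privileged", f"{c['name']}: container is privileged"))
    return out


def check_resources(c: dict) -> List[Finding]:
    res = c.get("resources") or {}
    return [("CRITICAL", "Resources", f"{c['name']}: resources.{section}.{r} is not set")
            for section in ("requests", "limits") for r in ("cpu", "memory")
            if r not in (res.get(section) or {})]


def check_probes(c: dict) -> List[Finding]:
    if "readinessProbe" in c:
        return []
    return [("CRITICAL", "ReadinessProbe", f"{c['name']}: readinessProbe is missing")]


CHECKS = (check_image, check_security_context, check_resources, check_probes)


def audit(docs: List[dict]) -> List[Finding]:
    return [f for doc in docs for c in pod_containers(doc) for check in CHECKS for f in check(c)]


def exit_code(findings: List[Finding], fail_on=("CRITICAL",)) -> int:
    """Same convention as kube-score and conftest: non-zero when a blocking finding exists."""
    return 1 if any(sev in fail_on for sev, _, _ in findings) else 0


# The article's base-valid.yaml as parsed YAML (constructed here as dicts).
BASE_VALID = [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
     "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "http-echo"}},
              "template": {"metadata": {"labels": {"app": "http-echo"}},
                           "spec": {"containers": [{"name": "http-echo", "image": "hashicorp/http-echo",
                                                    "args": ["-text", "hello-world"],
                                                    "ports": [{"containerPort": 5678}]}]}}}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "http-echo"},
     "spec": {"ports": [{"port": 5678, "protocol": "TCP", "targetPort": 5678}], "selector": {"app": "http-echo"}}},
]

# A hardened variant of the same container that satisfies every check above (constructed).
HARDENED = [{"kind": "Deployment", "spec": {"template": {"spec": {"containers": [{
    "name": "http-echo", "image": "my-company.com/http-echo:1.0",
    "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
    "resources": {"requests": {"cpu": "50m", "memory": "32Mi"}, "limits": {"cpu": "100m", "memory": "64Mi"}},
    "readinessProbe": {"httpGet": {"path": "/", "port": 5678}}}]}}}}]

if __name__ == "__main__":
    findings = audit(BASE_VALID)
    for sev, check, msg in findings:
        print(f"[{sev}] {check}: {msg}")
    raise SystemExit(exit_code(findings))
```

Two details are worth copying into real policies: the tag check looks only at the last path component, so a registry port such as my-company.com:5000/app is not mistaken for a tag, and an image with no tag at all is treated the same as :latest, because that is what the kubelet pulls.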

The kube-score command shows the information in human-readable form with every WARNING and CRITICAL violation, which is very helpful during development.

Those who want to use the tool in a CI pipeline can make the output more compact with the --output-format ci flag (in this case, checks with an OK result are shown as well):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Like kubeval, kube-score returns a non-zero exit code when a check fails with CRITICAL. The same behaviour can also be enabled for WARNING.

It is also possible to check resources for compliance with different API versions (as in kubeval). However, this information is hard-coded in kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a real problem if you plan to upgrade your cluster or run several clusters with different K8s versions.

Note that there is already an issue proposing to implement this capability.

More information about kube-score is available on the official website.

Kube-score's checks are a great tool for enforcing best practices, but what if you need to modify a check or add rules of your own? Alas, this cannot be done.

Kube-score is not extensible: you cannot add policies to it or modify the existing ones.

If you need to write custom checks to enforce company policies, you can use one of the following four tools: config-lint, copper, conftest or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform and CSV configuration files as well as Kubernetes manifests.

It can be installed following the instructions on the project website.

The current release at the time the original article was written was 1.5.0.

Config-lint has no built-in checks for validating Kubernetes manifests.

To run any checks, you have to create the corresponding rules. They are written in YAML files called rulesets, which have the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's look at it more closely:

  • The type field specifies what kind of configuration config-lint will check. For K8s manifests this is always Kubernetes.
  • In the files field, besides individual files, you can also specify a directory.
  • The rules field holds the user-defined checks.

Say you want to make sure that images in a Deployment are always pulled from a trusted registry, such as my-company.com/myapp:1.0. The config-lint rule that performs this check looks like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Each rule must have the following attributes:

  • id - a unique identifier of the rule;
  • severity - one of FAILURE, WARNING and NON_COMPLIANT;
  • message - if the rule is violated, the contents of this line are shown;
  • resource - the resource kind the rule applies to;
  • assertions - the list of conditions that will be evaluated against this resource.

In the rule above, the every assertion checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (i.e. ones starting with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To try the check, let's save the ruleset as check_image_repo.yaml and run it against the base-valid.yaml file:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check fails. Now let's check the following manifest, which uses the correct image repository:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

We run the same check against the manifest above. No problems are found:

$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]

Config-lint is a promising framework that lets you write your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more expressive and sophisticated checks? Isn't YAML too limited for that? What if you could write checks in a full programming language?

4. Copper

Copper V2 is a framework for validating manifests using custom checks (similar to config-lint).

It differs from the latter, however, in that it does not use YAML to describe checks. Checks are written in JavaScript instead. Copper provides a library with a number of basic helpers that let you read information about Kubernetes objects and report errors.

Installation steps for Copper can be found in the official documentation.

2.0.1 was the latest release of this tool at the time the original article was written.

Like config-lint, Copper has no built-in checks. Let's write one. It will check that Deployments use container images exclusively from trusted registries such as my-company.com.

Create a file check_image_repo.js with the following content:

// $$ holds every document of the input file; $ is one of them.
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            var image = new DockerImage(container.image);
            // image.registry holds only the registry host (no trailing slash),
            // so compare it with the expected host directly
            if (image.registry !== 'my-company.com') {
                errors.add_error('no_company_repo', "Image " + $.metadata.name + " is not from my-company.com repo", 1);
            }
        });
    }
});

Now, to check our base-valid.yaml manifest, use the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_repo.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Clearly, with copper you can write more complex checks, for example checking domain names in Ingress manifests or rejecting pods that run in privileged mode.

Copper has several useful built-in helpers:

  • DockerImage parses the given image reference and creates an object with the following attributes:
    • name - the image name,
    • tag - the image tag,
    • registry - the image registry,
    • registry_url - the protocol (https://) and the image registry,
    • fqin - the fully qualified image name.
  • The findByName function finds a resource by the given kind and name in the input file.
  • The findByLabels function finds a resource by the given kind and labels.

You can see all the available helper functions here.

By default it loads the entire input YAML file into the $$ variable and makes it available to the script (a familiar pattern for those with jQuery experience).

The main advantage of Copper is obvious: you do not need to master a specialised language and can use many JavaScript features to write your own checks, such as string interpolation, functions, and so on.

Note too that the current version of Copper runs on an ES5 JavaScript engine, not ES6.

Details are on the project's official website.

However, if you do not really like JavaScript and prefer a language designed specifically for writing queries and describing policies, you should look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing and validating Kubernetes manifests. Checks are described using a special policy language, Rego.

You can install conftest following the instructions listed on the project website.

At the time the original article was written, the latest available version was 0.18.2.

Like config-lint and copper, conftest ships without any built-in checks. Let's try it out and write our own policy. As in the previous examples, we will check that container images come from a trusted source.

Create a directory conftest-checks, and in it a file named check_image_registry.rego with the following content:

package main

deny[msg] {

  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's run base-valid.yaml through conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

The check fails as expected, because the image comes from an untrusted source.

In the Rego file we defined a deny block. When it evaluates to true, that is treated as a violation. If there are several deny blocks, conftest evaluates them independently of each other, and any one of them being true is treated as a violation.

Besides the default output, conftest supports the JSON, TAP and table formats, a very useful feature if you need to embed reports in an existing CI pipeline. You can set the desired format with the --output flag.

To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest evaluates the specified policy files.

Conftest policies can be published and shared through OCI (Open Container Initiative) registries as artifacts.

The push and pull commands let you publish an artifact or fetch an existing one from a remote registry. Let's try publishing the policy we created to a local Docker registry using conftest push.

Start your local Docker registry:

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run the conftest pull command in it. It downloads the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file appears in the temporary directory:

$ tree
.
└── policy
  └── check_image_registry.rego

Checks can also be run directly from the registry:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, Docker Hub is not supported yet. So consider yourself lucky if you use Azure Container Registry (ACR) or your own registry.

The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to run checks from existing OPA bundles.

You can learn more about policy sharing and other conftest features on the project's official website.

6. Polaris

The last tool discussed in this article is Polaris. (We translated last year's announcement earlier - translator's note.)

Polaris can be installed in a cluster or used in command-line mode. As you might have guessed, it lets you analyse Kubernetes manifests statically.

When run in command-line mode, built-in checks are available that cover areas such as security and best practices (like kube-score). In addition, you can write your own checks (as in config-lint, copper and conftest).

In other words, Polaris combines the advantages of both tool categories: built-in and custom checks.

To install Polaris in command-line mode, use the instructions on the project website.

At the time the original article was written, version 1.0.3 was available.

Once installation is complete, you can run polaris on the base-valid.yaml manifest with the following command:

$ polaris audit --audit-path base-valid.yaml

It produces a JSON document with a detailed description of the checks performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris identifies problems in areas where the manifest does not meet best practices:

  • No health checks for the pods.
  • No tags are specified for the container images.
  • The container runs as root.
  • Requests and limits for memory and CPU are not specified.

Each check, depending on its result, is assigned a severity level: warning or danger. To learn more about the built-in checks, refer to the documentation.

If the details are not needed, you can pass the --format score flag. In this case Polaris prints a number from 1 to 100, the score:

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the degree of compliance. If you check the exit code of the polaris audit command, it turns out to be 0.

You can make polaris audit exit with a non-zero code using two flags:

  • The --set-exit-code-below-score flag takes a threshold in the range 1-100 as its argument. The command then exits with code 4 if the score is below the threshold. This is very useful when you have a threshold (say 75) and need to be alerted if the score drops below it.
  • The --set-exit-code-on-danger flag makes the command fail with code 3 if any danger-level check fails.

Now let's try to create a custom check that verifies whether the image is taken from a trusted repository. Custom checks are specified in YAML format, and the check itself is described using JSON Schema.

The following YAML snippet describes a new check called checkImageRepo:

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company\.com/.+$   # escaped dot, so that "my-companyXcom/" does not match

Let's look at it in detail:

  • successMessage - this line is printed if the check completes successfully;
  • failureMessage - this message is shown in case of failure;
  • category - indicates one of the categories: Images, Health Checks, Security, Networking and Resources;
  • target - determines which kind of object (spec) the check applies to. Possible values: Container, Pod or Controller;
  • The check itself is specified in the schema object using JSON Schema. The key element of this check is the pattern used to compare the image source with the required one. Note that the pattern is a regular expression: the dot in the registry name must be escaped (my-company\.com), because an unescaped dot matches any character and a registry such as my-companyXcom/ would otherwise pass the check. The leading ^ anchor is what stops a registry like evil.example/my-company.com/ from matching.

To run the check above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company\.com/.+$   # escaped dot, so that "my-companyXcom/" does not match

(polaris-conf.yaml)

Let's go through the file:

  • The checks field lists the checks and their severity level. Since we want the audit to fail when an image is pulled from an untrusted source, we set the level here to danger.
  • The check checkImageRepo itself is then registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit with the YAML manifest that needs validating.

Let's test our base-valid.yaml manifest:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command runs only the custom check specified above, and it fails.

If you change the image to my-company.com/http-echo:1.0, Polaris completes successfully. The manifest with this change is already in the repository, so you can run the previous command against the image-valid-mycompany.yaml manifest.

Now the question arises: how do you run the built-in checks together with custom ones? Easily! You just need to add the identifiers of the built-in checks to the configuration file. As a result, it takes the following form:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company\.com/.+$   # escaped dot, so that "my-companyXcom/" does not match

(config_with_custom_check.yaml)

An example of a complete configuration file is available here.

To check the base-valid.yaml manifest with both the built-in and the custom checks, you can use the command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris supplements the built-in checks with custom ones, thus combining the best of both worlds.

On the other hand, the inability to use more powerful languages such as Rego or JavaScript can be a limiting factor that prevents the creation of more sophisticated checks.

More information about Polaris is available on the project website.

Summary

While there are many tools for checking and evaluating Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and run.

For example, if you take Kubernetes manifests passing through a pipeline, kubeval could be the first step in that pipeline. It checks that object definitions conform to the Kubernetes API schema.

Once that review is complete, one can move on to more sophisticated checks, such as compliance with standard best practices and specific policies. This is where kube-score and Polaris come in handy.

For those with complex requirements who need to customise checks in detail, copper, config-lint and conftest are suitable.

Config-lint uses a YAML DSL to define custom checks, conftest uses the Rego policy language, and copper gives you access to a full programming language, which makes it an attractive choice.

On the other hand, is it worth using one of these tools and, consequently, writing all checks by hand, or is it preferable to use Polaris and add only what you need? There is no definite answer to this question.

The table below gives a brief description of each tool:

Tool        | Purpose                                                                                                                              | Shortcomings                                                                                    | Custom checks
------------|--------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|--------------
kubeval     | Validates YAML manifests against a specific version of the API schema                                                                | Cannot work with CRDs                                                                           | No
kube-score  | Analyses YAML manifests against best practices                                                                                       | Cannot choose the Kubernetes API version to check resources against                             | No
copper      | General framework for writing custom JavaScript checks for YAML manifests                                                            | No built-in checks. Sparse documentation                                                        | Yes
config-lint | General framework for writing checks in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform) | No ready-made checks. The built-in assertions and functions may be insufficient          | Yes
conftest    | Framework for writing your own checks using Rego (a special policy language). Allows policy sharing through OCI bundles              | No built-in checks. Rego has to be learned. Docker Hub is not supported when publishing policies | Yes
Polaris     | Checks YAML manifests against standard best practices. Lets you write your own checks using JSON Schema                              | The JSON Schema-based checks may be insufficient                                                | Yes

Because these tools do not rely on access to a Kubernetes cluster, they are easy to set up. They let you filter source files and give quick feedback to the authors of pull requests in projects.


Source: www.habr.com
