I-ProHoster > Блог > Ukuphatha > Helm Security

Helm Security

Umongo wendaba emayelana nomphathi wephakheji odume kakhulu we-Kubernetes ungavezwa kusetshenziswa i-emoji:

  • ibhokisi elithi Helm (okuyinto eseduze kakhulu nokukhishwa kwakamuva kwe-Emoji);
  • ukukhiya - ukuphepha;
  • indoda encane iyisixazululo senkinga.

Helm Security

Eqinisweni, yonke into izoba yinkimbinkimbi, futhi indaba igcwele imininingwane yezobuchwepheshe mayelana Indlela yokwenza i-Helm iphephe.

  • Kafushane ukuthi yini iHelm uma ungazi noma ukhohlwe. Ixazulula ziphi izinkinga futhi itholakala kuphi ku-ecosystem.
  • Ake sibheke i-Helm architecture. Ayikho ingxoxo emayelana nokuphepha kanye nendlela yokwenza ithuluzi noma isixazululo sivikeleke kakhulu eqediwe ngaphandle kokuqonda ukwakheka kwengxenye.
  • Ake sixoxe ngezingxenye ze-Helm.
  • Umbuzo oshisa kakhulu yikusasa - inguqulo entsha ye-Helm 3. 

Yonke into kulesi sihloko isebenza ku-Helm 2. Le nguqulo iyakhiqizwa okwamanje futhi cishe yiyona oyisebenzisayo njengamanje, futhi iyinguqulo equkethe ubungozi bokuphepha.


Mayelana nesipikha: Alexander Khayorov (allxx) isineminyaka engu-10 ithuthuka, isiza ukuthuthukisa okuqukethwe I-Moscow Python Conf++ futhi wajoyina ikomidi Helm Summit. Manje usebenza e-Chainstack njengomholi wezokuthuthukiswa - lokhu kuyingxube phakathi komphathi wezokuthuthukiswa komuntu onomthwalo wemfanelo wokuletha okukhishwe kokugcina. Okusho ukuthi, itholakala enkundleni yempi, lapho yonke into eyenzekayo kusukela ekudalweni komkhiqizo kuya ekusebenzeni kwawo.

I-Chainstack iyisiqalo esincane, esikhula ngenkuthalo umgomo wayo uwukwenza amaklayenti akhohlwe ngengqalasizinda kanye nobunzima bokusebenzisa izinhlelo zokusebenza ezihlukaniselwe izwe; ithimba lokuthuthukisa liseSingapore. Ungaceli i-Chainstack ukuthi ithengise noma ithenge i-cryptocurrency, kodwa zinikeze ukukhuluma ngezinhlaka ze-blockchain yebhizinisi, futhi bayokuphendula ngenjabulo.

Helm

Lona umphathi wephakheji (ishadi) le-Kubernetes. Indlela enembile nesebenza jikelele yokuletha izinhlelo zokusebenza kuqoqo le-Kubernetes.

Helm Security

Yebo, sikhuluma ngendlela ehlelekile kakhulu neyezimboni kunokudala eyakho i-YAML ebonisa nokubhala izinsiza ezincane.

I-Helm iyona engcono kunazo zonke etholakalayo futhi edumile.

Kungani Helm? Ikakhulukazi ngoba isekelwa yi-CNCF. I-Cloud Native iyinhlangano enkulu futhi iyinkampani engumzali yamaphrojekthi i-Kubernetes, njlld, i-Fluentd namanye.

Elinye iqiniso elibalulekile ukuthi i-Helm iphrojekthi ethandwa kakhulu. Lapho ngiqala ukukhuluma ngendlela yokwenza iHelm ivikeleke ngoJanuwari 2019, iphrojekthi yayinezinkanyezi eziyinkulungwane ku-GitHub. NgoMeyi base beyizinkulungwane eziyi-12.

Abantu abaningi banentshisekelo ku-Helm, ngakho-ke noma ungayisebenzisi okwamanje, uzozuza ekwazini ngokuvikeleka kwayo. Ukuphepha kubalulekile.

Ithimba eliyinhloko le-Helm lisekelwa i-Microsoft Azure ngakho-ke iphrojekthi ezinzile, ngokungafani nezinye eziningi. Ukukhishwa kweHelm 3 Alpha 2 maphakathi noJulayi kukhombisa ukuthi baningi impela abantu abasebenza kuphrojekthi, futhi banesifiso namandla okuthuthukisa nokwenza ngcono iHelm.

Helm Security

I-Helm ixazulula izinkinga ezimbalwa zezimpande zokuphathwa kohlelo lokusebenza ku-Kubernetes.

  • Ukupakishwa kohlelo. Ngisho nohlelo oluthi “Sawubona, Umhlaba” ku-WordPress seluvele luqukethe izinsiza ezimbalwa, futhi ufuna ukuzihlanganisa ndawonye.
  • Ukuphatha ukuxaka okuza nokuphatha lezi zinhlelo zokusebenza.
  • Umjikelezo wempilo ongapheli ngemva kokufakwa noma ukusetshenziswa kohlelo lokusebenza. Iyaqhubeka iphila, idinga ukubuyekezwa, futhi i-Helm iyasiza ngalokhu futhi izama ukuletha izinyathelo ezifanele nezinqubomgomo zalokhu.

Ukufaka isikhwama ihlelwe ngendlela ecacile: kunemethadatha ehambisana ngokugcwele nomsebenzi womphathi wephakheji evamile we-Linux, Windows noma i-MacOS. Okungukuthi, inqolobane, ukuncika kumaphakheji ahlukahlukene, imininingwane yemetha yezinhlelo zokusebenza, izilungiselelo, izici zokumisa, ukukhomba ulwazi, njll. I-Helm ikuvumela ukuthi uthole futhi ukusebenzise konke lokhu ezinhlelweni zokusebenza.

Ukuphathwa Okuyinkimbinkimbi. Uma unezinhlelo zokusebenza eziningi zohlobo olufanayo, kudingeka ipharamitha. Izifanekiso zivela kulokhu, kodwa ukuze ugweme ukuza nendlela yakho yokwakha izifanekiso, ungasebenzisa lokho uHelm akunikezayo ngaphandle kwebhokisi.

Isicelo Lifecycle Management - ngokubona kwami, lo ngumbuzo othakazelisa kakhulu futhi ongaxazululiwe. Yingakho ngize eHelm emuva kosuku. Besidinga ukubeka iso kumjikelezo wokuphila wohlelo lokusebenza futhi sifuna ukuhambisa i-CI/CD yethu nemijikelezo yohlelo lokusebenza kule paradigm.

I-Helm ikuvumela ukuthi:

  • lawula ukuthunyelwa, wethula umqondo wokumisa nokubukeza;
  • ukwenza ngempumelelo ukubuyisela emuva;
  • sebenzisa izingwegwe ezenzakalweni ezahlukene;
  • engeza ukuhlola kwezinhlelo zokusebenza ezengeziwe futhi uphendule emiphumeleni yabo.

Ngaphezu kwalokho I-Helm "inamabhethri" - inani elikhulu lezinto ezihlwabusayo ezingafakwa ngendlela yama-plugin, okwenza ukuphila kwakho kube lula. Ama-plugin angabhalwa ngokuzimela, ahlukanisiwe futhi awadingi ukwakheka okuvumelanayo. Uma ufuna ukwenza okuthile, ngincoma ukuthi ukwenze njenge-plugin, bese mhlawumbe ukuyifaka enhla nomfula.

I-Helm isuselwe emiqondweni emithathu eyinhloko:

  • Ishadi Repo - incazelo nohlu lwamapharamitha angenzeka ku-manifest yakho. 
  • Lungiselela —okungukuthi, amanani azosetshenziswa (umbhalo, amanani ezinombolo, njll.).
  • release iqoqa izingxenye ezimbili eziphezulu, futhi ndawonye ziphenduka zibe Ukukhululwa. Ukukhishwa kungenziwa inguqulo, ngaleyo ndlela kuzuzwe umjikelezo wempilo ohlelekile: kuncane ngesikhathi sokufakwa futhi kukhulu ngesikhathi sokuthuthukisa, ukwehlisa noma ukubuyisela emuva.

I-Helm Architecture

Umdwebo ubonisa ngokomqondo isakhiwo sezinga eliphezulu se-Helm.

Helm Security

Ake ngikukhumbuze ukuthi i-Helm yinto ehlobene ne-Kubernetes. Ngakho-ke, asikwazi ukwenza ngaphandle kweqoqo le-Kubernetes (unxande). Ingxenye ye-kube-apiserver ihlala phezu kwenkosi. Ngaphandle kweHelm sineKubeconfig. I-Helm iletha kanambambili eyodwa encane, uma ungayibiza kanjalo, i-Helm CLI utility, efakwe kukhompyutha, i-laptop, i-mainframe - kunoma yini.

Kodwa lokhu akwanele. I-Helm inengxenye yeseva ebizwa ngokuthi i-Tiller. Imele izintshisekelo ze-Helm ngaphakathi kweqoqo; iwuhlelo lokusebenza ngaphakathi kweqoqo le-Kubernetes, njenganoma yiliphi elinye.

Ingxenye elandelayo ye-Chart Repo iyinqolobane enamashadi. Kunenqolobane esemthethweni, futhi kungase kube nendawo yokugcina yangasese yenkampani noma iphrojekthi.

Ukusebenzisana

Ake sibheke ukuthi izingxenye zezakhiwo zisebenzisana kanjani uma sifuna ukufaka uhlelo lokusebenza sisebenzisa i-Helm.

  • Siyakhuluma Helm install, finyelela inqolobane (Ishadi Repo) futhi uthole ishadi le-Helm.

  • I-Helm Utility (Helm CLI) isebenzisana ne-Kubeconfig ukuze ithole ukuthi yiliphi iqoqo ongalithinta. 
  • Ngemva kokuthola lolu lwazi, insiza ibhekisela ku-Tiller, etholakala kuqoqo lethu, njengesicelo. 
  • I-Tiller ishayela u-Kube-apiserver ukuthi enze izenzo ku-Kubernetes, adale izinto ezithile (amasevisi, ama-pods, ama-replicas, izimfihlo, njll.).

Okulandelayo, sizohlanganisa umdwebo ukuze sibone i-vector yokuhlasela yonke i-Helm architecture yonke engavezwa kuyo. Bese sizozama ukumvikela.

I-vector yokuhlasela

Iphuzu lokuqala elingase libe buthaka liwukuthi privileged API-umsebenzisi. Njengengxenye yohlelo, lesi isigebengu esithole ukufinyelela komqondisi ku-Helm CLI.

Umsebenzisi we-API ongenamalungelo ingase futhi ibe yingozi uma isendaweni ethile eduzane. Umsebenzisi onjalo uzoba nomongo ohlukile, isibonelo, angalungiswa endaweni yegama yeqoqo elilodwa kuzilungiselelo ze-Kubeconfig.

Ivektha yokuhlasela ethakazelisa kakhulu ingaba inqubo ehlala phakathi kweqoqo endaweni ethile eduze neTiller futhi engakwazi ukuyifinyelela. Lokhu kungaba iseva yewebhu noma i-microservice ebona indawo yenethiwekhi yeqoqo.

Okuhlukile, kodwa okuya ngokuduma, okuhlukile kokuhlasela kubandakanya i-Chart Repo. Ishadi elidalwe umlobi ongathembekile lingase libe nezinsiza ezingaphephile, futhi uzoligcwalisa ngokuthatha ukholo. Noma lingangena esikhundleni seshadi olilandayo endaweni yokugcina esemthethweni futhi, isibonelo, lidale insiza ngendlela yezinqubomgomo futhi likhuphule ukufinyelela kwalo.

Helm Security

Ake sizame ukuvikela ukuhlaselwa kuzo zonke lezi zinhlangothi ezine futhi sithole ukuthi kukhona izinkinga ekwakhiweni kwe-Helm, futhi lapho, mhlawumbe, kungekho.

Ake sikhulise umdwebo, sengeze izakhi ezengeziwe, kodwa sigcine zonke izingxenye eziyisisekelo.

Helm Security

I-Helm CLI ixhumana ne-Chart Repo, ixhumana ne-Kubeconfig, futhi umsebenzi udluliselwa kuqoqo kungxenye yeTiller.

I-Tiller imelelwa izinto ezimbili:

  • I-Tiller-deploy svc, edalula isevisi ethile;
  • I-Tiller-deploy pod (emdwebeni wekhophi eyodwa ku-replica eyodwa), lapho wonke umthwalo ugijima, ofinyelela iqoqo.

Amaphrothokholi ahlukene kanye nezikimu zisetshenziselwa ukuxhumana. Ngokombono wezokuphepha, sinentshisekelo enkulu kulokhu:

  • Indlela i-Helm CLI efinyelela ngayo ku-repo yeshadi: iyiphi iphrothokholi, kukhona ukuqinisekiswa nokuthi yini engenziwa ngayo.
  • Iphrothokholi i-Helm CLI, esebenzisa i-kubectl, ixhumana ne-Tiller. Lena iseva ye-RPC efakwe ngaphakathi kweqoqo.
  • I-Tiller ngokwayo iyafinyeleleka kuma-microservices ahlala kuqoqo futhi axhumana ne-Kube-apiserver.

Helm Security

Ake sixoxe ngazo zonke lezi zindawo ngokulandelana kwazo.

I-RBAC

Asikho isidingo sokukhuluma nganoma yikuphi ukuphepha kwe-Helm nanoma iyiphi enye isevisi ngaphakathi kweqoqo ngaphandle kokuthi i-RBAC inikwe amandla.

Kubonakala sengathi lesi akusona isincomo sakamuva, kodwa nginesiqiniseko sokuthi abantu abaningi abakayivumeli i-RBAC ngisho nasekukhiqizeni, ngoba kunomsindo omkhulu futhi izinto eziningi zidinga ukulungiswa. Nokho, ngiyakukhuthaza ukuba wenze lokhu.

Helm Security

https://rbac.dev/ - Ummeli wewebhusayithi ye-RBAC. Iqukethe inani elikhulu lezinto ezithakazelisayo ezizokusiza ukuthi usethe i-RBAC, ibonise ukuthi kungani iyinhle nokuthi ungaphila kanjani nayo ekukhiqizeni.

Ngizozama ukuchaza ukuthi iTiller ne-RBAC basebenza kanjani. I-Tiller isebenza ngaphakathi kweqoqo ngaphansi kwe-akhawunti ethile yesevisi. Ngokuvamile, uma i-RBAC ingalungiselelwe, lokhu kuzoba umsebenzisi omkhulu. Ekucushweni okuyisisekelo, u-Tiller uzoba umlawuli. Yingakho ngokuvamile kuthiwa i-Tiller ingumhubhe we-SSH kuqoqo lakho. Eqinisweni, lokhu kuyiqiniso, ngakho ungasebenzisa i-akhawunti yesevisi ehlukile esikhundleni se-Akhawunti Yesevisi Ezenzakalelayo kumdwebo ongenhla.

Uma uqalisa i-Helm futhi uyifake kuseva okokuqala ngqa, ungasetha i-akhawunti yesevisi usebenzisa --service-account. Lokhu kuzokuvumela ukuthi usebenzise umsebenzisi onesethi encane yamalungelo adingekayo. Yiqiniso, kuzodingeka udale "i-garland" enjalo: Indima kanye ne-RoleBinding.

Helm Security

Ngeshwa, i-Helm ngeke ikwenzele lokhu. Wena noma umlawuli wakho weqoqo le-Kubernetes nidinga ukulungiselela isethi Yezindima kanye Nezibopho Zezindima ze-akhawunti yesevisi kusengaphambili ukuze nidlule i-Helm.

Umbuzo ophakamayo - uyini umehluko phakathi kweRole kanye ne-ClusterRole? Umehluko ukuthi i-ClusterRole isebenza kuzo zonke izikhala zamagama, ngokungafani ne-Roles evamile kanye ne-RoleBindings, esebenza kuphela endaweni yamagama ekhethekile. Ungakwazi ukumisa izinqubomgomo zalo lonke iqoqo nazo zonke izikhala zamagama, noma wenze kube ngokwakho indawo yamagama ngayinye ngayinye.

Kuhle ukusho ukuthi i-RBAC ixazulula enye inkinga enkulu. Abantu abaningi bakhala ngokuthi iHelm, ngeshwa, ayiyona i-multitenancy (ayisekeli i-multitenancy). Uma amaqembu amaningana edla iqoqo futhi asebenzisa i-Helm, empeleni akunakwenzeka ukusetha izinqubomgomo futhi ukhawulele ukufinyelela kwawo ngaphakathi kwaleli qoqo, ngoba kukhona i-akhawunti ethile yesevisi lapho i-Helm isebenza ngaphansi kwayo, futhi idala zonke izinsiza kuqoqo kusukela ngaphansi kwayo. , ngezinye izikhathi eziphazamisa kakhulu. Lokhu kuyiqiniso - njengefayela kanambambili uqobo, njengenqubo, IHelm Tiller ayinawo umqondo wokwenza izinto eziningi.

Nokho, kunendlela enhle ekuvumela ukuthi usebenzise iTiller izikhathi eziningi kuqoqo. Akunankinga ngalokhu, iTiller ingathulwa kuyo yonke indawo yamagama. Ngakho-ke, ungasebenzisa i-RBAC, i-Kubeconfig njengomongo, futhi ukhawulele ukufinyelela ku-Helm ekhethekile.

Kuzobukeka kanje.

Helm Security

Isibonelo, kukhona ama-Kubeconfigs amabili anomongo wamaqembu ahlukene (izikhala zamagama ezimbili): Ithimba le-X lethimba lokuthuthukisa kanye neqoqo lomlawuli. Iqoqo labaphathi lineTiller yalo ebanzi, etholakala endaweni yegama ye-Kube-system, i-akhawunti yesevisi ethuthukisiwe ngokuhambisanayo. Futhi indawo yamagama ehlukile yethimba lokuthuthukisa, bazokwazi ukuphakela izinsiza zabo endaweni yamagama ekhethekile.

Lena indlela esebenzisekayo, iTiller ayilambi amandla kangangokuthi izothinta kakhulu ibhajethi yakho. Lesi esinye sezixazululo ezisheshayo.

Zizwe ukhululekile ukulungisa i-Tiller ngokuhlukana futhi unikeze i-Kubeconfig nomxholo weqembu, kunjiniyela othile noma imvelo: I-Dev, Staging, Production (kuyangabazeka ukuthi konke kuzoba kuqoqo elifanayo, nokho, lokhu kungenziwa).

Siqhubeka nendaba yethu, masisuke ku-RBAC sikhulume nge-ConfigMaps.

I-ConfigMaps

I-Helm isebenzisa i-ConfigMaps njengesitolo sayo sedatha. Lapho sikhuluma ngezakhiwo, bekungekho idatha egciniwe noma kuphi lapho ingagcina khona ulwazi mayelana nokukhishwa, ukulungiselelwa, ukubuyisela emuva, njll. I-ConfigMaps isetshenziselwa lokhu.

Inkinga enkulu nge-ConfigMaps iyaziwa - ayiphephile ngokomthetho; akunakwenzeka ukugcina idatha ebucayi. Sikhuluma ngakho konke okungafanele kudlulele ngale kwenkonzo, isibonelo, amaphasiwedi. Indlela yomdabu kakhulu ye-Helm njengamanje ukushintsha ukusuka ekusebenziseni i-ConfigMaps uye kwezimfihlo.

Lokhu kwenziwa kalula kakhulu. Khipha ukulungiselelwa kweTiller futhi ucacise ukuthi isitoreji sizoba izimfihlo. Lapho-ke ekusetshenzisweni ngakunye ngeke uthole i-ConfigMap, kodwa imfihlo.

Helm Security

Ungase uphikise ngokuthi izimfihlo ngokwazo ziwumqondo ongavamile futhi azivikelekile kakhulu. Kodwa-ke, kufanelekile ukuqonda ukuthi abathuthukisi be-Kubernetes ngokwabo benza lokhu. Kusukela kunguqulo 1.10, i.e. Isikhathi eside manje, kuye kwenzeka, okungenani emafwini omphakathi, ukuxhuma isitoreji esifanele ukugcina izimfihlo. Ithimba manje lisebenzela izindlela zokusabalalisa kangcono ukufinyelela kwezimfihlo, ama-pods angawodwana, noma ezinye izinhlangano.

Kungcono ukudlulisa i-Store Helm kuzimfihlo, futhi zona, zivikelekile phakathi nendawo.

Impela izosala umkhawulo wokugcina idatha ongu-1 MB. I-Helm lapha isebenzisa njlld njengesitoreji esisabalalisiwe se-ConfigMaps. Futhi lapho bacabange ukuthi lesi kwakuyisiqephu sedatha esifanele sokuphindaphinda, njll. Kunengxoxo ethokozisayo mayelana nalokhu ku-Reddit, ngincoma ukuthi ngithole lokhu kufundwe okuhlekisayo ngempelasonto noma ukufunda okucashuniwe lapha.

Ishadi Repos

Amashadi yiwona asengozini kakhulu emphakathini futhi angaba umthombo "weNdoda ephakathi", ikakhulukazi uma usebenzisa isixazululo sesitoko. Okokuqala, sikhuluma ngamakhosombe adalulwa nge-HTTP.

Impela udinga ukudalula i-Helm Repo nge-HTTPS - lena inketho engcono kakhulu futhi ayibizi.

naka indlela yesiginesha yeshadi. Ubuchwepheshe bulula njengesihogo. Lena into efanayo oyisebenzisa ku-GitHub, umshini we-PGP ojwayelekile onokhiye basesidlangalaleni nabayimfihlo. Setha futhi uqiniseke, ngokuba nokhiye abadingekayo futhi usayine yonke into, ukuthi leli yishadi lakho ngempela.

Ngaphezu kwalokho, Iklayenti le-Helm lisekela i-TLS (hhayi ngomqondo we-HTTP wohlangothi lweseva, kodwa i-TLS ehlangene). Ungasebenzisa izinkinobho zeseva neklayenti ukuze uxhumane. Uma ngikhuluma iqiniso, angisebenzisi indlela enjalo ngoba angithandi izitifiketi ezihambisanayo. Empeleni, chartmuseum - ithuluzi eliyinhloko lokusetha i-Helm Repo ye-Helm 2 - futhi isekela i-auth eyisisekelo. Ungasebenzisa i-basic auth uma ilula futhi ithule.

Kukhona ne-plugin i-helm-gcs, okukuvumela ukuthi usingathe i-Chart Repos ku-Google Cloud Storage. Lokhu kulula kakhulu, kusebenza kahle futhi kuphephe kakhulu, ngoba zonke izindlela ezichaziwe zigaywa kabusha.

Helm Security

Uma unika amandla i-HTTPS noma i-TLS, sebenzisa i-mTLS, futhi unike amandla i-auth eyisisekelo ukuze uqhubeke unciphisa izingozi, uzothola isiteshi sokuxhumana esivikelekile ne-Helm CLI kanye ne-Chart Repo.

gRPC API

Isinyathelo esilandelayo sibaluleke kakhulu - ukuvikela iTiller, etholakala ku-cluster futhi, ngakolunye uhlangothi, iseva, ngakolunye uhlangothi, yona ngokwayo ifinyelela kwezinye izingxenye futhi izama ukuzenza umuntu.

Njengoba bese ngishilo, iTiller iyisevisi edalula i-gRPC, iklayenti le-Helm liza kuyo nge-gRPC. Ngokuzenzakalelayo, kunjalo, i-TLS ivaliwe. Kungani lokhu kwenziwa kuwumbuzo ongaxoxiswana ngawo, kubonakala kimina ukwenza lula ukusetha ekuqaleni.

Ngokukhiqiza ngisho nesiteji, ngincoma ukuthi uvule i-TLS ku-gRPC.

Ngokubona kwami, ngokungafani ne-mTLS yamashadi, lokhu kufanelekile lapha futhi kwenziwa kalula kakhulu - khiqiza ingqalasizinda ye-PQI, dala isitifiketi, uqalise iTiller, udlulise isitifiketi ngesikhathi sokuqalisa. Ngemva kwalokhu, ungakwazi ukukhipha yonke imiyalo ye-Helm, uzethule ngesitifiketi esikhiqiziwe nokhiye oyimfihlo.

Helm Security

Ngale ndlela uzozivikela kuzo zonke izicelo eziya kuTiller ngaphandle kweqoqo.

Ngakho-ke, sivikele isiteshi sokuxhuma ku-Tiller, sesixoxile kakade nge-RBAC futhi salungisa amalungelo e-Kubernetes apiserver, sehlisa isizinda esingasebenzisana naso.

I-Helm Evikelekile

Ake sibheke umdwebo wokugcina. Yisakhiwo esifanayo esinemicibisholo efanayo.

Helm Security

Konke ukuxhumeka manje kungadwetshwa ngokuphephile ngokuluhlaza:

  • ku-Chart Repo sisebenzisa i-TLS noma i-mTLS kanye ne-auth eyisisekelo;
  • mTLS yeTiller, futhi ivezwa njengesevisi ye-gRPC ene-TLS, sisebenzisa izitifiketi;
  • iqoqo lisebenzisa i-akhawunti yesevisi ekhethekile ene-Role kanye ne-RoleBinding. 

Silivikele kakhulu iqoqo, kodwa othile ohlakaniphile wathi:

"Kungaba nesixazululo esisodwa esiphephe ngokuphelele - ikhompuyutha evaliwe, etholakala ebhokisini likakhonkolo futhi egadiwe amasosha."

Kunezindlela ezihlukene zokukhohlisa idatha futhi uthole ama-vector amasha okuhlasela. Nokho, nginesiqiniseko sokuthi lezi zincomo zizofinyelela izinga eliyisisekelo lemboni lokuphepha.

Ibhonasi

Le ngxenye ayihlobene ngokuqondile nokuphepha, kodwa futhi izoba usizo. Ngizokukhombisa izinto ezithakazelisayo abantu abambalwa abazi ngazo. Isibonelo, indlela yokusesha amashadi - esemthethweni futhi engekho emthethweni.

Endaweni yokugcina github.com/helm/charts Manje kunamashadi angaba ngu-300 nemifudlana emibili: ezinzile kanye ne-incubator. Noma ubani onikelayo wazi kahle kamhlophe ukuthi kunzima kangakanani ukusuka ku-incubator uye esitebeleni, nokuthi kulula kangakanani ukundiza uphume esitebeleni. Kodwa-ke, leli akulona ithuluzi elingcono kakhulu lokucinga amashadi e-Prometheus nanoma yini enye oyithandayo, ngesizathu esisodwa esilula - akuyona ingosi lapho ungasesha khona amaphakheji kalula.

Kodwa kukhona inkonzo hub.helm.sh, okwenza kube lula kakhulu ukuthola amashadi. Okubaluleke kakhulu, ziningi ezinye izinqolobane zangaphandle kanye nezintelezi ezicishe zibe ngu-800 ezitholakalayo. Futhi, ungakwazi ukuxhuma inqolobane yakho uma ngesizathu esithile ungafuni ukuthumela amashadi akho ukuthi azinze.

Zama i-hub.helm.sh futhi masiyithuthukise ndawonye. Le sevisi ingaphansi kwephrojekthi ye-Helm, futhi ungakwazi ukufaka isandla ku-UI yayo uma ungunjiniyela osekupheleni futhi ufuna nje ukuthuthukisa ukubukeka.

Ngingathanda futhi ukukudonsela ukunaka kwakho Vula ukuhlanganiswa kwe-Service Broker API. Kuzwakala kunzima futhi kungacacile, kodwa kuxazulula izinkinga wonke umuntu abhekene nazo. Ake ngichaze ngesibonelo esilula.

Helm Security

Kukhona iqoqo le-Kubernetes lapho sifuna ukusebenzisa uhlelo lwakudala - WordPress. Ngokuvamile, isizindalwazi siyadingeka ukuze kusebenze ngokugcwele. Kukhona izixazululo eziningi ezahlukene, isibonelo, ungakwazi uqalise isevisi yakho statefull. Lokhu akulula kakhulu, kodwa abantu abaningi bayakwenza.

Abanye, njengathi kwa-Chainstack, basebenzisa isizindalwazi esiphethwe njenge-MySQL noma i-PostgreSQL kumaseva abo. Yingakho isizindalwazi sethu sitholakala ndawana thize efwini.

Kodwa kuphakama inkinga: sidinga ukuxhuma insizakalo yethu nesizindalwazi, sakhe ukunambitheka kwesizindalwazi, sidlulise imininingwane bese siyiphatha ngandlela thize. Konke lokhu kuvamise ukwenziwa ngesandla ngumlawuli wesistimu noma umthuthukisi. Futhi ayikho inkinga uma kunezicelo ezimbalwa. Uma ziziningi, udinga ukuhlanganisa. Kukhona isivuni esinjalo - yi-Service Broker. Ikuvumela ukuthi usebenzise i-plugin ekhethekile yeqoqo lefu lomphakathi futhi u-oda izinsiza kusuka kumhlinzeki nge-Broker, njengokungathi i-API. Ukuze wenze lokhu, ungasebenzisa amathuluzi omdabu we-Kubernetes.

Kulula kakhulu. Ungakwazi ukubuza, isibonelo, i-MySQL ephethwe e-Azure nge-base tier (lokhu kungalungiselelwa). Ngokusebenzisa i-Azure API, i-database izokwakhiwa futhi ilungiselelwe ukusetshenziswa. Awudingi ukuphazamisa lokhu, i-plugin inesibopho salokhu. Isibonelo, i-OSBA (i-plugin ye-Azure) izobuyisela imininingwane kusevisi futhi idlulisele ku-Helm. Uzokwazi ukusebenzisa i-WordPress nge-MySQL yamafu, ungasebenzisi imininingwane egciniwe ephethwe nhlobo futhi ungakhathazeki ngamasevisi aphelele ngaphakathi.

Singasho ukuthi iHelm isebenza njengeglue, ngakolunye uhlangothi, ikuvumela ukuthi usebenzise izinsizakalo, futhi ngakolunye, udle izinsiza zabahlinzeki bamafu.

Ungabhala i-plugin yakho futhi usebenzise yonke le ndaba endaweni. Khona-ke uzomane ube ne-plugin yakho yomhlinzeki we-Cloud wenkampani. Ngincoma ukuthi uzame le ndlela, ikakhulukazi uma unesilinganiso esikhulu futhi ufuna ukuphakela ngokushesha i-dev, isiteji, noma yonke ingqalasizinda yesici. Lokhu kuzokwenza impilo ibe lula ekusebenzeni kwakho noma i-DevOps.

Okunye okutholakele engivele ngikushilo i-helm-gcs plugin, okukuvumela ukuthi usebenzise amabhakede e-Google (isitoreji sento) ukuze ugcine amashadi e-Helm.

Helm Security

Udinga kuphela imiyalo emine ukuze uqale ukuyisebenzisa:

  1. faka i-plugin;
  2. yiqale;
  3. setha indlela eya ebhakedeni, etholakala ku-gcp;
  4. shicilela amashadi ngendlela evamile.

Ubuhle ukuthi indlela yomdabu ye-gcp izosetshenziselwa ukugunyazwa. Ungasebenzisa i-akhawunti yesevisi, i-akhawunti kanjiniyela, noma yini oyifunayo. Kulula kakhulu futhi akubizi lutho ukuyisebenzisa. Uma, njengami, ukhuthaza ifilosofi ye-opsless, khona-ke lokhu kuzoba lula kakhulu, ikakhulukazi emaqenjini amancane.

Ezinye izindlela

I-Helm akusona ukuphela kwesixazululo sokuphatha isevisi. Kunemibuzo eminingi ngakho, okungenzeka ukuthi kungani inguqulo yesithathu ivele ngokushesha. Yebo zikhona ezinye izindlela.

Lezi kungaba izixazululo ezikhethekile, isibonelo, Ksonnet noma Metaparticle. Ungasebenzisa amathuluzi akho akudala okuphatha ingqalasizinda (Ansible, Terraform, Chef, njll.) ngezinjongo ezifanayo nalezo engikhulume ngazo.

Ekugcineni kunesixazululo I-Operator Framework, odumo lwakhe luyakhula.

I-Operator Framework ingenye ye-Helm ephezulu okufanele icatshangelwe.

Itholakala kakhulu ku-CNCF naseKubernetes, kodwa isithiyo sokungena siphezulu kakhulu, udinga ukuhlela okuningi futhi uchaze i-manifest encane.

Kukhona ama-addon ahlukahlukene, njenge-Draft, Scaffold. Benza impilo ibe lula kakhulu, isibonelo, benza lula umjikelezo wokuthumela nokwethula i-Helm ukuze abathuthukisi basebenzise indawo yokuhlola. Ngingababiza abahlomisa amandla.

Nali ishadi elibonakalayo lapho yonke into ikuphi.

Helm Security

Ku-x-eksisi izinga lokulawula kwakho komuntu siqu kulokho okwenzekayo, ku-axis ka-y izinga lomdabu we-Kubernetes. Helm version 2 iwe ndawana thize phakathi. Kunguqulo yesi-3, hhayi kakhulu, kodwa kokubili ukulawula kanye nezinga lomdabu kuye kwathuthukiswa. Izixazululo ezingeni le-Ksonnet zisaphansi ngisho ne-Helm 2. Kodwa-ke, kufanelekile ukubheka ukuze wazi ukuthi yini enye ekhona kulo mhlaba. Vele, umphathi wakho wokucushwa uzoba ngaphansi kokulawula kwakho, kodwa akukona okwendabuko yakwa-Kubernetes.

I-Operator Framework ingeyendabuko yakwa-Kubernetes futhi ikuvumela ukuthi uyiphathe kahle kakhulu nangokucophelela (kodwa khumbula ngezinga lokungena). Kunalokho, lokhu kulungele uhlelo lokusebenza olukhethekile nokudalwa kokuphathwa kwalo, kunokuba umvuni omkhulu wokupakisha inani elikhulu lezinhlelo zokusebenza usebenzisa i-Helm.

Izandisi zivele zithuthukise ukulawula kancane, ziphelelise ukuhamba komsebenzi, noma zisike amakhona kumapayipi e-CI/CD.

Ikusasa likaHelm

Izindaba ezinhle ukuthi i-Helm 3 iyeza. Inguqulo ye-alpha ye-Helm 3.0.0-alpha.2 isikhishiwe, ungayizama. Izinzile impela, kodwa ukusebenza kusanomkhawulo.

Kungani udinga i-Helm 3? Okokuqala nje, lena yindaba ukunyamalala kukaTiller, njengengxenye. Lokhu, njengoba usuqonda kakade, kuyisinyathelo esikhulu esiya phambili, ngoba ngokombono wokuphepha kwezakhiwo, konke kwenziwa lula.

Ngenkathi i-Helm 2 idalwa, eyayiseduze nesikhathi se-Kubernetes 1.8 noma nangaphambili, imiqondo eminingi yayingakavuthwa. Isibonelo, umqondo we-CRD manje ususetshenziswa ngenkuthalo, futhi i-Helm izosebenza sebenzisa i-CRDukugcina izakhiwo. Kuzokwazi ukusebenzisa iklayenti kuphela futhi ungagcini ingxenye yeseva. Ngokufanelekile, sebenzisa imiyalo yomdabu ye-Kubernetes ukuze usebenze ngezakhiwo nezinsiza. Lesi yisinyathelo esikhulu esiya phambili.

Izovela ukwesekwa kwamakhosombe omdabu we-OCI (Open Container Initiative). Lesi yisinyathelo esikhulu, futhi i-Helm inentshisekelo ngokuyinhloko ukuze ithumele amashadi ayo. Kufika ephuzwini lokuthi, ngokwesibonelo, i-Docker Hub isekela izindinganiso eziningi ze-OCI. Angiqageli, kodwa mhlawumbe abahlinzeki bendawo yokugcina ye-Docker bazoqala ukukunikeza ithuba lokusingatha amashadi akho e-Helm.

Indaba eyindida kimina Lua ukwesekwa, njengenjini yesifanekiso yokubhala imibhalo. Angiyena umlandeli omkhulu we-Lua, kodwa lokhu kungaba isici ongasikhetha ngokuphelele. Ngihlole lokhu izikhathi ezi-3 - ukusebenzisa i-Lua ngeke kudingeke. Ngakho-ke, labo abafuna ukukwazi ukusebenzisa i-Lua, labo abathanda i-Go, bajoyine ikamu lethu elikhulu futhi basebenzise i-go-tmpl kulokhu.

Ekugcineni, engangikukhumbula ngempela kwaba ukuvela kwe-schema nokuqinisekiswa kohlobo lwedatha. Ngeke kusaba khona izinkinga nge-int noma iyunithi yezinhlamvu, asikho isidingo sokugoqa uziro ngezingcaphuno ezimbili. Kuzovela i-schema se-JSONS esizokuvumela ukuthi uchaze lokhu ngokusobala ngamavelu.

Kuzosetshenzwa kabusha kakhulu imodeli eqhutshwa umcimbi. Sekuvele kuchaziwe ngokomqondo. Bheka igatsha le-Helm 3, futhi uzobona ukuthi zingaki izehlakalo nezingwegwe nezinye izinto ezingeziwe, ezizokwenza kube lula kakhulu futhi, ngakolunye uhlangothi, zengeze ukulawula izinqubo zokuthunyelwa kanye nokusabela kuzo.

I-Helm 3 izoba lula, iphephe, futhi ibe mnandi kakhulu, hhayi ngoba singathandi i-Helm 2, kodwa ngoba i-Kubernetes ithuthuka kakhulu. Ngakho-ke, i-Helm ingasebenzisa ukuthuthukiswa kwe-Kubernetes futhi idale abaphathi abahle kakhulu be-Kubernetes kuyo.

Ezinye izindaba ezinhle yilezo I-DevOpsConf U-Alexander Khayorov uzokutshela, ingabe iziqukathi zingavikeleka? Ake sikukhumbuze ukuthi ingqungquthela yokuhlanganiswa kwezinqubo zentuthuko, ukuhlolwa kanye nokusebenza izobanjelwa eMoscow Septhemba 30 no-Okthoba 1. Usengakwenza kuze kube u-Agasti 20 hambisa umbiko futhi usitshele ngolwazi lwakho ngesixazululo omunye kwabaningi imisebenzi yendlela ye-DevOps.

Landela izindawo zokuhlola ingqungquthela kanye nezindaba ku uhlu lwamakheli и ishaneli yocingo.

Source: www.habr.com

Engeza amazwana