Validating Kubernetes YAML against best practices and policies

Translator's note: with the growing number of YAML configurations in K8s environments, the need for their automated validation is becoming more pressing. The author of this review not only selected the existing solutions for this task, but also used a Deployment as an example to see how they work. It turned out to be very informative for those interested in the topic.

TL;DR: This article compares six static tools for validating and checking Kubernetes YAML files against best practices and requirements.

Kubernetes workloads are usually defined as YAML documents. One of the problems with YAML is the difficulty of expressing constraints or relationships between manifest files.

What if we need to make sure that all images deployed to the cluster come from a trusted registry?

How can I prevent Deployments without PodDisruptionBudgets from being deployed to the cluster?

Integrating static checks lets you catch errors and policy violations at the development stage. This increases confidence that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.

The ecosystem of static checking tools for Kubernetes YAML files can be divided into the following categories:

  • API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
  • Ready-made checkers. Tools in this category come with pre-built checks for security, compliance with best practices, etc.
  • Custom validators. Representatives of this category let you create custom checks in various languages, for example Rego and JavaScript.

In this article we will describe and compare six different tools:

  1. kubeval;
  2. kube-score;
  3. config-lint;
  4. copper;
  5. conftest;
  6. Polaris.

Well, let's get started!

Test Deployment

Before we start comparing the tools, let's create a baseline to test them against.

The manifest below contains many errors and deviations from best practices: how many can you find?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

We will use this YAML to compare the different tools.

The base-valid.yaml manifest above and the other manifests from this article can be found in the Git repository.

The manifest describes a web application whose main task is to respond with a "Hello World" message on port 5678. It can be deployed with the following command:

kubectl apply -f base-valid.yaml

And then check that it works:

kubectl port-forward svc/http-echo 8080:5678

Now go to http://localhost:8080 and make sure the application is running. But does it follow best practices? Let's check.

1. Kubeval

The idea behind kubeval is that any interaction with Kubernetes goes through its REST API. In other words, you can use the API schema to check whether a given YAML conforms to it. Let's look at an example.

Installation instructions for kubeval are available on the project website.

At the time of writing the original article, version 0.15.0 was available.

Once installed, let's feed it the manifest above:

$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)

If successful, kubeval exits with exit code 0. You can check it as follows:

$ echo $?
0

Now let's try kubeval with a different manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(kubeval-invalid.yaml)

Can you spot the problem by eye? Let's run it:

$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)

# check the return code
$ echo $?
1

The resource fails validation.

A Deployment using the apps/v1 API version must include a selector matching the pod label. The manifest above does not include a selector, so kubeval reported an error and exited with a non-zero code.

I wonder what would happen if I ran kubectl apply -f with this manifest?

Well, let's try:

$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false

This is exactly the error kubeval warned about. You can fix it by adding a selector:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:          # !!!
    matchLabels:     # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo

(base-valid.yaml)

The advantage of tools like kubeval is that errors like this can be caught early in the deployment cycle.

Moreover, these checks do not require access to a cluster; they can be run offline.

By default, kubeval validates resources against the latest Kubernetes API schema. However, in many cases you need to validate against a specific Kubernetes release. This can be done with the --kubernetes-version flag:

$ kubeval --kubernetes-version 1.16.1 base-valid.yaml

Note that the version must be specified in the Major.Minor.Patch format.

For a list of versions supported for validation, refer to the JSON schemas on GitHub that kubeval uses for validation. If you need to use kubeval offline, download the schemas and point to their local location with the --schema-location flag.

In addition to individual YAML files, kubeval can also work with directories and stdin.

Furthermore, kubeval integrates easily into a CI pipeline. Those who want to run checks before submitting manifests to the cluster will be glad to know that kubeval supports three output formats:

  1. Plain text;
  2. JSON;
  3. Test Anything Protocol (TAP).

Any of these formats can be used for further parsing of the output to produce a summary of the results in the desired form.

One of kubeval's drawbacks is that it currently cannot check Custom Resource Definitions (CRDs) for compliance. However, kubeval can be configured to ignore them.

Kubeval is a great tool for checking and validating resources; however, it must be emphasised that passing the check does not guarantee that the resource follows best practices.

For example, using the latest tag for a container does not follow best practices. However, kubeval does not treat this as an error and does not report it. That is, validation of such a YAML completes without warnings.

But what if you want to check the YAML and identify violations like the latest tag? How do I check a YAML file against best practices?

2. Kube-score

Kube-score analyses YAML manifests and evaluates them against built-in checks. These checks are chosen based on security guidelines and best practices, such as:

  • Running the container not as root.
  • Availability of pod health checks.
  • Setting resource requests and limits.

Based on the results of the checks, three outcomes are given: OK, WARNING and CRITICAL.

You can try kube-score online or install it locally.

At the time of writing the original article, the latest kube-score version was 1.7.0.

Let's try it on our base-valid.yaml manifest:

$ kube-score score base-valid.yaml

apps/v1/Deployment http-echo
[CRITICAL] Container Image Tag
  · http-echo -> Image with latest tag
      Using a fixed tag is recommended to avoid accidental upgrades
[CRITICAL] Pod NetworkPolicy
  · The pod does not have a matching network policy
      Create a NetworkPolicy that targets this pod
[CRITICAL] Pod Probes
  · Container is missing a readinessProbe
      A readinessProbe should be used to indicate when the service is ready to receive traffic.
      Without it, the Pod is risking to receive traffic before it has booted. It is also used during
      rollouts, and can prevent downtime if a new version of the application is failing.
      More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
[CRITICAL] Container Security Context
  · http-echo -> Container has no configured security context
      Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
  · http-echo -> CPU limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
  · http-echo -> Memory limit is not set
      Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
  · http-echo -> CPU request is not set
      Resource requests are recommended to make sure that the application can start and run without
      crashing. Set resources.requests.cpu
  · http-echo -> Memory request is not set
      Resource requests are recommended to make sure that the application can start and run without crashing.
      Set resources.requests.memory
[CRITICAL] Deployment has PodDisruptionBudget
  · No matching PodDisruptionBudget was found
      It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
      maintenance operations, such as when draining a node.
[WARNING] Deployment has host PodAntiAffinity
  · Deployment does not have a host podAntiAffinity set
      It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
      being scheduled on the same node. This increases availability in case the node becomes unavailable.

The YAML passes kubeval's checks, while kube-score points out the following deficiencies:

  • No readiness probe is configured.
  • No CPU and memory resource requests or limits.
  • Pod disruption budgets are not defined.
  • No anti-affinity rules to increase availability.
  • The container runs as root.

All of these are valid points about deficiencies that need to be addressed to make the deployment more efficient and reliable.

The kube-score command presents the information in a human-readable form, including all WARNING and CRITICAL violations, which is very helpful during development.

Those who want to use this tool inside a CI pipeline can enable more condensed output with the --output-format ci flag (in this case, checks with an OK result are also shown):

$ kube-score score base-valid.yaml --output-format ci

[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service

Similarly to kubeval, kube-score returns a non-zero exit code when a CRITICAL check fails. You can also enable the same handling for WARNING.

In addition, it is possible to check resources for compliance with API versions (as in kubeval). However, this information is hard-coded in kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a big problem if you intend to upgrade your cluster or if you have multiple clusters with different K8s versions.

Note that there is already an issue proposing to implement this capability.

More information about kube-score can be found on the official website.

Kube-score's checks are a great tool for enforcing best practices, but what if you need to modify a check or add your own rules? Alas, this cannot be done.

Kube-score is not extensible: you cannot add policies to it or adjust them.

If you need to write custom checks to ensure compliance with company policies, you can use one of the following four tools: config-lint, copper, conftest, or polaris.

3. Config-lint

Config-lint is a tool for validating YAML, JSON, Terraform, CSV files and Kubernetes manifests.

You can install it using the instructions on the project website.

The current release at the time of writing the original article is 1.5.0.

Config-lint has no built-in checks for validating Kubernetes manifests.

To run any checks, you need to create the appropriate rules. They are written as YAML files called "rulesets" and have the following structure:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
   # list of rules

(rule.yaml)

Let's look at it more closely:

  • The type field specifies which type of configuration config-lint will check. For K8s manifests this is always Kubernetes.
  • In the files field, in addition to individual files, you can specify a directory.
  • The rules field is intended for defining user checks.

Say you want to make sure that images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. A config-lint rule performing such a check might look like this:

- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"

(rule-trusted-repo.yaml)

Each rule must have the following attributes:

  • id - the unique identifier of the rule;
  • severity - can be FAILURE, WARNING and NON_COMPLIANT;
  • message - if the rule is violated, the contents of this line are shown;
  • resource - the type of resource this rule applies to;
  • assertions - the list of conditions checked against this resource.

In the rule above, the every assertion checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (i.e. ones starting with my-company.com/).

The complete ruleset looks like this:

version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:

  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"

(ruleset.yaml)

To try the check, let's save it as check_image_repo.yaml. Let's check the base-valid.yaml file:

$ config-lint -rules check_image_repo.yaml base-valid.yaml

[
  {
  "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
  "Category": "",
  "CreatedAt": "2020-06-04T01:29:25Z",
  "Filename": "test-data/base-valid.yaml",
  "LineNumber": 0,
  "ResourceID": "http-echo",
  "ResourceType": "Deployment",
  "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
  "RuleMessage": "Deployment must use a valid image repository",
  "Status": "FAILURE"
  }
]

The check failed. Now let's check the following manifest with a correct image repository:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678

(image-valid-mycompany.yaml)

Run the same check on the manifest above. No problems are found:

$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]

Config-lint is a promising framework that lets you create your own checks for validating Kubernetes YAML manifests using a YAML DSL.

But what if you need more complex logic and checks? Is YAML too restrictive for this? What if you could create checks in a full programming language?

4. Copper

Copper V2 is a framework for validating manifests using custom checks (like config-lint).

However, it differs from the latter in that it does not use YAML to describe the checks. Checks are written in JavaScript instead. Copper provides a library with several basic tools that help you read information about Kubernetes objects and report errors.

Installation steps for Copper can be found in the official documentation.

2.0.1 was the latest release of this utility at the time of writing the original article.

Like config-lint, Copper has no built-in checks. Let's write one. Let it check that deployments use container images exclusively from trusted repositories such as my-company.com.

Create a file check_image_repo.js with the following content:

// Iterate over every document loaded from the input YAML ($$)
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            // Parse the image reference with Copper's DockerImage helper
            var image = new DockerImage(container.image);
            // Report an error if the registry is not the trusted one
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});

Now, to check our base-valid.yaml manifest, use the copper validate command:

$ copper validate --in=base-valid.yaml --validator=check_image_repo.js

Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed

Clearly, with copper you can do more complex checks, for example checking domain names in Ingress manifests or rejecting pods running in privileged mode.

Copper has various useful built-in functions:

  • DockerImage reads the specified input file and creates an object with the following attributes:
    • name - the image name,
    • tag - the image tag,
    • registry - the image registry,
    • registry_url - the protocol (https://) and the image registry,
    • fqin - the fully qualified image name.
  • The findByName function helps find a resource by a given kind and name in the input file.
  • The findByLabels function helps find a resource by a given kind and labels.

You can see all the available service functions here.

By default, it loads the entire input YAML file into the $$ variable and makes it available for scripting (a familiar approach for those with jQuery experience).

The main advantage of Copper is obvious: you don't need to learn a specialised language and you can use various JavaScript features to create your own checks, such as string interpolation, functions, etc.

It should also be noted that the current version of Copper works with the ES5 version of the JavaScript engine, not ES6.

Details are available on the official project website.
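As an added example (not Copper's code and not from the original article), the following stand-alone Node.js script implements the same trusted-registry check as the Copper validator above, plus the "no latest / untagged image" rule that kube-score flagged earlier, over the article's manifests constructed as JS objects. The image parser is an assumption written here; its field names mirror Copper's DockerImage object, but the trusted registry is compared as a hostname rather than with a 'my-company.com/' prefix search.

```javascript
'use strict';

// Parse an image reference such as "my-company.com/http-echo:1.0" or
// "hashicorp/http-echo@sha256:..." into its parts. The field names mirror
// Copper's DockerImage object (name, tag, registry, registry_url, fqin), but
// the parsing rules are this example's own assumptions, following the Docker
// convention: the first path component is a registry only if it contains
// '.' or ':' or is 'localhost'; otherwise the image lives on Docker Hub.
function parseImageRef(ref) {
  let rest = ref;
  let digest = null;
  const at = rest.indexOf('@');
  if (at !== -1) {
    digest = rest.slice(at + 1);
    rest = rest.slice(0, at);
  }
  const parts = rest.split('/');
  let registry = 'docker.io';
  if (parts.length > 1 && (/[.:]/.test(parts[0]) || parts[0] === 'localhost')) {
    registry = parts.shift();
  }
  let name = parts.join('/');
  let tag = null;
  const colon = name.lastIndexOf(':');
  if (colon !== -1) {
    tag = name.slice(colon + 1);
    name = name.slice(0, colon);
  }
  return { registry: registry, registry_url: 'https://' + registry, name: name, tag: tag, digest: digest, fqin: ref };
}

// Registry the policy trusts (the same my-company.com used throughout the article).
const TRUSTED_REGISTRY = 'my-company.com';

// Return every container spec (init and regular) of a workload. Pods carry the
// pod spec directly; Deployments, StatefulSets, DaemonSets and Jobs under spec.template.
function containersOf(obj) {
  const podSpec = obj.kind === 'Pod'
    ? obj.spec
    : obj.spec && obj.spec.template && obj.spec.template.spec;
  if (!podSpec) return [];
  return (podSpec.initContainers || []).concat(podSpec.containers || []);
}

// Apply both image policies to a list of parsed manifests and return findings
// in kube-score style. Resources without containers (e.g. Services) yield nothing.
function checkImages(documents) {
  const findings = [];
  documents.forEach(function (doc) {
    const resource = doc.kind + '/' + doc.metadata.name;
    containersOf(doc).forEach(function (c) {
      const img = parseImageRef(c.image);
      if (img.registry !== TRUSTED_REGISTRY) {
        findings.push({ severity: 'CRITICAL', resource: resource, container: c.name,
          message: "image '" + c.image + "' is not from " + TRUSTED_REGISTRY });
      }
      // No tag at all and ':latest' both mean the image can change underneath
      // you; a digest pins it even without a tag.
      if (!img.digest && (img.tag === null || img.tag === 'latest')) {
        findings.push({ severity: 'CRITICAL', resource: resource, container: c.name,
          message: "image '" + c.image + "' is not pinned to a fixed tag or digest" });
      }
    });
  });
  return findings;
}

// Exit status the way kubeval and kube-score do it: non-zero when a CRITICAL finding exists.
function exitCode(findings) {
  return findings.some(function (f) { return f.severity === 'CRITICAL'; }) ? 1 : 0;
}

// Constructed input: the article's base-valid.yaml (Deployment + Service) and the
// corrected Deployment from image-valid-mycompany.yaml, written as JS objects.
const BASE_VALID = [
  { apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
    spec: { replicas: 2, selector: { matchLabels: { app: 'http-echo' } },
      template: { metadata: { labels: { app: 'http-echo' } },
        spec: { containers: [{ name: 'http-echo', image: 'hashicorp/http-echo',
          args: ['-text', 'hello-world'], ports: [{ containerPort: 5678 }] }] } } } },
  { apiVersion: 'v1', kind: 'Service', metadata: { name: 'http-echo' },
    spec: { ports: [{ port: 5678, protocol: 'TCP', targetPort: 5678 }], selector: { app: 'http-echo' } } },
];
const IMAGE_VALID_MYCOMPANY = [
  { apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'http-echo' },
    spec: { replicas: 2, selector: { matchLabels: { app: 'http-echo' } },
      template: { metadata: { labels: { app: 'http-echo' } },
        spec: { containers: [{ name: 'http-echo', image: 'my-company.com/http-echo:1.0' }] } } } },
];

console.log(JSON.stringify(checkImages(BASE_VALID), null, 2)); // two CRITICAL findings
console.log(checkImages(IMAGE_VALID_MYCOMPANY));               // []
```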

However, if you really don't like JavaScript and prefer a language designed specifically for writing queries and declarative policies, you should take a look at conftest.

5. Conftest

Conftest is a framework for testing configuration data. It is also suitable for testing/validating Kubernetes manifests. Checks are described using the special query language Rego.

You can install conftest using the instructions listed on the project website.

At the time of writing the original article, the latest available version was 0.18.2.

Similarly to config-lint and copper, conftest comes without built-in checks. Let's try it and write our own policy. As in the previous examples, we will check that container images are taken from a trusted source.

Create a directory conftest-checks, and in it a file named check_image_registry.rego with the following content:

package main

deny[msg] {

  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}

Now let's test base-valid.yaml with conftest:

$ conftest test --policy ./conftest-checks base-valid.yaml

FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure

The check failed, as expected, because the image comes from an untrusted source.

In the Rego file we define a deny block. Its truth is treated as a violation. If there are several deny blocks, conftest checks them independently of each other, and the truth of any of the blocks is treated as a violation.

In addition to the default output, conftest supports JSON, TAP and table formats, a very useful feature if you need to embed reports into an existing CI pipeline. You can set the desired format with the --output flag.

To make debugging policies easier, conftest has the --trace flag. It outputs a trace of how conftest parses the specified policy files.

Conftest policies can be published and shared through OCI (Open Container Initiative) registries as artifacts.

The push and pull commands let you publish an artifact or retrieve an existing artifact from a remote registry. Let's try publishing the policy we created to a local Docker registry with conftest push.

Start your local Docker registry:

$ docker run -it --rm -p 5000:5000 registry

In another terminal, go to the conftest-checks directory you created earlier and run the following command:

$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

If the command succeeds, you will see a message like this:

2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c

Now create a temporary directory and run the conftest pull command in it. It will download the bundle created by the previous command:

$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest

A policy subdirectory containing our policy file will appear in the temporary directory:

$ tree
.
└── policy
  └── check_image_registry.rego

Checks can be run directly from the registry:

$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure

Unfortunately, DockerHub is not yet supported. So consider yourself lucky if you use Azure Container Registry (ACR) or your own registry.

The artifact format is the same as Open Policy Agent (OPA) bundles, which lets you use conftest to run checks from existing OPA packages.

You can read more about policy sharing and other conftest features on the official project website.

6. Polaris

The last tool discussed in this article is Polaris. (We have already translated its announcement from last year - translator's note.)

Polaris can be installed in a cluster or used in command-line mode. As you may have guessed, it lets you statically analyse Kubernetes manifests.

When running in command-line mode, built-in checks are available that cover areas such as security and best practices (like kube-score). In addition, you can create your own checks (as in config-lint, copper and conftest).

In other words, Polaris combines the advantages of both categories of tools: built-in and custom checks.

To install Polaris in command-line mode, use the instructions on the project website.

At the time of writing the original article, version 1.0.3 was available.

Once installation is complete, you can run polaris on the base-valid.yaml manifest with the following command:

$ polaris audit --audit-path base-valid.yaml

It outputs a JSON-formatted string with a detailed description of the checks performed and their results. The output has the following structure:

{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}

The full output is available here.

Like kube-score, Polaris identifies problems in areas where the manifest does not meet best practices:

  • No health checks for pods.
  • Container image tags are not specified.
  • The container runs as root.
  • Memory and CPU requests and limits are not specified.

Each check, depending on its results, is assigned a severity level: warning or danger. To learn more about the available built-in checks, refer to the documentation.

If the details are not needed, you can specify the --format score flag. In this case Polaris outputs a number from 1 to 100, the score:

$ polaris audit --audit-path test-data/base-valid.yaml --format score
68

The closer the score is to 100, the higher the level of compliance. If you check the exit code of the polaris audit command, it turns out to be 0.

You can force polaris audit to terminate with a non-zero code using two flags:

  • The --set-exit-code-below-score flag takes a threshold value in the range 1-100 as an argument. In this case the command exits with exit code 4 if the score is below the threshold. This is very useful when you have a certain threshold (say 75) and need to be alerted if the score drops below it.
  • The --set-exit-code-on-danger flag causes the command to fail with code 3 if any of the danger checks fail.

Now let's try to create a custom check that verifies the image is taken from a trusted repository. Custom checks are specified in YAML format, and the check itself is described using JSON Schema.

The following YAML snippet describes a new check called checkImageRepo:

checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$

Let's take a closer look at it:

  • successMessage - this line is printed if the check completes successfully;
  • failureMessage - this message is shown if it fails;
  • category - indicates one of the categories: Images, Health Checks, Security, Networking and Resources;
  • target - determines which kind of object (spec) the check is applied to. Possible values: Container, Pod or Controller;
  • The check itself is specified in the schema object using JSON Schema. The key word in this check is pattern, which is used to compare the image source with the required one.

To run the check above, you need to create the following Polaris configuration:

checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(polaris-conf.yaml)

Let's analyse the file:

  • The checks field defines the checks and their severity level. Since we want to be alerted when the image is taken from an untrusted source, we set the level to danger here.
  • The checkImageRepo check itself is then registered in the customChecks object.

Save the file as custom_check.yaml. Now you can run polaris audit with the YAML manifest that needs to be validated.

Let's check our base-valid.yaml manifest:

$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml

The polaris audit command ran only the custom check specified above, and it failed.

If you fix the image to my-company.com/http-echo:1.0, Polaris completes successfully. The manifest with the changes is already in the repository, so you can verify the previous command on the image-valid-mycompany.yaml manifest.

Now the question arises: how to run built-in and custom checks together? Easy! You just need to add the identifiers of the built-in checks to the configuration file. As a result it takes the following form:

checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo:        # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$

(config_with_custom_check.yaml)

An example of the complete configuration file is available here.

To check the base-valid.yaml manifest using both built-in and custom checks, you can use the command:

$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml

Polaris complements built-in checks with custom ones, thereby combining the best of both worlds.

On the other hand, the inability to use more powerful languages like Rego or JavaScript can be a limiting factor that prevents the creation of complex checks.

More information about Polaris is available on the project website.

Summary

Although there are many tools available for checking and validating Kubernetes YAML files, it is important to have a clear understanding of how the checks will be designed and run.

For example, if you take Kubernetes manifests passing through a pipeline, kubeval could be the first step in such a pipeline. It checks whether object definitions conform to the Kubernetes API schema.

Once such a review is complete, one can move on to more sophisticated checks, such as compliance with best practices and specific policies. That is where kube-score and Polaris come in.

For those with complex requirements who need to customise checks in detail, copper, config-lint and conftest will do.

Conftest and config-lint use YAML to define custom checks, while copper gives you access to a full programming language, which makes it the better choice.

On the other hand, is it worth using one of these tools and therefore creating all the checks by hand, or choosing Polaris and adding to it only what is needed? There is no clear answer to this question.

The table below gives a brief description of each tool:

Tool: kubeval
  Purpose: Validates YAML manifests against a specific version of the API schema
  Shortcomings: Cannot work with CRDs
  Custom checks: No

Tool: kube-score
  Purpose: Analyses YAML manifests against best practices
  Shortcomings: Cannot choose the Kubernetes API version to check resources against
  Custom checks: No

Tool: copper
  Purpose: General framework for creating custom JavaScript checks for YAML manifests
  Shortcomings: No built-in checks. Poor documentation
  Custom checks: Yes

Tool: config-lint
  Purpose: General framework for creating checks in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform)
  Shortcomings: No ready-made checks. Built-in assertions and functions may not be enough
  Custom checks: Yes

Tool: conftest
  Purpose: Framework for creating your own checks using Rego (a specialised query language). Allows sharing policies via OCI bundles
  Shortcomings: No built-in checks. Rego has to be learned. Docker Hub not supported for publishing policies
  Custom checks: Yes

Tool: Polaris
  Purpose: Checks YAML manifests against common best practices. Lets you create your own checks using JSON Schema
  Shortcomings: Checking capabilities based on JSON Schema may be insufficient
  Custom checks: Yes

Because these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you filter source files and give quick feedback to pull-request authors in projects.

Source: www.habr.com
