Translator's note: With the growing number of YAML configurations in K8s environments, the need for their automated validation becomes ever more pressing. The author of this review not only selected the existing solutions for this task, but also used a Deployment as an example to see how each of them works. It turned out to be quite informative for those interested in the topic.
TL;DR: This article compares six static tools for validating and testing Kubernetes YAML files against best practices and requirements.
Kubernetes workloads are usually defined as YAML documents. One of the problems with YAML is how hard it is to express constraints or relationships between manifest files.
What if we need to make sure that every image deployed to the cluster comes from a trusted registry?
How can I prevent Deployments that have no PodDisruptionBudget from being deployed to the cluster?
Integrating static checks lets you detect errors and policy violations at the development stage. This increases confidence that resource definitions are correct and secure, and makes it more likely that production workloads follow best practices.
The ecosystem of static validation tools for Kubernetes YAML files can be divided into the following categories:
- API validators. Tools in this category check a YAML manifest against the requirements of the Kubernetes API server.
- Ready-made validators. Tools in this category come with pre-built checks for security, compliance with best practices, and so on.
- Custom validators. Tools in this category let you create your own checks in various languages, for example Rego and JavaScript.
In this article we describe and compare six different tools:
- kubeval;
- kube-score;
- config-lint;
- copper;
- conftest;
- polaris.
So, let's get started!
Checking a Deployment
Before we start comparing the tools, let's set up a baseline to test them against.
The manifest below contains a number of errors and deviations from best practices: how many can you find?
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(base-valid.yaml)
We will use this YAML to compare the different tools.
The manifest above, base-valid.yaml, and the other manifests from this article can be found in the Git repository.
The manifest describes a web application whose only job is to respond with the message «Hello World» on port 5678. It can be deployed with the following command:
kubectl apply -f base-valid.yaml
And then check that it works:
kubectl port-forward svc/http-echo 8080:5678
Now go to
1. Kubeval
At the heart of
At the time of the original article, version 0.15.0 was available.
Once it is installed, let's feed it the manifest above:
$ kubeval base-valid.yaml
PASS - base-valid.yaml contains a valid Deployment (http-echo)
PASS - base-valid.yaml contains a valid Service (http-echo)
On success, kubeval exits with exit code 0. You can check it as follows:
$ echo $?
0
Now let's try kubeval with a different manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(kubeval-invalid.yaml)
Can you spot the problem by eye? Let's run it:
$ kubeval kubeval-invalid.yaml
WARN - kubeval-invalid.yaml contains an invalid Deployment (http-echo) - selector: selector is required
PASS - kubeval-invalid.yaml contains a valid Service (http-echo)
# check the return code
$ echo $?
1
The resource failed validation.
A Deployment that uses the apps/v1 API version must include a selector that matches the pod labels. The manifest above does not include a selector, so kubeval reported an error and exited with a non-zero code.
I wonder what happens if I run kubectl apply -f with this manifest?
Well, let's try:
$ kubectl apply -f kubeval-invalid.yaml
error: error validating "kubeval-invalid.yaml": error validating data: ValidationError(Deployment.spec):
missing required field "selector" in io.k8s.api.apps.v1.DeploymentSpec; if you choose to ignore these errors,
turn validation off with --validate=false
This is exactly the error kubeval warned about. You can fix it by adding the selector:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector: # !!!
    matchLabels: # !!!
      app: http-echo # !!!
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: hashicorp/http-echo
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    app: http-echo
(base-valid.yaml)
The advantage of tools like kubeval is that errors like this are caught early in the deployment cycle.
Moreover, these checks do not require access to a cluster; they can be performed offline.
By default, kubeval validates resources against the latest Kubernetes API schema. In most cases, however, you will need to validate against a specific Kubernetes release. This is done with the --kubernetes-version flag:
$ kubeval --kubernetes-version 1.16.1 base-valid.yaml
Note that the version must be specified in Major.Minor.Patch format.
For the list of versions against which validation is supported, refer to --schema-location.
In addition to individual YAML files, kubeval can also work with directories and with stdin.
Kubeval also integrates easily into a CI pipeline. Those who want to run checks before submitting manifests to the cluster will be glad to know that kubeval supports three output formats:
- plain text;
- JSON;
- Test Anything Protocol (TAP).
Any of these formats can be parsed further to produce a summary of the results in whatever form is needed.
One limitation of kubeval is that it currently cannot check compliance with Custom Resource Definitions (CRDs). However, it is possible to configure kubeval
Kubeval is a great tool for checking and validating resources; however, it must be stressed that passing its checks does not guarantee that a resource conforms to best practices.
For example, using the latest tag for a container does not follow best practices. Yet kubeval does not consider this an error and does not report it. That is, validation of such a YAML file completes without warnings.
But what if you want to check the YAML and flag violations such as the latest tag? How do I check a YAML file against best practices?
2. Kube-score
- Running the container as a non-root user.
- Presence of pod health checks.
- Setting resource requests and limits.
Based on the results of the checks, one of three verdicts is given: OK, WARNING and CRITICAL.
You can try kube-score online or install it locally.
At the time of the original article, the latest kube-score version was 1.7.0.
Let's try it on our base-valid.yaml manifest:
$ kube-score score base-valid.yaml
apps/v1/Deployment http-echo
    [CRITICAL] Container Image Tag
        · http-echo -> Image with latest tag
            Using a fixed tag is recommended to avoid accidental upgrades
    [CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching network policy
            Create a NetworkPolicy that targets this pod
    [CRITICAL] Pod Probes
        · Container is missing a readinessProbe
            A readinessProbe should be used to indicate when the service is ready to receive traffic.
            Without it, the Pod is risking to receive traffic before it has booted. It is also used during
            rollouts, and can prevent downtime if a new version of the application is failing.
            More information: https://github.com/zegl/kube-score/blob/master/README_PROBES.md
    [CRITICAL] Container Security Context
        · http-echo -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
    [CRITICAL] Container Resources
        · http-echo -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · http-echo -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
        · http-echo -> CPU request is not set
            Resource requests are recommended to make sure that the application can start and run without
            crashing. Set resources.requests.cpu
        · http-echo -> Memory request is not set
            Resource requests are recommended to make sure that the application can start and run without crashing.
            Set resources.requests.memory
    [CRITICAL] Deployment has PodDisruptionBudget
        · No matching PodDisruptionBudget was found
            It is recommended to define a PodDisruptionBudget to avoid unexpected downtime during Kubernetes
            maintenance operations, such as when draining a node.
    [WARNING] Deployment has host PodAntiAffinity
        · Deployment does not have a host podAntiAffinity set
            It is recommended to set a podAntiAffinity that stops multiple pods from a deployment from
            being scheduled on the same node. This increases availability in case the node becomes unavailable.
The YAML passes kubeval's checks, while kube-score flags the following issues:
- No readiness probe is configured.
- No CPU and memory requests or limits.
- Pod disruption budgets are not defined.
- No anti-affinity rules to improve availability.
- The container runs as root.
All of these are valid points about shortcomings that need to be addressed to make the Deployment robust and reliable.
The kube-score command prints its findings in a human-readable form, including every WARNING and CRITICAL violation, which is very helpful during development.
Those who want to use the tool inside a CI pipeline can enable a more condensed output with the --output-format ci flag (in this case, checks that pass are also shown, as OK):
$ kube-score score base-valid.yaml --output-format ci
[OK] http-echo apps/v1/Deployment
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory limit is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) CPU request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Memory request is not set
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Image with latest tag
[OK] http-echo apps/v1/Deployment
[CRITICAL] http-echo apps/v1/Deployment: The pod does not have a matching network policy
[CRITICAL] http-echo apps/v1/Deployment: Container is missing a readinessProbe
[CRITICAL] http-echo apps/v1/Deployment: (http-echo) Container has no configured security context
[CRITICAL] http-echo apps/v1/Deployment: No matching PodDisruptionBudget was found
[WARNING] http-echo apps/v1/Deployment: Deployment does not have a host podAntiAffinity set
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
[OK] http-echo v1/Service
As with kubeval, kube-score returns a non-zero exit code if any CRITICAL check fails. You can also enable the same handling for WARNINGs.
In addition, resources can be checked for compliance with different API versions (as in kubeval). However, this information is hardcoded in kube-score itself: you cannot choose a different Kubernetes version. This limitation can be a real problem if you intend to upgrade your cluster or if you run several clusters with different K8s versions.
Note that there is already an issue proposing to implement this feature.
More information about kube-score can be found at
Kube-score's checks are a great tool for enforcing best practices, but what if you need to modify a check or add rules of your own? Alas, that cannot be done.
Kube-score is not extensible: you cannot add policies to it or adjust the existing ones.
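As an added example (not code from kubeval or kube-score), the following Python reproduces the two kinds of check seen so far over the page's Deployment loaded into a dict: the selector check that kubeval and the API server enforce, and the kube-score best-practice checks that fired above. The probe, resource values and securityContext in harden() are assumptions chosen for illustration.

```python
import copy
from typing import Any, Dict, List, Tuple

# Constructed sample: the page's base-valid.yaml Deployment, already loaded into
# a Python dict (what any YAML loader returns), so the block runs without PyYAML.
BASE_VALID: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "http-echo"}},
        "template": {
            "metadata": {"labels": {"app": "http-echo"}},
            "spec": {"containers": [{"name": "http-echo", "image": "hashicorp/http-echo",
                                     "args": ["-text", "hello-world"],
                                     "ports": [{"containerPort": 5678}]}]},
        },
    },
}

Finding = Tuple[str, str, str]  # (severity, check id, message)


def check_structure(deployment: Dict[str, Any]) -> List[Finding]:
    """Structural checks the apps/v1 API server enforces at apply time
    (the kind of error kubeval catches before kubectl does)."""
    findings: List[Finding] = []
    spec = deployment.get("spec", {})
    selector = (spec.get("selector") or {}).get("matchLabels") or {}
    if not selector:
        findings.append(("ERROR", "selector", "spec.selector.matchLabels is required"))
        return findings
    labels = spec.get("template", {}).get("metadata", {}).get("labels", {})
    mismatched = {k: v for k, v in selector.items() if labels.get(k) != v}
    if mismatched:
        findings.append(("ERROR", "selector", f"selector does not match template labels: {mismatched}"))
    return findings


def is_floating_tag(image: str) -> bool:
    """True for images pinned neither by digest nor by a non-latest tag.
    A missing tag is implicitly :latest."""
    if "@sha256:" in image:
        return False
    last_component = image.rsplit("/", 1)[-1]
    return ":" not in last_component or last_component.endswith(":latest")


def check_best_practices(deployment: Dict[str, Any]) -> List[Finding]:
    """A subset of the kube-score checks that fire on the page's manifest."""
    findings: List[Finding] = []
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod_spec.get("containers", []):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        if is_floating_tag(image):
            findings.append(("CRITICAL", "image-tag", f"{name}: '{image}' uses a floating (latest) tag"))
        if "readinessProbe" not in c:
            findings.append(("CRITICAL", "probes", f"{name}: readinessProbe is missing"))
        resources = c.get("resources", {})
        for kind in ("requests", "limits"):
            for res in ("cpu", "memory"):
                if res not in resources.get(kind, {}):
                    findings.append(("CRITICAL", "resources", f"{name}: resources.{kind}.{res} is not set"))
        # The container securityContext overrides the pod-level one field by field.
        sc = {**pod_spec.get("securityContext", {}), **c.get("securityContext", {})}
        run_as_user = sc.get("runAsUser")
        non_root = sc.get("runAsNonRoot") is True or (isinstance(run_as_user, int) and run_as_user > 0)
        if not non_root:
            findings.append(("CRITICAL", "security-context", f"{name}: not forced to run as non-root"))
    return findings


def audit(deployment: Dict[str, Any]) -> List[Finding]:
    return check_structure(deployment) + check_best_practices(deployment)


def exit_code(findings: List[Finding]) -> int:
    """kubeval/kube-score convention: non-zero when an ERROR or CRITICAL remains."""
    return 1 if any(sev in ("ERROR", "CRITICAL") for sev, _, _ in findings) else 0


def harden(deployment: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed 'after' version of the Deployment with every finding addressed
    (the probe path and resource sizes are illustrative assumptions)."""
    fixed = copy.deepcopy(deployment)
    c = fixed["spec"]["template"]["spec"]["containers"][0]
    c["image"] = "my-company.com/http-echo:1.0"  # pinned tag on the page's example registry
    c["readinessProbe"] = {"httpGet": {"path": "/", "port": 5678}}
    c["resources"] = {"requests": {"cpu": "50m", "memory": "32Mi"},
                      "limits": {"cpu": "100m", "memory": "64Mi"}}
    c["securityContext"] = {"runAsNonRoot": True, "allowPrivilegeEscalation": False}
    return fixed
```

Running audit() on BASE_VALID yields seven CRITICAL findings and exit code 1; on harden(BASE_VALID) it yields none and exit code 0.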
If you need to write custom checks to verify compliance with company policies, you can use one of the four remaining tools: config-lint, copper, conftest or polaris.
3. Config-lint
Config-lint is a tool for validating YAML, JSON, Terraform and CSV files as well as Kubernetes manifests.
You can install it using
The current release at the time of the original article was 1.5.0.
Config-lint has no built-in checks for validating Kubernetes manifests.
To run any checks at all, you need to create the corresponding rules. They are written as YAML files called "rulesets" and have the following structure:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  # list of rules
(rule.yaml)
Let's look at it in more detail:
- The type field specifies which kind of configuration config-lint will check. For K8s manifests this is always Kubernetes.
- In the files field you can specify directories in addition to individual files.
- The rules field is where the user-defined checks go.
Suppose you want to make sure that the images in a Deployment are always pulled from a trusted repository such as my-company.com/myapp:1.0. A config-lint rule that performs such a check might look like this:
- id: MY_DEPLOYMENT_IMAGE_TAG
  severity: FAILURE
  message: Deployment must use a valid image tag
  resource: Deployment
  assertions:
    - every:
        key: spec.template.spec.containers
        expressions:
          - key: image
            op: starts-with
            value: "my-company.com/"
(rule-trusted-repo.yaml)
Each rule must have the following attributes:
- id: a unique identifier of the rule;
- severity: one of FAILURE, WARNING and NON_COMPLIANT;
- message: if the rule is violated, the content of this line is displayed;
- resource: the resource type the rule applies to;
- assertions: a list of conditions that are checked against this resource.
In the rule above, the assertion named every checks that all containers in the Deployment (key: spec.template.spec.containers) use trusted images (that is, images whose reference starts with my-company.com/).
The complete ruleset looks like this:
version: 1
description: Rules for Kubernetes spec files
type: Kubernetes
files:
  - "*.yaml"
rules:
  - id: DEPLOYMENT_IMAGE_REPOSITORY # !!!
    severity: FAILURE
    message: Deployment must use a valid image repository
    resource: Deployment
    assertions:
      - every:
          key: spec.template.spec.containers
          expressions:
            - key: image
              op: starts-with
              value: "my-company.com/"
(ruleset.yaml)
To try the check, let's save it as check_image_repo.yaml and run it against base-valid.yaml:
$ config-lint -rules check_image_repo.yaml base-valid.yaml
[
  {
    "AssertionMessage": "Every expression fails: And expression fails: image does not start with my-company.com/",
    "Category": "",
    "CreatedAt": "2020-06-04T01:29:25Z",
    "Filename": "test-data/base-valid.yaml",
    "LineNumber": 0,
    "ResourceID": "http-echo",
    "ResourceType": "Deployment",
    "RuleID": "DEPLOYMENT_IMAGE_REPOSITORY",
    "RuleMessage": "Deployment must use a valid image repository",
    "Status": "FAILURE"
  }
]
The check failed. Now let's check the following manifest, which uses a correct image repository:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
      - name: http-echo
        image: my-company.com/http-echo:1.0 # !!!
        args: ["-text", "hello-world"]
        ports:
        - containerPort: 5678
(image-valid-mycompany.yaml)
Let's run the same check on the manifest above. No problems are found:
$ config-lint -rules check_image_repo.yaml image-valid-mycompany.yaml
[]
Config-lint is a promising framework that lets you create your own checks for validating Kubernetes YAML manifests using a YAML DSL.
But what if you need more complex logic and checks? Isn't YAML too limiting for that? What if you could write checks in a full programming language?
4. Copper
However, it differs from the latter in that it does not use YAML to describe checks. Checks are written in JavaScript instead. Copper provides a library with several basic helpers that let you read information about Kubernetes objects and report errors.
Installation steps for Copper can be found at
2.0.1 was the latest release of this utility at the time of the original article.
Like config-lint, Copper has no built-in checks. Let's write one. It will check that Deployments use container images exclusively from trusted repositories such as my-company.com.
Create a file check_image_repo.js with the following content:
$$.forEach(function($){
    if ($.kind === 'Deployment') {
        $.spec.template.spec.containers.forEach(function(container) {
            var image = new DockerImage(container.image);
            if (image.registry.lastIndexOf('my-company.com/') != 0) {
                errors.add_error('no_company_repo',"Image " + $.metadata.name + " is not from my-company.com repo", 1)
            }
        });
    }
});
Now, to check our base-valid.yaml manifest, use the copper validate command:
$ copper validate --in=base-valid.yaml --validator=check_image_repo.js
Check no_company_repo failed with severity 1 due to Image http-echo is not from my-company.com repo
Validation failed
Clearly, copper lets you write more complex checks, for example checking the domain names in Ingress manifests or rejecting pods that run in privileged mode.
Copper has several useful built-in functions:
- DockerImage parses the given image reference and creates an object with the following attributes: name (the image name), tag (the image tag), registry (the image registry), registry_url (the protocol (https://) plus the image registry), fqin (the fully qualified image name).
- The findByName function helps find a resource of a given type (kind) and name (name) in the input file.
- The findByLabels function helps find a resource of a given type (kind) and labels (labels).
You can see all the available helper functions
By default, Copper loads the whole input YAML file into the $$ variable and makes it available to the script (a familiar technique for those with jQuery experience).
Copper's main advantage is obvious: you do not need to learn a special language and can use all the usual JavaScript features, such as string interpolation, functions and so on, to create your own checks.
Note also that the current version of Copper runs on an ES5 JavaScript engine, not ES6.
Details are available at
However, if you are not fond of JavaScript and prefer a language designed specifically for writing queries and declarative policies, you should take a look at conftest.
5. Conftest
Conftest is a framework for testing configuration data. It is also suitable for testing and validating Kubernetes manifests. Checks are described in a dedicated query language
You can install conftest using
At the time of the original article, the latest available version was 0.18.2.
Like config-lint and copper, conftest comes with no built-in checks. Let's try it out and write a policy of our own. As in the previous examples, we will check that container images are pulled from a trusted source.
Create a directory conftest-checks and, inside it, a file named check_image_registry.rego with the following content:
package main

deny[msg] {
  input.kind == "Deployment"
  image := input.spec.template.spec.containers[_].image
  not startswith(image, "my-company.com/")
  msg := sprintf("image '%v' doesn't come from my-company.com repository", [image])
}
Now let's check base-valid.yaml using conftest:
$ conftest test --policy ./conftest-checks base-valid.yaml
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
1 tests, 1 passed, 0 warnings, 1 failure
The check failed, as expected, because the image comes from an untrusted source.
In the Rego file we define a deny block. Whenever it evaluates to true, that counts as a violation. If there are several deny blocks, conftest evaluates them independently of one another, and any block evaluating to true is treated as a violation.
Besides the default output, conftest supports JSON, TAP and table formats, which is very handy if you need to feed reports into an existing CI pipeline. The desired format is set with the --output flag.
To make debugging policies easier, conftest has a --trace flag. It prints a trace of how conftest evaluates the given policy files.
Conftest policies can be published and shared as artifacts through OCI (Open Container Initiative) registries.
The push and pull commands let you publish an artifact or fetch an existing artifact from a remote registry. Let's try publishing the policy we created to a local Docker registry using conftest push.
Start your local Docker registry:
$ docker run -it --rm -p 5000:5000 registry
In another terminal, go to the conftest-checks directory you created earlier and run the following command:
$ conftest push 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
If the command succeeds, you will see a message like this:
2020/06/10 14:25:43 pushed bundle with digest: sha256:e9765f201364c1a8a182ca637bc88201db3417bacc091e7ef8211f6c2fd2609c
Now create a temporary directory and run the conftest pull command in it. It will download the bundle created by the previous command:
$ cd $(mktemp -d)
$ conftest pull 127.0.0.1:5000/amitsaha/opa-bundle-example:latest
A policy subdirectory containing our policy file appears in the temporary directory:
$ tree
.
└── policy
    └── check_image_registry.rego
Checks can also be run directly from the registry:
$ conftest test --update 127.0.0.1:5000/amitsaha/opa-bundle-example:latest base-valid.yaml
..
FAIL - base-valid.yaml - image 'hashicorp/http-echo' doesn't come from my-company.com repository
2 tests, 1 passed, 0 warnings, 1 failure
Unfortunately, DockerHub is not supported yet. So count yourself lucky if you use
The artifact format is the same as
You can read more about policy sharing and other conftest features at
6. Polaris
The last tool discussed in this article
Polaris can be installed into a cluster or used in command-line mode. As you might have guessed, it lets you statically analyze Kubernetes manifests.
In command-line mode, built-in checks are available covering areas such as security and best practices (similar to kube-score). In addition, you can create checks of your own (as with config-lint, copper and conftest).
In other words, Polaris combines the advantages of both categories of tools: built-in and custom checks.
To install Polaris for command-line use, run
At the time of the original article, version 1.0.3 was available.
Once the installation is complete, you can run polaris against the base-valid.yaml manifest with the following command:
$ polaris audit --audit-path base-valid.yaml
It prints a JSON document with a detailed description of the checks performed and their results. The output has the following structure:
{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "test-data/base-valid.yaml",
  "DisplayName": "test-data/base-valid.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 2,
    "Namespaces": 0,
    "Controllers": 2
  },
  "Results": [
    /* long list */
  ]
}
The full output is available
Like kube-score, Polaris identifies the areas where the manifest does not meet best practices:
- No health checks for the pods.
- Container image tags are not specified.
- The container runs as root.
- Memory and CPU requests and limits are not specified.
Each check, depending on its result, is assigned a severity level: warning or danger. To learn more about the available built-in checks, refer to
If you do not need the details, you can pass the --format score flag. In that case, Polaris prints a number from 1 to 100, the score (that is, the result of the audit):
$ polaris audit --audit-path test-data/base-valid.yaml --format score
68
The closer the score is to 100, the higher the level of compliance. If you check the exit code of the polaris audit command, it turns out to be 0.
You can force polaris audit to exit with a non-zero code using two flags:
- The --set-exit-code-below-score flag takes a threshold in the range 1-100 as its argument. The command then exits with code 4 if the score is below the threshold. This is very useful if you have a particular threshold (say 75) and want to be alerted when the score drops below it.
- The --set-exit-code-on-danger flag makes the command fail with code 3 if any of the danger checks fail.
Now let's try to create a custom check that verifies the image is pulled from a trusted repository. Custom checks are specified in YAML, and the check itself is described with JSON Schema.
The following YAML snippet defines a new check called checkImageRepo:
checkImageRepo:
  successMessage: Image registry is valid
  failureMessage: Image registry is not valid
  category: Images
  target: Container
  schema:
    '$schema': http://json-schema.org/draft-07/schema
    type: object
    properties:
      image:
        type: string
        pattern: ^my-company.com/.+$
Let's take a closer look:
- successMessage: this line is printed if the check passes;
- failureMessage: this message is shown if the check fails;
- category: one of the categories Images, Health Checks, Security, Networking and Resources;
- target: determines which kind of object (spec) the check is applied to. Possible values: Container, Pod or Controller;
- the check itself is defined in the schema object using JSON Schema. The key word in this check is pattern, which is used to compare the image source with the required one.
To run the check above, you need to create the following Polaris configuration:
checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$
(polaris-conf.yaml)
Let's go through the file:
- The checks field lists the checks and their severity levels. Since we want to be alerted when an image is pulled from an untrusted source, we set the level to danger.
- The checkImageRepo check itself is then registered in the customChecks object.
Save the file as custom_check.yaml. Now you can run polaris audit against the YAML manifest that needs validating.
Let's check our base-valid.yaml manifest:
$ polaris audit --config custom_check.yaml --audit-path base-valid.yaml
The polaris audit command ran only the custom check defined above, and it failed.
If you change the image to my-company.com/http-echo:1.0, Polaris completes successfully. The modified manifest is in image-valid-mycompany.yaml.
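The trusted-registry rule written above for config-lint, copper and conftest, and again here for Polaris, is a prefix match on the raw image string. As an added example (not code from any of those tools), the following Python applies the same policy to a parsed image reference instead, and shows two inputs on which the raw-string approach and the parsed check disagree; the TRUSTED_REGISTRIES allow-list and SAMPLE_DEPLOYMENT are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Hypothetical allow-list for this example; a registry on a non-default port is
# a distinct host and must be listed separately.
TRUSTED_REGISTRIES = {"my-company.com", "my-company.com:5000"}

# The page's Polaris pattern, kept verbatim: the '.' is unescaped, so it also
# matches any other single character in that position.
POLARIS_PATTERN = re.compile(r"^my-company.com/.+$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(image: str) -> ImageRef:
    """Split an image reference the way container runtimes do.

    The first path component is a registry host only if it contains a '.' or
    ':' or is 'localhost'; otherwise the image lives on docker.io, and a bare
    name such as 'nginx' means 'library/nginx'.
    """
    name, _, digest = image.partition("@")
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    # A ':' marks a tag only when it sits in the last path component
    # (a ':' in the first component is the registry port, split off above).
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        repository, tag = path[:colon], path[colon + 1:]
    else:
        repository, tag = path, None
    if registry == "docker.io" and "/" not in repository:
        repository = "library/" + repository
    return ImageRef(registry, repository, tag, digest or None)


def prefix_check(image: str) -> bool:
    """The starts-with rule used by the page's config-lint, copper and conftest examples."""
    return image.startswith("my-company.com/")


def registry_check(image: str) -> bool:
    """Exact match of the parsed registry host against the allow-list."""
    return parse_image_ref(image).registry in TRUSTED_REGISTRIES


def pinned_by_digest(image: str) -> bool:
    """Digest references are immutable; tags (including 'latest') are not."""
    return parse_image_ref(image).digest is not None


def untrusted_images(deployment: Dict[str, Any]) -> List[str]:
    """Images in a Deployment's containers AND initContainers that fail registry_check."""
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    return [c["image"] for c in pod.get("containers", []) + pod.get("initContainers", [])
            if not registry_check(c["image"])]


# Constructed Deployment: the page's image-valid-mycompany.yaml plus an
# initContainer from Docker Hub, which a rule that only walks containers never sees.
SAMPLE_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "http-echo"},
    "spec": {"selector": {"matchLabels": {"app": "http-echo"}},
             "template": {"metadata": {"labels": {"app": "http-echo"}},
                          "spec": {"initContainers": [{"name": "init", "image": "busybox:1.36"}],
                                   "containers": [{"name": "http-echo",
                                                   "image": "my-company.com/http-echo:1.0"}]}}},
}
```

With these inputs, prefix_check rejects my-company.com:5000/http-echo:1.0 although the host is trusted, while POLARIS_PATTERN accepts my-companyXcom/http-echo:1.0, which actually resolves to docker.io; registry_check gets both cases right.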
Now the question arises: how do you run the built-in and custom checks together? Easy! You just add the identifiers of the built-in checks to the configuration file, which then takes the following form:
checks:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  # Other inbuilt checks..
  # ..
  # custom checks
  checkImageRepo: danger # !!!
customChecks:
  checkImageRepo: # !!!
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^my-company.com/.+$
(config_with_custom_check.yaml)
An example of the full configuration file is available
To check the base-valid.yaml manifest with both the built-in and the custom checks, you can run:
$ polaris audit --config config_with_custom_check.yaml --audit-path base-valid.yaml
Polaris combines built-in and custom checks, bringing together the best of both worlds.
On the other hand, the inability to use more powerful languages such as Rego or JavaScript can be a limiting factor that prevents the creation of complex checks.
More information about Polaris is available at
Summary
Although there are many tools available for checking and validating Kubernetes YAML files, it is important to have a clear picture of how the checks will be designed and run.
For example, if you take Kubernetes manifests passing through a pipeline, kubeval could be the first step in that pipeline. It would verify that object definitions conform to the Kubernetes API schema.
Once that check is complete, one could move on to more sophisticated checks, such as compliance with best practices and specific policies. That is where kube-score and Polaris come in.
For those with complex requirements who need to customize checks in detail, copper, config-lint and conftest are suitable.
Conftest and config-lint use YAML to define custom checks, while copper gives you access to a full programming language, which makes it a very attractive choice.
On the other hand, is it worth using one of these tools and therefore creating every check by hand, or choosing Polaris and adding only what is missing to it? There is no clear answer to this question.
The table below gives a brief description of each tool:
| Tool | Purpose | Limitations | Custom checks |
|---|---|---|---|
| kubeval | Validates YAML manifests against a specific version of the API schema | Cannot work with CRDs | No |
| kube-score | Analyzes YAML manifests against best practices | Cannot choose the Kubernetes API version to check resources against | No |
| copper | A general framework for creating custom JavaScript checks for YAML manifests | No built-in checks. Sparse documentation | Yes |
| config-lint | A general framework for creating checks in a domain-specific language embedded in YAML. Supports various configuration formats (e.g. Terraform) | No ready-made checks. The built-in assertions and functions may be insufficient | Yes |
| conftest | A framework for creating your own checks using Rego (a special query language). Allows sharing policies as OCI bundles | No built-in checks. Rego has to be learned. Docker Hub is not supported for publishing policies | Yes |
| polaris | Analyzes YAML manifests against common best practices. Lets you create your own checks using JSON Schema | Validation capabilities based on JSON Schema may be insufficient | Yes |
Because these tools do not depend on access to a Kubernetes cluster, they are easy to set up. They let you gate source files and give pull request authors quick feedback on their projects.
P.S. from the translator
Read also on our blog:
- «Polaris introduced to keep Kubernetes clusters healthy»;
- «Vim with YAML support for Kubernetes»;
- «7 best practices for working with containers according to Google».
Source: www.habr.com