用KubeLinter找到並修復你的Helm chart和Kubernetes配置文件中的錯誤。
KubeLinter是Stackrox發佈的一個開源項目,用於分析Kubernetes的YAML文件,以發現安全問題和錯誤代碼。該工具能夠分析Helm charts和Kubernetes編排文件、Knative文件。使用它可以改進本地雲開發、減少開發時間,並鼓勵DevOps最佳實踐。
下載和安裝
在本教程中,我使用了Pop_OS!20.10, Helm 3,Go1.13.8,和Minikube Kubernetes 1.19。
有幾個選項可以安裝KubeLinter。
你可以從Git倉庫手動安裝:
$ git clone [email protected]:stackrox/kube-linter.git
$ cd kube-linter && make build
$ .gobin/kube-linter version
如果你使用的是Homebrew,你可以使用brew命令來安裝:
$ brew install kube-linter
你也可以用Go安裝它(就像我說的那樣):
$ GO111MODULE=on go get golang.stackrox.io/kube-linter/cmd/kube-linter
go: finding golang.stackrox.io/kube-linter latest
go: downloading golang.stackrox.io/kube-linter v0.0.0-20201204022312-475075c74675
go: extracting golang.stackrox.io/kube-linter v0.0.0-20201204022312-475075c74675
[...]
安裝完成後,你必須在~/.bashrc中創建一個別名:
$ echo "alias kube-linter=$HOME/go/bin/kube-linter" >> ~/.bashrc
$ source ~/.bashrc
Helm與KubeLinter
現在工具安裝好了,在一個Helm chart上嘗試一下。首先,以一個乾淨的構建和一些小的配置更改啓動Minikube:
$ minikube config set kubernetes-version v1.19.0
$ minikube config set memory 8000
❗ These changes will take effect upon a minikube delete and then a minikube start
$ minikube config set cpus 12
❗ These changes will take effect upon a minikube delete and then a minikube start
$ minikube delete
🔥 Deleting "minikube" in docker ...
🔥 Deleting container "minikube" ...
🔥 Removing /home/jess/.minikube/machines/minikube ...
💀 Removed all traces of the "minikube" cluster.
$ minikube start
😄 minikube v1.14.2 on Debian bullseye/sid
✨ Using the docker driver based on user configuration
👍 Starting control plane node minikube in cluster minikube
🎉 minikube 1.15.1 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.15.1
💡 To disable this notice, run: 'minikube config set WantUpdateNotification false'
💾 Downloading Kubernetes v1.19.0 preload ...
一旦一切都開始運行,創建一個名爲first_test的Helm chart示例:
$ helm create first_test
Creating first_test
$ ls
first_test
用新的未編輯的Helm chart測試KubeLinter。運行kube-linter命令查看可用的命令和標誌:
$ kube-linter
Usage:
/home/jess/go/bin/kube-linter [command]
Available Commands:
checks View more information on lint checks
help Help about any command
lint Lint Kubernetes YAML files and Helm charts
templates View more information on check templates
version Print version and exit
Flags:
-h, --help help for /home/jess/go/bin/kube-linter
Use "/home/jess/go/bin/kube-linter [command] --help" for more information about a command.
然後測試基本的lint命令對示例圖表的作用。你會有很多錯誤,所以我將抓取一些問題的片段:
$ kube-linter lint first_test/
first_test/first_test/templates/deployment.yaml: (object: <no namespace>/test-release-first_test apps/v1, Kind=Deployment) container "first_test" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.)
first_test/first_test/templates/deployment.yaml: (object: <no namespace>/test-release-first_test apps/v1, Kind=Deployment) container "first_test" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number, and runAsNonRoot to true, in your pod or container securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.)
[...]
Error: found 12 lint errors
爲了簡潔起見,我選擇了兩個易於修復的安全問題。隨着時間的推移,隨着您測試的次數的增加,您將能夠修復您發現的任何問題。
kube-linter輸出提供了關於所需修復的提示。例如,第一個錯誤:
remediation: Set readOnlyRootFilesystem to true in your container's securityContext.
下一步很清楚:打開values.yaml。yaml文件在一個文本編輯器(我使用Vi,但你可以使用任何你喜歡的)和找到securityContext部分:
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
取消該section的註釋並刪除括號:
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
保存文件並重新運行linter。這些錯誤不再顯示在列表中,錯誤計數也發生了變化。
恭喜你!您已經解決了Helm chart的安全問題!
KubeLinter與Kubernetes
這個示例使用我上一篇關於Knative的文章中的一個應用程序文件來測試Kubernetes配置文件。我已經啓動並運行了Knative,所以如果它沒有在您的系統上運行,您可能需要查看一下這篇文章。我爲這個例子下載了Kourier服務的YAML文件:
$ ls
kourier.yaml first_test
首先,對kourier.yaml運行linter。這裏還有幾個問題。我將重點關注資源問題:
$ kube-linter lint kourier.yaml
kourier.yaml: (object: kourier-system/3scale-kourier-gateway apps/v1, Kind=Deployment) container "kourier-gateway" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.)
kourier.yaml: (object: kourier-system/3scale-kourier-gateway apps/v1, Kind=Deployment) container "kourier-gateway" has memory request 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.)
Error: found 12 lint errors
由於這是一個單獨的deployment文件,您可以直接編輯它。在文本編輯器中打開它,並更改文件中的值。這個文件很長,所以我將只包括需要更改的部分。開始修改deployment文件:
apiVersion: apps/v1
kind: Deployment
metadata:
name: 3scale-kourier-gateway
namespace: kourier-system
labels:
networking.knative.dev/ingress-provider: kourier
[...]
容器編排文件部分有一些問題:
spec:
containers:
- args:
- --base-id 1
- -c /tmp/config/envoy-bootstrap.yaml
- --log-level info
command:
- /usr/local/bin/envoy
image: docker.io/maistra/proxyv2-ubi8:1.1.5
imagePullPolicy: Always
name: kourier-gateway
ports:
- name: http2-external
containerPort: 8080
protocol: TCP
- name: http2-internal
containerPort: 8081
protocol: TCP
- name: https-external
containerPort: 8443
protocol: TCP
在容器配置中添加一些規範:
spec:
containers:
- args:
- --base-id 1
- -c /tmp/config/envoy-bootstrap.yaml
- --log-level info
command:
- /usr/local/bin/envoy
image: docker.io/maistra/proxyv2-ubi8:1.1.5
imagePullPolicy: Always
name: kourier-gateway
ports:
- name: http2-external
containerPort: 8080
protocol: TCP
- name: http2-internal
containerPort: 8081
protocol: TCP
- name: https-external
containerPort: 8443
protocol: TCP
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
當你重新運行linter時,你會注意到這些問題不再顯示在輸出中,錯誤計數改變了:
Error: found 8 lint errors
恭喜你!您的Kubernetes文件中有預設的資源問題!
最後的感想
KubeLinter是一個強大的工具,也是啓動一個新的DevOps進程來保護和管理所有Kubernetes和應用程序配置的大好機會。將此功能添加到自動化測試中,可以加快環境部署和DevOps運行週期。
我認爲KubeLinter最棒的地方在於,每個錯誤消息都包含了文檔,所以即使您不知道錯誤檢測輸出是什麼意思,文檔也可以幫助您提前學習和計劃。我推薦這個工具用於日常使用和處理代碼問題追溯。
推薦
本文分享自微信公衆號 - 雲原生技術愛好者社區(programmer_java)。
如有侵權,請聯繫 [email protected] 刪除。
本文參與“OSC源創計劃”,歡迎正在閱讀的你也加入,一起分享。