推薦一款Kubernetes YAML文件靜態分析工具KubeLinter
在 Kubernetes 的世界中,我們使用 YAML 文件,對其進行部署以創建各種 Kubernetes 對象,但挑戰在于編寫它們時是否遵循最佳實踐?我們使用的是正確的標準配置集嗎?在部署應用程序甚至 Helm 圖表之前,可以檢查 YAML 嗎?所有這些問題的答案都是肯定的,我們可以。2020年10月28日,StackRox 引入了一個名為 KubeLinter 的新開源工具,旨在識別 YAML 文件中的任何錯誤配置。
根據定義,KubeLinter 是一個靜態分析工具,用于檢查 Kubernetes YAML 文件和 Helm 圖表,以確保其中所代表的應用程序遵循最佳實踐。將 YAML 文件提供給該工具后,它將通過內置檢查運行,然后詳細報告任何錯誤以及解決這些錯誤的補救措施。關于此工具的最好之處在于它是可配置和可擴展的:可以啟用或禁用內置檢查,并且您可以定義和使用自己的自定義檢查。
用法
我將在 Mac 上安裝 KubeLinter,但只需下載適用于您操作系統的發行版,即可將相同的說明用于Linux。
你可以從https://github.com/stackrox/kube-linter/releases/下載 KubeLinter CLI,如下所示:
- $ curl -LO https://github.com/stackrox/kube-linter/releases/download/0.1.1/kube-linter-darwin.zip
- $ unzip kube-linter-darwin.zip
- $ mv kube-linter /usr/local/bin
- #check if it's working
- $ kube-linter version
- 0.1.1
現在,為了簡單地檢查單個 YAML 文件,只需提供 YAML 文件名。假設 deploy.yaml 您要檢查以下文件,以檢查其當前目錄中保存的最佳安全性和配置做法:
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: portainer
- namespace: portainer
- labels:
- io.portainer.kubernetes.application.stack: portainer
- app.kubernetes.io/name: portainer
- app.kubernetes.io/instance: portainer
- app.kubernetes.io/version: "2.0.0"
- spec:
- replicas: 1
- strategy:
- type: "Recreate"
- selector:
- matchLabels:
- app.kubernetes.io/name: portainer
- app.kubernetes.io/instance: portainer
- template:
- metadata:
- labels:
- app.kubernetes.io/name: portainer
- app.kubernetes.io/instance: portainer
- spec:
- serviceAccountName: portainer-sa-clusteradmin
- volumes:
- - name: "data"
- persistentVolumeClaim:
- claimName: portainer
- containers:
- - name: portainer
- image: "portainer/portainer-ce:latest"
- imagePullPolicy: IfNotPresent
- args: [ '--tunnel-port','30776' ]
- volumeMounts:
- - name: data
- mountPath: /data
- ports:
- - name: http
- containerPort: 9000
- protocol: TCP
- - name: tcp-edge
- containerPort: 8000
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /
- port: 9000
- readinessProbe:
- httpGet:
- path: /
- port: 9000
- resources:
- {}
讓我們進行測試 kube-linter lint deploy.yaml。我們應該得到如下輸出:
- deploy.yaml: (object: portainer/portainer apps/v1, Kind=Deployment) container "portainer" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.)
- deploy.yaml: (object: portainer/portainer apps/v1, Kind=Deployment) serviceAccount "portainer-sa-clusteradmin" not found (check: non-existent-service-account, remediation: Make sure to create the service account, or to refer to an existing service account.)
- deploy.yaml: (object: portainer/portainer apps/v1, Kind=Deployment) container "portainer" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number, and runAsNonRoot to true, in your pod or container securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.)
- deploy.yaml: (object: portainer/portainer apps/v1, Kind=Deployment) container "portainer" has cpu request 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.)
- deploy.yaml: (object: portainer/portainer apps/v1, Kind=Deployment) container "portainer" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.)
- deploy.yaml: (object: portainer/portainer apps/v1, Kind=Deployment) container "portainer" has memory request 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.)
- deploy.yaml: (object: portainer/portainer apps/v1, Kind=Deployment) container "portainer" has memory limit 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.)
- Error: found 7 lint errors
檢測類型
如您所見,YAML 文件中發現了錯誤,每個錯誤都有明確的補救步驟。
如果您想看一下內置檢查,可以在https://github.com/stackrox/kube-linter/blob/main/docs/genic/checks.md中列出所有這些檢查,或者也可以使用 KubeLinter 查看清單:
- $ kube-linter checks list
- Name: dangling-service
- Description: Alert on services that don't have any matching deployments
- Remediation: Make sure your service's selector correctly matches the labels on one of your deployments.
- Template: dangling-service
- Parameters: map[]
- Enabled by default: true
- ------------------------------
- Name: default-service-account
- Description: Alert on pods that use the default service account
- Remediation: Create a dedicated service account for your pod. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for more details.
- Template: service-account
- Parameters: map[serviceAccount:^(|default)$]
- Enabled by default: false
- |
- |
- |
- and many more
忽略檢測
您可以使用以下注釋忽略針對 YAML 文件的特定檢查,也可以根據需要忽略檢查組:
- ignore-check.kube-linter.io/<check-name>
例如:
- ignore-check.kube-linter.io/unset-cpu-requirements
您可以像上面這樣在上面的部署文件示例中添加忽略檢查規則:
- metadata:
- name: portainer
- namespace: portainer
- labels:
- io.portainer.kubernetes.application.stack: portainer
- app.kubernetes.io/name: portainer
- app.kubernetes.io/instance: portainer
- app.kubernetes.io/version: "2.0.0"
- annotations:
- ignore-check.kube-linter.io/unset-cpu-requirements : "cpu requirements not required"
現在,當您 kube-linter lint deploy.yaml 再次運行時,您應該不會看到與 CPU 要求相關的錯誤提示。
使用配置運行
KubeLinter 也可以使用配置運行,您可以在其中提供要包含/排除的所有檢測信息。以下是存儲庫中的示例配置:
- # customChecks defines custom checks.
- customChecks:
- - name: "required-label-app"
- template: "required-label"
- params:
- key: "app"
- checks:
- # if doNotAutoAddDefaults is true, default checks are not automatically added.
- doNotAutoAddDefaults: false
- # addAllBuiltIn, if set, adds all built-in checks. This allows users to
- # explicitly opt-out of checks that are not relevant using Exclude.
- # Takes precedence over doNotAutoAddDefaults, if both are set.
- addAllBuiltIn: false
- # include explicitly adds checks, by name. You can reference any of the built-in checks.
- # Note that customChecks defined above are included automatically.
- include:
- - "required-label-owner"
- # exclude explicitly excludes checks, by name. exclude has the highest priority: if a check is
- # in exclude, then it is not considered, even if it is in include as well.
- exclude:
- - "privileged"
如果你運行kubelinter --config config lint deploy.yaml,其中 config 與上述配置的文件,你應該可以看到添加了需要標簽的檢查:
deploy.yaml: (object: portainer/portainer apps/v1, Kind=Deployment) no label matching "owner=<any>" found (check: required-label-owner, remediation: Add an email annotation to your object with information about the object's owner.)
當內置到 CI 管道中時,KubeLinter 可以證明是非常有用的工具。可以檢查和驗證推送到存儲庫中的編排文件,以獲取最佳實踐和安全考慮,并在檢測到問題時生成警報。
這樣,可以將部署到集群的應用程序進行健康的就緒檢查。該項目處于 Alpha 階段,但有望作為 CI 集成工具在實際部署到生產之前驗證所有部署。
