KubeLinter|K8s YAML和Helm charts最佳分析工具

用户5166556

发布于 2023-03-18 11:47:47

5300

发布于 2023-03-18 11:47:47

用KubeLinter找到并修复你的Helm chart和Kubernetes配置文件中的错误。

KubeLinter是Stackrox发布的一个开源项目，用于分析Kubernetes的YAML文件，以发现安全问题和错误代码。该工具能够分析Helm charts和Kubernetes编排文件、Knative文件。使用它可以改进本地云开发、减少开发时间，并鼓励DevOps最佳实践。

下载和安装

在本教程中，我使用了Pop_OS!20.10, Helm 3，Go1.13.8，和Minikube Kubernetes 1.19。

有几个选项可以安装KubeLinter。

你可以从Git仓库手动安装:

$ git clone git@github.com:stackrox/kube-linter.git
$ cd kube-linter && make build
$ .gobin/kube-linter version

如果你使用的是Homebrew，你可以使用brew命令来安装:

$ brew install kube-linter

你也可以用Go安装它(就像我说的那样):

$ GO111MODULE=on go get golang.stackrox.io/kube-linter/cmd/kube-linter
go: finding golang.stackrox.io/kube-linter latest
go: downloading golang.stackrox.io/kube-linter v0.0.0-20201204022312-475075c74675
go: extracting golang.stackrox.io/kube-linter v0.0.0-20201204022312-475075c74675
[...]

安装完成后，你必须在~/.bashrc中创建一个别名:

$ echo "alias kube-linter=$HOME/go/bin/kube-linter" >> ~/.bashrc
$ source ~/.bashrc

Helm与KubeLinter

现在工具安装好了，在一个Helm chart上尝试一下。首先，以一个干净的构建和一些小的配置更改启动Minikube:

$ minikube config set kubernetes-version v1.19.0
$ minikube config set memory 8000
❗  These changes will take effect upon a minikube delete and then a minikube start
$ minikube config set cpus 12
❗  These changes will take effect upon a minikube delete and then a minikube start
$ minikube delete
🔥  Deleting "minikube" in docker ...
🔥  Deleting container "minikube" ...
🔥  Removing /home/jess/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.

$ minikube start
😄  minikube v1.14.2 on Debian bullseye/sid
✨  Using the docker driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🎉  minikube 1.15.1 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.15.1
💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'

💾  Downloading Kubernetes v1.19.0 preload ...

一旦一切都开始运行，创建一个名为first_test的Helm chart示例:

$ helm create first_test
Creating first_test
$ ls
first_test

用新的未编辑的Helm chart测试KubeLinter。运行kube-linter命令查看可用的命令和标志:

$ kube-linter
Usage:
  /home/jess/go/bin/kube-linter [command]

Available Commands:
  checks      View more information on lint checks
  help        Help about any command
  lint        Lint Kubernetes YAML files and Helm charts
  templates   View more information on check templates
  version     Print version and exit

Flags:
  -h, --help   help for /home/jess/go/bin/kube-linter

Use "/home/jess/go/bin/kube-linter [command] --help" for more information about a command.

然后测试基本的lint命令对示例图表的作用。你会有很多错误，所以我将抓取一些问题的片段:

$ kube-linter lint first_test/

first_test/first_test/templates/deployment.yaml: (object: <no namespace>/test-release-first_test apps/v1, Kind=Deployment) container "first_test" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.)

first_test/first_test/templates/deployment.yaml: (object: <no namespace>/test-release-first_test apps/v1, Kind=Deployment) container "first_test" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number, and runAsNonRoot to true, in your pod or container securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.)
[...]
Error: found 12 lint errors

为了简洁起见，我选择了两个易于修复的安全问题。随着时间的推移，随着您测试的次数的增加，您将能够修复您发现的任何问题。

kube-linter输出提供了关于所需修复的提示。例如，第一个错误:

remediation: Set readOnlyRootFilesystem to true in your container's securityContext.

下一步很清楚:打开values.yaml。yaml文件在一个文本编辑器(我使用Vi，但你可以使用任何你喜欢的)和找到securityContext部分:

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

取消该section的注释并删除括号:

securityContext:
   capabilities:
     drop:
    - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1000

保存文件并重新运行linter。这些错误不再显示在列表中，错误计数也发生了变化。

恭喜你!您已经解决了Helm chart的安全问题!

KubeLinter与Kubernetes

这个示例使用我上一篇关于Knative的文章中的一个应用程序文件来测试Kubernetes配置文件。我已经启动并运行了Knative，所以如果它没有在您的系统上运行，您可能需要查看一下这篇文章。我为这个例子下载了Kourier服务的YAML文件:

$ ls
kourier.yaml   first_test

首先，对kourier.yaml运行linter。这里还有几个问题。我将重点关注资源问题:

$ kube-linter lint kourier.yaml

kourier.yaml: (object: kourier-system/3scale-kourier-gateway apps/v1, Kind=Deployment) container "kourier-gateway" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.)

kourier.yaml: (object: kourier-system/3scale-kourier-gateway apps/v1, Kind=Deployment) container "kourier-gateway" has memory request 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for more details.)

Error: found 12 lint errors

由于这是一个单独的deployment文件，您可以直接编辑它。在文本编辑器中打开它，并更改文件中的值。这个文件很长，所以我将只包括需要更改的部分。开始修改deployment文件:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: 3scale-kourier-gateway
  namespace: kourier-system
  labels:
    networking.knative.dev/ingress-provider: kourier
[...]

容器编排文件部分有一些问题:

 spec:
      containers:
      - args:
       - --base-id 1
        - -c /tmp/config/envoy-bootstrap.yaml
        - --log-level info
        command:
       - /usr/local/bin/envoy
        image: docker.io/maistra/proxyv2-ubi8:1.1.5
        imagePullPolicy: Always
        name: kourier-gateway
        ports:
        - name: http2-external
          containerPort: 8080
          protocol: TCP
        - name: http2-internal
          containerPort: 8081
          protocol: TCP
        - name: https-external
          containerPort: 8443
          protocol: TCP

在容器配置中添加一些规范:

spec:
      containers:
      - args:
       - --base-id 1
        - -c /tmp/config/envoy-bootstrap.yaml
        - --log-level info
        command:
       - /usr/local/bin/envoy
        image: docker.io/maistra/proxyv2-ubi8:1.1.5
        imagePullPolicy: Always
        name: kourier-gateway
        ports:
        - name: http2-external
          containerPort: 8080
          protocol: TCP
        - name: http2-internal
          containerPort: 8081
          protocol: TCP
        - name: https-external
          containerPort: 8443
          protocol: TCP
 resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 100m
      memory: 128Mi

当你重新运行linter时，你会注意到这些问题不再显示在输出中，错误计数改变了:

Error: found 8 lint errors

恭喜你!您的Kubernetes文件中有预设的资源问题!

最后的感想

KubeLinter是一个强大的工具，也是启动一个新的DevOps进程来保护和管理所有Kubernetes和应用程序配置的大好机会。将此功能添加到自动化测试中，可以加快环境部署和DevOps运行周期。

我认为KubeLinter最棒的地方在于，每个错误消息都包含了文档，所以即使您不知道错误检测输出是什么意思，文档也可以帮助您提前学习和计划。我推荐这个工具用于日常使用和处理代码问题追溯。