Install Polaris. Here only the command-line (CLI) mode is installed:
wget https://github.com/FairwindsOps/polaris/releases/download/1.2.1/polaris_1.2.1_linux_amd64.tar.gz
tar -zxf polaris_1.2.1_linux_amd64.tar.gz
mv polaris /usr/local/bin/
Once installed, Polaris can be used to audit base.yaml:
[root@k8s-node001 Test]# polaris audit --audit-path base.yaml
The output is shown below. It is fairly verbose, so only part of it is excerpted here; go through the full analysis yourself.
{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "base.yaml",
  "DisplayName": "base.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 1,
    "Namespaces": 0,
    "Controllers": 1
  },
  "Results": [
    {
      "Name": "http-echo",
      "Namespace": "",
      "Kind": "Deployment",
      "Results": {},
      "PodResult": {
        "Name": "",
        "Results": {
          "hostIPCSet": {
            "ID": "hostIPCSet",
            "Message": "Host IPC is not configured",
            "Success": true,
            "Severity": "danger",
            "Category": "Security"
          ..............
          "tagNotSpecified": {
            "ID": "tagNotSpecified",
            "Message": "Image tag is specified",
            "Success": true,
            "Severity": "danger",
            "Category": "Images"
          }
        }
      }
      ]
      },
      "CreatedTime": "0001-01-01T00:00:00Z"
    }
  ]
}
Alternatively, you can output only the score:
[root@k8s-node001 Test]# polaris audit --audit-path base.yaml --format score
66
The following YAML snippet defines a new check named checkImageRepo:
config_with_custom_check.yaml
checks:
  checkImageRepo: danger
customChecks:
  checkImageRepo:
    successMessage: Image registry is valid
    failureMessage: Image registry is not valid
    category: Images
    target: Container
    schema:
      '$schema':
      type: object
      properties:
        image:
          type: string
          pattern: ^kubeops.net/.+$
Currently the image in base.yaml is: image: docker.io/http-echo:v1.0.0
Let's run the audit with the custom rule:
[root@k8s-node001 Test]# polaris audit --config config_with_custom_check.yaml --audit-path base.yaml
{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "base.yaml",
  "DisplayName": "base.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 1,
    "Namespaces": 0,
    "Controllers": 1
  },
  "Results": [
    {
      "Name": "http-echo",
      "Namespace": "",
      "Kind": "Deployment",
      "Results": {},
      "PodResult": {
        "Name": "",
        "Results": {},
        "ContainerResults": [
          {
            "Name": "http-echo",
            "Results": {
              "checkImageRepo": {
                "ID": "checkImageRepo",
                "Message": "Image registry is not valid",
                "Success": false,
                "Severity": "danger",
                "Category": "Images"
              }
            }
          }
        ]
      },
      "CreatedTime": "0001-01-01T00:00:00Z"
    }
  ]
}
The result shows "Message": "Image registry is not valid", "Success": false.
Now change the image in base.yaml to: image: kubeops.net/http-echo:v1.0.0
and run the audit again:
[root@k8s-node001 Test]# polaris audit --config config_with_custom_check.yaml --audit-path base.yaml
{
  "PolarisOutputVersion": "1.0",
  "AuditTime": "0001-01-01T00:00:00Z",
  "SourceType": "Path",
  "SourceName": "base.yaml",
  "DisplayName": "base.yaml",
  "ClusterInfo": {
    "Version": "unknown",
    "Nodes": 0,
    "Pods": 1,
    "Namespaces": 0,
    "Controllers": 1
  },
  "Results": [
    {
      "Name": "http-echo",
      "Namespace": "",
      "Kind": "Deployment",
      "Results": {},
      "PodResult": {
        "Name": "",
        "Results": {},
        "ContainerResults": [
          {
            "Name": "http-echo",
            "Results": {
              "checkImageRepo": {
                "ID": "checkImageRepo",
                "Message": "Image registry is valid",
                "Success": true,
                "Severity": "danger",
                "Category": "Images"
              }
            }
          }
        ]
      },
      "CreatedTime": "0001-01-01T00:00:00Z"
    }
  ]
}
The output now shows "Message": "Image registry is valid", "Success": true; the check passes.
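To make the mechanics of the checkImageRepo rule concrete, here is an added example (my own code, not Polaris's) that re-implements the custom check's semantics in Python: it applies the page's JSON Schema pattern to each container image and produces a result entry shaped like the ContainerResults above, reproducing both the failing run (docker.io image) and the passing run (kubeops.net image). STRICT_PATTERN is my addition: the page's pattern leaves the "." unescaped, so it does not pin the registry host exactly.

```python
import copy
import re

# Constructed sample input: the http-echo Deployment from the page's base.yaml,
# already parsed into a dict so no YAML library is needed. The image is the
# value the page shows before the fix.
BASE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "http-echo"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "http-echo", "image": "docker.io/http-echo:v1.0.0"},
    ]}}},
}

# The fields of the page's checkImageRepo check that decide the outcome;
# `pattern` is the JSON Schema pattern from config_with_custom_check.yaml.
CHECK_IMAGE_REPO = {
    "id": "checkImageRepo", "severity": "danger", "category": "Images",
    "successMessage": "Image registry is valid",
    "failureMessage": "Image registry is not valid",
    "pattern": r"^kubeops.net/.+$",
}

# Hardened variant (assumption, not from the page): the unescaped "." in the
# page's pattern matches any character, so it does not pin the registry host exactly.
STRICT_PATTERN = r"^kubeops\.net/.+$"


def image_matches(image: str, pattern: str) -> bool:
    """JSON Schema `pattern` uses search semantics; the page's pattern anchors itself."""
    return re.search(pattern, image) is not None


def run_check(container: dict, check: dict) -> dict:
    """Evaluate one check against one container, shaped like a Polaris result entry."""
    ok = image_matches(container.get("image", ""), check["pattern"])
    return {"ID": check["id"], "Success": ok, "Severity": check["severity"],
            "Category": check["category"],
            "Message": check["successMessage"] if ok else check["failureMessage"]}


def audit_deployment(deployment: dict, check: dict) -> list:
    """Mirror Polaris's ContainerResults: one entry per container in the pod template."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return [{"Name": c["name"], "Results": {check["id"]: run_check(c, check)}} for c in containers]


def with_image(deployment: dict, image: str) -> dict:
    """Copy the Deployment with its first container's image replaced (the page's fix step)."""
    fixed = copy.deepcopy(deployment)
    fixed["spec"]["template"]["spec"]["containers"][0]["image"] = image
    return fixed
```

Calling audit_deployment(BASE_DEPLOYMENT, CHECK_IMAGE_REPO) yields Success false, and the same call on with_image(BASE_DEPLOYMENT, "kubeops.net/http-echo:v1.0.0") yields Success true, matching the two Polaris runs above.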
For more usage, see
Summary
Although there are many tools for validating, scoring and linting Kubernetes YAML files, it is important to have a sound model for designing and running the checks.
For example, if you are considering Kubernetes manifests flowing through a pipeline, kubeval could be the first step in that pipeline, since it validates whether the object definitions conform to the Kubernetes API schema. Once that check succeeds, you can move on to more thorough tests such as standard best practices and custom policies.
Kube-score and Polaris are good choices here.
If you have complex requirements and want to customize the details of the checks, consider copper, config-lint and conftest.
While both conftest and config-lint use more YAML to define custom validation rules, Copper gives you access to a real programming language, which makes it quite attractive.
But should you pick one of those and write all of your checks from scratch, or use Polaris and only write the additional custom checks?
That is up to you; whatever fits your situation best is the right choice.