Polaris custom check rules


Polaris features

Polaris is a health-check component that finds problems in a cluster by analysing its deployment configuration. Its goal is not only to find problems but also to offer ways to avoid them, so that the cluster stays in a healthy state. The main features of Polaris are described below.

Polaris consists of three components, each with its own role:

  • Dashboard – shows the state of the current Kubernetes workloads, and where they can be improved, in chart form.
  • Webhook – blocks applications that do not meet the standard from being installed in the cluster.
  • CLI – checks local YAML files; can be used together with CI/CD.

For a more detailed introduction and installation instructions, refer to this article; this post focuses on how to use custom check rules.

Built-in check rules

key                    default   description
cpuRequestsMissing     warning   Fails when the resources.requests.cpu attribute is not configured.
memoryRequestsMissing  warning   Fails when the resources.requests.memory attribute is not configured.
cpuLimitsMissing       warning   Fails when the resources.limits.cpu attribute is not configured.
memoryLimitsMissing    warning   Fails when the resources.limits.memory attribute is not configured.

The built-in checks only verify whether requests and limits are configured at all. For finer-grained checks, such as restricting the configured values to a range or verifying that requests and limits are equal, custom check rules are needed.

Custom check rules

We can already define our own scan configuration to match the needs of a project. If the checks Polaris ships with do not cover a requirement, we can also define custom checks.

Basic example

Disallow images from quay.io

checks:
  imageRegistry: warning

customChecks:
  imageRegistry:
    successMessage: Image comes from allowed registries
    failureMessage: Image should not be from disallowed registry
    category: Security
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          not:
            pattern: ^quay.io

Templating

Go templates can be used inside the JSON schema so that one field can be matched against another. For example, here is the built-in check that ensures the name label matches the object's name:

successMessage: Label app.kubernetes.io/name matches metadata.name
failureMessage: Label app.kubernetes.io/name must match metadata.name
target: Controller
schema:
  '$schema': http://json-schema.org/draft-07/schema
  type: object
  properties:
    metadata:
      type: object
      required: ["labels"]
      properties:
        labels:
          type: object
          required: ["app.kubernetes.io/name"]
          properties:
            app.kubernetes.io/name:
              const: "{{ .metadata.name }}"

The full Go template syntax is also available. For example, this check ensures that at least one of the object's labels is present in matchLabels:

schemaString: |
  type: object
  properties:
    spec:
      type: object
      required: ["selector"]
      properties:
        selector:
          type: object
          required: ["matchLabels"]
          properties:
            matchLabels:
              type: object
              anyOf:
              {{ range $key, $value := .metadata.labels }}
              - properties:
                  "{{ $key }}":
                    type: string
                    const: {{ $value }}
                required: ["{{ $key }}"]
              {{ end }}

Examples

Restricting limits to a value range

# Set the severity level of the rule
checks:
  resourceLimits: warning
customChecks:
  resourceLimits:
    containers:
      exclude:
      - initContainer
    successMessage: Resource limits are within the required range
    failureMessage: Resource limits should be within the required range
    category: Resources
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      required:
      - resources
      properties:
        resources:
          type: object
          required:
          - limits
          properties:
            limits:
              type: object
              required:
              - memory
              - cpu
              properties:
                memory:
                  type: string
                  resourceMinimum: 100M
                  resourceMaximum: 6G
                cpu:
                  type: string
                  resourceMinimum: 100m
                  resourceMaximum: "2"

Checking whether requests and limits are equal

We can define a custom rule that checks whether the requests and limits configured on a workload are equal, and raises a warning when they are not.

# Set the severity level of the rules
checks:
  cpuReqLimitEqual: warning
  memReqLimitEqual: warning
# Custom check rules
customChecks:
  cpuReqLimitEqual:
    successMessage: CPU requests and limits are equal
    failureMessage: CPU requests and limits should be equal
    category: Resources
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      required:
      - resources
      properties:
        resources:
          type: object
          required:
          - limits
          properties:
            limits:
              type: object
              required:
              - cpu
              properties:
                cpu:
                  type: string
                  const: "{{ .Polaris.Container.resources.requests.cpu }}"
  memReqLimitEqual:
    successMessage: Memory requests and limits are equal
    failureMessage: Memory requests and limits should be equal
    category: Resources
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      required:
      - resources
      properties:
        resources:
          type: object
          required:
          - limits
          properties:
            limits:
              type: object
              required:
              - memory
              properties:
                memory:
                  type: string
                  const: "{{ .Polaris.Container.resources.requests.memory }}"

Note the const value {{ .Polaris.Container.resources.requests.memory }}: it stands for the request value of each container being checked. When target is Container, the container object currently under inspection can be accessed directly through .Polaris.Container.

The following are supported in the same way:

  • target: PodSpec : .Polaris.PodSpec
  • target: PodTemplate: .Polaris.PodTemplate
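To see what the two custom checks above actually enforce, here is an added Python example (not Polaris' own code) that evaluates the same rules against a container spec: a Kubernetes quantity parser, the resourceLimits range check, and the request-equals-limit check. It assumes that resourceMinimum/resourceMaximum are inclusive bounds and compares quantities numerically; the sample container is constructed for the example.

```python
import re
from fractions import Fraction

# Kubernetes quantity suffixes: milli, decimal SI and binary (Ki/Mi/...).
_SUFFIX = {"": 1, "m": Fraction(1, 1000), "k": 10**3, "M": 10**6, "G": 10**9,
           "T": 10**12, "P": 10**15, "E": 10**18, "Ki": 2**10, "Mi": 2**20,
           "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60}
_QTY = re.compile(r"^([0-9]+(?:\.[0-9]+)?)(Ki|Mi|Gi|Ti|Pi|Ei|[kMGTPEm]?)$")


def parse_quantity(q):
    """Turn a quantity such as '100m', '6G', '512Mi' or '2' into an exact Fraction."""
    m = _QTY.match(str(q).strip())
    if not m:
        raise ValueError(f"unparseable quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2)]


def check_limit_range(container, bounds):
    """Mirror of the resourceLimits check: each resource in `bounds` needs a limit
    inside [minimum, maximum] (inclusive; an assumption about Polaris' keywords).
    Returns failure messages; an empty list means the check passed."""
    limits = container.get("resources", {}).get("limits", {})
    failures = []
    for res, (lo, hi) in bounds.items():
        if res not in limits:
            failures.append(f"{res}: limit missing")
        elif not parse_quantity(lo) <= parse_quantity(limits[res]) <= parse_quantity(hi):
            failures.append(f"{res}: limit {limits[res]} outside [{lo}, {hi}]")
    return failures


def check_request_equals_limit(container, resources=("cpu", "memory")):
    """Mirror of cpuReqLimitEqual/memReqLimitEqual: the limit must equal the
    request of the same container (what {{ .Polaris.Container... }} selects).
    Quantities are compared numerically here, which is an assumption."""
    r = container.get("resources", {})
    failures = []
    for res in resources:
        req, lim = r.get("requests", {}).get(res), r.get("limits", {}).get(res)
        if req is None or lim is None or parse_quantity(req) != parse_quantity(lim):
            failures.append(f"{res}: request {req!r} != limit {lim!r}")
    return failures


# Constructed sample: CPU limit above the 2-core maximum, memory limit != request.
SAMPLE_CONTAINER = {"name": "app", "resources": {
    "requests": {"cpu": "2500m", "memory": "256Mi"},
    "limits": {"cpu": "2500m", "memory": "512Mi"}}}
BOUNDS = {"memory": ("100M", "6G"), "cpu": ("100m", "2")}
```

Running check_limit_range(SAMPLE_CONTAINER, BOUNDS) reports the CPU limit as out of range, and check_request_equals_limit(SAMPLE_CONTAINER) reports the memory mismatch, matching what Polaris would flag for the same container.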

mervinwang
Copyright notice: an original article on this site, published by mervinwang on 2023-04-21, 3645 characters in total.
Reprint notice: unless otherwise stated, articles on this site are published under the CC-4.0 license; please credit the source when reprinting.