Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Going Beyond CI/CD with Prow

Leonardo Di Donato
August 20, 2020
Technology
0
210

Going Beyond CI/CD with Prow

One of the most untold secrets is how hard and important is to automate the whole set of workflows around the code, not only the testing phase. We were able to use the native Kubernetes CI/CD system - Prow - to solve CI/CD for Falco. Furthermore we discovered that Prow does much more than CI/CD! Join us to find out what! You will walk away with a deep technical knowledge of Prow and how we were able to implement internally so you can too.

We’ll see how to correctly setup and deploy Prow on a Kubernetes instance. How to link it to a bot account. How to hook Prow to GitHub organizations and repositories, how to establish an automated governance process for the Open Source by configuring multiple Prow plugins.

Finally, the audience will learn how to create its own custom plugins in order to lint commit messages and code.

KubeCon + CloudNativeCon 2020 Europe

Leonardo Di Donato

August 20, 2020
Tweet

More Decks by Leonardo Di Donato

See All by Leonardo Di Donato
Coverage for eBPF programs
leodido
2
420
Scheduling eBPF on K8S doesn't have to be difficult
leodido
0
260
FalcOMG That's Awesome
leodido
0
250
Bypass Falco
leodido
0
200
Falco: runtime security analysis through syscalls
leodido
2
620
Designing a gRPC Interface for Kernel Tracing with eBPF
leodido
0
500
Falco, runtime security analysis through syscalls
leodido
0
310
Cloud Native eBPF Instrumentation
leodido
7
810
Go eBPF superpowers
leodido
0
410

Other Decks in Technology

See All in Technology
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
2.6k
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
350
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
170
KubeCon EU 2024 Recap “Kubernetes Policy Time Machine: Where to Next?”
ryysud
0
220
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
360
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
670
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
260
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
1
120
本当のAWS基礎
toru_kubota
0
530
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
260
生成AIの変革の時代に、 直近1年で直面した課題とその解決策
ktc_wada
0
310
オーナーシップを持つ領域を明確にする
konifar
13
3.2k

Featured

See All Featured
A Modern Web Designer's Workflow
chriscoyier
689
190k
Building Your Own Lightsaber
phodgson
99
5.7k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Scaling GitHub
holman
457
140k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M
Thoughts on Productivity
jonyablonski
58
3.8k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
What's new in Ruby 2.0
geeforr
337
31k

Transcript

  1. Going Beyond CI/CD with Prow @leodido

  2. Leonardo Di Donato Open Source Software Engineer Falco Maintainer @leodido

    2 extra points to who spots the meaning of this Italian hand-gesture! Whoami!

  3. A timeline always works fine Falco created to parse libsinsp

    events! May 2016 Accepted as a CNCF incubation level hosted project Jan 2020 Sysdig Inc. donated Falco to the CNCF Oct 2018 3 May 2019 Falco Community Calls start! @leodido

  4. Drama! 4 ❏ CI was built on top of Travis

    CI ❏ Barely working ❏ Flaky ❏ Falco drivers building & testing infrastructure not public ❏ Internal Jenkins @leodido

  5. More drama! 5 ❏ PRs merged even when GitHub status

    checks not passing ❏ No clear ownership ❏ Missing PRs reviews ❏ Some policies there but… ❏ Not easily discoverable & auditable ❏ Zero enforcement ❏ Zero automation ❏ The list goes on... @leodido

  6. No blame. Just solutions.™ We had some constraints… ❏ No

    time to build a custom CI/CD system from scratch ❏ No time to create an automatic policy enforcer ❏ Team of 2 While the main focus was to: ❏ Write eBPF ❏ Write C/C++ code @leodido

  7. How Kubernetes does? @leodido

  8. Prow Way more than CI/CD. ❏ GitHub ChatOps ❏ Define

    and enforce policies ❏ Auto-merge bot ❏ OSS ❣ @leodido

  9. CRDs ❏ Custom controllers ❏ Resource management Pods ❏ Scheduling

    ❏ Lifecycle ❏ A bunch of containers ConfigMaps ❏ Auditable ❏ Configurations Secrets ❏ Credentials management 9 Built for Kubernetes. On Kubernetes. @leodido

  10. Poiana stops the drama! 10 More time spent in Falco

    coding. Healthier OSS Auditable policies. Clear rules. Templated processes. Auto enforcement. Community More contributors. More projects. @leodido

  11. Prow Architecture ❏ ProwJob custom resource ❏ Horologium ❏ Hook

    ❏ Plank ❏ Deck ❏ Tide ❏ Sinker ❏ Crier @leodido

  12. ProwJobs ❏ Life of a ProwJob ❏ Custom resource ❏

    Custom controllers ❏ Types ❏ presubmit ❏ postsubmit ❏ batch ❏ periodic @leodido

  13. @leodido Plank Controller that manages the lifecycle of jobs. Plank

    Job X POD Pods API API ProwJobs Prow Cluster Build Cluster Horologium Periodic jobs… gh:falcosecurity/test-infra/pull/78

  14. Hook kubernetes/test-infra/prow/hook @leodido GitHub Hook cat trigger goose webhooks /meow

    /retest /honk

  15. @leodido Plugins for everybody kubernetes/test-infra/prow/plugins ❏ config_updater ❏ trigger ❏

    approve, lgtm ❏ hold, wip ❏ ...

  16. @leodido ProwJob definition Deck Build logs

  17. Tide @leodido Overrides! These prevent a PR on Falco to

    be merged in! Poiana requires these labels to put a Falco PR in merge queue!

  18. Sinker garbage collector ❏ > 48 hours completed jobs (customisable)

    ❏ > 30 min completed pods (customisable) @leodido Crier 1. Detects ProwJob status changes 2. Reports them ❏ Gerrit ❏ Pubsub ❏ GitHub ❏ Slack Disable report feature of Plank! (--skip-report=true) More at test-infra/prow/cmd/crier

  19. Workflow

  20. I want it too! GitHub Bot Account go get -u

    k8s.io/test-infra/experiment/update-hook update-hook --hmac-path=path/to/hmac/secret \ --github-token-path=path/to/oauth/secret \ --hook-url http://1.2.3.4/hook --repo my_organization --confirm=true Become a YAML developer ❏ Write access to the repos ❏ Owner access for the org(s) ❏ Create access token with repo:status + public_repo scopes ❏ admin:org_hook if handling GitHub org 1. Create the YAML manifests, cluster role bindings… 2. Create the secrets from tokens (hmac + oauth2) 3. Apply them on your Kubernetes cluster Install the webhook 1 2 3 getting started guide @leodido

  21. falcosecurity/test-infra/prow a.k.a @poiana

  22. Bring Your Own Prow Plugin STEPS 1. Write a Go

    server! 2. Wrap it into a docker image 3. Kubernetes service and deployment 4. kubectl apply -f them! 5. Add it to your Prow cluster external_plugins: <org>/<repo>: - name: <name> endpoint: http://<name>.default.svc.cluster.local events: - issue_comment RESOURCES ❏ custom external plugin intro ❏ phony test utility ❏ help helpers ❏ k8s.io/test-infra/prow/pluginhelp ❏ k8s.io/test-infra/prow/pluginhelp/exter nalplugins ❏ GitHub client and utilities ❏ k8s.io/test-infra/prow/github ❏ config agent and secrets ❏ k8s.io/test-infra/prow/config/secret ❏ k8s.io/test-infra/prow/config ❏ flag helpers ❏ k8s.io/test-infra/pkg/flagutil ❏ k8s.io/test-infra/prow/flagutil @leodido

  23. Read The Source Code leodido/saymyname-prow-plugin @leodido

  24. @leodido

  25. Speculations about the future! ❏ Enable the Prow GitHub API

    proxy ❏ Falco Drivers Test Grid through ProwJobs ❏ Code Coverage ❏ Code Linting ❏ Custom plugin for externals CI ❏ Spyglass ❏ Plugin that automatically creates a release PR when a milestone is done ❏ Periodic job to cleanup old unused Falco version and prebuilt Falco drivers ❏ ... 25 @leodido

  26. Questions and feedback welcome 26 Thanks! ❏ twitter.com/leodido ❏ github.com/leodido

    ❏ github.com/falcosecurity/falco ❏ slack.k8s.io, #falco channel ❏ github.com/falcosecurity/test-infra ❏ github.com/kubernetes/test-infra ❏ thanks to Apulia for inspiration @leodido