
Going Beyond CI/CD with Prow


One of the most untold secrets is how hard, and how important, it is to automate the whole set of workflows around the code, not only the testing phase. We were able to use the native Kubernetes CI/CD system, Prow, to solve CI/CD for Falco. Furthermore, we discovered that Prow does much more than CI/CD! Join us to find out what. You will walk away with deep technical knowledge of Prow and of how we implemented it internally, so you can too.

We’ll see how to correctly set up and deploy Prow on a Kubernetes cluster, how to link it to a bot account, how to hook Prow to GitHub organizations and repositories, and how to establish an automated governance process for an open source project by configuring multiple Prow plugins.

Finally, the audience will learn how to create their own custom plugins in order to lint commit messages and code.

KubeCon + CloudNativeCon 2020 Europe

Leonardo Di Donato

August 20, 2020


Transcript

  1. Going Beyond CI/CD
    with Prow
    @leodido


  2. Whoami!
    Leonardo Di Donato
    Open Source Software Engineer
    Falco Maintainer
    Extra points to whoever spots the meaning of this Italian hand gesture!

  3. A timeline always works fine
    May 2016: Falco created to parse libsinsp events!
    Oct 2018: Sysdig Inc. donated Falco to the CNCF
    May 2019: Falco Community Calls start!
    Jan 2020: Accepted as a CNCF incubation-level hosted project

  4. Drama!
    ❏ CI was built on top of Travis CI
      ❏ Barely working
      ❏ Flaky
    ❏ Falco drivers building & testing infrastructure not public
      ❏ Internal Jenkins

  5. More drama!
    ❏ PRs merged even when GitHub status checks were not passing
    ❏ No clear ownership
    ❏ Missing PR reviews
    ❏ Some policies there but…
      ❏ Not easily discoverable & auditable
      ❏ Zero enforcement
      ❏ Zero automation
    ❏ The list goes on...

  6. No blame. Just solutions.™
    We had some constraints…
    ❏ No time to build a custom CI/CD system from scratch
    ❏ No time to create an automatic policy enforcer
    ❏ Team of 2
    While the main focus was to:
    ❏ Write eBPF
    ❏ Write C/C++ code

  7. How does Kubernetes do it?

  8. Prow
    Way more than CI/CD.
    ❏ GitHub ChatOps
    ❏ Define and enforce policies
    ❏ Auto-merge bot
    ❏ OSS ❣

  9. Built for Kubernetes. On Kubernetes.
    CRDs
    ❏ Custom controllers
    ❏ Resource management
    Pods
    ❏ Scheduling
    ❏ Lifecycle
    ❏ A bunch of containers
    ConfigMaps
    ❏ Auditable
    ❏ Configurations
    Secrets
    ❏ Credentials management

  10. Poiana (Falco's Prow bot) stops the drama!
    More time spent in Falco coding.
    Healthier OSS
    ❏ Auditable policies.
    ❏ Clear rules.
    ❏ Templated processes.
    ❏ Auto enforcement.
    Community
    ❏ More contributors.
    ❏ More projects.

  11. Prow Architecture
    ❏ ProwJob custom resource
    ❏ Horologium
    ❏ Hook
    ❏ Plank
    ❏ Deck
    ❏ Tide
    ❏ Sinker
    ❏ Crier

  12. ProwJobs
    ❏ Life of a ProwJob
    ❏ Custom resource
    ❏ Custom controllers
    ❏ Types
      ❏ presubmit
      ❏ postsubmit
      ❏ batch
      ❏ periodic

  13. Plank
    Controller that manages the lifecycle of jobs.
    Diagram: Plank, running in the Prow cluster, watches ProwJobs through the API and creates the Pod for each job (Job X) through the Build cluster's API.
    Horologium
    Periodic jobs… gh:falcosecurity/test-infra/pull/78

  14. Hook
    kubernetes/test-infra/prow/hook
    Diagram: GitHub sends webhooks to Hook, which dispatches them to plugins such as cat (/meow), trigger (/retest) and goose (/honk).

  15. Plugins for everybody
    kubernetes/test-infra/prow/plugins
    ❏ config_updater
    ❏ trigger
    ❏ approve, lgtm
    ❏ hold, wip
    ❏ ...

  16. Deck
    ❏ ProwJob definition
    ❏ Build logs

  17. Tide
    Overrides!
    These prevent a PR on Falco from being merged!
    Poiana requires these labels to put a Falco PR in the merge queue!

  18. Sinker
    Garbage collector
    ❏ Completed jobs older than 48 hours (customisable)
    ❏ Completed pods older than 30 min (customisable)
    Crier
    1. Detects ProwJob status changes
    2. Reports them to:
    ❏ Gerrit
    ❏ Pubsub
    ❏ GitHub
    ❏ Slack
    Disable the report feature of Plank! (--skip-report=true)
    More at test-infra/prow/cmd/crier

  19. Workflow


  20. I want it too!
    1) GitHub Bot Account
    ❏ Write access to the repos
    ❏ Owner access for the org(s)
    ❏ Create an access token with the repo:status + public_repo scopes
    ❏ admin:org_hook if handling a GitHub org
    2) Become a YAML developer
    ❏ Create the YAML manifests, cluster role bindings…
    ❏ Create the secrets from the tokens (hmac + oauth2)
    ❏ Apply them on your Kubernetes cluster
    3) Install the webhook
    go get -u k8s.io/test-infra/experiment/update-hook
    update-hook --hmac-path=path/to/hmac/secret \
      --github-token-path=path/to/oauth/secret \
      --hook-url http://1.2.3.4/hook --repo my_organization --confirm=true
    getting started guide

  21. falcosecurity/test-infra/prow a.k.a @poiana


  22. Bring Your Own Prow Plugin
    STEPS
    1. Write a Go server!
    2. Wrap it into a Docker image
    3. Write a Kubernetes Service and Deployment for it
    4. kubectl apply -f them!
    5. Register it in your Prow cluster's plugins configuration (placeholders in angle brackets):
    external_plugins:
      <org>/<repo>:
      - name: <plugin-name>
        endpoint: http://<plugin-service>.default.svc.cluster.local
        events:
        - issue_comment
    RESOURCES
    ❏ custom external plugin intro
    ❏ phony test utility
    ❏ help helpers
      ❏ k8s.io/test-infra/prow/pluginhelp
      ❏ k8s.io/test-infra/prow/pluginhelp/externalplugins
    ❏ GitHub client and utilities
      ❏ k8s.io/test-infra/prow/github
    ❏ config agent and secrets
      ❏ k8s.io/test-infra/prow/config/secret
      ❏ k8s.io/test-infra/prow/config
    ❏ flag helpers
      ❏ k8s.io/test-infra/pkg/flagutil
      ❏ k8s.io/test-infra/prow/flagutil
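Added example (not code from the talk, from Prow, or from the saymyname plugin): the skeleton of such a Go server, written against the Go standard library only, tying together the hmac secret created in slide 20 and the external plugin of slide 22. Hook forwards each GitHub delivery to the plugin together with GitHub's X-Hub-Signature header, so the plugin recomputes that HMAC with the same shared secret before it parses a single byte of JSON; without this check anyone who can reach the plugin's Service could post a forged /lgtm or /retest. In a real plugin this stdlib check stands in for github.ValidateWebhook from the k8s.io/test-infra/prow/github package listed above. The HMAC_SECRET environment variable is this example's own shortcut (Prow components read the token from a mounted Secret file), and port 8888 is the conventional one for Prow external plugins.

```go
// Minimal Prow external plugin (added example, not the talk's or Prow's own code): it verifies
// the X-Hub-Signature Hook forwards with each GitHub delivery, then dispatches slash commands.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"io"
	"log"
	"net/http"
	"os"
	"regexp"
	"strings"
)

// IssueCommentEvent is the subset of GitHub's issue_comment payload the plugin reads.
type IssueCommentEvent struct {
	Action string `json:"action"`
	Issue  struct {
		Number      int       `json:"number"`
		PullRequest *struct{} `json:"pull_request"` // set only when the issue is a PR
	} `json:"issue"`
	Comment struct{ Body string `json:"body"` } `json:"comment"`
}

// Command is one "/name args" line of a comment, the form Prow plugins react to.
type Command struct{ Name, Args string }

// A command must start its own line: "please /retest" inside running text is not one.
var commandRe = regexp.MustCompile(`(?m)^/([A-Za-z][A-Za-z-]*)[ \t]*(.*?)[ \t\r]*$`)

// ParseCommands extracts every slash command from a comment body (CRLF tolerant).
func ParseCommands(body string) []Command {
	var cmds []Command
	for _, m := range commandRe.FindAllStringSubmatch(body, -1) {
		cmds = append(cmds, Command{Name: strings.ToLower(m[1]), Args: m[2]})
	}
	return cmds
}

// Sign computes the "sha1=<hex>" X-Hub-Signature GitHub attaches to a delivery signed with the webhook secret.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(body)
	return "sha1=" + hex.EncodeToString(mac.Sum(nil))
}

// ValidateSignature recomputes the signature over the raw body and compares it in constant time.
func ValidateSignature(secret, body []byte, header string) bool {
	if len(secret) == 0 {
		return false // a missing secret must fail closed, never accept everything
	}
	return hmac.Equal([]byte(Sign(secret, body)), []byte(strings.ToLower(header)))
}

// Plugin is the webhook receiver; Handle runs only for authenticated, newly created PR comments.
type Plugin struct {
	Secret []byte
	Handle func(ev IssueCommentEvent, cmds []Command)
}

// Process authenticates and dispatches one delivery, returning the HTTP status to answer with (testable without a server).
func (p *Plugin) Process(eventType, signature string, body []byte) int {
	if !ValidateSignature(p.Secret, body, signature) {
		return http.StatusForbidden // never parse an unauthenticated payload
	}
	if eventType != "issue_comment" {
		return http.StatusOK // the only event this plugin subscribes to in external_plugins
	}
	var ev IssueCommentEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return http.StatusBadRequest
	}
	if ev.Action != "created" || ev.Issue.PullRequest == nil {
		return http.StatusOK // ignore edits, deletions and comments on plain issues
	}
	if cmds := ParseCommands(ev.Comment.Body); len(cmds) > 0 && p.Handle != nil {
		p.Handle(ev, cmds)
	}
	return http.StatusOK
}

func (p *Plugin) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap the payload size
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	w.WriteHeader(p.Process(r.Header.Get("X-GitHub-Event"), r.Header.Get("X-Hub-Signature"), body))
}

func main() {
	// HMAC_SECRET is this example's shortcut; Prow components read the token from a mounted Secret file.
	p := &Plugin{Secret: []byte(os.Getenv("HMAC_SECRET"))}
	p.Handle = func(ev IssueCommentEvent, cmds []Command) {
		log.Printf("PR #%d: %+v", ev.Issue.Number, cmds) // a real plugin acts through the GitHub client here
	}
	log.Fatal(http.ListenAndServe(":8888", p)) // 8888 is the port Prow external plugins conventionally use
}
```

Run it with HMAC_SECRET set to the same value stored in the hmac Secret given to Hook; a delivery whose signature does not verify is answered 403 before its JSON is touched, and an empty secret rejects everything rather than accepting everything. To exercise it by hand, sign a constructed payload with Sign and post it to /, passing the result as X-Hub-Signature and "issue_comment" as X-GitHub-Event.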


  23. Read The Source Code
    leodido/saymyname-prow-plugin


  25. Speculations about the future!
    ❏ Enable the Prow GitHub API proxy
    ❏ Falco Drivers Test Grid through ProwJobs
    ❏ Code coverage
    ❏ Code linting
    ❏ Custom plugin for external CIs
    ❏ Spyglass
    ❏ Plugin that automatically creates a release PR when a milestone is done
    ❏ Periodic job to clean up old unused Falco versions and prebuilt Falco drivers
    ❏ ...

  26. Questions and feedback welcome
    Thanks!
    ❏ twitter.com/leodido
    ❏ github.com/leodido
    ❏ github.com/falcosecurity/falco
    ❏ slack.k8s.io, #falco channel
    ❏ github.com/falcosecurity/test-infra
    ❏ github.com/kubernetes/test-infra
    ❏ thanks to Apulia for inspiration
