kubeval を使って manifest を validation しよう

Presented by @makocchi 1 Kubernets Meetup Tokyo #29 LT kubeval
を使って manifest を validation しよう

Presented by @makocchi Kubernetes meetup Tokyo #29 2 Makoto Hasegawa
Working at // AI Division, CyberAgent, Inc Currently // Develop and maintain private OpenStack cloud. Develop and maintain Kubernetes as a Service platform. CKA (Certiﬁed Kubernetes Administrator) CKA-1700-0150-0100 CKAD (Certiﬁed Kubernetes Application Developper) CKAD-1800-0005-0100 Job Title // Technical Lead Infrastructure Engineer WHO am I Twitter // @makocchi Facebook // makocchi0923 Hobby // Playing bass

Presented by @makocchi Kubernetes meetup Tokyo #29 3 今日の資料は後から公開しますが写真を撮りたい人は気にせず撮ってください
オンライン発表だもの

Presented by @makocchi Kubernetes meetup Tokyo #29 4 突然ですがここでクイズ

Presented by @makocchi Kubernetes meetup Tokyo #29 5 5秒でお答えください！！！

Presented by @makocchi Kubernetes meetup Tokyo #29 6 apiVersion: apps/v1
kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: "3" template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 この manifest の間違っている部分はどこでしょう？

Presented by @makocchi Kubernetes meetup Tokyo #29 7 ここだ！ apiVersion:
apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: "3" template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 8 spec.replicas は
int ですよね apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: "3" template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 9 なので正解はこう apiVersion:
apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 # NG "3" template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 これでやっと apply できるぞ

kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 だがしかしそうは上手くいかないのが世の中

Presented by @makocchi Kubernetes meetup Tokyo #29 12 再び登場 apiVersion:
apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 直したんだからね！

Presented by @makocchi Kubernetes meetup Tokyo #29 13 この manifest
を apply すると apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 直したんだからね！

kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 $ kubectl apply -f pod.yaml Error from server (BadRequest): error when creating "pod.yaml": Deployment in version "v1" cannot be handled as a Deployment: v1.Deployment.Spec: v1.DeploymentSpec.Template: v1.PodTemplateSpec.ObjectMeta: v1.ObjectMeta.Labels: ReadString: expects " or n, but found 2, error found in #10 byte of ...|version":20200326}},|..., bigger context ...|metadata": {"labels":{"app":"myapp","app_version":20200326}},"spec":{"containers": [{"image":"myapp:la|...

kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 何がおかしいのかパッと分からない

Presented by @makocchi Kubernetes meetup Tokyo #29 16 エラーの原因はこれ apiVersion:
apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 17 label の
value は string にする apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: "20200326" spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 18 というわけで正解はこうでした
apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: "20200326" spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 19 ここから本題 kubeval
を使って Manifest を validation する不正な yaml サヨナラ

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 20 kubeval
とは instrumenta 社が開発しているツール kubernetes の schema 情報を元に manifest が正しいかチェックしてくれる schema 情報はここ Web でも公開している例えばこんな感じで参照できる似たようなツールに conftest がある https://github.com/instrumenta/kubernetes-json-schema https://kubernetesjsonschema.dev/ https://kubernetesjsonschema.dev/v1.14.0/deployment-apps-v1.json

の使い方とっても簡単　基本的にはとりあえず引数に渡してあげるだけでOK 不正な manifest の場合には exit code 1 が返る (正しい manifest だった時は 0 が返る) $ kubeval pod.yaml WARN - pod.yaml contains an invalid Deployment - spec.replicas: Invalid type. Expected: [integer,null], given: string WARN - pod.yaml contains an invalid Deployment - spec.template.metadata.labels: Invalid type. Expected: [string,null], given: integer # ਖ਼͍͠ manifest ͷ৔߹͸ PASS - pod.yaml contains a valid Deployment

の使い方 "--strict" を付けることで schema に存在しない attribute があった場合にエラーにしてくれる基本的に "--strict" は付けておくのがいいと思われる $ kubeval pod.yaml PASS - pod.yaml contains a valid Deployment $ kubeval --strict pod.yaml WARN - pod.yaml contains an invalid Deployment - meetupLocation: Additional property meetupLocation is not allowed apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy meetupLocation: shibuya ...

の使い方 kubeval が真価を発揮するのは CI の時じゃないでしょうか特に gitops の場合、なるべく不正な manifest は事前に弾いておきたい Pull Request が来た段階で merge 前に kubeval で確認しておけば安心できる apply -> 失敗 -> なんでじゃ！を防ごう kubectl apply --dry-run でいいんじゃないの？確かに似たようなことができるのでそれでも OK だと思いますでも kubernetes の cluster を用意しなければならないので、CI に組み込むのは少し面倒

Presented by @makocchi Kubernetes meetup Tokyo #29 24 GitHub Actions
を使って Pull Request 時に kubeval でチェックしよう

with GitHub Actions 実際に触ってもらったほうが分かりやすいと思って sandbox repo を用意しました自由に PR してもらって OK です！その他より詳しい詳細は blog に書いておきました https://github.com/makocchi-git/k8s-kubeval-action-demo https://medium.com/@makocchi/github-actions-kubernetes-manifests-validation-jp-c790d5a13723 一応 instrumenta が作った公式ぽい action もあるけど、機能的に少し残念 https://github.com/instrumenta/kubeval-action

Presented by @makocchi Kubernetes meetup Tokyo #29 26 kubeval で
Happy CI Life を！ conftest の action も作ってみる予定

Presented by @makocchi 27 Kubernets Meetup Tokyo #29 LT kubeval
を使って manifest を validation しよう Thank You For Your kind Attention

kubeval を使って manifest を validation しよう

kubeval を使って manifest を validation しよう

makocchi

More Decks by makocchi

Other Decks in Technology

Featured

Transcript

Presented by @makocchi 1 Kubernets Meetup Tokyo #29 LT kubeval

Presented by @makocchi Kubernetes meetup Tokyo #29 2 Makoto Hasegawa

Presented by @makocchi Kubernetes meetup Tokyo #29 3 今日の資料は後から公開しますが写真を撮りたい人は気にせず撮ってください

Presented by @makocchi Kubernetes meetup Tokyo #29 4 突然ですがここでクイズ

Presented by @makocchi Kubernetes meetup Tokyo #29 5 5秒でお答えください！！！

Presented by @makocchi Kubernetes meetup Tokyo #29 6 apiVersion: apps/v1

Presented by @makocchi Kubernetes meetup Tokyo #29 7 ここだ！ apiVersion:

Presented by @makocchi Kubernetes meetup Tokyo #29 8 spec.replicas は

Presented by @makocchi Kubernetes meetup Tokyo #29 9 なので正解はこう apiVersion:

Presented by @makocchi Kubernetes meetup Tokyo #29 10 apiVersion: apps/v1

Presented by @makocchi Kubernetes meetup Tokyo #29 11 apiVersion: apps/v1

Presented by @makocchi Kubernetes meetup Tokyo #29 12 再び登場 apiVersion:

Presented by @makocchi Kubernetes meetup Tokyo #29 13 この manifest

Presented by @makocchi Kubernetes meetup Tokyo #29 14 apiVersion: apps/v1

Presented by @makocchi Kubernetes meetup Tokyo #29 15 apiVersion: apps/v1

Presented by @makocchi Kubernetes meetup Tokyo #29 16 エラーの原因はこれ apiVersion:

Presented by @makocchi Kubernetes meetup Tokyo #29 17 label の

Presented by @makocchi Kubernetes meetup Tokyo #29 18 というわけで正解はこうでした

Presented by @makocchi Kubernetes meetup Tokyo #29 19 ここから本題 kubeval

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 20 kubeval

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 21 kubeval

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 22 kubeval

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 23 kubeval

Presented by @makocchi Kubernetes meetup Tokyo #29 24 GitHub Actions

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 25 kubeval

Presented by @makocchi Kubernetes meetup Tokyo #29 26 kubeval で

Presented by @makocchi 27 Kubernets Meetup Tokyo #29 LT kubeval