YAMLΛςετ͢Δ @b4b4r07 (Feb 25, 2019) / mercari.go #6 %YAML 1.2 --- YAML: YAML Ain't Markup Language What It Is: YAML is a human friendly data serialization standard for all programming languages. YAML Resources: YAML 1.2 (3rd Edition): http://yaml.org/spec/1.2/spec.html YAML 1.1 (2nd Edition): http://yaml.org/spec/1.1/ YAML 1.0 (1st Edition): http://yaml.org/spec/1.0/ YAML Issues Page: https://github.com/yaml/yaml/issues ...

BABAROT / @b4b4r07 Mercari, Inc.
 SRE, Microservices Platform Blog / tellme.tokyo

Kubernetes YAML ΍
 Terraform ͸ॻ͖·͔͢ʁ Question:

Infrastructure as Code ͷਁಁ ˎҎԼʮIaCʯͱه͢

IaC ͷਁಁ •Terraform ΍ Kubernetes ͷීٴͰঢ়ଶɾఆٛΛίʔυʹ͢Δ͜ͱ͕
 ଟ͘ͳͬͨ •ΠϯϑϥྖҬҎ֎ʹ͓͍ͯ΋ɺιϑτ΢ΣΞͷঢ়ଶ΍ͦͷઃఆΛ
 JSON ΍ YAML ͱ͍ͬͨݴޠͰ࣋ͭ͜ͱ͕ଟ͘ͳͬͨ https://trends.google.co.jp/trends/explore?date=today%205-y&q=infrastructure%20as%20code

• Πϯϑϥͷঢ়ଶΛઃఆϑΝΠϧͰॻ͘ • ιϑτ΢ΣΞ։ൃͷख๏ΛԠ༻Ͱ͖Δ • ϨϏϡʔ • ςετ • etc apiVersion: v1 kind: Pod metadata: name: nginx-pod spec: containers: - name: nginx-container image: nginx ports: - containerPort: 80 IaC ͱ͸ Kubernetes Pod ͷ YAML

• Πϯϑϥͷঢ়ଶΛઃఆϑΝΠϧͰॻ͘ • ιϑτ΢ΣΞ։ൃͷख๏ΛԠ༻Ͱ͖Δ • ϨϏϡʔ • ςετ • etc apiVersion: v1 kind: Pod metadata: name: nginx-pod spec: containers: - name: nginx-container image: nginx ports: - containerPort: 80 Kubernetes Pod ͷ YAML IaC ͱ͸

YAML Λςετ͢Δ

No content

Policy as Code •HashiCorp ͕ఏএͨ͠ߟ͑ํ •ઃఆϑΝΠϧʹ͓͚Δ “͜͏͋Δ΂͖” ΛϙϦγʔͱͯ͠ه͢ •੍໿߲໨ (deploy region, etc) •ϨϏϡʔ߲໨ (like style guide) Why Policy as Code? - HashiCorp Blog Code Policy Infrastructure IaC Policy as Code

Policy as Code Policy as Code - Sentinel by HashiCorp •HashiCorp Sentinel ʂ •HashiCorp ੡඼Ͱ࢖͏͜ͱ͕Ͱ͖Δ
 πʔϧ / ࿈ܞ͕Ͱ͖Δ •ྫ͑͹ Terraform ͷઃఆɺ •Ͳ͜ͷ Region ʹσϓϩΠ͢Δ͔ •Instance ͸࠷௿Կ୆֬อ͞ΕΔ͔ •ͳͲΛϙϦγʔͱͯ͠ίʔυԽͰ͖Δ •ͦΕΛνΣοΫͰ͖Δ

Policy as Code Policy as Code - Sentinel by HashiCorp •HashiCorp Sentinel ʂ •HashiCorp ੡඼Ͱ࢖͏͜ͱ͕Ͱ͖Δ
 πʔϧ / ࿈ܞ͕Ͱ͖Δ •ྫ͑͹ Terraform ͷઃఆɺ •Ͳ͜ͷ Region ʹσϓϩΠ͢Δ͔ •Instance ͸࠷௿Կ୆֬อ͞ΕΔ͔ •ͳͲΛϙϦγʔͱͯ͠ίʔυԽͰ͖Δ •ͦΕΛνΣοΫͰ͖Δ Kubernetes YAML Ͱ΋΍Γ͍ͨ

No content

Stein

• ઃఆϑΝΠϧͷϙϦγʔΛίʔυԽͰ͖Δ • JSON, YAML, HCL • Policy as Code Λ࣮ફ͢Δ Linter • Terraform ͷΑ͏ʹ HCL Ͱϧʔϧ࡞੒Ͱ͖Δ • ๛෋ͳ Interpolations • υΩϡϝϯτ Stein Stein Documentations

apiVersion: v1 kind: Pod metadata: name: nginx-pod namespace: x-echo-jp-dev spec: containers: - name: nginx-container image: nginx ports: - containerPort: 80

apiVersion: v1 kind: Pod metadata: name: nginx-pod namespace: x-echo-jp-dev spec: containers: - name: nginx-container image: nginx ports: - containerPort: 80 লུͰ͖Δ ͚Ͳͤͨ͘͞ͳ͍ ྫ͑͹

rule "namespace_specification" { description = "Check namespace name is not empty” conditions = [ "${jsonpath("metadata.namespace") != ""}", ] report { level = "ERROR" message = "Namespace is not specified" } }

rule "namespace_specification" { description = "Check namespace name is not empty” conditions = [ "${jsonpath("metadata.namespace") != ""}", ] report { level = "ERROR" message = "Namespace is not specified" } } ϧʔϧͷఆٛ

rule "namespace_specification" { description = "Check namespace name is not empty” conditions = [ "${jsonpath("metadata.namespace") != ""}", ] report { level = "ERROR" message = "Namespace is not specified" } } ϧʔϧ͕੒ޭ͢Δ͔ࣦഊ͢Δ͔ͷ৚݅

rule "namespace_specification" { description = "Check namespace name is not empty” conditions = [ "${jsonpath("metadata.namespace") != ""}", ] report { level = "ERROR" message = "Namespace is not specified" } } ϧʔϧ͕ࣦഊͨ͠Β͜ͷϑΥʔϚοτʹैͬͯ Τϥʔ͕Ϩϙʔτ͞ΕΔ (ऴྃίʔυ1)

$ stein apply x-echo-jp/development/Pod/test.yaml [ERROR] rule.namespace_specification Namespace is not specified ===================== 7 error(s), 2 warn(s) •Stein Λ࢖͏͜ͱͰɺSentinel ͷΑ͏ʹ Policy as Code Λ࣮ફͰ͖Δ •Sentinel ͸ HashiCorp ੡඼ʹɺStein ͸೚ҙͷઃఆϑΝΠϧʹ •੍໿߲໨ͷݕূ΍ϨϏϡʔ؍఺ͷࢦఠΛػցతʹͰ͖Δ •ʮ஫ҙਂ͘ݟͳ͚Ε͹͍͚ͳ͍ʯʮຖճࢦఠ͢ΔʯͳͲ͸
 ػցతʹνΣοΫͯ͠ϙϦγʔΛϧʔϧԽ͢Δ΂͖

GoͰ࡞ͬͨܦҢ

ϒϩάʹॻ͍ͨ •hashicorp/hcl2 Λ࢖ͬͯಠࣗ DSL Λఆٛ͢Δ | tellme.tokyo •Kubernetes ͳͲͷ YAML ΛಠࣗͷϧʔϧΛ΋ͱʹςετ͢Δ | tellme.tokyo

Thank you