Presented by @makocchi 1 Kubernets Meetup Tokyo #29 LT kubeval を使って manifest を validation しよう

Presented by @makocchi Kubernetes meetup Tokyo #29 2 Makoto Hasegawa Working at // AI Division, CyberAgent, Inc Currently // Develop and maintain private OpenStack cloud. Develop and maintain Kubernetes as a Service platform. CKA (Certified Kubernetes Administrator) CKA-1700-0150-0100 CKAD (Certified Kubernetes Application Developper) CKAD-1800-0005-0100 Job Title // Technical Lead Infrastructure Engineer WHO am I Twitter // @makocchi Facebook // makocchi0923 Hobby // Playing bass

Presented by @makocchi Kubernetes meetup Tokyo #29 3 今日の資料は後から公開しますが 写真を撮りたい人は気にせず撮ってください オンライン発表だもの

Presented by @makocchi Kubernetes meetup Tokyo #29 4 突然ですがここでクイズ

Presented by @makocchi Kubernetes meetup Tokyo #29 5 5秒でお答えください！！！

Presented by @makocchi Kubernetes meetup Tokyo #29 6 apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: "3" template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 この manifest の 間違っている部分は どこでしょう？

Presented by @makocchi Kubernetes meetup Tokyo #29 7 ここだ！ apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: "3" template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 8 spec.replicas は int ですよね apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: "3" template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 9 なので正解はこう apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 # NG "3" template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 10 apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 これでやっと apply できるぞ

Presented by @makocchi Kubernetes meetup Tokyo #29 11 apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 だがしかし そうは上手くいかないのが世の中

Presented by @makocchi Kubernetes meetup Tokyo #29 12 再び登場 apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 直したんだからね！

Presented by @makocchi Kubernetes meetup Tokyo #29 13 この manifest を apply すると apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 直したんだからね！

Presented by @makocchi Kubernetes meetup Tokyo #29 14 apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 $ kubectl apply -f pod.yaml Error from server (BadRequest): error when creating "pod.yaml": Deployment in version "v1" cannot be handled as a Deployment: v1.Deployment.Spec: v1.DeploymentSpec.Template: v1.PodTemplateSpec.ObjectMeta: v1.ObjectMeta.Labels: ReadString: expects " or n, but found 2, error found in #10 byte of ...|version":20200326}},|..., bigger context ...|metadata": {"labels":{"app":"myapp","app_version":20200326}},"spec":{"containers": [{"image":"myapp:la|...

Presented by @makocchi Kubernetes meetup Tokyo #29 15 apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80 何がおかしいのか パッと分からない

Presented by @makocchi Kubernetes meetup Tokyo #29 16 エラーの原因はこれ apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: 20200326 spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 17 label の value は string にする apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: "20200326" spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 18 というわけで 正解はこうでした apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy spec: selector: matchLabels: app: myapp replicas: 3 template: metadata: labels: app: myapp app_version: "20200326" spec: containers: - name: myapp image: myapp:latest ports: - containerPort: 80

Presented by @makocchi Kubernetes meetup Tokyo #29 19 ここから本題 kubeval を使って Manifest を validation する 不正な yaml サヨナラ

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 20 kubeval とは instrumenta 社が開発しているツール kubernetes の schema 情報を元に manifest が正しいかチェックしてくれる schema 情報はここ Web でも公開している 例えばこんな感じで参照できる 似たようなツールに conftest がある https://github.com/instrumenta/kubernetes-json-schema https://kubernetesjsonschema.dev/ https://kubernetesjsonschema.dev/v1.14.0/deployment-apps-v1.json

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 21 kubeval の使い方 とっても簡単　基本的にはとりあえず引数に渡してあげるだけでOK 不正な manifest の場合には exit code 1 が返る (正しい manifest だった時は 0 が返る) $ kubeval pod.yaml WARN - pod.yaml contains an invalid Deployment - spec.replicas: Invalid type. Expected: [integer,null], given: string WARN - pod.yaml contains an invalid Deployment - spec.template.metadata.labels: Invalid type. Expected: [string,null], given: integer # ਖ਼͍͠ manifest ͷ৔߹͸ PASS - pod.yaml contains a valid Deployment

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 22 kubeval の使い方 "--strict" を付けることで schema に存在しない attribute があった場合にエラーにしてくれる 基本的に "--strict" は付けておくのがいいと思われる $ kubeval pod.yaml PASS - pod.yaml contains a valid Deployment $ kubeval --strict pod.yaml WARN - pod.yaml contains an invalid Deployment - meetupLocation: Additional property meetupLocation is not allowed apiVersion: apps/v1 kind: Deployment metadata: name: mydeploy meetupLocation: shibuya ...

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 23 kubeval の使い方 kubeval が真価を発揮するのは CI の時じゃないでしょうか 特に gitops の場合、なるべく不正な manifest は事前に弾いておきたい Pull Request が来た段階で merge 前に kubeval で確認しておけば安心できる apply -> 失敗 -> なんでじゃ！ を防ごう kubectl apply --dry-run でいいんじゃないの？ 確かに似たようなことができるのでそれでも OK だと思います でも kubernetes の cluster を用意しなければならないので、CI に組み込むのは少し面倒

Presented by @makocchi Kubernetes meetup Tokyo #29 24 GitHub Actions を使って Pull Request 時に kubeval でチェックしよう

Presented by @makocchi Kubernetes meetup Tokyo #29 ͘Β͏ͲͶ͍ͯ͌Ϳ 25 kubeval with GitHub Actions 実際に触ってもらったほうが分かりやすいと思って sandbox repo を用意しました 自由に PR してもらって OK です！ その他より詳しい詳細は blog に書いておきました https://github.com/makocchi-git/k8s-kubeval-action-demo https://medium.com/@makocchi/github-actions-kubernetes-manifests-validation-jp-c790d5a13723 一応 instrumenta が作った公式ぽい action もあるけど、機能的に少し残念 https://github.com/instrumenta/kubeval-action

Presented by @makocchi Kubernetes meetup Tokyo #29 26 kubeval で Happy CI Life を！ conftest の action も作ってみる予定

Presented by @makocchi 27 Kubernets Meetup Tokyo #29 LT kubeval を使って manifest を validation しよう Thank You For Your kind Attention