TESTING k8s MANIFESTS & SERVICE MESH CONFIG'S

Hello,

Srinivasan Sekar

Open Source Enthusiast

@srinivasanskr

srinivasanTarget

Lead Consultant

Ashay Thorat

@ashu1425

ash1425

Lead Consultant

Agenda,

  • kubernetes and manifests
  • Failure stories
  • Static checks
  • Demo
  • Service Mesh
  • Config's for Service Mesh
  • Demo

Kubernetes Manifests

apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-deployment
  labels:
    app: orders
spec:
  replicas: 3
  selector:
    matchLabels:
      app: orders
  template:
    metadata:
      labels:
        app: orders
    spec:
      containers:
      - name: orders
        image: registry.com/orders:tag
        ports:
        - containerPort: 8080

  • Kubernetes workloads are described in YAML manifests

apiVersion: v1
kind: Service
metadata:
  name: orders-service
spec:
  selector:
    app: orders
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Kubernetes Best Practices

  • Health checks

  • Graceful shutdown

  • Fault tolerance

  • Resource Utilisation

  • Resource tagging (labels)

  • Configuration and Secrets

  • Pod security policy

  • Namespaces, etc

Static Checks

  • Integrating Static checks allows catching policy violations and errors close to dev cycle.

  • Static checks can be categorised as:

    • API Validators

    • Built-in Checkers

    • Custom Validators

API Validators

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: one
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

API Validators

  • Validates k8s manifest against the k8s API server

  • Using schemas generated from the Kubernetes OpenAPI specification

Built In Checkers

  • Validates k8s manifest against the in-built opinionated checks

One size doesn't fit all:
Datadog ensures that they don't use ImagePullPolicy as "Always"

Custom Validators

  • Conftest is a utility to help you write tests against structured configuration data.

  • Write tests for your Kubernetes configurations, Terraform code, Serverless configs or any other structured data.

Open Policy Agent

  • OPA gives you the ability to offload the decision-making process from policy enforcement to a dedicated engine.

  • Domain agnostic general-purpose agent

  • unified toolset and framework for policy across the cloud native stack.

DEMO

Service Mesh

Istio Architecture

https://istio.io/v1.4/docs/ops/deployment/architecture/

Canary Deployments

Text

https://www.mobilise.cloud/kubernetes-deployment-strategies/

Canary Deployments - Can you spot the error?

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: helloworld
spec:
  hosts:
    - helloworld
  http:
  - route:
    - destination:
        host: helloworld
        subset: v1
      weight: 90
    - destination:
        host: helloworld
        subset: v2
      weight: 90

DEMO

Resources

  • https://k8s.af/
  • https://github.com/open-policy-agent/conftest/tree/master/examples
  • https://learnk8s.io/
  • https://kubernetes.io/blog/2019/03/22/kubernetes-end-to-end-testing-for-everyone/
  • https://kube-score.com/
  • https://istio.io/v1.4/docs/ops/deployment/architecture/
  • https://www.mobilise.cloud/kubernetes-deployment-strategies/
  • https://www.youtube.com/watch?v=QXApVwRBeys
  • https://www.youtube.com/watch?v=_wySvT2uqyM
Made with Slides.com