SlideShare a Scribd company logo

Increasing Reliability via Helm Pre-Release Checks (Helm Summit 2019)

B
bridgetkromhout

The document discusses using pre-release checks with Helm to increase reliability of Helm releases. It introduces tools like kubeval to validate Kubernetes resources, conftest to check policies, and kubectl auth can-i to validate role-based access controls. These checks can be added to CI/CD pipelines to prevent broken releases from being deployed.

Technology
1 of 26
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
@bridgetkromhout #helmsummit Increasing Reliability via Helm Pre-Release Checks
@bridgetkromhout #helmsummit lives: Minneapolis, Minnesota works: Microsoft podcasts: Arrested DevOps organizes: devopsdays Bridget Kromhout
@bridgetkromhout #helmsummit Where is Waldo Lachie? (and he still wrote most of this talk, too!)
@bridgetkromhout #helmsummit Image credit: Vasa Museet failed Helm release circa 1628
@bridgetkromhout #helmsummit Image credit: Vasa Museet a successful Helm release …has gotten harder (because k8s is vast and contains multitudes)
@bridgetkromhout #helmsummit open-source tooling for more reliable Helm releases kubeval conftest kubectl auth can-i
@bridgetkromhout #helmsummit $ helm install stable/nginx-ingress Let’s choose a chart to use
@bridgetkromhout #helmsummit Helm Pre-Release Checks resource validity policy role based access control
@bridgetkromhout #helmsummit invalid k8s resources $ helm install stable/nginx-ingress --set controller.replicaCount=two Error: release estranged-arachnid failed: Deployment in version "v1beta1" cannot be handled as a Deployment: v1beta1.Deployment.Spec: v1beta1.DeploymentSpec.Replicas: readUint32: unexpected character: , error found in #10 byte of ...|eplicas":"two","revi|..., bigger context ...|default"},"spec":{"minReadySeconds": 0,"replicas":"two","revisionHistoryLimit": 10,"strategy":{},"temp|...
@bridgetkromhout #helmsummit resources don’t work!? (…on this k8s version) https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ $ helm install stable/nginx-ingress Error: validation failed: unable to recognize "": no matches for kind "Deployment" in version "extensions/ v1beta1"
@bridgetkromhout #helmsummit $ helm plugin install https:// github.com/instrumenta/helm-kubeval kubeval: install as Helm plugin @garethr - kubeval.instrumenta.dev
@bridgetkromhout #helmsummit kubeval: find invalid deployments $ helm kubeval stable/nginx-ingress --set controller.replicaCount=two […] The file nginx-ingress/templates/controller- deployment.yaml contains an invalid Deployment ---> spec.replicas: Invalid type. Expected: [integer,null], given: string The file nginx-ingress/templates/default-backend- deployment.yaml contains a valid Deployment […] Error: plugin "kubeval" exited with error
@bridgetkromhout #helmsummit kubeval: will a chart work with a given version? $ helm kubeval stable/nginx-ingress -v 1.15.0 The file nginx-ingress/templates/controller- serviceaccount.yaml contains a valid ServiceAccount The file nginx-ingress/templates/default-backend- serviceaccount.yaml contains a valid ServiceAccount […]
@bridgetkromhout #helmsummit Helm Pre-Release Checks resource validity policy role based access control
@bridgetkromhout #helmsummit conftest openpolicyagent.org Open Policy Agent https://garethr.dev/2019/06/introducing-conftest/ Policy-based control specified declaratively & enforced automatically Write policy in OPA native query language Rego test locally against structured configuration data (uses Rego) (enforced server-side: PodSecurityPolicy, Gatekeeper, etc)
@bridgetkromhout #helmsummit $ helm conftest stable/nginx-ingress FAIL - nginx-ingress-controller in the Deployment release-name-nginx-ingress-controller does not have a memory limit set FAIL - nginx-ingress-controller in the Deployment release-name-nginx-ingress-controller does not have a CPU limit set […] Error: plugin "conftest" exited with error conftest: fail if non-compliant with policy
@bridgetkromhout #helmsummit conftest: succeed when explicitly setting limits $ helm conftest stable/nginx-ingress/ —set controller.resources.limits.cpu=100m,controller .resources.limits.memory=64Mi $
@bridgetkromhout #helmsummit Helm Pre-Release Checks resource validity policy role based access control
@bridgetkromhout #helmsummit RBAC tl;dr: if you don’t have permissions, you’ll have a failed deployment…
@bridgetkromhout #helmsummit … and spoiler alert: in Helm 3, with Tiller gone, you won’t have the “cluster admin” permissions anymore!
@bridgetkromhout #helmsummit $ for i in `helm template stable/nginx-ingress | grep -i Kind | awk -F: '{print $2}' | sort -u`; do echo "$i: `kubectl auth can-i create $i`"; done Warning: resource 'clusterroles' is not namespace scoped in group 'rbac.authorization.k8s.io' ClusterRole: no Warning: resource 'clusterrolebindings' is not namespace scoped in group 'rbac.authorization.k8s.io' ClusterRoleBinding: no Deployment: yes Role: yes RoleBinding: yes Service: yes ServiceAccount: yes kubectl auth can-i
@bridgetkromhout #helmsummit multiple options: kubectl auth can-i (https://kubernetes.io/docs/reference/access-authn- authz/authorization/#checking-api-access) who-can (https://github.com/aquasecurity/kubectl-who-can)
@bridgetkromhout #helmsummit great! what now? - add pre-release checks to your CI/CD pipelines: - kubeval - conftest - kubectl auth can-i - prevent broken releases - … - profit!
@bridgetkromhout #helmsummit
@bridgetkromhout #helmsummit To learn more… Cloud Native Tooling deislabs.io Helm FAQ v3.helm.sh/docs/faq Container Training container.training What is Kubernetes? aka.ms/k8slearning
@bridgetkromhout #helmsummit Thanks! Cloud Native Tooling deislabs.io Helm FAQ v3.helm.sh/docs/faq Container Training container.training What is Kubernetes? aka.ms/k8slearning

More Related Content

PDF
Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)
bridgetkromhout
 
PDF
Join Our Party: The Cloud Native Adventure Brigade (Kubernetes Belgium 2019)
bridgetkromhout
 
PDF
Join Our Party: The Cloud Native Adventure Brigade (devopsdays Philly 2019)
bridgetkromhout
 
PPTX
Using Azure Runbooks and Microsoft Flow to Automate SharePoint Tasks
Geoff Varosky
 
PDF
Kubernetes Operability Tooling (GOTO Chicago 2019)
bridgetkromhout
 
PDF
Reactive Programming by UniRx for Asynchronous & Event Processing
Yoshifumi Kawai
 
PDF
Microservices in Golang
Mo'ath Qasim
 
PDF
A microservice architecture based on golang
Gianfranco Reppucci
 
Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)
bridgetkromhout
 
Join Our Party: The Cloud Native Adventure Brigade (Kubernetes Belgium 2019)
bridgetkromhout
 
Join Our Party: The Cloud Native Adventure Brigade (devopsdays Philly 2019)
bridgetkromhout
 
Using Azure Runbooks and Microsoft Flow to Automate SharePoint Tasks
Geoff Varosky
 
Kubernetes Operability Tooling (GOTO Chicago 2019)
bridgetkromhout
 
Reactive Programming by UniRx for Asynchronous & Event Processing
Yoshifumi Kawai
 
Microservices in Golang
Mo'ath Qasim
 
A microservice architecture based on golang
Gianfranco Reppucci
 

What's hot (20)

PPTX
Bootiful Reactive Testing - Mario Gray
VMware Tanzu
 
PDF
How to Use Mirroring and Caching to Optimize your Container Registry
Docker, Inc.
 
PPTX
HashiCorp Webinar: "Getting started with Ambassador and Consul on Kubernetes ...
Daniel Bryant
 
PDF
Ambassador: Building a Control Plane for Envoy
Ambassador Labs
 
PDF
給 RD 的 Kubernetes 初體驗 (EKS version)
William Yeh
 
PDF
Driving and virtualizing control systems: the Open Source approach used in Wh...
Igalia
 
PPTX
Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud - An...
VMware Tanzu
 
PDF
Go for Operations
QAware GmbH
 
PDF
Docker in Production: Reality, Not Hype - DevOps Chicago
bridgetkromhout
 
PDF
Relevez les défis Kubernetes avec NGINX
NGINX, Inc.
 
PDF
[Quality Meetup #20] Michał Górski - Continuous Deployment w chmurze
Future Processing
 
PDF
PuppetConf 2016: Keynote: Pulling the Strings to Containerize Your Life - Sco...
Puppet
 
PDF
Supercharge your app with Cloud Functions for Firebase
Bret McGowen - NYC Google Developer Advocate
 
PDF
From zero to hero with Kubernetes and Istio
Sergii Bishyr
 
PDF
You and your containers: strumenti di automazione in Cloud (parte 2) - Gabrie...
Codemotion
 
PDF
Open Source in the Era of 5G
All Things Open
 
PDF
Ondřej Procházka - Deployment podle Devel.cz
Develcz
 
PDF
Git deep dive – chopping Kubernetes
Stefan Schimanski
 
PPTX
Cleaner Code Through Test-Driven Development
All Things Open
 
PDF
"Messaging with Quarkus"
ConSol Consulting & Solutions Software GmbH
 
Bootiful Reactive Testing - Mario Gray
VMware Tanzu
 
How to Use Mirroring and Caching to Optimize your Container Registry
Docker, Inc.
 
HashiCorp Webinar: "Getting started with Ambassador and Consul on Kubernetes ...
Daniel Bryant
 
Ambassador: Building a Control Plane for Envoy
Ambassador Labs
 
給 RD 的 Kubernetes 初體驗 (EKS version)
William Yeh
 
Driving and virtualizing control systems: the Open Source approach used in Wh...
Igalia
 
Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud - An...
VMware Tanzu
 
Go for Operations
QAware GmbH
 
Docker in Production: Reality, Not Hype - DevOps Chicago
bridgetkromhout
 
Relevez les défis Kubernetes avec NGINX
NGINX, Inc.
 
[Quality Meetup #20] Michał Górski - Continuous Deployment w chmurze
Future Processing
 
PuppetConf 2016: Keynote: Pulling the Strings to Containerize Your Life - Sco...
Puppet
 
Supercharge your app with Cloud Functions for Firebase
Bret McGowen - NYC Google Developer Advocate
 
From zero to hero with Kubernetes and Istio
Sergii Bishyr
 
You and your containers: strumenti di automazione in Cloud (parte 2) - Gabrie...
Codemotion
 
Open Source in the Era of 5G
All Things Open
 
Ondřej Procházka - Deployment podle Devel.cz
Develcz
 
Git deep dive – chopping Kubernetes
Stefan Schimanski
 
Cleaner Code Through Test-Driven Development
All Things Open
 
"Messaging with Quarkus"
ConSol Consulting & Solutions Software GmbH
 
Ad

Similar to Increasing Reliability via Helm Pre-Release Checks (Helm Summit 2019) (20)

PDF
Helm 3 - Navigating to distant shores
Lachlan Evenson
 
PDF
Deploying on Kubernetes - An intro
André Cruz
 
PDF
2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf
Łukasz Piątkowski
 
PDF
Configuration Management for the Cloud Native world with GitOps and Helm - To...
PROIDEA
 
PPTX
Helm and the zen of managing complex Kubernetes apps
Abhishek Chanda
 
PDF
Kubecon SIG Apps December 2017 Update
Matthew Farina
 
PDF
Helm 3: Navigating to Distant Shores (KubeCon EU 2019)
bridgetkromhout
 
PDF
Config management for kubernetes: GitOps + Helm
Tomasz Tarczyński
 
PDF
Helm - Application deployment management for Kubernetes
Alexei Ledenev
 
PDF
[k8s] Kubernetes terminology (1).pdf
Frederik Wouters
 
PDF
Delve into Helm - Advanced DevOps
Lachlan Evenson
 
PPTX
Deploying Windows Apps to Kubernetes with Draft and Helm
Jessica Deen
 
PDF
Deploying Kubernetes without scaring off your security team - KubeCon 2017
Major Hayden
 
PPTX
Leveraging Helm to manage Deployments on Kubernetes
Manoj Bhagwat
 
PPTX
Helm @ Orchestructure
Matthew Farina
 
PPTX
Exploring the Future of Helm
Matthew Farina
 
PDF
Kubernetes Application Deployment with Helm - A beginner Guide!
Krishna-Kumar
 
PDF
Verified CKAD Exam Questions and Answers
dalebeck957
 
PDF
Helm Charts Security 101
Deep Datta
 
PDF
Config management for_kubernetes: GitOps + Helm (CfgMgmtCamp 2020)
Tomasz Tarczyński
 
Helm 3 - Navigating to distant shores
Lachlan Evenson
 
Deploying on Kubernetes - An intro
André Cruz
 
2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf
Łukasz Piątkowski
 
Configuration Management for the Cloud Native world with GitOps and Helm - To...
PROIDEA
 
Helm and the zen of managing complex Kubernetes apps
Abhishek Chanda
 
Kubecon SIG Apps December 2017 Update
Matthew Farina
 
Helm 3: Navigating to Distant Shores (KubeCon EU 2019)
bridgetkromhout
 
Config management for kubernetes: GitOps + Helm
Tomasz Tarczyński
 
Helm - Application deployment management for Kubernetes
Alexei Ledenev
 
[k8s] Kubernetes terminology (1).pdf
Frederik Wouters
 
Delve into Helm - Advanced DevOps
Lachlan Evenson
 
Deploying Windows Apps to Kubernetes with Draft and Helm
Jessica Deen
 
Deploying Kubernetes without scaring off your security team - KubeCon 2017
Major Hayden
 
Leveraging Helm to manage Deployments on Kubernetes
Manoj Bhagwat
 
Helm @ Orchestructure
Matthew Farina
 
Exploring the Future of Helm
Matthew Farina
 
Kubernetes Application Deployment with Helm - A beginner Guide!
Krishna-Kumar
 
Verified CKAD Exam Questions and Answers
dalebeck957
 
Helm Charts Security 101
Deep Datta
 
Config management for_kubernetes: GitOps + Helm (CfgMgmtCamp 2020)
Tomasz Tarczyński
 
Ad

More from bridgetkromhout (20)

PDF
An introduction to Helm - KubeCon EU 2020
bridgetkromhout
 
PDF
devops, distributed (devopsdays Ghent 2019)
bridgetkromhout
 
PDF
Kubernetes for the Impatient (devopsdays Cape Town 2019)
bridgetkromhout
 
PDF
Join Our Party: The Cloud Native Adventure Brigade (OSS 2019)
bridgetkromhout
 
PDF
Helm 3: Navigating To Distant Shores (OSS NA 2019)
bridgetkromhout
 
PDF
Helm 3: Navigating to Distant Shores (OSCON 2019)
bridgetkromhout
 
PDF
Kubernetes for the Impatient (Velocity San Jose 2019)
bridgetkromhout
 
PDF
Community projects inform enterprise products (Velocity San Jose 2019)
bridgetkromhout
 
PDF
Kubernetes Operability Tooling (Minnebar 2019)
bridgetkromhout
 
PDF
Livetweeting Tech Conferences - SREcon Americas 2019
bridgetkromhout
 
PDF
Kubernetes Operability Tooling (devopsdays Seattle 2019)
bridgetkromhout
 
PDF
Kubernetes Operability Tooling (LEAP 2019)
bridgetkromhout
 
PDF
Day 2 Kubernetes - Tools for Operability (KubeCon)
bridgetkromhout
 
PDF
Cloud, Containers, Kubernetes (YOW Melbourne 2018)
bridgetkromhout
 
PDF
Cloud, Containers, Kubernetes (YOW Brisbane 2018)
bridgetkromhout
 
PDF
Cloud, Containers, Kubernetes (YOW Sydney 2018)
bridgetkromhout
 
PDF
Day 2 Kubernetes - Tools for Operability (Philly Open Source)
bridgetkromhout
 
PDF
Day 2 Kubernetes - Tools for Operability (QConSF)
bridgetkromhout
 
PDF
Day 2 Kubernetes - Tools for Operability (Velocity London Meetup)
bridgetkromhout
 
PDF
the endless now: distributed systems & teams
bridgetkromhout
 
An introduction to Helm - KubeCon EU 2020
bridgetkromhout
 
devops, distributed (devopsdays Ghent 2019)
bridgetkromhout
 
Kubernetes for the Impatient (devopsdays Cape Town 2019)
bridgetkromhout
 
Join Our Party: The Cloud Native Adventure Brigade (OSS 2019)
bridgetkromhout
 
Helm 3: Navigating To Distant Shores (OSS NA 2019)
bridgetkromhout
 
Helm 3: Navigating to Distant Shores (OSCON 2019)
bridgetkromhout
 
Kubernetes for the Impatient (Velocity San Jose 2019)
bridgetkromhout
 
Community projects inform enterprise products (Velocity San Jose 2019)
bridgetkromhout
 
Kubernetes Operability Tooling (Minnebar 2019)
bridgetkromhout
 
Livetweeting Tech Conferences - SREcon Americas 2019
bridgetkromhout
 
Kubernetes Operability Tooling (devopsdays Seattle 2019)
bridgetkromhout
 
Kubernetes Operability Tooling (LEAP 2019)
bridgetkromhout
 
Day 2 Kubernetes - Tools for Operability (KubeCon)
bridgetkromhout
 
Cloud, Containers, Kubernetes (YOW Melbourne 2018)
bridgetkromhout
 
Cloud, Containers, Kubernetes (YOW Brisbane 2018)
bridgetkromhout
 
Cloud, Containers, Kubernetes (YOW Sydney 2018)
bridgetkromhout
 
Day 2 Kubernetes - Tools for Operability (Philly Open Source)
bridgetkromhout
 
Day 2 Kubernetes - Tools for Operability (QConSF)
bridgetkromhout
 
Day 2 Kubernetes - Tools for Operability (Velocity London Meetup)
bridgetkromhout
 
the endless now: distributed systems & teams
bridgetkromhout
 

Recently uploaded (20)

PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Approach and Philosophy of On baking technology
30anthuong17
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 

Increasing Reliability via Helm Pre-Release Checks (Helm Summit 2019)