Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Going Beyond CI/CD with Prow

Leonardo Di Donato
August 20, 2020
Technology
0
220

Going Beyond CI/CD with Prow

One of the most untold secrets is how hard and important is to automate the whole set of workflows around the code, not only the testing phase. We were able to use the native Kubernetes CI/CD system - Prow - to solve CI/CD for Falco. Furthermore we discovered that Prow does much more than CI/CD! Join us to find out what! You will walk away with a deep technical knowledge of Prow and how we were able to implement internally so you can too.

We’ll see how to correctly setup and deploy Prow on a Kubernetes instance. How to link it to a bot account. How to hook Prow to GitHub organizations and repositories, how to establish an automated governance process for the Open Source by configuring multiple Prow plugins.

Finally, the audience will learn how to create its own custom plugins in order to lint commit messages and code.

KubeCon + CloudNativeCon 2020 Europe

Leonardo Di Donato

August 20, 2020
Tweet

More Decks by Leonardo Di Donato

See All by Leonardo Di Donato
Coverage for eBPF programs
leodido
2
500
Scheduling eBPF on K8S doesn't have to be difficult
leodido
0
310
FalcOMG That's Awesome
leodido
0
290
Bypass Falco
leodido
0
250
Falco: runtime security analysis through syscalls
leodido
2
740
Designing a gRPC Interface for Kernel Tracing with eBPF
leodido
0
540
Falco, runtime security analysis through syscalls
leodido
0
410
Cloud Native eBPF Instrumentation
leodido
7
870
Go eBPF superpowers
leodido
0
490

Other Decks in Technology

See All in Technology
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
SSMRunbook作成の勘所_20241120
koichiotomo
3
160
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
200
いざ、BSC討伐の旅
nikinusu
2
780
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
Lambdaと地方とコミュニティ
miu_crescent
2
370
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
180
CDCL による厳密解法を採用した MILP ソルバー
imai448
3
130

Featured

See All Featured
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Adopting Sorbet at Scale
ufuk
73
9.1k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
RailsConf 2023
tenderlove
29
900
The Pragmatic Product Professional
lauravandoore
31
6.3k
Optimizing for Happiness
mojombo
376
70k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
For a Future-Friendly Web
brad_frost
175
9.4k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
The Art of Programming - Codeland 2020
erikaheidi
52
13k

Transcript

  1. Going Beyond CI/CD with Prow @leodido

  2. Leonardo Di Donato Open Source Software Engineer Falco Maintainer @leodido

    2 extra points to who spots the meaning of this Italian hand-gesture! Whoami!

  3. A timeline always works fine Falco created to parse libsinsp

    events! May 2016 Accepted as a CNCF incubation level hosted project Jan 2020 Sysdig Inc. donated Falco to the CNCF Oct 2018 3 May 2019 Falco Community Calls start! @leodido

  4. Drama! 4 ❏ CI was built on top of Travis

    CI ❏ Barely working ❏ Flaky ❏ Falco drivers building & testing infrastructure not public ❏ Internal Jenkins @leodido

  5. More drama! 5 ❏ PRs merged even when GitHub status

    checks not passing ❏ No clear ownership ❏ Missing PRs reviews ❏ Some policies there but… ❏ Not easily discoverable & auditable ❏ Zero enforcement ❏ Zero automation ❏ The list goes on... @leodido

  6. No blame. Just solutions.™ We had some constraints… ❏ No

    time to build a custom CI/CD system from scratch ❏ No time to create an automatic policy enforcer ❏ Team of 2 While the main focus was to: ❏ Write eBPF ❏ Write C/C++ code @leodido

  7. How Kubernetes does? @leodido

  8. Prow Way more than CI/CD. ❏ GitHub ChatOps ❏ Define

    and enforce policies ❏ Auto-merge bot ❏ OSS ❣ @leodido

  9. CRDs ❏ Custom controllers ❏ Resource management Pods ❏ Scheduling

    ❏ Lifecycle ❏ A bunch of containers ConfigMaps ❏ Auditable ❏ Configurations Secrets ❏ Credentials management 9 Built for Kubernetes. On Kubernetes. @leodido

  10. Poiana stops the drama! 10 More time spent in Falco

    coding. Healthier OSS Auditable policies. Clear rules. Templated processes. Auto enforcement. Community More contributors. More projects. @leodido

  11. Prow Architecture ❏ ProwJob custom resource ❏ Horologium ❏ Hook

    ❏ Plank ❏ Deck ❏ Tide ❏ Sinker ❏ Crier @leodido

  12. ProwJobs ❏ Life of a ProwJob ❏ Custom resource ❏

    Custom controllers ❏ Types ❏ presubmit ❏ postsubmit ❏ batch ❏ periodic @leodido

  13. @leodido Plank Controller that manages the lifecycle of jobs. Plank

    Job X POD Pods API API ProwJobs Prow Cluster Build Cluster Horologium Periodic jobs… gh:falcosecurity/test-infra/pull/78

  14. Hook kubernetes/test-infra/prow/hook @leodido GitHub Hook cat trigger goose webhooks /meow

    /retest /honk

  15. @leodido Plugins for everybody kubernetes/test-infra/prow/plugins ❏ config_updater ❏ trigger ❏

    approve, lgtm ❏ hold, wip ❏ ...

  16. @leodido ProwJob definition Deck Build logs

  17. Tide @leodido Overrides! These prevent a PR on Falco to

    be merged in! Poiana requires these labels to put a Falco PR in merge queue!

  18. Sinker garbage collector ❏ > 48 hours completed jobs (customisable)

    ❏ > 30 min completed pods (customisable) @leodido Crier 1. Detects ProwJob status changes 2. Reports them ❏ Gerrit ❏ Pubsub ❏ GitHub ❏ Slack Disable report feature of Plank! (--skip-report=true) More at test-infra/prow/cmd/crier

  19. Workflow

  20. I want it too! GitHub Bot Account go get -u

    k8s.io/test-infra/experiment/update-hook update-hook --hmac-path=path/to/hmac/secret \ --github-token-path=path/to/oauth/secret \ --hook-url http://1.2.3.4/hook --repo my_organization --confirm=true Become a YAML developer ❏ Write access to the repos ❏ Owner access for the org(s) ❏ Create access token with repo:status + public_repo scopes ❏ admin:org_hook if handling GitHub org 1. Create the YAML manifests, cluster role bindings… 2. Create the secrets from tokens (hmac + oauth2) 3. Apply them on your Kubernetes cluster Install the webhook 1 2 3 getting started guide @leodido

  21. falcosecurity/test-infra/prow a.k.a @poiana

  22. Bring Your Own Prow Plugin STEPS 1. Write a Go

    server! 2. Wrap it into a docker image 3. Kubernetes service and deployment 4. kubectl apply -f them! 5. Add it to your Prow cluster external_plugins: <org>/<repo>: - name: <name> endpoint: http://<name>.default.svc.cluster.local events: - issue_comment RESOURCES ❏ custom external plugin intro ❏ phony test utility ❏ help helpers ❏ k8s.io/test-infra/prow/pluginhelp ❏ k8s.io/test-infra/prow/pluginhelp/exter nalplugins ❏ GitHub client and utilities ❏ k8s.io/test-infra/prow/github ❏ config agent and secrets ❏ k8s.io/test-infra/prow/config/secret ❏ k8s.io/test-infra/prow/config ❏ flag helpers ❏ k8s.io/test-infra/pkg/flagutil ❏ k8s.io/test-infra/prow/flagutil @leodido

  23. Read The Source Code leodido/saymyname-prow-plugin @leodido

  24. @leodido

  25. Speculations about the future! ❏ Enable the Prow GitHub API

    proxy ❏ Falco Drivers Test Grid through ProwJobs ❏ Code Coverage ❏ Code Linting ❏ Custom plugin for externals CI ❏ Spyglass ❏ Plugin that automatically creates a release PR when a milestone is done ❏ Periodic job to cleanup old unused Falco version and prebuilt Falco drivers ❏ ... 25 @leodido

  26. Questions and feedback welcome 26 Thanks! ❏ twitter.com/leodido ❏ github.com/leodido

    ❏ github.com/falcosecurity/falco ❏ slack.k8s.io, #falco channel ❏ github.com/falcosecurity/test-infra ❏ github.com/kubernetes/test-infra ❏ thanks to Apulia for inspiration @leodido