Introduction to Custodian

  Capital One is a large organization. As a financial services company, Capital One has to satisfy many compliance requirements. The company is also a customer of Amazon's AWS cloud computing service. For its use of AWS, the company needed a tool with which to define efficient rules and policies.

  Custodian is a rules engine for AWS and is tightly coupled to the individual AWS services. As its project home page describes it, "Policy rules engine for aws management, policies in yaml for query, filter, and take actions on resources": a rules engine for AWS management, driven by YAML configuration files, that can query and filter AWS resources and take some action on them.

  Let's look at an example of using it against EC2. The main parts are Query, filter, and action:

  • Query

    # Keys the EC2 query accepts, with the values allowed for each
    EC2_VALID_FILTERS = {
        'architecture': ('i386', 'x86_64'),
        'availability-zone': str,
        'iam-instance-profile.arn': str,
        'image-id': str,
        'instance-id': str,
        'instance-lifecycle': ('spot',),
        'instance-state-name': (
            'pending',
            'terminated',
            'running',
            'shutting-down',
            'stopping',
            'stopped'),
        'instance.group-id': str,
        'instance.group-name': str,
        'tag-key': str,
        'tag-value': str,
        'tag:': str,
        'vpc-id': str}

  In the query template you can specify the region, image, instance state, instance group, and so on.

  • Filters

    • ebs: Filter based on Volumes attached to Instance
    • Filter by State Transition Filter
    • Filter instances by state (see Instance Lifecycle)
    • image-age: Filter on the age of the instance AMI based on the ImageId CreationDate
    • image: Filter on the ImageId of the instance
    • offhour: Filter for c7n.resources.ec2.InstanceOffHour
    • onhour: Filter for c7n.resources.ec2.InstanceOnHour
    • ephemeral: Filter for instances that have ephemeral drives
    • instance-uptime: Filter based on instance LaunchTime in days
    • instance-age: Filter based on the AttachTime of the EBS Volumes in days

  For example, onhour filters instances based on their running time.

  • Actions:

    • Start

      Start a set of instances (presumably) already stopped; the start action will automatically filter instances to those that are already in the correct state.
      This example will restart all stopped instances.

        policies:
          - name: ec2-start
            resource: ec2   # the policy key is 'resource' (singular)
            actions:
              - start

    • Stop

      Will stop the instances. Stopped instances do not incur EC2 instance costs.

    • Terminate

      Will terminate the instances. Use with caution!

Based on the filtered resources, actions can be taken: EC2 instances can be started, stopped, or terminated.

  • Example YAML file:

    policies:
      - name: remediate-extant-keys
        description: |
          Scan through all s3 buckets in an account and ensure all objects
          are encrypted (default to AES256).
        resource: s3
        actions:
          - encrypt-keys

      - name: ec2-require-non-public-and-encrypted-volumes
        resource: ec2
        description: |
          Provision a lambda and cloud watch event target
          that looks at all new instances not in an autoscale group
          and terminates those with unencrypted volumes.
        mode:
          type: cloudtrail
          events:
            - RunInstances
        filters:
          - Encrypted: false
        actions:
          - terminate

      - name: tag-compliance
        resource: ec2
        description: |
          Schedule a resource that does not meet tag compliance policies
          to be stopped in four days.
        filters:
          - State.Name: running
          - "tag:Environment": absent
          - "tag:AppId": absent
          - or:
              - "tag:OwnerContact": absent
              - "tag:DeptID": absent
        actions:
          - type: mark-for-op
            op: stop
            days: 4
  • The first is defined for S3: it scans all the buckets in S3 and encrypts every object.
  • The second uses AWS Lambda and CloudWatch underneath; it targets all new instances that are not in an autoscale group and terminates those with unencrypted volumes.
  • The third is a scheduled task: it finds the resources whose tags match the conditions and stops them within four days.
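  To make the filter semantics of the tag-compliance policy concrete, here is an added example (not Cloud Custodian's own code) that evaluates that policy's filter list against a few constructed instance records shaped like DescribeInstances output and returns the instances that would be marked for stop. It assumes the shorthand rules the YAML above relies on: the top-level filter list is an AND, `or:` is a disjunction, `absent` means the key is missing, dotted keys walk nested fields, and `tag:Name` looks up the instance's Tags.

```python
# Added example, not Cloud Custodian's own code: a minimal evaluator for the
# tag-compliance filters above, run over constructed DescribeInstances-like records.
TAG_COMPLIANCE_FILTERS = [
    {"State.Name": "running"},
    {"tag:Environment": "absent"},
    {"tag:AppId": "absent"},
    {"or": [{"tag:OwnerContact": "absent"}, {"tag:DeptID": "absent"}]},
]
_MISSING = object()

def lookup(instance, key):
    """'tag:X' reads the Tags list; 'A.B' walks nested dicts; missing -> _MISSING."""
    if key.startswith("tag:"):
        wanted = key[len("tag:"):]
        for tag in instance.get("Tags", []):
            if tag.get("Key") == wanted:
                return tag.get("Value")
        return _MISSING
    node = instance
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def matches(instance, flt):
    """One filter: {'or': [...]} is a disjunction, {key: 'absent'} means the key is
    missing, any other {key: value} is an equality test (c7n value-filter shorthand)."""
    if "or" in flt:
        return any(matches(instance, sub) for sub in flt["or"])
    (key, expected), = flt.items()
    actual = lookup(instance, key)
    if expected == "absent":
        return actual is _MISSING
    return actual is not _MISSING and actual == expected

def select(instances, filters):
    """The top-level filter list is a conjunction; return the ids that pass."""
    return [i["InstanceId"] for i in instances if all(matches(i, f) for f in filters)]
# Constructed sample instances (not real AWS data).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a", "State": {"Name": "running"}, "Tags": []},  # no tags at all
    {"InstanceId": "i-0b", "State": {"Name": "running"},  # owner and dept both set
     "Tags": [{"Key": "OwnerContact", "Value": "ops@example.com"}, {"Key": "DeptID", "Value": "42"}]},
    {"InstanceId": "i-0c", "State": {"Name": "stopped"}, "Tags": []},  # not running
    {"InstanceId": "i-0d", "State": {"Name": "running"},  # Environment tag present
     "Tags": [{"Key": "Environment", "Value": "prod"}]},
    {"InstanceId": "i-0e", "State": {"Name": "running"},  # owner set but no DeptID
     "Tags": [{"Key": "OwnerContact", "Value": "ops@example.com"}]},
]
```

  Running `select(SAMPLE_INSTANCES, TAG_COMPLIANCE_FILTERS)` yields only the running, untagged instance and the one with an owner but no DeptID; the stopped instance and the one carrying an Environment tag fall out at the AND level.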

  My understanding is that cloud-custodian is a scripting tool built on top of the APIs that AWS provides: a "rules engine" that can query and filter AWS resources and take some action on the resources it selects. As it stands, custodian is tightly coupled to AWS; it filters and schedules AWS resources in order to manage them better and improve resource utilization.