Add container-orchestration image audit for the monitoring exporter #9
Code Review
This pull request introduces a new Python script tools/audit_k8s_images.py along with unit tests in tests/test_audit_k8s_images.py to audit Kubernetes and Helm manifests for mx-exporter image references and verify their consistency. The reviewer provided valuable feedback to improve the robustness and accuracy of the script: 1) optimizing the regular expression to correctly match Helm template image strings containing spaces and exclude trailing comments, 2) checking for directory existence and verifying paths are files before reading to prevent runtime errors, and 3) narrowing the path filter from "exporter" to "mx-exporter" to avoid false positives from other exporters.
| from pathlib import Path | ||
|
|
||
|
|
||
| IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s]+)", re.MULTILINE) |
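Review bot: IMAGE_RE anchors the key with ^\s*image:, so a container entry written in list-item form (- image: repo/name:tag) never matches and that image is silently left out of the audit. Allow an optional list marker before the key, for example ^\s*(?:-\s+)?image:, and add a test manifest that uses that form.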
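When the current regular expression IMAGE_RE handles a Helm template image reference that contains spaces (for example image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"), [^'"\s]+ cuts the match off at the first space, so only {{ is matched. This leaves image extraction from Helm templates incomplete, which in turn affects the consistency audit results.
Consider optimizing the regular expression so that it extracts the full quoted string (including the spaces inside it) and excludes any trailing comment.
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\n]+?)['\"]?\s*(?:\s#.*)?$", re.MULTILINE)
| def collect_images(root: Path) -> list[dict[str, str]]: | ||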
| images: list[dict[str, str]] = [] | ||
| for path in sorted((root / "deployment").rglob("*")): | ||
| if path.suffix not in {".yaml", ".yml"}: | ||
| continue |
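While iterating over the deployment directory, there are two potential problems:
- If the deployment directory does not exist, calling rglob directly may lead to unexpected behavior or raise an exception in some environments.
- If a directory whose name ends in .yaml or .yml exists (for example certain temporary directories or special configurations), calling path.read_text() directly raises IsADirectoryError.
Consider checking that deployment is a directory before iterating, and adding a path.is_file() check inside the loop, to make the code more robust.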
| def collect_images(root: Path) -> list[dict[str, str]]: | |
| images: list[dict[str, str]] = [] | |
| for path in sorted((root / "deployment").rglob("*")): | |
| if path.suffix not in {".yaml", ".yml"}: | |
| continue | |
| def collect_images(root: Path) -> list[dict[str, str]]: | |
| images: list[dict[str, str]] = [] | |
| deploy_dir = root / "deployment" | |
| if not deploy_dir.is_dir(): | |
| return images | |
| for path in sorted(deploy_dir.rglob("*")): | |
| if not path.is_file() or path.suffix not in {".yaml", ".yml"}: | |
| continue |
|
|
||
| def audit(root: Path) -> dict[str, object]: | ||
| images = collect_images(root) | ||
| exporter_images = sorted({item["image"] for item in images if "exporter" in item["path"].lower()}) |
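Review bot: in audit, the set is selected by a substring of item["path"] rather than by item["image"], so an exporter image referenced from a manifest whose path does not contain the substring is missed, and the consistency check can pass on an incomplete set. Match on the image repository name as well, or document that the directory layout is the selector.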
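When filtering exporter images, "exporter" in item["path"].lower() may be too broad. If the deployment directory contains other exporters (for example node-exporter, gpu-exporter), their paths also contain "exporter", so they are wrongly included in the mx_exporter_images statistics and consistency check.
Since this script and the returned key names (such as mx_exporter_images) are explicitly aimed at mx-exporter, consider narrowing the filter condition to "mx-exporter".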
| exporter_images = sorted({item["image"] for item in images if "exporter" in item["path"].lower()}) | |
| exporter_images = sorted({item["image"] for item in images if "mx-exporter" in item["path"].lower()}) |
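The three review suggestions above (regex, directory and file guards, narrower path filter) put together as an added example; it is not code from the pull request or the review. The manifest contents and the registry.example names are constructed, and the part of collect_images that reads each file and records its path is an assumption, since the page shows only the start of that function.

```python
import re
import tempfile
from pathlib import Path

# Original pattern from the PR: the capture stops at the first space.
ORIGINAL_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s]+)", re.MULTILINE)
# Pattern suggested in the review, with the quotes escaped for a Python raw string.
SUGGESTED_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\n]+?)['\"]?\s*(?:\s#.*)?$", re.MULTILINE)

# Constructed sample tree (path -> content); none of it comes from the repository.
SAMPLE = {
    "deployment/helm/mx-exporter/templates/daemonset.yaml":
        '      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"\n',
    "deployment/k8s/mx-exporter/daemonset.yaml":
        "      image: registry.example/mx-exporter:1.2.3  # pinned\n",
    "deployment/k8s/node-exporter/daemonset.yaml":
        "      image: registry.example/node-exporter:1.8.0\n",
}


def collect_images(root: Path, pattern: re.Pattern) -> list[dict[str, str]]:
    """Guards are from the review; the read/match body is assumed, not the PR's code."""
    images: list[dict[str, str]] = []
    deploy_dir = root / "deployment"
    if not deploy_dir.is_dir():
        return images
    for path in sorted(deploy_dir.rglob("*")):
        if not path.is_file() or path.suffix not in {".yaml", ".yml"}:
            continue
        rel = path.relative_to(root).as_posix()
        for match in pattern.finditer(path.read_text(encoding="utf-8")):
            images.append({"path": rel, "image": match.group(1)})
    return images


def exporter_images(images: list[dict[str, str]], needle: str) -> list[str]:
    return sorted({i["image"] for i in images if needle in i["path"].lower()})


def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in SAMPLE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text, encoding="utf-8")
        (root / "deployment" / "cache.yaml").mkdir()  # directory with a YAML suffix
        before = exporter_images(collect_images(root, ORIGINAL_RE), "exporter")
        after = exporter_images(collect_images(root, SUGGESTED_RE), "mx-exporter")
    return {"before": before, "after": after}
```

With the original pattern and filter the result contains the truncated `{{` and the node-exporter image; with the suggested ones it contains the full Helm template string and only the mx-exporter manifests.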
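This change adds the container-orchestration image audit for the monitoring exporter. Its main purpose is to address the fact that the relevant information in the monitoring-export and deployment troubleshooting workflow is not centralized enough and is costly to collate by hand, so that day-to-day troubleshooting, verification and result archiving become more direct.
The implementation adds the corresponding tool or script logic and the corresponding tests, while keeping existing usage unchanged as far as possible to avoid affecting existing workflows.
This branch has been validated in practice in the 沐曦 (MetaX) compute environment, all related checks have passed, and it is now submitted for merging.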