changing permission for kubeconfig file inside the shell pod #166
```go
	},
},
v1.Volume{
	Name: "user-kubeconfig-map",
```
nit: user-kube-configmap
Done
```go
pod.Spec.Containers[i].VolumeMounts = append(container.VolumeMounts, v1.VolumeMount{
	Name:      "user-kubeconfig",
	ReadOnly:  true,
	MountPath: envvar.Value,
	SubPath:   "config",
```
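Review bot: `MountPath: envvar.Value` is taken straight from the container's `KUBECONFIG` env var with no check that it is non-empty; a container whose `KUBECONFIG` is set to an empty string would get a `VolumeMount` with an empty `mountPath`, which the API server rejects when the pod is created. Suggest skipping that container (or returning an error) before building the mount, e.g. `if envvar.Value == "" { continue }`.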
Do we need this subpath?
We only use what's inside the `config` key of the ConfigMap. We don't need it, but I think it's good to specify a SubPath if we know exactly what we need.
@diogoasouza this is not a configmap. This is only emptyDir volume.
@rohitsakala Yes, sorry if I wasn't clear. I meant that we only copy the `config` from the configMap to this volume and that's why we only need to mount this path to the container.
Can I get a review from someone on the frameworks team?

```go
pod.Spec.InitContainers = []v1.Container{
	{
		Name: "init-container",
```
Can we rename this to something descriptive instead of `init-container`?
Done
```go
}

pod.Spec.InitContainers = []v1.Container{
	{
```
Due to the new `init-container`, when I click on the Kubectl shell button on Rancher Manager, it is taking 18 seconds to load the shell. Before the `init-container` it takes only 4 seconds to load the shell. This is a serious degradation of user experience. Maybe due to this, I find the `sed` solution better, if we can't find a way to mitigate this user experience issue.
It was the `imagePullPolicy` that was causing this. The default value is `Always` and I changed it to `PullIfNotPresent`. Should be fine now.
Can you link a GH issue associated with this change? I'm also not very familiar with this area but I'll do my best at reviewing this. From what I understand, we want to mount some kubeconfig that's stored on a Is it not possible to mount this file with the Here's an example (taken and modified from the upstream k8s docs):

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-config
  namespace: default
data:
  game.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
  ui.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
    how.nice.to.look=fairlyNice
---
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: registry.k8s.io/busybox
      command: [ "/bin/sh", "-c", "ls -l /etc/config/" ]
      volumeMounts:
        - name: game-config
          subPath: game.properties
          mountPath: /etc/config/game.properties
  volumes:
    - name: game-config
      configMap:
        name: game-config
        defaultMode: 0600
  restartPolicy: Never
```

Looking at the logs of the pod:

```
$ kubectl logs dapi-test-pod
total 4
-rw------- 1 root root 162 Mar 8 13:12 game.properties
```

The mode bits are as expected.
@tomleb Hi Tom, thanks for the review.
One nit but otherwise LGTM.
Thanks for adding some tests.
```go
for i, container := range pod.Spec.Containers {
	for _, envvar := range container.Env {
		if envvar.Name != "KUBECONFIG" {
			continue
		}

		vmount := v1.VolumeMount{
```
nit: Could add a comment to explain why we're doing this, since it's not obvious at first.
Needs one more approval from frameworks folks. Also this PR will need someone from your team to QA it 👍
Sure! I'll put it in our QA backlog after it's merged.
Everything looks good. Just found a minor typo.
```go
assert.Len(t, pod.Spec.Volumes, len(p.Spec.Volumes)+4, "expected four new volumes")
if len(tc.envVars) != 0 {
	assert.Len(t, pod.Spec.Containers[0].VolumeMounts, len(p.Spec.Containers[0].VolumeMounts)+1, "expeted kubeconfig volume to be mounted")
```
Suggested change (`expeted` → `expected`):

```go
	assert.Len(t, pod.Spec.Containers[0].VolumeMounts, len(p.Spec.Containers[0].VolumeMounts)+1, "expected kubeconfig volume to be mounted")
```
Fixed it
I think it has the required approvals, can you merge it @tomleb?
This PR changes the permission of the kubeconfig file used in the `shell` container used by the impersonator. It was using 0644 which was causing warnings when using helm. This changes the permission to 0600.

Explanation: Kubernetes always mounts configMaps and Secret volumes as `readOnly`, regardless of the flag passed when creating the mount. This is not reflected in the documentation of the `readOnly` flag. To work around that, I'm using an `init-container` to copy the content to an `emptyDir` volume, changing the permission and using that volume in the `shell` container.
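The step the init container performs, as an added example that is not the project's own code: a shell function copies the kubeconfig out of a read-only mount into a writable location and restricts it to owner read/write (helm warns when a kubeconfig is group- or world-readable), and a second function reads back the mode bits so the result can be checked. The paths and the sample kubeconfig are constructed for the demo; in the pod the source would be the ConfigMap mount and the destination the `emptyDir` shared with the shell container.

```shell
#!/bin/sh
# Added example, not code from the PR. Mirrors what the init container does:
# copy the kubeconfig from the read-only ConfigMap mount into the emptyDir
# volume and tighten its mode, since the ConfigMap mount itself cannot be chmod'ed.

# prepare_kubeconfig SRC DST
#   SRC: file on a read-only mount (assumed, e.g. the ConfigMap volume)
#   DST: file on a writable volume (assumed, e.g. the emptyDir mount)
prepare_kubeconfig() {
    src="$1"
    dst="$2"
    mkdir -p "$(dirname "$dst")" || return 1
    cp "$src" "$dst" || return 1
    # Owner read/write only: the mode helm expects for a kubeconfig.
    chmod 0600 "$dst" || return 1
}

# file_mode FILE: print the permission bits in octal, e.g. 600.
# GNU/BusyBox stat use -c, BSD/macOS stat uses -f; try both.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo with a constructed kubeconfig in a temporary directory.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/configmap"
    printf 'apiVersion: v1\nkind: Config\n' > "$tmp/configmap/config"
    chmod 0644 "$tmp/configmap/config"   # the mode a ConfigMap volume gives by default
    prepare_kubeconfig "$tmp/configmap/config" "$tmp/emptydir/config"
    echo "source mode: $(file_mode "$tmp/configmap/config"), copy mode: $(file_mode "$tmp/emptydir/config")"
    rm -rf "$tmp"
}

demo
```

Because the copy lives on the `emptyDir`, the shell container can mount that volume read-only (as the PR does) and still see a 0600 file; the ConfigMap mount keeps its default 0644 and is never handed to the shell.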