877 allow controller to use token#885
Conversation
This reverts commit 6ed2ef2.
There was a problem hiding this comment.
Thank you for the patch! The approach looks good to me, I've just made a couple of minor comments. After that we will need a bit of documentation in docs/function-controller-configuration.md to tell users how to use the new env var.
Also, to fix the tests please rebase the current status of master.
pkg/utils/k8sutil.go
Outdated
| func GetFunctionClientInCluster() (versioned.Interface, error) { | ||
| config, err := rest.InClusterConfig() | ||
| config, err := GetOverriddenClientConfig() | ||
| if err != nil { |
There was a problem hiding this comment.
the error could be related to something else, it's better to avoid having to retrieve the config twice. In fact if KUBELESS_TOKEN_FILE_PATH is not set you are already returning the result of rest.InClusterConfig() so you don't need this if block.
pkg/utils/kubelessutil.go
Outdated
| } | ||
|
|
||
| // GetControllerRestClientConfig returns necessary Config object to authenticate k8s clients if env variable is set | ||
| func GetOverriddenClientConfig() (*rest.Config, error) { |
There was a problem hiding this comment.
I'd call this GetInClusterConfig so you don't need to know about what are you overriding.
Now Gopkg.toml is used instead
* Remove description for CRDs * Update docs * Adapt kafka manifest
…dundant error handler for getting config
This reverts commit 6ed2ef2.
…dundant error handler for getting config
…g/kubeless into 877-allow-controller-to-use-token
|
@andresmgot thanks for the quick feedback! I've addressed your comments and added some docs about using the environmental variable--lmk what you think |
andresmgot
left a comment
andresmgot
left a comment
There was a problem hiding this comment.
thanks for applying the changes!
2 participants
Issue Ref: Fixes #877
Description:
I am deploying kubeless-function-controller to a non-rbac k8s cluster using webhooks for auth/z. My authz policies reject any non-whitelisted serviceaccounts, and I cannot whitelist the controller-acct serviceaccount nor can I use an existing, whitelisted serviceaccount.
This PR allows you to supply a bearer token for the Kubeless Function Controller to use for k8s operations instead of using a k8s service account. Do so by setting the environmental variable
KUBELESS_TOKEN_FILE_PATHto the filepath where a file containing the bearer token will be mounted.Notably, this does not manage OAuth refresh workflows. In my use case, the mechanism I use to procure tokens and configure kubeless is responsible to managing token lifespans.
TODOs: