Update README directions for authenticating within a cluster #316
Conversation
There was a problem hiding this comment.
Looks great!
cc @carbonin, you have experience with in-cluster kubeclient use, could you reveiw as well? I see in manageiq we do this slightly differently — env vars vs kubernetes.default DNS, /run vs /var/run.
- This PR looks consistent with official doc https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-api-from-a-pod.
- KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT weren't set in pod env kubernetes/kubernetes#40973 sounds like DNS is more reliable than env vars (asked over there to confirm)
README.md
Outdated
| for more details). For example: | ||
| #### Inside a Kubernetes cluster | ||
|
|
||
| The recommended way to locate the apiserver within the pod is with the `kubernetes` DNS name, which resolves to a Service IP which in turn will be routed to an apiserver. |
There was a problem hiding this comment.
https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-api-from-a-pod documents kubernetes.default. I suspect kubernetes works too but only from pod running in default namespace?
BTW, consider linking to that doc.
There was a problem hiding this comment.
Hmm... I found different instructions at https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod (linked in the PR). Adding a link in the docs here is a good idea, but we need to decide which one is the right one. :) Reading the two, I think your link is more accurate / more recent?
On a separate note, I see that the link you shared says "Official client libraries do this automatically." I would like a feature where kubeclient can automatically authenticate itself where possible (e.g. within a cluster). However, from the discussions we've had, it sounds like you're more inclined to have authentication be explicit.
There was a problem hiding this comment.
LOL. I'm hoping to get some answers on kubernetes/kubernetes#40973.
There was a problem hiding this comment.
opened kubernetes/website#8166 to fix the docs
Connecting to kubernetes from within kubernetes is 100% in scope for kubeclient! BTW, we've recently heard about https://github.com/kubernetes-client/ruby, a still-early official kubernetes ruby client. I intend to reach out to the authors and compare long-term plans; in particular I suspect config-related code and APIs could be shared... |
|
Tested in a pod (on openshift). Authenticated as |
As mentioned in #213, the recommended way to connect within a cluster is a little different than what's documented in the README. This resolves that by updating the documented approach.
I removed the reference to kubernetes issue 7101 because kubernetes has moved beyond the work discussed there.
Most of this text is taken directly from the Kubernetes documentation, although I edited it a bit.