Making ksync work in a RBAC enabled internal cluster with public k8s elb #294

Closed
alok87 opened this issue May 24, 2019 · 3 comments

@alok87
Contributor

alok87 commented May 24, 2019

There could be two kinds of users for ksync.

  1. Users having their own Kubernetes cluster with the cluster machine being publicly accessible
  2. Users having namespaced or limited access to a Kubernetes cluster. Basically, users sharing a single Kubernetes cluster using RBAC. Also, these users have a cluster which is internal and only the Kubernetes API load balancer is public.

ksync works perfectly when you fall into the first kind of user. But from what I have experienced so far, the code is not friendly for the second type of user #293

I would like to contribute to ksync to make it friendly for the 2nd kind of user. I see these areas of work here:

  1. To make it RBAC friendly, with every access configured at the time of installation.
  2. To make it workable for clusters in which nodes are internal and only the API server is public. Will tunnelling work? Will sync work in this kind of setup?

What are the things that are required to be changed? Will it be major work?

@timfallmk @grampelberg please help me do this. We want to use ksync :)

@alok87 alok87 changed the title Making ksync work in a RBAC enabled cluster Making ksync work in a RBAC enabled internal cluster with public k8s elb May 24, 2019
@timfallmk
Collaborator

Off the top of my head, it would take some doing to get this working. The main problem you would have is that currently ksync needs administrative access to the Docker daemon (in order to interact with the filesystems and event streams), which essentially gives a user unrestricted access to all containers run on that node.

@alok87
Contributor Author

alok87 commented May 31, 2019

@timfallmk Forgot to update here. I have made it work in an RBAC enabled environment with internal Kubernetes nodes (nothing required for internal Kubernetes nodes - port forwarding with the k8s API works).

Created #299 for the extra things I had to do to make ksync work in an RBAC controlled env.

  1. It does give a little more access than required - like any user can list all pods in the cluster. But we can do something here to fix it.
  2. ksync init for local breaks: ksync init for localhost breaks for the user having namespaced access to Kubernetes. It can be changed to not break. (ksync init is required locally to install the syncthing binary.)
  3. ksync init for remote: It is fine if it needs admin access as it is a one-time thing.

I don't think a lot of work is needed. Let's start by fixing the above 2 ^ ?

@alok87
Contributor Author

alok87 commented Feb 19, 2020

This can be used as a reference for people facing issues. Nothing extra to do here. Closing this.

@alok87 alok87 closed this as completed Feb 19, 2020