Add support to KUBECONFIG env var #113

Closed
fandujar opened this issue Jul 14, 2021 · 4 comments
Labels
enhancement New feature or request kubernetes Indicates an issue or PR is related to Kubernetes. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@fandujar

kubectl supports a KUBECONFIG env var that allows us to use another kubeconfig file instead of the default $HOME/.kube/config.

It would be good to support it as well

@ksudhir007
Contributor

Thanks @fandujar I started playing around with mizu a few mins back. I don't have permission on ALL resources on the cluster but I am limited to a specific namespace. I was wondering what permissions it would need to run mizu?

I see the error below even when I specify the namespace using the -n option:

$ ./mizu tap "shopping-cart-*" -A -n ksudhir007
Tapping pods in all namespaces
warning: could not ensure mizu rbac resources exist serviceaccounts "mizu-service-account" is forbidden: User "ksudhir007" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
Error creating mizu tapper daemonset: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot patch resource "daemonsets" in API group "apps" in the namespace "default"

Removing mizu resources
Error removing DaemonSet mizu-tapper-daemon-set in namespace default: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default" (daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default",daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default")

Happy to update the documentation once I find the answer.

@ksudhir007
Contributor

ksudhir007 commented Jul 15, 2021

Opened pull request #114

@RamiBerm
Contributor

> Thanks @fandujar I started playing around with mizu a few mins back. I don't have permission on ALL resources on the cluster but I am limited to a specific namespace. I was wondering what permissions it would need to run mizu?
>
> I see the error below even when I specify the namespace using the -n option:
>
> $ ./mizu tap "shopping-cart-*" -A -n ksudhir007
> Tapping pods in all namespaces
> warning: could not ensure mizu rbac resources exist serviceaccounts "mizu-service-account" is forbidden: User "ksudhir007" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
> Error creating mizu tapper daemonset: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot patch resource "daemonsets" in API group "apps" in the namespace "default"
>
> Removing mizu resources
> Error removing DaemonSet mizu-tapper-daemon-set in namespace default: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default" (daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default",daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default")
>
> Happy to update the documentation once I find the answer.

The minimum permissions needed are (currently for the default namespace, will be configurable later on):

- apiGroups:
  - ""
  - apps
  resources:
  - pods
  - services
  verbs:
  - list
  - get
  - create
  - delete
- apiGroups:
  - ""
  - apps
  resources:
  - daemonsets
  verbs:
  - list
  - get
  - create
  - patch
  - delete

You won't be able to run mizu at all without these resources.

For traffic IP to k8s service name resolving to work, you'll need these optional permissions:

- apiGroups:
  - ""
  - apps
  - "rbac.authorization.k8s.io"
  resources:
  - clusterroles
  - clusterrolebindings
  - serviceaccounts
  verbs:
  - get
  - create
  - delete

This will allow mizu to create the necessary RBAC resources that give mizu permissions to watch the cluster's pods, services and endpoints in order to resolve traffic IPs.
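
Added example (not part of the thread and not mizu's own code): a Python triage of the "forbidden" messages from the tap output above against the minimum and optional rule sets listed in this comment, which also reports whether permissions granted in one namespace would apply to the namespace where the request was denied. The function names and the `granted_ns` parameter are assumptions made for this illustration.

```python
import re

# Rule sets transcribed from the comment above.
MINIMUM = [
    {"apiGroups": ["", "apps"], "resources": ["pods", "services"],
     "verbs": ["list", "get", "create", "delete"]},
    {"apiGroups": ["", "apps"], "resources": ["daemonsets"],
     "verbs": ["list", "get", "create", "patch", "delete"]},
]
OPTIONAL = [
    {"apiGroups": ["", "apps", "rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings", "serviceaccounts"],
     "verbs": ["get", "create", "delete"]},
]

# API server "forbidden" message; cluster-scoped resources carry no namespace.
FORBIDDEN = re.compile(
    r'User "[^"]+" cannot (?P<verb>\w+) resource "(?P<res>[^"]+)" in API group '
    r'"(?P<group>[^"]*)"(?: in the namespace "(?P<ns>[^"]+)"| at the cluster scope)')

# Denials copied from the tap output quoted in this thread (prefixes trimmed).
SAMPLE = """\
User "ksudhir007" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
User "ksudhir007" cannot patch resource "daemonsets" in API group "apps" in the namespace "default"
User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default"
User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default"
"""

def covers(rules, verb, res, group):
    """True if any rule grants `verb` on `res` in API group `group`."""
    return any(group in r["apiGroups"] and res in r["resources"]
               and verb in r["verbs"] for r in rules)

def triage(text, granted_ns):
    """Map each distinct denial to the rule set that covers it and report
    whether a Role bound in `granted_ns` would apply to the denied namespace."""
    out = []
    for m in FORBIDDEN.finditer(text):
        verb, res, group, ns = m["verb"], m["res"], m["group"], m["ns"]
        needs = ("minimum" if covers(MINIMUM, verb, res, group) else
                 "optional" if covers(OPTIONAL, verb, res, group) else "uncovered")
        row = (verb, res, ns, needs, ns == granted_ns)  # ns is None at cluster scope
        if row not in out:
            out.append(row)
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE, granted_ns="ksudhir007"):
        print(row)
```

Every denial in the sample is in the `default` namespace, so the last field is false when the user's permissions exist only in `ksudhir007`, which matches the note above that the permissions are currently needed in the default namespace.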

@ksudhir007
Contributor

Thanks @RamiBerm - this issue can be closed - both pull requests are merged.

@IgorGov IgorGov closed this as completed Jul 15, 2021
@mertyildiran mertyildiran added enhancement New feature or request kubernetes Indicates an issue or PR is related to Kubernetes. triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Feb 5, 2022