Implemented the option to use a service account token with a cluster …

…role

.kubernetes/kubernetes-job-monitor-kubeconfig.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: kubernetes-job-monitor
+spec:
+  rules:
+  - host: kubernetes-job-monitor.local
+    http:
+      paths:
+      - backend:
+          serviceName: kubernetes-job-monitor
+          servicePort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubernetes-job-monitor
+  labels:
+    app: kubernetes-job-monitor
+spec:
+  selector:
+    app: kubernetes-job-monitor
+  ports:
+  - name: app-port
+    port: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubernetes-job-monitor
+  labels:
+    app: kubernetes-job-monitor
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kubernetes-job-monitor
+  template:
+    metadata:
+      labels:
+        app: kubernetes-job-monitor
+    spec:
+      containers:
+      - name: kubernetes-job-monitor
+        imagePullPolicy: Always
+        image: pietervogelaar/kubernetes-job-monitor:latest
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: kubeconfig
+          mountPath: /etc/.kube
+          readOnly: true
+        env:
+        - name: KUBERNETES_DASHBOARD_URL
+          value: 'http://kubernetes-dashboard.local'
+      volumes:
+      - name: kubeconfig
+        secret:
+          secretName: kubeconfig

.kubernetes/kubernetes-job-monitor.yaml

@@ -25,6 +25,34 @@ spec:
   - name: app-port
     port: 80
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: kubernetes-job-monitor
+  name: kubernetes-job-monitor
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-job-monitor-minimal
+rules:
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-job-monitor-minimal
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-job-monitor-minimal
+subjects:
+- kind: ServiceAccount
+  name: kubernetes-job-monitor
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -47,14 +75,7 @@ spec:
         image: pietervogelaar/kubernetes-job-monitor:latest
         ports:
         - containerPort: 80
-        volumeMounts:
-        - name: kubeconfig
-          mountPath: /etc/.kube
-          readOnly: true
         env:
         - name: KUBERNETES_DASHBOARD_URL
           value: 'http://kubernetes-dashboard.local'
-      volumes:
-      - name: kubeconfig
-        secret:
-          secretName: kubeconfig
+      serviceAccountName: kubernetes-job-monitor

Dockerfile

@@ -5,7 +5,9 @@ WORKDIR /var/www/app
 RUN apk add --no-cache bash curl findutils nginx=1.14.0-r1 supervisor=3.3.4-r1 && \
     curl -sSO https://storage.googleapis.com/kubernetes-release/release/v1.11.1/bin/linux/amd64/kubectl && \
     chmod +x kubectl && \
-    mv kubectl /usr/local/bin/kubectl
+    mv kubectl /usr/local/bin/kubectl && \
+    mkdir /etc/.kube && \
+    touch /etc/.kube/config
 
 COPY requirements.txt /var/www/app
 

README.md

@@ -10,16 +10,26 @@ the container to retrieve the data from Kubernetes.
 
 ## Installation
 
-### Kubeconfig secret
+### Inside the cluster with a service account token (recommended)
 
-The Kubernetes job monitor uses kubectl to retrieve data from the Kubernetes cluster, which requires authentication.
-The configuration for the admin user that is located at `/etc/kubernetes/admin.conf` on the Kubernetes master can be
-used. It's off course also possible to create a user that only has read access to jobs (of one namespace or
-all namespaces).
+This option is the easiest and the recommended way of installing. The Kubernetes job monitor shows all the jobs of
+the cluster it is deployed to. Permissions are granted by a service account and cluster role.   
 
-Convert the user configuration to one base64 encoded line:
+    kubectl apply -f https://raw.githubusercontent.com/pietervogelaar/kubernetes-job-monitor/master/.kubernetes/kubernetes-job-monitor.yaml
+
+**Note**: You should review the manifest above, to configure the correct host and Kubernetes dashboard URL for
+deep linking.
+
+### Inside a separate cluster with kubeconfig for remote monitoring
 
-    cat /etc/kubernetes/admin.conf | base64 | tr -d '\n'
+This option uses a kubeconfig file instead of a service account for permissions. A kubeconfig file can
+also describe another cluster than that the Kubernetes job monitor is deployed to. So remote monitoring is possible.
+
+The user configured in the kubeconfig file must be able to get and list batch jobs. 
+
+Convert your kubeconfig file to one base64 encoded line:
+
+    cat /your/.kube/config | base64 | tr -d '\n'
 
 Create the `secret.yaml` manifest:
 
@@ -38,9 +48,7 @@ Apply in the same namespace as the Kubernetes job monitor:
 
 This secret will be mounted inside the container so that kubectl can use it.
 
-### Deployment
-
-    kubectl apply -f https://raw.githubusercontent.com/pietervogelaar/kubernetes-job-monitor/master/.kubernetes/kubernetes-job-monitor.yaml
+    kubectl apply -f https://raw.githubusercontent.com/pietervogelaar/kubernetes-job-monitor/master/.kubernetes/kubernetes-job-monitor-kubeconfig.yaml
 
 **Note**: You should review the manifest above, to configure the correct host and Kubernetes dashboard URL for
 deep linking.

functions.py

@@ -235,7 +235,7 @@ def exec_command(command, shell=False, print_output=True):
 
         if stderr:
             # Write subprocess stderr to stderr
-            print('stderr:')
+            sys.stderr.write("stderr:\n")
             sys.stderr.write(stderr)
 
     if p.returncode > 0: