Skip to content

Use kubectl and RBAC to look up zone for broker.rack #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 9 commits into from
Closed

Use kubectl and RBAC to look up zone for broker.rack #56

wants to merge 9 commits into from

Conversation

solsson
Copy link
Contributor

@solsson solsson commented Aug 2, 2017

API use from within pods gets permission denied with Kubernetes 1.7 on GKE. RBAC makes sense and we should learn to use it. Docs are ok but thin on conventions. I searched around but I guess the role and service account naming needs discussion.

I failed to get curl calls like in #39 to auth as system:serviceaccount:kafka:kafka but kubectl solved that and also makes it handy to extract a label value.

solsson added 9 commits August 2, 2017 12:53
@solsson
Draft rbac. I was allowed to do create -f after ...
e6d70a3 
adding myself to cluster-admin clusterrole
@solsson
Creates the service account kafka
4d00ead
@solsson
Are there conventions for naming RBAC stuff?
f6c48e2
@solsson
Oddly /run/secrets doesn't get mounted
56f0f9c
@solsson
Secrets do get mounted when using the kafka image ...
b3a6bbc 
instead of curl. Could it be that curl is based on Alpine?
@solsson
Using kubectl because curl would get 401 as system:anonymous,
7912b82 
but be prepared for misleading error messages (for an RBAC noob like me)
when your operation does not match the Role's rights:

```
root@test-rack-awareness-267009956-k0ffs:/opt/kafka# kubectl get pod $HOSTNAME
NAME                                  READY     STATUS    RESTARTS   AGE
test-rack-awareness-267009956-k0ffs   1/1       Running   0          14m
root@test-rack-awareness-267009956-k0ffs:/opt/kafka# kubectl get pods
Error from server (Forbidden): User "system:serviceaccount:kafka:kafka" cannot list pods in the namespace "kafka".: "Unknown user \"system:serviceaccount:kafka:kafka\"" (get pods)
```
@solsson
kubectl gets the designated role and kan read node label
f26a13f
@solsson
Adds nodeName downwardApi for zone lookup,
54a95fc 
and service account for debugging
@solsson
Removing the test as I can't see how to assert rack awareness
9cdb4b9
@solsson
Copy link
Contributor Author

solsson commented Aug 2, 2017

TODO make init container fast again by switching to an image with kubectl, but beware of 56f0f9c and b3a6bbc

@solsson solsson mentioned this pull request Aug 3, 2017
Merged
@solsson
Copy link
Contributor Author

solsson commented Aug 3, 2017

Without serviceAccountName: kafka kubectl tries system:serviceaccount:kafka:default so maybe we should name the ServiceAccount default so RBAC can be setup without affecting the kafka manifest.

This was referenced Aug 3, 2017
Closed
Merged
@solsson
Copy link
Contributor Author

solsson commented Aug 5, 2017

With #59 RBAC has no effect on core manifests, and works in-container with curl.

@solsson solsson closed this Aug 5, 2017
solsson added a commit that referenced this pull request Jan 8, 2018
@solsson
Sets other useful labels, for #78 and #56
f76e192
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@solsson