877 allow controller to use token #885
Conversation
This reverts commit 6ed2ef2.
There was a problem hiding this comment.
Thank you for the patch! The approach looks good to me, I've just made a couple of minor comments. After that we will need a bit of documentation in docs/function-controller-configuration.md to tell users how to use the new env var.
Also, to fix the tests please rebase the current status of master.
pkg/utils/k8sutil.go
Outdated
| @@ -136,10 +140,14 @@ func GetAPIExtensionsClientInCluster() clientsetAPIExtensions.Interface { | |||
|
|
|||
| // GetFunctionClientInCluster returns function clientset to the request from inside of cluster | |||
| func GetFunctionClientInCluster() (versioned.Interface, error) { | |||
| config, err := rest.InClusterConfig() | |||
| config, err := GetOverriddenClientConfig() | |||
| if err != nil { | |||
There was a problem hiding this comment.
the error could be related to something else, it's better to avoid having to retrieve the config twice. In fact if KUBELESS_TOKEN_FILE_PATH is not set you are already returning the result of rest.InClusterConfig() so you don't need this if block.
pkg/utils/kubelessutil.go
Outdated
| @@ -760,6 +762,23 @@ func GetOwnerReference(kind, apiVersion, name string, uid types.UID) ([]metav1.O | |||
| }, nil | |||
| } | |||
|
|
|||
| // GetControllerRestClientConfig returns necessary Config object to authenticate k8s clients if env variable is set | |||
| func GetOverriddenClientConfig() (*rest.Config, error) { | |||
There was a problem hiding this comment.
I'd call this GetInClusterConfig so you don't need to know about what are you overriding.
Now Gopkg.toml is used instead
* Remove description for CRDs * Update docs * Adapt kafka manifest
…dundant error handler for getting config
This reverts commit 6ed2ef2.
…dundant error handler for getting config
…g/kubeless into 877-allow-controller-to-use-token
|
@andresmgot thanks for the quick feedback! I've addressed your comments and added some docs about using the environmental variable--lmk what you think |
Issue Ref: Fixes #877
Description:
I am deploying kubeless-function-controller to a non-rbac k8s cluster using webhooks for auth/z. My authz policies reject any non-whitelisted serviceaccounts, and I cannot whitelist the controller-acct serviceaccount nor can I use an existing, whitelisted serviceaccount.
This PR allows you to supply a bearer token for the Kubeless Function Controller to use for k8s operations instead of using a k8s service account. Do so by setting the environmental variable
KUBELESS_TOKEN_FILE_PATHto the filepath where a file containing the bearer token will be mounted.Notably, this does not manage OAuth refresh workflows. In my use case, the mechanism I use to procure tokens and configure kubeless is responsible to managing token lifespans.
TODOs: