
`kctrl`: Use the kubeconfig on host while using the `dev` command by default

Open 100mik opened this issue 2 years ago • 3 comments

Describe the problem/challenge you have

As of today, we use the service account specified in the PackageInstall while creating resources created as a result of the installation. This means users have to create service accounts to be able to use `dev`. Alternatively, we could create the service account for the user if not present as well.

Describe the solution you'd like

Using a specified service account is useful when we are trying to figure out if a service account has the minimum required set of permissions available. We can still enable users to do this by using a `--service-account` flag. Or, considering that multiple PackageInstalls might be in play, these could be supplied via annotations.

Tasks

  • [x] Add flag to accept `--use-sa-from-kube-cofig`, defaulted to false. In this case use the SA from the PackageInstall and error if the SA is not present.
  • [x] When the flag is true, use the SA from kubeconfig.
  • [ ] Test that the correct SA is being used (positive and negative)
  • [ ] Documentation update

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help work on this issue.

100mik • Oct 04 '22 08:10

We just hit this issue, where we're using `kctrl dev` to install our apps in an imperative way, and since we're using the kubeconfig we have on our system to do the installation, we would expect it to use the SA associated with that kubeconfig and not need us to provide an SA. Currently it's failing with `Preparing kapp: Expected service account or cluster specified`, which seems to be some kapp internal validation.

jorgemoralespou • Nov 07 '23 10:11

cc/ @grahamdumpleton

jorgemoralespou • Nov 07 '23 10:11

As well as being able to use a local `.kube/config` file, it would also be useful if `kctrl dev` could use the in-cluster config available when run inside of a container deployed to a Kubernetes cluster. IOW, /var/run/secrets/kubernetes.io. This would make it easier to use it as part of a custom operator or other application deployed in a cluster, where it would be restricted by the RBAC of the service account associated with the pod. The ability to use in-cluster config should be something that is accessible if using kapp-controller as a Go package embedded in a custom operator.

GrahamDumpleton • Nov 07 '23 11:11
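
The behaviour in the task list (flag off: use the PackageInstall's service account and error if it is absent; flag on: use the kubeconfig) combined with the in-cluster fallback requested in the last comment, as an added Go sketch that is not kctrl or kapp-controller code. The `Env` type, `Resolve`, the source labels and the kubeconfig-before-in-cluster ordering are assumptions; the `token` file and `KUBERNETES_SERVICE_HOST` are the standard pod service account mount and environment variable.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Env holds the inputs so the decision can be exercised without a cluster.
type Env struct {
	UseKubeconfig bool   // models the flag from the task list (default false)
	PkgiSA        string // service account named in the PackageInstall
	Kubeconfig    string // $KUBECONFIG: empty, one path, or a path list
	Home          string // home directory, for .kube/config
	SADir         string // pod mount holding the service account token
	APIHost       string // $KUBERNETES_SERVICE_HOST, set inside a pod
}

func isFile(p string) bool {
	st, err := os.Stat(p)
	return err == nil && !st.IsDir()
}

// Resolve reports which identity is used; kubeconfig-before-in-cluster is assumed.
func Resolve(e Env) (source, detail string, err error) {
	if !e.UseKubeconfig {
		if e.PkgiSA == "" {
			return "", "", fmt.Errorf("PackageInstall names no service account")
		}
		return "packageinstall-sa", e.PkgiSA, nil
	}
	paths := filepath.SplitList(e.Kubeconfig)
	if e.Home != "" {
		paths = append(paths, filepath.Join(e.Home, ".kube", "config"))
	}
	for _, p := range paths {
		if isFile(p) {
			return "kubeconfig", p, nil
		}
	}
	if t := filepath.Join(e.SADir, "token"); e.APIHost != "" && e.SADir != "" && isFile(t) {
		return "in-cluster", t, nil
	}
	return "", "", fmt.Errorf("no kubeconfig or in-cluster credentials found")
}

func main() {
	fmt.Println(Resolve(Env{UseKubeconfig: true, Kubeconfig: os.Getenv("KUBECONFIG"), Home: os.Getenv("HOME"),
		APIHost: os.Getenv("KUBERNETES_SERVICE_HOST"), SADir: "/var/run/secrets/kubernetes.io/serviceaccount"}))
}
```

Printing the resolved source before any apply makes it visible whose RBAC governs the run: the PackageInstall's service account, the operator's kubeconfig user, or the pod's own service account.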