
Run kopf Admission Controller without authenticating with API server

Open psontag opened this issue 2 years ago • 2 comments

Keywords

Admission Controller, Authentication

Problem

Summary

I would like to use kopf as an Admission Controller. Currently it looks like kopf always wants to authenticate with the Kubernetes API server even if it should not be required for the configured admission handlers.

Example

import kopf

# Validating admission handler for Pods: it only appends a warning to the
# admission response and never talks to the Kubernetes API itself.
@kopf.on.validate("pods")
def say_hello(warnings: list[str], **_):
    warnings.append("Verified with the operator's hook.")

@kopf.on.startup()
def configure(settings: kopf.OperatorSettings, **_) -> None:
    # Serve the webhook directly from the operator process.
    settings.admission.server = kopf.WebhookServer()
    # Disable event posting since we don't want to authenticate with Kubernetes
    settings.posting.enabled = False

Running this without a valid kubeconfig file fails with:

  File "/Users/user/.pyenv/versions/3.10.1/envs/venv/lib/python3.10/site-packages/kopf/_cogs/structs/credentials.py", line 207, in select
    raise LoginError("Ran out of valid credentials. Consider installing "
kopf._cogs.structs.credentials.LoginError: Ran out of valid credentials. Consider installing an API client library or adding a login handler. See more: https://kopf.readthedocs.io/en/stable/authentication/

The issue seems to be that kopf always starts the authentication tasks even if they are not needed: https://github.com/nolar/kopf/blob/7b4569024b5a9382195bd0ba76ffb164c2c41bbd/kopf/_core/reactor/running.py#L251

Question

Would it easily be possible to make this optional? Are there any other tasks that are also started and require Kubernetes API access?

psontag, Aug 05 '22 10:08

Thanks for asking. This default behavior (requiring the credentials) is for Kopf to work "out of the box" for its main purpose — the operator framework.

I first thought that you can override the credentials (in @on.login()) with some fake records that are never used.

But on second thought, Kopf will try to scan the resources available anyway — just to know what "pods" means specifically. I am not sure it will be easy to remove that logic. I will take a look.

nolar, Aug 06 '22 07:08

Hey @nolar, did you have a chance to look into this already?

psontag, Nov 18 '22 14:11