Kubernetes transport #205
Kubernetes transport #205
Conversation
This uses kubectl exec internally. Windows pods are not supported at this time, mostly because I have no way to test them. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
coderanger
force-pushed
the
kubernetes
branch
from
8cd24d7 to
6f7ef7a
Compare
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
|
Thanks for the contribution, @coderanger! We're discussing this one internally in relation to some other kubernetes work we've been discussing. Hopefully we'll have more feedback for you next week. |
There was a problem hiding this comment.
@coderanger Thank you very much for this huge improvement. We always wanted to add k8s as native supported transport, therefore this is a great step into the right direction. I left some comments to better understand your design.
| @@ -40,6 +40,16 @@ matrix: | |||
| - rvm: 2.4.1 | |||
| script: bundle exec rake $SUITE | |||
| env: SUITE="test:docker config=test-travis-ubuntu.yml" | |||
| - rvm: 2.4.1 | |||
There was a problem hiding this comment.
Nice to have the integration tests included. That is great!
| @@ -0,0 +1,152 @@ | |||
| # encoding: utf-8 | |||
There was a problem hiding this comment.
Can we move that file to test/integration/k8s/test.rb?
There was a problem hiding this comment.
Sure, this was used to match with the existing Docker tests.
| @@ -0,0 +1,152 @@ | |||
| # encoding: utf-8 | |||
| # | |||
| # Copyright 2017, Noah Kantrowitz | |||
There was a problem hiding this comment.
Please change that to Author.
| @@ -31,7 +31,7 @@ def root_group(os) | |||
| end | |||
|
|
|||
| def selinux_label(backend, path = nil) | |||
| return nil if backend.class.to_s =~ /docker/i | |||
| return nil if backend.class.to_s =~ /docker|kubernetes/i | |||
There was a problem hiding this comment.
We are preparing inspec/inspec#1661 in Train and InSpec. kubernetes will become a platform in train. At this point, we are adding a k8s transport for the execution inside of containers only. We think k8s-exec is a better name for this specific implementation.
There was a problem hiding this comment.
I don't understand, that PR says "platform" would be things like RedHat or Ubuntu, in which case Kubernetes will not be a platform. The OS image used in the underlying container would be the platform, just like with Docker.
| end | ||
|
|
||
| def run_command(cmd) | ||
| kubectl_cmd = [options[:kubectl_path], 'exec'] |
There was a problem hiding this comment.
This implementation relies on shelling out to kubectl rather than using the API directly. This limits the usage and decreases the usability of train/inspec. Is there any reason why you decided against using https://github.com/abonas/kubeclient directly?
There was a problem hiding this comment.
A couple of reasons:
- Stability, the APIs change a lot and kubectl/client-go will always be the first class citizen in the ecosystem.
- Performance, Ruby network perf is not great and because we're using it as the file transport system too it would be annoying.
- Support, Kubeclient (and pretty much all other client libs) don't actually implement the
execAPI. Most libraries just do the REST API, which here wouldn't actually help with anything. TheexecAPI is weirdly undocumented but it initiates over an HTTP POST and then upgrades to SPDY (which will be replaced with websockets soon). Implementing a client for this in Ruby would be very annoying.
| @@ -0,0 +1,72 @@ | |||
| # encoding: utf-8 | |||
| # | |||
| # Copyright 2017, Noah Kantrowitz | |||
There was a problem hiding this comment.
Please change to author
There was a problem hiding this comment.
Copyright is correct as I remain the owner of this code. Unless you're requesting I assign copyright to Chef Software, which would be unusual?
| @@ -76,7 +72,11 @@ | |||
|
|
|||
| it 'has selinux label handling' do | |||
| res = Test.selinux_label(backend, file.path) | |||
| file.selinux_label.must_equal(res) | |||
| if res.nil? | |||
There was a problem hiding this comment.
Why do you expect that is a result from a method is nil, that this is okay?
There was a problem hiding this comment.
As noted above, you already returned nil here during the Docker tests, and I extended that to also return nil on Kubernetes tests. You weren't actually handling that in most of the tests so I fixed that while making the Kubernetes tests pass.
* Add cache connection to train * Update caching to be on BaseConnection * Refactor tests and cleanup logic * Move caching into base_connection and privatize connection calls * Update mock transport to use base caching. * Add author tag and caching comments. * Added exception for invalid cache type and small logic refactor. Signed-off-by: Jared Quick <jquick@chef.io>
|
How would this connect to openShift as well? Would we want a individual openshift or oc:// transport or would it be a "type" of k8r transport do you think? |
|
@aaronlippold as OC still uses the same k8s API server, it think it would be ok to use the same transport that k8s uses. Maybe in inspec we could alias k8s transport to oc. |
|
I agree with @frezbo here, we should keep it to plain k8s. I also do not recommend to use an alias since this may confuses the community. The confusion may come from the fact that this implementation uses kubectl. I would like to avoid that and instead talk to the k8s api directly. Then we are talking about API compatible solutions not binary compatible solutions |
|
+1 on the usage of API. I hope we use this: https://github.com/kubernetes-client/ruby seems there are a lot of k8s ruby API's |
|
That is a great reference @frezbo I missed that we have near official clients for ruby now |
|
No, it's not a great a reference, that's an abandoned project from 8 months ago. And it doesn't expose the pod execution API because almost no clients do. I explained why I used |
|
That's sad. I really hope all other API's gets the same love as go-client. |
|
Maybe in a long long time when the API stabilizes more fully. Until then, that seems highly unlikely. |
|
As for the original question, the |
|
So, I thought I'd chime in here. This PR is about creating a Kubernetes transport to talk to a running container within a pod, which is absolutely a great idea, and very much wanted. The behavior is very well specified through integration tests. It was submitted prior to our efforts to make Train plugins more practical; today we'd shuffle this into a plugin, in a separate repo with its own lifecycle and distributed as an independent gem. Regarding implementation. From my perspective, we have two concerns:
Thoughts? |
|
We will one day get around to adding a kubernetes transport; it will likely be a separate plugin, however, and may be "chimeric" (internally using multiple means to answer questions - perhaps both kubectl and some ruby api (a cursory glance indicates that https://github.com/kubernetes-client/ruby appears to be active as of right now)). This is excellent work, and when a kube plugin is started in earnest, we'll certainly refer to this (with attribution and copyright if we're outright copying). For now though, this PR isn't likely to ever be merged into train (and train has 18 months of growth since this was last touched) so, I'm going to close this. It's linked from the issue, so it won't get misplaced. |
|
https://github.com/bgeesaman/inspec-k8s which relies on https://github.com/bgeesaman/train-kubernetes was recently released. |
Includes a test harness using the same tests as for Docker.