You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When the Flux/VSCode extension reaches out to remote clusters, it should use a stateful connection and batch requests. I am unsure if this can be done with the Kubernetes API directly, because of the common nature of Kubernetes APIs which always have a self-signed certificate.
This is a hard one to solve. It results in performance issues (#407), security issues (this fork and exec danger has been there, at the site of every CVE we have published so far), and generally would be a good idea to solve this in a cross-cutting way.
Actual behaviour
The kubectl and flux binaries are always used through fork and exec.
We could hit the Kubernetes API instead, if we were able to reach it from inside of the sandbox, but we cannot do that because of the linked issue above (self-signed certificates cannot be used for connections inside of the sandbox, unless they have been added to the certificate trust in the sandbox.)
Steps to reproduce
N/A
Versions
VSCode version: 0.23.1 and earlier
The text was updated successfully, but these errors were encountered:
Expected behaviour
When the Flux/VSCode extension reaches out to remote clusters, it should use a stateful connection and batch requests. I am unsure if this can be done with the Kubernetes API directly, because of the common nature of Kubernetes APIs which always have a self-signed certificate.
This means that we cannot connect with a client like
https://github.com/kubernetes-client/javascript or https://www.npmjs.com/package/@kubernetes/client-node
which has a facet that accepts a certificate-authority-data in the kubeconfig, since in the sandbox you cannot have any custom certificate data, you are sandboxed.
This is a hard one to solve. It results in performance issues (#407), security issues (this fork and exec danger has been there, at the site of every CVE we have published so far), and generally would be a good idea to solve this in a cross-cutting way.
Actual behaviour
The
kubectlandfluxbinaries are always used through fork and exec.We could hit the Kubernetes API instead, if we were able to reach it from inside of the sandbox, but we cannot do that because of the linked issue above (self-signed certificates cannot be used for connections inside of the sandbox, unless they have been added to the certificate trust in the sandbox.)
Steps to reproduce
N/A
Versions
VSCode version: 0.23.1 and earlier
The text was updated successfully, but these errors were encountered: