Allow Running Trace Pods Against Containers In a Different Namespace #147
Comments
|
I'm curious if people have a different solution to the problem. Also I'm not dead set on the name of the Any feedback would be greatly appreciated. |
|
HI @seanmalloy - thanks for opening this. Did you try to use the |
Yes, I believe |
|
Ah sorry I didn't understand the use case, what you actually want to do is a separation of the two! |
|
@fntlnz thanks for confirming. I'm interested in contributing this feature, but I can't start working on it right away. I'm hoping to start working on it by the end of 2020. I'll comment here again when I actually start working on it for real. Thanks! |
|
Heya! What you describe above with In our case, we want to be able to have a one-time setup of a single namespace to run all traces within a given cluster. This way if you are using something like workload identity, you only have to create the service account binding once. This goes pretty naturally with the work we are doing on #85 internally, as we would like to have this be a one-time operation when the operator is installed. I definitely see the use case for privilege separation, but there are other benefits too:
|
|
I haven't had time to start working on this. If someone else wants to submit a PR to add this feature then go for it. |
|
Looking at the code, it actually does look like the existing flag for https://github.com/iovisor/kubectl-trace/blob/master/pkg/tracejob/job.go#L208 So I think the feature request here is actually for how the selector for the trace itself should work (what pod to trace). Regardless, we'll look into clarifying this. @zqureshi has been doing some work on selector syntax for workloads. EDIT: so for now, it looks like both are the same Line 308 in bb25231 |
This adds support for generic tracers, fixing #125 The new "--tracer" flag allows specifying arbitrary generic tracers. The bcc suite of tools is added to take advantage of this, as well as a "fake" tracer for integration testing this functionality, fixing #112 The primary original author of this functionality was Zeeshan Qureshi. In order to pull this change in, it was necessary to also pull in functionality that refactored how trace job targets are specified. This introduces a new flag which allows specifying the target namespace separately from the namespace where the trace is created, which fixes #147. This functionality was co-authored with Aaron Olson. Co-authored-by: Aaron Olson <[email protected]> Co-authored-by: Zeeshan Qureshi <[email protected]>
This adds support for generic tracers, fixing #125 The new "--tracer" flag allows specifying arbitrary generic tracers. The bcc suite of tools is added to take advantage of this, as well as a "fake" tracer for integration testing this functionality, fixing #112 The primary original author of this functionality was Zeeshan Qureshi. In order to pull this change in, it was necessary to also pull in functionality that refactored how trace job targets are specified. This introduces a new flag which allows specifying the target namespace separately from the namespace where the trace is created, which fixes #147. This functionality was co-authored with Aaron Olson. Co-authored-by: Aaron Olson <[email protected]> Co-authored-by: Zeeshan Qureshi <[email protected]>
This adds support for generic tracers, fixing #125 The new "--tracer" flag allows specifying arbitrary generic tracers. The bcc suite of tools is added to take advantage of this, as well as a "fake" tracer for integration testing this functionality, fixing #112 The primary original author of this functionality was Zeeshan Qureshi. In order to pull this change in, it was necessary to also pull in functionality that refactored how trace job targets are specified. This introduces a new flag which allows specifying the target namespace separately from the namespace where the trace is created, which fixes #147. This functionality was co-authored with Aaron Olson. Co-authored-by: Aaron Olson <[email protected]> Co-authored-by: Zeeshan Qureshi <[email protected]>
As a cluster administrator I would like to be able to trace application pods in end user(tenant) namespaces, but I do not want to allow end users(tenants) to run privileged pods in their namespace.
For example as a cluster administrator I want to be able to run the below command, but I do not want any service account in the myapp namespace to be able to run privileged pods. Running the below command requires that the default service account in the myapp namespace is allowed to run privileged containers.
Instead I want kubectl-trace to create a trace pod in a namespace that only cluster administrators have access to, but be able to specify a "pod to trace" in an end user(tenant) namespace.
One possible option would be to add a new CLI option
--trace-job-namesapce. In this example a trace would be run against the pod router-default-7467bc9b7c-9db7s in the myapp namespace, but the trace pod/job would be running in the tracejobs namespace.This feature would be use for k8s clusters running in environments where strict audit requirements must be adhered to. For example running in a cluster with pod security policies enabled, or an OpenShift cluster with uses security context constraints.
The text was updated successfully, but these errors were encountered: