Add podman kube apply command #15091
Conversation
openshift-ci
bot
added
the
do-not-merge/release-note-label-needed
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: umohnani8 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@rhatdan @vrothberg @mheon PTAL Added the "no new tests needed" as there is no good way to test this, we will need spin up a cluster every time for this. There is no major change in binary size and we are not vendoring in anything new, just using the endpoints with http requests. |
openshift-ci
bot
added
release-note
and removed
do-not-merge/release-note-label-needed
|
Any idea why the binary size for podman-remote is going up so much? |
|
Could |
|
I fear that's it. We did a lot to disentangle Podman and K8S earlier, but this is probably going to drag a lot of those deps back in. |
|
Okay, I moved most of the code to |
|
I think this functionality deserves a dedicated command. It's similar to In symmetry to |
|
I am fine with a new command now that we have the podman kube command. I don't fully understand how this is supposed to work. |
I imagine that we can generate a YAML via |
|
So the initial plan was I am fine with doing a separate kube command for this, but do we want to leave the flags for generate kube so users can still generate and deploy with one command? |
|
When you say Deploy are you talking about to OpenSHift or to a Kubernetes cluster? |
|
You can deploy to either as long as you have a kubeconfig. We are using the k8s API endpoints underneath. |
|
I think this should definitely be a separate command then. podman generate kube CONTAINER new.Yaml |
|
I would be OK with a |
|
Sorry for the wall of text. I found it worth elaborating on this design decision to keep the doors for future features open.
I am against a Maybe users want to login to a cluster only once, so we may need a
I wouldn't like to directly deploy a workload to a cluster without having inspected or even tested it (as it would with
But we do not reduce the feature to one use case only that can otherwise be piped, for instance, What about deploying existing files? I had to run Another potentital use case, could be a git-ops kind of workflow. I generate the YAML once, drop it to my repository and the fleet will take the YAML as is to deploy it. Regarding testing: We need some testing somewhere. The feature is absolutely amazing, so it would be extremely painful to silently regress. Could we use something like |
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
umohnani8
changed the title
github-actions
bot
added
the
kind/api-change
|
This is ready for review. Will be adding tests with #15826. Let's not block this on tests. |
|
LGTM |
|
I am strictly against adding new functionality without tests. If others think differently, feel free to merge. |
umohnani8
force-pushed
the
lift
branch
2 times, most recently
from
67eb393 to
c6b2f0b
Compare
|
Added system tests for this. Updated the command to accept container/pod id/name as well. So we can directly apply a container or pod to the cluster without having to generate a yaml file and saving it first. It calls kube generate and the applies the yaml file generated from that to the cluster. |
umohnani8
force-pushed
the
lift
branch
4 times, most recently
from
c95add8 to
27aa523
Compare
umohnani8
force-pushed
the
lift
branch
3 times, most recently
from
7944b99 to
e958b01
Compare
|
nvm, I think I see the issue |
Add the abilitiy to deploy the generated kube yaml to a kubernetes cluster with the podman kube apply command. Add support to directly apply containers, pods, or volumes by passing in their names or ids to the command. Use the kubernetes API endpoints and http requests to connect to the cluster and deploy the various kubernetes object kinds. Signed-off-by: Urvashi Mohnani <[email protected]>
|
Tests are green, @containers/podman-maintainers PTAL |
Sorry the test is very hard to understand. It only checks shell completion vs usage line, it is hard to know which of the two is wrong. I am open to suggestions if you think we can/should improve the error message. |
|
The cli bits LGTM but I cannot comment on the k8s api calls. |
|
/lgtm |
| runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime) | ||
| decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder) | ||
| query := struct { | ||
| CACertFile string `schema:"caCertFile"` |
There was a problem hiding this comment.
This doesn't look right. We usually don't allow client to control reading/writing files on the host for security reasons. They're usually send over the wire in a tarball.
Do we need to expose this on the REST API at all? Couldn't we have podman and podman-remote call the same function?
We could move pkg/domain/infra/abi/apply.go into an internal package pkg/domain/infra/internal/apply.go that the infra/abi and infra/tunnel can call.
There was a problem hiding this comment.
Do we need to expose this on the REST API at all? Couldn't we have podman and podman-remote call the same function?
That is a good question. I guess it comes down to: Do we want to API callers use it, e.g. should podman-py or podman-desktop have this functionality?
We usually don't allow client to control reading/writing files on the host for security reasons.
I don't see how this is an argument? podman-remote run -v allows full access to the file system anyway.
There was a problem hiding this comment.
Do we want to API callers use it, e.g. should podman-py or podman-desktop have this functionality?
I don't see a compelling reason. I see podman kube apply more for something during development but would recommend kubectl for production use.
I don't see how this is an argument? podman-remote run -v allows full access to the file system anyway.
That's an unfortunate circumstance but shouldn't justify more unfortunate circumstances. A probably more convincing reason is that users will expect podman-remote --file foo to be evaluated on the client side not on the relative path of the server on a remote machine.
There was a problem hiding this comment.
I don't see how this is an argument? podman-remote run -v allows full access to the file system anyway.
That's an unfortunate circumstance but shouldn't justify more unfortunate circumstances. A probably more convincing reason is that users will expect podman-remote --file foo to be evaluated on the client side not on the relative path of the server on a remote machine.
Sure I agree there and it would make it more consistent with the other commands. Just saying we should not argue with security. The train is long gone, access to the podman socket allows arbitrary code execution, this is by design of how podman run works.
There was a problem hiding this comment.
You are correct to put it into context but I will always argue with security. One potentially dangerous feature should not justify making others less secure. It's possible to deny the use of "dangerous" parameters, for instance. The more there are, the harder it gets.
github-actions
bot
added
the
locked - please file new issue/PR
Add the abilitiy to deploy the generated kube yaml to a
kubernetes cluster with the podman kube apply command.
Add support to directly apply containers, pods, or volumes
by passing in their names or ids to the command.
Use the kubernetes API endpoints and http requests to connect
to the cluster and deploy the various kubernetes object kinds.
Signed-off-by: Urvashi Mohnani [email protected]
Does this PR introduce a user-facing change?