
Add flag that limits Kubernetes API calls to a certain namespace #399

Merged: 6 commits merged into master from namespace-scope, Jan 4, 2023

Conversation

@linki (Owner) commented Jan 5, 2022

Alternative implementation for #108

@linki linki self-assigned this Jan 5, 2022
@@ -95,32 +97,33 @@ var (
// * a logger implementing logrus.FieldLogger to send log output to
// * what specific terminator to use to imbue chaos on victim pods
// * whether to enable/disable dry-run mode
func New(client kubernetes.Interface, labels, annotations, kinds, namespaces, namespaceLabels labels.Selector, includedPodNames, excludedPodNames *regexp.Regexp, excludedWeekdays []time.Weekday, excludedTimesOfDay []util.TimePeriod, excludedDaysOfYear []time.Time, timezone *time.Location, minimumAge time.Duration, logger log.FieldLogger, dryRun bool, terminator terminator.Terminator, maxKill int, notifier notifier.Notifier) *Chaoskube {
func New(client kubernetes.Interface, labels, annotations, kinds, namespaces, namespaceLabels labels.Selector, includedPodNames, excludedPodNames *regexp.Regexp, excludedWeekdays []time.Weekday, excludedTimesOfDay []util.TimePeriod, excludedDaysOfYear []time.Time, timezone *time.Location, minimumAge time.Duration, logger log.FieldLogger, dryRun bool, terminator terminator.Terminator, maxKill int, notifier notifier.Notifier, clientNamespaceScope string) *Chaoskube {
broadcaster := record.NewBroadcaster()
broadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: client.CoreV1().Events(v1.NamespaceAll)})
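Review bot: the parameter list in the doc comment above `New` is not updated for the new `clientNamespaceScope` argument; add a bullet alongside the others, e.g. `// * which namespace to scope all API calls to (empty means all namespaces)`. In the trailing context the event sink is still built with `client.CoreV1().Events(v1.NamespaceAll)`; if the flag is meant to confine every API call to one namespace, the sink should use `clientNamespaceScope` too, otherwise the exemption for events should be stated in the flag's help text.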
@ghost commented Jan 6, 2022

I believe that you also need to use the clientNamespaceScope here, as follows

broadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: client.CoreV1().Events(clientNamespaceScope)})

@cazeaux commented May 13, 2022

Hello.

Is there any chance to merge this PR? We have used this branch to test chaoskube in a namespaced application (with OpenShift) and this is working fine.

Regards.

@desponda (Contributor) commented Jan 4, 2023

@linki what is left on this to make it merge-able?

@linki linki merged commit d9db104 into master Jan 4, 2023
@linki linki deleted the namespace-scope branch January 4, 2023 17:23
@linki (Owner, Author) commented Jan 5, 2023

This is merged and released in v0.27.0.

You can now use --client-namespace-scope=target-namespace to limit all API calls to the target-namespace namespace, allowing you to only give chaoskube permission to that namespace. The flags --namespaces and --namespace-labels kind of become obsolete in that mode.

Here are the RBAC rules that worked for me:

# global role that allows chaoskube to list and delete pods as well as create events.
# you could also use a namespaced role but you would need to redefine it in each target namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: chaoskube
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "delete"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create"]
---
# a non-global role binding in the target namespace from the chaoskube service account to the global role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chaoskube
  namespace: target-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: chaoskube
subjects:
- kind: ServiceAccount
  name: chaoskube
  namespace: chaoskube
---
# service account for chaoskube in the namespace where chaoskube runs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: chaoskube
  namespace: chaoskube

/cc @cazeaux @desponda @SleepyBrett @spapinistarkware @PunchGrey
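The least-privilege effect of the manifests above (a ClusterRole granted through a namespaced RoleBinding) can be checked offline with the following added example; it is not code from chaoskube or from this thread. The role, binding and service account names, verbs and resources are taken from the YAML above; the `can_i` evaluator itself is a simplified model of the API server's RBAC authorizer written for illustration.

```python
# Added example (not chaoskube code): a minimal offline RBAC evaluator for the
# manifests in the comment above. It models only ClusterRole + RoleBinding /
# ClusterRoleBinding with ServiceAccount subjects, which is all those manifests use.

# Constructed from the ClusterRole "chaoskube" above: list/delete pods, create events.
CLUSTER_ROLE = {
    "name": "chaoskube",
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "delete"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
    ],
}
# Constructed from the RoleBinding above: namespaced, so it grants only in target-namespace.
ROLE_BINDING = {
    "kind": "RoleBinding",
    "namespace": "target-namespace",
    "roleRef": "chaoskube",
    "subjects": [{"kind": "ServiceAccount", "name": "chaoskube", "namespace": "chaoskube"}],
}
ROLES = {CLUSTER_ROLE["name"]: CLUSTER_ROLE}
BINDINGS = [ROLE_BINDING]


def rule_allows(rule, api_group, resource, verb):
    """A single PolicyRule matches when group, resource and verb all match (or are '*')."""
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def can_i(sa_namespace, sa_name, verb, resource, namespace, bindings, roles, api_group=""):
    """True if the service account may perform verb on resource in the given namespace."""
    for b in bindings:
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s["namespace"] == sa_namespace for s in b["subjects"]):
            continue
        # A RoleBinding grants its role only inside its own namespace, even when the
        # roleRef is a ClusterRole; a ClusterRoleBinding would grant it cluster-wide.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in roles[b["roleRef"]]["rules"]):
            return True
    return False


def check(verb, resource, namespace):
    """Convenience wrapper for the chaoskube service account from the manifests above."""
    return can_i("chaoskube", "chaoskube", verb, resource, namespace, BINDINGS, ROLES)
```

Running `check("delete", "pods", "target-namespace")` returns True while the same verb in any other namespace, or any verb on secrets, returns False; swapping the binding for a constructed ClusterRoleBinding makes the pod deletion allowed cluster-wide, which is exactly what `--client-namespace-scope` lets you avoid.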
