namespace-provisioner's Issues

Deployment in k8s 1.16 fails

The provided task deploy-local fails when trying to deploy the namespace provisioner into minikube running k8s version 1.16, because the apiVersion extensions/v1beta1 used for the Deployment is not served by default in k8s 1.16.

RFC: Use a ServiceAccount rather than user-supplied .kube/config

Hi,

I was following the README file to set up the namespace provisioner in minikube. The step that required me to supply my own kube config didn't work quite as expected, since minikube hardcodes the paths to the certificates and the private key as host paths, rather than supplying them as base64-encoded '-data' fields. Additionally, I wasn't sure whether adding user account data to a service made any sense. So I found out there's something called ServiceAccount, which was made exactly for these purposes.

I modified the installation as follows:

  • Create ServiceAccount

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: namespace-provisioner

  • Create ClusterRole (way too permissive one)

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: namespace-provisioner
    rules:
      - apiGroups: ["", "batch", "extensions", "apps", "rbac.authorization.k8s.io", "networking.k8s.io"]
        resources: ["*"]
        verbs: ["*"]

  • Create ClusterRoleBinding, ServiceAccount -> ClusterRole

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      # ClusterRoleBinding is cluster-scoped, so it carries no metadata.namespace;
      # the namespace belongs on the ServiceAccount subject below
      name: namespace-provisioner
    subjects:
    - kind: ServiceAccount
      name: namespace-provisioner
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: namespace-provisioner

  • Modified the deployment as follows (added serviceAccountName)

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: namespace-provisioner-deployment
      labels:
        app: namespace-provisioner
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: namespace-provisioner
      template:
        metadata:
          labels:
            app: namespace-provisioner
        spec:
          serviceAccountName: namespace-provisioner
          containers:
          - name: namespace-provisioner
    ...

  • Used the following .kube/config, and put it into kube-config ConfigMap

    apiVersion: v1
    clusters:
    - cluster:
        # the CA bundle and token are projected into every pod by the kubelet
        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        server: https://kubernetes.default.svc
      name: default
    contexts:
    - context:
        cluster: default
        user: default
      name: default
    current-context: default
    kind: Config
    preferences: {}
    users:
    - name: default
      user:
        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token

There are two things here that could be improved. The first one is obviously the cluster role, which is way too permissive and should be restricted to what the namespace-provisioner can/should manage.

The second one is obviously the hardcoded .kube/config provided from outside, when it could be placed inside the Docker image, or not used at all, using the Kubernetes API with service accounts as intended.

Docker image size looks quite large

When looking at the Docker image created using the task docker:build, it shows a size of approx. 80 MB, although the Alpine base image's size is approx. 5 MB and the namespace-provisioner executable's size is approx. 37 MB.
When taking a detailed look at the layers of the image, it can be noticed that there are 2 layers with exactly the same size, approximately the size of the namespace-provisioner executable. Maybe there's something wrong with the Docker image creation.
