programming-kubernetes / suggestions Goto Github PK

Excuse me, I know this question has nothing to do with this project, but I can't find any clues.

This is something that I spent some time trying to understand, and I think it can help others, particularly people who are implementing an authorizer, either as part of their custom API server or as a Webhook of kube-apiserver.

Basically, what was a surprise to me is that there's an extra state other than the boolean-style Allow/Deny, namely NoOpinion.
And this is very important to understand that other than AlwaysAllow authorizer, (I believe) all other authorizers, including Node and RBAC emit NoOpinion by default - well, there's no way to model Deny in RBAC, is there? -. And so should a Webhook, as a best-practice, I think.
Last but not least, it should be noted that if all authorizers emit NoOpinion, the API server will deny the request. I'm sure this is obvious to the authors, but this is implemented as part of the apiserver Go library.

The default value for kube-apiserver --authorizer-mode is Always Allow and not RBAC as implicitly mentioned on page 32, as part of the description of WithAuthorization().

kubeadm does enforce RBAC.

Minor suggestion.

Page 39, example code.
I believe expansion of ~ to $HOME must be handled manually, either with os.ExpandEnv($HOME/.kube/config) or as described here

Albeit the code is just an example and serves for easy reading, a beginner will run into just that type of issue.

I just picked up your book, enjoying it so far, very informative. I'm on page 39 and attempting to run the little block of code as written:

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)

func main() {
	kubeconfig := flag.String("kubeconfig", "~/.kube/config", "kubeconfig file")
	flag.Parse()
	config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
	clientset, err := kubernetes.NewForConfig(config)
	pod, err := clientset.CoreV1().Pods("default").Get("example", metav1.GetOptions{})
}

Running go build will result in the following:

go build -o ./bin/kube-client ./cmd/kubeclient/main.go
# k8s.io/client-go/rest
../../../pkg/mod/k8s.io/client-go@v11.0.0+incompatible/rest/request.go:598:31: not enough arguments in call to watch.NewStreamWatcher
	have (*versioned.Decoder)
	want (watch.Decoder, watch.Reporter)

It looks like it relates to this issue:
kubernetes/apimachinery#63

It seems like there isn't a standard for how to use code-generator scripts in a gomodules based project yet, documenting some path would be useful as that gains traction.

Hi,
I'm just started going through "Programming Kubernetes" book in Oreily. Can you add Build and delployment guide/steps in READMD.md files.

The AtList sample does not compile. Can you explain how this should work? I fixed up the imports and package names as below but I am getting the following error

dlan@dlan-XPS-13:~/repos/kube/genesys/cnat-client$ go build
# dlan/cnat-client
./main.go:18:14: undefined: client.NewScheme
./main.go:25:55: cannot use client.InNamespace("default") (type client.InNamespace) as type runtime.Object in argument to cl.List:
	client.InNamespace does not implement runtime.Object (missing DeepCopyObject method)
./main.go:25:55: cannot use list (type *v1alpha1.AtList) as type client.ListOption in argument to cl.List:
	*v1alpha1.AtList does not implement client.ListOption (missing ApplyToList method)

Here's the code

package main

import (
	"context"
	"flag"

	"k8s.io/client-go/tools/clientcmd"

	cnatv1alpha1 "github.com/programming-kubernetes/cnat/cnat-kubebuilder/pkg/apis/cnat/v1alpha1"
	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"
)

func main() {
	kubeconfig := flag.String("kubeconfig", "~/.kube/config", "kubeconfig file")
	flag.Parse()
	config, _ := clientcmd.BuildConfigFromFlags("", *kubeconfig)

	crScheme := runtimeclient.NewScheme()
	cnatv1alpha1.AddToScheme(crScheme)

	cl, _ := runtimeclient.New(config, runtimeclient.Options{
		Scheme: crScheme,
	})
	list := &cnatv1alpha1.AtList{}
	_ = cl.List(context.TODO(), runtimeclient.InNamespace("default"), list)
}