Closed s3lph closed 4 years ago
I just realized we should probably test this on a plain k8s cluster. I'm not sure whether the permissions I used will work on anything else than OpenShift.
I will test this.
On 19 June 2020 20:15:51 CEST, "Sebastian P." notifications@github.com wrote:
I just realized we should probably test this on a plain k8s cluster. I'm not sure whether the permissions I used will work on anything else than OpenShift.
Hmm, just started it with docker and this seems like it won't work on k8s. Let me check it quickly with an emptyDir
/workdir $ id
uid=65534(nobody) gid=65534(nobody)
/workdir $ mkdir .kube
mkdir: can't create directory '.kube': Permission denied
/workdir $ s -lhatr^C
/workdir $ ls -lhatr
total 8K
drwxrwxr-x 2 root root 4.0K Jun 19 19:49 .
drwxr-xr-x 1 root root 4.0K Jun 19 19:51 ..
Looks like it works on a k3d cluster I just created myself
/workdir $ ls -lhatr
total 12K
drwxrwxr-x 2 root root 4.0K Jun 19 19:49 .
drwxr-xr-x 1 root root 4.0K Jun 19 20:15 ..
/workdir $ ls -lhatr ^C
/workdir $ id
uid=65534(nobody) gid=65534(nobody)
/workdir $ ls -lhatr
total 12K
drwxrwxr-x 2 root root 4.0K Jun 19 19:49 .
drwxr-xr-x 1 root root 4.0K Jun 19 20:15 ..
/workdir $ /back8sup.sh
2020-06-19T20:16:35 INFO creating directory /mnt/back8sup/202006192016 for export
2020-06-19T20:16:35 INFO checking token and connection to cluster
{
"major": "1",
"minor": "14",
"gitVersion": "v1.14.1-k3s.4",
"gitCommit": "52f3b42401c93c36467f1fd6d294a3aba26c7def",
"gitTreeState": "clean",
"buildDate": "2019-04-15T22:13+00:00Z",
"goVersion": "go1.12.1",
"compiler": "gc",
"platform": "linux/amd64"
}2020-06-19T20:16:35 INFO parsing /etc/config.yaml
2020-06-19T20:16:35 INFO /etc/config.yaml parsed
2020-06-19T20:16:35 INFO starting with global export
2020-06-19T20:16:35 INFO starting export for all pvc
2020-06-19T20:16:36 INFO exporting persistentvolumeclaim/back8sup from namespace default into /mnt/back8sup/202006192016/default/pvc
2020-06-19T20:16:37 INFO done exporting all pvc
2020-06-19T20:16:37 INFO starting export for all pv
2020-06-19T20:16:38 INFO done exporting all pv
2020-06-19T20:16:38 INFO done with global export
2020-06-19T20:16:38 INFO starting export in namespace default
2020-06-19T20:16:39 INFO starting export for all deployment in namespace default
2020-06-19T20:16:39 INFO starting export for all cm in namespace default
2020-06-19T20:16:39 INFO exporting configmap/back8sup-config from namespace default into /mnt/back8sup/202006192016/default/cm
2020-06-19T20:16:39 INFO starting export for all secret in namespace default
2020-06-19T20:16:40 INFO exporting secret/back8sup-token-msvd9 from namespace default into /mnt/back8sup/202006192016/default/secret
2020-06-19T20:16:40 INFO exporting secret/default-token-jbjmd from namespace default into /mnt/back8sup/202006192016/default/secret
2020-06-19T20:16:40 INFO exporting secret/sh.helm.release.v1.back8sup.v1 from namespace default into /mnt/back8sup/202006192016/default/secret
2020-06-19T20:16:41 INFO done exporting all secret in namespace default
2020-06-19T20:16:41 INFO done exporting namespace default
2020-06-19T20:16:41 INFO remove backups older than 30 days
/workdir $ ls -lhatr /mnt/back8sup/
total 16K
drwxr-xr-x 1 root root 4.0K Jun 19 20:15 ..
drwxr-xr-x 6 nobody nobody 4.0K Jun 19 20:15 202006192015
drwxrwxrwx 4 root root 4.0K Jun 19 20:16 .
drwxr-xr-x 6 nobody nobody 4.0K Jun 19 20:16 202006192016
/workdir $ ls -lhatr
total 12K
drwxrwxr-x 2 root root 4.0K Jun 19 19:49 .
drwxr-xr-x 1 root root 4.0K Jun 19 20:15 ..
somehow it does not create a cache folder.
Also looks good on our helm-charts CI:
https://github.com/adfinis-sygroup/helm-charts/pull/43/checks?check_run_id=789376186
Gonna check next week on another, real environment and give feedback.
OpenShift uses an adapted permission model, where pods run as random high UIDs and GID=0. This prevents the kubectl API cache from being written to ~/.kube/cache, as the user the pod is run as doesn't have write permissions to ~ (aka /). This PR resolves this issue by creating a new /workdir directory, which is set with the proper permissions and is used as WORKDIR and HOME.
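The permission arrangement the description relies on, as an added shell example that is not code from the back8sup project or this PR: setup_workdir creates a directory with the group-0, group-writable bits the PR gives /workdir, and writable_by judges from a directory's owner, group and mode bits whether a process with a given uid and gid (for instance OpenShift's random high UID with GID 0) could write there, which is the check you would want before the image ever runs on such a cluster. The function names, the sample UID 1000650000 and the temporary paths are this example's own assumptions; chgrp to group 0 only succeeds when run as root, as it would be during an image build.

```shell
#!/bin/sh
# Added example; not code from the back8sup project or this PR.
# Function names, the sample UID 1000650000 and the paths are assumptions.

# Create a working directory the way the PR describes /workdir: group 0
# and group-writable, so a pod running as an arbitrary UID with GID=0
# can create ~/.kube/cache inside it.
setup_workdir() {
    dir=$1
    mkdir -p "$dir"
    # Only root (or a member of group 0) may hand the directory to group 0;
    # an image build runs as root, so outside of it we just warn.
    chgrp 0 "$dir" 2>/dev/null || echo "warning: could not chgrp 0 $dir" >&2
    chmod 0775 "$dir"
}

# Return 0 if a process with uid=$2 gid=$3 could write to directory $1,
# judged from owner/group/mode the way the kernel does: the owner class
# applies if the uid matches, else the group class if the gid matches,
# else the "other" class. Supplementary groups are ignored here.
writable_by() {
    dir=$1 uid=$2 gid=$3
    owner=$(stat -c '%u' "$dir") || return 2
    group=$(stat -c '%g' "$dir") || return 2
    # %a prints the octal mode without leading zeros; pad to four digits
    # (special, user, group, other) so the cut positions are fixed.
    mode=$(stat -c '%a' "$dir") || return 2
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    if [ "$uid" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2)
    elif [ "$gid" = "$group" ]; then
        bits=$(printf '%s' "$mode" | cut -c3)
    else
        bits=$(printf '%s' "$mode" | cut -c4)
    fi
    # the write bit (2) is set in the octal digits 2, 3, 6 and 7
    case $bits in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo: compare a root-style 0755 home with the 0775/group-0 workdir for
# an OpenShift-style random UID in GID 0. Run as: sh this.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/home" && chmod 0755 "$tmp/home"
    setup_workdir "$tmp/workdir"
    for d in home workdir; do
        if writable_by "$tmp/$d" 1000650000 0; then
            echo "uid 1000650000 gid 0 CAN write to $tmp/$d"
        else
            echo "uid 1000650000 gid 0 can NOT write to $tmp/$d"
        fi
    done
    rm -rf "$tmp"
fi
```

Run as root (as in a Dockerfile RUN step) the demo reports the home directory as not writable and the workdir as writable for the random UID; run as an ordinary user the chgrp is refused and both come out not writable, which is exactly the situation the original image was in.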