Closed jp39 closed 2 days ago
You can modify the kubeconfig file so that it uses a service account. The helm chart installs the necessary RBAC rules for the service account (https://github.com/ccremer/kubernetes-zfs-provisioner/blob/master/charts/kubernetes-zfs-provisioner/templates/rbac.yaml). I don't know the exact steps, but it should be possible, search around online a bit.
Then, you can create a script named `/usr/bin/update-permissions`, just like this one (https://github.com/ccremer/kubernetes-zfs-provisioner/blob/master/docker/update-permissions.sh), `chmod +x` it, and remove the SSH parts (and ignore the hostname). Probably something like

```bash
#!/bin/bash
# Host-local variant of update-permissions: the first argument (the hostname
# the SSH version would connect to) is ignored because this runs on the ZFS
# host itself; the second argument is the mountpoint of the new dataset.
set -eo pipefail
zfs_mountpoint="${2}"
: "${zfs_mountpoint:?mountpoint argument (\$2) is required}"
# Make the dataset writable for its group so the pod's user can write to it.
chmod g+w "${zfs_mountpoint}"
```
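One way to produce the service-account kubeconfig mentioned above, as an added example that is not code from this thread or from the kubernetes-zfs-provisioner project. The ServiceAccount name (`kubernetes-zfs-provisioner`) and namespace (`zfs-provisioner`) are assumptions for illustration; use whatever the Helm chart's RBAC templates actually created in your cluster. The point is that the resulting file carries only the token of that account, so a provisioner started on the ZFS host with it is limited to the chart's RBAC rules rather than an admin user's permissions.

```sh
#!/bin/sh
# Added example, not from the thread or the kubernetes-zfs-provisioner project:
# build a kubeconfig that authenticates as the chart's ServiceAccount, so a
# provisioner running as a daemon on the ZFS host gets only the RBAC the chart
# grants that account instead of an admin user's permissions.
# Assumed (not stated in the thread): ServiceAccount "kubernetes-zfs-provisioner"
# in namespace "zfs-provisioner"; override via arguments to fetch_and_write.
set -eu

# Render kubeconfig YAML from its parts. No cluster access, so it can be
# exercised with constructed values.
#   $1 API server URL  $2 base64 CA bundle  $3 bearer token
#   $4 namespace       $5 service account name
build_sa_kubeconfig() {
  server="$1"; ca_b64="$2"; token="$3"; ns="$4"; sa="$5"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: zfs-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${sa}
  user:
    token: ${token}
contexts:
- name: ${sa}@zfs-cluster
  context:
    cluster: zfs-cluster
    namespace: ${ns}
    user: ${sa}
current-context: ${sa}@zfs-cluster
EOF
}

# Write the file owner-readable only: the token inside is a cluster credential.
# Runs in a subshell so the umask change does not leak into the caller.
write_kubeconfig() {
  path="$1"; shift
  ( umask 077; build_sa_kubeconfig "$@" > "${path}" )
  chmod 0600 "${path}"
}

# Report the file mode as octal digits (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Fetch the real values with kubectl. Needs an admin context once; afterwards
# the provisioner uses only the generated file. "kubectl create token"
# (Kubernetes 1.24+) issues a bound, expiring token; the API server may cap the
# duration, so plan to rotate it. Not called automatically: run it by hand.
fetch_and_write() {
  ns="${1:-zfs-provisioner}"
  sa="${2:-kubernetes-zfs-provisioner}"
  out="${3:-/etc/kubernetes-zfs-provisioner/kubeconfig}"
  server=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')
  ca_b64=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  token=$(kubectl -n "${ns}" create token "${sa}" --duration=8760h)
  write_kubeconfig "${out}" "${server}" "${ca_b64}" "${token}" "${ns}" "${sa}"
  # Least-privilege check: the account should be able to do provisioner work
  # (e.g. create PersistentVolumes) but not cluster-wide admin actions.
  KUBECONFIG="${out}" kubectl auth can-i create persistentvolumes
  KUBECONFIG="${out}" kubectl auth can-i delete nodes || true   # expect "no"
}
# Usage: . ./make-sa-kubeconfig.sh && fetch_and_write zfs-provisioner kubernetes-zfs-provisioner /etc/kubernetes-zfs-provisioner/kubeconfig
```

Point `ZFS_KUBE_CONFIG_PATH` at the generated file when starting the provisioner on the host. Because `kubectl create token` returns an expiring token, re-run the script (or wrap it in a timer) before the token expires; a long-lived secret of type `kubernetes.io/service-account-token` works too, but then the credential never rotates.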
Hi @ccremer, I've managed to create a kubeconfig file for the service account. It works great.

Regarding your suggestion of adding a `/usr/bin/update-permissions` file on the ZFS host, I think it would be nicer if we could just run `kubernetes-zfs-provisioner` as a standalone daemon on the host without having to install any extra dependency on it. Would you be open to adding the possibility to control this using an environment variable?
🎉
Sure, that'll work, but I guess setting permission over SSH should remain the default, to avoid a breaking change. If we're going that way, I think it makes sense to release the provisioner also as a deb package. Goreleaser Example here: https://github.com/ccremer/fronius-exporter/blob/master/.goreleaser.yml#L67
As in issue #85, my ZFS host is part of the cluster as a worker node. I'm not a real fan of using SSH from the provisioner container to run commands on the ZFS host and I'd much prefer running the provisioner as a daemon directly on the ZFS host.
So far I've been able to make it work by running `kubernetes-zfs-provisioner` directly on the ZFS host with the `ZFS_KUBE_CONFIG_PATH` environment variable pointing to my "admin" kubeconfig. Obviously this is not ideal, because the "admin" user's permissions are too open for what the provisioner has to do. What would be the right thing to do instead here?

It also required this tiny change:

The change is quite simple, but it does break the "normal" use case, though. I'm not sure how we could make it more generic.