ccremer / kubernetes-zfs-provisioner

Dynamic ZFS persistent volume provisioner for Kubernetes
Apache License 2.0
74 stars 7 forks

Ability to run the provisioner on the ZFS host. #130

Closed jp39 closed 2 days ago

jp39 commented 1 month ago

As in issue #85, my ZFS host is part of the cluster as a worker node. I'm not a real fan of using SSH from the provisioner container to run commands on the ZFS host and I'd much prefer running the provisioner as a daemon directly on the ZFS host.

So far I've been able to make it work by running kubernetes-zfs-provisioner directly on the ZFS host with the ZFS_KUBE_CONFIG_PATH environment variable pointing to my "admin" kubeconfig.

Obviously this is not ideal because the "admin" user permissions are too open for what the provisioner has to do. What would be the right thing to do instead here?

It also required this tiny change:

diff --git a/pkg/zfs/zfs.go b/pkg/zfs/zfs.go
index 015fa16d78db..cc3196bc3269 100644
--- a/pkg/zfs/zfs.go
+++ b/pkg/zfs/zfs.go
@@ -114,7 +114,7 @@ func (z *zfsImpl) SetPermissions(dataset *Dataset) error {
    if dataset.Mountpoint == "" {
        return fmt.Errorf("undefined mountpoint for dataset: %s", dataset.Name)
    }
-   cmd := exec.Command("update-permissions", dataset.Hostname, dataset.Mountpoint)
+   cmd := exec.Command("chmod", "g+w", dataset.Mountpoint)
    out, err := cmd.CombinedOutput()
    if err != nil {
        return fmt.Errorf("could not update permissions on '%s': %w: %s", dataset.Hostname, err, out)
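Review bot: the error message on the last context line still reports dataset.Hostname, but after this change the command no longer involves a host at all, so a failure here is about the local path; report dataset.Mountpoint instead, e.g. `return fmt.Errorf("could not update permissions on '%s': %w: %s", dataset.Mountpoint, err, out)`. The replaced line also drops the update-permissions helper unconditionally, which, as the comment below acknowledges, breaks the existing SSH use-case; putting the chmod path behind a configuration switch with the current helper as the default would keep the change from being a regression.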

The change is quite simple, but it does break the "normal" use-case. I'm not sure how we could make it more generic.

ccremer commented 1 month ago

You can modify the kubeconfig file so that it uses a service account. The helm chart installs the necessary RBAC rules for the service account (https://github.com/ccremer/kubernetes-zfs-provisioner/blob/master/charts/kubernetes-zfs-provisioner/templates/rbac.yaml). I don't know the exact steps, but it should be possible, search around online a bit.

Then, you can create a script named /usr/bin/update-permissions, just like this (https://github.com/ccremer/kubernetes-zfs-provisioner/blob/master/docker/update-permissions.sh), chmod +x it, and remove the SSH parts (and ignore the hostname). Probably something like

#!/bin/bash

set -eo pipefail

# Called as: update-permissions <hostname> <mountpoint>
# $1 (hostname) is ignored here: the provisioner runs on the ZFS host itself,
# so there is no SSH hop and the mountpoint is a local path.
zfs_mountpoint="${2}"

chmod g+w "${zfs_mountpoint}"

jp39 commented 1 month ago

Hi @ccremer, I've managed to create a kubeconfig file for the service account. It works great.

Regarding your suggestion of adding an /usr/bin/update-permissions file on the ZFS host, I think it would be nicer if we could just run kubernetes-zfs-provisioner as a standalone daemon on the host without having to install any extra dependency on it. Would you be open to adding the possibility to control this using an environment variable?

ccremer commented 1 month ago

🎉

Sure, that'll work, but I guess setting permissions over SSH should remain the default, to avoid a breaking change. If we're going that way, I think it makes sense to release the provisioner also as a deb package. Goreleaser example here: https://github.com/ccremer/fronius-exporter/blob/master/.goreleaser.yml#L67
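One way the switch discussed above could look, as an added sketch that is not the project's code: an environment variable selects between the existing update-permissions helper (the default, so nothing breaks) and a direct chmod for the on-host daemon, and the command line is built separately from executing it so the choice is testable. The variable name ZFS_PERMISSIONS_MODE, the mode values and the path check are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// PermissionMode selects how the dataset mountpoint is made group-writable.
type PermissionMode string
const (
	ModeSSH    PermissionMode = "ssh"   // existing update-permissions helper; stays the default
	ModeLocal  PermissionMode = "local" // provisioner runs on the ZFS host, chmod directly
	modeEnvVar                = "ZFS_PERMISSIONS_MODE" // hypothetical name, not defined by the project
)
// ModeFromEnv defaults to ssh (no breaking change) and rejects unknown values outright.
func ModeFromEnv(lookup func(string) (string, bool)) (PermissionMode, error) {
	v, ok := lookup(modeEnvVar)
	if !ok || v == "" {
		return ModeSSH, nil
	}
	if m := PermissionMode(v); m == ModeSSH || m == ModeLocal {
		return m, nil
	}
	return "", fmt.Errorf("invalid %s=%q (want ssh or local)", modeEnvVar, v)
}

// PermissionArgv builds the command without running it, so the choice is unit-testable.
// Local mode runs as root on the host, so only an absolute, already-clean mountpoint is accepted.
func PermissionArgv(mode PermissionMode, hostname, mountpoint string) ([]string, error) {
	switch mode {
	case ModeSSH: // the empty-mountpoint check stays in the caller, as in the original
		return []string{"update-permissions", hostname, mountpoint}, nil
	case ModeLocal:
		if !filepath.IsAbs(mountpoint) || filepath.Clean(mountpoint) != mountpoint {
			return nil, fmt.Errorf("refusing non-canonical mountpoint %q", mountpoint)
		}
		return []string{"chmod", "g+w", mountpoint}, nil
	}
	return nil, fmt.Errorf("unsupported permission mode %q", mode)
}

func main() { // the argv returned above is what SetPermissions would hand to exec.Command
	mode, err := ModeFromEnv(os.LookupEnv)
	if err != nil {
		panic(err)
	}
	fmt.Println("permission mode:", mode)
}
```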