Deploy an Application: SA Kubeconfigs point to KCP

[pweil-]

Use Case: Deploy an unmodified application and make it transparently talk to the kcp apiserver

Objectives:

• [x] An unmodified controller that needs to manipulate its own CRs (e.g. Tekton) deployed to kcp "just works"
• [x] The user doesn't need to do anything to make the controller running on a pcluster know how to talk to the kcp apiserver

Details

Deploying an application to KCP should detect workloads that configure SAs and inject a kubeconfig that points them back up to kcp

Action Items:

• [x] Research: make sure we can rewrite a Deployment with custom service account logic and not fight with Kube service account controllers / kubelet.

Using "automountServiceAccountToken: false" in deployment.spec.template.spec allows us to handle what volumes should be mounted on the PODs, this way we can override the default kube-root-ca.crt or any other names

~~- [ ] kcp-dev/contrib-tmc#127

• [ ] (note from Clayton) The service account token volume projection on a local cluster is by default stripped and replaced with a secret from the logical cluster service account, possibly via a CSI driver (to accomplish rotation)~~
  • [x] sync down service accounts referenced by synced resources, possibly deconflicting names (https://github.com/kcp-dev/kcp/pull/679 && https://github.com/kcp-dev/kcp/pull/680)
  • [x] sync down service account secrets and rewrite namespace, possibly deconflicting names (https://github.com/kcp-dev/kcp/pull/679 && https://github.com/kcp-dev/kcp/pull/680)
  • [x] Make the rootCACertPublisher workspace aware (merge: https://github.com/kcp-dev/kubernetes/pull/49)
  • [x] Wire the rootCACertPublisher into KCP (merge: https://github.com/kcp-dev/kcp/pull/667)
  • [x] sync down kube-root-ca.crt ConfigMap, and deconflict name (https://github.com/kcp-dev/kcp/pull/679 && https://github.com/kcp-dev/kcp/pull/680 )
  • [x] Ensure to sync only the configmap/secret/servicetoken when referenced by a deployment. (https://github.com/kcp-dev/kcp/pull/680) ---> pushed to p4 (https://github.com/kcp-dev/contrib-tmc/issues/137)
  • [x] implement transformation of Deployments pointing to the right service account in the pcluster (related: https://github.com/kcp-dev/kcp/pull/668 https://github.com/kcp-dev/kcp/pull/670)
  • [x] wire correct apiserver URL (the advertized address of kcp, i.e. the server URL from the from_kubeconfig of the syncer) into the mounted service account by adding KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to the PodSpec
  • [x] make sure RoleBindings are not copied down to the target namespace (Exposing resources is handled by the virtual-workspace.)
  • [x] blocker: write e2e making sure it actually works https://github.com/kcp-dev/kcp/issues/917 https://github.com/kcp-dev/kcp/issues/758
  • [x] https://github.com/kcp-dev/kcp/issues/897

[imjasonh]

Concretely, the syncer should detect an object that has a PodSpec (somehow, possibly Knative-style duck types, possibly just a hardcoded list of known types), detect whether it specifies a serviceAccountName that references a SA with any ClusterRoleBindings, and inject the env var that tells the k8s client to talk to kcp's address.

Given this represents a pretty esoteric use of the multicluster system, I think we could consider punting this to prototype3. Prototype2 would then only be focused on workspaces, API evolution, and non-operator multi-cluster workloads.

[sttts]

the duck typing approach is fragile. Don't we know exactly which workload types the syncer supports? Why don't we add support for just those, i.e. having a list of json path into those type where the service account could be declared?

[imjasonh]

Don't we know exactly which workload types the syncer supports?

For now, we do (Deployment, DaemonSet, StatefulSet, that's about it I think?) -- but in the future we might have any arbitrary CRDs flowing down to pclusters to get translated into Pods etc down there, and will need the SA to be handled in our special way.

I'm fine hard-coding for now, or making it a flag, but we'll want to think about how to generalize it eventually.

Another possibility: require CRD authors to add some annotation to the type telling us where to find strings representing service accounts?

[sttts]

Which CRDs for "but in the future we might have any arbitrary CRDs flowing down to pclusters" do you have in mind? Some custom workloads?

Another possibility: require CRD authors to add some annotation to the type telling us where to find strings representing service accounts?

That sounds more feasible. We could start with those annotations. Eventually, if this become more serious and we have facets, this could be a facet onto the CRD type, e.g. SyncOptions.

[ncdc]

Do we have a concrete example for a demo for prototype 2? i.e. an app that gets deployed to a pcluster that needs to interact w/the apiserver (which then needs to be kcp, not kube)?

[imjasonh]

Do we have a concrete example for a demo for prototype 2? i.e. an app that gets deployed to a pcluster that needs to interact w/the apiserver (which then needs to be kcp, not kube)?

If a Tekton controller (a Deployment with a SA with ClusterRoles) is scheduled to a pcluster, it needs to point back up to kcp to watch for new TaskRun CRs created by users, turn them into Pods and put them back in kcp (to be scheduled to some pcluster), watch those Pods and update TaskRuns, etc. (Tekton, Knative, ArgoCD, any number of similar app-layer controllers on CRs)

In an ideal case, the Tekton controller(s) would be running totally outside of kcp and not be scheduled to pclusters at all, but since we want to support ~arbitrary similar controllers for ~arbitrary CR types we need some solution to run those in general.

An alternative is to have kcp schedule the TaskRun CRs down to pclusters where a Tekton controller is already running, pointed at its local API server, creating and watching Pods only in the local cluster. Is that how we want to solve this case? 🤔

[ncdc]

Great example. So basically any controller that works with its own CRDs is a candidate... I'm inclined to move this to prototype3 as you suggested above.

[jmprusi]

Research: make sure we can rewrite a Deployment with custom service account logic and not fight with Kube service account controllers / kubelet.

Using "automountServiceAccountToken: false" in deployment.spec.template.spec allows us to handle what volumes should be mounted on the PODs, this way we can override the default kube-root-ca.crt or any other names

[jmprusi]

related to https://github.com/kcp-dev/kcp/issues/535

[pweil-]

@jmprusi is this ready to be closed out for p3 work (p3 work merged, remaining items noted as out of scope, moved to other issues, etc)?

[jmprusi]

I'm working on cleaning some stuff, and adding some tests, but it works. Hopefully today we can merge the pr and close this issue.

[ncdc]

Moving to 0.4 to re-assess/update/close/etc.

[marun]

The code implementing this is already in the tree. I filed https://github.com/kcp-dev/kcp/issues/917 to track the test addition(s) required to verify the behavior and insure against regression.

[sttts]

We have to come back to this in v0.5.

1. there is something broken afaik
2. we have no e2e test. Before missing kind in e2e was blocking this. But we have kind now.

[sttts]

Done in v0.5. Remaining task about bounded token moved into https://github.com/kcp-dev/contrib-tmc/issues/127.