kptdev / kpt

Automate Kubernetes Configuration Editing
https://kpt.dev
Apache License 2.0

Support enabling network access when using `kpt fn run --image` #334

Closed dflemstr closed 4 years ago

dflemstr commented 4 years ago

Since there is no place to declare function behavior in this situation, I would suggest supporting a command-line flag for enabling access.

Maybe we could trust --network ultimately in case --image is already set?

pwittrock commented 4 years ago

@phanimarupaka I think this may already be supported, would you confirm?

phanimarupaka commented 4 years ago

@dflemstr This feature is already supported in kpt. You can find the usage by running `kpt fn run -h` and scrolling through the flags section.

dflemstr commented 4 years ago

Thanks for getting back to me! I saw the flags in that section, but despite that I keep getting errors.

Some examples:

```
# A simple kpt function that simply pipes objects to kubeval
$ kpt fn source ... | kpt fn run --network --image gcr.io/spotify-declarative-infra/kubeval
ERR  - stdin: Failed initalizing schema https://...: Get https://...: dial tcp: lookup kubernetesjsonschema.dev on 1.1.1.1:53: dial udp 1.1.1.1:53: connect: network is unreachable
```

Adding --network-name doesn't make a difference.

However, running the exact same function with this config works:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kpt-fn-2
  annotations:
    config.k8s.io/function: |
      container:
        image: gcr.io/spotify-declarative-infra/kubeval
        network:
          required: true
```

The image is private, let me know if I should create a test case that can be reproduced publicly.

pwittrock commented 4 years ago

@phanimarupaka ideas?

pwittrock commented 4 years ago

The issue is that network is only enabled if the function requests it. This is possible for declarative functions, but not for ones specified on the CLI. There is a TODO for this:

https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/internal/commands/run-fns.go#L85

The solution is to add a request for network on line 89.

```go
if r.Network {
    err = fn.PipeE(
        yaml.LookupCreate(yaml.MappingNode, "container", "network"),
        yaml.SetField("required", yaml.NewScalarRNode("true")))
    if err != nil {
        return nil, err
    }
}
```
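
The gate described in the comment above, as an added example that is not part of the thread and not kpt's or kustomize's own code: a simplified Go model in which a container only gets a network when the function spec requests it and the user passes `--network`. The type and function names, the image name, the `bridge` network name and the Docker argument list are assumptions made for illustration.

```go
package main

import "fmt"

// FunctionSpec is a hypothetical, simplified stand-in for the container section
// of a function declaration (container.image, container.network.required).
type FunctionSpec struct {
	Image           string
	NetworkRequired bool
}

// SpecFromCLI models building a spec from `--image`. With fixed=false the
// --network flag is never copied into the spec (the behaviour reported in the
// thread); with fixed=true it becomes container.network.required, as suggested.
func SpecFromCLI(image string, networkFlag, fixed bool) FunctionSpec {
	return FunctionSpec{Image: image, NetworkRequired: fixed && networkFlag}
}

// NetworkMode applies the two-sided gate: the function must request network
// access AND the user must allow it with --network. In every other case this
// model keeps the container isolated ("none" is Docker's no-network mode).
func NetworkMode(spec FunctionSpec, networkFlag bool, networkName string) string {
	if spec.NetworkRequired && networkFlag {
		return networkName
	}
	return "none"
}

// DockerArgs shows where the decision ends up (illustrative argument list,
// not the exact one kpt builds).
func DockerArgs(spec FunctionSpec, networkFlag bool, networkName string) []string {
	return []string{"run", "--rm", "-i",
		"--network", NetworkMode(spec, networkFlag, networkName), spec.Image}
}

func main() {
	img := "example.invalid/kubeval" // constructed image name
	declared := FunctionSpec{Image: img, NetworkRequired: true}
	fmt.Println("declarative + --network:", DockerArgs(declared, true, "bridge"))
	fmt.Println("declarative, no flag:   ", DockerArgs(declared, false, "bridge"))
	fmt.Println("--image before fix:     ", DockerArgs(SpecFromCLI(img, true, false), true, "bridge"))
	fmt.Println("--image after fix:      ", DockerArgs(SpecFromCLI(img, true, true), true, "bridge"))
}
```

The third case reproduces the symptom in the report: the user has passed `--network`, but because the spec built from `--image` never requests it, the container still runs without a network.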

phanimarupaka commented 4 years ago

@dflemstr The issue has been fixed in the new release. Can you please pull the latest kpt version and check if the issue is resolved? Thanks for your patience.

dflemstr commented 4 years ago

Yes, I can confirm that the issue is now fixed!