kube-aws / kube-spot-termination-notice-handler

A Kubernetes DaemonSet to gracefully delete pods 2 minutes before an EC2 Spot Instance gets terminated
Apache License 2.0

General question, why no need to authenticate `kubectl`? #33

Closed t0ny-peng closed 4 years ago

t0ny-peng commented 4 years ago

This might be a stupid but short question. In the script and Dockerfile I don't see any place where the user enters the credentials of the cluster, yet still `kubectl` is able to drain a node. What kind of authentication is behind this? Is it using some intrinsic k8s feature? Please educate me.

Thanks.

edify42 commented 4 years ago

The README suggests deploying the app via helm `helm install stable/k8s-spot-termination-handler`.

The pod itself runs under a serviceaccount with the k8s permission to create `pod/eviction` resources, which is what is required for the `kubectl drain node` command.

If you inspect the helm chart, you'll find what I'm talking about :)
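As an added illustration of the answer above (not part of the thread and not the project's code): with no kubeconfig present, `kubectl` falls back to in-cluster configuration, reading the API server address from the pod's environment and the service account token from the mounted directory. The sketch below reproduces that lookup and decodes the token's `sub` claim, which is the user name RBAC rules are matched against. The function names, the sample mount and the `spot-handler` account name are constructed for this example.

```python
import base64
import json
import os
import tempfile
from pathlib import Path

# Where Kubernetes mounts the pod's service account credentials.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def jwt_claims(token):
    """Decode the payload segment of a JWT without verifying the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def in_cluster_identity(sa_dir=SA_DIR, env=os.environ):
    """Return what an in-cluster client would send, or None outside a pod."""
    host = env.get("KUBERNETES_SERVICE_HOST")
    port = env.get("KUBERNETES_SERVICE_PORT")
    token_file = Path(sa_dir, "token")
    if not host or not port or not token_file.is_file():
        return None  # no in-cluster credentials; a kubeconfig would be needed
    token = token_file.read_text().strip()
    return {
        "server": f"https://{host}:{port}",
        "ca_file": str(Path(sa_dir, "ca.crt")),
        "namespace": Path(sa_dir, "namespace").read_text().strip(),
        "authorization": f"Bearer {token}",
        "username": jwt_claims(token)["sub"],  # the name RBAC rules match
    }


def make_sample_mount(namespace, name):
    """Constructed stand-in for the mounted directory, with an unsigned token."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    sub = f"system:serviceaccount:{namespace}:{name}"
    mount = Path(tempfile.mkdtemp())
    (mount / "token").write_text(".".join([b64({"alg": "none"}), b64({"sub": sub}), "x"]))
    (mount / "namespace").write_text(namespace)
    return str(mount)


if __name__ == "__main__":
    env = {"KUBERNETES_SERVICE_HOST": "10.0.0.1", "KUBERNETES_SERVICE_PORT": "443"}
    print(in_cluster_identity(make_sample_mount("kube-system", "spot-handler"), env))
```

Run inside a real pod with no arguments, `in_cluster_identity()` reports the account whose role bindings decide whether the eviction request is allowed.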

t0ny-peng commented 4 years ago

@edify42 Thanks Ted. That's really helpful.