Kubernetes IP address belongs to pod, not container

[carolinebeauchamp]

I'm trying to get metadataproxy working in kubernetes, and I'm almost there - however, the snag with kubernetes is that it attaches the IP address to the pod, which is a group of containers, rather than to a individual container. In fact, it actually attaches it to a container running just "pause" then bridges the networking between that container and the others in the pod. Unfortunately, Environment vars are specific to a container, so looking up IAM_ROLE fails, as the pause container doesn't have that var. However, containers in the same pod have a common label: io.kubernetes.pod.uid which is a uuid unique to the pod and can be used to identify containers within the pod. My plan is to match the pause container with others in the pod and get IAM_ROLE from an associated pod. Limitations would be only one IAM_ROLE per pod, but that's not a biggie IMHO.

Is this approach reasonable? It shouldn't impact non-kubernetes systems significantly, as I'll only check for other containers if the label exists. Or have others solved this in other ways?

Should be straightforward to implement - I'll do a pull request in due course...

[ryan-lane]

That implementation sounds perfect. I think containers of a pod should likely share the same IAM role anyway, since all containers in a pod share the same networking space anyway. When you send in the PR, make sure to also sign our CLA. Thanks for the help!

[alexouzounis]

Just curious, why not https://github.com/jtblin/kube2iam ?

[carolinebeauchamp]

Because I can't use Google properly? ;)

[Carles-Figuerola]

Has there been any progress on this, by any chance?

[ryan-lane]

@Carles-Figuerola no one has worked on it, and I don't believe anyone so far has signed up for doing so. If you want to dive in, please do so :)

[dschaller]

Thank you for you contribution to this repository.

Closing this contribution as this repository is being archived.