openclarity / apiclarity

An API security tool to capture and analyze API traffic, test API endpoints, reconstruct Open API specification, and identify API security risks. 
https://apiclarity.io
Apache License 2.0

allow APIClarity to start without kubernetes #298

Closed jnapper7 closed 1 year ago

jnapper7 commented 1 year ago

This PR provides a new config flag to start APIClarity without kubernetes.

By default the env var ENABLE_K8S is set to True, allowing backwards-compatible behavior with existing deployments.

Since the trace-sampling-manager still requires k8s to store some data, the PR also includes a change to disable the trace sampling manager when TRACE_SAMPLING_ENABLED is False. This may cause backward-compatibility problems as the behavior can be different in edge cases.

So, realistically, to boot APIClarity cleanly without k8s, you must use the following config and this PR:

fishkerez commented 1 year ago

Hey @jnapper7, out of curiosity, what is the difference between ENABLE_K8S and K8S_LOCAL? Currently I can run APIClarity locally with the command from the README:

DATABASE_DRIVER=LOCAL K8S_LOCAL=true FAKE_TRACES=true FAKE_TRACES_PATH=./backend/pkg/test/trace_files \
ENABLE_DB_INFO_LOGS=true ./backend/bin/backend run

So why do I also need ENABLE_K8S? And should it be stated in the README?

jnapper7 commented 1 year ago

> Hey @jnapper7, out of curiosity, what is the difference between ENABLE_K8S and K8S_LOCAL? Currently I can run APIClarity locally with the command from the README:
>
> DATABASE_DRIVER=LOCAL K8S_LOCAL=true FAKE_TRACES=true FAKE_TRACES_PATH=./backend/pkg/test/trace_files \
> ENABLE_DB_INFO_LOGS=true ./backend/bin/backend run
>
> So why do I also need ENABLE_K8S? And should it be stated in the README?

It's a good question. However, K8S_LOCAL does not turn off the requirement for kubernetes. It says that your k8s config is local and not a service account running within k8s. If you check the code:

/backend/pkg/k8smonitor/common.go/CreateLocalK8sClientset

you can see that the reason it starts is that you have a proper KUBECONFIG in your environment. If you remove that, then APIClarity will not boot. This PR is to fix that by disabling dependencies on k8s entirely.

Are you suggesting in the README to change the command-line from "K8S_LOCAL=true" to "ENABLE_K8S=false"?

fishkerez commented 1 year ago

I see, that makes sense. I think that in that case, the current instructions should stay as is in the README, since it brings more functionality. But maybe it's worth adding a "Note: this command requires a proper KUBECONFIG in your environment. If you want to run without k8s, use ENABLE_K8S=false". WDYT?

jnapper7 commented 1 year ago

Good idea! I added your text with a little bit of extra explanation. :)
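
An added sketch, not APIClarity's own code, of a preflight check for the three start-up modes discussed in this thread: k8s disabled, local kubeconfig, and in-cluster service account. The names `Preflight` and `envBool`, the defaults for K8S_LOCAL and TRACE_SAMPLING_ENABLED, and the single-file KUBECONFIG check are assumptions; the in-cluster checks mirror what client-go looks for.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// envBool reads a boolean setting; unset or unparsable values fall back to def.
func envBool(env map[string]string, key string, def bool) bool {
	if b, err := strconv.ParseBool(env[key]); err == nil {
		return b
	}
	return def
}

// Preflight reports the selected k8s mode and what would block a clean start.
func Preflight(env map[string]string, exists func(string) bool) (string, []string) {
	var problems []string
	if !envBool(env, "ENABLE_K8S", true) { // default true, per the PR description
		if envBool(env, "TRACE_SAMPLING_ENABLED", true) { // assumed default
			problems = append(problems, "trace sampling manager needs k8s: set TRACE_SAMPLING_ENABLED=false")
		}
		return "no-k8s", problems
	}
	if envBool(env, "K8S_LOCAL", false) { // assumed default; KUBECONFIG assumed to be one file
		if p := env["KUBECONFIG"]; p == "" || !exists(p) {
			problems = append(problems, "K8S_LOCAL=true needs a KUBECONFIG that points at an existing file")
		}
		return "local-kubeconfig", problems
	}
	// In-cluster: client-go expects the API server address and a mounted token.
	const token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
	if env["KUBERNETES_SERVICE_HOST"] == "" || !exists(token) {
		problems = append(problems, "in-cluster mode needs a pod service account; none found")
	}
	return "in-cluster", problems
}

func main() {
	env := map[string]string{}
	for _, k := range []string{"ENABLE_K8S", "K8S_LOCAL", "KUBECONFIG", "TRACE_SAMPLING_ENABLED", "KUBERNETES_SERVICE_HOST"} {
		if v, ok := os.LookupEnv(k); ok {
			env[k] = v
		}
	}
	mode, problems := Preflight(env, func(p string) bool { _, err := os.Stat(p); return err == nil })
	fmt.Println("mode:", mode, "problems:", problems)
}
```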