quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

control over kubernetes service account generation / kubernetes-client issue #9283

Closed maxandersen closed 4 years ago

maxandersen commented 4 years ago

Description

Using https://cloud.okteto.com, the deployment fails as we set up a service account instead of using default.

Workaround is to have quarkus.kubernetes.service-account=default but then we still generate a service account unnecessarily.

Furthermore, the Quarkus Kubernetes docs state:

"some RBAC related resources are required (e.g. a ServiceAccount, a RoleBinding etc.). So, when the kubernetes-client extension is present, the kubernetes extension is going to create those resources automatically,"

I only added the kubernetes extension, not kubernetes client. ... Why is it then there? If by implicit dependency, is there a way to avoid service-account being defined/referenced?

And if I'm not using the Kubernetes API in the deployment, isn't the kubernetes-client just making my native compilation much slower?


geoand commented 4 years ago

@iocanel has more insight here since he is the one that added the SA and RB handling

Ladicek commented 4 years ago

I always thought it's a good practice to create a dedicated service account for the application, instead of using the namespace's default SA. Why Okteto would disallow creating a service account is beyond me.

geoand commented 4 years ago

Yeah, I am sure that is what @iocanel had in mind as well

iocanel commented 4 years ago

> Workaround is to have quarkus.kubernetes.service-account=default but then we still generate a service account unnecessarily.

Let me have a look at it!

> I only added the kubernetes extension, not kubernetes client. ... Why is it then there? If by implicit dependency, is there a way to avoid service-account being defined/referenced?

That must have been a side effect of using the kubernetes-client for deploying. We need to fix that.

iocanel commented 4 years ago

Currently, I see no RBAC resources generated out of the box. We just created a ServiceAccount which is ok, if not a good practice as @Ladicek mentions.

> I only added the kubernetes extension, not kubernetes client. ... Why is it then there?

RoleBindings don't seem to be there any more.

> And if I'm not using the Kubernetes API in the deployment, isn't the kubernetes-client just making my native compilation much slower?

No, it's just a build time dependency.

iocanel commented 4 years ago

So, what's left is to avoid creating the ServiceAccount if we don't need to.
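
A check for the situation discussed in this thread, where a manifest still declares a ServiceAccount although the workload runs as `default`. This is an added example, not code from the Quarkus project; the resource dictionaries and the `my-app` name are constructed, and `audit_service_accounts` is a hypothetical helper that takes already-parsed Kubernetes resources.

```python
# Added example: constructed manifests, not output captured from Quarkus.
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}

def pod_spec(resource):
    """Return the pod spec of a workload resource, or None for other kinds."""
    spec = resource.get("spec") or {}
    if resource.get("kind") == "Pod":
        return spec
    if resource.get("kind") in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    return None

def audit_service_accounts(resources):
    """Cross-reference declared ServiceAccounts with the ones workloads run as."""
    declared = set()
    used = {}  # service account name -> workloads running as it
    for res in resources:
        name = (res.get("metadata") or {}).get("name", "<unnamed>")
        if res.get("kind") == "ServiceAccount":
            declared.add(name)
            continue
        spec = pod_spec(res)
        if spec is None:
            continue
        # Kubernetes falls back to the namespace's "default" account when unset.
        sa = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
        used.setdefault(sa, []).append(f'{res["kind"]}/{name}')
    return {
        "unreferenced": sorted(declared - set(used)),  # generated but never used
        "runs_as_default": sorted(used.get("default", [])),
        "undeclared": sorted(set(used) - declared - {"default"}),
    }

def manifest(sa_for_pod):
    """Constructed manifest: one ServiceAccount plus one Deployment."""
    pod = {"containers": [{"name": "app", "image": "example/app:1.0"}]}
    if sa_for_pod:
        pod["serviceAccountName"] = sa_for_pod
    return [
        {"kind": "ServiceAccount", "metadata": {"name": "my-app"}},
        {"kind": "Deployment", "metadata": {"name": "my-app"},
         "spec": {"template": {"spec": pod}}},
    ]

if __name__ == "__main__":
    print(audit_service_accounts(manifest("my-app")))   # dedicated account
    print(audit_service_accounts(manifest("default")))  # workaround from the thread
```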