weaveworks / scope

Monitoring, visualisation & management for Docker & Kubernetes
https://www.weave.works/oss/scope/
Apache License 2.0

Allow disabling container operations #3835

Closed bharath-12345 closed 3 years ago

bharath-12345 commented 3 years ago

I have set up weavescope on Kubernetes. I would like to expose it to developers behind a VPN. We do not want to allow developers to directly pause, stop or restart individual containers.

I have tried restricting access in the cluster role but that doesn't seem to be working. I am able to restrict terminating pods but not containers.

I may have missed something fairly obvious here. Please do let me know if it's possible to disable container operations.

bboreham commented 3 years ago

https://github.com/weaveworks/scope/blob/master/site/faq.md#disabling-scope-write-access

bharath-12345 commented 3 years ago

Thank you @bboreham. I have added —-probe.no-controls=false arg to weave-scope-agent but I am still able to pause, delete and restart containers. I have tried setting probe.docker=false but that removes the option to exec into the container, which can be useful....

bboreham commented 3 years ago

Must be some flaw in the way you added the flag, because as the name suggests it disables all "controls" including pause, delete, etc.

There is no option in the code to disable some controls but not others.

Note that typically if you can exec into a container you can kill the process, which is either "stop" or "restart" depending on other factors.

kingdonb commented 3 years ago

If you have copied this directly from the FAQ: —probe.no-controls=true it will not work, since someone's text editor has apparently replaced the double-dash with a Unicode M-dash. Can you check if that might be what prevented this from working @bharath-12345 ?

I submitted a PR which fixes the docs issue, assuming that's what caused the problem.

(I tested this and it works as described, the controls vanish as soon as the new pod rolls out from updating the daemonset.)

bboreham commented 3 years ago

One more thought: you would need to add the flag both in the Deployment for controls relating to Kubernetes elements (Pod, etc.) and in the DaemonSet for controls relating to containers, processes, etc.

bharath-12345 commented 3 years ago

@bboreham what you said makes sense. I think my issue is resolved. Closing this issue now. Thank you :)
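
The two checks raised in this thread (a Unicode dash pasted in place of `--`, and the flag being needed in both the Deployment and the DaemonSet) can be run against a manifest before rollout. The following is an added example, not part of the original thread or the Scope project; the function names, status strings and sample object names are assumptions made for illustration, and only the explicit `=true` form quoted from the FAQ is treated as correct.

```python
import re

# Dash look-alikes that editors and web pages substitute for ASCII "-".
UNICODE_DASHES = set("\u2010\u2011\u2012\u2013\u2014\u2015\u2212")
FLAG_RE = re.compile(r"""([^\s'"\[\],]*)probe\.no-controls(?:=(\w+))?""")

def check_flag(doc):
    """Classify how probe.no-controls appears in one manifest document."""
    m = FLAG_RE.search(doc)
    if m is None:
        return "missing"
    prefix, value = m.group(1), m.group(2)
    if UNICODE_DASHES & set(prefix):
        return "unicode-dash"          # the copy-paste failure described in the thread
    if prefix != "--":
        return "unexpected-prefix"
    # Only the explicit form quoted from the FAQ counts as disabling controls.
    return "ok" if value == "true" else "value-not-true"

def audit(manifest_text):
    """Map 'Kind/name' -> status for every Deployment and DaemonSet."""
    report = {}
    for doc in re.split(r"^---\s*$", manifest_text, flags=re.M):
        kind = re.search(r"^kind:\s*(\w+)", doc, flags=re.M)
        name = re.search(r"^\s+name:\s*(\S+)", doc, flags=re.M)
        if kind and kind.group(1) in ("Deployment", "DaemonSet"):
            label = f"{kind.group(1)}/{name.group(1) if name else '?'}"
            report[label] = check_flag(doc)
    return report

# Constructed sample: object names are placeholders, not Scope's real manifests.
SAMPLE = """\
kind: Deployment
metadata:
  name: example-cluster-agent
spec:
  template:
    spec:
      containers:
        - name: agent
          args: ['--probe.no-controls=true']
---
kind: DaemonSet
metadata:
  name: example-node-agent
spec:
  template:
    spec:
      containers:
        - name: agent
          args: ['\u2014-probe.no-controls=true']
"""

if __name__ == "__main__":
    for target, status in audit(SAMPLE).items():
        print(f"{target}: {status}")
```

Any status other than `ok` on a Deployment or DaemonSet that runs a Scope probe means that workload's controls should be assumed still available to users.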