Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat add startup error when running in kube system #1031

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

LucasRoesler
Copy link
Member

Description

To avoid any accedential security issues, we block running anything in
the kube-system namespace. We already have this explicitly blocked in
the rest of the code that deals with namespaces and it causes hard to
debug errors for users that try to deploy to the kube-system namespace.

This adds an explicit check so that this misconfiguration is easier to
detect and debug for end users.

Motivation and Context

  • I have raised an issue to propose this change (required)

Part of a comment on #1022

How Has This Been Tested?

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@derek
Copy link

derek bot commented Oct 4, 2022

Thank you for your contribution. unfortunately, one or more of your commits are missing the required "Signed-off-by:" statement. Signing off is part of the Developer Certificate of Origin (DCO) which is used by this project.

Read the DCO and project contributing guide carefully, and amend your commits using the git CLI. Note that this does not require any cryptography, keys or special steps to be taken.

💡 Shall we fix this?

This will only take a few moments.

First, clone your fork and checkout this branch using the git CLI.

Next, set up your real name and email address:

git config --global user.name "Your Full Name"
git config --global user.email "[email protected]"

Finally, run one of these commands to add the "Signed-off-by" line to your commits.

If you only have one commit so far then run: git commit --amend --signoff and then git push --force.
If you have multiple commits, watch this video.

Check that the message has been added properly by running "git log".

@derek derek bot added the no-dco label Oct 4, 2022
To avoid any accedential security issues, we block running anything in
the kube-system namespace. We already have this explicitly blocked in
the rest of the code that deals with namespaces and it causes hard to
debug errors for users that try to deploy to the kube-system namespace.

This adds an explicit check so that this mis-configuration is easier to
detect and debug for end users.

Signed-off-by: Lucas Roesler <[email protected]>
@LucasRoesler LucasRoesler force-pushed the feat-add-startup-error-when-running-in-kube-system branch from b3556c1 to 1aa19ec Compare October 4, 2022 08:41
@derek derek bot removed the no-dco label Oct 4, 2022
@@ -98,6 +98,12 @@ func main() {

config.Fprint(verbose)

// use kubeclient to check the current namespace
namespace, _ := k8s.CurrentNamespace()
if namespace == "kube-system" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't quite the error we were running into.

You probably can run the openfaas core components in the kube-system namespace.

It was that you can't deploy functions there.

So we already have validation in the deployment handlers, but we could do better by checking the functionNamespace variable (if set), and exiting upon startup

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i thought this was part of the suggestion #1022 (comment)

but i see that what we also need to do is provide a meaningful api error as well

// This implementation is based on the clientcmd.inClusterClientConfig.Namespace method.
// This is not exported and not accessible via other methods, so we have to copy it.
func CurrentNamespace() (namespace string, found bool) {
if ns := os.Getenv("POD_NAMESPACE"); ns != "" {
Copy link
Member

@alexellis alexellis Oct 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a pretty nice trick. TIL

Although please see my other *comment (typo)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants