Programatic api for kubectl commands (Depends on #7311) #31173
Comments
pwittrock
added
priority/important-soon
pwittrock
changed the title
pwittrock
added
kubectl/epic-programmatic-access
size/L
|
This should be something we need to do next, but first I will help with business logic refactor before we start this. |
|
How would #2 even work for clients using client certs? Without tokens and impersonation (even with tokens and impersonation) there are definitely some risks there. I guess I'm not horribly opposed to it (I like the idea of having an easy API for running GET), but what guarantees would we give for the API? |
|
@smarterclayton My intention for 2. was to provide a sidecar bound to the loopback for applications running in the k8s cluster. If I understand correctly, this should only give access to the applications running in the same Pod, is that correct? I don't think this should be any less secure than running a |
|
Oh, I was imagining a server endpoint that accepted Kube credentials and On Mon, Aug 22, 2016 at 10:12 PM, Phillip Wittrock <notifications@github.com
|
|
@smarterclayton Ah yes, I agree we would have to be more security conscious in that case. I think https://github.com/rancher/kubectld provides something along those lines. If we are successful with providing a sidecar we could probably extend (or reuse the majority of the work) to handle usages requiring stricter security. |
|
I think kubectld give a good example of how to wrap kubectl, but definitely if we could a more elegant way to do this, it would be much convenient for third party tools to use kubectl. |
|
@adohe Yes, the kubectld approach to wrapping kubectl is pretty simple. This issue could probably even be worked on in parallel by introducing a reasonable abstraction layer for invoking the kubectl logic. Work on them in whatever order makes the most sense to you. |
|
We'd have to version kubectl pretty finely. On Tue, Aug 23, 2016 at 11:25 AM, Phillip Wittrock <notifications@github.com
|
|
@smarterclayton Could you expand upon your comment? |
|
In that changes to kubectl happen pretty often - we try to be backwards On Tue, Aug 23, 2016 at 5:09 PM, Phillip Wittrock notifications@github.com
|
k8s-github-robot
added
the
needs-sig
|
/sig cli |
k8s-ci-robot
added
the
sig/cli
k8s-github-robot
removed
the
needs-sig
|
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/rotten
k8s-ci-robot
removed
the
lifecycle/stale
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
Projects such as helm and dashboard vendor in kubectl. This is a terrible experience kubectl:
A quick and dirty solution would be to.
Alternatively we could: Move the client logic into the api server so thick client logic is not required. #12143
Pros: This is a better engineering solution.
Cons: This is much more challenging and time consuming.
I propose we knock out the quick and dirty solution while we work towards the longer term goal of moving logic into the api server.
The text was updated successfully, but these errors were encountered: