Missing info on how to use/create profiles #6

Open
qubeio opened this issue Dec 22, 2023 · 8 comments

qubeio commented Dec 22, 2023

Hey, this is a really useful looking tool so thanks for creating. I can't figure out how to get info on how to create profiles though

@ChaosInTheCRD
Owner

@qubeio thanks for submitting this issue!

The simple answer as to why this capability can't be found is because it unfortunately doesn't exist 😢. I am aware that documentation on how to do this is needed, as well as (probably) some helper commands to get started, so I will try and prioritise getting this done when I get some spare time!

@ChaosInTheCRD
Owner

ChaosInTheCRD commented Jan 3, 2024

So I just did a bit of messing around with the functionality, it was a bit buggy in places. I am in the process of releasing v0.0.5, which should be available by the time you read this.

You should (for now) be able to expand the kube-lock.yaml like so:

  1. Locate the kube-lock.yaml. This should be in your $HOME directory (e.g., ~/.kube-lock.yaml).
  2. Opening the file, it should look something like:

```yaml
contexts:
  - name: minikube
    status: protected
    unlockTimestamp: ""
profiles:
  - name: protected
    blockedVerbs:
      - delete
      - apply
      - create
      - patch
      - label
      - annotate
      - replace
      - cp
      - taint
      - drain
      - uncordon
      - cordon
      - auto-scale
      - scale
      - rollout
      - expose
      - run
      - set
    deleteExceptions:
      - group: cert-manager.io/v1
        resource: certificates
      - group: v1
        resource: pods
defaultProfile: protected
unlockTimeoutPeriod: ""
```

  3. You can now edit this file. For example, if you wanted to add another delete exception to the protected profile, you could add:

```yaml
contexts:
  - name: minikube
    status: protected
    unlockTimestamp: ""
profiles:
  - name: protected
    blockedVerbs:
      - delete
      - apply
      - create
      - patch
      - label
      - annotate
      - replace
      - cp
      - taint
      - drain
      - uncordon
      - cordon
      - auto-scale
      - scale
      - rollout
      - expose
      - run
      - set
    deleteExceptions:
      - group: cert-manager.io/v1
        resource: certificates
      - group: acme.cert-manager.io/v1
        resource: orders
      - group: v1
        resource: pods
      - group: monitoring.coreos.com/v1
        resource: prometheusrules
defaultProfile: protected
unlockTimeoutPeriod: ""
```

Notice that now, I have two more exceptions for deleting things, prometheusrules and orders. This means that if I perform a kubectl delete prometheusrule, it should block me as I have configured it to do so.

  4. If you want to find resources to add to the delete exceptions, you can start by calling `kubectl api-resources --verbs=list -o name`. This will list all the resources available to the cluster. You can follow this up with a `kubectl explain <API_RESOURCE>` command (e.g., `kubectl explain statefulsets.apps`) to get the group and kind of the resource:

```
➜ kubectl explain statefulsets.apps
GROUP:      apps
KIND:       StatefulSet
VERSION:    v1
```

**NOTE:** Here comes the bit where I messed up. Strictly, the group field should really be called apiVersion, as you must specify the contents of the VERSION field (e.g., /v1) at the end of the GROUP (e.g., apps) in said group field. Also, while the value of KIND is what you will want to use in the resource field in the kube-lock config, you should set this as the resource's "plural" kind in lowercase. This should however be easy enough to convert manually (e.g., StatefulSet is statefulsets).

  5. Finally, you could create a new profile entirely by adding something like:

```yaml
contexts:
  - name: minikube
    status: protected
    unlockTimestamp: ""
profiles:
  - name: barely-protected
    blockedVerbs:
      - delete
      - apply
  - name: protected
    blockedVerbs:
      - delete
      - apply
      - create
      - patch
      - label
      - annotate
      - replace
      - cp
      - taint
      - drain
      - uncordon
      - cordon
      - auto-scale
      - scale
      - rollout
      - expose
      - run
      - set
    deleteExceptions:
      - group: cert-manager.io/v1
        resource: certificates
      - group: acme.cert-manager.io/v1
        resource: orders
      - group: v1
        resource: pods
      - group: monitoring.coreos.com/v1
        resource: prometheusrules
defaultProfile: protected
unlockTimeoutPeriod: ""
```

You should be able to customize this to whatever you want.

Now, I know this all needs to be documented. I will endeavour to do so in good time 😄 .
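
The GROUP/VERSION/KIND conversion described in the NOTE above, as an added example that is not part of the original comment or of kube-lock itself: a shell function that turns a name from `kubectl api-resources --verbs=list -o name` plus the `kubectl explain` header into a `deleteExceptions` entry. The function name `kube_lock_exception` and the sample headers are constructed for illustration; the entry layout is the one shown in the config above.

```shell
#!/bin/sh
# Build a kube-lock deleteExceptions entry from:
#   $1  resource name as listed by `kubectl api-resources --verbs=list -o name`
#   $2  header text printed by `kubectl explain <name>`
# kube_lock_exception is a hypothetical helper, not a kube-lock command.
kube_lock_exception() {
    name=$1
    header=$2
    # The part before the first dot is already the lowercase plural resource.
    resource=${name%%.*}
    group=$(printf '%s\n' "$header" | awk '$1 == "GROUP:" { print $2; exit }')
    version=$(printf '%s\n' "$header" | awk '$1 == "VERSION:" { print $2; exit }')
    if [ -z "$version" ]; then
        echo "no VERSION line found for $name" >&2
        return 1
    fi
    # The config's "group" field holds GROUP/VERSION. Core resources such as
    # pods print no GROUP line, so the field is just the version (e.g. v1).
    if [ -n "$group" ]; then
        api_version="$group/$version"
    else
        api_version="$version"
    fi
    printf '      - group: %s\n        resource: %s\n' "$api_version" "$resource"
}

# Constructed sample headers in the format shown in the comment above.
SAMPLE_STS='GROUP:      apps
KIND:       StatefulSet
VERSION:    v1'
SAMPLE_POD='KIND:       Pod
VERSION:    v1'

kube_lock_exception statefulsets.apps "$SAMPLE_STS"
kube_lock_exception pods "$SAMPLE_POD"
```

Against a live cluster the second argument would be `"$(kubectl explain statefulsets.apps | head -n 5)"`; the printed lines are indented to paste under `deleteExceptions:`.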

@qubeio
Author

qubeio commented Jan 4, 2024

Wow. This was a pretty quick turnaround! I'll have a play and get back to you

@ChaosInTheCRD
Owner

> Wow. This was a pretty quick turnaround! I'll have a play and get back to you

Ha! I mean I dunno, it is not often that I get issues filed against my code so it was a pleasant surprise to see after coming back from Christmas holidays!

Let me know how you get on! As I said, hopefully I can give this project some TLC over the next few months.

@qubeio
Author

qubeio commented Jan 4, 2024

Looks like the darwin arm sha isn't correct. I calculated it as 'ecd3e13910fcb7e1935bf5cb23d0228b7750ba23e49fd3292f226bf00ee4e38' which is what krew is reporting. I was going to put it in as PR but it isn't open for contributions. Happy to contribute if you consider it :)

@ChaosInTheCRD
Owner

oh man 🤦 I thought I fixed this yesterday 😢

I think I know what's happened. I retagged and rereleased, which affected these sha's... so annoying! It's all good, give me two seconds.

@ChaosInTheCRD
Owner

I can confirm that this now works 😄 I am also on darwin arm so can confirm.

Any other trouble just let me know - thank you for checking out the tool 😃

@ChaosInTheCRD
Owner

I'm going to keep this issue open as a reminder that we need to update the documentation 😄 .
