Fix rbac to set useful labels on broker pods from init script #117

Merged, 4 commits, Jan 8, 2018
2 changes: 0 additions & 2 deletions README.md
Expand Up @@ -68,8 +68,6 @@ For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/r
kubectl apply -f rbac-namespace-default/
```

For example rack awareness can fail without this, `logs -c init-config` showing `Error from server (Forbidden): pods "kafka-0" is forbidden: User "system:serviceaccount:kafka:default" cannot get pods in the namespace "kafka": Unknown user "system:serviceaccount:kafka:default"`.

## Tests

Tests are based on the [kube-test](https://github.com/Yolean/kube-test) concept.
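Review bot: deleting this paragraph removes the README's only description of the symptom that tells a user the RBAC manifests are missing; the `Error from server (Forbidden): pods "kafka-0" is forbidden ...` text now survives only as a comment at the top of rbac-namespace-default/pod-labler.yml, which README readers will not see. Suggest keeping a one-line pointer after `kubectl apply -f rbac-namespace-default/` saying that rack awareness and pod labelling fail with that Forbidden error in the `init-config` container logs when the manifests are not applied.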
15 changes: 10 additions & 5 deletions kafka/10broker-config.yml
Expand Up @@ -11,6 +11,8 @@ data:
KAFKA_BROKER_ID=${HOSTNAME##*-}
sed -i "s/#init#broker.id=#init#/broker.id=$KAFKA_BROKER_ID/" /etc/kafka/server.properties

LABELS="kafka-broker-id=$KAFKA_BROKER_ID"

hash kubectl 2>/dev/null || {
sed -i "s/#init#broker.rack=#init#/#init#broker.rack=# kubectl not found in path/" /etc/kafka/server.properties
} && {
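Review bot: `LABELS` is initialised unconditionally here, but it is only applied inside the `&& { ... }` block that runs when `kubectl` is on the path; the `|| { ... }` branch only writes a comment into `broker.rack`, so on an image without kubectl the `kafka-broker-id` label is silently never set. Suggest adding an `echo` in the `||` branch stating that pod labels are skipped because kubectl was not found, mirroring the note already written into server.properties.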
Expand All @@ -21,17 +23,20 @@ data:
sed -i "s/#init#broker.rack=#init#/#init#broker.rack=# zone label not found for node $NODE_NAME/" /etc/kafka/server.properties
else
sed -i "s/#init#broker.rack=#init#/broker.rack=$ZONE/" /etc/kafka/server.properties
LABELS="$LABELS kafka-broker-rack=$ZONE"
fi

# This requires additional RBAC, and won't be needed after https://github.com/kubernetes/kubernetes/pull/55329
kubectl -n $POD_NAMESPACE label pod $POD_NAME kafka-broker-id=$KAFKA_BROKER_ID

OUTSIDE_HOST=$(kubectl get node "$NODE_NAME" -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
if [ $? -ne 0 ]; then
echo "Outside (i.e. cluster-external access) host lookup command failed"
else
OUTSIDE_HOST=${OUTSIDE_HOST}:3240${KAFKA_BROKER_ID}
sed -i "s|#init#advertised.listeners=OUTSIDE://#init#|advertised.listeners=OUTSIDE://${OUTSIDE_HOST}|" /etc/kafka/server.properties
OUTSIDE_PORT=3240${KAFKA_BROKER_ID}
sed -i "s|#init#advertised.listeners=OUTSIDE://#init#|advertised.listeners=OUTSIDE://${OUTSIDE_HOST}:${OUTSIDE_PORT}|" /etc/kafka/server.properties
LABELS="$LABELS kafka-listener-outside-host=$OUTSIDE_HOST kafka-listener-outside-port=$OUTSIDE_PORT"
fi

if [ ! -z "$LABELS" ]; then
kubectl -n $POD_NAMESPACE label pod $POD_NAME $LABELS || echo "Failed to label $POD_NAMESPACE.$POD_NAME - RBAC issue?"
fi
}
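Review bot: `kubectl label` is called without `--overwrite`, so if the init container is re-run on the same pod (a container restart rather than a new pod) the labels already exist and the command fails for a reason unrelated to RBAC, while the appended message still says `RBAC issue?`. Suggest `kubectl -n $POD_NAMESPACE label --overwrite pod $POD_NAME $LABELS` and wording the echo so it does not presume the cause, since kubectl's own stderr already states it. Also, because `LABELS` is set to `kafka-broker-id=$KAFKA_BROKER_ID` unconditionally earlier in the script, the `[ ! -z "$LABELS" ]` guard is always true and can be dropped.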

39 changes: 39 additions & 0 deletions rbac-namespace-default/pod-labler.yml
@@ -0,0 +1,39 @@
# To see if init containers need RBAC:
#
# $ kubectl -n kafka logs kafka-2 -c init-config
# ...
# Error from server (Forbidden): pods "kafka-2" is forbidden: User "system:serviceaccount:kafka:default" cannot get pods in the namespace "kafka": Unknown user "system:serviceaccount:kafka:default"
#
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-labler
namespace: kafka
labels:
origin: github.com_Yolean_kubernetes-kafka
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- update
- patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kafka-pod-labler
namespace: kafka
labels:
origin: github.com_Yolean_kubernetes-kafka
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-labler
subjects:
- kind: ServiceAccount
name: default
namespace: kafka
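Review bot: the RoleBinding targets the namespace's `default` ServiceAccount, so every pod in `kafka` that does not set `serviceAccountName`, not only the brokers running this init script, gains `get`/`update`/`patch` on all pods in the namespace. Suggest creating a dedicated ServiceAccount for the broker StatefulSet and binding `pod-labler` to that subject instead, which keeps the grant to the one workload that needs it. `update` also looks surplus for `kubectl label`, which patches the object; worth confirming and removing the verb if so. Minor: the file name and Role use `labler`, the usual spelling is `labeler`.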