
Comments (6)

jseguillon commented on May 10, 2024

Maybe we could imagine an operator pattern waiting for new debug sessions requested via CRDs? CRDs have full RBAC control and the operator could secure things enough with a service account and a Pod Security Policy.
Maybe also some annotations on the pod to explicitly authorize debugging (meaning that if you can modify this annotation, then it's OK to debug this pod)?

from kubectl-debug.

kklin commented on May 10, 2024

JOOC, how are you planning on doing authentication? Is it possible to piggy-back off of RBAC and have users authenticate with the user in their kubeconfig? Or will you need to implement your own authentication flow?

I've been thinking about this for a project I'm working on, so would love to hear your thoughts!


kklin commented on May 10, 2024

Ah, or are you planning on using this thing? https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/

There's so many concepts in Kubernetes...


aylei commented on May 10, 2024

To be honest, I am not familiar with authz & authn in Kubernetes. But yes, I plan to build an Extension API Server to serve as the gateway for kubectl-debug, and the idea is mainly inspired by this document. The key API to integrate with Kubernetes RBAC is SubjectAccessReview.

The same mechanism can be implemented in the agent, too. Kubelet does so for node resources.

from kubectl-debug.
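
The SubjectAccessReview check mentioned in the comment above, sketched as an added example (it is not code from the thread or from the kubectl-debug project). The function names, the sample user, namespace and pod, and the choice to authorize a debug session like `create` on `pods/exec` are all assumptions made for illustration:

```go
package main

import ("encoding/json"; "fmt")

// NewDebugReview builds the body a gateway would POST to
// /apis/authorization.k8s.io/v1/subjectaccessreviews for a caller it has
// already authenticated. Assumption (not from the thread): a debug session
// is authorized like exec, i.e. verb "create" on the pods/exec subresource.
func NewDebugReview(user string, groups []string, ns, pod string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"apiVersion": "authorization.k8s.io/v1",
		"kind":       "SubjectAccessReview",
		"spec": map[string]interface{}{
			"user": user, "groups": groups,
			"resourceAttributes": map[string]string{
				"namespace": ns, "verb": "create", "resource": "pods",
				"subresource": "exec", "name": pod},
		},
	})
}

// reviewReply is the part of the API server's answer the gateway acts on.
type reviewReply struct {
	Kind   string `json:"kind"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Denied  bool   `json:"denied"`
		Reason  string `json:"reason"`
	} `json:"status"`
}

// Allowed fails closed: an unreadable reply, a wrong kind, an explicit denial
// or a missing "allowed" field all refuse the debug session.
func Allowed(reply []byte) (bool, string) {
	var r reviewReply
	if err := json.Unmarshal(reply, &r); err != nil {
		return false, "unreadable review reply"
	}
	if r.Kind != "SubjectAccessReview" || r.Status.Denied || !r.Status.Allowed {
		return false, r.Status.Reason
	}
	return true, r.Status.Reason
}

func main() {
	// Constructed user, group, namespace and pod; constructed API server reply.
	body, _ := NewDebugReview("jane", []string{"dev"}, "shop", "cart-0")
	fmt.Println(string(body))
	fmt.Println(Allowed([]byte(`{"kind":"SubjectAccessReview","status":{"allowed":true}}`)))
}
```

The gateway's own service account needs permission to create `subjectaccessreviews`, and the user and groups placed in the review must come from the authenticated request, never from client-supplied fields.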

kklin commented on May 10, 2024


aylei commented on May 10, 2024

@jseguillon Great idea at a glance! I will carefully consider this idea in the coming days.

