Auto-connect request for k8s-snap

louiseschmidtgen · September 27, 2024, 2:01pm

Hello Team,

Currently, our strict k8s-snap is missing the following interfaces to be auto-connected upon install: All of these interfaces are not auto-connected by default:

firewall-control,
hardware-observe
home,
kernel-module-observe
log-observe
login-session-observe
mount-observe,
network-control,
network-observe,
process-control,
system-observe

Currently our k8s snap has these interfaces being auto-connected upon the snap install:

ubuntu@strict130edge2:/home/ubuntu$ snapctl is-connected --list
cilium-module-load
docker-privileged
docker-unprivileged
home-read-all
kubernetes-support
network
network-bind
opengl

This makes the total list of required interfaces for the k8s-snap:

cilium-module-load
docker-privileged
docker-unprivileged
firewall-control
hardware-observe
home
home-read-all
kernel-module-observe
kubernetes-support
log-observe
login-session-observe
mount-observe
network
network-bind
network-control
network-observe
opengl
process-control
system-observe

All listed required interfaces are auto-connected for the MicroK8s snap already and Canonical K8s will make use of them in a similar fashion. (See MicroK8s Interfaces: microk8s/microk8s-resources/actions/common/utils.sh at ee4558ad793e2e96cb316097df04e8ee51e3b9ec · canonical/microk8s · GitHub)

Thank you very much for your help!

jslarraz · September 30, 2024, 2:25pm

Hey @louiseschmidtgen

+1 from me for granting auto-connection to the requested interfaces. Those makes sense for k8s, and as discussed, all of them are already auto-connected by microk8s snap

firewall-control,
hardware-observe
home,
kernel-module-observe
log-observe
login-session-observe
mount-observe,
network-control,
network-observe,
process-control,
system-observe

Just one question, is network-observe providing any extra privilege not granted by network-control?

cav · October 1, 2024, 12:49am

Given your reasoning, these interfaces provide expected functionality for the snap. +1 from me as well for auto-connecting:

firewall-control,
hardware-observe
home,
kernel-module-observe
log-observe
login-session-observe
mount-observe,
network-control,
network-observe,
process-control,
system-observe

louiseschmidtgen · October 1, 2024, 8:44am

Hi @jslarraz, using snappy-debug we determined that network-observe is a necessary interface as well, it allows kubernetes binaries to interact with interfaces, iptables etc. We granted the same privilege to MicroK8s.

jslarraz · October 4, 2024, 12:39pm

Hey @louiseschmidtgen

The voting period has ended. We could proceed to grant the auto-connection to the requested interfaces once a new revision of the snap declaring those interfaces will be uploaded to the store.

Thanks

louiseschmidtgen · October 7, 2024, 6:48am

Hi @jslarraz

The currently published strict snap is already declaring these interfaces. Please proceed to auto-connect the interfaces.

Thank you! Have a great start into the week.

jslarraz · October 7, 2024, 7:47am

Hi @louiseschmidtgen

This is now live. Please let me know if everything is working as expected.

Thanks

louiseschmidtgen · October 7, 2024, 7:48am

Thank you @jslarraz!