Auto-connect request for k8s-snap

Hello Team,

Currently, our strict k8s-snap is missing the following interfaces, which need to be auto-connected upon install. None of these interfaces are auto-connected by default:

  • firewall-control
  • hardware-observe
  • home
  • kernel-module-observe
  • log-observe
  • login-session-observe
  • mount-observe
  • network-control
  • network-observe
  • process-control
  • system-observe

Currently our k8s snap has these interfaces being auto-connected upon the snap install:

ubuntu@strict130edge2:/home/ubuntu$ snapctl is-connected --list
cilium-module-load
docker-privileged
docker-unprivileged
home-read-all
kubernetes-support
network
network-bind
opengl

This makes the total list of required interfaces for the k8s-snap:

cilium-module-load
docker-privileged
docker-unprivileged
firewall-control
hardware-observe
home
home-read-all
kernel-module-observe
kubernetes-support
log-observe
login-session-observe
mount-observe
network
network-bind
network-control
network-observe
opengl
process-control
system-observe

All listed required interfaces are auto-connected for the MicroK8s snap already and Canonical K8s will make use of them in a similar fashion. (See the MicroK8s interfaces in canonical/microk8s on GitHub: microk8s-resources/actions/common/utils.sh at commit ee4558ad793e2e96cb316097df04e8ee51e3b9ec.)

Thank you very much for your help!
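As an added example that is not part of this thread or of the k8s-snap project: a small POSIX shell check that compares the interfaces actually connected for a snap (one name per line, as `snapctl is-connected --list` prints them above) against the required list totalled in the request, reporting both missing interfaces and any connected ones beyond that list. The interface names come from the thread; the sample connected set, and the extra `removable-media` entry in it, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or the k8s-snap project.
# Compares a snap's connected interfaces (stdin, one per line) against the
# required list from the request: missing ones mean lost functionality,
# unexpected ones mean privilege beyond what was reviewed.
# On a real host, pipe in the output of `snapctl is-connected --list`.

# Required interface list, as totalled in the request above.
REQUIRED="cilium-module-load docker-privileged docker-unprivileged firewall-control \
hardware-observe home home-read-all kernel-module-observe kubernetes-support \
log-observe login-session-observe mount-observe network network-bind \
network-control network-observe opengl process-control system-observe"

# Prints each required interface absent from the connected list on stdin.
# grep -x matches whole lines, so "home" does not match "home-read-all".
missing_interfaces() {
  connected=$(cat)
  for iface in $REQUIRED; do
    printf '%s\n' "$connected" | grep -qx "$iface" || printf '%s\n' "$iface"
  done
}

# Prints each connected interface (stdin) that is not on the required list.
unexpected_interfaces() {
  while IFS= read -r iface; do
    [ -n "$iface" ] || continue
    case " $REQUIRED " in
      *" $iface "*) ;;
      *) printf '%s\n' "$iface" ;;
    esac
  done
}

# Constructed sample: the pre-request auto-connected set quoted in the thread,
# plus one interface (removable-media) that is NOT on the required list.
SAMPLE_CONNECTED="cilium-module-load
docker-privileged
docker-unprivileged
home-read-all
kubernetes-support
network
network-bind
opengl
removable-media"

echo "Missing interfaces:"
printf '%s\n' "$SAMPLE_CONNECTED" | missing_interfaces
echo "Unexpected interfaces:"
printf '%s\n' "$SAMPLE_CONNECTED" | unexpected_interfaces
```

On the sample input the missing list is exactly the eleven interfaces the request asks to auto-connect, and the unexpected list is just `removable-media`.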

Hey @louiseschmidtgen

+1 from me for granting auto-connection to the requested interfaces. Those make sense for k8s and, as discussed, all of them are already auto-connected by the microk8s snap:

  • firewall-control
  • hardware-observe
  • home
  • kernel-module-observe
  • log-observe
  • login-session-observe
  • mount-observe
  • network-control
  • network-observe
  • process-control
  • system-observe

Just one question, is network-observe providing any extra privilege not granted by network-control?

Given your reasoning, these interfaces provide expected functionality for the snap. +1 from me as well for auto-connecting:

  • firewall-control
  • hardware-observe
  • home
  • kernel-module-observe
  • log-observe
  • login-session-observe
  • mount-observe
  • network-control
  • network-observe
  • process-control
  • system-observe

Hi @jslarraz, using snappy-debug we determined that network-observe is a necessary interface as well; it allows the kubernetes binaries to interact with interfaces, iptables, etc. We granted the same privilege to MicroK8s.

Hey @louiseschmidtgen

The voting period has ended. We can proceed to grant the auto-connection to the requested interfaces once a new revision of the snap declaring those interfaces has been uploaded to the store.

Thanks