Hi, I am trying to build a snap package for the Linkerd CLI. I was able to get it working in the classic confinement. Now we’re trying to use the strict confinement.
There are three requirements for the CLI:
- Network access
- Read access to ~/.kube
- Capability to verify the kubectl version installed on the user’s system.
Setting up network access was easy but I am struggling with the other two requirements.
Here is the snapcraft.yaml file:
name: linkerd
base: core18
version: '2.7.0'
summary: Command-line utility to interact with linkerd
description: |
  Linkerd is a service mesh, designed to give platform-wide observability,
  reliability, and security without requiring configuration or code changes.
grade: stable
confinement: strict
parts:
  linkerd:
    plugin: dump
    source: .
    stage:
      - target/release/linkerd2-cli-*-linux
    override-stage: |
      snapcraftctl stage
      cp target/release/linkerd2-cli-*-linux $SNAPCRAFT_PRIME/linkerd
plugs:
  kube-config:
    interface: personal-files
    read:
      - $HOME/.kube
apps:
  linkerd:
    command: linkerd
    plugs:
      - network
      - home
      - kube-config
End goal
The end goal is to run linkerd check --pre and get output like this:
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API
kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version
pre-kubernetes-setup
--------------------
√ control plane namespace does not already exist
√ can create non-namespaced resources
√ can create ServiceAccounts
√ can create Services
√ can create Deployments
√ can create CronJobs
√ can create ConfigMaps
√ can create Secrets
√ can read Secrets
√ no clock skew detected
pre-kubernetes-capability
-------------------------
√ has NET_ADMIN capability
√ has NET_RAW capability
linkerd-version
---------------
√ can determine the latest version
‼ cli is up-to-date
unsupported version channel: git-68634a30
see https://linkerd.io/checks/#l5d-version-cli for hints
Status check results are √
Issues
The application is not able to find the Kubernetes config located at ~/.kube. After installing the generated snap, connecting the personal file interface using snap connect linkerd:kube-config and running linkerd check --pre, the program complains that it can’t access the Kubernetes config file.
kubernetes-api
--------------
× can initialize the client
error configuring Kubernetes API client: invalid configuration: no configuration has been provided
see https://linkerd.io/checks/#k8s-api for hints
Status check results are ×
Weirdly, if I pass the path to the kubeconfig via the command line, it does seem to find the config.
So if I run linkerd check --pre --kubeconfig ~/.kube/config, it does seem to find the config which is weird.
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API
kubernetes-version
------------------
√ is running the minimum Kubernetes API version
× is running the minimum kubectl version
exec: "kubectl": executable file not found in $PATH
see https://linkerd.io/checks/#kubectl-version for hints
pre-kubernetes-setup
--------------------
√ control plane namespace does not already exist
√ can create non-namespaced resources
√ can create ServiceAccounts
√ can create Services
√ can create Deployments
√ can create CronJobs
√ can create ConfigMaps
√ can create Secrets
√ can read Secrets
√ no clock skew detected
pre-kubernetes-capability
-------------------------
√ has NET_ADMIN capability
√ has NET_RAW capability
linkerd-version
---------------
√ can determine the latest version
‼ cli is up-to-date
unsupported version channel: git-68634a30
see https://linkerd.io/checks/#l5d-version-cli for hints
Status check results are ×
In this case it’s not able to find the kubectl binary which is installed on my system in /usr/local/bin.
Any help regarding what could be going wrong would be very much appreciated.
Edit
I also tried adding both .kube and .kube/config as shown below but the same problem persists.
plugs:
  kube-config:
    interface: personal-files
    read:
      - $HOME/.kube
      - $HOME/.kube/config
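
Added example, not part of the original post and not Linkerd or snapd code: under strict confinement snapd sets HOME to the snap's per-user data directory, so a default lookup of $HOME/.kube/config lands there instead of in the real ~/.kube, which matches the difference seen above between the default run and the --kubeconfig run. The wrapper below is a hypothetical script for the snap's command entry; it assumes snapd exports SNAP_REAL_HOME and that --kubeconfig is accepted before the subcommand, and the function names and sample paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical wrapper for the
# snap's "command:" entry; function names are illustrative.

# Print the kubeconfig path to use.
# $1 = HOME as seen inside the snap, $2 = the user's real home (may be empty)
resolve_kubeconfig() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2/.kube/config"
    else
        printf '%s\n' "$1/.kube/config"   # what a default $HOME lookup yields
    fi
}

# Print the first executable file named $1 in the colon-separated list $2;
# return 1 when there is none (the "not found in $PATH" case).
find_in_path() (
    IFS=:; set -f
    for dir in $2; do
        candidate=${dir:-.}/$1
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
)

if [ -n "${SNAP:-}" ] && [ -x "$SNAP/linkerd" ]; then
    # Inside the snap: warn if kubectl is not visible, then hand over.
    find_in_path kubectl "$PATH" >/dev/null ||
        echo "wrapper: no kubectl on PATH=$PATH" >&2
    # An explicit KUBECONFIG from the user is left alone.
    [ -n "${KUBECONFIG:-}" ] && exec "$SNAP/linkerd" "$@"
    # SNAP_REAL_HOME is assumed to be exported by snapd.
    cfg=$(resolve_kubeconfig "$HOME" "${SNAP_REAL_HOME:-}")
    exec "$SNAP/linkerd" --kubeconfig "$cfg" "$@"
else
    # Outside a snap: show both outcomes on constructed paths.
    resolve_kubeconfig /home/alice/snap/linkerd/x1 ""
    resolve_kubeconfig /home/alice/snap/linkerd/x1 /home/alice
fi
```

The personal-files plug still has to be connected for the read of the real ~/.kube to be permitted; the wrapper only changes which path is asked for.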