Personal-files request for k9s-nsg

I did a community/unofficial snap (k9s-nsg) of the application K9s (k9s looks abandoned). It is a Kubernetes management application. K9s needs access to the Kubernetes credentials to work; they are expected to be stored at the default location in ~/.kube. The kubectl snap uses that too.

read:
  - $HOME/.kube
write:
  - $HOME/.kube/cache
  - $HOME/.kube/http-cache

I leave it up to the reviewer if you feel that an auto-connect is appropriate here. I have added a simple error message telling the user how to connect the interface. This is a CLI application.

Fyi, k9s used:

plugs:
  kube-config:
    interface: personal-files
    read:
    - $HOME/.kube

so this request adds the cache write accesses. @advocacy, @store - @nsg claims that the k9s snap seems abandoned. Is this a case where a transfer of ownership is warranted?

I noticed, the k9s snap packages version 0.7.12, I package the latest 0.20.5 so I guess things have changed. I noticed plenty of apparmor denials when I tried running it w/o the cache directories.

I have pinged the maintainer (and the owner of the snap k9s) over at GitHub to see if I can help. If possible I think the best thing would be for the upstream project to package and release the snap directly. It looks like derailed had several different issues with the snap and I guess he lost interest.

@derailed I will give you a ping here as well. For me the only important thing is that the really awesome tool is available and easy to install, and of course I'm somewhat biased and like snaps :)

@jdstrand @nsg Thank you both for the update! As much as I would love to have the popular k9s available as a snap, the process to get what k9s needs to be installed correctly has been very slow and painful. I had voices for k9s to be on par with kubectl and have classic access but this process came to a grinding halt. I am all ears and would love to release k9s as a snap if we can all agree and make this happen here.

Thank you!

The only feature in the software k9s that requires classic at the moment is the "open this file in your $EDITOR" function. To unblock myself I just picked nvim and nano as the only choices in k9s-nsg. My understanding is that there is no xdg portal available to ask the user access to run arbitrary binaries. I'm missing some alternative possibility here?

After some reflections from my part …

From the last post in derailed store-request it sounds like it is preferred (by @derailed) that k9s is able to access the user's kubectl from $PATH. This will of course not work in a strict confinement. This may change in the future with new fancy snapd/portal features. The only way for this to work would be to make it classic.

I found the largest blocker to be the "open this in your $EDITOR" feature that at the moment requires k9s to use classic to function fully. I'm not using that function and I much prefer to use a confined snap over a much less secure classic snap.

@derailed I love to help you with the k9s snap, I think you have three options at the moment:

  1. Make your case for classic to Canonical (you have a few unanswered questions)
  2. Wait for snapd to evolve the needed features so everything works in a strict confinement
  3. Publish the snap with less functionality

Let me know how you like to move on, I guess alternative 2 is what's going on at the moment. If you like to stick with it I suggest you make the k9s snap private to prevent users from finding and installing the really old and broken version published in the store. Alternative 3 is more or less what I did in k9s-nsg or just remove the e function in the snap.

@jdstrand I feel that there is still a need for k9s-nsg, if the user is fine with the bundled kubectl and vim or nano as an editor, my snap is fully functional. For me and several of my colleagues this snap would be a perfect fit. I like to move on with my original request so I can publish the snap.

@nsg - sorry for the delay. Can you describe what is in $HOME/.kube/cache and $HOME/.kube/http-cache?

No worry!

http-cache contains cached HTTP requests (HTTP header + body). The cache is a more formatted local cache of JSON data. So in short, they contain cached data that kubectl has done to speed things up.

I guess I could investigate to redirect these two directories inside $SNAP_USER_DATA, I could take a quick peek how hard that would be. I'm not sure that would add any additional security. I will ping you when I have done so.

Okay, done! @jdstrand

In commit e7dba5ffdcc962532c52f1228e8751c483b1cd1b I removed the need for write. The snapcraft.yml now only contains:

plugs:
  kube-config:
    interface: personal-files
    read:
      - $HOME/.kube

So that's what I'm asking for now.
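
Added example, not part of the thread and not the k9s-nsg snap's own code: a launcher sketch that works with the read-only `kube-config` plug by checking that ~/.kube is readable and keeping the kubectl cache under $SNAP_USER_DATA. The function names, the `kube-cache` directory name and the fallback path are assumptions made for illustration; `--cache-dir` is kubectl's own global flag.

```shell
#!/bin/sh
# Hypothetical launcher helpers for a strictly confined snap whose
# personal-files plug grants read access to ~/.kube only.

# Succeeds when the kube config directory exists and can be listed.
kube_dir_readable() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# Prints the per-snap cache directory. SNAP_USER_DATA is set by snapd;
# the fallback path is an assumption so the helper also runs outside a snap.
snap_cache_dir() {
    base="${SNAP_USER_DATA:-${HOME}/.cache/k9s-example}"
    printf '%s/kube-cache\n' "$base"
}

# Checks read access, creates the private cache directory and prints its
# path. Returns 1 with a hint when the interface is not connected.
prepare_kube_env() {
    kube_dir="$1"
    if ! kube_dir_readable "$kube_dir"; then
        echo "Cannot read $kube_dir. Connect the interface with:" >&2
        echo "  snap connect k9s-nsg:kube-config" >&2
        return 1
    fi
    cache="$(snap_cache_dir)"
    # The cache holds HTTP headers and bodies from the cluster API,
    # so keep it readable by the owner only.
    mkdir -p "$cache" && chmod 700 "$cache" || return 1
    printf '%s\n' "$cache"
}

# Launcher use (left as a comment so the helpers can be sourced):
#   cache="$(prepare_kube_env "$HOME/.kube")" || exit 1
#   exec kubectl --cache-dir "$cache" "$@"
```

With the cache redirected this way, nothing is written under ~/.kube and the plug needs no `write:` entries.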

+1 to allow use of and auto-connection for personal-files for read access to ~/.kube with the interface reference of kube-config.

@reviewers - can others please vote?

+1 from me as well, for use of and auto-connection of personal-files for read access to ~/.kube.

+1 from me too - +3 votes for, 0 votes against, auto-connect of personal-files instance kube-config for read access to ~/.kube. This is now live.

I triggered a build to release v0.21.7 to edge and got stuck in review again with a warning:

override not found for 'plugs/kube-config'. Use of the personal-files interface is reserved for vetted publishers. /…/

@alexmurray also wrote in the review:

Manually approving this revision - in the future, once an updated version of the review-tools is deployed to the store, additional uploads should pass review automatically.

Do I need to do anything more? Will you manually review the releases until the updated review-tools is released? Any idea when the update will happen? No hurry really, just curious.

I have manually approved this revision as well - @jdstrand / @roadmr may be able to comment regarding the timeline for deployment of an updated version of the review-tools.

We are in the process of validating the review-tools to request a store pull. Once that is done, it should be less than a week. We will monitor the review queue and manually approve in the meantime.

As an aside, the update to the review-tools we are verifying will remove the need for modifying review-tools overrides and everything will be able to be done as part of issuing the snap declaration in the store. That doesn't help you now, but may help you for other snaps.