I did a community/unofficial snap (k9s-nsg) of the application K9s (k9s looks abandoned). It is a Kubernetes management application. K9s needs access to the Kubernetes credentials to work; they are expected to be stored at the default location in ~/.kube. The kubectl snap uses that too.
I noticed the k9s snap packages version 0.7.12; I package the latest, 0.20.5, so I guess things have changed. I noticed plenty of AppArmor denials when I tried running it w/o the cache directories.
I have pinged the maintainer (and the owner of the snap k9s) over at GitHub to see if I can help. If possible I think the best thing would be for the upstream project to package and release the snap directly. It looks like derailed had several different issues with the snap and I guess he lost interest.
@derailed I will give you a ping here as well. For me the only important thing is that the really awesome tool is available and easy to install, and of course I’m somewhat biased and like snaps.
@jdstrand @nsg Thank you both for the update! As much as I would love to have the popular k9s available as a snap, the process to get what k9s needs to be installed correctly has been very slow and painful. I had voiced for k9s to be on par with kubectl and have classic access, but this process came to a grinding halt. I am all ears and would love to release k9s as a snap if we can all agree and make this happen here.
The only feature in the software k9s that requires classic at the moment is the “open this file in your $EDITOR” function. To unblock myself I just picked nvim and nano as the only choices in k9s-nsg. My understanding is that there is no xdg portal available to ask the user for access to run arbitrary binaries. Am I missing some alternative possibility here?
From the last post in derailed’s store-request it sounds like it is preferred (by @derailed) that k9s is able to access the user’s kubectl from $PATH. This will of course not work in a strict confinement. This may change in the future with new fancy snapd/portal features. The only way for this to work would be to make it classic.
I found the largest blocker to be the “open this in your $EDITOR” feature that at the moment requires k9s to use classic to function fully. I’m not using that function and I much prefer to use a confined snap over a much less secure classic snap.
@derailed I would love to help you with the k9s snap. I think you have three options at the moment:
Wait for snapd to evolve the needed features so everything works in a strict confinement
Publish the snap with less functionality
Let me know how you would like to move on; I guess alternative 2 is what’s going on at the moment. If you would like to stick with it, I suggest you make the k9s snap private to prevent users from finding and installing the really old and broken version published in the store. Alternative 3 is more or less what I did in k9s-nsg, or just remove the e function in the snap.
@jdstrand I feel that there is still a need for k9s-nsg; if the user is fine with the bundled kubectl and vim or nano as an editor, my snap is fully functional. For me and several of my colleagues this snap would be a perfect fit. I would like to move on with my original request so I can publish the snap.
http-cache contains cached HTTP requests (HTTP header + body). The cache is a more formatted local cache of JSON data. So in short, they contain cached data that kubectl has done to speed things up.
I guess I could investigate redirecting these two directories inside $SNAP_USER_DATA; I could take a quick peek at how hard that would be. I’m not sure that would add any additional security. I will ping you when I have done so.
We are in the process of validating the review-tools to request a store pull. Once that is done, it should be less than a week. We will monitor the review queue and manually approve in the meantime.
As an aside, the update to the review-tools we are verifying will remove the need for modifying review-tools overrides and everything will be able to be done as part of issuing the snap declaration in the store. That doesn’t help you now, but may help you for other snaps.