Request for classic confinement for kubectl-iexec

gabeduke · September 21, 2020, 3:53am

Hello I would like to request classic confinement for the plugin kubectl-iexec.

I am a snap n00b but as far as I can tell this is required to read the KUBECONFIG file in the user’s home directory (it is in a hidden dir ~/.kube/config). This is the same confinement that kubectl uses which is how I discovered it would be necessary.

The error without classic confinement is Error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

If possible I would love any suggestions to work around this, here is what I have unsuccesfully attempted:

snapcraft.yaml:

name: kubectl-iexec
base: core18
version: '1.9.0'
summary: Kubernetes plugin to interactively exec to a pod
description: |
  Kubectl-iexec is a plugin providing an interactive selector to exec into a running pod. For a search filter,
  the plugin will return a list of pods and containers that match, then perform a kubectl exec to the selection.

grade: devel # must be 'stable' to release into candidate/stable channels
confinement: devmode # use 'strict' once you have the right plugs and slots

parts:
  kubect-iexec:
    plugin: go
    go-importpath: github.com/gabeduke/kubectl-iexec
    source: .
    source-type: git
apps:
  kubectl-iexec:
    command: kubectl-iexec
    plugs: [ "home", "network", "network-bind", "personal-files" ]


plugs:
  kubectl-iexec:
    interface: personal-files
    read:
      - $HOME/.kube

alexmurray · September 29, 2020, 4:48am

There should be no need for classic - personal-files should suffice for this. However there are some issues with your snapcraft.yaml - can you please change it to be as follows:

apps:
  kubectl-iexec:
    command: kubectl-iexec
    plugs: [ "home", "network", "network-bind", "dot-kube" ]


plugs:
  dot-kube:
    interface: personal-files
    read:
      - $HOME/.kube

(ie for consistency the personal-files instance should be named dot-kube but crucially, this is the name that must be listed under plugs, not the generic personal-files).

This should allow read access to the users $HOME/.kube when connected. Assuming this then works, you would need to request auto-connect to and use of this personal-files instance - in that case, you can reuse this thread and just change the title as appropriate.

emitorino · October 15, 2020, 2:43am

Hey @gabeduke ping, could you try @alexmurray suggestions? Thanks!

alexmurray · October 27, 2020, 7:54am

@gabeduke - ping, this request cannot proceed without the requested information?

pfsmorigo · November 6, 2020, 7:57pm

@gabeduke - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks* "