Request for personal-files confinement for kafkactl snap

Hey everyone,

I would like to request classic confinement for the kafkactl snap.

Up to now we were quite happy using strict confinement, but our latest release includes the ability to run kafkactl with a kubernetes cluster configured.
This utilizes kubectl run to deploy a kafkactl container in kubernetes. This is described in more detail here: https://github.com/deviceinsight/kafkactl/blob/master/README.md#running-in-kubernetes

This does not currently work for the snap package since access to the kubectl executable is prohibited.
It is also not possible to include kubectl in our snap because the kubectl version needed depends on the version of the kubernetes cluster.

We therefore see classic confinement as the only option for our snap package.

– UPDATE: –

This thread is no longer about classic confinement, but we need personal-files access to the following:

  • ~/.kube folder, since this is where kubectl places its config files. We need access to talk to kafka clusters running in kubernetes.
  • ~/.config/kafkactl/config.yml, which is the default location for the kafkactl config. This location should be consistent regardless of how kafkactl was installed.

Hey @dwi-di,

If you take a look at our Process for reviewing classic confinement snaps, the need of running kubectl is not enough for this request to be accepted (it falls under the unsupported category). If you need to support several kubectl versions, you could either a) ship them all in your snap, and then decide which one to use at runtime b) make use of snap tracks. Would either of these two options work for kafkactl?

Please remember classic snaps are not installable on Ubuntu Core devices and also run in the global mount namespace, which means great care must be taken for the snap to work reliably across distributions.

@emitorino

From what I understand, kubectl is a "kubernetes tools requiring arbitrary authentication agents", so wouldn’t any app which includes it fall under this supported reason for classic confinement?

1 Like

Hey @emitorino,
I thought that the snap package for helm has a similar requirement and uses classic confinement, but I searched the forum and found at least those two requests that are similar to mine:

There it is stated that classic confinement for helm was granted some years ago and things are different now.

I gave this some thought and I can probably live without classic, but I will need access to the ~/.kube/ folder in order to read kubectl configs from the default location. For that I would need the personal-files interface.

What do I need to do for that?

While I’m already at it, can I also get access to ~/.config/kafkactl, which is the xdg config dir for kafkactl and where people usually expect the config to be?

Thanks for your help.

Hey @dwi-di,

Here you have an example of what your yaml should look like for read access to $HOME/.kube and another example to request access to ~/.config/kafkactl.

Please update the request title/info so it falls under the correct category of our queue.

Thanks!
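
For reference, a sketch of the snapcraft.yaml stanzas the reply above refers to. This is an added example, not part of the original thread and not the kafkactl project's own file; the plug names, the `command` value and the choice of `write` for the config directory are assumptions.

```yaml
# Added example: personal-files plugs for a strictly confined snap.
# Plug names are assumptions following the usual naming pattern
# (dot-<name> for ~/.<name>, config-<name> for ~/.config/<name>).
name: kafkactl
confinement: strict

plugs:
  # Read-only access to the kubectl configuration directory.
  dot-kube:
    interface: personal-files
    read:
      - $HOME/.kube

  # Access to the kafkactl XDG config directory.
  # Assumption: the tool updates its own config, so write is requested;
  # use "read:" instead if it only ever reads the file.
  config-kafkactl:
    interface: personal-files
    write:
      - $HOME/.config/kafkactl

apps:
  kafkactl:
    command: kafkactl      # assumed path of the binary inside the snap
    plugs:
      - network
      - dot-kube
      - config-kafkactl
```

personal-files plugs are not connected automatically unless the store grants auto-connection, so until then a user has to run `snap connect kafkactl:dot-kube` and `snap connect kafkactl:config-kafkactl`. Inside strict confinement `$HOME` points at the snap's own per-user directory, so the application has to resolve these paths against the real home directory (snapd exposes it as `SNAP_REAL_HOME`).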

Hey @galgalesh,

Even though we have such a category for granting classic, it is not exactly the situation for kafkactl. Their need is related to getting access to $HOME/.kube, which is possible with strict confinement and the use of the personal-files interface.

Thanks as always for your active participation in this forum!

1 Like

Hey @dwi-di,

Could you analyze the alternatives suggested? Thanks!

Hey @emitorino,

Sorry for being unresponsive. I’m working on the corresponding code changes and hopefully the new version can be submitted in the middle of next week.
I will then update the title/info accordingly.

1 Like