
achilles-token-controller

This is an example Achilles SDK-based controller showcasing SDK basics. It implements the AccessToken CRD, which lets you create a Kubernetes bearer token scoped to a declared set of namespaced and cluster-wide RBAC permissions.

Running the controller

  1. Clone the achilles-token-controller.

    git clone [email protected]:reddit/achilles-token-controller.git
    
  2. Ensure you have k3d installed.

  3. Deploy a local cluster with k3d.

    k3d cluster create orch

  4. Verify the above command switched your kubecontext to the k3d cluster.

    kubectl config current-context

    The output should be:

    k3d-orch

  5. Build the controller image.

    make docker

  6. Load the controller image into the k3d cluster.

    k3d image import achilles-token-controller:latest -c orch

  7. Open manifests/base/manager.yaml and replace image: REPLACE-ME with image: achilles-token-controller:latest. If this file doesn't exist, run make generate first.

  8. Create the namespace for the controller.

    kubectl create namespace achilles-system

  9. Deploy the controller.

    kubectl apply -f manifests/base/manager.yaml
  10. Test the controller by applying this example AccessToken (save it to a file and run kubectl apply -f on it).

    apiVersion: group.example.com/v1alpha1
    kind: AccessToken
    metadata:
      name: test
      namespace: default
    spec:
      namespacedPermissions:
      - namespace: default
        rules:
        - apiGroups: [""]
          resources: ["configmaps"]
          verbs:     ["*"]
      - namespace: kube-system
        rules:
        - apiGroups: [""]
          resources: ["configmaps"]
          verbs:     ["get", "list", "watch"]
      clusterPermissions:
        rules:
        - apiGroups: [""]
          resources: ["namespaces"]
          verbs:     ["get", "list", "watch"]
  11. Check that the AccessToken was processed successfully.

    kubectl get accesstoken test -n default -oyaml

    You should see the following status condition, indicating that the object was reconciled successfully.

     status:
       conditions:
       - lastTransitionTime: "2024-10-24T17:33:35Z"
         message: All conditions successful.
         observedGeneration: 1
         reason: ConditionsSuccessful
         status: "True"
         type: Ready

    You'll also see that it provisioned a deploy token as a Secret; the Secret's name is under status.tokenSecretRef. Anyone who can read that Secret holds the token, so guard access to it as you would any other credential.

  12. As a bonus, we can use kubectl auth can-i to check that the deploy token in fact has the permissions we declared for it. kubectl auth can-i --as impersonates a principal and asks the API server whether that principal may perform an action, so we first need to locate the ServiceAccount that the AccessToken was created for; it is listed under status.resourceRefs with kind: ServiceAccount. The commands below assume it is named test in the default namespace, giving the principal system:serviceaccount:default:test; substitute the name you find there. The expected answers follow from the spec above: namespaced rules apply only in their own namespace, and clusterPermissions covers the cluster-scoped namespaces resource.

    kubectl auth can-i --as=system:serviceaccount:default:test create configmaps -n default # should report yes
    kubectl auth can-i --as=system:serviceaccount:default:test create configmaps -n kube-system # should report no
    kubectl auth can-i --as=system:serviceaccount:default:test list configmaps -n kube-system # should report yes
    kubectl auth can-i --as=system:serviceaccount:default:test create namespaces # should report no
    kubectl auth can-i --as=system:serviceaccount:default:test list namespaces # should report yes
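
Impersonation with --as asks the API server about the ServiceAccount's RBAC bindings; it never exercises the token that was actually written to the Secret. The script below is an added example and not part of achilles-token-controller: it reads the token from the Secret named in status.tokenSecretRef and repeats the checks as the token's own identity via kubectl's --token flag, extending the matrix with a few negative cases the README does not list (a namespace the spec never mentions, a resource it never grants). It assumes that status.tokenSecretRef.name names a Secret in the AccessToken's namespace and that the Secret stores the token under data.token, as a kubernetes.io/service-account-token Secret does; check the controller's CRD and adjust the jsonpath and go-template if your status or Secret layout differs.

```bash
#!/usr/bin/env bash
# Added example (not from achilles-token-controller): verify the minted token
# itself, rather than an impersonated ServiceAccount, against the permissions
# declared in the README's example AccessToken.
#
# Assumptions (check against the controller's CRD before relying on them):
#   - status.tokenSecretRef.name is the Secret name, in the AccessToken's namespace
#   - the Secret stores the bearer token under data.token
#
# Usage: source this file, then `verify_access_token test default`.
set -eu

# Print the bearer token for AccessToken $1 in namespace $2.
access_token_bearer() {
  local name=$1 ns=$2 secret
  secret=$(kubectl get accesstoken "$name" -n "$ns" -o jsonpath='{.status.tokenSecretRef.name}')
  [ -n "$secret" ] || { echo "AccessToken $ns/$name has no status.tokenSecretRef yet" >&2; return 1; }
  # base64decode is a kubectl go-template helper, so no host base64 quirks.
  kubectl get secret "$secret" -n "$ns" -o go-template='{{.data.token | base64decode}}'
}

# can_i TOKEN VERB RESOURCE [NAMESPACE]: prints yes/no as the token's own identity.
# `kubectl auth can-i` exits 1 on "no", so the exit status is swallowed on purpose
# and the printed answer is what gets compared.
can_i() {
  local token=$1 verb=$2 resource=$3 ns=${4:-}
  if [ -n "$ns" ]; then
    kubectl auth can-i "$verb" "$resource" -n "$ns" --token="$token" 2>/dev/null || true
  else
    kubectl auth can-i "$verb" "$resource" --token="$token" 2>/dev/null || true
  fi
}

# verify_access_token NAME NS: run the expectation matrix against the live token.
# Returns non-zero if any answer disagrees with the declared spec. Rows are
# "EXPECTED VERB RESOURCE [NAMESPACE]"; namespaced rules apply only in their own
# namespace, clusterPermissions applies everywhere.
verify_access_token() {
  local name=$1 ns=$2 token failures=0 expected verb resource target got
  token=$(access_token_bearer "$name" "$ns") || return 1
  while read -r expected verb resource target; do
    got=$(can_i "$token" "$verb" "$resource" "$target")
    if [ "$got" = "$expected" ]; then
      echo "ok   can-i $verb $resource ${target:+-n $target} -> $got"
    else
      echo "FAIL can-i $verb $resource ${target:+-n $target} -> '${got:-<error>}' (expected $expected)"
      failures=$((failures + 1))
    fi
  done <<'EOF'
yes create configmaps default
yes delete configmaps default
no  create configmaps kube-system
yes list configmaps kube-system
no  get configmaps kube-public
no  create namespaces
yes list namespaces
yes get namespaces
no  get secrets default
EOF
  [ "$failures" -eq 0 ]
}
```

Because the function exits non-zero on any mismatch, it doubles as a post-deploy check in CI. A mismatch on a "yes" row with an empty answer usually means the token did not authenticate at all (wrong Secret key, or the Secret not yet populated), which impersonation would never have surfaced.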