TechQA.

SharedIndexInformer (Fabric8 kubernetes-client) watches only pods of its own namespace when run in the cluster

1.9k views Asked by At

I am trying to build a Kubernetes controller using the excellent Fabric8 Kubernetes client for Java (https://github.com/fabric8io/kubernetes-client). As of now I use the version 4.10.3.

For that purpose I am constructing a SharedIndexInformer to properly watch resources events emitted by the cluster. I will take pods as resources example here.

So the SharedIndexInformer is constructed following this piece of code:

SharedIndexInformer<Pod> sharedIndexInformer = kubernetesClient.informers().sharedIndexInformerFor(
                objectClass,
                objectClassList,
                10 * 60 * 1000);

Following, lot of code to attach events handler, start the indexer, have a reconciliation loop and so on.

The indexer is working perfectly fine when started from my local machine, and I see all pods being listed. However, when I run it on a pod in my cluster (with RBAC properly defined), I see only the pods for the namespace where the pod is run on.

I checked explicitly in the pod that, using kubectl, the associated service account was capable to list all pods in the cluster, and not only in the current namespace.

What am I missing?

Thanks in advance for your help!

java kubernetes fabric8 kubernetes-operator
Original Q&A
1

There are 1 answers

1
Rohan Kumar On

I think this is due to the difference between how KubernetesClient creates it's Config when outside Kubernetes Cluster or inside a Pod. In the former case, KubernetesClient usually reads from your ~/.kube/config and connection information like token and namespace are picked up from your current context in your ~/.kube/config file.

However, when KubernetesClient is inside a Pod; it picks up connection Config information from loaded ServiceAccount, See Config.java. Bearer token gets picked from /var/run/secrets/kubernetes.io/serviceaccount/token and the default namespace to be used for namespaced API operations is picked from /var/run/secrets/kubernetes.io/serviceaccount/namespace. You can find more about it in Kubernetes Docs: Accessing API from a Pod. I think KubernetesClient is picking this namespace while loading the Config.

I think KubernetesClient is not handling this case properly. This should be fixed there. There is already an issue filed there: https://github.com/fabric8io/kubernetes-client/issues/2514

I'm not sure if right now informers can detect whether they are in-cluster or outside(This is only known till we load Config). Right now, informers provide way to specify namespace using OperationContext:

SharedInformerFactory sharedInformerFactory = client.informers();
SharedIndexInformer<Pod> podInformer = sharedInformerFactory.sharedIndexInformerFor(
        Pod.class,
        PodList.class,
        new OperationContext().withNamespace("default"),
        30 * 1000L);

Maybe for overriding this namespace being loaded from ServiceAccount we can allow setting null namespace:

SharedIndexInformer<Pod> podInformer = sharedInformerFactory.sharedIndexInformerFor(
        Pod.class,
        PodList.class,
        new OperationContext().withNamespace(null), // -> Doesn't work; Ideally should Watch in all namespaces,
        30 * 1000L);

Update:

The underlying issue seems to be fixed in v4.13.0. I've tested this on this demo project: https://github.com/r0haaaan/fabric8-kubernetes-java-informer-in-pod . It runs SharedIndexInformers in a project and deploy to Kubernetes using Kubernetes Maven Plugin. When I check logs, I can see that all pods seem to be listed:

fabric8-kubernetes-java-informers-in-pod : $ mvn k8s:log
[INFO] Scanning for projects...
[INFO] 
[INFO] --------< org.example:fabric8-kubernetes-java-informers-in-pod >--------
[INFO] Building fabric8-kubernetes-java-informers-in-pod 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- kubernetes-maven-plugin:1.0.2:log (default-cli) @ fabric8-kubernetes-java-informers-in-pod ---
[INFO] k8s: Using Kubernetes at https://192.168.39.24:8443/ in namespace default with manifest /home/rohaan/work/repos/fabric8-kubernetes-java-informers-in-pod/target/classes/META-INF/jkube/kubernetes.yml 
[INFO] k8s: Using namespace: default
[INFO] k8s: Watching pods with selector LabelSelector(matchExpressions=[], matchLabels={app=fabric8-kubernetes-java-informers-in-pod, provider=jkube, group=org.example}, additionalProperties={}) waiting for a running pod...
[INFO] k8s:  [NEW] fabric8-kubernetes-java-informers-in-pod-6f957b6b59-tpbgd status: Running Ready
[INFO] k8s:  [NEW] Tailing log of pod: fabric8-kubernetes-java-informers-in-pod-6f957b6b59-tpbgd
[INFO] k8s:  [NEW] Press Ctrl-C to stop tailing the log
[INFO] k8s:  [NEW] 
[INFO] k8s: Starting the Java application using /opt/jboss/container/java/run/run-java.sh ...
[INFO] k8s: INFO exec  java -javaagent:/usr/share/java/jolokia-jvm-agent/jolokia-jvm.jar=config=/opt/jboss/container/jolokia/etc/jolokia.properties -javaagent:/usr/share/java/prometheus-jmx-exporter/jmx_prometheus_javaagent.jar=9779:/opt/jboss/container/prometheus/etc/jmx-exporter-config.yaml -XX:+UseParallelOldGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:MaxMetaspaceSize=100m -XX:+ExitOnOutOfMemoryError -cp "." -jar /deployments/fabric8-kubernetes-java-informers-in-pod-1.0-SNAPSHOT-jar-with-dependencies.jar  
[INFO] k8s: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
[INFO] k8s: SLF4J: Defaulting to no-operation (NOP) logger implementation
[INFO] k8s: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
[INFO] k8s: WARNING: An illegal reflective access operation has occurred
[INFO] k8s: WARNING: Illegal reflective access by org.jolokia.util.ClassUtil (file:/usr/share/java/jolokia-jvm-agent/jolokia-jvm.jar) to constructor sun.security.x509.X500Name(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)
[INFO] k8s: WARNING: Please consider reporting this to the maintainers of org.jolokia.util.ClassUtil
[INFO] k8s: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
[INFO] k8s: WARNING: All illegal access operations will be denied in a future release
[INFO] k8s: Nov 10, 2020 5:37:50 PM io.fabric8.testing.SimpleSharedInformerRun main
[INFO] k8s: INFO: k8s.getConfiguration().getNamespace(): default
[INFO] k8s: I> No access restrictor found, access to any MBean is allowed
[INFO] k8s: Jolokia: Agent started with URL https://172.17.0.6:8778/jolokia/
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: default/fabric8-kubernetes-java-informers-in-pod-6f957b6b59-tpbgd
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: istio-system/istio-ingressgateway-64cfb9d44b-kk5ft
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: istio-system/istiod-7684b696d6-fhzwt
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: kube-system/coredns-f9fd979d6-g4htj
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: kube-system/etcd-minikube
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: kube-system/kube-apiserver-minikube
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: kube-system/kube-controller-manager-minikube
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: kube-system/kube-proxy-tpsrg
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: kube-system/kube-scheduler-minikube
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: kube-system/metrics-server-d9b576748-4w6jz
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: kube-system/storage-provisioner
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onAdd
[INFO] k8s: INFO: ADDED: rokumar/multi-container-pod
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: default/fabric8-kubernetes-java-informers-in-pod-6f957b6b59-tpbgd
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: istio-system/istio-ingressgateway-64cfb9d44b-kk5ft
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: istio-system/istiod-7684b696d6-fhzwt
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: kube-system/coredns-f9fd979d6-g4htj
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: kube-system/etcd-minikube
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: kube-system/kube-apiserver-minikube
[INFO] k8s:  [NEW] fabric8-kubernetes-java-informers-in-pod-6f957b6b59-tpbgd status: Running Ready
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: kube-system/kube-controller-manager-minikube
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: kube-system/kube-proxy-tpsrg
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: kube-system/kube-scheduler-minikube
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: kube-system/metrics-server-d9b576748-4w6jz
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: kube-system/storage-provisioner
[INFO] k8s: Nov 10, 2020 5:37:52 PM io.fabric8.testing.SimpleSharedInformerRun$1 onUpdate
[INFO] k8s: INFO: UPDATED: rokumar/multi-container-pod

Related Questions in JAVA

Related Questions in KUBERNETES

Related Questions in FABRIC8

Related Questions in KUBERNETES-OPERATOR

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions