Kubernetes SIG/Meetings/2024-02-27

Agenda:

  • Introductions for new members (if any):
  • SIG administrivia:
  • Misc:
    • [BT] superset migration going well (superset-next)
    • [JM] Have been carrying on the work that Luca started on the replacement for PodSecurityPolicies - It’s not very satisfactory at the moment. Wikikube still needs the ptrace capability, so none of the readily available solutions is suitable for wikikube. Other clusters might be able to get away with easier solutions. Hope to have something else to look at/consider next meeting.
  • Topic: Improve how we address outside k8s infrastructure from within charts (e.g. network policies)
    • Trying to fix the problem of needing to populate IPs from k8s-external systems inside of k8s (network-policies)
    • A) Get IPs automatically into chart values (deployment_server::global_config)
      • Read from puppetdb (ipv4 and ipv6)
      • Merge into yaml on deployment host
      • Pull into charts via helmfile.yaml includes
    • B) Having to re-deploy services that use k8s-external systems if those change (hosts added to or removed from Kafka clusters, etc.)
      • New system would reduce that to one deployment of a known chart instead of N unknown charts
    • Still some problems/drawbacks
      • This only works inside k8s
      • There is no generic interface representing external systems. E.g. data gathering is still pretty different depending on the external service (in global_config)
      • Deviating data structures might need adaptation of the chart
      • MariaDB is very different as there is no contract on specific IPs with data persistence
      • This locks us into Calico network-policies (and we need a generic way to not enable them, for example for local dev deployments)
    • Next steps:
      • Review/Merge the chart
      • Agree on some kind of namespace structure
      • Deploy the chart
      • Extend the networkpolicy module for charts
      • Update charts that would benefit