Skip to content
/ achilles-token-controller Public

Example Achilles SDK controller for tutorial purposes.

License

MIT license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

reddit/achilles-token-controller

BranchesTags

Repository files navigation

achilles-token-controller

This is an example Achilles SDK based controller showcasing SDK basics. It implements the AccessToken CRD, which allows creating a Kubernetes bearer token with specified permissions.

Running the controller

  1. Clone the achilles-token-controller.

    git clone [email protected]:reddit/achilles-token-controller.git

  2. Ensure you have k3d installed.

  3. Deploy a local cluster with k3d.

    k3d cluster create orch

  4. Verify the above command updated your kubecontext to the k3d cluster.

    kubectl config current-context

    The output should be:

    k3d-orch

  5. Build the controller image.

    make docker

  6. Load the controller image into the k3d cluster

    k3d image import achilles-token-controller:latest -c orch

  7. Open manifests/base/manager.yaml and replace image: REPLACE-ME with image: achilles-token-controller:latest. If this file doesn't exist, run make generate.

  8. Create the namespace for the controller

    kubectl create namespace achilles-system

  9. Deploy the controller.

    kubectl apply -f manifests/base/manager.yaml

  10. Test the controller with this example AccessToken.

    apiVersion: group.example.com/v1alpha1
kind: AccessToken
metadata:
  name: test
  namespace: default
spec:
  namespacedPermissions:
  - namespace: default
    rules:
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs:     ["*"]
  - namespace: kube-system
    rules:
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs:     ["get", "list", "watch"]
  clusterPermissions:
    rules:
    - apiGroups: [""]
      resources: ["namespaces"]
      verbs:     ["get", "list", "watch"]

  11. Check that the AccessToken was processed successfully

    kubectl get accesstoken test -n default -oyaml

    You should see the following status condition, indicating that the object was instantiated successfully.

     status:
   conditions:
   - lastTransitionTime: "2024-10-24T17:33:35Z"
     message: All conditions successful.
     observedGeneration: 1
     reason: ConditionsSuccessful
     status: "True"
     type: Ready

    You'll also see that it provisioned a deploy token as a secret, whose name is under status.tokenSecretRef.

  12. As a bonus, we can use kubectl auth can-i (docs here) check that the deploy token in fact has the permissions that we declared for it. We first need to locate the Service Account that the AccessToken was created for, which can be found under status.resourceRefs with kind: ServiceAccount.

    kubectl auth can-i --as=system:serviceaccount:default:test create configmaps -n default # should report yes
kubectl auth can-i --as=system:serviceaccount:default:test create configmaps -n kube-system # should report no
kubectl auth can-i --as=system:serviceaccount:default:test list configmaps -n kube-system # should report yes
kubectl auth can-i --as=system:serviceaccount:default:test create namespaces # should report no
kubectl auth can-i --as=system:serviceaccount:default:test list namespaces # should report yes

About

Example Achilles SDK controller for tutorial purposes.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

7 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages