So previously we had a vanilla installation of Apache Ignite on Kubernetes.
You had a cache service running, however all you did was install a helm chart.
In this blog we shall evaluate what was installed and take notes for our future helm charts.
The first step would be to view the helm chart.
> helm list
NAME          NAMESPACE  REVISION  UPDATED                                STATUS    CHART         APP VERSION
ignite-cache  default    1         2020-03-07 22:23:49.918924 +0000 UTC  deployed  ignite-1.0.1  2.7.6
Now let’s download it
> helm fetch stable/ignite
> tar xvf ignite-1.0.1.tgz
> cd ignite/; ls -R
Chart.yaml  README.md  templates  values.yaml

./templates:
NOTES.txt  account-role.yaml  persistence-storage-class.yaml  service-account.yaml  svc.yaml  _helpers.tpl  configmap.yaml  role-binding.yaml  stateful-set.yaml  wal-storage-class.yaml
Reading through the template files is a bit challenging (well, they are templates :P), so we shall instead inspect what the installation from our previous blog actually created in the cluster.
Let's get started with the account-role. The ClusterRole that Ignite uses needs to be able to get/list/watch pods and endpoints. That makes sense: Ignite's Kubernetes IP finder discovers the other nodes by asking the Kubernetes API for the endpoints of the Ignite service instead of relying on multicast. Note that because it is a ClusterRole (bound further down with a ClusterRoleBinding), this read access covers pods and endpoints in every namespace, not only the one Ignite runs in. If Ignite is not the only tenant of your cluster, a namespaced Role and RoleBinding with the same rules is the tighter choice.
> kubectl get ClusterRole ignite-cache -o yaml
kind: ClusterRole
metadata:
  creationTimestamp: 2020-03-07T22:23:50Z
  name: ignite-cache
  resourceVersion: "137525"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/ignite-cache
  uid: 0cad0689-2f94-4b74-87bc-b468e2ac78ae
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - endpoints
  verbs:
  - get
  - list
  - watch
In order to use this role you need a service account. The service account is created together with a token, held in the secret listed under secrets below; pods that run as this service account get that token mounted and present it to the API server when they make discovery calls.
> kubectl get serviceaccount ignite-cache -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2020-03-07T22:23:50Z
  name: ignite-cache
  namespace: default
  resourceVersion: "137524"
  selfLink: /api/v1/namespaces/default/serviceaccounts/ignite-cache
  uid: 7aab67e5-04db-41a8-b73d-e76e34ca1d8e
secrets:
- name: ignite-cache-token-8rln4
Then we have the role binding. It binds the ClusterRole ignite-cache to the service account ignite-cache in the default namespace. A subject is identified by kind, name and namespace, so a service account with the same name in another namespace would not get these permissions.
> kubectl get ClusterRoleBinding ignite-cache -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2020-03-07T22:23:50Z
  name: ignite-cache
  resourceVersion: "137526"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/ignite-cache
  uid: 1e180bd1-567f-4979-a278-ba2e420ed482
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ignite-cache
subjects:
- kind: ServiceAccount
  name: ignite-cache
  namespace: default
It is important for your Ignite workloads to run under this service account (the pod template of the StatefulSet sets serviceAccountName to ignite-cache) so that they pick up its token and, with it, the permissions to discover the other nodes in your cluster. A pod that runs under the namespace's default service account instead has no binding to this ClusterRole and its discovery calls to the API server are denied.
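To see what the three objects above actually grant, here is an added example (my own script, not code from this blog or from the Ignite chart) that evaluates the ClusterRole rules the way the API server's RBAC authorizer matches them (equality or "*" per field), checks that the binding really reaches the ignite-cache service account, and lists anything granted beyond what node discovery needs. The two objects are embedded as JSON transcribed from the YAML above with the metadata trimmed; the list of required permissions, the probe universe of sensitive verbs and the over-broad comparison role are constructed for the example.

```python
"""Audit the RBAC a Helm chart installed for a service account.

Offline version: the objects are embedded inline. Against a live cluster the
same fields come from `kubectl get clusterrole ignite-cache -o json` and
`kubectl get clusterrolebinding ignite-cache -o json`.
"""
import json

# Transcribed from the YAML shown above (metadata trimmed).
CLUSTER_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "ignite-cache"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "endpoints"],
     "verbs": ["get", "list", "watch"]}
  ]
}
""")

CLUSTER_ROLE_BINDING = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "ignite-cache"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
              "kind": "ClusterRole", "name": "ignite-cache"},
  "subjects": [{"kind": "ServiceAccount", "name": "ignite-cache",
                "namespace": "default"}]
}
""")

# Constructed for comparison: the kind of rule a careless chart ships.
OVERBROAD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ignite-cache"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# What Ignite's Kubernetes discovery needs, as stated in the text above:
# read access to pods and endpoints in the core ("") API group.
REQUIRED = (
    {("", "pods", v) for v in ("get", "list", "watch")}
    | {("", "endpoints", v) for v in ("get", "list", "watch")}
)

# Constructed probe set: triples that a wildcard or over-broad rule would
# light up and that discovery has no business having.
SENSITIVE = {
    ("", "secrets", "get"), ("", "secrets", "list"),
    ("", "pods", "create"), ("", "pods", "delete"),
    ("", "pods/exec", "create"),
}


def binds_service_account(binding, role, sa_name, sa_namespace):
    """True if `binding` points at `role` and lists the service account."""
    ref = binding["roleRef"]
    if ref["kind"] != role["kind"] or ref["name"] != role["metadata"]["name"]:
        return False
    return any(s.get("kind") == "ServiceAccount"
               and s.get("name") == sa_name
               and s.get("namespace") == sa_namespace
               for s in binding.get("subjects", []))


def rule_allows(rule, group, resource, verb):
    """Mirror the RBAC authorizer: each field matches on equality or '*'."""
    def match(wanted, allowed):
        return "*" in allowed or wanted in allowed
    return (match(group, rule.get("apiGroups", []))
            and match(resource, rule.get("resources", []))
            and match(verb, rule.get("verbs", [])))


def allowed_set(role, universe):
    """Expand the role's rules over a finite universe of (group, resource, verb)."""
    return {t for t in universe
            if any(rule_allows(r, *t) for r in role.get("rules", []))}


def audit(role, binding, sa_name="ignite-cache", sa_namespace="default",
          required=REQUIRED):
    """Report whether the grant reaches the SA, covers the need, and what it exceeds."""
    granted = allowed_set(role, set(required) | SENSITIVE)
    return {
        "bound": binds_service_account(binding, role, sa_name, sa_namespace),
        "missing": sorted(required - granted),
        "extra": sorted(granted - required),
        # A ClusterRole reached through a ClusterRoleBinding applies in every namespace.
        "cluster_scoped": role["kind"] == "ClusterRole"
                          and binding["kind"] == "ClusterRoleBinding",
    }


if __name__ == "__main__":
    for name, role in (("chart role", CLUSTER_ROLE), ("over-broad role", OVERBROAD_ROLE)):
        print(name, json.dumps(audit(role, CLUSTER_ROLE_BINDING), indent=2))
```

For the chart's objects the report shows the binding reaching the service account, nothing missing and nothing extra, with cluster_scoped true; the over-broad role covers the same needs but also lights up secrets, pod creation and exec. Once the chart is installed, kubectl auth can-i list endpoints --as=system:serviceaccount:default:ignite-cache asks the API server the same question directly.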
The next blog focuses on the configuration.
3 thoughts on “Apache Ignite on your Kubernetes Cluster Part 2: RBAC Explained”