Adds Namespace-Restricted Mode to README. (#178)

Nimrod Gilboa Markevich 2021-08-08 12:23:11 +03:00 committed by GitHub
parent ebbe6458a8
commit 0595df8b87
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 12 deletions


@ -14,9 +14,9 @@ A simple-yet-powerful API traffic viewer for Kubernetes to help you troubleshoot
## Download ## Download
Download `mizu` for your platform and operating system Download Mizu for your platform and operating system
### Latest stable release ### Latest Stable Release
* for MacOS - Intel * for MacOS - Intel
``` ```
@ -34,12 +34,12 @@ https://github.com/up9inc/mizu/releases/latest/download/mizu_linux_amd64 \
SHA256 checksums are available on the [Releases](https://github.com/up9inc/mizu/releases) page. SHA256 checksums are available on the [Releases](https://github.com/up9inc/mizu/releases) page.
### Development (unstable) build ### Development (unstable) Build
Pick one from the [Releases](https://github.com/up9inc/mizu/releases) page. Pick one from the [Releases](https://github.com/up9inc/mizu/releases) page.
## Prerequisites ## Prerequisites
1. Set `KUBECONFIG` environment variable to your kubernetes configuration. If this is not set, mizu assumes that configuration is at `${HOME}/.kube/config` 1. Set `KUBECONFIG` environment variable to your Kubernetes configuration. If this is not set, Mizu assumes that configuration is at `${HOME}/.kube/config`
2. mizu needs following permissions on your kubernetes cluster to run 2. Mizu needs following permissions on your Kubernetes cluster to run
```yaml ```yaml
- apiGroups: - apiGroups:
@ -84,7 +84,7 @@ Pick one from the [Releases](https://github.com/up9inc/mizu/releases) page.
- get - get
``` ```
3. Optionally, for resolving traffic IP to kubernetes service name, mizu needs below permissions 3. Optionally, for resolving traffic IP to Kubernetes service name, Mizu needs below permissions
```yaml ```yaml
- apiGroups: - apiGroups:
@ -201,7 +201,7 @@ Pick one from the [Releases](https://github.com/up9inc/mizu/releases) page.
- watch - watch
``` ```
4. Optionally, in order to use the policy rules validation feature, mizu requires the following additional permissions: 4. Optionally, in order to use the policy rules validation feature, Mizu requires the following additional permissions:
```yaml ```yaml
- apiGroups: - apiGroups:
@ -214,7 +214,7 @@ Pick one from the [Releases](https://github.com/up9inc/mizu/releases) page.
- delete - delete
``` ```
5. Alternatively, in order to restrict mizu to one namespace only (by setting `agent.namespace` in the config file), mizu needs the following permissions in that namespace: 5. Alternatively, in order to restrict Mizu to one namespace only (by setting `agent.namespace` in the config file), Mizu needs the following permissions in that namespace:
```yaml ```yaml
- apiGroups: - apiGroups:
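Review bot: step 5 still says the single-namespace restriction is enabled "by setting `agent.namespace` in the config file", which does not match the config key this commit documents elsewhere (`mizu-resources-namespace`, also used as `MizuResourcesNamespaceConfigName` in the error message). Since this line is already being touched for capitalization, update the key name here too so the prerequisites and the new Namespace-Restricted Mode section agree on which setting narrows Mizu's permissions to one namespace.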
@ -252,7 +252,7 @@ Pick one from the [Releases](https://github.com/up9inc/mizu/releases) page.
- get - get
``` ```
6. To restrict mizu to one namespace while also resolving IPs, mizu needs the following permissions in that namespace: 6. To restrict Mizu to one namespace while also resolving IPs, Mizu needs the following permissions in that namespace:
```yaml ```yaml
- apiGroups: - apiGroups:
@ -346,7 +346,7 @@ Pick one from the [Releases](https://github.com/up9inc/mizu/releases) page.
See `examples/roles` for example `clusterroles`. See `examples/roles` for example `clusterroles`.
## How to run ## How to Run
1. Find pods you'd like to tap to in your Kubernetes cluster 1. Find pods you'd like to tap to in your Kubernetes cluster
2. Run `mizu tap PODNAME` or `mizu tap REGEX` 2. Run `mizu tap PODNAME` or `mizu tap REGEX`
@ -388,3 +388,17 @@ To tap multiple pods using regex -
^C ^C
``` ```
## Advanced Usage
### Namespace-Restricted Mode
Some users have permission to only manage resources in one particular namespace assigned to them.
By default `mizu tap` creates a new namespace `mizu` for all of its Kubernetes resources. In order to instead install
Mizu in an existing namespace, set the `mizu-resources-namespace` config option.
If `mizu-resources-namespace` is set to a value other than the default `mizu`, Mizu will operate in a
Namespace-Restricted mode. It will only tap pods in `mizu-resources-namespace`. This way Mizu only requires permissions
to the namespace set by `mizu-resources-namespace`. The user must set the tapped namespace to the same namespace by
using the `--namespace` flag or by setting `tap.namespaces` in the config file.
Setting `mizu-resources-namespace=mizu` resets Mizu to its default behavior.
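Review bot: the new section should point readers at Prerequisites steps 5 and 6, which list the per-namespace permissions this mode requires (and at `examples/roles`), otherwise a user who only has rights in one namespace has to find them by scanning the whole prerequisites list. It is also worth stating plainly that the mode is triggered by any value other than the default `mizu` rather than by a dedicated flag, since the last sentence ("resets Mizu to its default behavior") is the only hint of that, and that Mizu stops tapping pods outside that namespace, so a `--namespace` value that differs from `mizu-resources-namespace` will yield no tapped pods.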


@ -17,8 +17,12 @@ func FormatError(err error) error {
var errorNew error var errorNew error
if k8serrors.IsForbidden(err) { if k8serrors.IsForbidden(err) {
errorNew = fmt.Errorf("insufficient permissions: %w. "+ errorNew = fmt.Errorf("insufficient permissions: %w. "+
"supply the required permission or control Mizu's access to namespaces by setting MizuResourcesNamespace "+ "supply the required permission or control Mizu's access to namespaces by setting %s "+
"in the config file or setting the tapped namespace with --%s %s=<NAMEPSACE>", err, mizu.SetCommandName, mizu.MizuResourcesNamespaceConfigName) "in the config file or setting the tapped namespace with --%s %s=<NAMEPSACE>",
err,
mizu.MizuResourcesNamespaceConfigName,
mizu.SetCommandName,
mizu.MizuResourcesNamespaceConfigName)
} else if syntaxError, isSyntaxError := asRegexSyntaxError(err); isSyntaxError { } else if syntaxError, isSyntaxError := asRegexSyntaxError(err); isSyntaxError {
errorNew = fmt.Errorf("regex %s is invalid: %w", syntaxError.Expr, err) errorNew = fmt.Errorf("regex %s is invalid: %w", syntaxError.Expr, err)
} else { } else {
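Review bot: `<NAMEPSACE>` in the format string is a typo for `<NAMESPACE>`; it predates this change but the string is being rewritten here anyway. The verb/argument pairing is correct (four verbs `%w`, `%s`, `%s`, `%s` against `err`, `MizuResourcesNamespaceConfigName`, `SetCommandName`, `MizuResourcesNamespaceConfigName`). The wording "setting the tapped namespace with --set mizu-resources-namespace=..." conflicts with the README text in this same commit, where the tapped namespace is chosen with `--namespace` or `tap.namespaces` and `mizu-resources-namespace` selects where Mizu's own resources are installed; consider "or restricting Mizu to one namespace with --%s %s=<NAMESPACE>" so the forbidden-error hint sends users to the right setting.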