more permission handling for gcloud? #82

Open
chy168 opened this issue Sep 21, 2019 · 0 comments
Labels: help wanted (Extra attention is needed), question (Further information is requested)

chy168 commented Sep 21, 2019

Hi,
I'm using kubefwd on GCP, and I encountered a permission problem with kubefwd + GCP (gcloud).

For renewing the credential that interacts with GKE, the k8s client implements an auth-provider to accomplish the token refresh mechanism. For GCP, the auth-provider invokes gcloud to get the latest token and writes some logs to the logs folder (e.g. ~/.config/gcloud/logs/2019.08.04/17.33.10.339790.log).

The problem comes here: for editing the hosts file, we need to call kubefwd with sudo, and this makes the k8s client follow the auth-provider mechanism to call gcloud and write logs. In this case, the logs are written as root due to sudo. The log file folder is created by root.

Once we invoke gcloud for daily operation (run by a normal user), we get permission denied because the log file is owned by root.

The invoke path is: kubefwd (root) -> k8s client -> auth-provider -> gcloud (root)

Reproduce steps:

  1. Wait for the access token to expire
  2. sudo kubefwd
  3. gcloud container clusters get-credentials k8s-cluster --project test <-- get permission denied error

Any idea how to prevent gcloud logging by normal user when kubefwd is invoked by sudo?

PS. To work around this, run kubectl get pod before kubefwd; this will trigger the auth-provider to refresh the credential. kubefwd will never trigger the refresh mechanism anymore.

Thanks!

Error from gcloud

Traceback (most recent call last):
  File "/Users/zzchen/google-cloud-sdk/lib/gcloud.py", line 95, in <module>
    main()
  File "/Users/zzchen/google-cloud-sdk/lib/gcloud.py", line 91, in main
    sys.exit(gcloud_main.main())
  File "/Users/zzchen/google-cloud-sdk/lib/googlecloudsdk/gcloud_main.py", line 172, in main
    gcloud_cli = CreateCLI([])
  File "/Users/zzchen/google-cloud-sdk/lib/googlecloudsdk/gcloud_main.py", line 151, in CreateCLI
    generated_cli = loader.Generate()
  File "/Users/zzchen/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 502, in Generate
    cli = self.__MakeCLI(top_group)
  File "/Users/zzchen/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 672, in __MakeCLI
    log.AddFileLogging(self.__logs_dir)
  File "/Users/zzchen/google-cloud-sdk/lib/googlecloudsdk/core/log.py", line 1033, in AddFileLogging
    _log_manager.AddLogsDir(logs_dir=logs_dir)
  File "/Users/zzchen/google-cloud-sdk/lib/googlecloudsdk/core/log.py", line 683, in AddLogsDir
    self._CleanUpLogs(logs_dir)
  File "/Users/zzchen/google-cloud-sdk/lib/googlecloudsdk/core/log.py", line 711, in _CleanUpLogs
    self._CleanLogsDir(logs_dir)
  File "/Users/zzchen/google-cloud-sdk/lib/googlecloudsdk/core/log.py", line 737, in _CleanLogsDir
    os.remove(log_file_path)
OSError: [Errno 13] Permission denied: '/Users/zzchen/.config/gcloud/logs/2019.08.04/17.33.10.339790.log'
cjimti added the help wanted and question labels on Oct 24, 2019
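
An added example, not part of the original issue and not kubefwd or gcloud code: a shell check for the condition reported above, where a run under sudo leaves root-owned entries in the user's gcloud directory. The function names are hypothetical; it assumes the directory is `~/.config/gcloud` (as in the traceback) unless `CLOUDSDK_CONFIG` is set, and that sudo keeps the caller's `HOME`.

```shell
#!/bin/sh
# Added example: audit a per-user config tree for entries owned by another
# UID, e.g. root after a tool invoked gcloud under sudo.

# Print every path under DIR whose owner is not OWNER_UID.
# POSIX find treats a numeric -user argument as a UID when no user has
# that name. Paths containing newlines are not handled.
foreign_owned() {
    dir=$1
    owner_uid=$2
    [ -d "$dir" ] || return 0
    find "$dir" ! -user "$owner_uid" -print
}

# UID of the person behind the process. Under sudo the effective UID is 0,
# and sudo exports the caller's UID as SUDO_UID.
invoking_uid() {
    if [ "$(id -u)" -eq 0 ] && [ -n "${SUDO_UID:-}" ]; then
        printf '%s\n' "$SUDO_UID"
    else
        id -u
    fi
}

# Report foreign-owned entries and return 1 if any exist.
# With --fix (run as root), hand them back to the invoking user.
audit_gcloud_dir() {
    dir=${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}
    uid=$(invoking_uid)
    bad=$(foreign_owned "$dir" "$uid")
    if [ -z "$bad" ]; then
        echo "ok: everything under $dir is owned by uid $uid"
        return 0
    fi
    echo "entries under $dir not owned by uid $uid:"
    printf '%s\n' "$bad"
    if [ "${1:-}" = "--fix" ]; then
        printf '%s\n' "$bad" | while IFS= read -r path; do
            chown "$uid" "$path"
        done
    fi
    return 1
}

# Usage: audit_gcloud_dir          (as the normal user, report only)
#        sudo sh -c '. ./audit.sh; audit_gcloud_dir --fix'
```

Running the check as the normal user after any `sudo kubefwd` session shows whether the next `gcloud` call will hit the `Permission denied` error from the traceback.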