<srhb>
Yup, indeed. Not in any release yet (except as nixUnstable)
ixxie has quit [Ping timeout: 252 seconds]
ixxie has joined #nixos-kubernetes
johanot has joined #nixos-kubernetes
<ixxie>
srhb: so with swap the build succeeded, but while it seems kubernetes is installed (I see k8s containers when I run `docker ps`) it seems I don't have a `kubectl` command available in my path
<ixxie>
nor does the root user
<srhb>
ixxie: You can just add it to environment.systemPackages
<srhb>
It's funny that you expect that. I think we debated whether the module should do that. I lean towards "don't silently stick things on the global PATH"
<srhb>
But good feedback.
<johanot>
While testing something else today I realized that the etcd module sticks "etcdctl" on PATH, I thought I had to ask for it specifically. Apparently not :)
<johanot>
my personal opinion is that the system PATH should be kept as clean as possible, but I'm not totally immune to the other argument still.
<ixxie>
srhb: well, at the very least the current version on unstable DOES supply kubectl
<ixxie>
because I haven't had to install it separately
<ixxie>
so if you remove it you better warn people somehow
<srhb>
ixxie: Ah. My main concern is that it's easy to accidentally depend on things in /run/current-system in the actual module if you stick it on there automatically.
<ixxie>
fair enough!
<srhb>
ixxie: That's funny though, I don't see it being set automatically on unstable
<johanot>
ixxie: kubectl is part of the outputs from the kubernetes package, also in stable.
<ixxie>
[ixxie@flux-master:~]$ kubectl get pods --all-namespaces
<ixxie>
error: unable to read client-key /var/lib/kubernetes/secrets/cluster-admin-key.pem for cluster-admin due to open /var/lib/kubernetes/secrets/cluster-admin-key.pem: permission denied
<ixxie>
you did this today right? I missed that yesterday
<ixxie>
but I suppose there is a more permanent setup to be done where certain users get access to the cert?
<johanot>
ixxie: nope. I added firewall ports today, because I wanted to demonstrate that the nixos firewall doesn't have to be disabled to use the k8s module. But the kubectl wrap was there yesterday as well
<johanot>
The auto-generated cert and kubeconfig is a way of getting the same functionality as before, where an admin (having a console on the master-server) can obtain cluster-admin rights.
<johanot>
Additional users/roles/rolebindings must be added manually, for now.
<ixxie>
alrighty
<ixxie>
I only dimly follow what's going on here, but I am sick and quite tired now; so I will try out the wrapper tomorrow and probably ask more questions at some point
<ixxie>
thanks a bunch for all the info again!
<johanot>
ixxie: any time :)
<ixxie>
good night!
<johanot>
Users that aren't up for a deeply granular access control scheme are most welcome to just copy the admin cert and key around as needed. At least RBAC ensures that random people without any (or a self-signed) cert cannot access the cluster.
<johanot>
Before, everyone could just access port 8080, no questions asked.