Kushagra Indurkhya
05/29/2023, 1:09 PM
oguzhan
Kushagra Indurkhya
06/01/2023, 7:53 AM
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
    - name: main-app
      image: "{my-repo}/test-cerbos:latest"
      ports:
        - containerPort: 8000
      volumeMounts:
        - name: sock
          mountPath: /sock
    - name: cerbos
      image: ghcr.io/cerbos/cerbos:0.26.0
      imagePullPolicy: IfNotPresent
      volumeMounts:
        # Mount the shared volume containing the socket
        - name: sock
          mountPath: /sock
        - name: config
          mountPath: /config
          readOnly: true
        - name: policies
          mountPath: /policies
  volumes:
    # Shared volume containing the socket.
    - name: sock
      emptyDir: {}
    - name: config
      emptyDir: {}
      # configMap:
      #   name: cerbos-sidecar-demo
    - name: certs
      emptyDir: {}
      # secret:
      #   secretName: cerbos-sidecar-demo
    - name: policies
      emptyDir: {}
Here's my test app using the Python SDK:
from flask import Flask
from cerbos.sdk.client import CerbosClient
from cerbos.sdk.model import Principal, Resource

app = Flask(__name__)


@app.route("/api/v1/cerbosApp/test", methods=["GET"])
def index():
    # Talk to the Cerbos sidecar over the Unix socket shared via the `sock` volume.
    with CerbosClient("unix+https:///sock/cerbos.sock", debug=True, tls_verify=False) as c:
        p = Principal(
            "john",
            roles={"employee"},
            policy_version="20210210",
            attr={"department": "marketing", "geography": "GB", "team": "design"},
        )
        # Check a single action on a single resource
        r = Resource(
            "XX125",
            "leave_request",
            policy_version="20210210",
            attr={
                "id": "XX125",
                "department": "marketing",
                "geography": "GB",
                "team": "design",
                "owner": "john",
            },
        )
        allowed = c.is_allowed("view:public", p, r)
        print(allowed)
    return "hello world"


if __name__ == "__main__":
    # Listen on the port exposed in the Pod spec (containerPort: 8000)
    app.run(host="0.0.0.0", port=8000)
Here's the command I am running in the container:
kubectl exec -it test-pod -- ls /sock
Kushagra Indurkhya
06/01/2023, 8:03 AM
oguzhan
`/sock/cerbos.sock` file on the filesystem, Cerbos might not be running. Can you check whether you have errors showing up in the Cerbos logs?
Kushagra Indurkhya
06/01/2023, 8:33 AM
$ kubectl logs test-pod -c cerbos
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.284Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=2: CPU quota undefined"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.284Z","log.logger":"cerbos.server","message":"Loading configuration from __default__"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.290Z","log.logger":"cerbos.disk.store","message":"Initializing disk store from /policies"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.290Z","log.logger":"cerbos.index","message":"Found 0 executable policies"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.292Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.296Z","log.logger":"cerbos.dir.watch","message":"Watching directory for changes","dir":"/policies"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.298Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.298Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}
oguzhan
Starting HTTP server at unix:/sock/cerbos.sock
but you have this in the logs:
Starting HTTP server at :3592
Can you validate your Cerbos configuration in the ConfigMap and be sure it has:
httpListenAddr: "unix:/sock/cerbos.sock"
It could also be that the ConfigMap is not mounted to the pod, hence Cerbos runs with the default configuration.
oguzhan
`#` in your Pod definition where you specify `volumes`:
volumes:
  # Shared volume containing the socket.
  - name: sock
    emptyDir: {}
  - name: config
    emptyDir: {}
    # configMap:
    #   name: cerbos-sidecar-demo
  - name: certs
    emptyDir: {}
    # secret:
    #   secretName: cerbos-sidecar-demo
  - name: policies
    emptyDir: {}
this could be the reason 🙂
Kushagra Indurkhya
06/01/2023, 8:49 AM
oguzhan