Hi I am new to kubernetes Can someone point to some resource Cerbos Community #community

Hi, I am new to kubernetes, Can someone point to s...

Kushagra Indurkhya

05/29/2023, 1:09 PM

Hi, I am new to kubernetes, Can someone point to some resources for deploying cerbos as a sidecar to my main application and accessing cerbos withing my application on kubernetes

oguzhan

05/29/2023, 1:16 PM

Hi, We have a section related on our docs with example CRs: https://docs.cerbos.dev/cerbos/latest/deployment/k8s-sidecar.html

Kushagra Indurkhya

06/01/2023, 7:53 AM

Yes i was going through it , I was unable to figure out somethings : • Where do we specify the socket on which the cerbos listens to in the example its directly specified "unix:/sock/cerbos.sock" • When i mounted /sock directory to my test implementation , I am able to access cerbos via port forwarded dashboard, but when executing ls on /sock and trying to connect via python cerbosclient i am unable to see that the cerbos.sock is created here's my pod configuration

apiVersion: v1

kind: Pod

metadata:

name: test-pod

spec:

containers:

- name: main-app

image: {my-repo}/test-cerbos:latest

ports:

- containerPort: 8000

volumeMounts:

- name: sock

mountPath: /sock

- name: cerbos

image: "<http://ghcr.io/cerbos/cerbos:0.26.0|ghcr.io/cerbos/cerbos:0.26.0>"

imagePullPolicy: IfNotPresent

volumeMounts:

# Mount the shared volume containing the socket

- name: sock

mountPath: /sock

- name: config

mountPath: /config

readOnly: true

- name: policies

mountPath: /policies

volumes:

# Shared volume containing the socket.

- name: sock

emptyDir: {}

- name: config

emptyDir: {}

# configMap:

# name: cerbos-sidecar-demo

- name: certs

emptyDir: {}

# secret:

#   secretName: cerbos-sidecar-demo

- name: policies

emptyDir: {}

Here's my test app using python sdk

from flask import Flask,request,make_response,jsonify

from cerbos.sdk.model import *

from cerbos.sdk.client import CerbosClient

app = Flask(__name__)

@app.route('/api/v1/cerbosApp/test', methods=['GET'])

def index():

with CerbosClient("unix+https:///sock/cerbos.sock", debug=True, tls_verify=False) as c:

p = Principal(

"john",

roles={"employee"},

policy_version="20210210",

attr={"department": "marketing", "geography": "GB", "team": "design"},

# Check a single action on a single resource

r = Resource(

"XX125",

"leave_request",

policy_version="20210210",

attr={

"id": "XX125",

"department": "marketing",

"geography": "GB",

"team": "design",

"owner": "john",

},

allowed = c.is_allowed("view:public", p, r)

print(allowed)

return "hello world"

Here's the command i am running in container

kubectl exec -it test-pod -- ls /sock

Kushagra Indurkhya

06/01/2023, 8:03 AM

@oguzhan i maybe widely offtrack here too, any help is appreciated Thank You

oguzhan

06/01/2023, 8:24 AM

if you cannot observe the

/sock/cerbos.sock

file on the filesystem, cerbos might not be running. can you check whether you have errors showing up on the cerbos logs?

Kushagra Indurkhya

06/01/2023, 8:33 AM

I think cerbos is running ,here are the logs from cerbos container running in same pod

$ kubectl logs test-pod -c cerbos

{"log.level":"info","@timestamp":"2023-06-01T07:55:02.284Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=2: CPU quota undefined"}

{"log.level":"info","@timestamp":"2023-06-01T07:55:02.284Z","log.logger":"cerbos.server","message":"Loading configuration from __default__"}

{"log.level":"info","@timestamp":"2023-06-01T07:55:02.290Z","log.logger":"cerbos.disk.store","message":"Initializing disk store from /policies"}

{"log.level":"info","@timestamp":"2023-06-01T07:55:02.290Z","log.logger":"cerbos.index","message":"Found 0 executable policies"}

{"log.level":"info","@timestamp":"2023-06-01T07:55:02.292Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}

{"log.level":"info","@timestamp":"2023-06-01T07:55:02.296Z","log.logger":"cerbos.dir.watch","message":"Watching directory for changes","dir":"/policies"}

{"log.level":"info","@timestamp":"2023-06-01T07:55:02.298Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}

{"log.level":"info","@timestamp":"2023-06-01T07:55:02.298Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}

oguzhan

06/01/2023, 8:40 AM

yes, it is running but I think cerbos configuration is wrong. there supposed to be some line like this;

Copy code

Starting HTTP server at unix:/sock/cerbos.sock

but you have this in the logs;

Copy code

Starting HTTP server at :3592

can you validate your cerbos configuration in the

ConfigMap

and be sure it has;

Copy code

httpListenAddr: "unix:/sock/cerbos.sock"

and also it could be possible the

ConfigMap

is not mounted to the pod, hence cerbos runs with the default configuration.

oguzhan

06/01/2023, 8:45 AM

I see some

in your

Pod

definition where you specify `volumes`;

Copy code

volumes:
      # Shared volume containing the socket.
      - name: sock
        emptyDir: {}
      - name: config
        emptyDir: {}
        # configMap:
          # name: cerbos-sidecar-demo
      - name: certs
        emptyDir: {}
        # secret:
        #   secretName: cerbos-sidecar-demo
      - name: policies
        emptyDir: {}

this could be the reason 🙂

Kushagra Indurkhya

06/01/2023, 8:49 AM

yes sorry for the oversight...I will add the config map and try out again , thanks for the help

oguzhan

06/01/2023, 8:55 AM

happy to help!

7 Views

Open in Slack

Previous Next