# community

Kushagra Indurkhya

05/29/2023, 1:09 PM
Hi, I am new to Kubernetes. Can someone point me to some resources for deploying Cerbos as a sidecar to my main application and accessing Cerbos within my application on Kubernetes?

oguzhan

05/29/2023, 1:16 PM
Hi, we have a related section in our docs with example CRs: https://docs.cerbos.dev/cerbos/latest/deployment/k8s-sidecar.html

Kushagra Indurkhya

06/01/2023, 7:53 AM
Yes, I was going through it. I was unable to figure out some things:
• Where do we specify the socket on which Cerbos listens? In the example it is directly specified as "unix:/sock/cerbos.sock".
• When I mounted the /sock directory into my test implementation, I am able to access Cerbos via the port-forwarded dashboard, but when executing ls on /sock and trying to connect via the Python cerbos client I am unable to see that cerbos.sock is created. Here's my pod configuration:
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
    - name: main-app
      image: {my-repo}/test-cerbos:latest
      ports:
        - containerPort: 8000
      volumeMounts:
        - name: sock
          mountPath: /sock
    - name: cerbos
      image: "ghcr.io/cerbos/cerbos:0.26.0"
      imagePullPolicy: IfNotPresent
      volumeMounts:
        # Mount the shared volume containing the socket
        - name: sock
          mountPath: /sock
        - name: config
          mountPath: /config
          readOnly: true
        - name: policies
          mountPath: /policies
  volumes:
    # Shared volume containing the socket.
    - name: sock
      emptyDir: {}
    - name: config
      emptyDir: {}
      # configMap:
      #   name: cerbos-sidecar-demo
    - name: certs
      emptyDir: {}
      # secret:
      #   secretName: cerbos-sidecar-demo
    - name: policies
      emptyDir: {}
Here's my test app using the Python SDK:
from flask import Flask, request, make_response, jsonify
from cerbos.sdk.model import *
from cerbos.sdk.client import CerbosClient

app = Flask(__name__)


@app.route('/api/v1/cerbosApp/test', methods=['GET'])
def index():
    # Connect to the Cerbos sidecar over the Unix domain socket on the shared /sock volume
    with CerbosClient("unix+https:///sock/cerbos.sock", debug=True, tls_verify=False) as c:
        p = Principal(
            "john",
            roles={"employee"},
            policy_version="20210210",
            attr={"department": "marketing", "geography": "GB", "team": "design"},
        )
        # Check a single action on a single resource
        r = Resource(
            "XX125",
            "leave_request",
            policy_version="20210210",
            attr={
                "id": "XX125",
                "department": "marketing",
                "geography": "GB",
                "team": "design",
                "owner": "john",
            },
        )
        allowed = c.is_allowed("view:public", p, r)
        print(allowed)
    return "hello world"
Here's the command I am running against the container:
kubectl exec -it test-pod -- ls /sock
@oguzhan I may be widely off track here too; any help is appreciated. Thank you!

oguzhan

06/01/2023, 8:24 AM
If you cannot observe the /sock/cerbos.sock file on the filesystem, cerbos might not be running. Can you check whether you have errors showing up in the cerbos logs?

Kushagra Indurkhya

06/01/2023, 8:33 AM
I think cerbos is running; here are the logs from the cerbos container running in the same pod:
$ kubectl logs test-pod -c cerbos
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.284Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=2: CPU quota undefined"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.284Z","log.logger":"cerbos.server","message":"Loading configuration from __default__"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.290Z","log.logger":"cerbos.disk.store","message":"Initializing disk store from /policies"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.290Z","log.logger":"cerbos.index","message":"Found 0 executable policies"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.292Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.296Z","log.logger":"cerbos.dir.watch","message":"Watching directory for changes","dir":"/policies"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.298Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}
{"log.level":"info","@timestamp":"2023-06-01T07:55:02.298Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}

oguzhan

06/01/2023, 8:40 AM
Yes, it is running, but I think the cerbos configuration is wrong. There is supposed to be a line like this:
Starting HTTP server at unix:/sock/cerbos.sock
but you have this in the logs:
Starting HTTP server at :3592
Can you validate your cerbos configuration in the ConfigMap and be sure it has:
httpListenAddr: "unix:/sock/cerbos.sock"
It could also be that the ConfigMap is not mounted to the pod, hence cerbos runs with the default configuration. I see some `#` in your Pod definition where you specify `volumes`:
volumes:
      # Shared volume containing the socket.
      - name: sock
        emptyDir: {}
      - name: config
        emptyDir: {}
        # configMap:
          # name: cerbos-sidecar-demo
      - name: certs
        emptyDir: {}
        # secret:
        #   secretName: cerbos-sidecar-demo
      - name: policies
        emptyDir: {}
This could be the reason 🙂

Kushagra Indurkhya

06/01/2023, 8:49 AM
Yes, sorry for the oversight... I will add the ConfigMap and try again. Thanks for the help!

oguzhan

06/01/2023, 8:55 AM
happy to help!