DevOps Adventures…Log parser – Authentication
How do we even start collecting logs from Kubernetes? Through access to the proper endpoint, which is served by the Kubernetes API. The endpoint list can be found here:
https://jamesdefabia.github.io/docs/api-reference/v1/operations/
To access the necessary endpoint, we need the external endpoint address, which is the external IP of the Kubernetes cluster. Once we know where we can gather all the logs from, we have to keep in mind that Kubernetes API access is available only via a token, which we have to send in a header. An interesting hint: according to the documentation, the token is generated automatically during namespace creation in k8s scope – it is hidden as a secret belonging to the ServiceAccount. That’s a big plus. However, it doesn’t straight away give us access to all the resources we need. To get that access, we need to create a ClusterRole and a RoleBinding, which will grant us access to the required resources. After applying the changes to k8s, we don’t have to do anything else; the access is available instantly. That’s all when it comes to k8s.
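As an added example (not from the original post), here is a minimal manifest for the ServiceAccount, ClusterRole and RoleBinding described above, limited to read-only access to pods and their logs. The names `log-parser`, `pod-log-reader`, `log-parser-read-logs` and the namespace `my-app` are assumptions.

```yaml
# Constructed example: all names and the namespace are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-parser
  namespace: my-app
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-log-reader
rules:
  - apiGroups: [""]                   # core API group
    resources: ["pods", "pods/log"]   # pod listing plus the log subresource
    verbs: ["get", "list"]            # read-only, no write or exec verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                     # namespaced binding, not a ClusterRoleBinding
metadata:
  name: log-parser-read-logs
  namespace: my-app
subjects:
  - kind: ServiceAccount
    name: log-parser
    namespace: my-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pod-log-reader
```

Because a RoleBinding is namespaced, the ClusterRole's rules apply only inside `my-app`, and each further namespace needs its own RoleBinding. The grant can be checked with `kubectl auth can-i get pods --subresource=log --as=system:serviceaccount:my-app:log-parser -n my-app`.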
When it comes to the Rust side, I’ve decided to choose the awc library, which uses another library under the hood – reqwest. It is helpful in that it simplifies communication with a cluster that uses the HTTPS protocol, and cert checking can be easily disabled. As for other libraries, they were easier to read but more difficult to actually use, as they didn’t work as I would like – I was unable to automatically create a token to access the k8s cluster. Nonetheless, I was able to create a token manually for a specific ServiceAccount, and it works very well. An important thing to remember: a token for a specific ServiceAccount works only for a specific namespace! So every namespace will require a separate token, and thus a separate function to handle the connection.

