box
diff --git a/‎.gitignore
Lines changed: 24 additions & 0 deletions b/‎.gitignore
Lines changed: 24 additions & 0 deletions
diff --git a/‎.travis.yml
Lines changed: 6 additions & 0 deletions b/‎.travis.yml
Lines changed: 6 additions & 0 deletions
diff --git a/‎.travis/check_workspace.sh
Lines changed: 10 additions & 0 deletions b/‎.travis/check_workspace.sh
Lines changed: 10 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md
Lines changed: 77 additions & 0 deletions b/‎CONTRIBUTING.md
Lines changed: 77 additions & 0 deletions
diff --git a/‎Dockerfile
Lines changed: 14 additions & 0 deletions b/‎Dockerfile
Lines changed: 14 additions & 0 deletions
diff --git a/‎Makefile
Lines changed: 34 additions & 0 deletions b/‎Makefile
Lines changed: 34 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 141 additions & 5 deletions b/‎README.md
Lines changed: 141 additions & 5 deletions
@@ -0,0 +1,24 @@
+# Binaries for programs and plugins
+/kube-exec-controller
+/kubectl-pi
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Local development files
+.DS_Store
+.idea/*
+.vscode
+
+# CSR related tools and files
+/cfssl
+/cfssljson
+server-key.pem
+server.crt
+server.csr
+
+# Ensure no vendor files get ignored
+!vendor/**
@@ -0,0 +1,6 @@
+language: go
+go:
+  - 1.16
+script:
+  - make test-unit
+  - .travis/check_workspace.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+if [ "$(git status --porcelain | wc -l)" -ne "0" ]; then 
+  echo "Unclean workspace detected. This typically indicates 'gofmt' changed some files." \
+       "\n Please run 'make fmt' locally to verify." 
+  exit 1
+else
+  exit 0
+fi
@@ -0,0 +1,77 @@
+# Contributing
+All contributions are welcome to this project.
+
+## Contributor License Agreement
+Before a contribution can be merged into this project, please fill out the Contributor License Agreement (CLA) located at:
+
+https://cla-assistant.io/box/cla
+
+To learn more about CLAs and why they are important to open source projects, please see the [Wikipedia entry](http://en.wikipedia.org/wiki/Contributor_License_Agreement).
+
+## Code of Conduct
+This project adheres to the [Box Open Code of Conduct](http://opensource.box.com/code-of-conduct/). By participating, you are expected to uphold this code.
+
+## How to contribute
+* **File an issue** - if you found a bug, want to request an enhancement, or want to implement something (bug fix or feature).
+* **Send a pull request** - if you want to contribute code. Please be sure to file an issue first.
+
+## Pull request best practices
+We want to accept your pull requests. Please follow these steps:
+
+### Step 1: File an issue
+Before writing any code, please file an issue stating the problem you want to solve or the feature you want to implement. This allows us to give you feedback before you spend any time writing code. There may be a known limitation that can't be addressed, or a bug that has already been fixed in a different way. The issue allows us to communicate and figure out if it's worth your time to write a bunch of code for the project.
+
+### Step 2: Fork this repository in GitHub
+This will create your own copy of our repository.
+
+### Step 3: Add the upstream source
+The upstream source is the project under the Box organization on GitHub. To add an upstream source for this project, type:
+
+```
+$ git remote add upstream [email protected]:box/kube-exec-controller.git
+```
+
+This will come in useful later.
+
+### Step 4: Create a feature branch
+Create a branch with a descriptive name, such as `add-search`.
+
+### Step 5: Push your feature branch to your fork
+As you develop code, continue to push code to your remote feature branch. Please make sure to include the issue number you're addressing in your commit message, such as:
+
+```
+$ git commit -m "Adding search (fixes #123)"
+```
+
+This helps us out by allowing us to track which issue your commit relates to.
+
+Keep a separate feature branch for each issue you want to address.
+
+### Step 6: Rebase
+Before sending a pull request, rebase against upstream, such as:
+
+```
+$ git fetch upstream
+$ git rebase upstream/main
+```
+
+This will add your changes on top of what's already in upstream, minimizing merge issues.
+
+### Step 7: Run the tests
+Make sure that [all tests are passing](https://app.travis-ci.com/github/box/kube-exec-controller) before submitting a pull request (required for merging any new PRs). You can also run `make test-unit` locally to execute these tests.
+
+Coverage is lacking on the more integration-heavy components, including:
+* Receiving admission requests from K8s API-Server
+* Evicting Pods with potentially mutated container
+* Interacting with commands from kubectl-pi plugin
+
+Until better automated testing of these components is implemented, we expect thorough local testing to ensure that the kube-exec-controller container is still fully functional. You can deploy the app and verify its functionality by:
+* Run `make deploy` to apply the app and enable admission control
+* Check if the updated kube-exec-controller Pod is up running
+* Run `kubectl exec` to a random Pod and verify if the Pod gets evicted
+* Run `kubectl pi get/extend` to verify if the commands get handled by kube-exec-controller as expected (see the Install section in [README](README.md) for more detail)
+
+### Step 8: Send the pull request
+Send the pull request from your feature branch to us. Be sure to include a description that lets us know what work you did.
+
+Keep in mind that we like to see one issue addressed per pull request, as this helps keep our git history clean and we can more easily track down issues.
@@ -0,0 +1,14 @@
+ARG APP_NAME="kube-exec-controller"
+
+FROM golang:1.16 as builder
+ARG APP_NAME
+WORKDIR /build
+COPY . .
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o ${APP_NAME} cmd/${APP_NAME}/main.go
+
+FROM alpine
+ARG APP_NAME
+LABEL com.box.name=${APP_NAME}
+LABEL maintainer="[email protected]"
+COPY --from=builder /build/${APP_NAME} /
+RUN chmod +x /${APP_NAME}
@@ -0,0 +1,34 @@
+ENVVAR = GOOS=linux GOARCH=amd64
+APP_NAME = kube-exec-controller
+PLUGIN_NAME = kubectl-pi
+
+clean:
+	rm -rf $(APP_NAME)
+	rm -rf $(PLUGIN_NAME)
+
+fmt:
+	find . -path ./vendor -prune -o -name '*.go' -print | xargs -L 1 -I % gofmt -s -w %
+
+test-unit: clean fmt
+	CGO_ENABLED=0 go test -v -cover ./...
+
+build-cgo: clean fmt
+	$(ENVVAR) CGO_ENABLED=1 go build -mod vendor -o $(APP_NAME) cmd/$(APP_NAME)/main.go
+	$(ENVVAR) CGO_ENABLED=1 go build -mod vendor -o $(PLUGIN_NAME) cmd/$(PLUGIN_NAME)/main.go
+
+build: clean fmt
+	$(ENVVAR) CGO_ENABLED=0 go build -mod vendor -o $(APP_NAME) cmd/$(APP_NAME)/main.go
+	$(ENVVAR) CGO_ENABLED=0 go build -mod vendor -o $(PLUGIN_NAME) cmd/$(PLUGIN_NAME)/main.go
+
+container: clean fmt
+	docker build -f Dockerfile -t $(APP_NAME):local .
+
+deploy: container
+	kind load docker-image $(APP_NAME):local
+	# build the kubectl-pi plugin (to use it from your Mac)
+	rm -rf $(PLUGIN_NAME)
+	env GOOS=darwin GOARCH=amd64 go build -mod vendor -o $(PLUGIN_NAME) cmd/$(PLUGIN_NAME)/main.go
+	export PATH="$(PWD):$(PATH)"
+	./demo/deploy.sh
+
+.PHONY: clean fmt test-unit build-cgo build container deploy
@@ -1,13 +1,149 @@
+# kube-exec-controller
+[![Project Status](https://opensource.box.com/badges/active.svg)](https://opensource.box.com/badges)
+[![Build Status](https://app.travis-ci.com/box/kube-exec-controller.svg?branch=main)](https://app.travis-ci.com/box/kube-exec-controller)
+[![Go Report Card](https://goreportcard.com/badge/github.com/box/kube-exec-controller)](https://goreportcard.com/report/github.com/box/kube-exec-controller)
+
+kube-exec-controller is an [admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) for handling container drift (caused by kubectl `exec`, `attach`, `cp`, or other interactive requests) inside a Kubernetes cluster. It runs as a Deployment and can be referred in a `ValidatingWebhookConfiguration` (see the provided [demo/](demo/) as an example) to detect and evict interacted Pods after a pre-defined interval. This project also includes a [kubectl plugin](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/), named `kubectl-pi` (*pod-interaction*), for checking such interacted Pods or extending their eviction time.
+
+Here is an overview of running a `kubectl exec` command in a K8s cluster with this admission controller service enabled:
+
+![workflow-diagram](workflow-diagram.png)
+
+## Install
+#### Prerequisite
+- [Docker (17.05+)](https://www.docker.com/get-started)
+- [Kubernetes (1.16+)](https://kubernetes.io/)
+- [Kind (for local development only)](https://kind.sigs.k8s.io/)
+
+If you have a local K8s cluster up running, you can deploy kube-exec-controller and apply its validating admission webhooks simply by:
+```
+$ git clone [email protected]:box/kube-exec-controller.git
+$ cd kube-exec-controller
+$ make deploy
+```
+
+You should get a demo app and its admission webhooks deployed after the above `make deploy` command completes:
+```
+$ kubectl get pod,service -n kube-exec-controller
+NAME                               READY   STATUS    RESTARTS   AGE
+pod/demo-deploy-5d5cd95f94-jwf5b   1/1     Running   0          9s
+
+NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
+service/demo-service   ClusterIP   10.96.211.63   <none>        443/TCP   9s
+
+$ kubectl get ValidatingWebhookConfiguration
+NAME                             WEBHOOKS   AGE
+demo-validating-webhook-config   2          24s
+```
+
+To see how kube-exec-controller works, let's create a test Pod in your local cluster and send a `kubectl exec` request to it:
+```
+$ kubectl run test --image=nginx
+pod/test created
+
+$ kubectl exec test -- touch new-file
+```
+
+You will see the test Pod has some labels attached and receives corresponding K8s events from our controller app:
+```
+$ kubectl get pod --show-labels
+NAME   READY   STATUS    RESTARTS   AGE   LABELS
+test   1/1     Running   0          2s    box.com/podInitialInteractionTimestamp=1634408037,box.com/podInteractorUsername=kubernetes-admin,box.com/podTTLDuration=2m0s,run=test
+
+$ kubectl describe pod test
+...
+Warning  PodInteraction  20s   kube-exec-controller  Pod was interacted with 'kubectl exec/attach' command by a user 'kubernetes-admin' initially at time 2021-10-16 18:04:44.5257517 +0000 UTC m=+27.185038701
+Warning  PodInteraction  21s   kube-exec-controller  Pod will be evicted at time 2021-10-16 18:06:44 +0000 UTC (in about 1m59s)
+```
+
+You can also utilize the `kubectl pi` plugin to get more detailed info or request an extension to the test Pod's eviction time:
+```
+$ kubectl pi get
+POD_NAME  INTERACTOR        POD_TTL  EXTENSION  EXTENSION_REQUESTER  EVICTION_TIME
+test      kubernetes-admin  2m0s                                     2021-10-16 18:06:44 +0000 UTC
+
+$ kubectl pi extend --duration=1m
+Successfully extended the termination time of pod/test with a duration=1m
+
+$ kubectl pi get
+POD_NAME  INTERACTOR        POD_TTL  EXTENSION  EXTENSION_REQUESTER  EVICTION_TIME
+test      kubernetes-admin  2m0s     1m         kubernetes-admin     2021-10-16 18:07:44 +0000 UTC
+
+$ kubectl describe pod test
+...
+Warning  PodInteraction  30s   kube-exec-controller  Pod eviction time has been extended by '1m', as requested from user 'kubernetes-admin'. New eviction time: 2021-10-16 18:07:44 +0000 UTC
+Warning  PodInteraction  30s   kube-exec-controller  Pod will be evicted at time 2021-10-16 18:07:44 +0000 UTC (in about 2m21s)
+```
+
+## Usage
+#### kube-exec-controller
+```
+$ kube-exec-controller --help
+Usage of kube-exec-controller:
+  -api-server string
+    	URL to K8s api-server, required if kube-proxy is not set up
+  -cert-path string
+    	Path to the PEM-encoded TLS certificate
+  -extend-chan-size int
+    	Buffer size of the channel for handling Pod extension (default 500)
+  -interact-chan-size int
+    	Buffer size of the channel for handling Pod interaction (default 500)
+  -key-path string
+    	Path to the un-encrypted TLS key
+  -log-level debug
+    	Log level. debug, `info`, `warn`, `error` are currently supported (default "info")
+  -namespace-allowlist string
+    	Comma separated list of namespaces that allow interaction without evicting their Pods
+  -port int
+    	Port for the app to listen on (default 8443)
+  -ttl-seconds int
+      TTL (time-to-live) of interacted Pods before getting evicted by the controller (default 600)
+```
+
+#### kubectl-pi
+```
+$ kubectl pi --help
+Get pod interaction info or request an extension of its termination time
+
+Usage:
+  kubectl pi [command] [flags]
+
+Examples:
+
+    # get interaction info of specified pod(s)
+    kubectl pi get <pod-name-1> <pod-name-2> <...> -n POD_NAMESPACE
+
+    # get interaction info of all pods under the given namespace
+    kubectl pi get -n <pod-namespace> --all
+
+    # extend termination time of interacted pod(s)
+    kubectl pi extend -d <duration> <pod-name-1> <pod-name-2> <...> -n POD_NAMESPACE
+
+    # extend termination time of all interacted pods under the given namespace
+    kubectl pi extend -d <duration> -n <pod-namespace> --all
+
+Flags:
+  -a, --all                            if present, select all pods under specified namespace (and ignore any given pod podName)
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+  -d, --duration string                a relative duration such as 5s, 2m, or 3h, default to 30m (default "30m")
+  -h, --help                           help for kubectl
+  -n, --namespace string               If present, the namespace scope for this CLI request
+  ...
+```
+
+## Contribution
+Refer to [CONTRIBUTING.md](CONTRIBUTING.md)
+
 ## Copyright and License
-  
-Copyright 2015 Box, Inc. All rights reserved.
- 
+Copyright 2021 Box, Inc. All rights reserved.
+
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
- 
+
    http://www.apache.org/licenses/LICENSE-2.0
- 
+
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.