I am new to Kubernetes and want to understand if this agent will be able to mess up my cluster somehow

7/26/2021

Recently I was searching for ways to reduce cloud bill and came up to a company named CAST.AI.

So to run a savings report you need to install their agent to your cluster and they claim it is read-only.

How do I check if this is true?

This comes from the yaml file they provide (too long to paste whole manifest here)

-- Bob
cloud
kubernetes

1 Answer

7/28/2021

Short answer

Based on the cast.io manifest, it's indeed read-only, and it's safe to say it won't mess up anything in the cluster.

Detailed answer

In short, the manifest will create: a namespace, a service account, a ClusterRole with read-only permissions, a ClusterRoleBinding (where the mapping between the service account and the cluster role happens), a secret and a deployment with a pod which will collect the cluster's data.

ClusterRole means that the service account linked to this ClusterRole will have access with the given verbs within all namespaces (which is fine for a resource audit).

Below is the ClusterRole from the manifest (I added several comments at the beginning; the structure is the same):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: castai-agent
  labels:
    "app.kubernetes.io/name": castai-agent
rules:
  # ---
  # Required for cost savings estimation features.
  # ---
  - apiGroups: # api group to look in
      - ""
    resources: # resources this ClusterRole will have access to
      - pods
      - nodes
      - replicationcontrollers
      - persistentvolumeclaims
      - persistentvolumes
      - services
    verbs: # what this cluster role is allowed to do
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs: # what this cluster role is allowed to do with the resources above
      - get
      - list
      - watch
  - apiGroups:
      - "storage.k8s.io"
    resources:
      - storageclasses
      - csinodes
    verbs: # what this cluster role is allowed to do
      - get
      - list
      - watch
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs: # what this cluster role is allowed to do
      - get
      - list
      - watch

All actions this ClusterRole is allowed to perform are get, list and watch, which are harmless.

Here is a list of all available verbs:

  • get
  • list
  • create
  • update
  • patch
  • watch
  • delete
  • deletecollection

list of all available attributes, including verbs

Resources and limits

In the worst-case scenario the cast.io pod will consume resources up to its limit (this part is in the deployment); however, with today's clusters it shouldn't be an issue:

      resources:
        requests:
          cpu: 100m
          memory: 64Mi
        limits:
          cpu: 1000m
          memory: 256Mi

Requests means that this amount of resources is required for the kubelet to run this pod on the node.

Limits, as the name says, limit the maximum possible resource allocation for the pod. If it tries to consume more, it will be evicted and rescheduled to be created again.

Useful links:

-- moonkotte
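One way to turn the check in this answer into something repeatable, as an added example that is not part of either post: a small Python script that takes the JSON object `kubectl get clusterrole castai-agent -o json` prints (same fields as the YAML manifest) and flags any verb outside get/list/watch, any wildcard grant, and the escalation verbs bind/escalate/impersonate. The two embedded roles are constructed for this snippet; the first mirrors part of the castai-agent ClusterRole above, the second is a hypothetical role that is not read-only.

```python
"""Audit a Role/ClusterRole object for anything beyond read-only access."""
import json

READ_ONLY_VERBS = {"get", "list", "watch"}
# Verbs that let a subject gain further rights rather than just change objects.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}


def audit_role(role: dict) -> list[str]:
    """Return findings for each rule; an empty list means the role only
    grants get/list/watch on explicitly named groups and resources."""
    findings = []
    name = role.get("metadata", {}).get("name", "<unnamed>")
    for idx, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        where = f"{name} rule[{idx}] {groups} {resources}"
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append(f"{where}: wildcard grant")
        for v in sorted(verbs & ESCALATION_VERBS):
            findings.append(f"{where}: escalation verb '{v}'")
        for v in sorted(verbs - READ_ONLY_VERBS - ESCALATION_VERBS - {"*"}):
            findings.append(f"{where}: write verb '{v}'")
    return findings


# Constructed sample: a subset of the castai-agent ClusterRole shown above.
CASTAI_AGENT_ROLE = json.loads("""{
  "kind": "ClusterRole", "metadata": {"name": "castai-agent"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes", "services"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"], "verbs": ["get", "list", "watch"]}
  ]}""")

# Constructed, hypothetical role that looks similar but is not read-only.
WRITER_ROLE = json.loads("""{
  "kind": "ClusterRole", "metadata": {"name": "hypothetical-writer"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "patch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}
  ]}""")

if __name__ == "__main__":
    for role in (CASTAI_AGENT_ROLE, WRITER_ROLE):
        print(role["metadata"]["name"], audit_role(role) or ["read-only"])
```

To run it against a live cluster, feed it `json.load(open(path))` where `path` holds the output of `kubectl get clusterrole castai-agent -o json`.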
Source: StackOverflow