In my opinion you have 2 options here:
As suggested in the previous answer, using a client library.
Using an ambassador container pattern: ambassador containers proxy a local connection to the world; you can read more about this pattern here.
How will this solve your issue:
Instead of talking to the API server directly from your pod (as you would using kubectl), you can run kubectl proxy in an ambassador container alongside the main container and communicate with the API server through it.
Instead of talking to the API server directly, the app in the main container can connect to the ambassador through HTTP (instead of HTTPS) and let the ambassador proxy handle the HTTPS connection to the API server, taking care of security transparently. It does this by using the files from the default token’s secret volume (see the script below).
Because all containers in a pod share the same loopback network interface, your app can access the proxy through a port on localhost.
How to build such a container?
Dockerfile (uses v1.8):
FROM alpine
RUN apk update && apk add curl \
 && curl -L -O https://dl.k8s.io/v1.8.0/kubernetes-client-linux-amd64.tar.gz \
 && tar zvxf kubernetes-client-linux-amd64.tar.gz kubernetes/client/bin/kubectl \
 && mv kubernetes/client/bin/kubectl / && rm -rf kubernetes && rm -f kubernetes-client-linux-amd64.tar.gz
ADD kubectl-proxy.sh /kubectl-proxy.sh
RUN chmod +x /kubectl-proxy.sh
ENTRYPOINT /kubectl-proxy.sh
Where kubectl-proxy.sh is the following script:
#!/bin/sh
# The in-cluster API server address is injected into every pod's environment.
API_SERVER="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
# CA certificate and bearer token come from the mounted service account secret.
CA_CRT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
# kubectl proxy listens on 127.0.0.1:8001 by default, so only containers in this pod can reach it.
exec /kubectl proxy --server="$API_SERVER" --certificate-authority="$CA_CRT" --token="$TOKEN" --accept-paths='^.*'
All that's left for you to do is build this image (push it to a registry), add it as a container to your app pod, and talk to it directly through loopback.
By default, kubectl proxy binds to port 8001, and because both containers in the pod share the same network interfaces, including loopback, you can point your requests to localhost:8001.
Credit for this goes to the Kubernetes in Action book (which is awesome!)
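Wiring the ambassador into a pod, as an added example that is not part of the answer above: the manifest below assumes it is applied in the default namespace, and the ambassador image name is a placeholder for one built from the Dockerfile above. It gives the pod its own service account with read-only access to pods, so whatever the app sends through the loopback proxy is bounded by that Role rather than by the default service account.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: pod-reader
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: app-with-ambassador
spec:
  # kubectl-proxy.sh reads this account's mounted token, so the Role above bounds the proxy.
  serviceAccountName: pod-reader
  containers:
  - name: main
    image: alpine:3.18
    command: ["/bin/sh", "-c"]
    args:
    - |
      apk add --no-cache curl >/dev/null
      # Plain HTTP to the ambassador over loopback; no token or CA handling in the app.
      while true; do
        curl -s http://localhost:8001/api/v1/namespaces/default/pods | head -c 400; echo
        sleep 30
      done
  - name: ambassador
    image: example.invalid/kubectl-proxy:latest   # placeholder: built from the Dockerfile above
    # kubectl proxy binds to 127.0.0.1:8001 by default, so only containers in
    # this pod's network namespace can reach it.
```

After kubectl apply -f, kubectl logs app-with-ambassador -c main shows the pod list returned through the proxy; a request outside the Role (for example to secrets) is answered with 403 by the API server, which is the check that the account is scoped as intended.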