kubernetes, cloud

I am new to Kubernetes and want to understand if this agent will be able to mess up my cluster somehow


Recently I was searching for ways to reduce my cloud bill and came across a company named CAST.AI.

So to run a savings report you need to install their agent in your cluster, and they claim it is read-only.

How do I check if this is true?

This comes from the YAML file they provide (too long to paste the whole manifest here)


Solution

    Short answer

    Based on the CAST.AI manifest it's indeed read-only, and it's safe to say it won't mess up anything in the cluster.

    Detailed answer

    In short, the manifest will create: a namespace, a serviceaccount, a clusterrole with read-only permissions, a clusterrolebinding (which maps the service account to the cluster role), a secret and a deployment with a pod that will collect the cluster's data.

    A ClusterRole means that the service account bound to it will have access with the given verbs across all namespaces (which is fine for a resource audit).

    Below is the ClusterRole from the manifest (I added several comments; the structure is the same):

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: castai-agent
      labels:
        "app.kubernetes.io/name": castai-agent
    rules:
      # ---
      # Required for cost savings estimation features.
      # ---
      - apiGroups: # api group to look in
          - ""
        resources: # resources this ClusterRole will have access to
          - pods
          - nodes
          - replicationcontrollers
          - persistentvolumeclaims
          - persistentvolumes
          - services
        verbs: # what this cluster role is allowed to do
          - get
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - namespaces
        verbs:
          - get
      - apiGroups:
          - "apps"
        resources:
          - deployments
          - replicasets
          - daemonsets
          - statefulsets
        verbs: # what this cluster role is allowed to do with the resources above
          - get
          - list
          - watch
      - apiGroups:
          - "storage.k8s.io"
        resources:
          - storageclasses
          - csinodes
        verbs: # what this cluster role is allowed to do
          - get
          - list
          - watch
      - apiGroups:
          - "batch"
        resources:
          - jobs
        verbs: # what this cluster role is allowed to do
          - get
          - list
          - watch

    All actions this ClusterRole is allowed to perform are get, list and watch, which are harmless.

    Here is a list of all available verbs:

    • get
    • list
    • create
    • update
    • patch
    • watch
    • delete
    • deletecollection

    list of all available attributes, including verbs

    Resources and limits

    In the worst case scenario the CAST.AI pod will consume resources up to its limit (this part is in the deployment); however, with today's clusters it shouldn't be an issue:

          resources:
            requests:
              cpu: 100m
              memory: 64Mi
            limits:
              cpu: 1000m
              memory: 256Mi
    

    Requests means that this amount of resources is required for the kubelet to run this pod on the node.

    Limits, as the name says, limit the maximum possible resource allocation for the pod. If it tries to consume more, it will be evicted and rescheduled to be created again.

    Useful links:
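To turn the manual read of the ClusterRole above into a repeatable check, here is an added example audit script. It is not CAST.AI's code and not part of the answer; it only knows the rules shown in this thread. It takes the JSON that `kubectl get clusterrole,clusterrolebinding,role,rolebinding -A -o json` prints on stdin (or a saved manifest converted to JSON), flags any rule whose verbs go beyond get/list/watch, wildcards, read access to secrets, and `create` on exec-like subresources, and reports which subjects each role is bound to. The binding name, service-account name and namespace in the embedded sample are assumptions, since the thread does not show them; the second role is constructed purely for contrast.

```python
"""Audit Kubernetes RBAC objects for anything beyond read-only access.

Added example for the thread above; not CAST.AI's code. Feed it
`kubectl get clusterrole,clusterrolebinding,role,rolebinding -A -o json`
on stdin, or run it with no input to audit the constructed sample below.
"""
import json
import sys

# The verbs the answer calls harmless: they never change cluster state.
READ_ONLY_VERBS = {"get", "list", "watch"}
# Subresources where "create" means executing in or tunnelling to a pod, not creating an object.
EXEC_LIKE = ("/exec", "/attach", "/portforward", "/proxy")
# Read access to these exposes credentials, worth flagging even with read-only verbs.
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token"}


def audit_rules(rules):
    """Return findings for one Role/ClusterRole; an empty list means strictly read-only."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append(f"rule {i}: wildcard in apiGroups/resources/verbs")
        write = verbs - READ_ONLY_VERBS - {"*"}
        if write:
            findings.append(f"rule {i}: non-read verbs {sorted(write)} on {sorted(resources)}")
        exec_like = sorted(r for r in resources if r.endswith(EXEC_LIKE))
        if exec_like and verbs & {"create", "*"}:
            findings.append(f"rule {i}: create on {exec_like} is command execution, not reading")
        sensitive = sorted(resources & SENSITIVE_RESOURCES)
        if sensitive:
            findings.append(f"rule {i}: reads {sensitive} (credential exposure)")
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {i}: nonResourceURLs {rule['nonResourceURLs']}")
    return findings


def subject_id(subject):
    """Render a binding subject as kind:namespace/name (namespace only for namespaced subjects)."""
    ns = subject.get("namespace")
    return f"{subject['kind']}:{ns + '/' if ns else ''}{subject['name']}"


def audit_manifest(objects):
    """Audit every Role/ClusterRole in `objects` and record which subjects are bound to it."""
    report, bound_to = {}, {}
    for obj in objects:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name")
        if kind in ("Role", "ClusterRole"):
            report[f"{kind}/{name}"] = {"findings": audit_rules(obj.get("rules", [])), "bound_to": []}
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            ref = obj["roleRef"]
            key = f"{ref['kind']}/{ref['name']}"
            bound_to.setdefault(key, []).extend(subject_id(s) for s in obj.get("subjects", []))
    for key, subjects in bound_to.items():
        # A binding to a role missing from the input (e.g. a built-in one) still deserves a line.
        report.setdefault(key, {"findings": ["role not in input; inspect it separately"], "bound_to": []})
        report[key]["bound_to"].extend(subjects)
    return report


def load_objects(text):
    """Accept a kubectl List (with `items`), a JSON array, or a single object."""
    data = json.loads(text)
    if isinstance(data, dict) and "items" in data:
        return data["items"]
    return data if isinstance(data, list) else [data]


# Constructed sample: the castai-agent ClusterRole rules transcribed from the answer above, a
# binding with ASSUMED names (the thread shows neither the binding nor the namespace), and a
# deliberately broad role invented here for contrast.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "castai-agent"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "nodes", "replicationcontrollers",
                                          "persistentvolumeclaims", "persistentvolumes", "services"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "daemonsets", "statefulsets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses", "csinodes"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list", "watch"]},
    ]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "castai-agent"},  # assumed name
     "roleRef": {"kind": "ClusterRole", "name": "castai-agent"},
     "subjects": [{"kind": "ServiceAccount", "name": "castai-agent", "namespace": "castai-agent"}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-too-broad"}, "rules": [  # constructed
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]},
    ]},
]

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    objects = load_objects(text) if text.strip() else SAMPLE_OBJECTS
    for role, info in audit_manifest(objects).items():
        verdict = "read-only" if not info["findings"] else "NOT read-only"
        print(f"{role}: {verdict}; bound to {info['bound_to'] or 'nothing'}")
        for finding in info["findings"]:
            print(f"  - {finding}")
```

Run against the sample, the castai-agent role comes back with no findings and the constructed role with four. The script only sees RBAC objects you give it, so once the agent is installed it is worth confirming the effective permissions with `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<serviceaccount>`, which also covers any Role/RoleBinding or aggregated ClusterRole the manifest excerpt did not show. Note that an RBAC audit says nothing about what the pod does with the data it reads or what the secret in the manifest contains; those parts of the manifest deserve their own look.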