Tracking ticket for initial deployment of Kubernetes to Tool Labs.
The initial deployment will allow whitelisted tools to run arbitrary Docker containers in NFS-free instances directly via the kubectl tool.
Should have:
- Debian packages
- Authentication setup
- Helper scripts to create authentication tokens and namespace
- Authorization setup
- ABAC rules to restrict users to their own namespace only
- DNS for services, available from the rest of Tool Labs
- Webproxy from tools.wmflabs.org/<toolname> to a running webservice container, if there is one.
- Define what are web services and what are not.
Things that will be missing:
- NFS access - Kubernetes doesn't allow gid to be specified explicitly, preventing us from writing an admission controller for this
- One-off jobs
- Scheduled jobs (cron-like)
- Compatibility layer for current commands (jsub, webservice, jstart)
- Custom Docker image building + local Docker repository
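
To illustrate the authentication and authorization items above, here is an added example (not code from this ticket or from the Tool Labs deployment) that generates a row for the Kubernetes static token file and a per-tool ABAC policy, then audits a policy file for rules that reach past a tool's own namespace. It assumes each tool's namespace is named after the tool; the tool names, the uid and the `admins` parameter are hypothetical.

```python
import json
import secrets

API_VERSION = "abac.authorization.kubernetes.io/v1beta1"


def token_row(tool, uid):
    """One row of the API server's static token file: token,user,uid."""
    return f"{secrets.token_hex(32)},{tool},{uid}"


def tool_policy(tool):
    """ABAC policy: user <tool> gets every resource, but only in namespace <tool>."""
    return {"apiVersion": API_VERSION, "kind": "Policy",
            "spec": {"user": tool, "namespace": tool,
                     "resource": "*", "apiGroup": "*"}}


def audit(policy_text, admins=()):
    """Return (line_no, reason) for every rule that reaches past its own namespace."""
    findings = []
    for no, line in enumerate(policy_text.splitlines(), 1):
        if not line.strip():
            continue
        spec = json.loads(line).get("spec", {})
        user, ns = spec.get("user", ""), spec.get("namespace", "")
        if user in admins and not spec.get("group"):
            continue  # explicitly allowed cluster-wide account (assumed list)
        if spec.get("group") or user in ("", "*"):
            findings.append((no, "rule is not bound to a single user"))
        elif ns != user:  # assumption: namespace name == tool name
            findings.append((no, f"user {user!r} granted namespace {ns!r}"))
    return findings


# Constructed sample: two generated rules plus two hand-written mistakes.
SAMPLE = "\n".join(json.dumps(p) for p in [
    tool_policy("toola"),
    tool_policy("toolb"),
    {"apiVersion": API_VERSION, "kind": "Policy",
     "spec": {"user": "toolc", "namespace": "*", "resource": "pods"}},
    {"apiVersion": API_VERSION, "kind": "Policy",
     "spec": {"group": "system:authenticated", "namespace": "toola", "resource": "*"}},
])

if __name__ == "__main__":
    print(token_row("toola", 50001))
    for no, reason in audit(SAMPLE):
        print(f"line {no}: {reason}")
```

The ABAC policy file holds one JSON object per line, so the audit can run over the deployed file before the API server is restarted with it.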