Change Details

Tracking ticket for initial deployment of Kubernetes to Tool Labs. The initial deployment will allow whitelisted tools to run arbitrary docker containers in NFS-free instances directly via the `kubectl` tool. Should have: # Debian packages # Authentication setup ## Helper scripts to create authentication tokens and namespace # Authorization setup ## ABAC rules to restrict users to their own namespace only # DNS for services, available from rest of toollabs Things that will be missing: # NFS access - Kubernetes doesn't allow gid to be specified explicitly, preventing us from writing an admission controller for this # One-off jobs # Scheduled jobs (cron-like) # Compatibility layer for current commands (jsub, webservice, jstart) # Custom docker image building + local docker repository

Tracking ticket for initial deployment of Kubernetes to Tool Labs. The initial deployment will allow whitelisted tools to run arbitrary docker containers in NFS-free instances directly via the `kubectl` tool. Should have: # Debian packages # Authentication setup ## Helper scripts to create authentication tokens and namespace # Authorization setup ## ABAC rules to restrict users to their own namespace only # DNS for services, available from rest of toollabs # Webproxy from tools.wmflabs.org/<toolname> to a running webservice container, if there is one. ## Define what are web services and what are not. Things that will be missing: # NFS access - Kubernetes doesn't allow gid to be specified explicitly, preventing us from writing an admission controller for this # One-off jobs # Scheduled jobs (cron-like) # Compatibility layer for current commands (jsub, webservice, jstart) # Custom docker image building + local docker repository

Tracking ticket for initial deployment of Kubernetes to Tool Labs. The initial deployment will allow whitelisted tools to run arbitrary docker containers in NFS-free instances directly via the `kubectl` tool. Should have: # Debian packages # Authentication setup ## Helper scripts to create authentication tokens and namespace # Authorization setup ## ABAC rules to restrict users to their own namespace only # DNS for services, available from rest of toollabs # Webproxy from tools.wmflabs.org/<toolname> to a running webservice container, if there is one. ## Define what are web services and what are not. Things that will be missing: # NFS access - Kubernetes doesn't allow gid to be specified explicitly, preventing us from writing an admission controller for this # One-off jobs # Scheduled jobs (cron-like) # Compatibility layer for current commands (jsub, webservice, jstart) # Custom docker image building + local docker repository