Skip to content

bcollard/porthole

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
.idea
.idea
 
 
deploy
deploy
 
 
docs
docs
 
 
pkg
pkg
 
 
test
test
 
 
.envrc
.envrc
 
 
DEVELOPERS.md
DEVELOPERS.md
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Porthole

Web-based debugging tool for Kubernetes developers.
Pluggable authentication and authorization.
Use your own images to debug your services in a Kubernetes cluster.

Big Picture

See the following diagram for a high-level overview of the system. Big Picture

Deployment

make run

Why

  • SIMPLICITY - Abstract away Kubernetes concepts from developers. Otherwise, tooling like Lens or k9s would be another possible solution (modulo the OIDC provider issue, see below).
    Developers don't have to proxy to pods in k8s clusters. They'll rather connect to a backend app (Porthole) deployed in the same cluster (as their app) after authenticating through the API Gateway.
  • FLEXIBILITY - To test their own service, Developers can attach an ephemeral container to the pod and run their tests from there. It can be any debugging image that they can pull from a registry. So it offers more flexibility if you ever need to use a database client, like psql for instance.
  • ZERO-TRUST - To test others' svc (the ones they don't own but are allowed to access), the system relies on mesh policies that are applied in the cluster.
  • CORPORATE - Cluster might not be configured with the same IdP as the one used by the API Gateway. This is a common scenario in large organizations where different teams use different IdPs. So the k8s RBAC cannot leverage corporate identities to grant access to namespaces. Instead, authentication is delegated to the API Gateway, as explained below.

Other considerations:

  • the API GW might not run in the same cluster as the backend app (Porthole)
  • there might be no websocket connection possible between the dev laptop and the API-Server of the cluster. But a chain of connections is still possible: dev laptop/browser -> API GW (Optionally -> Ingress of another cluster) -> backend app (Porthole) -> api-server [-> kubelet -> Container Runtime] -> debug container (part of the pod NS)
    Most of these connections will use WebSockets.

Authentication

  • the API Gateway is the only entry point to the cluster
  • the API Gateway authenticates the user and forwards the request to the backend app (Porthole)
  • the backend app (Porthole) will fetch dev permissions upon receiving the request, using the id_token in the request header, and connecting to an authorization server that can map user roles/groups to a list of allowed namespaces

Authorization

TBD - could be based on Ory Oathkeeper, OPA, or a custom solution

Resources

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages