Kexer (K8s Executor) is an addon apiserver to execute commands in a Kubernetes cluster. It is designed to be used to offload long running streaming operations like exec
, cp
from the main apiserver
. It can also be used as a proxy for main apiserver
with rest of the operations proxied to the main apiserver
.
Kexer can also be used as a reverse proxy for clusters configured using a secret with endpoint and service-account token on the cluster that acts a reverse proxy
.
- Execute commands in a Kubernetes cluster
- kubectl compatible
- Support for
kubectl exec
andkubectl cp
commands - Support for
kubectl logs
command - Support for authentication and authorization delegation to the main apiserver
- serving certificate and key for the apiserver
-
Generate a serving certificate and key for the apiserver. The certificate and key should be in
PEM
format. The certificate should be either signed by a CA trusted by thekube-apiserver
(default) or Public CA or self signed. In case of Public CA or self signed, set the caBundle in theconfig/kexer-apiservice.yaml
. The serving certificate and key should be set in theSecret
objectconfig/kexer-serving-cert.yaml
. -
Run the following command to install the addon:
kubectl apply -f https://raw.githubusercontent.com/Commvault/kexer/master/config
The addon can be configured as a NodePort
or LoadBalancer
service. The default configuration is ClusterIP
. A sample configuration for NodePort
service is available in sample/node-svc.yaml
file.
The addon supports authentication and authorization delegation to the main apiserver. To enable this feature, create a kubeconfig with following endpoint url and use the client certificate
or the ServiceAccount
token. A sample kubeconfig file is available in sample/kubeconfig.yaml
file.
Example:
server: https://woker-node:node-port/apis/backup.cv.io/v1/namespaces/default/clusters/local/exec
kubectl exec -it <pod-name> -- <command>
kubectl cp <pod-name>:<path> <local-path>
Create a Secret
object with the following keys. You can use the sample/cluster-creds-secret.yaml
file as a template.
endpointUrl
: The endpoint of the cluster to be proxiedtoken
: The service account token for the cluster to be proxied
The url for the reverse proxy in the kubeconfig is:
https://<kexer-host>:<kexer-port>/apis/backup.cv.io/v1/namespaces/<secret-namespace>/clusters/<secret-name>/exec