wonderful-yacht-97719

02/27/2019, 7:38 PM
any thoughts about a controller-based workflow for kubernetes? i.e. pulumi running in the cluster checking git repos for changes, then applying the changes when detected (and/or on a schedule)

creamy-potato-29402

02/27/2019, 7:38 PM
@wonderful-yacht-97719 this is something we’re actively thinking about.
Something that will automatically monitor and do things like generate slack messages when observed state differs from desired state in git
this sort of thing is very useful.
no specific plan yet though

wonderful-yacht-97719

02/27/2019, 7:41 PM
I’m sure something could be hacked together today using the CLI and other components. but something “official”, possibly with hooks into the console/UI, would be very interesting

creamy-potato-29402

02/27/2019, 7:42 PM
yeah, it’s very appealing.
We have almost everything we need to do it, we just have so much work we haven’t gotten around to it.

wonderful-yacht-97719

02/27/2019, 7:43 PM
completely understand

creamy-potato-29402

02/27/2019, 7:43 PM
e.g., we have the ability to output machine-readable data about pulumi runs.
If there was a groundswell of interest from community or customers it would probably be something we’d think more seriously about.

wonderful-yacht-97719

02/27/2019, 7:45 PM
challenge accepted

fancy-magazine-29876

02/27/2019, 8:22 PM
this would be an awesome thing to have, but is definitely a nice-to-have imo

orange-policeman-59119

02/27/2019, 8:42 PM
probably worth noting there are pretty significant security implications from allowing something in the cluster that degree of control, FWIW if you're in a compliance-regulated industry
it's an ouroboros of auth issues, and a great way to escalate from "merely" being able to see a service account or secret in K8s to having full control of it and much more (because pulumi can manage the existence of clusters themselves)

creamy-potato-29402

02/27/2019, 9:29 PM
@orange-policeman-59119 that’s true, but the alternative is having an external component that has god mode privileges for your cluster.
I almost always prefer to keep it in-cluster.

orange-policeman-59119

02/27/2019, 10:37 PM
Something like this would be attractive if, until invoked with the appropriate key (say, a service with the appropriate service account delegated it permissions) it could only operate in a monitoring mode.