access the parent docker daemon from the container

Recently I had a need to build/start/stop some sibling containers (vs. Docker within Docker). The way to do it is to expose a pipeline from the host to the container:

For a single container:

docker run -v /var/run/docker.sock:/var/run/docker.sock

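For Docker Compose:

services:
  container-to-control-other-sibling-containers:
    image: xyz
    build:
      context: .folder/to/the/controller/container/image
    ports:
      - 5000:5000
    volumes:
      - ./:/app
      # the socket gives this container full control of the host's Docker
      # daemon, which is root-equivalent on the host
      - /var/run/docker.sock:/var/run/docker.sock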


Actually, the daemon could also listen for connections from other hosts (configuration):
https://docs.docker.com/v17.09/engine/admin/#configure-the-docker-daemon

K8s client authentication

I have been working on a serverless framework recently, which I have put onto EKS.

Most of the stuff worked, except the CLI, which leverages the k8s client-go library to authenticate and is not able to do so with EKS (it works well with Azure AKS and GCP).

It turns out the issue was with the k8s client-go library, which doesn’t deal with aws-iam-authenticator. As a workaround, the patch is to apply the service account as a bearer token.


# command to get the token
kubectl describe secret account -n namespace | grep -E '^token' | cut -f2 -d':' | tr -d " "

Then, in client-go, patch the token into the bearer header:


// retrieve the token either from a secret file or an env var
// (note: Go does not expand "~", so use an absolute path)
//token, err := ioutil.ReadFile("~/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountTokenKey)
//token := os.Getenv("BEARER_TOKEN")

// add the header if it's not yet there ("xxx" stands for the token retrieved above)
r.headers.Set("Authorization", "Bearer xxx")

// before the real HTTP call
resp, err := client.Do(req)
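
The same idea can be done without editing client-go's request.go, by wrapping the HTTP transport. This is an added example, not code from the linked pull request or from client-go; `withBearer` and `bearerTransport` are hypothetical names and it uses only the Go standard library. It adds the header only when none is present, trims the token, and refuses to attach it to a non-HTTPS request.

```go
package main

import (
	"errors"
	"net/http"
	"os"
	"strings"
)

// withBearer (hypothetical helper) returns a copy of req carrying the token.
// A request that already has an Authorization header is returned untouched.
func withBearer(req *http.Request, token string) (*http.Request, error) {
	if req.Header.Get("Authorization") != "" {
		return req, nil
	}
	token = strings.TrimSpace(token) // kubectl|cut or a file read can leave whitespace
	if token == "" {
		return nil, errors.New("bearer token is empty")
	}
	// A bearer token is a replayable credential: keep it off plaintext HTTP.
	if req.URL.Scheme != "https" {
		return nil, errors.New("refusing to send bearer token over " + req.URL.Scheme)
	}
	out := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	if out.Header == nil {
		out.Header = http.Header{}
	}
	out.Header.Set("Authorization", "Bearer "+token)
	return out, nil
}

// bearerTransport (hypothetical type) plugs withBearer into any http.Client.
type bearerTransport struct {
	token string
	base  http.RoundTripper
}

func (t bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	out, err := withBearer(req, t.token)
	if err != nil {
		return nil, err
	}
	return t.base.RoundTrip(out)
}

func main() {
	client := &http.Client{Transport: bearerTransport{token: os.Getenv("BEARER_TOKEN"), base: http.DefaultTransport}}
	_ = client // BEARER_TOKEN is the env var from the snippet above; use client.Do(req) as usual
}
```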

Refer to:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html
https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/
https://github.com/kubernetes/client-go/blob/master/rest/request.go
https://github.com/1wpro2/nuclio/pull/1