Ability to retrieve Ark server version

[nrb]

Right now, it's not immediately apparent that the output of ark version is the client only, and getting the version of the server is done via kubectl.

We should consider adding an endpoint so the client can report the version, much in the same way kubectl version works.

[nrb]

@mattmoyer Hey Matt, do you see this kind of feature being a security concern? One point that was brought up was that if there's an endpoint for the version, a client could do version sniffing and then use known vulnerabilities.

I'm wondering if it's really that much different than kubectl version and our current way of looking up the server version - kubectl logs deploy/ark -n heptio-ark, which has the version in the first few lines of output.

[ncdc]

Thinking about this more, it's probably ok (especially since kubectl version reports similar information about the server).

Getting the request from the client to the ark server pod could be challenging, depending on the networking setup. We should assume that most invocations of ark version happen outside the Kubernetes cluster (e.g., on your laptop). This means there needs to be some sort of ingress into the cluster - a regular Service won't be sufficient. We could consider attempting to proxy through the apiserver, but many/most clusters may have that locked down and unavailable.

We may want to consider adding new configuration options to ark client config set, such as (names TBD):

• serverUrl
• useKubernetesProxy

We also will want to be careful not to expose the metrics endpoint - presumably that should remain private/protected (although as I understand it, if you run a pod on the cluster and there aren't any network policy rules, the pod can access the metrics endpoint, and we don't have any authn/authz for it...).

cc @rosskukulinski

[ncdc]

Decision: add a Status CRD that for now just contains the server version. Update the ark version command to use that to get the server's version. We'll create a new issue for an ark status command with additional details.

[mattmoyer]

@nrb I don't think it's a serious security concern. It can be nice to avoid version fingerprinting for publicly-exposed services, but for something like Ark (or the Kubernetes API) that's generally only exposed internally, I think it's generally accepted that the inspectability is worth making it easier to fingerprint.