Introduce a pure-HTTP (no K8s client) query mode for use when only API access is available (e.g. Kubecost Cloud) #128

Open
michaelmdresser opened this issue Aug 15, 2022 · 10 comments
Labels
enhancement New feature or request hosted

Comments

@michaelmdresser
Contributor

Problem

Users of Kubecost's hosted product do not have cluster/kubectl access to the cluster in which the primary Kubecost instance is running, because Kubecost is hosting that in our internal infrastructure. This means they cannot use kubectl cost to get cost information because the CLI currently supports two query modes: port-forward and proxy, both of which require cluster access:

```go
if p.UseProxy {
	clientset, err := kubernetes.NewForConfig(p.RestConfig)
	if err != nil {
		return nil, fmt.Errorf("failed to create clientset for proxied query: %s", err)
	}
	bytes, err = clientset.CoreV1().Services(p.KubecostNamespace).ProxyGet("", p.ServiceName, fmt.Sprint(p.ServicePort), p.AllocationPath, p.QueryParams).DoRaw(p.Ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to proxy get kubecost. err: %s; data: %s", err, bytes)
	}
} else {
	bytes, err = portForwardedQueryService(p.RestConfig, p.KubecostNamespace, p.ServiceName, p.AllocationPath, p.ServicePort, p.QueryParams, p.Ctx)
	if err != nil {
		return nil, fmt.Errorf("failed to port forward query: %s", err)
	}
}
```

Proposed solution

Implement a new query mode http (on top of the current proxy and port-forward) that sends requests directly to a Kubecost HTTP API endpoint without using a K8s client to execute the request.

Possible additions

It would be amazing (though probably difficult) to somehow tie the current cluster in the user's Kubeconfig to a cluster ID in Kubecost, enabling intelligent filtering of Kubecost data based on the current Kubeconfig context. This is a step 2 for this request, unless it turns out to be simple. (perhaps we could see if there is a kubecost namespace and snag the cluster ID from env vars?)

@michaelmdresser michaelmdresser added enhancement New feature or request needs-triage labels Aug 15, 2022
@michaelmdresser
Contributor Author

@Adam-Stack-PM FYI. This is a feature request from a hosted customer.

@Adam-Stack-PM

@michaelmdresser, Thanks. I have added the hosted label and will get this considered for an upcoming release cycle. If you want to help move this forward, it would be great if you could add a rough time estimate.

@michaelmdresser
Contributor Author

2 days of my time due to familiarity. 3-4 days of someone else's time, in case it gets tricky.

@michaelmdresser michaelmdresser changed the title Introduce a pure-HTTP (no K8s client) query mode for use when only API access is available (e.g. Kubecost hosted) Introduce a pure-HTTP (no K8s client) query mode for use when only API access is available (e.g. Kubecost Cloud) May 11, 2023
@michaelmdresser
Contributor Author

@teevans @kwombach12 what do you think about prioritizing this soon? With the launch of KC Cloud beta, I suspect this will be an increasingly-important ask.

@kwombach12

@michaelmdresser I like this idea. Let's take a look at this in 105.

@mattray
Contributor

mattray commented May 22, 2023

I've had similar requests for authentication on OpenCost APIs so they could be exposed similarly.

@zorrobyte

Another user ask for this feature:
https://kubecost.slack.com/archives/C052PHJNQ49/p1683578888197519

@debMan

debMan commented Oct 18, 2023

We need the same feature.
In a multi-tenant OpenShift cluster, admins generally place an oauth-proxy as a sidecar to the opencost pod, to grant access to authorized users only.
So, it would be nice to set an Authorization: Bearer <TOKEN> header in addition to the direct API URL.
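One way the http query mode proposed in the issue could look, with the Authorization: Bearer header requested in the comment above. This is an added example, not code from the thread or from the kubectl-cost code base. The names buildRequest and queryHTTP, the base URL, the /model/allocation path, the window parameter and the token value are assumptions constructed for illustration.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"time"
)

// buildRequest assembles the direct GET; baseURL and token are hypothetical inputs, not existing CLI flags.
func buildRequest(ctx context.Context, baseURL, path string, params map[string]string, token string) (*http.Request, error) {
	u, err := url.Parse(baseURL)
	if err != nil || u.Host == "" {
		return nil, fmt.Errorf("invalid API base URL")
	}
	if token != "" && u.Scheme != "https" { // a token over plain HTTP is readable in transit
		return nil, fmt.Errorf("refusing to send bearer token over scheme %q", u.Scheme)
	}
	u = u.JoinPath(path)
	q := url.Values{}
	for k, v := range params {
		q.Set(k, v)
	}
	u.RawQuery = q.Encode()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err == nil && token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	return req, err
}

// queryHTTP returns the raw response body, as the proxy and port-forward branches do.
func queryHTTP(req *http.Request) ([]byte, error) {
	resp, err := (&http.Client{Timeout: 30 * time.Second}).Do(req)
	if err != nil {
		return nil, fmt.Errorf("failed to query kubecost over http: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s from kubecost API", resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 32<<20)) // bound memory use
}

func main() {
	req, err := buildRequest(context.Background(), "https://kubecost.example.com", "/model/allocation", map[string]string{"window": "1d"}, "constructed-token")
	fmt.Println(req.URL, err)
}
```

The token appears only in the request header, so neither the printed URL nor the wrapped errors disclose it. A 401 or 403 from a fronting oauth-proxy surfaces as an "unexpected status" error instead of being parsed as cost data.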

@kwombach12

@debMan thanks for bumping this! We are actively looking at solutions here
