Struct K8sClient 

pub struct K8sClient { /* private fields */ }

A namespaced kube client plus this process’s instance identity.

Implementations

impl K8sClient

pub async fn connect(namespace: impl Into<String>) -> Result<Self, K8sError>

Install the rustls CryptoProvider, connect a client from the ambient config (in-cluster ServiceAccount or kubeconfig), and scope it to namespace.

pub fn from_client(client: Client, namespace: String) -> Self

Wrap an already-constructed client (used by tests and callers that share a client across backends).

pub fn namespace(&self) -> &str

The namespace Pods are created in.

pub fn instance_id(&self) -> &str

This process’s instance identity (fakecloud-<pid>), used for the labels::INSTANCE label.

pub fn client(&self) -> &Client

The underlying client, for callers that need raw API access.

pub fn pods(&self) -> Api<Pod>

Namespaced Pod API handle.

pub async fn create_pod(&self, pod: &Pod) -> Result<(), K8sError>

Create pod, first deleting any stale Pod with the same name left behind by a previous process (which would otherwise make create return 409 Conflict). Retries the create a few times while the API server finishes deleting the old Pod.

pub async fn wait_for_pod_ip( &self, name: &str, timeout: Duration, ) -> Result<String, K8sError>

Poll until the Pod has a non-empty status.podIP and phase Running, returning the IP. Errors if the Pod reaches a terminal phase (Failed/Succeeded) during startup or if timeout elapses first.

pub async fn wait_for_tcp( ip: &str, port: u16, timeout: Duration, ) -> Result<(), K8sError>

TCP-handshake ip:port until it accepts a connection or timeout elapses. A Pod being Running doesn’t guarantee the process inside it is listening yet, so backends follow wait_for_pod_ip with this.

pub async fn exec( &self, pod: &str, container: Option<&str>, cmd: &[&str], ) -> Result<ExecOutput, K8sError>

Run cmd inside pod (in container, or the default container when None) and collect stdout/stderr/exit-code. This is the k8s equivalent of docker exec — used for operations like issuing redis-cli commands or copying a file out of a Pod.

pub async fn exec_with_stdin( &self, pod: &str, container: Option<&str>, cmd: &[&str], stdin: &[u8], ) -> Result<ExecOutput, K8sError>

Like exec but writes stdin to the command’s standard input first (then closes it). Used for piping a SQL dump into psql/mysql during a restore — the k8s equivalent of docker exec -i ... < dump.

pub async fn pod_logs( &self, pod: &str, container: Option<&str>, ) -> Result<String, K8sError>

Fetch a Pod container’s logs (the k8s equivalent of docker logs) — used for log-marker readiness on engines that don’t expose a connect-based probe (Oracle / SQL Server / Db2).

pub async fn delete_pod(&self, name: &str)

Delete a Pod by name. Idempotent — a 404 (already gone) is treated as success; other errors are logged but not returned, since teardown is best-effort.

pub async fn reap_stale(&self, service: &str) -> usize

Delete Pods of the given service left behind by a different process. Lists Pods labelled with both labels::MANAGED_BY and the service value, and deletes those whose labels::INSTANCE differs from this process’s. Mirrors the Docker reaper so a restart doesn’t leak the previous run’s Pods. Returns the count reaped.

pub fn network_policies(&self) -> Api<NetworkPolicy>

Namespaced NetworkPolicy API handle.

pub async fn apply_network_policy(&self, np: &NetworkPolicy)

Create or replace a NetworkPolicy (delete-then-create, like create_pod, so a re-apply with changed rules always lands). Best-effort: errors are logged, not propagated, since a failed policy apply must never fail the originating EC2 API call.

pub async fn prune_network_policies(&self, keep: &HashSet<String>)

Delete every NetworkPolicy owned by this process (managed-by + this instance label) whose name is not in keep. Prunes policies for instances that have since terminated. Best-effort.

pub async fn cni_component_names(&self) -> Vec<String>

Best-effort detection of the cluster CNI from Pod names across the namespaces CNIs commonly install into (e.g. calico-node-*, cilium-*, kindnet-*). Returns the matched component names; the caller maps them to a driver. An empty result (lists failed or no recognizable CNI) maps to “unknown”.

Scans kube-system plus the operator namespaces Calico/Cilium use (calico-system, tigera-operator, cilium) so a Tigera-operator or dedicated-namespace install isn’t mis-reported as non-enforcing (bug-hunt 2026-06-18 finding 1.6). Per-namespace list errors (RBAC / absent namespace) are swallowed.

Trait Implementations

impl Clone for K8sClient

fn clone(&self) -> K8sClient

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.