From 53924754867a3b0e9dc5f040efc48eca129d7c23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=2E=20Mert=20Y=C4=B1ld=C4=B1ran?=
Date: Sun, 19 Sep 2021 13:33:34 +0300
Subject: [PATCH] Fix the issues related to sensitive data filtering feature (#285)
* Run acceptance tests on pull request
* Take `options.DisableRedaction` into account
* Log `defaultTapConfig`
* Pass the `SENSITIVE_DATA_FILTERING_OPTIONS` to tapper daemon set too
* Revert "Run acceptance tests on pull request"
This reverts commit ad79f1418f2e5587f2c1282fd994415a17eeaf2f.
---
 cli/cmd/tap.go | 3 ++-
 cli/cmd/tapRunner.go | 11 ++++++-----
 cli/kubernetes/provider.go | 8 +++++++-
 tap/extensions/http/handlers.go | 4 +++-
 4 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/cli/cmd/tap.go b/cli/cmd/tap.go
index a02800853..899ac1f4a 100644
--- a/cli/cmd/tap.go
+++ b/cli/cmd/tap.go
@@ -2,11 +2,12 @@ package cmd
 import (
 "errors"
+ "os"
+
 "github.com/up9inc/mizu/cli/config"
 "github.com/up9inc/mizu/cli/config/configStructs"
 "github.com/up9inc/mizu/cli/logger"
 "github.com/up9inc/mizu/cli/telemetry"
- "os"
 "github.com/creasty/defaults"
 "github.com/spf13/cobra"
diff --git a/cli/cmd/tapRunner.go b/cli/cmd/tapRunner.go
index 0ea5a0114..e4d6042a9 100644
--- a/cli/cmd/tapRunner.go
+++ b/cli/cmd/tapRunner.go
@@ -109,7 +109,7 @@ func RunMizuTap() {
 }
 go goUtils.HandleExcWrapper(watchApiServerPod, ctx, kubernetesProvider, cancel)
- go goUtils.HandleExcWrapper(watchPodsForTapping, ctx, kubernetesProvider, targetNamespaces, cancel)
+ go goUtils.HandleExcWrapper(watchPodsForTapping, ctx, kubernetesProvider, targetNamespaces, cancel, mizuApiFilteringOptions)
 //block until exit signal or error
 waitForFinish(ctx, cancel)
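Review bot: The extra argument in the `watchPodsForTapping` goroutine call is not checked by the compiler if, as the call shape suggests, `goUtils.HandleExcWrapper` forwards its trailing arguments untyped; the helper's definition is outside this patch, so that is an inference. A mismatch between this argument list and the signature changed in the `@@ -347` hunk would then only show up at runtime, in the goroutine that keeps the tappers in step with pod changes. Wrapping the call in a closure, `go goUtils.HandleExcWrapper(func() { watchPodsForTapping(ctx, kubernetesProvider, targetNamespaces, cancel, mizuApiFilteringOptions) })`, would restore the type check, provided the helper accepts a zero-argument function. `RunMizuTap` starts and ends outside the hunk, so where `mizuApiFilteringOptions` is assigned is not visible here.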
@@ -135,7 +135,7 @@ func createMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Pro
 return err
 }
- if err := updateMizuTappers(ctx, kubernetesProvider, nodeToTappedPodIPMap); err != nil {
+ if err := updateMizuTappers(ctx, kubernetesProvider, nodeToTappedPodIPMap, mizuApiFilteringOptions); err != nil {
 return err
 }
@@ -221,7 +221,7 @@ func getMizuApiFilteringOptions() (*api.TrafficFilteringOptions, error) {
 }, nil
 }
-func updateMizuTappers(ctx context.Context, kubernetesProvider *kubernetes.Provider, nodeToTappedPodIPMap map[string][]string) error {
+func updateMizuTappers(ctx context.Context, kubernetesProvider *kubernetes.Provider, nodeToTappedPodIPMap map[string][]string, mizuApiFilteringOptions *api.TrafficFilteringOptions) error {
 if len(nodeToTappedPodIPMap) > 0 {
 var serviceAccountName string
 if state.mizuServiceAccountExists {
@@ -241,6 +241,7 @@ func updateMizuTappers(ctx context.Context, kubernetesProvider *kubernetes.Provi
 serviceAccountName,
 config.Config.Tap.TapperResources,
 config.Config.ImagePullPolicy(),
+ mizuApiFilteringOptions,
 ); err != nil {
 return err
 }
@@ -347,7 +348,7 @@ func waitUntilNamespaceDeleted(ctx context.Context, cancel context.CancelFunc, k
 }
 }
-func watchPodsForTapping(ctx context.Context, kubernetesProvider *kubernetes.Provider, targetNamespaces []string, cancel context.CancelFunc) {
+func watchPodsForTapping(ctx context.Context, kubernetesProvider *kubernetes.Provider, targetNamespaces []string, cancel context.CancelFunc, mizuApiFilteringOptions *api.TrafficFilteringOptions) {
 added, modified, removed, errorChan := kubernetes.FilteredWatch(ctx, kubernetesProvider, targetNamespaces, config.Config.Tap.PodRegex())
 restartTappers := func() {
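Review bot: `updateMizuTappers` (`@@ -221`) now takes `mizuApiFilteringOptions` as a pointer and hands it on unchanged in the `@@ -241` hunk, with no comment saying whether nil is allowed or what the callee does with it. Since the value carries the redaction switch that the tapper-side HTTP handler reads, the contract deserves a doc comment, for example `// updateMizuTappers re-applies the tapper daemon set; mizuApiFilteringOptions must be non-nil and is passed to every tapper.` The same applies to the new parameter of `watchPodsForTapping` in the `@@ -347` hunk. Both function bodies continue outside their hunks.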
@@ -371,7 +372,7 @@ func watchPodsForTapping(ctx context.Context, kubernetesProvider *kubernetes.Pro
 logger.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error building node to ips map: %v", errormessage.FormatError(err)))
 cancel()
 }
- if err := updateMizuTappers(ctx, kubernetesProvider, nodeToTappedPodIPMap); err != nil {
+ if err := updateMizuTappers(ctx, kubernetesProvider, nodeToTappedPodIPMap, mizuApiFilteringOptions); err != nil {
 logger.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error updating daemonset: %v", errormessage.FormatError(err)))
 cancel()
 }
diff --git a/cli/kubernetes/provider.go b/cli/kubernetes/provider.go
index 04a65662f..f05764b53 100644
--- a/cli/kubernetes/provider.go
+++ b/cli/kubernetes/provider.go
@@ -576,7 +576,7 @@ func (provider *Provider) CreateConfigMap(ctx context.Context, namespace string,
 return nil
 }
-func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespace string, daemonSetName string, podImage string, tapperPodName string, apiServerPodIp string, nodeToTappedPodIPMap map[string][]string, serviceAccountName string, resources configStructs.Resources, imagePullPolicy core.PullPolicy) error {
+func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespace string, daemonSetName string, podImage string, tapperPodName string, apiServerPodIp string, nodeToTappedPodIPMap map[string][]string, serviceAccountName string, resources configStructs.Resources, imagePullPolicy core.PullPolicy, mizuApiFilteringOptions *api.TrafficFilteringOptions) error {
 logger.Log.Debugf("Applying %d tapper daemon sets, ns: %s, daemonSetName: %s, podImage: %s, tapperPodName: %s", len(nodeToTappedPodIPMap), namespace, daemonSetName, podImage, tapperPodName)
 if len(nodeToTappedPodIPMap) == 0 {
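Review bot: `ApplyMizuTapperDaemonSet` (`@@ -576`) now takes eleven positional parameters, six of them plain strings, so a call site that swaps two of them still compiles; grouping the tapper settings into one options struct would make the next addition safer. The `Debugf` line that follows the signature also says nothing about the new parameter, so a daemon set applied with redaction switched off leaves no trace in the CLI log. A nil-safe line such as `logger.Log.Debugf("Tapper redaction disabled: %v", mizuApiFilteringOptions != nil && mizuApiFilteringOptions.DisableRedaction)` would make that state auditable. The function body continues outside this hunk.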
@@ -588,6 +588,11 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac
 return err
 }
+ marshaledFilteringOptions, err := json.Marshal(mizuApiFilteringOptions)
+ if err != nil {
+ return err
+ }
+
 mizuCmd := []string{
 "./mizuagent",
 "-i", "any",
@@ -606,6 +611,7 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac
 applyconfcore.EnvVar().WithName(shared.HostModeEnvVar).WithValue("1"),
 applyconfcore.EnvVar().WithName(shared.TappedAddressesPerNodeDictEnvVar).WithValue(string(nodeToTappedPodIPMapJsonStr)),
 applyconfcore.EnvVar().WithName(shared.GoGCEnvVar).WithValue("12800"),
+ applyconfcore.EnvVar().WithName(shared.MizuFilteringOptionsEnvVar).WithValue(string(marshaledFilteringOptions)),
 )
 agentContainer.WithEnv(
 applyconfcore.EnvVar().WithName(shared.NodeNameEnvVar).WithValueFrom(
diff --git a/tap/extensions/http/handlers.go b/tap/extensions/http/handlers.go
index e29b8dd58..7c71d7691 100644
--- a/tap/extensions/http/handlers.go
+++ b/tap/extensions/http/handlers.go
@@ -14,7 +14,9 @@ import (
 )
 func filterAndEmit(item *api.OutputChannelItem, emitter api.Emitter, options *api.TrafficFilteringOptions) {
- FilterSensitiveData(item, options)
+ if !options.DisableRedaction {
+ FilterSensitiveData(item, options)
+ }
 emitter.Emit(item)
 }
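Review bot: A nil `mizuApiFilteringOptions` is marshalled by `json.Marshal` to the literal `null` without an error, so the `err != nil` check added in the `@@ -588` hunk never catches it and the tapper would receive `null` in `shared.MizuFilteringOptionsEnvVar` (set in the `@@ -606` hunk). How the tapper decodes that value is outside this patch, but the consumer in `tap/extensions/http/handlers.go` dereferences the options unconditionally. A guard before the marshal, `if mizuApiFilteringOptions == nil { return fmt.Errorf("nil traffic filtering options") }`, would reject it on the CLI side, assuming `fmt` is imported in provider.go. The bare `return err` would also be easier to trace as `return fmt.Errorf("marshalling filtering options: %w", err)`.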
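Review bot: `options.DisableRedaction` is read without a nil check in `filterAndEmit`, so a nil `options` now panics before anything is emitted, whereas before this change the pointer was only passed on to `FilterSensitiveData`. In this function the flag alone decides whether an item reaches `emitter.Emit` unredacted, so the safer default is to redact whenever the options are missing: `if options == nil || !options.DisableRedaction {`. That keeps the pre-change call for the nil case and makes skipping redaction require an explicit `DisableRedaction: true`. A short doc comment on `filterAndEmit` stating that redaction is skipped only on that flag would help the next reader.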