From 8e20ca797b29a692c8eb0c0a5be3776e7564054c Mon Sep 17 00:00:00 2001 From: RoyUP9 <87927115+RoyUP9@users.noreply.github.com> Date: Wed, 5 Jan 2022 11:15:42 +0200 Subject: [PATCH] Added endpoint for getting tapped namespaces (#587) --- agent/pkg/controllers/config_controller.go | 49 +++++++++------ cli/cmd/installRunner.go | 6 +- cli/resources/createResources.go | 17 ++---- shared/kubernetes/provider.go | 71 ++++++++++++---------- 4 files changed, 81 insertions(+), 62 deletions(-) diff --git a/agent/pkg/controllers/config_controller.go b/agent/pkg/controllers/config_controller.go index 922c4c54c..11c931bb8 100644 --- a/agent/pkg/controllers/config_controller.go +++ b/agent/pkg/controllers/config_controller.go @@ -16,9 +16,8 @@ import ( "time" ) -var globalTapConfig *models.TapConfig +var globalTapConfig = &models.TapConfig{} var cancelTapperSyncer context.CancelFunc -var kubernetesProvider *kubernetes.Provider func PostTapConfig(c *gin.Context) { tapConfig := &models.TapConfig{} @@ -37,17 +36,6 @@ func PostTapConfig(c *gin.Context) { broadcastTappedPodsStatus() } - if kubernetesProvider == nil { - var err error - kubernetesProvider, err = kubernetes.NewProviderInCluster() - if err != nil { - c.JSON(http.StatusBadRequest, err) - return - } - } - - ctx, cancel := context.WithCancel(context.Background()) - var tappedNamespaces []string for namespace, tapped := range tapConfig.TappedNamespaces { if tapped { 
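Review bot: `var globalTapConfig = &models.TapConfig{}` leaves `TappedNamespaces` as a nil map, and the new GetTapConfig (hunk `@@ -70,11 +64,30 @@`) assigns into it, so a GET that arrives before a successful POST panics with an assignment to a nil map (gin's recovery middleware, if installed, turns that into a 500). Assuming the field is `map[string]bool`, as the `for namespace, tapped := range` loop suggests, initializing it at declaration avoids the first failure: `var globalTapConfig = &models.TapConfig{TappedNamespaces: map[string]bool{}}`. If PostTapConfig stores the decoded request body as the new globalTapConfig (that assignment is outside the hunk), a body without the field reintroduces a nil map, so GetTapConfig should also only read from the map rather than write into it.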
@@ -57,8 +45,14 @@ func PostTapConfig(c *gin.Context) { podRegex, _ := regexp.Compile(".*") - if _, err := startMizuTapperSyncer(ctx, kubernetesProvider, tappedNamespaces, *podRegex, []string{} , tapApi.TrafficFilteringOptions{}, false); err != nil { - c.JSON(http.StatusBadRequest, err) + kubernetesProvider, err := kubernetes.NewProviderInCluster() + if err != nil { + c.JSON(http.StatusInternalServerError, err) + return + } + ctx, cancel := context.WithCancel(context.Background()) + if _, err := startMizuTapperSyncer(ctx, kubernetesProvider, tappedNamespaces, *podRegex, []string{}, tapApi.TrafficFilteringOptions{}, false); err != nil { + c.JSON(http.StatusInternalServerError, err) cancel() return } @@ -70,11 +64,30 @@ func PostTapConfig(c *gin.Context) { } func GetTapConfig(c *gin.Context) { - if globalTapConfig != nil { - c.JSON(http.StatusOK, globalTapConfig) + kubernetesProvider, err := kubernetes.NewProviderInCluster() + if err != nil { + c.JSON(http.StatusInternalServerError, err) + return + } + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + namespaces, err := kubernetesProvider.ListAllNamespaces(ctx) + if err != nil { + c.JSON(http.StatusInternalServerError, err) + return } - c.JSON(http.StatusBadRequest, "Not config found") + for _, namespace := range namespaces { + if namespace.Name == config.Config.MizuResourcesNamespace { + continue + } + + if _, ok := globalTapConfig.TappedNamespaces[namespace.Name]; !ok { + globalTapConfig.TappedNamespaces[namespace.Name] = false + } + } + + c.JSON(http.StatusOK, globalTapConfig) } func startMizuTapperSyncer(ctx context.Context, provider *kubernetes.Provider, targetNamespaces []string, podFilterRegex regexp.Regexp, ignoredUserAgents []string, mizuApiFilteringOptions tapApi.TrafficFilteringOptions, istio bool) (*kubernetes.MizuTapperSyncer, error) { diff --git a/cli/cmd/installRunner.go b/cli/cmd/installRunner.go index 962d32098..5062fd557 100644 --- a/cli/cmd/installRunner.go 
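Review bot: `c.JSON(http.StatusInternalServerError, err)` in this hunk, and twice more in GetTapConfig (`@@ -70,11 +64,30 @@`), marshals the error value itself; most error types encode as `{}`, while types with exported fields (such as the `k8serrors.StatusError` the CLI inspects in cli/cmd/installRunner.go) put API-server detail into the response body. Log the error on the server side and answer with a fixed message, e.g. `c.JSON(http.StatusInternalServerError, gin.H{"error": "could not create kubernetes provider"})`. Calling `kubernetes.NewProviderInCluster()` on every request also drops the caching the removed package-level `kubernetesProvider` gave; a provider created once (for instance under a `sync.Once`) would serve both handlers with one client set. PostTapConfig's body continues outside the hunk.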
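Review bot: GetTapConfig writes into `globalTapConfig.TappedNamespaces` with no synchronization while PostTapConfig reads, and presumably replaces (the assignment is outside the hunk), the same package-level value; gin serves handlers concurrently, so a GET racing a POST or another GET is a data race, and a read endpoint ends up mutating server state. Build the response from a local map instead and leave the global untouched, which also removes the nil-map write; the remaining read of the global still wants a mutex shared with PostTapConfig. The rewrite below only reports namespaces that currently exist, whereas the hunk also keeps stale entries from earlier POSTs, and if `models.TapConfig` carries fields beyond `TappedNamespaces` they need copying too. Note as well that listing namespaces needs the `namespaces` RBAC resource, which cli/resources/createResources.go grants only in install mode, so under the tap-mode service account this endpoint will be refused by the API server (hedged, since the tap-mode role rules are outside this hunk).
```go
	// … unchanged: provider creation, ListAllNamespaces call and its error handling …
	tapped := make(map[string]bool, len(namespaces))
	for _, namespace := range namespaces {
		if namespace.Name == config.Config.MizuResourcesNamespace {
			continue
		}
		// reading a nil map is safe, so this also works before the first POST
		tapped[namespace.Name] = globalTapConfig.TappedNamespaces[namespace.Name]
	}

	c.JSON(http.StatusOK, &models.TapConfig{TappedNamespaces: tapped})
```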
+++ b/cli/cmd/installRunner.go @@ -39,7 +39,11 @@ func runMizuInstall() { return } - if err = resources.CreateInstallMizuResources(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, config.Config.IsNsRestrictedMode(), config.Config.MizuResourcesNamespace, config.Config.AgentImage, nil, defaultMaxEntriesDBSizeBytes, defaultResources, config.Config.ImagePullPolicy(), config.Config.LogLevel(), false); err != nil { + if err = resources.CreateInstallMizuResources(ctx, kubernetesProvider, serializedValidationRules, + serializedContract, serializedMizuConfig, config.Config.IsNsRestrictedMode(), + config.Config.MizuResourcesNamespace, config.Config.AgentImage, + nil, defaultMaxEntriesDBSizeBytes, defaultResources, config.Config.ImagePullPolicy(), + config.Config.LogLevel(), false); err != nil { var statusError *k8serrors.StatusError if errors.As(err, &statusError) { if statusError.ErrStatus.Reason == metav1.StatusReasonAlreadyExists { diff --git a/cli/resources/createResources.go b/cli/resources/createResources.go index 80af4a513..852b08f6c 100644 --- a/cli/resources/createResources.go +++ b/cli/resources/createResources.go @@ -25,7 +25,7 @@ func CreateTapMizuResources(ctx context.Context, kubernetesProvider *kubernetes. logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to create resources required for policy validation. Mizu will not validate policy rules. error: %v", errormessage.FormatError(err))) } - mizuServiceAccountExists, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace) + mizuServiceAccountExists, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace, []string{"pods", "services", "endpoints"}) if err != nil { logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to ensure the resources required for IP resolving. Mizu will not resolve target IPs to names. error: %v", errormessage.FormatError(err))) } 
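Review bot: the resource list is spelled as a literal at this call and again, with `namespaces` appended, in CreateInstallMizuResources (`@@ -65,19 +65,12 @@`), so the two RBAC grants can drift without anyone noticing. Naming them once at package level keeps the difference between the modes reviewable in one place: `var tapRBACResources = []string{"pods", "services", "endpoints"}` and `var installRBACResources = []string{"pods", "services", "endpoints", "namespaces"}`. A comment next to the install list saying that `namespaces` exists only for the agent's tapped-namespaces endpoint would also make the cluster-wide grant easier to justify in a later least-privilege review.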
@@ -65,19 +65,12 @@ func CreateTapMizuResources(ctx context.Context, kubernetesProvider *kubernetes. } func CreateInstallMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, serializedValidationRules string, serializedContract string, serializedMizuConfig string, isNsRestrictedMode bool, mizuResourcesNamespace string, agentImage string, syncEntriesConfig *shared.SyncEntriesConfig, maxEntriesDBSizeBytes int64, apiServerResources shared.Resources, imagePullPolicy core.PullPolicy, logLevel logging.Level, noPersistentVolumeClaim bool) error { - if !isNsRestrictedMode { - if err := createMizuNamespace(ctx, kubernetesProvider, mizuResourcesNamespace); err != nil { - return err - } - logger.Log.Infof("Created mizu namespace") - } - if err := createMizuConfigmap(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, mizuResourcesNamespace); err != nil { return err } logger.Log.Infof("Created config map") - _, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace) + _, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace, []string{"pods", "services", "endpoints", "namespaces"}) if err != nil { return err } 
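Review bot: CreateInstallMizuResources no longer creates the mizu namespace in non-restricted mode, yet the next call, createMizuConfigmap, still targets `mizuResourcesNamespace`; unless namespace creation moved to a caller this diff does not show, a fresh install now fails on a missing namespace. The commit subject does not mention the removal, so a sentence in the description, or a comment on the function stating that the namespace is expected to exist before it is called, would help the next reader. The function body continues outside the hunk.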
@@ -124,9 +117,9 @@ func createMizuConfigmap(ctx context.Context, kubernetesProvider *kubernetes.Pro return err } -func createRBACIfNecessary(ctx context.Context, kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, mizuResourcesNamespace string) (bool, error) { +func createRBACIfNecessary(ctx context.Context, kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, mizuResourcesNamespace string, resources []string) (bool, error) { if !isNsRestrictedMode { - if err := kubernetesProvider.CreateMizuRBAC(ctx, mizuResourcesNamespace, kubernetes.ServiceAccountName, kubernetes.ClusterRoleName, kubernetes.ClusterRoleBindingName, mizu.RBACVersion); err != nil { + if err := kubernetesProvider.CreateMizuRBAC(ctx, mizuResourcesNamespace, kubernetes.ServiceAccountName, kubernetes.ClusterRoleName, kubernetes.ClusterRoleBindingName, mizu.RBACVersion, resources); err != nil { return false, err } } else { @@ -176,7 +169,7 @@ func tryToCreatePersistentVolumeClaim(ctx context.Context, kubernetesProvider *k return false } - if _, err = kubernetesProvider.CreatePersistentVolumeClaim(ctx, opts.Namespace, kubernetes.PersistentVolumeClaimName, opts.MaxEntriesDBSizeBytes + mizu.InstallModePersistentVolumeSizeBufferBytes); err != nil { + if _, err = kubernetesProvider.CreatePersistentVolumeClaim(ctx, opts.Namespace, kubernetes.PersistentVolumeClaimName, opts.MaxEntriesDBSizeBytes+mizu.InstallModePersistentVolumeSizeBufferBytes); err != nil { logger.Log.Warningf(uiUtils.Yellow, "An error has occured while creating a persistent volume claim for mizu, this means mizu data will be lost on mizu-api-server pod restart") logger.Log.Debugf("error creating persistent volume claim: %v", err) return false diff --git a/shared/kubernetes/provider.go b/shared/kubernetes/provider.go index d0a28cc48..44827da78 100644 --- a/shared/kubernetes/provider.go +++ b/shared/kubernetes/provider.go 
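Review bot: the new `resources` parameter is only forwarded in the non-restricted branch; the `else` branch (outside the hunk) calls CreateMizuRBACNamespaceRestricted, whose signature in shared/kubernetes/provider.go is unchanged, so in namespace-restricted install mode the `namespaces` permission requested by CreateInstallMizuResources is never granted and the agent's new namespace listing will be refused. A namespaced Role cannot grant a cluster-scoped namespace list anyway, so the restricted path needs either a different source for the namespace set or a documented degraded behaviour. At minimum state the limitation on the parameter: `// resources names the API resources granted list/get/watch; it is only honoured when isNsRestrictedMode is false.`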
@@ -43,8 +43,8 @@ type Provider struct { kubernetesConfig clientcmd.ClientConfig clientConfig restclient.Config Namespace string - managedBy string - createdBy string + managedBy string + createdBy string } const ( @@ -252,9 +252,9 @@ func (provider *Provider) GetMizuApiServerPodObject(opts *ApiServerOptions, moun pod := &core.Pod{ ObjectMeta: metav1.ObjectMeta{ - Name: opts.PodName, + Name: opts.PodName, Labels: map[string]string{ - "app": opts.PodName, + "app": opts.PodName, LabelManagedBy: provider.managedBy, LabelCreatedBy: provider.createdBy, }, 
@@ -369,41 +369,41 @@ func (provider *Provider) doesResourceExist(resource interface{}, err error) (bo return resource != nil, nil } -func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string, serviceAccountName string, clusterRoleName string, clusterRoleBindingName string, version string) error { +func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string, serviceAccountName string, clusterRoleName string, clusterRoleBindingName string, version string, resources []string) error { serviceAccount := &core.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ - Name: serviceAccountName, + Name: serviceAccountName, Labels: map[string]string{ "mizu-cli-version": version, - LabelManagedBy: provider.managedBy, - LabelCreatedBy: provider.createdBy, + LabelManagedBy: provider.managedBy, + LabelCreatedBy: provider.createdBy, }, }, } clusterRole := &rbac.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ - Name: clusterRoleName, + Name: clusterRoleName, Labels: map[string]string{ "mizu-cli-version": version, - LabelManagedBy: provider.managedBy, - LabelCreatedBy: provider.createdBy, + LabelManagedBy: provider.managedBy, + LabelCreatedBy: provider.createdBy, }, }, Rules: []rbac.PolicyRule{ { APIGroups: []string{"", "extensions", "apps"}, - Resources: []string{"pods", "services", "endpoints"}, + Resources: resources, Verbs: []string{"list", "get", "watch"}, }, }, } clusterRoleBinding := &rbac.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ - Name: clusterRoleBindingName, + Name: clusterRoleBindingName, Labels: map[string]string{ "mizu-cli-version": version, - LabelManagedBy: provider.managedBy, - LabelCreatedBy: provider.createdBy, + LabelManagedBy: provider.managedBy, + LabelCreatedBy: provider.createdBy, }, }, RoleRef: rbac.RoleRef{ 
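Review bot: CreateMizuRBAC is exported and gains a `resources` parameter but carries no doc comment, and nothing validates the argument; an empty or nil slice produces a PolicyRule that grants nothing, and the rule's `APIGroups` of `"", "extensions", "apps"` now apply to whatever the caller passes. A short comment would do: `// CreateMizuRBAC creates the service account, cluster role and binding; resources lists the API resources the role may list, get and watch.` An early error return for an empty `resources` slice would turn a silent no-op grant into a visible failure. The method body continues outside the hunk.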
@@ -437,21 +437,21 @@ func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string, func (provider *Provider) CreateMizuRBACNamespaceRestricted(ctx context.Context, namespace string, serviceAccountName string, roleName string, roleBindingName string, version string) error { serviceAccount := &core.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ - Name: serviceAccountName, + Name: serviceAccountName, Labels: map[string]string{ "mizu-cli-version": version, - LabelManagedBy: provider.managedBy, - LabelCreatedBy: provider.createdBy, + LabelManagedBy: provider.managedBy, + LabelCreatedBy: provider.createdBy, }, }, } role := &rbac.Role{ ObjectMeta: metav1.ObjectMeta{ - Name: roleName, + Name: roleName, Labels: map[string]string{ "mizu-cli-version": version, - LabelManagedBy: provider.managedBy, - LabelCreatedBy: provider.createdBy, + LabelManagedBy: provider.managedBy, + LabelCreatedBy: provider.createdBy, }, }, Rules: []rbac.PolicyRule{ @@ -464,11 +464,11 @@ func (provider *Provider) CreateMizuRBACNamespaceRestricted(ctx context.Context, } roleBinding := &rbac.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ - Name: roleBindingName, + Name: roleBindingName, Labels: map[string]string{ "mizu-cli-version": version, - LabelManagedBy: provider.managedBy, - LabelCreatedBy: provider.createdBy, + LabelManagedBy: provider.managedBy, + LabelCreatedBy: provider.createdBy, }, }, RoleRef: rbac.RoleRef{ 
@@ -502,11 +502,11 @@ func (provider *Provider) CreateMizuRBACNamespaceRestricted(ctx context.Context, func (provider *Provider) CreateDaemonsetRBAC(ctx context.Context, namespace string, serviceAccountName string, roleName string, roleBindingName string, version string) error { role := &rbac.Role{ ObjectMeta: metav1.ObjectMeta{ - Name: roleName, + Name: roleName, Labels: map[string]string{ "mizu-cli-version": version, - LabelManagedBy: provider.managedBy, - LabelCreatedBy: provider.createdBy, + LabelManagedBy: provider.managedBy, + LabelCreatedBy: provider.createdBy, }, }, Rules: []rbac.PolicyRule{ @@ -524,11 +524,11 @@ func (provider *Provider) CreateDaemonsetRBAC(ctx context.Context, namespace str } roleBinding := &rbac.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ - Name: roleBindingName, + Name: roleBindingName, Labels: map[string]string{ "mizu-cli-version": version, - LabelManagedBy: provider.managedBy, - LabelCreatedBy: provider.createdBy, + LabelManagedBy: provider.managedBy, + LabelCreatedBy: provider.createdBy, }, }, RoleRef: rbac.RoleRef{ @@ -805,7 +805,7 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac podTemplate := applyconfcore.PodTemplateSpec() podTemplate.WithLabels(map[string]string{ - "app": tapperPodName, + "app": tapperPodName, LabelManagedBy: provider.managedBy, LabelCreatedBy: provider.createdBy, }) @@ -869,6 +869,15 @@ func (provider *Provider) ListAllRunningPodsMatchingRegex(ctx context.Context, r return matchingPods, nil } +func (provider *Provider) ListAllNamespaces(ctx context.Context) ([]core.Namespace, error) { + namespaces, err := provider.clientSet.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) + if err != nil { + return nil, err + } + + return namespaces.Items, err +} + func (provider *Provider) GetPodLogs(ctx context.Context, namespace string, podName string) (string, error) { podLogOpts := core.PodLogOptions{} req := provider.clientSet.CoreV1().Pods(namespace).GetLogs(podName, &podLogOpts)
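Review bot: ListAllNamespaces returns `namespaces.Items, err` on the success path, where `err` is already known to be nil; `return namespaces.Items, nil` says what is meant. The exported method also lacks a doc comment, e.g. `// ListAllNamespaces returns every namespace visible to the provider's client set.` The list uses `metav1.ListOptions{}` with no `Limit`, so every namespace comes back in one response; that is fine for the agent's use, but worth a comment if very large clusters are expected.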