github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-06-22 06:18:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added endpoint for getting tapped namespaces (#587)

Browse Source
This commit is contained in:
RoyUP9 2022-01-05 11:15:42 +02:00 committed by GitHub
parent bf68689212
commit 8e20ca797b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 81 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
agent/pkg/controllers/config_controller.go
View File

@ -16,9 +16,8 @@ import (
"time" "time"
) )
var globalTapConfig *models.TapConfig var globalTapConfig = &models.TapConfig{}
var cancelTapperSyncer context.CancelFunc var cancelTapperSyncer context.CancelFunc
var kubernetesProvider *kubernetes.Provider
func PostTapConfig(c *gin.Context) { func PostTapConfig(c *gin.Context) {
tapConfig := &models.TapConfig{} tapConfig := &models.TapConfig{}
@ -37,17 +36,6 @@ func PostTapConfig(c *gin.Context) {
broadcastTappedPodsStatus() broadcastTappedPodsStatus()
} }
if kubernetesProvider == nil {
var err error
kubernetesProvider, err = kubernetes.NewProviderInCluster()
if err != nil {
c.JSON(http.StatusBadRequest, err)
return
}
}
ctx, cancel := context.WithCancel(context.Background())
var tappedNamespaces []string var tappedNamespaces []string
for namespace, tapped := range tapConfig.TappedNamespaces { for namespace, tapped := range tapConfig.TappedNamespaces {
if tapped { if tapped {
@ -57,8 +45,14 @@ func PostTapConfig(c *gin.Context) {
podRegex, _ := regexp.Compile(".*") podRegex, _ := regexp.Compile(".*")
kubernetesProvider, err := kubernetes.NewProviderInCluster()
if err != nil {
c.JSON(http.StatusInternalServerError, err)
return
}
ctx, cancel := context.WithCancel(context.Background())
if _, err := startMizuTapperSyncer(ctx, kubernetesProvider, tappedNamespaces, *podRegex, []string{}, tapApi.TrafficFilteringOptions{}, false); err != nil { if _, err := startMizuTapperSyncer(ctx, kubernetesProvider, tappedNamespaces, *podRegex, []string{}, tapApi.TrafficFilteringOptions{}, false); err != nil {
c.JSON(http.StatusBadRequest, err) c.JSON(http.StatusInternalServerError, err)
cancel() cancel()
return return
} }
@ -70,11 +64,30 @@ func PostTapConfig(c *gin.Context) {
} }
func GetTapConfig(c *gin.Context) { func GetTapConfig(c *gin.Context) {
if globalTapConfig != nil { kubernetesProvider, err := kubernetes.NewProviderInCluster()
c.JSON(http.StatusOK, globalTapConfig) if err != nil {
c.JSON(http.StatusInternalServerError, err)
return
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
namespaces, err := kubernetesProvider.ListAllNamespaces(ctx)
if err != nil {
c.JSON(http.StatusInternalServerError, err)
return
} }
c.JSON(http.StatusBadRequest, "Not config found") for _, namespace := range namespaces {
if namespace.Name == config.Config.MizuResourcesNamespace {
continue
}
if _, ok := globalTapConfig.TappedNamespaces[namespace.Name]; !ok {
globalTapConfig.TappedNamespaces[namespace.Name] = false
}
}
c.JSON(http.StatusOK, globalTapConfig)
} }
func startMizuTapperSyncer(ctx context.Context, provider *kubernetes.Provider, targetNamespaces []string, podFilterRegex regexp.Regexp, ignoredUserAgents []string, mizuApiFilteringOptions tapApi.TrafficFilteringOptions, istio bool) (*kubernetes.MizuTapperSyncer, error) { func startMizuTapperSyncer(ctx context.Context, provider *kubernetes.Provider, targetNamespaces []string, podFilterRegex regexp.Regexp, ignoredUserAgents []string, mizuApiFilteringOptions tapApi.TrafficFilteringOptions, istio bool) (*kubernetes.MizuTapperSyncer, error) {

6
cli/cmd/installRunner.go
View File

@ -39,7 +39,11 @@ func runMizuInstall() {
return return
} }
if err = resources.CreateInstallMizuResources(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, config.Config.IsNsRestrictedMode(), config.Config.MizuResourcesNamespace, config.Config.AgentImage, nil, defaultMaxEntriesDBSizeBytes, defaultResources, config.Config.ImagePullPolicy(), config.Config.LogLevel(), false); err != nil { if err = resources.CreateInstallMizuResources(ctx, kubernetesProvider, serializedValidationRules,
serializedContract, serializedMizuConfig, config.Config.IsNsRestrictedMode(),
config.Config.MizuResourcesNamespace, config.Config.AgentImage,
nil, defaultMaxEntriesDBSizeBytes, defaultResources, config.Config.ImagePullPolicy(),
config.Config.LogLevel(), false); err != nil {
var statusError *k8serrors.StatusError var statusError *k8serrors.StatusError
if errors.As(err, &statusError) { if errors.As(err, &statusError) {
if statusError.ErrStatus.Reason == metav1.StatusReasonAlreadyExists { if statusError.ErrStatus.Reason == metav1.StatusReasonAlreadyExists {

15
cli/resources/createResources.go
View File

@ -25,7 +25,7 @@ func CreateTapMizuResources(ctx context.Context, kubernetesProvider *kubernetes.
logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to create resources required for policy validation. Mizu will not validate policy rules. error: %v", errormessage.FormatError(err))) logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to create resources required for policy validation. Mizu will not validate policy rules. error: %v", errormessage.FormatError(err)))
} }
mizuServiceAccountExists, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace) mizuServiceAccountExists, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace, []string{"pods", "services", "endpoints"})
if err != nil { if err != nil {
logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to ensure the resources required for IP resolving. Mizu will not resolve target IPs to names. error: %v", errormessage.FormatError(err))) logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to ensure the resources required for IP resolving. Mizu will not resolve target IPs to names. error: %v", errormessage.FormatError(err)))
} }
@ -65,19 +65,12 @@ func CreateTapMizuResources(ctx context.Context, kubernetesProvider *kubernetes.
} }
func CreateInstallMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, serializedValidationRules string, serializedContract string, serializedMizuConfig string, isNsRestrictedMode bool, mizuResourcesNamespace string, agentImage string, syncEntriesConfig *shared.SyncEntriesConfig, maxEntriesDBSizeBytes int64, apiServerResources shared.Resources, imagePullPolicy core.PullPolicy, logLevel logging.Level, noPersistentVolumeClaim bool) error { func CreateInstallMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, serializedValidationRules string, serializedContract string, serializedMizuConfig string, isNsRestrictedMode bool, mizuResourcesNamespace string, agentImage string, syncEntriesConfig *shared.SyncEntriesConfig, maxEntriesDBSizeBytes int64, apiServerResources shared.Resources, imagePullPolicy core.PullPolicy, logLevel logging.Level, noPersistentVolumeClaim bool) error {
if !isNsRestrictedMode {
if err := createMizuNamespace(ctx, kubernetesProvider, mizuResourcesNamespace); err != nil {
return err
}
logger.Log.Infof("Created mizu namespace")
}
if err := createMizuConfigmap(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, mizuResourcesNamespace); err != nil { if err := createMizuConfigmap(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, mizuResourcesNamespace); err != nil {
return err return err
} }
logger.Log.Infof("Created config map") logger.Log.Infof("Created config map")
_, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace) _, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace, []string{"pods", "services", "endpoints", "namespaces"})
if err != nil { if err != nil {
return err return err
} }
@ -124,9 +117,9 @@ func createMizuConfigmap(ctx context.Context, kubernetesProvider *kubernetes.Pro
return err return err
} }
func createRBACIfNecessary(ctx context.Context, kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, mizuResourcesNamespace string) (bool, error) { func createRBACIfNecessary(ctx context.Context, kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, mizuResourcesNamespace string, resources []string) (bool, error) {
if !isNsRestrictedMode { if !isNsRestrictedMode {
if err := kubernetesProvider.CreateMizuRBAC(ctx, mizuResourcesNamespace, kubernetes.ServiceAccountName, kubernetes.ClusterRoleName, kubernetes.ClusterRoleBindingName, mizu.RBACVersion); err != nil { if err := kubernetesProvider.CreateMizuRBAC(ctx, mizuResourcesNamespace, kubernetes.ServiceAccountName, kubernetes.ClusterRoleName, kubernetes.ClusterRoleBindingName, mizu.RBACVersion, resources); err != nil {
return false, err return false, err
} }
} else { } else {

13
shared/kubernetes/provider.go
View File

@ -369,7 +369,7 @@ func (provider *Provider) doesResourceExist(resource interface{}, err error) (bo
return resource != nil, nil return resource != nil, nil
} }
func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string, serviceAccountName string, clusterRoleName string, clusterRoleBindingName string, version string) error { func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string, serviceAccountName string, clusterRoleName string, clusterRoleBindingName string, version string, resources []string) error {
serviceAccount := &core.ServiceAccount{ serviceAccount := &core.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: serviceAccountName, Name: serviceAccountName,
@ -392,7 +392,7 @@ func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string,
Rules: []rbac.PolicyRule{ Rules: []rbac.PolicyRule{
{ {
APIGroups: []string{"", "extensions", "apps"}, APIGroups: []string{"", "extensions", "apps"},
Resources: []string{"pods", "services", "endpoints"}, Resources: resources,
Verbs: []string{"list", "get", "watch"}, Verbs: []string{"list", "get", "watch"},
}, },
}, },
@ -869,6 +869,15 @@ func (provider *Provider) ListAllRunningPodsMatchingRegex(ctx context.Context, r
return matchingPods, nil return matchingPods, nil
} }
func (provider *Provider) ListAllNamespaces(ctx context.Context) ([]core.Namespace, error) {
namespaces, err := provider.clientSet.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
if err != nil {
return nil, err
}
return namespaces.Items, err
}
func (provider *Provider) GetPodLogs(ctx context.Context, namespace string, podName string) (string, error) { func (provider *Provider) GetPodLogs(ctx context.Context, namespace string, podName string) (string, error) {
podLogOpts := core.PodLogOptions{} podLogOpts := core.PodLogOptions{}
req := provider.clientSet.CoreV1().Pods(namespace).GetLogs(podName, &podLogOpts) req := provider.clientSet.CoreV1().Pods(namespace).GetLogs(podName, &podLogOpts)