Added endpoint for getting tapped namespaces (#587)

This commit is contained in:
RoyUP9 2022-01-05 11:15:42 +02:00 committed by GitHub
parent bf68689212
commit 8e20ca797b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 81 additions and 62 deletions


@ -16,9 +16,8 @@ import (
"time" "time"
) )
var globalTapConfig *models.TapConfig var globalTapConfig = &models.TapConfig{}
var cancelTapperSyncer context.CancelFunc var cancelTapperSyncer context.CancelFunc
var kubernetesProvider *kubernetes.Provider
func PostTapConfig(c *gin.Context) { func PostTapConfig(c *gin.Context) {
tapConfig := &models.TapConfig{} tapConfig := &models.TapConfig{}
@ -37,17 +36,6 @@ func PostTapConfig(c *gin.Context) {
broadcastTappedPodsStatus() broadcastTappedPodsStatus()
} }
if kubernetesProvider == nil {
var err error
kubernetesProvider, err = kubernetes.NewProviderInCluster()
if err != nil {
c.JSON(http.StatusBadRequest, err)
return
}
}
ctx, cancel := context.WithCancel(context.Background())
var tappedNamespaces []string var tappedNamespaces []string
for namespace, tapped := range tapConfig.TappedNamespaces { for namespace, tapped := range tapConfig.TappedNamespaces {
if tapped { if tapped {
@ -57,8 +45,14 @@ func PostTapConfig(c *gin.Context) {
podRegex, _ := regexp.Compile(".*") podRegex, _ := regexp.Compile(".*")
if _, err := startMizuTapperSyncer(ctx, kubernetesProvider, tappedNamespaces, *podRegex, []string{} , tapApi.TrafficFilteringOptions{}, false); err != nil { kubernetesProvider, err := kubernetes.NewProviderInCluster()
c.JSON(http.StatusBadRequest, err) if err != nil {
c.JSON(http.StatusInternalServerError, err)
return
}
ctx, cancel := context.WithCancel(context.Background())
if _, err := startMizuTapperSyncer(ctx, kubernetesProvider, tappedNamespaces, *podRegex, []string{}, tapApi.TrafficFilteringOptions{}, false); err != nil {
c.JSON(http.StatusInternalServerError, err)
cancel() cancel()
return return
} }
@ -70,11 +64,30 @@ func PostTapConfig(c *gin.Context) {
} }
func GetTapConfig(c *gin.Context) { func GetTapConfig(c *gin.Context) {
if globalTapConfig != nil { kubernetesProvider, err := kubernetes.NewProviderInCluster()
c.JSON(http.StatusOK, globalTapConfig) if err != nil {
c.JSON(http.StatusInternalServerError, err)
return
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
namespaces, err := kubernetesProvider.ListAllNamespaces(ctx)
if err != nil {
c.JSON(http.StatusInternalServerError, err)
return
} }
c.JSON(http.StatusBadRequest, "Not config found") for _, namespace := range namespaces {
if namespace.Name == config.Config.MizuResourcesNamespace {
continue
}
if _, ok := globalTapConfig.TappedNamespaces[namespace.Name]; !ok {
globalTapConfig.TappedNamespaces[namespace.Name] = false
}
}
c.JSON(http.StatusOK, globalTapConfig)
} }
func startMizuTapperSyncer(ctx context.Context, provider *kubernetes.Provider, targetNamespaces []string, podFilterRegex regexp.Regexp, ignoredUserAgents []string, mizuApiFilteringOptions tapApi.TrafficFilteringOptions, istio bool) (*kubernetes.MizuTapperSyncer, error) { func startMizuTapperSyncer(ctx context.Context, provider *kubernetes.Provider, targetNamespaces []string, podFilterRegex regexp.Regexp, ignoredUserAgents []string, mizuApiFilteringOptions tapApi.TrafficFilteringOptions, istio bool) (*kubernetes.MizuTapperSyncer, error) {
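Review bot: The loop at the end of `GetTapConfig` writes into `globalTapConfig.TappedNamespaces` on every GET, yet `globalTapConfig` is now initialised as `&models.TapConfig{}`, so unless `models.TapConfig` initialises that map itself the first GET before any POST panics with an assignment to a nil map. The same write also races with `PostTapConfig` and with concurrent GETs on a package-level map with no lock, which the runtime aborts as a fatal concurrent map write that gin's recovery middleware cannot catch. A read handler should not mutate shared state; I would guard `globalTapConfig` with a package-level `sync.Mutex` (declared next to it, with `sync` imported), initialise the map before the first write, and hold the lock through `c.JSON` so serialisation does not race either, as sketched below. Separately, `c.JSON(http.StatusInternalServerError, err)` hands a raw client-go error to the encoder, which serialises most error types as `{}` or echoes cluster-internal detail to the caller; log it server-side and return a fixed message instead. `PostTapConfig` spans several hunks and its assignment to `globalTapConfig` is outside this view, so the same lock would need to be taken there.
```go
	// … unchanged: provider creation, ctx/cancel, ListAllNamespaces and its error check …
	tapConfigMu.Lock()
	defer tapConfigMu.Unlock()
	// A fresh TapConfig has a nil map; initialise it before the first write.
	if globalTapConfig.TappedNamespaces == nil {
		globalTapConfig.TappedNamespaces = make(map[string]bool)
	}
	for _, namespace := range namespaces {
		// … unchanged: skip the mizu namespace, default unknown namespaces to false …
	}
	c.JSON(http.StatusOK, globalTapConfig)
```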


@ -39,7 +39,11 @@ func runMizuInstall() {
return return
} }
if err = resources.CreateInstallMizuResources(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, config.Config.IsNsRestrictedMode(), config.Config.MizuResourcesNamespace, config.Config.AgentImage, nil, defaultMaxEntriesDBSizeBytes, defaultResources, config.Config.ImagePullPolicy(), config.Config.LogLevel(), false); err != nil { if err = resources.CreateInstallMizuResources(ctx, kubernetesProvider, serializedValidationRules,
serializedContract, serializedMizuConfig, config.Config.IsNsRestrictedMode(),
config.Config.MizuResourcesNamespace, config.Config.AgentImage,
nil, defaultMaxEntriesDBSizeBytes, defaultResources, config.Config.ImagePullPolicy(),
config.Config.LogLevel(), false); err != nil {
var statusError *k8serrors.StatusError var statusError *k8serrors.StatusError
if errors.As(err, &statusError) { if errors.As(err, &statusError) {
if statusError.ErrStatus.Reason == metav1.StatusReasonAlreadyExists { if statusError.ErrStatus.Reason == metav1.StatusReasonAlreadyExists {


@ -25,7 +25,7 @@ func CreateTapMizuResources(ctx context.Context, kubernetesProvider *kubernetes.
logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to create resources required for policy validation. Mizu will not validate policy rules. error: %v", errormessage.FormatError(err))) logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to create resources required for policy validation. Mizu will not validate policy rules. error: %v", errormessage.FormatError(err)))
} }
mizuServiceAccountExists, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace) mizuServiceAccountExists, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace, []string{"pods", "services", "endpoints"})
if err != nil { if err != nil {
logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to ensure the resources required for IP resolving. Mizu will not resolve target IPs to names. error: %v", errormessage.FormatError(err))) logger.Log.Warningf(uiUtils.Warning, fmt.Sprintf("Failed to ensure the resources required for IP resolving. Mizu will not resolve target IPs to names. error: %v", errormessage.FormatError(err)))
} }
@ -65,19 +65,12 @@ func CreateTapMizuResources(ctx context.Context, kubernetesProvider *kubernetes.
} }
func CreateInstallMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, serializedValidationRules string, serializedContract string, serializedMizuConfig string, isNsRestrictedMode bool, mizuResourcesNamespace string, agentImage string, syncEntriesConfig *shared.SyncEntriesConfig, maxEntriesDBSizeBytes int64, apiServerResources shared.Resources, imagePullPolicy core.PullPolicy, logLevel logging.Level, noPersistentVolumeClaim bool) error { func CreateInstallMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, serializedValidationRules string, serializedContract string, serializedMizuConfig string, isNsRestrictedMode bool, mizuResourcesNamespace string, agentImage string, syncEntriesConfig *shared.SyncEntriesConfig, maxEntriesDBSizeBytes int64, apiServerResources shared.Resources, imagePullPolicy core.PullPolicy, logLevel logging.Level, noPersistentVolumeClaim bool) error {
if !isNsRestrictedMode {
if err := createMizuNamespace(ctx, kubernetesProvider, mizuResourcesNamespace); err != nil {
return err
}
logger.Log.Infof("Created mizu namespace")
}
if err := createMizuConfigmap(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, mizuResourcesNamespace); err != nil { if err := createMizuConfigmap(ctx, kubernetesProvider, serializedValidationRules, serializedContract, serializedMizuConfig, mizuResourcesNamespace); err != nil {
return err return err
} }
logger.Log.Infof("Created config map") logger.Log.Infof("Created config map")
_, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace) _, err := createRBACIfNecessary(ctx, kubernetesProvider, isNsRestrictedMode, mizuResourcesNamespace, []string{"pods", "services", "endpoints", "namespaces"})
if err != nil { if err != nil {
return err return err
} }
@ -124,9 +117,9 @@ func createMizuConfigmap(ctx context.Context, kubernetesProvider *kubernetes.Pro
return err return err
} }
func createRBACIfNecessary(ctx context.Context, kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, mizuResourcesNamespace string) (bool, error) { func createRBACIfNecessary(ctx context.Context, kubernetesProvider *kubernetes.Provider, isNsRestrictedMode bool, mizuResourcesNamespace string, resources []string) (bool, error) {
if !isNsRestrictedMode { if !isNsRestrictedMode {
if err := kubernetesProvider.CreateMizuRBAC(ctx, mizuResourcesNamespace, kubernetes.ServiceAccountName, kubernetes.ClusterRoleName, kubernetes.ClusterRoleBindingName, mizu.RBACVersion); err != nil { if err := kubernetesProvider.CreateMizuRBAC(ctx, mizuResourcesNamespace, kubernetes.ServiceAccountName, kubernetes.ClusterRoleName, kubernetes.ClusterRoleBindingName, mizu.RBACVersion, resources); err != nil {
return false, err return false, err
} }
} else { } else {
@ -176,7 +169,7 @@ func tryToCreatePersistentVolumeClaim(ctx context.Context, kubernetesProvider *k
return false return false
} }
if _, err = kubernetesProvider.CreatePersistentVolumeClaim(ctx, opts.Namespace, kubernetes.PersistentVolumeClaimName, opts.MaxEntriesDBSizeBytes + mizu.InstallModePersistentVolumeSizeBufferBytes); err != nil { if _, err = kubernetesProvider.CreatePersistentVolumeClaim(ctx, opts.Namespace, kubernetes.PersistentVolumeClaimName, opts.MaxEntriesDBSizeBytes+mizu.InstallModePersistentVolumeSizeBufferBytes); err != nil {
logger.Log.Warningf(uiUtils.Yellow, "An error has occured while creating a persistent volume claim for mizu, this means mizu data will be lost on mizu-api-server pod restart") logger.Log.Warningf(uiUtils.Yellow, "An error has occured while creating a persistent volume claim for mizu, this means mizu data will be lost on mizu-api-server pod restart")
logger.Log.Debugf("error creating persistent volume claim: %v", err) logger.Log.Debugf("error creating persistent volume claim: %v", err)
return false return false
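Review bot: The new `resources` parameter of `createRBACIfNecessary` is only forwarded on the `!isNsRestrictedMode` branch; the `else` branch (cut off by the hunk) still calls the namespace-restricted variant with no resource list, so the `"namespaces"` entry that `CreateInstallMizuResources` now requests is silently dropped in namespace-restricted installs. Since `namespaces` is cluster-scoped and a namespaced Role cannot grant listing it anyway, the namespace-listing endpoint this commit adds will presumably get a 403 in that mode — verify against the restricted branch, which is not visible here. At minimum document the asymmetry on the function: `// resources is applied only to the cluster-wide ClusterRole; in namespace-restricted mode the Role keeps its fixed rule set and cluster-scoped resources such as namespaces cannot be granted.` Better, return an error or log a warning when `isNsRestrictedMode` is set and `resources` contains a cluster-scoped resource, so the install does not succeed with a feature that cannot work.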


@ -43,8 +43,8 @@ type Provider struct {
kubernetesConfig clientcmd.ClientConfig kubernetesConfig clientcmd.ClientConfig
clientConfig restclient.Config clientConfig restclient.Config
Namespace string Namespace string
managedBy string managedBy string
createdBy string createdBy string
} }
const ( const (
@ -252,9 +252,9 @@ func (provider *Provider) GetMizuApiServerPodObject(opts *ApiServerOptions, moun
pod := &core.Pod{ pod := &core.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: opts.PodName, Name: opts.PodName,
Labels: map[string]string{ Labels: map[string]string{
"app": opts.PodName, "app": opts.PodName,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
@ -369,41 +369,41 @@ func (provider *Provider) doesResourceExist(resource interface{}, err error) (bo
return resource != nil, nil return resource != nil, nil
} }
func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string, serviceAccountName string, clusterRoleName string, clusterRoleBindingName string, version string) error { func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string, serviceAccountName string, clusterRoleName string, clusterRoleBindingName string, version string, resources []string) error {
serviceAccount := &core.ServiceAccount{ serviceAccount := &core.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: serviceAccountName, Name: serviceAccountName,
Labels: map[string]string{ Labels: map[string]string{
"mizu-cli-version": version, "mizu-cli-version": version,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
}, },
} }
clusterRole := &rbac.ClusterRole{ clusterRole := &rbac.ClusterRole{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: clusterRoleName, Name: clusterRoleName,
Labels: map[string]string{ Labels: map[string]string{
"mizu-cli-version": version, "mizu-cli-version": version,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
}, },
Rules: []rbac.PolicyRule{ Rules: []rbac.PolicyRule{
{ {
APIGroups: []string{"", "extensions", "apps"}, APIGroups: []string{"", "extensions", "apps"},
Resources: []string{"pods", "services", "endpoints"}, Resources: resources,
Verbs: []string{"list", "get", "watch"}, Verbs: []string{"list", "get", "watch"},
}, },
}, },
} }
clusterRoleBinding := &rbac.ClusterRoleBinding{ clusterRoleBinding := &rbac.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: clusterRoleBindingName, Name: clusterRoleBindingName,
Labels: map[string]string{ Labels: map[string]string{
"mizu-cli-version": version, "mizu-cli-version": version,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
}, },
RoleRef: rbac.RoleRef{ RoleRef: rbac.RoleRef{
@ -437,21 +437,21 @@ func (provider *Provider) CreateMizuRBAC(ctx context.Context, namespace string,
func (provider *Provider) CreateMizuRBACNamespaceRestricted(ctx context.Context, namespace string, serviceAccountName string, roleName string, roleBindingName string, version string) error { func (provider *Provider) CreateMizuRBACNamespaceRestricted(ctx context.Context, namespace string, serviceAccountName string, roleName string, roleBindingName string, version string) error {
serviceAccount := &core.ServiceAccount{ serviceAccount := &core.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: serviceAccountName, Name: serviceAccountName,
Labels: map[string]string{ Labels: map[string]string{
"mizu-cli-version": version, "mizu-cli-version": version,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
}, },
} }
role := &rbac.Role{ role := &rbac.Role{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: roleName, Name: roleName,
Labels: map[string]string{ Labels: map[string]string{
"mizu-cli-version": version, "mizu-cli-version": version,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
}, },
Rules: []rbac.PolicyRule{ Rules: []rbac.PolicyRule{
@ -464,11 +464,11 @@ func (provider *Provider) CreateMizuRBACNamespaceRestricted(ctx context.Context,
} }
roleBinding := &rbac.RoleBinding{ roleBinding := &rbac.RoleBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: roleBindingName, Name: roleBindingName,
Labels: map[string]string{ Labels: map[string]string{
"mizu-cli-version": version, "mizu-cli-version": version,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
}, },
RoleRef: rbac.RoleRef{ RoleRef: rbac.RoleRef{
@ -502,11 +502,11 @@ func (provider *Provider) CreateMizuRBACNamespaceRestricted(ctx context.Context,
func (provider *Provider) CreateDaemonsetRBAC(ctx context.Context, namespace string, serviceAccountName string, roleName string, roleBindingName string, version string) error { func (provider *Provider) CreateDaemonsetRBAC(ctx context.Context, namespace string, serviceAccountName string, roleName string, roleBindingName string, version string) error {
role := &rbac.Role{ role := &rbac.Role{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: roleName, Name: roleName,
Labels: map[string]string{ Labels: map[string]string{
"mizu-cli-version": version, "mizu-cli-version": version,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
}, },
Rules: []rbac.PolicyRule{ Rules: []rbac.PolicyRule{
@ -524,11 +524,11 @@ func (provider *Provider) CreateDaemonsetRBAC(ctx context.Context, namespace str
} }
roleBinding := &rbac.RoleBinding{ roleBinding := &rbac.RoleBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: roleBindingName, Name: roleBindingName,
Labels: map[string]string{ Labels: map[string]string{
"mizu-cli-version": version, "mizu-cli-version": version,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}, },
}, },
RoleRef: rbac.RoleRef{ RoleRef: rbac.RoleRef{
@ -805,7 +805,7 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac
podTemplate := applyconfcore.PodTemplateSpec() podTemplate := applyconfcore.PodTemplateSpec()
podTemplate.WithLabels(map[string]string{ podTemplate.WithLabels(map[string]string{
"app": tapperPodName, "app": tapperPodName,
LabelManagedBy: provider.managedBy, LabelManagedBy: provider.managedBy,
LabelCreatedBy: provider.createdBy, LabelCreatedBy: provider.createdBy,
}) })
@ -869,6 +869,15 @@ func (provider *Provider) ListAllRunningPodsMatchingRegex(ctx context.Context, r
return matchingPods, nil return matchingPods, nil
} }
func (provider *Provider) ListAllNamespaces(ctx context.Context) ([]core.Namespace, error) {
namespaces, err := provider.clientSet.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
if err != nil {
return nil, err
}
return namespaces.Items, err
}
func (provider *Provider) GetPodLogs(ctx context.Context, namespace string, podName string) (string, error) { func (provider *Provider) GetPodLogs(ctx context.Context, namespace string, podName string) (string, error) {
podLogOpts := core.PodLogOptions{} podLogOpts := core.PodLogOptions{}
req := provider.clientSet.CoreV1().Pods(namespace).GetLogs(podName, &podLogOpts) req := provider.clientSet.CoreV1().Pods(namespace).GetLogs(podName, &podLogOpts)
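Review bot: `CreateMizuRBAC` now places a caller-supplied `resources` slice into the one `PolicyRule` that spans the `""`, `extensions` and `apps` API groups, and the install path uses it to add `namespaces`, which gives the API server's service account cluster-wide namespace enumeration; that is what `ListAllNamespaces` needs, but the function has no doc comment saying the list is granted list/get/watch across the whole cluster in all three groups. For least privilege I would keep the original pods/services/endpoints rule as is and add extra resources as a second rule with `APIGroups: []string{""}`, since `namespaces` only exists in the core group and the other groups are just noise an auditor has to explain. `ListAllNamespaces` returns `namespaces.Items, err` where `err` is already known to be nil; make it `return namespaces.Items, nil` and give the exported method a comment such as `// ListAllNamespaces lists every namespace in the cluster (cluster-scoped; needs list on namespaces in a ClusterRole).`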