From 90f0f603c7127530ab367519f1a030284f3acc09 Mon Sep 17 00:00:00 2001 From: Igor Gov Date: Thu, 5 Aug 2021 12:12:01 +0300 Subject: [PATCH] Support getting logs in ns restricted mode (#168) --- cli/cmd/tap.go | 4 ++ cli/cmd/tapRunner.go | 80 ++++++++++++++++---------------- cli/cmd/viewRunner.go | 4 +- cli/errormessage/errormessage.go | 4 +- cli/kubernetes/provider.go | 32 +++++++------ cli/logsUtils/mizuLogsUtils.go | 6 ++- cli/mizu/config.go | 11 +++++ cli/mizu/configStruct.go | 34 +++++--------- cli/mizu/consts.go | 21 ++++----- 9 files changed, 102 insertions(+), 94 deletions(-) diff --git a/cli/cmd/tap.go b/cli/cmd/tap.go index 5538a0fd4..9aa040134 100644 --- a/cli/cmd/tap.go +++ b/cli/cmd/tap.go @@ -31,6 +31,10 @@ Supported protocols are HTTP and gRPC.`, return errors.New("unexpected number of arguments") } + if err := mizu.Config.Validate(); err != nil { + return errormessage.FormatError(err) + } + if err := mizu.Config.Tap.Validate(); err != nil { return errormessage.FormatError(err) } diff --git a/cli/cmd/tapRunner.go b/cli/cmd/tapRunner.go index c4f2ac23d..a886144de 100644 --- a/cli/cmd/tapRunner.go +++ b/cli/cmd/tapRunner.go @@ -118,7 +118,7 @@ func readValidationRules(file string) (string, error) { } func createMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Provider, nodeToTappedPodIPMap map[string][]string, mizuApiFilteringOptions *shared.TrafficFilteringOptions, mizuValidationRules string) error { - if mizu.Config.IsOwnNamespace() { + if !mizu.Config.IsNsRestrictedMode() { if err := createMizuNamespace(ctx, kubernetesProvider); err != nil { return err } 
@@ -143,12 +143,12 @@ func createMizuResources(ctx context.Context, kubernetesProvider *kubernetes.Pro } func createMizuConfigmap(ctx context.Context, kubernetesProvider *kubernetes.Provider, data string) error { - err := kubernetesProvider.CreateConfigMap(ctx, mizu.Config.ResourcesNamespace(), mizu.ConfigMapName, data) + err := kubernetesProvider.CreateConfigMap(ctx, mizu.Config.MizuResourcesNamespace, mizu.ConfigMapName, data) return err } func createMizuNamespace(ctx context.Context, kubernetesProvider *kubernetes.Provider) error { - _, err := kubernetesProvider.CreateNamespace(ctx, mizu.Config.ResourcesNamespace()) + _, err := kubernetesProvider.CreateNamespace(ctx, mizu.Config.MizuResourcesNamespace) return err } @@ -168,11 +168,11 @@ func createMizuApiServer(ctx context.Context, kubernetesProvider *kubernetes.Pro } opts := &kubernetes.ApiServerOptions{ - Namespace: mizu.Config.ResourcesNamespace(), + Namespace: mizu.Config.MizuResourcesNamespace, PodName: mizu.ApiServerPodName, - PodImage: mizu.Config.MizuImage, + PodImage: mizu.Config.AgentImage, ServiceAccountName: serviceAccountName, - IsNamespaceRestricted: !mizu.Config.IsOwnNamespace(), + IsNamespaceRestricted: mizu.Config.IsNsRestrictedMode(), MizuApiFilteringOptions: mizuApiFilteringOptions, MaxEntriesDBSizeBytes: mizu.Config.Tap.MaxEntriesDBSizeBytes(), } @@ -182,7 +182,7 @@ func createMizuApiServer(ctx context.Context, kubernetesProvider *kubernetes.Pro } mizu.Log.Debugf("Successfully created API server pod: %s", mizu.ApiServerPodName) - state.apiServerService, err = kubernetesProvider.CreateService(ctx, mizu.Config.ResourcesNamespace(), mizu.ApiServerPodName, mizu.ApiServerPodName) + state.apiServerService, err = kubernetesProvider.CreateService(ctx, mizu.Config.MizuResourcesNamespace, mizu.ApiServerPodName, mizu.ApiServerPodName) if err != nil { return err } 
@@ -219,9 +219,9 @@ func updateMizuTappers(ctx context.Context, kubernetesProvider *kubernetes.Provi if err := kubernetesProvider.ApplyMizuTapperDaemonSet( ctx, - mizu.Config.ResourcesNamespace(), + mizu.Config.MizuResourcesNamespace, mizu.TapperDaemonSetName, - mizu.Config.MizuImage, + mizu.Config.AgentImage, mizu.TapperPodName, fmt.Sprintf("%s.%s.svc.cluster.local", state.apiServerService.Name, state.apiServerService.Namespace), nodeToTappedPodIPMap, @@ -232,7 +232,7 @@ func updateMizuTappers(ctx context.Context, kubernetesProvider *kubernetes.Provi } mizu.Log.Debugf("Successfully created %v tappers", len(nodeToTappedPodIPMap)) } else { - if err := kubernetesProvider.RemoveDaemonSet(ctx, mizu.Config.ResourcesNamespace(), mizu.TapperDaemonSetName); err != nil { + if err := kubernetesProvider.RemoveDaemonSet(ctx, mizu.Config.MizuResourcesNamespace, mizu.TapperDaemonSetName); err != nil { return err } } 
@@ -255,55 +255,55 @@ func cleanUpMizuResources(kubernetesProvider *kubernetes.Provider) { mizu.Log.Infof("\nRemoving mizu resources\n") - if mizu.Config.IsOwnNamespace() { - if err := kubernetesProvider.RemoveNamespace(removalCtx, mizu.Config.ResourcesNamespace()); err != nil { - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Namespace %s: %v", mizu.Config.ResourcesNamespace(), errormessage.FormatError(err))) + if !mizu.Config.IsNsRestrictedMode() { + if err := kubernetesProvider.RemoveNamespace(removalCtx, mizu.Config.MizuResourcesNamespace); err != nil { + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Namespace %s: %v", mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) return } } else { - if err := kubernetesProvider.RemovePod(removalCtx, mizu.Config.ResourcesNamespace(), mizu.ApiServerPodName); err != nil { - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Pod %s in namespace %s: %v", mizu.ApiServerPodName, mizu.Config.ResourcesNamespace(), errormessage.FormatError(err))) + if err := kubernetesProvider.RemovePod(removalCtx, mizu.Config.MizuResourcesNamespace, mizu.ApiServerPodName); err != nil { + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Pod %s in namespace %s: %v", mizu.ApiServerPodName, mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) } - if err := kubernetesProvider.RemoveService(removalCtx, mizu.Config.ResourcesNamespace(), mizu.ApiServerPodName); err != nil { - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Service %s in namespace %s: %v", mizu.ApiServerPodName, mizu.Config.ResourcesNamespace(), errormessage.FormatError(err))) + if err := kubernetesProvider.RemoveService(removalCtx, mizu.Config.MizuResourcesNamespace, mizu.ApiServerPodName); err != nil { + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Service %s in namespace %s: %v", mizu.ApiServerPodName, mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) } - if err := 
kubernetesProvider.RemoveDaemonSet(removalCtx, mizu.Config.ResourcesNamespace(), mizu.TapperDaemonSetName); err != nil { - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing DaemonSet %s in namespace %s: %v", mizu.TapperDaemonSetName, mizu.Config.ResourcesNamespace(), errormessage.FormatError(err))) + if err := kubernetesProvider.RemoveDaemonSet(removalCtx, mizu.Config.MizuResourcesNamespace, mizu.TapperDaemonSetName); err != nil { + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing DaemonSet %s in namespace %s: %v", mizu.TapperDaemonSetName, mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) } if !state.doNotRemoveConfigMap { - if err := kubernetesProvider.RemoveConfigMap(removalCtx, mizu.Config.ResourcesNamespace(), mizu.ConfigMapName); err != nil { - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing ConfigMap %s in namespace %s: %v", mizu.ConfigMapName, mizu.Config.ResourcesNamespace(), errormessage.FormatError(err))) + if err := kubernetesProvider.RemoveConfigMap(removalCtx, mizu.Config.MizuResourcesNamespace, mizu.ConfigMapName); err != nil { + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing ConfigMap %s in namespace %s: %v", mizu.ConfigMapName, mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) } } } if state.mizuServiceAccountExists { - if mizu.Config.IsOwnNamespace() { + if !mizu.Config.IsNsRestrictedMode() { if err := kubernetesProvider.RemoveNonNamespacedResources(removalCtx, mizu.ClusterRoleName, mizu.ClusterRoleBindingName); err != nil { mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing non-namespaced resources: %v", errormessage.FormatError(err))) return } } else { - if err := kubernetesProvider.RemoveServicAccount(removalCtx, mizu.Config.ResourcesNamespace(), mizu.ServiceAccountName); err != nil { - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Service Account %s in namespace %s: %v", mizu.ServiceAccountName, mizu.Config.ResourcesNamespace(), 
errormessage.FormatError(err))) + if err := kubernetesProvider.RemoveServicAccount(removalCtx, mizu.Config.MizuResourcesNamespace, mizu.ServiceAccountName); err != nil { + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Service Account %s in namespace %s: %v", mizu.ServiceAccountName, mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) return } - if err := kubernetesProvider.RemoveRole(removalCtx, mizu.Config.ResourcesNamespace(), mizu.RoleName); err != nil { - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Role %s in namespace %s: %v", mizu.RoleName, mizu.Config.ResourcesNamespace(), errormessage.FormatError(err))) + if err := kubernetesProvider.RemoveRole(removalCtx, mizu.Config.MizuResourcesNamespace, mizu.RoleName); err != nil { + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing Role %s in namespace %s: %v", mizu.RoleName, mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) } - if err := kubernetesProvider.RemoveRoleBinding(removalCtx, mizu.Config.ResourcesNamespace(), mizu.RoleBindingName); err != nil { - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing RoleBinding %s in namespace %s: %v", mizu.RoleBindingName, mizu.Config.ResourcesNamespace(), errormessage.FormatError(err))) + if err := kubernetesProvider.RemoveRoleBinding(removalCtx, mizu.Config.MizuResourcesNamespace, mizu.RoleBindingName); err != nil { + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error removing RoleBinding %s in namespace %s: %v", mizu.RoleBindingName, mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) } } } - if mizu.Config.IsOwnNamespace() { + if !mizu.Config.IsNsRestrictedMode() { waitUntilNamespaceDeleted(removalCtx, cancel, kubernetesProvider) } } 
@@ -314,14 +314,14 @@ func waitUntilNamespaceDeleted(ctx context.Context, cancel context.CancelFunc, k waitForFinish(ctx, cancel) }() - if err := kubernetesProvider.WaitUtilNamespaceDeleted(ctx, mizu.Config.ResourcesNamespace()); err != nil { + if err := kubernetesProvider.WaitUtilNamespaceDeleted(ctx, mizu.Config.MizuResourcesNamespace); err != nil { switch { case ctx.Err() == context.Canceled: // Do nothing. User interrupted the wait. case err == wait.ErrWaitTimeout: - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Timeout while removing Namespace %s", mizu.Config.ResourcesNamespace())) + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Timeout while removing Namespace %s", mizu.Config.MizuResourcesNamespace)) default: - mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error while waiting for Namespace %s to be deleted: %v", mizu.Config.ResourcesNamespace(), errormessage.FormatError(err))) + mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error while waiting for Namespace %s to be deleted: %v", mizu.Config.MizuResourcesNamespace, errormessage.FormatError(err))) } } } @@ -410,7 +410,7 @@ func watchPodsForTapping(ctx context.Context, kubernetesProvider *kubernetes.Pro func updateCurrentlyTappedPods(kubernetesProvider *kubernetes.Provider, ctx context.Context, targetNamespaces []string) (error, bool) { changeFound := false - if matchingPods, err := kubernetesProvider.GetAllRunningPodsMatchingRegex(ctx, mizu.Config.Tap.PodRegex(), targetNamespaces); err != nil { + if matchingPods, err := kubernetesProvider.ListAllRunningPodsMatchingRegex(ctx, mizu.Config.Tap.PodRegex(), targetNamespaces); err != nil { return err, false } else { addedPods, removedPods := getPodArrayDiff(state.currentlyTappedPods, matchingPods) 
@@ -455,7 +455,7 @@ func getMissingPods(pods1 []core.Pod, pods2 []core.Pod) []core.Pod { func createProxyToApiServerPod(ctx context.Context, kubernetesProvider *kubernetes.Provider, cancel context.CancelFunc) { podExactRegex := regexp.MustCompile(fmt.Sprintf("^%s$", mizu.ApiServerPodName)) - added, modified, removed, errorChan := kubernetes.FilteredWatch(ctx, kubernetesProvider, []string{mizu.Config.ResourcesNamespace()}, podExactRegex) + added, modified, removed, errorChan := kubernetes.FilteredWatch(ctx, kubernetesProvider, []string{mizu.Config.MizuResourcesNamespace}, podExactRegex) isPodReady := false timeAfter := time.After(25 * time.Second) for { @@ -474,7 +474,7 @@ func createProxyToApiServerPod(ctx context.Context, kubernetesProvider *kubernet if modifiedPod.Status.Phase == core.PodRunning && !isPodReady { isPodReady = true go func() { - err := kubernetes.StartProxy(kubernetesProvider, mizu.Config.Tap.GuiPort, mizu.Config.ResourcesNamespace(), mizu.ApiServerPodName) + err := kubernetes.StartProxy(kubernetesProvider, mizu.Config.Tap.GuiPort, mizu.Config.MizuResourcesNamespace, mizu.ApiServerPodName) if err != nil { mizu.Log.Errorf(uiUtils.Error, fmt.Sprintf("Error occured while running k8s proxy %v", errormessage.FormatError(err))) cancel() @@ -493,7 +493,7 @@ func createProxyToApiServerPod(ctx context.Context, kubernetesProvider *kubernet cancel() } case <-errorChan: - mizu.Log.Debugf("[ERROR] Agent creation, watching %v namespace", mizu.Config.ResourcesNamespace()) + mizu.Log.Debugf("[ERROR] Agent creation, watching %v namespace", mizu.Config.MizuResourcesNamespace) cancel() } } 
@@ -522,18 +522,18 @@ func requestForAnalysis() { } func createRBACIfNecessary(ctx context.Context, kubernetesProvider *kubernetes.Provider) (bool, error) { - mizuRBACExists, err := kubernetesProvider.DoesServiceAccountExist(ctx, mizu.Config.ResourcesNamespace(), mizu.ServiceAccountName) + mizuRBACExists, err := kubernetesProvider.DoesServiceAccountExist(ctx, mizu.Config.MizuResourcesNamespace, mizu.ServiceAccountName) if err != nil { return false, err } if !mizuRBACExists { - if mizu.Config.IsOwnNamespace() { - err := kubernetesProvider.CreateMizuRBAC(ctx, mizu.Config.ResourcesNamespace(), mizu.ServiceAccountName, mizu.ClusterRoleName, mizu.ClusterRoleBindingName, mizu.RBACVersion) + if !mizu.Config.IsNsRestrictedMode() { + err := kubernetesProvider.CreateMizuRBAC(ctx, mizu.Config.MizuResourcesNamespace, mizu.ServiceAccountName, mizu.ClusterRoleName, mizu.ClusterRoleBindingName, mizu.RBACVersion) if err != nil { return false, err } } else { - err := kubernetesProvider.CreateMizuRBACNamespaceRestricted(ctx, mizu.Config.ResourcesNamespace(), mizu.ServiceAccountName, mizu.RoleName, mizu.RoleBindingName, mizu.RBACVersion) + err := kubernetesProvider.CreateMizuRBACNamespaceRestricted(ctx, mizu.Config.MizuResourcesNamespace, mizu.ServiceAccountName, mizu.RoleName, mizu.RoleBindingName, mizu.RBACVersion) if err != nil { return false, err } diff --git a/cli/cmd/viewRunner.go b/cli/cmd/viewRunner.go index 2c9e9d931..f2aae65a7 100644 --- a/cli/cmd/viewRunner.go +++ b/cli/cmd/viewRunner.go @@ -18,7 +18,7 @@ func runMizuView() { ctx, cancel := context.WithCancel(context.Background()) defer cancel() - exists, err := kubernetesProvider.DoesServicesExist(ctx, mizu.Config.ResourcesNamespace(), mizu.ApiServerPodName) + exists, err := kubernetesProvider.DoesServicesExist(ctx, mizu.Config.MizuResourcesNamespace, mizu.ApiServerPodName) if err != nil { panic(err) } 
@@ -36,7 +36,7 @@ func runMizuView() { mizu.Log.Infof("Found service %s, creating k8s proxy", mizu.ApiServerPodName) mizu.Log.Infof("Mizu is available at http://%s\n", kubernetes.GetMizuApiServerProxiedHostAndPath(mizu.Config.View.GuiPort)) - err = kubernetes.StartProxy(kubernetesProvider, mizu.Config.View.GuiPort, mizu.Config.ResourcesNamespace(), mizu.ApiServerPodName) + err = kubernetes.StartProxy(kubernetesProvider, mizu.Config.View.GuiPort, mizu.Config.MizuResourcesNamespace, mizu.ApiServerPodName) if err != nil { mizu.Log.Infof("Error occured while running k8s proxy %v", err) } diff --git a/cli/errormessage/errormessage.go b/cli/errormessage/errormessage.go index 510581e8d..657562dbf 100644 --- a/cli/errormessage/errormessage.go +++ b/cli/errormessage/errormessage.go @@ -13,7 +13,9 @@ import ( func FormatError(err error) error { var errorNew error if k8serrors.IsForbidden(err) { - errorNew = fmt.Errorf("Insufficient permissions: %w. Supply the required permission or control Mizu's access to namespaces by setting MizuNamespace in the config file or setting the tapped namespace with --set mizu-namespace=.", err) + errorNew = fmt.Errorf("Insufficient permissions: %w. "+ + "Supply the required permission or control Mizu's access to namespaces by setting MizuResourcesNamespace "+ + "in the config file or setting the tapped namespace with --set mizu-resources-namespace=.", err) } else if syntaxError, isSyntaxError := asRegexSyntaxError(err); isSyntaxError { errorNew = fmt.Errorf("Regex %s is invalid: %w", syntaxError.Expr, err) } else { diff --git a/cli/kubernetes/provider.go b/cli/kubernetes/provider.go index 026c77d94..d6c92754f 100644 --- a/cli/kubernetes/provider.go +++ b/cli/kubernetes/provider.go 
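Review bot: The rewritten message tells the user to set "the tapped namespace" with `--set mizu-resources-namespace=`, but that key names the namespace Mizu's own resources live in, while the new `Validate` in cli/mizu/config.go later in this patch refers to the tapped namespace as `--namespace` and the resources one as `--mizu-resources-namespace`; the two hunks describe the same setting with different flag syntax and the wording here conflates the two namespaces. Suggested text for the second and third fragments: `"Supply the required permission or control Mizu's access to namespaces by setting MizuResourcesNamespace "+` / `"in the config file or with --set mizu-resources-namespace=<namespace>."`, using whichever flag form is actually accepted in both places. FormatError continues past the hunk.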
@@ -562,19 +562,6 @@ func (provider *Provider) CreateConfigMap(ctx context.Context, namespace string, return nil } -func (provider *Provider) ListPods(ctx context.Context, namespace string) ([]shared.PodInfo, error) { - podInfos := make([]shared.PodInfo, 0) - listOptions := metav1.ListOptions{} - pods, err := provider.clientSet.CoreV1().Pods(namespace).List(ctx, listOptions) - if err != nil { - return podInfos, fmt.Errorf("error getting pods in ns: %s, %w", namespace, err) - } - for _, pod := range pods.Items { - podInfos = append(podInfos, shared.PodInfo{Name: pod.Name, Namespace: pod.Namespace}) - } - return podInfos, nil -} - func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespace string, daemonSetName string, podImage string, tapperPodName string, apiServerPodIp string, nodeToTappedPodIPMap map[string][]string, serviceAccountName string, tapOutgoing bool) error { mizu.Log.Debugf("Applying %d tapper deamonsets, ns: %s, daemonSetName: %s, podImage: %s, tapperPodName: %s", len(nodeToTappedPodIPMap), namespace, daemonSetName, podImage, tapperPodName) @@ -691,7 +678,7 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac return err } -func (provider *Provider) GetAllRunningPodsMatchingRegex(ctx context.Context, regex *regexp.Regexp, namespaces []string) ([]core.Pod, error) { +func (provider *Provider) ListAllPodsMatchingRegex(ctx context.Context, regex *regexp.Regexp, namespaces []string) ([]core.Pod, error) { var pods []core.Pod for _, namespace := range namespaces { namespacePods, err := provider.clientSet.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{}) 
@@ -704,7 +691,22 @@ func (provider *Provider) GetAllRunningPodsMatchingRegex(ctx context.Context, re matchingPods := make([]core.Pod, 0) for _, pod := range pods { - if regex.MatchString(pod.Name) && isPodRunning(&pod) { + if regex.MatchString(pod.Name) { + matchingPods = append(matchingPods, pod) + } + } + return matchingPods, nil +} + +func (provider *Provider) ListAllRunningPodsMatchingRegex(ctx context.Context, regex *regexp.Regexp, namespaces []string) ([]core.Pod, error) { + pods, err := provider.ListAllPodsMatchingRegex(ctx, regex, namespaces) + if err != nil { + return nil, err + } + + matchingPods := make([]core.Pod, 0) + for _, pod := range pods { + if isPodRunning(&pod) { matchingPods = append(matchingPods, pod) } } diff --git a/cli/logsUtils/mizuLogsUtils.go b/cli/logsUtils/mizuLogsUtils.go index 96911875e..aed8d9c9a 100644 --- a/cli/logsUtils/mizuLogsUtils.go +++ b/cli/logsUtils/mizuLogsUtils.go @@ -9,16 +9,18 @@ import ( "io" "os" "path/filepath" + "regexp" ) func DumpLogs(provider *kubernetes.Provider, ctx context.Context, filePath string) error { - pods, err := provider.ListPods(ctx, mizu.Config.ResourcesNamespace()) + podExactRegex := regexp.MustCompile(fmt.Sprintf("^mizu-")) + pods, err := provider.ListAllPodsMatchingRegex(ctx, podExactRegex, []string{mizu.Config.MizuResourcesNamespace}) if err != nil { return err } if len(pods) == 0 { - return fmt.Errorf("no pods found in namespace %s", mizu.Config.ResourcesNamespace()) + return fmt.Errorf("no pods found in namespace %s", mizu.Config.MizuResourcesNamespace) } newZipFile, err := os.Create(filePath) diff --git a/cli/mizu/config.go b/cli/mizu/config.go index 2babdbad6..f96f5b37b 100644 --- a/cli/mizu/config.go +++ b/cli/mizu/config.go 
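Review bot: `ListAllPodsMatchingRegex` and the new `ListAllRunningPodsMatchingRegex` are exported methods without doc comments; the split in responsibility is worth stating, e.g. `// ListAllPodsMatchingRegex returns every pod in namespaces whose name matches regex, regardless of phase.` and `// ListAllRunningPodsMatchingRegex returns the subset of ListAllPodsMatchingRegex for which isPodRunning reports true.` The filter loop in the new method copies each `core.Pod` (a large struct) into the loop variable and then takes its address; indexing avoids the copy: `for i := range pods { if isPodRunning(&pods[i]) { matchingPods = append(matchingPods, pods[i]) } }`, and `make([]core.Pod, 0, len(pods))` bounds the result up front. `ListAllPodsMatchingRegex` begins in the previous hunk, outside this one.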
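Review bot: `regexp.MustCompile(fmt.Sprintf("^mizu-"))` wraps a constant format string with no arguments, so the `fmt.Sprintf` is dead weight (staticcheck flags this), and the name `podExactRegex` is misleading because the pattern is a prefix match, not an exact one. In namespace-restricted mode `MizuResourcesNamespace` is a user's own namespace, so any unrelated workload whose pod name happens to start with `mizu-` would have its logs pulled into the dump archive; building the prefix from the names Mizu itself creates narrows that, e.g. `podPrefixRegex := regexp.MustCompile("^(" + regexp.QuoteMeta(mizu.ApiServerPodName) + "|" + regexp.QuoteMeta(mizu.TapperPodName) + ")")` — assuming the tapper pods carry the `TapperPodName` prefix, which this patch does not show. DumpLogs continues past the hunk.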
@@ -24,6 +24,17 @@ const ( var Config = ConfigStruct{} +func (config *ConfigStruct) Validate() error { + if config.IsNsRestrictedMode() { + if config.Tap.AllNamespaces || len(config.Tap.Namespaces) != 1 || config.Tap.Namespaces[0] != config.MizuResourcesNamespace { + return fmt.Errorf("Not supported mode. Mizu can't resolve IPs in other namespaces when running in namespace restricted mode.\n" + + "You can use the same namespace for --namespace and --mizu-resources-namespace") + } + } + + return nil +} + func InitConfig(cmd *cobra.Command) error { if err := defaults.Set(&Config); err != nil { return err diff --git a/cli/mizu/configStruct.go b/cli/mizu/configStruct.go index f6b3ef4e5..da426caa0 100644 --- a/cli/mizu/configStruct.go +++ b/cli/mizu/configStruct.go 
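Review bot: `Validate` is an exported method with no doc comment, and its condition is the only place the namespace-restricted contract is spelled out, so it deserves one, e.g. `// Validate rejects configurations Mizu cannot run: in namespace-restricted mode exactly one namespace may be tapped and it must equal MizuResourcesNamespace, because the agent cannot resolve pod IPs across namespaces there.` The `len(config.Tap.Namespaces) != 1` test is evaluated before `Namespaces[0]`, so the index is safe only because of that ordering; a short inline comment such as `// length check guards the index below` would stop a future reorder from introducing a panic.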
@@ -7,32 +7,20 @@ import ( ) type ConfigStruct struct { - Tap configStructs.TapConfig `yaml:"tap"` - Fetch configStructs.FetchConfig `yaml:"fetch"` - Version configStructs.VersionConfig `yaml:"version"` - View configStructs.ViewConfig `yaml:"view"` - MizuImage string `yaml:"mizu-image"` - MizuNamespace string `yaml:"mizu-namespace"` - Telemetry bool `yaml:"telemetry" default:"true"` - DumpLogs bool `yaml:"dump-logs" default:"false"` + Tap configStructs.TapConfig `yaml:"tap"` + Fetch configStructs.FetchConfig `yaml:"fetch"` + Version configStructs.VersionConfig `yaml:"version"` + View configStructs.ViewConfig `yaml:"view"` + AgentImage string `yaml:"agent-image"` + MizuResourcesNamespace string `yaml:"mizu-resources-namespace" default:"mizu"` + Telemetry bool `yaml:"telemetry" default:"true"` + DumpLogs bool `yaml:"dump-logs" default:"false"` } func (config *ConfigStruct) SetDefaults() { - config.MizuImage = fmt.Sprintf("gcr.io/up9-docker-hub/mizu/%s:%s", Branch, SemVer) + config.AgentImage = fmt.Sprintf("gcr.io/up9-docker-hub/mizu/%s:%s", Branch, SemVer) } -func (config *ConfigStruct) ResourcesNamespace() string { - if config.MizuNamespace == "" { - return ResourcesDefaultNamespace - } - - return config.MizuNamespace -} - -func (config *ConfigStruct) IsOwnNamespace() bool { - if config.MizuNamespace == "" { - return true - } - - return false +func (config *ConfigStruct) IsNsRestrictedMode() bool { + return config.MizuResourcesNamespace != "mizu" // Notice "mizu" string must match the default MizuResourcesNamespace } diff --git a/cli/mizu/consts.go b/cli/mizu/consts.go index 848f463b9..576010709 100644 --- a/cli/mizu/consts.go +++ b/cli/mizu/consts.go 
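Review bot: `IsNsRestrictedMode` is what decides whether cluster-scoped RBAC (ClusterRole/ClusterRoleBinding in createRBACIfNecessary, cli/cmd/tapRunner.go) is created, and that decision now hinges on the literal `"mizu"` duplicated between this method and the `default:"mizu"` struct tag, after the commit removes `ResourcesDefaultNamespace` from cli/mizu/consts.go; the trailing comment itself admits the coupling. Keeping that constant and comparing against it, `return config.MizuResourcesNamespace != ResourcesDefaultNamespace`, leaves only the struct tag as a literal that must match, which the comment can then point at. Note also the semantic shift: the removed `IsOwnNamespace` treated only an empty value as cluster-wide, whereas a user who now explicitly sets `mizu-resources-namespace: mizu` gets the cluster-wide mode and cannot request the namespace-scoped Role for that namespace; if the least-privilege mode is meant to be selectable regardless of name, an explicit setting would express that more safely than namespace equality.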
@@ -14,17 +14,16 @@ var ( ) const ( - ApiServerPodName = "mizu-api-server" - ClusterRoleBindingName = "mizu-cluster-role-binding" - ClusterRoleName = "mizu-cluster-role" - K8sAllNamespaces = "" - ResourcesDefaultNamespace = "mizu" - RoleBindingName = "mizu-role-binding" - RoleName = "mizu-role" - ServiceAccountName = "mizu-service-account" - TapperDaemonSetName = "mizu-tapper-daemon-set" - TapperPodName = "mizu-tapper" - ConfigMapName = "mizu-policy" + ApiServerPodName = "mizu-api-server" + ClusterRoleBindingName = "mizu-cluster-role-binding" + ClusterRoleName = "mizu-cluster-role" + K8sAllNamespaces = "" + RoleBindingName = "mizu-role-binding" + RoleName = "mizu-role" + ServiceAccountName = "mizu-service-account" + TapperDaemonSetName = "mizu-tapper-daemon-set" + TapperPodName = "mizu-tapper" + ConfigMapName = "mizu-policy" ) func GetMizuFolderPath() string {