TRA-3903 fix daemon mode in permission restricted configs (#473)
* Update tapRunner.go, permissions-all-namespaces-daemon.yaml, and 2 more files... * Update tapRunner.go * Update tapRunner.go and permissions-ns-daemon.yaml * Update tapRunner.go * Update tapRunner.go * Update tapRunner.go
This commit is contained in:
parent
95d2a868e1
commit
b7f7daa05c
@ -378,22 +378,9 @@ func createMizuApiServerPod(ctx context.Context, kubernetesProvider *kubernetes.
|
|||||||
func createMizuApiServerDeployment(ctx context.Context, kubernetesProvider *kubernetes.Provider, opts *kubernetes.ApiServerOptions) error {
|
func createMizuApiServerDeployment(ctx context.Context, kubernetesProvider *kubernetes.Provider, opts *kubernetes.ApiServerOptions) error {
|
||||||
volumeClaimCreated := false
|
volumeClaimCreated := false
|
||||||
if !config.Config.Tap.NoPersistentVolumeClaim {
|
if !config.Config.Tap.NoPersistentVolumeClaim {
|
||||||
isDefaultStorageClassAvailable, err := kubernetesProvider.IsDefaultStorageProviderAvailable(ctx)
|
volumeClaimCreated = TryToCreatePersistentVolumeClaim(ctx, kubernetesProvider)
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if isDefaultStorageClassAvailable {
|
|
||||||
if _, err = kubernetesProvider.CreatePersistentVolumeClaim(ctx, config.Config.MizuResourcesNamespace, kubernetes.PersistentVolumeClaimName, config.Config.Tap.MaxEntriesDBSizeBytes()+mizu.DaemonModePersistentVolumeSizeBufferBytes); err != nil {
|
|
||||||
logger.Log.Warningf(uiUtils.Yellow, "An error has occured while creating a persistent volume claim for mizu, this will mean that mizu's data will be lost on pod restart")
|
|
||||||
logger.Log.Debugf("error creating persistent volume claim: %v", err)
|
|
||||||
} else {
|
|
||||||
volumeClaimCreated = true
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
logger.Log.Warningf(uiUtils.Yellow, "Could not find default volume provider in this cluster, this will mean that mizu's data will be lost on pod restart")
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pod, err := kubernetesProvider.GetMizuApiServerPodObject(opts, volumeClaimCreated, kubernetes.PersistentVolumeClaimName)
|
pod, err := kubernetesProvider.GetMizuApiServerPodObject(opts, volumeClaimCreated, kubernetes.PersistentVolumeClaimName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -406,6 +393,26 @@ func createMizuApiServerDeployment(ctx context.Context, kubernetesProvider *kube
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TryToCreatePersistentVolumeClaim(ctx context.Context, kubernetesProvider *kubernetes.Provider) bool {
|
||||||
|
isDefaultStorageClassAvailable, err := kubernetesProvider.IsDefaultStorageProviderAvailable(ctx)
|
||||||
|
if err != nil {
|
||||||
|
logger.Log.Warningf(uiUtils.Yellow, "An error occured when checking if a default storage provider exists in this cluster, this means mizu data will be lost on mizu-api-server pod restart")
|
||||||
|
logger.Log.Debugf("error checking if default storage class exists: %v", err)
|
||||||
|
return false
|
||||||
|
} else if !isDefaultStorageClassAvailable {
|
||||||
|
logger.Log.Warningf(uiUtils.Yellow, "Could not find default storage provider in this cluster, this means mizu data will be lost on mizu-api-server pod restart")
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err = kubernetesProvider.CreatePersistentVolumeClaim(ctx, config.Config.MizuResourcesNamespace, kubernetes.PersistentVolumeClaimName, config.Config.Tap.MaxEntriesDBSizeBytes()+mizu.DaemonModePersistentVolumeSizeBufferBytes); err != nil {
|
||||||
|
logger.Log.Warningf(uiUtils.Yellow, "An error has occured while creating a persistent volume claim for mizu, this means mizu data will be lost on mizu-api-server pod restart")
|
||||||
|
logger.Log.Debugf("error creating persistent volume claim: %v", err)
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
func getMizuApiFilteringOptions() (*api.TrafficFilteringOptions, error) {
|
func getMizuApiFilteringOptions() (*api.TrafficFilteringOptions, error) {
|
||||||
var compiledRegexSlice []*api.SerializableRegexp
|
var compiledRegexSlice []*api.SerializableRegexp
|
||||||
|
|
||||||
|
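Review bot: TryToCreatePersistentVolumeClaim is exported without a doc comment, and its warnings hide why a claim was not created: the underlying error goes only to Debugf, so an RBAC denial on storageclasses or persistentvolumeclaims (the restricted configs this commit targets) is indistinguishable at warning level from a cluster that simply has no default storage class. Assuming Warningf takes format arguments after the colour, surface it, e.g. `logger.Log.Warningf(uiUtils.Yellow, "An error occurred when checking if a default storage provider exists in this cluster (%v), this means mizu data will be lost on mizu-api-server pod restart", err)` and likewise for the create failure, which also fixes the "occured" typo in both new messages. A doc comment stating the contract the code implements would help callers: `// TryToCreatePersistentVolumeClaim creates the mizu PVC when a default storage class exists; every failure is logged as a warning and reported as false so the caller falls back to ephemeral storage.` As a style point, the `} else if !isDefaultStorageClassAvailable {` following a return reads better as a separate `if`, keeping the happy path left-aligned.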
@ -7,15 +7,15 @@ rules:
|
|||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["pods"]
|
resources: ["pods"]
|
||||||
verbs: ["get", "list", "watch", "delete"]
|
verbs: ["get", "list", "watch", "delete"]
|
||||||
- apiGroups: [ "" ]
|
- apiGroups: [ "apps" ]
|
||||||
resources: [ "deployments" ]
|
resources: [ "deployments" ]
|
||||||
verbs: [ "create", "delete" ]
|
verbs: [ "get", "create", "delete" ]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["services"]
|
resources: ["services"]
|
||||||
verbs: ["get", "list", "watch", "create", "delete"]
|
verbs: ["get", "list", "watch", "create", "delete"]
|
||||||
- apiGroups: ["apps"]
|
- apiGroups: ["apps"]
|
||||||
resources: ["daemonsets"]
|
resources: ["daemonsets"]
|
||||||
verbs: ["create", "patch", "delete"]
|
verbs: ["get", "create", "patch", "delete", "list"]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["namespaces"]
|
resources: ["namespaces"]
|
||||||
verbs: ["get", "list", "watch", "create", "delete"]
|
verbs: ["get", "list", "watch", "create", "delete"]
|
||||||
|
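Review bot: The daemonsets rule now grants `list` and the deployments rule `get`, but nothing in this hunk grants `get`/`list` on storageclasses or `create`/`delete` on persistentvolumeclaims, which the new TryToCreatePersistentVolumeClaim path in tapRunner.go needs; if those rules are not elsewhere in this file, daemon mode under this manifest will always take the no-persistence fallback, and that should be stated in the file if it is intended. If this is the cluster-wide manifest the description suggests, `list` on daemonsets reads every daemonset in the cluster, so it is worth confirming the code actually lists rather than gets a named daemonset before widening it. The new verb lists also break the `get, list, watch, …` ordering the other rules use; `verbs: ["get", "list", "create", "patch", "delete"]` keeps them consistent.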
@ -8,7 +8,7 @@ rules:
|
|||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["pods"]
|
resources: ["pods"]
|
||||||
verbs: ["get", "list", "watch", "delete"]
|
verbs: ["get", "list", "watch", "delete"]
|
||||||
- apiGroups: [ "" ]
|
- apiGroups: [ "apps" ]
|
||||||
resources: [ "deployments" ]
|
resources: [ "deployments" ]
|
||||||
verbs: [ "get", "create", "delete" ]
|
verbs: [ "get", "create", "delete" ]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
@ -16,7 +16,7 @@ rules:
|
|||||||
verbs: ["get", "list", "watch", "create", "delete"]
|
verbs: ["get", "list", "watch", "create", "delete"]
|
||||||
- apiGroups: ["apps"]
|
- apiGroups: ["apps"]
|
||||||
resources: ["daemonsets"]
|
resources: ["daemonsets"]
|
||||||
verbs: ["get", "create", "patch", "delete"]
|
verbs: ["get", "create", "patch", "delete", "list"]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["services/proxy"]
|
resources: ["services/proxy"]
|
||||||
verbs: ["get"]
|
verbs: ["get"]
|
||||||
@ -32,7 +32,7 @@ rules:
|
|||||||
- apiGroups: ["rbac.authorization.k8s.io"]
|
- apiGroups: ["rbac.authorization.k8s.io"]
|
||||||
resources: ["rolebindings"]
|
resources: ["rolebindings"]
|
||||||
verbs: ["get", "create", "delete"]
|
verbs: ["get", "create", "delete"]
|
||||||
- apiGroups: ["apps", "extensions"]
|
- apiGroups: ["apps", "extensions", ""]
|
||||||
resources: ["pods"]
|
resources: ["pods"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: ["apps", "extensions"]
|
- apiGroups: ["apps", "extensions"]
|
||||||
|
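Review bot: Adding `""` to `apiGroups: ["apps", "extensions", ""]` for `resources: ["pods"]` is what makes the rule effective, since pods exist only in the core API group; the `apps` and `extensions` entries match no pods resource and are now dead, so `- apiGroups: [""]` says the same thing without suggesting pods are served from those groups. The daemonsets `list` widening and verb ordering raised on the other permissions file apply to the `@ -16,7 +16,7` hunk here as well.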
@ -579,6 +579,11 @@ func (provider *Provider) RemoveDaemonSet(ctx context.Context, namespace string,
|
|||||||
return provider.handleRemovalError(err)
|
return provider.handleRemovalError(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (provider *Provider) RemovePersistentVolumeClaim(ctx context.Context, namespace string, volumeClaimName string) error {
|
||||||
|
err := provider.clientSet.CoreV1().PersistentVolumeClaims(namespace).Delete(ctx, volumeClaimName, metav1.DeleteOptions{})
|
||||||
|
return provider.handleRemovalError(err)
|
||||||
|
}
|
||||||
|
|
||||||
func (provider *Provider) handleRemovalError(err error) error {
|
func (provider *Provider) handleRemovalError(err error) error {
|
||||||
// Ignore NotFound - There is nothing to delete.
|
// Ignore NotFound - There is nothing to delete.
|
||||||
// Ignore Forbidden - Assume that a user could not have created the resource in the first place.
|
// Ignore Forbidden - Assume that a user could not have created the resource in the first place.
|
||||||
@ -859,10 +864,6 @@ func (provider *Provider) CreatePersistentVolumeClaim(ctx context.Context, names
|
|||||||
return provider.clientSet.CoreV1().PersistentVolumeClaims(namespace).Create(ctx, volumeClaim, metav1.CreateOptions{})
|
return provider.clientSet.CoreV1().PersistentVolumeClaims(namespace).Create(ctx, volumeClaim, metav1.CreateOptions{})
|
||||||
}
|
}
|
||||||
|
|
||||||
func (provider *Provider) RemovePersistentVolumeClaim(ctx context.Context, namespace string, volumeClaimName string) error {
|
|
||||||
return provider.clientSet.CoreV1().PersistentVolumeClaims(namespace).Delete(ctx, volumeClaimName, metav1.DeleteOptions{})
|
|
||||||
}
|
|
||||||
|
|
||||||
func getClientSet(config *restclient.Config) (*kubernetes.Clientset, error) {
|
func getClientSet(config *restclient.Config) (*kubernetes.Clientset, error) {
|
||||||
clientSet, err := kubernetes.NewForConfig(config)
|
clientSet, err := kubernetes.NewForConfig(config)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
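Review bot: RemovePersistentVolumeClaim now returns `provider.handleRemovalError(err)`, whose comment says Forbidden is ignored on the assumption that the user could not have created the resource; that assumption is weaker for claims, because `create` and `delete` on persistentvolumeclaims are granted separately, and a claim that survives cleanup keeps the mizu data the API server persists there. Consider logging the Forbidden case for this resource at warning level so an operator knows the claim was left behind, rather than ignoring it. The method is exported and has no doc comment; `// RemovePersistentVolumeClaim deletes the named claim in namespace; NotFound and Forbidden errors are ignored, see handleRemovalError.` states the behaviour this hunk shows. handleRemovalError's body continues past the end of the hunk.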