From e4684a10afee4257d439f74013d37ab2d35a8525 Mon Sep 17 00:00:00 2001
From: "M. Mert Yildiran"
Date: Mon, 27 Mar 2023 16:26:09 +0300
Subject: [PATCH] :sparkles: Add `--ignoreTainted` flag to `tap` command

---
 cmd/tap.go | 1 +
 config/configStructs/tapConfig.go | 2 ++
 kubernetes/provider.go | 10 +++++++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/cmd/tap.go b/cmd/tap.go
index 6742a4d7d..da263e123 100644
--- a/cmd/tap.go
+++ b/cmd/tap.go
@@ -58,5 +58,6 @@ func init() {
 tapCmd.Flags().StringP(configStructs.PcapLabel, "p", defaultTapConfig.Pcap, fmt.Sprintf("Capture from a PCAP snapshot of %s (.tar.gz) using your Docker Daemon instead of Kubernetes", misc.Software))
 tapCmd.Flags().Bool(configStructs.ServiceMeshLabel, defaultTapConfig.ServiceMesh, "Capture the encrypted traffic if the cluster is configured with a service mesh and with mTLS")
 tapCmd.Flags().Bool(configStructs.TlsLabel, defaultTapConfig.Tls, "Capture the traffic that's encrypted with OpenSSL or Go crypto/tls libraries")
+ tapCmd.Flags().Bool(configStructs.IgnoreTaintedLabel, defaultTapConfig.IgnoreTainted, "Ignore tainted pods while running Worker DaemonSet")
 tapCmd.Flags().Bool(configStructs.DebugLabel, defaultTapConfig.Debug, "Enable the debug mode")
 }
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 9b3cd85a0..342ca32f8 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -24,6 +24,7 @@ const (
 PcapLabel = "pcap"
 ServiceMeshLabel = "servicemesh"
 TlsLabel = "tls"
+ IgnoreTaintedLabel = "ignoreTainted"
 DebugLabel = "debug"
 )

@@ -82,6 +83,7 @@ type TapConfig struct {
 ServiceMesh bool `yaml:"servicemesh" default:"true"`
 Tls bool `yaml:"tls" default:"true"`
 PacketCapture string `yaml:"packetcapture" default:"libpcap"`
+ IgnoreTainted bool `yaml:"ignoreTainted" default:"false"`
 Debug bool `yaml:"debug" default:"false"`
 }

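Review bot: The help text on the added `tapCmd.Flags().Bool(configStructs.IgnoreTaintedLabel, ...)` line says "tainted pods", but taints live on nodes, and what the flag controls (in kubernetes/provider.go) is whether the worker DaemonSet tolerates node taints, so the wording will mislead operators about what they are opting out of. Suggest `"Ignore tainted nodes when scheduling the Worker DaemonSet (by default workers tolerate every NoSchedule/NoExecute taint and run on all nodes)"`, since the default direction is the non-obvious one and is worth stating where the flag is documented. The enclosing `init()` starts before this hunk.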
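Review bot: Every sibling label in this const block is lowercase (`pcap`, `servicemesh`, `tls`, `debug`) and, judging by the `yaml:"servicemesh"` tag and the flag registration in cmd/tap.go, the same string doubles as the YAML key and the CLI flag name, so the camelCase `IgnoreTaintedLabel = "ignoreTainted"` introduces a second casing convention that users of the config file now have to remember. Either `IgnoreTaintedLabel = "ignoretainted"` with the matching `yaml:"ignoretainted"` tag in the struct hunk, or a comment on the const block saying new keys are camelCase on purpose, would keep the two files consistent.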
diff --git a/kubernetes/provider.go b/kubernetes/provider.go
index 73df49071..154cbe908 100644
--- a/kubernetes/provider.go
+++ b/kubernetes/provider.go
@@ -10,6 +10,7 @@ import (
 "path/filepath"
 "regexp"

+ "github.com/kubeshark/kubeshark/config"
 "github.com/kubeshark/kubeshark/config/configStructs"
 "github.com/kubeshark/kubeshark/docker"
 "github.com/kubeshark/kubeshark/misc"
@@ -735,12 +736,19 @@ func (provider *Provider) ApplyWorkerDaemonSet(
 affinity := applyconfcore.Affinity()
 affinity.WithNodeAffinity(nodeAffinity)

+ var tolerations []*v1.TolerationApplyConfiguration
+
 noExecuteToleration := applyconfcore.Toleration()
 noExecuteToleration.WithOperator(core.TolerationOpExists)
 noExecuteToleration.WithEffect(core.TaintEffectNoExecute)
+ tolerations = append(tolerations, noExecuteToleration)
+
 noScheduleToleration := applyconfcore.Toleration()
 noScheduleToleration.WithOperator(core.TolerationOpExists)
 noScheduleToleration.WithEffect(core.TaintEffectNoSchedule)
+ if !config.Config.Tap.IgnoreTainted {
+ tolerations = append(tolerations, noScheduleToleration)
+ }

 // Host procfs is needed inside the container because we need access to
 // the network namespaces of processes on the machine.
@@ -766,7 +774,7 @@ func (provider *Provider) ApplyWorkerDaemonSet(
 }
 podSpec.WithContainers(workerContainer)
 podSpec.WithAffinity(affinity)
- podSpec.WithTolerations(noExecuteToleration, noScheduleToleration)
+ podSpec.WithTolerations(tolerations...)
 podSpec.WithVolumes(procfsVolume, sysfsVolume)
 if len(imagePullSecrets) > 0 {
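Review bot: Importing `github.com/kubeshark/kubeshark/config` here makes the kubernetes package read the mutable package-level `config.Config` from inside `ApplyWorkerDaemonSet` for a single setting, while the method's other inputs appear to arrive as parameters (e.g. `imagePullSecrets` in the last hunk), so this one knob is now invisible in the signature and harder to exercise in a test. Passing `ignoreTainted bool` as a parameter, or setting a field on `Provider` from the caller, would keep the provider independent of CLI config loading; if the global is deliberate, a short comment at the use site would save the next reader from looking for a parameter.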
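Review bot: The NoExecute toleration is still appended to `tolerations` unconditionally, so `--ignoreTainted` only keeps workers off nodes with a NoSchedule taint; with `TolerationOpExists` and no key, a node fenced with a NoExecute-only taint still receives a worker, which contradicts the flag's name. That matters here because the worker mounts host procfs and sysfs (see the comment and `WithVolumes` below), so the blanket toleration that remains the default places a host-namespace-reading pod on every node an operator has deliberately fenced off, control-plane nodes included, and if I recall correctly the DaemonSet controller already adds the standard `node.kubernetes.io/not-ready`/`unreachable` NoExecute tolerations on its own, so the wildcard mostly serves to override custom taints. Unless NoExecute must always be tolerated for a reason worth a comment, gate both: `if !config.Config.Tap.IgnoreTainted { tolerations = append(tolerations, noExecuteToleration, noScheduleToleration) }`. `ApplyWorkerDaemonSet` begins before and ends after this hunk.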