Add filepath sanity check
This commit is contained in:
parent
c550826675
commit
748930239d
@ -21,6 +21,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"os/signal"
|
"os/signal"
|
||||||
|
"path/filepath"
|
||||||
"syscall"
|
"syscall"
|
||||||
"text/template"
|
"text/template"
|
||||||
"time"
|
"time"
|
||||||
@ -58,10 +59,15 @@ users:
|
|||||||
func main() {
|
func main() {
|
||||||
certDir := pflag.StringP("certdir", "", "/tmp", "specify cert directory")
|
certDir := pflag.StringP("certdir", "", "/tmp", "specify cert directory")
|
||||||
bootstrapConfig := pflag.StringP("bootstrap-config", "", "/tmp/kubeconfig", "specify bootstrap kubernetes config")
|
bootstrapConfig := pflag.StringP("bootstrap-config", "", "/tmp/kubeconfig", "specify bootstrap kubernetes config")
|
||||||
kubeconfigPath := pflag.StringP("kubeconfig", "", "/run/multus/kubeconfig", "specify output kubeconfig path")
|
kubeconfigPathRaw := pflag.StringP("kubeconfig", "", "/run/multus/kubeconfig", "specify output kubeconfig path")
|
||||||
certDurationString := pflag.StringP("cert-duration", "", "10m", "specify certificate duration")
|
certDurationString := pflag.StringP("cert-duration", "", "10m", "specify certificate duration")
|
||||||
helpFlag := pflag.BoolP("help", "h", false, "show help message and quit")
|
helpFlag := pflag.BoolP("help", "h", false, "show help message and quit")
|
||||||
|
|
||||||
|
kubeconfigPath, err := filepath.Abs(*kubeconfigPathRaw)
|
||||||
|
if err != nil {
|
||||||
|
klog.Fatalf("illegal path %s in kubeconfigPath %s: %v", kubeconfigPath, *kubeconfigPathRaw, err)
|
||||||
|
}
|
||||||
|
|
||||||
pflag.Parse()
|
pflag.Parse()
|
||||||
if *helpFlag {
|
if *helpFlag {
|
||||||
pflag.PrintDefaults()
|
pflag.PrintDefaults()
|
||||||
@ -102,9 +108,9 @@ func main() {
|
|||||||
klog.Fatalf("failed to start cert manager: %v", err)
|
klog.Fatalf("failed to start cert manager: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
fp, err := os.OpenFile(*kubeconfigPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
|
fp, err := os.OpenFile(kubeconfigPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Fatalf("cannot create kubeconfig file %q: %v", *kubeconfigPath, err)
|
klog.Fatalf("cannot create kubeconfig file %q: %v", kubeconfigPath, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// render kubeconfig
|
// render kubeconfig
|
||||||
@ -125,15 +131,15 @@ func main() {
|
|||||||
klog.Fatalf("cannot save kubeconfig: %v", err)
|
klog.Fatalf("cannot save kubeconfig: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
klog.Infof("kubeconfig %q is saved", *kubeconfigPath)
|
klog.Infof("kubeconfig %q is saved", kubeconfigPath)
|
||||||
|
|
||||||
// wait for signal
|
// wait for signal
|
||||||
sigterm := make(chan os.Signal, 1)
|
sigterm := make(chan os.Signal, 1)
|
||||||
signal.Notify(sigterm, syscall.SIGINT, syscall.SIGTERM, syscall.SIGKILL)
|
signal.Notify(sigterm, syscall.SIGINT, syscall.SIGTERM, syscall.SIGKILL)
|
||||||
<-sigterm
|
<-sigterm
|
||||||
klog.Infof("signal received. remove kubeconfig %q and quit.", *kubeconfigPath)
|
klog.Infof("signal received. remove kubeconfig %q and quit.", kubeconfigPath)
|
||||||
err = os.Remove(*kubeconfigPath)
|
err = os.Remove(kubeconfigPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("failed to remove kubeconfig %q: %v", *kubeconfigPath, err)
|
klog.Errorf("failed to remove kubeconfig %q: %v", kubeconfigPath, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
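Review bot: In the `main` hunk the new `kubeconfigPath, err := filepath.Abs(*kubeconfigPathRaw)` runs before `pflag.Parse()`, so it resolves the flag's default ("/run/multus/kubeconfig") rather than whatever the operator passed with `--kubeconfig`; every later use (`os.OpenFile(kubeconfigPath, ...)`, the `os.Remove` on shutdown) now ignores the flag. Move the four-line Abs block so it follows `pflag.Parse()` (the `if *helpFlag` check can stay where it is, it exits anyway). While touching it, note that `filepath.Abs` returns an empty string together with the error, so the first `%s` in `klog.Fatalf("illegal path %s in kubeconfigPath %s: %v", kubeconfigPath, *kubeconfigPathRaw, err)` is always empty on that path; printing only the raw value with `%q` is clearer. The rest of `main` continues outside these hunks.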
@ -154,7 +154,7 @@ func startMultusDaemon(ctx context.Context, daemonConfig *srv.ControllerNetConf,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if daemonConfig.MetricsPort != nil {
|
if daemonConfig.MetricsPort != nil {
|
||||||
go utilwait.UntilWithContext(ctx, func(ctx context.Context) {
|
go utilwait.UntilWithContext(ctx, func(_ context.Context) {
|
||||||
http.Handle("/metrics", promhttp.Handler())
|
http.Handle("/metrics", promhttp.Handler())
|
||||||
logging.Debugf("metrics port: %d", *daemonConfig.MetricsPort)
|
logging.Debugf("metrics port: %d", *daemonConfig.MetricsPort)
|
||||||
logging.Debugf("metrics: %s", http.ListenAndServe(fmt.Sprintf(":%d", *daemonConfig.MetricsPort), nil))
|
logging.Debugf("metrics: %s", http.ListenAndServe(fmt.Sprintf(":%d", *daemonConfig.MetricsPort), nil))
|
||||||
@ -177,7 +177,12 @@ func startMultusDaemon(ctx context.Context, daemonConfig *srv.ControllerNetConf,
|
|||||||
}
|
}
|
||||||
|
|
||||||
func cniServerConfig(configFilePath string) (*srv.ControllerNetConf, error) {
|
func cniServerConfig(configFilePath string) (*srv.ControllerNetConf, error) {
|
||||||
configFileContents, err := os.ReadFile(configFilePath)
|
path, err := filepath.Abs(configFilePath)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("illegal path %s in server config path %s: %w", path, configFilePath, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
configFileContents, err := os.ReadFile(path)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -185,9 +190,14 @@ func cniServerConfig(configFilePath string) (*srv.ControllerNetConf, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func copyUserProvidedConfig(multusConfigPath string, cniConfigDir string) error {
|
func copyUserProvidedConfig(multusConfigPath string, cniConfigDir string) error {
|
||||||
srcFile, err := os.Open(multusConfigPath)
|
path, err := filepath.Abs(multusConfigPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to open (READ only) file %s: %w", multusConfigPath, err)
|
return fmt.Errorf("illegal path %s in multusConfigPath %s: %w", path, multusConfigPath, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
srcFile, err := os.Open(path)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("failed to open (READ only) file %s: %w", path, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
dstFileName := cniConfigDir + "/" + filepath.Base(multusConfigPath)
|
dstFileName := cniConfigDir + "/" + filepath.Base(multusConfigPath)
|
||||||
|
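Review bot: The `path, err := filepath.Abs(configFilePath)` added to `cniServerConfig` (and the same pattern in `copyUserProvidedConfig` below, in `overrideCNIVersion`, and in the kubeconfig generator's `main`) is not a sanity check in the sense the commit title suggests: for an absolute input it is equivalent to `filepath.Clean`, for a relative one it prepends the working directory, and it can only fail when `os.Getwd` fails, so no operator-supplied path is ever rejected and `..` components are normalized rather than refused. If the intent is to confine the file to a known directory, the cleaned result has to be compared against that directory explicitly; if the intent is only to quiet a static-analysis finding about variable file paths, a comment on the call should say so, e.g. `// Abs() normalizes the configured path; it does not restrict where the file may live.` Also, `filepath.Abs` returns `""` alongside its error, so the first `%s` in `fmt.Errorf("illegal path %s in server config path %s: %w", path, configFilePath, err)` is always empty on the error path; logging only `configFilePath` with `%q` would be more useful.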
@ -53,7 +53,7 @@ func DoCNI(url string, req interface{}, socketPath string) ([]byte, error) {
|
|||||||
|
|
||||||
client := &http.Client{
|
client := &http.Client{
|
||||||
Transport: &http.Transport{
|
Transport: &http.Transport{
|
||||||
Dial: func(proto, addr string) (net.Conn, error) {
|
Dial: func(_, _ string) (net.Conn, error) {
|
||||||
return net.Dial("unix", socketPath)
|
return net.Dial("unix", socketPath)
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
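Review bot: Since the `Dial: func(_, _ string) (net.Conn, error)` line in `DoCNI` is being rewritten anyway, it is worth switching to `DialContext`, which the standard library documents as the replacement for the deprecated `http.Transport.Dial` and which lets a request context cancel a hung connect to the unix socket: `DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) { return (&net.Dialer{}).DialContext(ctx, "unix", socketPath) },`. This assumes the file already imports `context`; its import block is not in this diff. The `http.Client` literal continues outside the hunk, so whether a `Timeout` is set on it cannot be seen here.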
@ -66,9 +66,14 @@ func NewManager(config MultusConf) (*Manager, error) {
|
|||||||
|
|
||||||
// overrideCNIVersion overrides cniVersion in cniConfigFile, it should be used only in kind case
|
// overrideCNIVersion overrides cniVersion in cniConfigFile, it should be used only in kind case
|
||||||
func overrideCNIVersion(cniConfigFile string, multusCNIVersion string) error {
|
func overrideCNIVersion(cniConfigFile string, multusCNIVersion string) error {
|
||||||
masterCNIConfigData, err := os.ReadFile(cniConfigFile)
|
path, err := filepath.Abs(cniConfigFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to read cni config %s: %v", cniConfigFile, err)
|
return fmt.Errorf("illegal path %s in cni config path %s: %w", path, cniConfigFile, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
masterCNIConfigData, err := os.ReadFile(path)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("failed to read cni config %s: %v", path, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
var primaryCNIConfigData map[string]interface{}
|
var primaryCNIConfigData map[string]interface{}
|
||||||
@ -82,7 +87,7 @@ func overrideCNIVersion(cniConfigFile string, multusCNIVersion string) error {
|
|||||||
return fmt.Errorf("couldn't update cluster network config: %v", err)
|
return fmt.Errorf("couldn't update cluster network config: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = os.WriteFile(cniConfigFile, configBytes, 0644)
|
err = os.WriteFile(path, configBytes, 0644)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("couldn't update cluster network config: %v", err)
|
return fmt.Errorf("couldn't update cluster network config: %v", err)
|
||||||
}
|
}
|
||||||
|
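Review bot: The new line `return fmt.Errorf("failed to read cni config %s: %v", path, err)` in `overrideCNIVersion` keeps `%v`, while the `filepath.Abs` error the same commit adds two lines above uses `%w`; since the line is rewritten anyway, use `%w` here too so callers can distinguish a missing file with `errors.Is(err, fs.ErrNotExist)` from a parse failure. The `os.WriteFile(path, configBytes, 0644)` in the second hunk is a plain read-modify-write of the same file; it is unchanged in behaviour by this commit, but a comment noting that it overwrites the config in place would help the next reader. The function continues outside these hunks.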
@ -353,7 +353,7 @@ func (s *Server) Start(ctx context.Context, l net.Listener) {
|
|||||||
waitCancel()
|
waitCancel()
|
||||||
|
|
||||||
go func() {
|
go func() {
|
||||||
utilwait.UntilWithContext(ctx, func(ctx context.Context) {
|
utilwait.UntilWithContext(ctx, func(_ context.Context) {
|
||||||
logging.Debugf("open for business")
|
logging.Debugf("open for business")
|
||||||
if err := s.Serve(l); err != nil {
|
if err := s.Serve(l); err != nil {
|
||||||
utilruntime.HandleError(fmt.Errorf("CNI server Serve() failed: %v", err))
|
utilruntime.HandleError(fmt.Errorf("CNI server Serve() failed: %v", err))
|
||||||
|