Merge branch 'master' of github.com:intel/multus-cni

2025-07-12 15:08:03 +00:00 · 2018-12-27 12:20:36 +09:00 · 2018-12-27 12:20:36 +09:00 · e55832cae0
commit e55832cae0
parent 6e335441ab de4bed7a60
4 changed files with 201 additions and 10 deletions
--- a/doc/configuration.md
+++ b/doc/configuration.md
@ -17,7 +17,7 @@ Following is the example of multus config file, in `/etc/cni/net.d/`.
        "portMappings": true
    },    
    "readinessindicatorfile": "",
-    
+    "namespaceIsolation": false,
 "Note1":"NOTE: you can set clusterNetwork+defaultNetworks OR delegates!!",
    "clusterNetwork": "defaultCRD",
    "defaultNetworks": ["sidecarCRD", "flannel"],
@ -40,6 +40,7 @@ Following is the example of multus config file, in `/etc/cni/net.d/`.
 * `kubeconfig` (string, optional): kubeconfig file for the out of cluster communication with kube-apiserver. See the example [kubeconfig](https://github.com/intel/multus-cni/blob/master/doc/node-kubeconfig.yaml). If you would like to use CRD (i.e. network attachment definition), this is required
 * `logFile` (string, optional): file path for log file. multus puts log in given file
 * `logLevel` (string, optional): logging level ("debug", "error" or "panic")
 * `namespaceIsolation` (boolean, optional): Enables a security feature where pods are only allowed to access `NetworkAttachmentDefinitions` in the namespace where the pod resides. Defaults to false.
 * `capabilities` ({}list, optional): [capabilities](https://github.com/containernetworking/cni/blob/master/CONVENTIONS.md#dynamic-plugin-specific-fields-capabilities--runtime-configuration) supported by at least one of the delegates. (NOTE: Multus only supports portMappings capability for now). See the [example](https://github.com/intel/multus-cni/blob/master/examples/multus-ptp-portmap.conf).
 * `readinessindicatorfile`: The path to a file whose existance denotes that the default network is ready
@ -107,3 +108,140 @@ You may configure the logging level by using the `LogLevel` option in your CNI c
    "LogLevel": "debug",
 ```
 ### Namespace Isolation
 The functionality provided by the `namespaceIsolation` configuration option enables a mode where Multus only allows pods to access custom resources (the `NetworkAttachmentDefinitions`) within the namespace where that pod resides. In other words, the `NetworkAttachmentDefinitions` are isolated to usage within the namespace in which they're created. 
 For example, if a pod is created in the namespace called `development`, Multus will not allow networks to be attached when defined by custom resources created in a different namespace, say in the `default` network.
 Consider the situation where you have a system that has users of different privilege levels -- as an example, a platform which has two administrators: a Senior Administrator and a Junior Administrator. The Senior Administrator may have access to all namespaces, and some network configurations as used by Multus are considered to be privileged in that they allow access to some protected resources available on the network. However, the Junior Administrator has access to only a subset of namespaces, and therefore it should be assumed that the Junior Administrator cannot create pods in their limited subset of namespaces. The `namespaceIsolation` feature provides for this isolation, allowing pods created in given namespaces to only access custom resources in the same namespace as the pod.
 Namespace Isolation is disabled by default.
 #### Configuration example
 ```
  "namespaceIsolation": true,
 ```
 #### Usage example
 Let's setup an example where we:
 * Create a custom resource in a namespace called `privileged`
 * Create a pod in a namespace called `development`, and have annotations that reference a custom resource in the `privileged` namespace. The creation of this pod should be disallowed by Multus (as we'll have the use of the custom resources limited only to those custom resources created within the same namespace as the pod).
 Given the above scenario with a Junior & Senior Administrator. You may assume that the Senior Administrator has access to all namespaces, whereas the Junior Administrator has access only to the `development` namespace.
 Firstly, we show that we have a number of namespaces available:
 ```
 # List the available namespaces
 [user@kube-master ~]$ kubectl get namespaces
 NAME          STATUS   AGE
 default       Active   7h27m
 development   Active   3h
 kube-public   Active   7h27m
 kube-system   Active   7h27m
 privileged    Active   4s
 ```
 We'll create a `NetworkAttachmentDefinition` in the `privileged` namespace.
 ```
 # Show the network attachment definition we're creating.
 [user@kube-master ~]$ cat cr.yml
 apiVersion: "k8s.cni.cncf.io/v1"
 kind: NetworkAttachmentDefinition
 metadata:
  name: macvlan-conf
 spec:
  config: '{
      "cniVersion": "0.3.0",
      "type": "macvlan",
      "master": "eth0",
      "mode": "bridge",
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.1.0/24",
        "rangeStart": "192.168.1.200",
        "rangeEnd": "192.168.1.216",
        "routes": [
          { "dst": "0.0.0.0/0" }
        ],
        "gateway": "192.168.1.1"
      }
    }'
 # Create that network attachment definition in the privileged namespace
 [user@kube-master ~]$ kubectl create -f cr.yml -n privileged
 networkattachmentdefinition.k8s.cni.cncf.io/macvlan-conf created
 # List the available network attachment definitions in the privileged namespace.
 [user@kube-master ~]$ kubectl get networkattachmentdefinition.k8s.cni.cncf.io -n privileged
 NAME           AGE
 macvlan-conf   11s
 ```
 Next, we'll create a pod with an annotation that references the privileged namespace. Pay particular attention to the annotation that reads `k8s.v1.cni.cncf.io/networks: privileged/macvlan-conf` -- where it contains a reference to a `namespace/configuration-name` formatted network attachment name. In this case referring to the `macvlan-conf` in the namespace called `privileged`.
 ```
 # Show the yaml for a pod.
 [user@kube-master ~]$ cat example.pod.yml
 apiVersion: v1
 kind: Pod
 metadata:
  name: samplepod
  annotations:
    k8s.v1.cni.cncf.io/networks: privileged/macvlan-conf
 spec:
  containers:
  - name: samplepod
    command: ["/bin/bash", "-c", "sleep 2000000000000"]
    image: dougbtv/centos-network
 # Create that pod.
 [user@kube-master ~]$ kubectl create -f example.pod.yml -n development
 pod/samplepod created
 ```
 You'll note that pod fails to spawn successfully. If you check the Multus logs, you'll see an entry such as:
 ```
 2018-12-18T21:41:32Z [error] GetPodNetwork: namespace isolation violation: podnamespace: development / target namespace: privileged
 ```
 This error expresses that the pod resides in the namespace named `development` but refers to a `NetworkAttachmentDefinition` outside of that namespace, in this case, the namespace named `privileged`.
 In a positive example, you'd instead create the `NetworkAttachmentDefinition` in the `development` namespace, and you'd have an annotation that either A. does not reference a namespace, or B. refers to the same annotation.
 A positive example may be:
 ```
 # Create the same NetworkAttachmentDefinition as above, however in the development namespace
 [user@kube-master ~]$ kubectl create -f cr.yml -n development
 networkattachmentdefinition.k8s.cni.cncf.io/macvlan-conf created
 # Show the yaml for a sample pod which references macvlan-conf without a namspace/ format
 [user@kube-master ~]$ cat positive.example.pod
 apiVersion: v1
 kind: Pod
 metadata:
  name: samplepod
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-conf
 spec:
  containers:
  - name: samplepod
    command: ["/bin/bash", "-c", "sleep 2000000000000"]
    image: dougbtv/centos-network
 # Create that pod.
 [user@kube-master ~]$ kubectl create -f positive.example.pod -n development
 pod/samplepod created
 # We can see that this pod has been launched successfully.
 [user@kube-master ~]$ kubectl get pods -n development
 NAME        READY   STATUS    RESTARTS   AGE
 samplepod   1/1     Running   0          31s
 ```
--- a/k8sclient/k8sclient.go
+++ b/k8sclient/k8sclient.go
@ -438,7 +438,7 @@ func TryLoadPodDelegates(k8sArgs *types.K8sArgs, conf *types.NetConf, kubeClient
 		conf.Delegates[0] = delegate
 	}
-	delegates, err := GetPodNetwork(kubeClient, k8sArgs, conf.ConfDir)
+	delegates, err := GetPodNetwork(kubeClient, k8sArgs, conf.ConfDir, conf.NamespaceIsolation)
 	if err != nil {
 		if _, ok := err.(*NoK8sNetworkError); ok {
 			return 0, clientInfo, nil
@ -491,7 +491,7 @@ func GetK8sClient(kubeconfig string, kubeClient KubeClient) (KubeClient, error)
 	return &defaultKubeClient{client: client}, nil
 }
-func GetPodNetwork(k8sclient KubeClient, k8sArgs *types.K8sArgs, confdir string) ([]*types.DelegateNetConf, error) {
+func GetPodNetwork(k8sclient KubeClient, k8sArgs *types.K8sArgs, confdir string, confnamespaceisolation bool) ([]*types.DelegateNetConf, error) {
 	logging.Debugf("GetPodNetwork: %v, %v, %v", k8sclient, k8sArgs, confdir)
 	netAnnot, defaultNamespace, podID, err := getPodNetworkAnnotation(k8sclient, k8sArgs)
@ -519,6 +519,15 @@ func GetPodNetwork(k8sclient KubeClient, k8sArgs *types.K8sArgs, confdir string)
 	// Read all network objects referenced by 'networks'
 	var delegates []*types.DelegateNetConf
 	for _, net := range networks {
 		// The pods namespace (stored as defaultNamespace, does not equal the annotation's target namespace in net.Namespace)
 		// In the case that this is a mismatch when namespaceisolation is enabled, this should be an error.
 		if confnamespaceisolation {
 			if defaultNamespace != net.Namespace {
 				return nil, logging.Errorf("GetPodNetwork: namespace isolation violation: podnamespace: %v / target namespace: %v", defaultNamespace, net.Namespace)
 			}
 		}
 		delegate, updatedResourceMap, err := getKubernetesDelegate(k8sclient, net, confdir, podID, resourceMap)
 		if err != nil {
 			return nil, logging.Errorf("GetPodNetwork: failed getting the delegate: %v", err)
--- a/k8sclient/k8sclient_test.go
+++ b/k8sclient/k8sclient_test.go
@ -82,7 +82,7 @@ var _ = Describe("k8sclient operations", func() {
 		Expect(err).NotTo(HaveOccurred())
 		k8sArgs, err := GetK8sArgs(args)
 		Expect(err).NotTo(HaveOccurred())
-		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir)
+		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir, false)
 		Expect(err).NotTo(HaveOccurred())
 		Expect(fKubeClient.PodCount).To(Equal(1))
 		Expect(fKubeClient.NetCount).To(Equal(2))
@ -115,7 +115,7 @@ var _ = Describe("k8sclient operations", func() {
 		Expect(err).NotTo(HaveOccurred())
 		k8sArgs, err := GetK8sArgs(args)
 		Expect(err).NotTo(HaveOccurred())
-		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir)
+		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir, false)
 		Expect(len(delegates)).To(Equal(0))
 		Expect(err).To(MatchError("GetPodNetwork: failed getting the delegate: getKubernetesDelegate: failed to get network resource, refer Multus README.md for the usage guide: resource not found"))
 	})
@ -159,7 +159,7 @@ var _ = Describe("k8sclient operations", func() {
 		Expect(err).NotTo(HaveOccurred())
 		k8sArgs, err := GetK8sArgs(args)
 		Expect(err).NotTo(HaveOccurred())
-		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir)
+		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir, false)
 		Expect(err).NotTo(HaveOccurred())
 		Expect(fKubeClient.PodCount).To(Equal(1))
 		Expect(fKubeClient.NetCount).To(Equal(3))
@ -186,7 +186,7 @@ var _ = Describe("k8sclient operations", func() {
 		Expect(err).NotTo(HaveOccurred())
 		k8sArgs, err := GetK8sArgs(args)
 		Expect(err).NotTo(HaveOccurred())
-		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir)
+		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir, false)
 		Expect(len(delegates)).To(Equal(0))
 		Expect(err).To(MatchError("parsePodNetworkAnnotation: failed to parse pod Network Attachment Selection Annotation JSON format: invalid character 'a' looking for beginning of value"))
 	})
@ -216,7 +216,7 @@ var _ = Describe("k8sclient operations", func() {
 		Expect(err).NotTo(HaveOccurred())
 		k8sArgs, err := GetK8sArgs(args)
 		Expect(err).NotTo(HaveOccurred())
-		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir)
+		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir, false)
 		Expect(err).NotTo(HaveOccurred())
 		Expect(fKubeClient.PodCount).To(Equal(1))
 		Expect(fKubeClient.NetCount).To(Equal(2))
@ -242,7 +242,7 @@ var _ = Describe("k8sclient operations", func() {
 		Expect(err).NotTo(HaveOccurred())
 		k8sArgs, err := GetK8sArgs(args)
 		Expect(err).NotTo(HaveOccurred())
-		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir)
+		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir, false)
 		Expect(err).NotTo(HaveOccurred())
 		Expect(fKubeClient.PodCount).To(Equal(1))
 		Expect(fKubeClient.NetCount).To(Equal(1))
@ -273,7 +273,7 @@ var _ = Describe("k8sclient operations", func() {
 		Expect(err).NotTo(HaveOccurred())
 		k8sArgs, err := GetK8sArgs(args)
 		Expect(err).NotTo(HaveOccurred())
-		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir)
+		delegates, err := GetPodNetwork(kubeClient, k8sArgs, tmpDir, false)
 		Expect(len(delegates)).To(Equal(0))
 		Expect(err).To(MatchError(fmt.Sprintf("GetPodNetwork: failed getting the delegate: cniConfigFromNetworkResource: err in getCNIConfigFromFile: Error loading CNI config file %s: error parsing configuration: invalid character 'a' looking for beginning of value", net2Name)))
 	})
@ -546,4 +546,46 @@ var _ = Describe("k8sclient operations", func() {
 		Expect(netConf.Delegates[0].Conf.Name).To(Equal("net1"))
 		Expect(netConf.Delegates[0].Conf.Type).To(Equal("mynet1"))
 	})
 	It("Errors when namespace isolation is violated", func() {
 		fakePod := testutils.NewFakePod("testpod", "kube-system/net1", "")
 		conf := `{
 			"name":"node-cni-network",
 			"type":"multus",
 			"delegates": [{
 			"name": "weave1",
 				"cniVersion": "0.2.0",
 				"type": "weave-net"
 			}],
 			"kubeconfig":"/etc/kubernetes/node-kubeconfig.yaml",
 			"namespaceIsolation": true
 		}`
 		netConf, err := types.LoadNetConf([]byte(conf))
 		Expect(err).NotTo(HaveOccurred())
 		net1 := `{
 	"name": "net1",
 	"type": "mynet",
 	"cniVersion": "0.2.0"
 }`
 		args := &skel.CmdArgs{
 			Args: fmt.Sprintf("K8S_POD_NAME=%s;K8S_POD_NAMESPACE=%s", fakePod.ObjectMeta.Name, fakePod.ObjectMeta.Namespace),
 		}
 		fKubeClient := testutils.NewFakeKubeClient()
 		fKubeClient.AddPod(fakePod)
 		fKubeClient.AddNetConfig("kube-system", "net1", net1)
 		kubeClient, err := GetK8sClient("", fKubeClient)
 		Expect(err).NotTo(HaveOccurred())
 		k8sArgs, err := GetK8sArgs(args)
 		Expect(err).NotTo(HaveOccurred())
 		_, err = GetPodNetwork(kubeClient, k8sArgs, tmpDir, netConf.NamespaceIsolation)
 		Expect(err).To(HaveOccurred())
 		Expect(err).To(MatchError("GetPodNetwork: namespace isolation violation: podnamespace: test / target namespace: kube-system"))
 	})
 })
--- a/types/types.go
+++ b/types/types.go
@ -47,6 +47,8 @@ type NetConf struct {
 	RuntimeConfig   *RuntimeConfig           `json:"runtimeConfig,omitempty"`
 	// Default network readiness options
 	ReadinessIndicatorFile string `json:"readinessindicatorfile"`
 	// Option to isolate the usage of CR's to the namespace in which a pod resides.
 	NamespaceIsolation bool `json:"namespaceIsolation"`
 }
 type RuntimeConfig struct {