update naming and readme for ciliumnodes

QxBytes · QxBytes · commit 086f3bacfa87 · 2025-07-24T11:42:36.000-07:00
diff --git a/azure-iptables-monitor/README.md b/azure-iptables-monitor/README.md
@@ -1,10 +1,10 @@
 # azure-iptables-monitor
 
-`azure-iptables-monitor` is a utility for monitoring iptables rules on Kubernetes nodes and labeling nodes based on whether they contain user-defined iptables rules.
+`azure-iptables-monitor` is a utility for monitoring iptables rules on Kubernetes nodes and labeling a ciliumnode resource based on whether the corresponding node contains user-defined iptables rules.
 
 ## Description
 
-The goal of this program is to periodically scan iptables rules across all tables (nat, mangle, filter, raw, security) and determine if any rules exist that don't match expected patterns. When unexpected rules are found, the node is labeled to indicate the presence of user-defined iptables rules.
+The goal of this program is to periodically scan iptables rules across all tables (nat, mangle, filter, raw, security) and determine if any rules exist that don't match expected patterns. When unexpected rules are found, the ciliumnode resource is labeled to indicate the presence of user-defined iptables rules.
 
 ## Usage
 
@@ -25,14 +25,14 @@ Follow the steps below to build and run the program:
 
 4. Start the program with:
     ```bash
-    ./azure-iptables-monitor --input=/etc/config/ --interval=600
+    ./azure-iptables-monitor --input=/etc/config/ --interval=300
     ```
     - The `--input` flag specifies the directory containing allowed regex pattern files. Default: `/etc/config/`
-    - The `--interval` flag specifies how often to check iptables rules in seconds. Default: `600`
+    - The `--interval` flag specifies how often to check iptables rules in seconds. Default: `300`
     - The `--events` flag enables Kubernetes event creation for rule violations. Default: `false`
-    - The program must be in a k8 environment and `NODE_NAME` must be a set environment variable with the current node.
+    - The program must be in a k8s environment and `NODE_NAME` must be a set environment variable with the current node.
 
-5. The program will set the `user-iptables-rules` label on the current node to `true` if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching the node.
+5. The program will set the `user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes).
 
 
 ## Pattern File Format
diff --git a/azure-iptables-monitor/iptables_monitor.go b/azure-iptables-monitor/iptables_monitor.go
@@ -28,11 +28,11 @@ var version string
 
 var (
 	configPath    = flag.String("input", "/etc/config/", "Name of the directory with the allowed regex files")
-	checkInterval = flag.Int("interval", 600, "How often to check iptables rules (in seconds)")
+	checkInterval = flag.Int("interval", 300, "How often to check iptables rules (in seconds)")
 	sendEvents    = flag.Bool("events", false, "Whether to send node events if unexpected iptables rules are detected")
 )
 
-const nodeLabel = "user-iptables-rules"
+const label = "user-iptables-rules"
 
 type FileLineReader interface {
 	Read(filename string) ([]string, error)
@@ -66,9 +66,9 @@ func (OSFileLineReader) Read(filename string) ([]string, error) {
 	return lines, nil
 }
 
-// patchNodeLabel sets a specified node label to a certain value by patching it
-// Requires proper rbac (node patch)
-func patchNodeLabel(clientset dynamic.Interface, labelValue bool, nodeName string) error {
+// patchLabel sets a specified label to a certain value on a ciliumnode resource by patching it
+// Requires proper rbac
+func patchLabel(clientset dynamic.Interface, labelValue bool, nodeName string) error {
 	gvr := schema.GroupVersionResource{
 		Group:    "cilium.io",
 		Version:  "v2",
@@ -81,12 +81,12 @@ func patchNodeLabel(clientset dynamic.Interface, labelValue bool, nodeName strin
 		"%s": "%v"
 		}
 	}
-	}`, nodeLabel, labelValue))
+	}`, label, labelValue))
 
 	_, err := clientset.Resource(gvr).
 		Patch(context.TODO(), nodeName, types.MergePatchType, patch, metav1.PatchOptions{})
 	if err != nil {
-		return fmt.Errorf("failed to patch %s with label %s=%v: %w", nodeName, nodeLabel, labelValue, err)
+		return fmt.Errorf("failed to patch %s with label %s=%v: %w", nodeName, label, labelValue, err)
 	}
 	return nil
 }
@@ -275,12 +275,12 @@ func main() {
 	for {
 		userIPTablesRulesFound := nodeHasUserIPTablesRules(fileReader, iptablesClient)
 
-		// update node label based on whether user iptables rules were found
-		err = patchNodeLabel(dynamicClient, userIPTablesRulesFound, currentNodeName)
+		// update label based on whether user iptables rules were found
+		err = patchLabel(dynamicClient, userIPTablesRulesFound, currentNodeName)
 		if err != nil {
-			klog.Errorf("failed to patch node label: %v", err)
+			klog.Errorf("failed to patch label: %v", err)
 		} else {
-			klog.V(2).Infof("Successfully updated node label for %s: %s=%v", currentNodeName, nodeLabel, userIPTablesRulesFound)
+			klog.V(2).Infof("Successfully updated label for %s: %s=%v", currentNodeName, label, userIPTablesRulesFound)
 		}
 
 		if *sendEvents && userIPTablesRulesFound {
