
Commit d08f6bd

committed
remove dependency on node patching
RBAC now requires: apiGroups: ["cilium.io"], resources: ["ciliumnodes"], verbs: ["patch"]. We also must pass NODE_UID as an environment variable to send events.
1 parent 1293839 commit d08f6bd

1 file changed

+28
-19
lines changed


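--- a/azure-iptables-monitor/iptables_monitor.go
+++ b/azure-iptables-monitor/iptables_monitor.go
@@ -13,7 +13,9 @@ import (
 goiptables "github.com/coreos/go-iptables/iptables"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/types"
+"k8s.io/client-go/dynamic"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
 "k8s.io/component-base/logs"
@@ -66,7 +68,13 @@ func (OSFileLineReader) Read(filename string) ([]string, error) {
 
 // patchNodeLabel sets a specified node label to a certain value by patching it
 // Requires proper rbac (node patch)
-func patchNodeLabel(clientset *kubernetes.Clientset, labelValue bool, nodeName string) error {
+func patchNodeLabel(clientset dynamic.Interface, labelValue bool, nodeName string) error {
+gvr := schema.GroupVersionResource{
+Group: "cilium.io",
+Version: "v2",
+Resource: "ciliumnodes",
+}
+
 patch := []byte(fmt.Sprintf(`{
 "metadata": {
 "labels": {
@@ -75,26 +83,16 @@ func patchNodeLabel(clientset *kubernetes.Clientset, labelValue bool, nodeName s
 }
 }`, nodeLabel, labelValue))
 
-_, err := clientset.CoreV1().Nodes().Patch(
-context.TODO(),
-nodeName,
-types.StrategicMergePatchType,
-patch,
-metav1.PatchOptions{},
-)
+_, err := clientset.Resource(gvr).
+Patch(context.TODO(), nodeName, types.MergePatchType, patch, metav1.PatchOptions{})
 if err != nil {
-return fmt.Errorf("failed to patch node %s with label %s=%v: %w", nodeName, nodeLabel, labelValue, err)
+return fmt.Errorf("failed to patch %s with label %s=%v: %w", nodeName, nodeLabel, labelValue, err)
 }
 return nil
 }
 
 // createNodeEvent creates a Kubernetes event for the specified node
-func createNodeEvent(clientset *kubernetes.Clientset, nodeName, reason, message, eventType string) error {
-node, err := clientset.CoreV1().Nodes().Get(context.TODO(), nodeName, metav1.GetOptions{})
-if err != nil {
-return fmt.Errorf("failed to get node %s: %w", nodeName, err)
-}
-
+func createNodeEvent(clientset *kubernetes.Clientset, nodeName string, nodeUID types.UID, reason, message, eventType string) error {
 now := metav1.NewTime(time.Now())
 
 event := &corev1.Event{
@@ -105,7 +103,7 @@ func createNodeEvent(clientset *kubernetes.Clientset, nodeName, reason, message,
 InvolvedObject: corev1.ObjectReference{
 Kind: "Node",
 Name: nodeName,
-UID: node.UID, // required for event to show up in node describe
+UID: nodeUID, // required for event to show up in node describe
 APIVersion: "v1",
 },
 Reason: reason,
@@ -118,7 +116,7 @@ func createNodeEvent(clientset *kubernetes.Clientset, nodeName, reason, message,
 Component: "azure-iptables-monitor",
 },
 }
-_, err = clientset.CoreV1().Events("default").Create(
+_, err := clientset.CoreV1().Events("default").Create(
 context.TODO(),
 event,
 metav1.CreateOptions{},
@@ -248,6 +246,10 @@ func main() {
 if err != nil {
 klog.Fatalf("failed to create kubernetes clientset: %v", err)
 }
+dynamicClient, err := dynamic.NewForConfig(config)
+if err != nil {
+klog.Fatalf("failed to create dynamic client: %v", err)
+}
 
 var iptablesClient IPTablesClient
 iptablesClient, err = goiptables.New()
@@ -261,6 +263,13 @@ func main() {
 klog.Fatalf("NODE_NAME environment variable not set")
 }
 
+// get current node uid from environment variable
+currentNodeUIDStr := os.Getenv("NODE_UID")
+if currentNodeUIDStr == "" {
+klog.Fatalf("NODE_UID environment variable not set")
+}
+currentNodeUID := types.UID(currentNodeUIDStr)
+
 klog.Infof("Starting iptables monitor for node: %s", currentNodeName)
 
 var fileReader FileLineReader = OSFileLineReader{}
@@ -269,15 +278,15 @@ func main() {
 userIPTablesRulesFound := nodeHasUserIPTablesRules(fileReader, iptablesClient)
 
 // update node label based on whether user iptables rules were found
-err = patchNodeLabel(clientset, userIPTablesRulesFound, currentNodeName)
+err = patchNodeLabel(dynamicClient, userIPTablesRulesFound, currentNodeName)
 if err != nil {
 klog.Errorf("failed to patch node label: %v", err)
 } else {
 klog.V(2).Infof("Successfully updated node label for %s: %s=%v", currentNodeName, nodeLabel, userIPTablesRulesFound)
 }
 
 if *sendEvents && userIPTablesRulesFound {
-err = createNodeEvent(clientset, currentNodeName, "UnexpectedIPTablesRules", "Node has unexpected iptables rules", corev1.EventTypeWarning)
+err = createNodeEvent(clientset, currentNodeName, currentNodeUID, "UnexpectedIPTablesRules", "Node has unexpected iptables rules", corev1.EventTypeWarning)
 if err != nil {
 klog.Errorf("failed to create event: %v", err)
 }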
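Review bot: The doc comment `// Requires proper rbac (node patch)` above patchNodeLabel is stale after this change: the function now patches `ciliumnodes` in the `cilium.io/v2` group through the dynamic client, so the permission needed is `patch` on `ciliumnodes.cilium.io` (as the commit message states) and the broader `nodes` patch grant can be removed from the role. I would replace it with `// Requires RBAC: verbs ["patch"] on resource "ciliumnodes" in apiGroup "cilium.io"; nodes/patch is no longer needed.` The error string in the same function was shortened to `failed to patch %s`, so naming the resource there (`failed to patch ciliumnode %s with label ...`) would keep the log line unambiguous now that two client types are in play. In main, the NODE_UID value is checked only for emptiness before it becomes InvolvedObject.UID, and the former `Nodes().Get` round-trip that confirmed the UID is gone; a comment such as `// NODE_UID is trusted as given; if it is not the UID of the node named by NODE_NAME the event is created but never attached to that node` would record that assumption for whoever wires the pod spec.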
