
Commit 32ffd8b

authored
Merge pull request #374 from jpinsonneau/2262
NETOBSERV-2262 Auto-detect features that require privileged mode in CLI
2 parents 7eab5fd + 16cfd60 commit 32ffd8b

8 files changed

+148
-60
lines changed


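--- a/e2e/yaml_test.go
+++ b/e2e/yaml_test.go
@@ -75,12 +75,12 @@ func TestFlowFiltersYAML(t *testing.T) {
 // check yamls parts
 yamlStr := string(yamlBytes[:])
 yamls = strings.Split(yamlStr, "---")
-assert.Equal(t, 6, len(yamls))
+assert.Equal(t, 7, len(yamls))
 
 // check yaml contents
 assert.Contains(t, yamls[0], "kind: Namespace")
 assert.Contains(t, yamls[0], "name: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[0]), Normalize("labels: app: netobserv pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/audit: privileged openshift.io/cluster-monitoring: \"true\""))
+assert.Contains(t, Normalize(yamls[0]), Normalize("labels:app:netobserv-clipod-security.kubernetes.io/enforce:privilegedpod-security.kubernetes.io/audit:privilegedopenshift.io/cluster-monitoring:\"true\""))
 
 assert.Contains(t, yamls[1], "kind: ServiceAccount")
 assert.Contains(t, yamls[1], "name: netobserv-cli")
@@ -100,16 +100,20 @@ func TestFlowFiltersYAML(t *testing.T) {
 assert.Contains(t, Normalize(yamls[3]), Normalize("subjects: - kind: ServiceAccount name: netobserv-cli namespace: \"netobserv-cli\""))
 assert.Contains(t, Normalize(yamls[3]), Normalize("roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: netobserv-cli"))
 
-assert.Contains(t, yamls[4], "kind: Service")
-assert.Contains(t, yamls[4], "name: collector")
+assert.Contains(t, yamls[4], "kind: SecurityContextConstraints")
+assert.Contains(t, yamls[4], "name: netobserv-cli")
 assert.Contains(t, yamls[4], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[4]), Normalize("ports: - name: collector protocol: TCP port: 9999 targetPort: 9999"))
 
-assert.Contains(t, yamls[5], "kind: DaemonSet")
-assert.Contains(t, yamls[5], "name: netobserv-cli")
+assert.Contains(t, yamls[5], "kind: Service")
+assert.Contains(t, yamls[5], "name: collector")
 assert.Contains(t, yamls[5], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[5]), Normalize("[{\"direction\": \"\", \"ip_cidr\": \"0.0.0.0/0\", \"protocol\": \"TCP\", \"source_port\": 0, \"destination_port\": 0, \"port\": 8080, \"source_port_range\": \"\", \"source_ports\": \"\", \"destination_port_range\": \"\", \"destination_ports\": \"\", \"port_range\": \"\", \"ports\": \"\", \"icmp_type\": 0, \"icmp_code\": 0, \"peer_ip\": \"\", \"peer_cidr\": \"\", \"action\": \"Accept\", \"tcp_flags\": \"\", \"drops\": false}, {\"direction\": \"\", \"ip_cidr\": \"0.0.0.0/0\", \"protocol\": \"UDP\", \"source_port\": 0, \"destination_port\": 0, \"port\": 0, \"source_port_range\": \"\", \"source_ports\": \"\", \"destination_port_range\": \"\", \"destination_ports\": \"\", \"port_range\": \"\", \"ports\": \"\", \"icmp_type\": 0, \"icmp_code\": 0, \"peer_ip\": \"\", \"peer_cidr\": \"\", \"action\": \"Accept\", \"tcp_flags\": \"\", \"drops\": false}]"))
-assert.Contains(t, Normalize(yamls[5]), Normalize("\"grpc\": { \"targetHost\": \"collector.netobserv-cli.svc.cluster.local\", \"targetPort\": 9999 }"))
+assert.Contains(t, Normalize(yamls[5]), Normalize("ports: - name: collector protocol: TCP port: 9999 targetPort: 9999"))
+
+assert.Contains(t, yamls[6], "kind: DaemonSet")
+assert.Contains(t, yamls[6], "name: netobserv-cli")
+assert.Contains(t, yamls[6], "namespace: \"netobserv-cli\"")
+assert.Contains(t, Normalize(yamls[6]), Normalize("[{\"direction\": \"\", \"ip_cidr\": \"0.0.0.0/0\", \"protocol\": \"TCP\", \"source_port\": 0, \"destination_port\": 0, \"port\": 8080, \"source_port_range\": \"\", \"source_ports\": \"\", \"destination_port_range\": \"\", \"destination_ports\": \"\", \"port_range\": \"\", \"ports\": \"\", \"icmp_type\": 0, \"icmp_code\": 0, \"peer_ip\": \"\", \"peer_cidr\": \"\", \"action\": \"Accept\", \"tcp_flags\": \"\", \"drops\": false}, {\"direction\": \"\", \"ip_cidr\": \"0.0.0.0/0\", \"protocol\": \"UDP\", \"source_port\": 0, \"destination_port\": 0, \"port\": 0, \"source_port_range\": \"\", \"source_ports\": \"\", \"destination_port_range\": \"\", \"destination_ports\": \"\", \"port_range\": \"\", \"ports\": \"\", \"icmp_type\": 0, \"icmp_code\": 0, \"peer_ip\": \"\", \"peer_cidr\": \"\", \"action\": \"Accept\", \"tcp_flags\": \"\", \"drops\": false}]"))
+assert.Contains(t, Normalize(yamls[6]), Normalize("\"grpc\": { \"targetHost\": \"collector.netobserv-cli.svc.cluster.local\", \"targetPort\": 9999 }"))
 
 return ctx
 },
@@ -169,12 +173,12 @@ func TestPacketFiltersYAML(t *testing.T) {
 // check yamls parts
 yamlStr := string(yamlBytes[:])
 yamls = strings.Split(yamlStr, "---")
-assert.Equal(t, 6, len(yamls))
+assert.Equal(t, 7, len(yamls))
 
 // check yaml contents
 assert.Contains(t, yamls[0], "kind: Namespace")
 assert.Contains(t, yamls[0], "name: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[0]), Normalize("labels: app: netobserv pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/audit: privileged openshift.io/cluster-monitoring: \"true\""))
+assert.Contains(t, Normalize(yamls[0]), Normalize("labels:app:netobserv-clipod-security.kubernetes.io/enforce:privilegedpod-security.kubernetes.io/audit:privilegedopenshift.io/cluster-monitoring:\"true\""))
 
 assert.Contains(t, yamls[1], "kind: ServiceAccount")
 assert.Contains(t, yamls[1], "name: netobserv-cli")
@@ -194,16 +198,20 @@ func TestPacketFiltersYAML(t *testing.T) {
 assert.Contains(t, Normalize(yamls[3]), Normalize("subjects: - kind: ServiceAccount name: netobserv-cli namespace: \"netobserv-cli\""))
 assert.Contains(t, Normalize(yamls[3]), Normalize("roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: netobserv-cli"))
 
-assert.Contains(t, yamls[4], "kind: Service")
-assert.Contains(t, yamls[4], "name: collector")
+assert.Contains(t, yamls[4], "kind: SecurityContextConstraints")
+assert.Contains(t, yamls[4], "name: netobserv-cli")
 assert.Contains(t, yamls[4], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[4]), Normalize("ports: - name: collector protocol: TCP port: 9999 targetPort: 9999"))
 
-assert.Contains(t, yamls[5], "kind: DaemonSet")
-assert.Contains(t, yamls[5], "name: netobserv-cli")
+assert.Contains(t, yamls[5], "kind: Service")
+assert.Contains(t, yamls[5], "name: collector")
 assert.Contains(t, yamls[5], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[5]), Normalize("[{\"direction\": \"\", \"ip_cidr\": \"0.0.0.0/0\", \"protocol\": \"\", \"source_port\": 0, \"destination_port\": 0, \"port\": 80, \"source_port_range\": \"\", \"source_ports\": \"\", \"destination_port_range\": \"\", \"destination_ports\": \"\", \"port_range\": \"\", \"ports\": \"\", \"icmp_type\": 0, \"icmp_code\": 0, \"peer_ip\": \"\", \"peer_cidr\": \"\", \"action\": \"Accept\", \"tcp_flags\": \"\", \"drops\": false}]"))
-assert.Contains(t, Normalize(yamls[5]), Normalize("nodeSelector: netobserv: \"true\""))
+assert.Contains(t, Normalize(yamls[5]), Normalize("ports: - name: collector protocol: TCP port: 9999 targetPort: 9999"))
+
+assert.Contains(t, yamls[6], "kind: DaemonSet")
+assert.Contains(t, yamls[6], "name: netobserv-cli")
+assert.Contains(t, yamls[6], "namespace: \"netobserv-cli\"")
+assert.Contains(t, Normalize(yamls[6]), Normalize("[{\"direction\": \"\", \"ip_cidr\": \"0.0.0.0/0\", \"protocol\": \"\", \"source_port\": 0, \"destination_port\": 0, \"port\": 80, \"source_port_range\": \"\", \"source_ports\": \"\", \"destination_port_range\": \"\", \"destination_ports\": \"\", \"port_range\": \"\", \"ports\": \"\", \"icmp_type\": 0, \"icmp_code\": 0, \"peer_ip\": \"\", \"peer_cidr\": \"\", \"action\": \"Accept\", \"tcp_flags\": \"\", \"drops\": false}]"))
+assert.Contains(t, Normalize(yamls[6]), Normalize("nodeSelector: netobserv: \"true\""))
 
 return ctx
 },
@@ -261,12 +269,12 @@ func TestMetricYAML(t *testing.T) {
 // check yamls parts
 yamlStr := string(yamlBytes[:])
 yamls = strings.Split(yamlStr, "---")
-assert.Equal(t, 10, len(yamls))
+assert.Equal(t, 11, len(yamls))
 
 // check yaml contents
 assert.Contains(t, yamls[0], "kind: Namespace")
 assert.Contains(t, yamls[0], "name: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[0]), Normalize("labels: app: netobserv pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/audit: privileged openshift.io/cluster-monitoring: \"true\""))
+assert.Contains(t, Normalize(yamls[0]), Normalize("labels:app:netobserv-clipod-security.kubernetes.io/enforce:privilegedpod-security.kubernetes.io/audit:privilegedopenshift.io/cluster-monitoring:\"true\""))
 
 assert.Contains(t, yamls[1], "kind: ServiceAccount")
 assert.Contains(t, yamls[1], "name: netobserv-cli")
@@ -286,37 +294,41 @@ func TestMetricYAML(t *testing.T) {
 assert.Contains(t, Normalize(yamls[3]), Normalize("subjects: - kind: ServiceAccount name: netobserv-cli namespace: \"netobserv-cli\""))
 assert.Contains(t, Normalize(yamls[3]), Normalize("roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: netobserv-cli"))
 
-assert.Contains(t, yamls[4], "kind: ClusterRole")
-assert.Contains(t, yamls[4], "name: netobserv-cli-metrics")
+assert.Contains(t, yamls[4], "kind: SecurityContextConstraints")
+assert.Contains(t, yamls[4], "name: netobserv-cli")
 assert.Contains(t, yamls[4], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[4]), Normalize("- apiGroups: - resources: - pods - services - endpoints verbs: - list - get - watch - nonResourceURLs: - /metrics verbs: - get"))
 
-assert.Contains(t, yamls[5], "kind: ClusterRoleBinding")
-assert.Contains(t, yamls[5], "name: netobserv-cli")
+assert.Contains(t, yamls[5], "kind: ClusterRole")
+assert.Contains(t, yamls[5], "name: netobserv-cli-metrics")
 assert.Contains(t, yamls[5], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[5]), Normalize("subjects: - kind: ServiceAccount name: prometheus-k8s namespace: openshift-monitoring"))
-assert.Contains(t, Normalize(yamls[5]), Normalize("roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: netobserv-cli-metrics"))
+assert.Contains(t, Normalize(yamls[5]), Normalize("- apiGroups: - resources: - pods - services - endpoints verbs: - list - get - watch - nonResourceURLs: - /metrics verbs: - get"))
 
-assert.Contains(t, yamls[6], "kind: ServiceMonitor")
+assert.Contains(t, yamls[6], "kind: ClusterRoleBinding")
 assert.Contains(t, yamls[6], "name: netobserv-cli")
 assert.Contains(t, yamls[6], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[6]), Normalize("namespaceSelector: matchNames: - \"netobserv-cli\""))
-assert.Contains(t, Normalize(yamls[6]), Normalize("selector: matchLabels: app: netobserv-cli"))
+assert.Contains(t, Normalize(yamls[6]), Normalize("subjects: - kind: ServiceAccount name: prometheus-k8s namespace: openshift-monitoring"))
+assert.Contains(t, Normalize(yamls[6]), Normalize("roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: netobserv-cli-metrics"))
 
-assert.Contains(t, yamls[7], "kind: Service")
+assert.Contains(t, yamls[7], "kind: ServiceMonitor")
 assert.Contains(t, yamls[7], "name: netobserv-cli")
 assert.Contains(t, yamls[7], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[7]), Normalize("ports: - name: prometheus protocol: TCP port: 9401 targetPort: 9401"))
+assert.Contains(t, Normalize(yamls[7]), Normalize("namespaceSelector: matchNames: - \"netobserv-cli\""))
+assert.Contains(t, Normalize(yamls[7]), Normalize("selector: matchLabels: app: netobserv-cli"))
 
-assert.Contains(t, yamls[8], "kind: ConfigMap")
+assert.Contains(t, yamls[8], "kind: Service")
 assert.Contains(t, yamls[8], "name: netobserv-cli")
-assert.Contains(t, yamls[8], "namespace: openshift-config-managed")
-assert.Contains(t, yamls[8], "console.openshift.io/dashboard: \"true\"")
+assert.Contains(t, yamls[8], "namespace: \"netobserv-cli\"")
+assert.Contains(t, Normalize(yamls[8]), Normalize("ports: - name: prometheus protocol: TCP port: 9401 targetPort: 9401"))
 
-assert.Contains(t, yamls[9], "kind: DaemonSet")
+assert.Contains(t, yamls[9], "kind: ConfigMap")
 assert.Contains(t, yamls[9], "name: netobserv-cli")
-assert.Contains(t, yamls[9], "namespace: \"netobserv-cli\"")
-assert.Contains(t, Normalize(yamls[9]), Normalize("ports: - name: prometheus containerPort: 9401 protocol: TCP"))
+assert.Contains(t, yamls[9], "namespace: openshift-config-managed")
+assert.Contains(t, yamls[9], "console.openshift.io/dashboard: \"true\"")
+
+assert.Contains(t, yamls[10], "kind: DaemonSet")
+assert.Contains(t, yamls[10], "name: netobserv-cli")
+assert.Contains(t, yamls[10], "namespace: \"netobserv-cli\"")
+assert.Contains(t, Normalize(yamls[10]), Normalize("ports: - name: prometheus containerPort: 9401 protocol: TCP"))
 
 return ctx
 },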
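Review bot: None of the updated DaemonSet assertions in TestFlowFiltersYAML, TestPacketFiltersYAML or TestMetricYAML pin the securityContext hardening this commit introduces, so a later change that restores `privileged: true` or removes `drop: - ALL` from the manifests would still pass the suite; the new checks only verify that a SecurityContextConstraints document now sits at yamls[4]. Next to the existing DaemonSet checks add, for example, `assert.Contains(t, Normalize(yamls[6]), Normalize("privileged: false"))` and `assert.Contains(t, Normalize(yamls[6]), Normalize("allowPrivilegeEscalation: false"))` (yamls[10] in TestMetricYAML), plus one for the BPF/PERFMON/NET_ADMIN capability list. The SCC assertion `namespace: "netobserv-cli"` pins a field the API server ignores on a cluster-scoped object, so it documents nothing and would be better replaced by a check on `allowedCapabilities` or the `users` entry. Each enclosing test function starts before its first hunk, and the feature bodies continue outside the hunks shown.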

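--- a/res/flow-capture.yml
+++ b/res/flow-capture.yml
@@ -24,7 +24,16 @@ spec:
 image: "{{AGENT_IMAGE_URL}}"
 imagePullPolicy: Always
 securityContext:
-privileged: true
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- "BPF"
+- "PERFMON"
+- "NET_ADMIN"
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
 runAsUser: 0
 env:
 - name: CACHE_ACTIVE_TIMEOUT
@@ -68,16 +77,16 @@ spec:
 volumeMounts:
 - name: bpf-kernel-debug
 mountPath: /sys/kernel/debug
-mountPropagation: Bidirectional
+mountPropagation: HostToContainer
 - name: var-run-ovn
 mountPath: /var/run/ovn
-mountPropagation: Bidirectional
+mountPropagation: HostToContainer
 - name: var-run-ovs
 mountPath: /var/run/openvswitch
-mountPropagation: Bidirectional
+mountPropagation: HostToContainer
 - name: var-run-netns
 mountPath: /var/run/netns
-mountPropagation: Bidirectional
+mountPropagation: HostToContainer
 volumes:
 - name: bpf-kernel-debug
 hostPath: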
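Review bot: The hostPath mounts in the volumeMounts hunk (/sys/kernel/debug, /var/run/ovn, /var/run/openvswitch, /var/run/netns) remain writable from the container even though the pod now runs unprivileged with a read-only root filesystem, so a compromised agent could still write into the host's OVS/OVN runtime directories. Unless the agent needs write access there, add `readOnly: true` under each of these mounts next to the new `mountPropagation: HostToContainer`; connecting to an existing unix socket does not require a writable mount, so the OVS/OVN paths are likely fine as read-only. Dropping Bidirectional is correct, since that propagation mode requires a privileged container anyway. Whether the agent writes into any of these paths is not visible from this hunk, so confirm against the agent before flipping them.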

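--- a/res/metric-capture.yml
+++ b/res/metric-capture.yml
@@ -24,7 +24,16 @@ spec:
 image: "{{AGENT_IMAGE_URL}}"
 imagePullPolicy: Always
 securityContext:
-privileged: true
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- "BPF"
+- "PERFMON"
+- "NET_ADMIN"
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
 runAsUser: 0
 env:
 - name: METRICS_ENABLE
@@ -66,13 +75,13 @@ spec:
 volumeMounts:
 - name: bpf-kernel-debug
 mountPath: /sys/kernel/debug
-mountPropagation: Bidirectional
+mountPropagation: HostToContainer
 - name: var-run-ovn
 mountPath: /var/run/ovn
-mountPropagation: Bidirectional
+mountPropagation: HostToContainer
 - name: var-run-ovs
 mountPath: /var/run/openvswitch
-mountPropagation: Bidirectional
+mountPropagation: HostToContainer
 volumes:
 - name: bpf-kernel-debug
 hostPath: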
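Review bot: The new capability set in the securityContext hunk (BPF, PERFMON, NET_ADMIN with everything else dropped) only works where the node kernel and container runtime know those capabilities; CAP_BPF and CAP_PERFMON were introduced in Linux 5.8, and on older kernels bpf() and perf_event_open() still demand CAP_SYS_ADMIN, so the pod either fails to start on an unknown capability name or the agent fails at program load. Raising RLIMIT_MEMLOCK, which BPF loaders need on kernels without memcg-accounted BPF memory (before 5.11), also requires CAP_SYS_RESOURCE, now dropped. The commit title says the CLI auto-detects features that require privileged mode, but the files implementing that detection are not in this view, so confirm it covers the kernel-version case rather than only the feature flags. Document the assumption in the manifest, e.g. `# BPF/PERFMON need Linux >= 5.8; older kernels need privileged mode (CLI falls back)`.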

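--- a/res/namespace.yml
+++ b/res/namespace.yml
@@ -3,7 +3,7 @@ apiVersion: v1
 metadata:
 name: "{{NAME}}"
 labels:
-app: netobserv
+app: netobserv-cli
 pod-security.kubernetes.io/enforce: privileged
 pod-security.kubernetes.io/audit: privileged
 openshift.io/cluster-monitoring: "true"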

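--- a/res/packet-capture.yml
+++ b/res/packet-capture.yml
@@ -24,7 +24,16 @@ spec:
 image: "{{AGENT_IMAGE_URL}}"
 imagePullPolicy: Always
 securityContext:
-privileged: true
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- "BPF"
+- "PERFMON"
+- "NET_ADMIN"
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
 runAsUser: 0
 env:
 - name: CACHE_ACTIVE_TIMEOUT
@@ -48,7 +57,7 @@ spec:
 volumeMounts:
 - name: bpf-kernel-debug
 mountPath: /sys/kernel/debug
-mountPropagation: Bidirectional
+mountPropagation: HostToContainer
 volumes:
 - name: bpf-kernel-debug
 hostPath: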
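Review bot: With `privileged: false` the container is now subject to seccomp filtering, but the securityContext sets no `seccompProfile` and the new SCC in this commit does not require one either, so depending on how the cluster admits the pod it may run with seccomp unconfined. Add `seccompProfile: {type: RuntimeDefault}` next to `allowPrivilegeEscalation: false`, and verify that the node runtime's default profile permits `bpf()` and `perf_event_open()` for a process holding CAP_BPF/CAP_PERFMON rather than only CAP_SYS_ADMIN; older default profiles gate those syscalls on CAP_SYS_ADMIN and would break capture silently. The same applies to the flow and metric DaemonSets changed in this commit. The rest of the pod spec, including any hostNetwork or hostPID setting, lies outside this hunk.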

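--- a/res/service-account.yml
+++ b/res/service-account.yml
@@ -61,4 +61,23 @@ subjects:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
-name: netobserv-cli
+name: netobserv-cli
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+name: netobserv-cli
+namespace: "{{NAMESPACE}}"
+allowHostDirVolumePlugin: true
+allowHostNetwork: true
+allowPrivilegedContainer: true
+runAsUser:
+type: RunAsAny
+seLinuxContext:
+type: RunAsAny
+users:
+- 'system:serviceaccount:"{{NAMESPACE}}":netobserv-cli'
+allowedCapabilities:
+- BPF
+- PERFMON
+- NET_ADMIN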
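Review bot: The `users` entry `'system:serviceaccount:"{{NAMESPACE}}":netobserv-cli'` keeps the double quotes inside the single-quoted YAML string, so if the template only substitutes the placeholder (the e2e test in this commit expects `namespace: "netobserv-cli"` with the quotes surviving elsewhere), the SCC is granted to the literal user `system:serviceaccount:"netobserv-cli":netobserv-cli`, which never matches the real service account identity; write it as `- system:serviceaccount:{{NAMESPACE}}:netobserv-cli`. The SCC also keeps `allowPrivilegedContainer: true` although all three DaemonSets now set `privileged: false`; unless the CLI's privileged fallback reuses this same SCC, set it to `false` and add `requiredDropCapabilities: [ALL]` so the manifests cannot quietly regain full root through this grant. `allowHostNetwork: true` is granted but none of the DaemonSet hunks in this commit show hostNetwork, so confirm it is needed or remove it. The `namespace:` field has no effect on a cluster-scoped SecurityContextConstraints and can be dropped.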
