[WIP] feat: add yurtappset validation webhook and default nodepool label #1987

Closed
c719d41
refactor: avoid calling functions under k8s.io/kubernetes
vie-serendipity Mar 6, 2024
8cf34ec
feat: add yurtappset's support for statefulset
vie-serendipity Mar 7, 2024
ae08d24
feat: add support for replacement of {{nodepool}}
vie-serendipity Mar 7, 2024
25f998e
feat: add type label to nodepool
vie-serendipity Mar 7, 2024
6a1a364
feat: add validation webhook for yurtappset
vie-serendipity Mar 8, 2024
a229454
perf: improve the implementation of slowstartbatch
vie-serendipity Mar 8, 2024
62cc2d0
fix: only validate yurtappset spec
vie-serendipity Mar 11, 2024
20970cf
fix: deployment render should only manage workloads created by v1alph…
vie-serendipity Mar 11, 2024
8b7db71
feat: optimize SlowStartBatch
vie-serendipity Mar 12, 2024
4bf243c
feat: add validation for workload
vie-serendipity Mar 8, 2024
96996bc
chore: move apis validation
vie-serendipity Mar 13, 2024
598351c
feat: add yurtappset validation webhook
vie-serendipity Mar 20, 2024
cb8343f
chore: test
vie-serendipity Mar 20, 2024
245cbe0
chore: no tweaks
vie-serendipity Mar 20, 2024
de259bb
feat: revert slowstartbatch
vie-serendipity Mar 20, 2024
ffc5efa
Merge branch 'master' of github.com:vie-serendipity/openyurt into fea…
vie-serendipity Mar 20, 2024
37159d2
fix: deployment render should only mutate workloads created by yurtap…
vie-serendipity Mar 13, 2024
44d9807
feat: improve hostNetwork mode of NodePool by adding NodeAffinity to …
huangchenzhao Mar 13, 2024
f0a7445
feat: improve configuration of concurrent yurtappdaemon workers (#191…
huangchenzhao Mar 19, 2024
a0b35b9
feat: improve configuration of concurrent yurtappoverrider workers (#…
huangchenzhao Mar 19, 2024
b26990e
fix: go:gopkg.in/square/go-jose.v2:v2.6.0 is vulnerable Cxb6dee8d5-b8…
fengshunli Mar 19, 2024
324d789
improve filter manager in yurthub component
rambohe-ch Mar 18, 2024
fcbb22e
build(deps): bump github.com/go-resty/resty/v2 from 2.7.0 to 2.12.0
dependabot[bot] Mar 19, 2024
96b8888
feat: modify to {{nodepool-name}}
vie-serendipity Mar 20, 2024
991c689
chore: resolve conflicts
vie-serendipity Mar 20, 2024
8bd8c18
Merge branch 'feat/yurtappset-webhook' of github.com:vie-serendipity/…
vie-serendipity Mar 20, 2024
improve filter manager in yurthub component
rambohe-ch authored and vie-serendipity committed Mar 20, 2024
commit 324d789f315eb4c597db806cc999f2ea603a0189
2 changes: 1 addition & 1 deletion cmd/yurthub/app/config/config.go
@@ -134,7 134,7 @@ func Complete(options *options.YurtHubOptions) (*YurtHubConfiguration, error) {
}
tenantNs := util.ParseTenantNsFromOrgs(options.YurtHubCertOrganizations)
registerInformers(options, sharedFactory, workingMode, tenantNs)
filterManager, err := manager.NewFilterManager(options, sharedFactory, dynamicSharedFactory, proxiedClient, serializerManager, us[0].Host)
filterManager, err := manager.NewFilterManager(options, sharedFactory, dynamicSharedFactory, proxiedClient, serializerManager)
if err != nil {
klog.Errorf("could not create filter manager, %v", err)
return nil, err
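--- a/cmd/yurthub/app/options/filters.go
+++ b/cmd/yurthub/app/options/filters.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2024 The OpenYurt Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+"github.com/openyurtio/openyurt/pkg/yurthub/filter/base"
+"github.com/openyurtio/openyurt/pkg/yurthub/filter/discardcloudservice"
+"github.com/openyurtio/openyurt/pkg/yurthub/filter/inclusterconfig"
+"github.com/openyurtio/openyurt/pkg/yurthub/filter/masterservice"
+"github.com/openyurtio/openyurt/pkg/yurthub/filter/nodeportisolation"
+"github.com/openyurtio/openyurt/pkg/yurthub/filter/servicetopology"
+)
+
+var (
+// DisabledInCloudMode contains the filters that should be disabled when yurthub is working in cloud mode.
+DisabledInCloudMode = []string{discardcloudservice.FilterName}
+
+// SupportedComponentsForFilter is used for specifying which components are supported by filters as default setting.
+SupportedComponentsForFilter = map[string]string{
+masterservice.FilterName: "kubelet",
+discardcloudservice.FilterName: "kube-proxy",
+servicetopology.FilterName: "kube-proxy, coredns, nginx-ingress-controller",
+inclusterconfig.FilterName: "kubelet",
+nodeportisolation.FilterName: "kube-proxy",
+}
+)
+
+// RegisterAllFilters by order, the front registered filter will be
+// called before the latter registered ones.
+// Attention:
+// when you add a new filter, you should register new filter here.
+func RegisterAllFilters(filters *base.Filters) {
+servicetopology.Register(filters)
+masterservice.Register(filters)
+discardcloudservice.Register(filters)
+inclusterconfig.Register(filters)
+nodeportisolation.Register(filters)
+}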
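Review bot: The doc comment on RegisterAllFilters tells maintainers to register a new filter here but says nothing about SupportedComponentsForFilter, and the NewApprover hunk in this commit builds its default request keys only from that map, so a filter registered without a map entry would apparently be applied to no component by default. I would extend the comment to `// when you add a new filter, register it here and add its default components to SupportedComponentsForFilter.` It is also worth stating on SupportedComponentsForFilter that each value is a comma-separated list of component names and that the map must be treated as read-only, since it is an exported package variable that any importer can modify after startup.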
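--- a/cmd/yurthub/app/options/filters_test.go
+++ b/cmd/yurthub/app/options/filters_test.go
@@ -0,0 +1,32 @@
+/*
+Copyright 2024 The OpenYurt Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+"testing"
+
+"github.com/openyurtio/openyurt/pkg/yurthub/filter/base"
+)
+
+func TestRegisterAllFilters(t *testing.T) {
+disableFilter := "servicetopology"
+filters := base.NewFilters([]string{disableFilter})
+RegisterAllFilters(filters)
+if filters.Enabled(disableFilter) {
+t.Errorf("expect %s disable, but it is enabled", disableFilter)
+}
+}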
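Review bot: TestRegisterAllFilters asserts only the disabled case, so it would likely still pass if RegisterAllFilters registered nothing at all; base.Filters is not shown here, so this assumes `Enabled` reports false for a name that was never registered. Adding a positive check for a filter that is not in the disabled list, such as `if !filters.Enabled(masterservice.FilterName) { t.Errorf("expect %s enabled", masterservice.FilterName) }`, would catch a dropped Register call. The literal `"servicetopology"` would also be better written as `servicetopology.FilterName`, so the test follows the constant if it is ever renamed.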
3 changes: 0 additions & 3 deletions cmd/yurthub/app/options/options.go
@@ -73,7 73,6 @@ type YurtHubOptions struct {
HubAgentDummyIfIP string
HubAgentDummyIfName string
DiskCachePath string
AccessServerThroughHub bool
EnableResourceFilter bool
DisabledResourceFilters []string
WorkingMode string
@@ -115,7 114,6 @@ func NewYurtHubOptions() *YurtHubOptions {
EnableIptables: false,
HubAgentDummyIfName: fmt.Sprintf("%s-dummy0", projectinfo.GetHubName()),
DiskCachePath: disk.CacheBaseDir,
AccessServerThroughHub: true,
EnableResourceFilter: true,
DisabledResourceFilters: make([]string, 0),
WorkingMode: string(util.WorkingModeEdge),
@@ -211,7 209,6 @@ func (o *YurtHubOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.HubAgentDummyIfIP, "dummy-if-ip", o.HubAgentDummyIfIP, "the ip address of dummy interface that used for container connect hub agent(exclusive ips: 169.254.31.0/24, 169.254.1.1/32)")
fs.StringVar(&o.HubAgentDummyIfName, "dummy-if-name", o.HubAgentDummyIfName, "the name of dummy interface that is used for hub agent")
fs.StringVar(&o.DiskCachePath, "disk-cache-path", o.DiskCachePath, "the path for kubernetes to storage metadata")
fs.BoolVar(&o.AccessServerThroughHub, "access-server-through-hub", o.AccessServerThroughHub, "enable pods access kube-apiserver through yurthub or not")
fs.BoolVar(&o.EnableResourceFilter, "enable-resource-filter", o.EnableResourceFilter, "enable to filter response that comes back from reverse proxy")
fs.StringSliceVar(&o.DisabledResourceFilters, "disabled-resource-filters", o.DisabledResourceFilters, "disable resource filters to handle response")
fs.StringVar(&o.NodePoolName, "nodepool-name", o.NodePoolName, "the name of node pool that runs hub agent")
1 change: 0 additions & 1 deletion cmd/yurthub/app/options/options_test.go
@@ -56,7 56,6 @@ func TestNewYurtHubOptions(t *testing.T) {
EnableIptables: false,
HubAgentDummyIfName: fmt.Sprintf("%s-dummy0", projectinfo.GetHubName()),
DiskCachePath: disk.CacheBaseDir,
AccessServerThroughHub: true,
EnableResourceFilter: true,
DisabledResourceFilters: make([]string, 0),
WorkingMode: string(util.WorkingModeEdge),
Original file line number Diff line number Diff line change
@@ -14,7 14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

package filter
package approver

import (
"fmt"
@@ -30,7 30,9 @@ import (
"k8s.io/client-go/tools/cache"
"k8s.io/klog/v2"

"github.com/openyurtio/openyurt/cmd/yurthub/app/options"
"github.com/openyurtio/openyurt/pkg/projectinfo"
"github.com/openyurtio/openyurt/pkg/yurthub/filter"
"github.com/openyurtio/openyurt/pkg/yurthub/util"
)

@@ -48,7 50,7 @@ var (
defaultBlackListRequests = sets.NewString(reqKey(projectinfo.GetHubName(), "configmaps", "list"), reqKey(projectinfo.GetHubName(), "configmaps", "watch"))
)

func NewApprover(sharedFactory informers.SharedInformerFactory, filterSupportedResAndVerbs map[string]map[string]sets.String) Approver {
func NewApprover(sharedFactory informers.SharedInformerFactory, filterSupportedResAndVerbs map[string]map[string]sets.String) filter.Approver {
configMapInformer := sharedFactory.Core().V1().ConfigMaps().Informer()
na := &approver{
reqKeyToNames: make(map[string]sets.String),
@@ -58,7 60,7 @@ func NewApprover(sharedFactory informers.SharedInformerFactory, filterSupportedR
stopCh: make(chan struct{}),
}

for name, setting := range SupportedComponentsForFilter {
for name, setting := range options.SupportedComponentsForFilter {
for _, key := range na.parseRequestSetting(name, setting) {
if _, ok := na.defaultReqKeyToNames[key]; !ok {
na.defaultReqKeyToNames[key] = sets.NewString()
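Review bot: The added import of `github.com/openyurtio/openyurt/cmd/yurthub/app/options` makes this library package depend on the command's option package, which inverts the usual cmd-to-pkg direction. Because cmd/yurthub/app/options/filters.go in the same commit imports the individual filter packages, any of them importing this approver package later would form an import cycle. NewApprover uses the import only for the `for name, setting := range options.SupportedComponentsForFilter` loop, so the table could be passed in instead, e.g. `func NewApprover(sharedFactory informers.SharedInformerFactory, filterSupportedResAndVerbs map[string]map[string]sets.String, defaultComponents map[string]string) filter.Approver`. That also makes the component-to-filter policy explicit at the call site rather than read from a mutable package variable. NewApprover's body continues outside the visible hunks.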
Original file line number Diff line number Diff line change
@@ -14,7 14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

package filter
package approver

import (
"net/http"
@@ -30,18 30,22 @@ import (
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes/fake"

"github.com/openyurtio/openyurt/cmd/yurthub/app/options"
"github.com/openyurtio/openyurt/pkg/projectinfo"
"github.com/openyurtio/openyurt/pkg/yurthub/filter/discardcloudservice"
"github.com/openyurtio/openyurt/pkg/yurthub/filter/masterservice"
"github.com/openyurtio/openyurt/pkg/yurthub/filter/servicetopology"
"github.com/openyurtio/openyurt/pkg/yurthub/proxy/util"
)

var supportedResourceAndVerbsForFilter = map[string]map[string]sets.String{
MasterServiceFilterName: {
masterservice.FilterName: {
"services": sets.NewString("list", "watch"),
},
DiscardCloudServiceFilterName: {
discardcloudservice.FilterName: {
"services": sets.NewString("list", "watch"),
},
ServiceTopologyFilterName: {
servicetopology.FilterName: {
"endpoints": sets.NewString("list", "watch"),
"endpointslices": sets.NewString("list", "watch"),
},
@@ -67,56 71,56 @@ func TestApprove(t *testing.T) {
verb: "GET",
path: "/api/v1/services",
approved: true,
resultFilter: []string{MasterServiceFilterName},
resultFilter: []string{masterservice.FilterName},
},
"kubelet watch services": {
userAgent: "kubelet/v1.20.11",
verb: "GET",
path: "/api/v1/services?watch=true",
approved: true,
resultFilter: []string{MasterServiceFilterName},
resultFilter: []string{masterservice.FilterName},
},
"kube-proxy list services": {
userAgent: "kube-proxy/v1.20.11",
verb: "GET",
path: "/api/v1/services",
approved: true,
resultFilter: []string{DiscardCloudServiceFilterName},
resultFilter: []string{discardcloudservice.FilterName},
},
"kube-proxy watch services": {
userAgent: "kube-proxy/v1.20.11",
verb: "GET",
path: "/api/v1/services?watch=true",
approved: true,
resultFilter: []string{DiscardCloudServiceFilterName},
resultFilter: []string{discardcloudservice.FilterName},
},
"kube-proxy list endpointslices": {
userAgent: "kube-proxy/v1.20.11",
verb: "GET",
path: "/apis/discovery.k8s.io/v1/endpointslices",
approved: true,
resultFilter: []string{ServiceTopologyFilterName},
resultFilter: []string{servicetopology.FilterName},
},
"kube-proxy watch endpointslices": {
userAgent: "kube-proxy/v1.20.11",
verb: "GET",
path: "/apis/discovery.k8s.io/v1/endpointslices?watch=true",
approved: true,
resultFilter: []string{ServiceTopologyFilterName},
resultFilter: []string{servicetopology.FilterName},
},
"nginx-ingress-controller list endpoints": {
userAgent: "nginx-ingress-controller/v1.1.0",
verb: "GET",
path: "/api/v1/endpoints",
approved: true,
resultFilter: []string{ServiceTopologyFilterName},
resultFilter: []string{servicetopology.FilterName},
},
"nginx-ingress-controller watch endpoints": {
userAgent: "nginx-ingress-controller/v1.1.0",
verb: "GET",
path: "/api/v1/endpoints?watch=true",
approved: true,
resultFilter: []string{ServiceTopologyFilterName},
resultFilter: []string{servicetopology.FilterName},
},
"list endpoints without user agent": {
verb: "GET",
@@ -385,17 389,17 @@ func TestParseRequestSetting(t *testing.T) {
resultKeys []string
}{
"old normal filter setting has two components": {
filterName: MasterServiceFilterName,
filterName: masterservice.FilterName,
filterSetting: "foo/services#list;watch,bar/services#list;watch",
resultKeys: []string{"foo/services/list", "foo/services/watch", "bar/services/list", "bar/services/watch"},
},
"normal filter setting has one component": {
filterName: MasterServiceFilterName,
filterName: masterservice.FilterName,
filterSetting: "foo",
resultKeys: []string{"foo/services/list", "foo/services/watch"},
},
"normal filter setting has two components": {
filterName: MasterServiceFilterName,
filterName: masterservice.FilterName,
filterSetting: "foo, bar",
resultKeys: []string{"foo/services/list", "foo/services/watch", "bar/services/list", "bar/services/watch"},
},
@@ -660,7 664,7 @@ func newApprover(filterSupportedResAndVerbs map[string]map[string]sets.String) *
}

defaultReqKeyToFilterNames := make(map[string]sets.String)
for name, setting := range SupportedComponentsForFilter {
for name, setting := range options.SupportedComponentsForFilter {
for _, key := range na.parseRequestSetting(name, setting) {
if _, ok := defaultReqKeyToFilterNames[key]; !ok {
defaultReqKeyToFilterNames[key] = sets.NewString()