From 8881d39656a6a69b2473711dd10117c24290e02c Mon Sep 17 00:00:00 2001 From: Rafael Franzke Date: Thu, 4 May 2023 16:00:34 +0200 Subject: [PATCH] Switch to new NetworkPolicys --- Dockerfile | 4 +- pkg/local/create_machine.go | 76 ++++++++++++++++++++++++++----------- pkg/local/driver.go | 13 +++++++ 3 files changed, 69 insertions(+), 24 deletions(-) diff --git a/Dockerfile b/Dockerfile index 50aefafd..132c0da3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.18.3 AS builder +FROM golang:1.20.4 AS builder ARG TARGETOS ARG TARGETARCH WORKDIR /go/src/github.com/gardener/machine-controller-manager-provider-local @@ -9,7 +9,7 @@ RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \ -o /usr/local/bin/machine-controller \ cmd/machine-controller/main.go -FROM alpine:3.15.4 AS machine-controller +FROM alpine:3.17.3 AS machine-controller WORKDIR / COPY --from=builder /usr/local/bin/machine-controller /machine-controller ENTRYPOINT ["/machine-controller"] diff --git a/pkg/local/create_machine.go b/pkg/local/create_machine.go index 18c9e057..43c60ed3 100644 --- a/pkg/local/create_machine.go +++ b/pkg/local/create_machine.go 
@@ -19,19 +19,20 @@ import ( "encoding/json" "fmt" - apiv1alpha1 "github.com/gardener/machine-controller-manager-provider-local/pkg/api/v1alpha1" - "github.com/gardener/machine-controller-manager-provider-local/pkg/api/validation" - machinev1alpha1 "github.com/gardener/machine-controller-manager/pkg/apis/machine/v1alpha1" "github.com/gardener/machine-controller-manager/pkg/util/provider/driver" "github.com/gardener/machine-controller-manager/pkg/util/provider/machinecodes/codes" "github.com/gardener/machine-controller-manager/pkg/util/provider/machinecodes/status" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/klog/v2" "k8s.io/utils/pointer" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" + + apiv1alpha1 "github.com/gardener/machine-controller-manager-provider-local/pkg/api/v1alpha1" + "github.com/gardener/machine-controller-manager-provider-local/pkg/api/validation" ) func (d *localDriver) CreateMachine(ctx context.Context, req *driver.CreateMachineRequest) (*driver.CreateMachineResponse, error) { 
@@ -47,7 +48,22 @@ func (d *localDriver) CreateMachine(ctx context.Context, req *driver.CreateMachi
 		return nil, err
 	}
 
-	pod, err := d.applyPod(ctx, req, providerSpec)
+	userDataSecret := userDataSecretForMachine(req.Machine)
+	userDataSecret.Data = map[string][]byte{"userdata": req.Secret.Data["userData"]}
+
+	if err := controllerutil.SetControllerReference(req.Machine, userDataSecret, d.client.Scheme()); err != nil {
+		return nil, status.Error(codes.Internal, fmt.Sprintf("could not set userData secret ownership: %s", err.Error()))
+	}
+
+	if err := d.client.Patch(ctx, userDataSecret, client.Apply, fieldOwner, client.ForceOwnership); err != nil {
+		return nil, status.Error(codes.Internal, fmt.Sprintf("error applying user data secret: %s", err.Error()))
+	}
+
+	if _, err := d.applyService(ctx, req); err != nil {
+		return nil, err
+	}
+
+	pod, err := d.applyPod(ctx, req, providerSpec, userDataSecret)
 	if err != nil {
 		return nil, err
 	}
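Review bot: The user data is copied with `req.Secret.Data["userData"]` without checking that req.Secret is set or that the key is present, so a request without it either panics (nil Secret) or silently applies a Secret whose `userdata` entry is empty, and the machine pod is then presumably started without any bootstrap data. The two lines were moved here from applyPod, so the gap is pre-existing, but now that the Secret is applied ahead of the Service and the Pod this is the place to close it, unless a check earlier in CreateMachine (outside this hunk) already covers it. A guard before the assignment would do: `if req.Secret == nil || len(req.Secret.Data["userData"]) == 0 {` / `return nil, status.Error(codes.InvalidArgument, "machine secret has no userData")` / `}`. CreateMachine begins before and continues after this hunk.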
@@ -58,30 +74,46 @@ func (d *localDriver) CreateMachine(ctx context.Context, req *driver.CreateMachi
 	}, nil
 }
 
-func (d *localDriver) applyPod(ctx context.Context, req *driver.CreateMachineRequest, providerSpec *apiv1alpha1.ProviderSpec) (*corev1.Pod, error) {
-	userDataSecret := userDataSecretForMachine(req.Machine)
-	userDataSecret.Data = map[string][]byte{"userdata": req.Secret.Data["userData"]}
-
-	if err := controllerutil.SetControllerReference(req.Machine, userDataSecret, d.client.Scheme()); err != nil {
-		return nil, status.Error(codes.Internal, fmt.Sprintf("could not set userData secret ownership: %s", err.Error()))
+func (d *localDriver) applyService(ctx context.Context, req *driver.CreateMachineRequest) (*corev1.Service, error) {
+	svc := service(req.Machine)
+	svc.Spec.Type = corev1.ServiceTypeClusterIP
+	svc.Spec.ClusterIP = corev1.ClusterIPNone
+	svc.Spec.Ports = []corev1.ServicePort{{
+		Port:       10250,
+		Protocol:   corev1.ProtocolTCP,
+		TargetPort: intstr.FromInt(10250),
+	}}
+	svc.Spec.Selector = map[string]string{
+		labelKeyProvider: apiv1alpha1.Provider,
+		labelKeyApp:      labelValueMachine,
 	}
 
-	if err := d.client.Patch(ctx, userDataSecret, client.Apply, fieldOwner, client.ForceOwnership); err != nil {
-		return nil, status.Error(codes.Internal, fmt.Sprintf("error applying user data secret: %s", err.Error()))
+	if err := d.client.Patch(ctx, svc, client.Apply, fieldOwner, client.ForceOwnership); err != nil {
+		return nil, status.Error(codes.Internal, fmt.Sprintf("error applying service: %s", err.Error()))
 	}
 
+	return svc, nil
+}
+
+func (d *localDriver) applyPod(
+	ctx context.Context,
+	req *driver.CreateMachineRequest,
+	providerSpec *apiv1alpha1.ProviderSpec,
+	userDataSecret *corev1.Secret,
+) (
+	*corev1.Pod,
+	error,
+) {
 	pod := podForMachine(req.Machine)
 	pod.Labels = map[string]string{
-		labelKeyProvider: apiv1alpha1.Provider,
-		labelKeyApp:      labelValueMachine,
-		"networking.gardener.cloud/from-prometheus":      "allowed",
-		"networking.gardener.cloud/to-dns":               "allowed",
-		"networking.gardener.cloud/to-private-networks":  "allowed",
-		"networking.gardener.cloud/to-public-networks":   "allowed",
-		"networking.gardener.cloud/to-shoot-networks":    "allowed",
-		"networking.gardener.cloud/to-seed-apiserver":    "allowed", // needed for ManagedSeeds such that gardenlets deployed to these Machines can talk to the seed's kube-apiserver (which is the same like the garden cluster kube-apiserver)
-		"networking.gardener.cloud/to-shoot-apiserver":   "allowed",
-		"networking.gardener.cloud/from-shoot-apiserver": "allowed",
+		labelKeyProvider: apiv1alpha1.Provider,
+		labelKeyApp:      labelValueMachine,
+		"networking.gardener.cloud/to-dns":                              "allowed",
+		"networking.gardener.cloud/to-private-networks":                 "allowed",
+		"networking.gardener.cloud/to-public-networks":                  "allowed",
+		"networking.gardener.cloud/to-shoot-networks":                   "allowed",
+		"networking.gardener.cloud/to-runtime-apiserver":                "allowed", // needed for ManagedSeeds such that gardenlets deployed to these Machines can talk to the seed's kube-apiserver (which is the same like the garden cluster kube-apiserver)
+		"networking.resources.gardener.cloud/to-kube-apiserver-tcp-443": "allowed",
 	}
 	pod.Spec = corev1.PodSpec{
 		Containers: []corev1.Container{
diff --git a/pkg/local/driver.go b/pkg/local/driver.go
index d537949b..e5608fe7 100644
--- a/pkg/local/driver.go
+++ b/pkg/local/driver.go
@@ -45,6 +45,19 @@ func (d *localDriver) GenerateMachineClassForMigration(_ context.Context, _ *dri
 	return &driver.GenerateMachineClassForMigrationResponse{}, nil
 }
 
+func service(machine *machinev1alpha1.Machine) *corev1.Service {
+	return &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: corev1.SchemeGroupVersion.String(),
+			Kind:       "Service",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "machines",
+			Namespace: machine.Namespace,
+		},
+	}
+}
+
 func podForMachine(machine *machinev1alpha1.Machine) *corev1.Pod {
 	return &corev1.Pod{
 		TypeMeta: metav1.TypeMeta{
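Review bot: applyService is undocumented and the port literal 10250 appears twice with nothing saying what it is. The selector matches every pod carrying the provider/app labels, so this is one namespace-wide object re-applied on every CreateMachine rather than a per-machine resource, and 10250 is presumably the kubelet port of the machine pod — worth confirming and stating. Suggest `// applyService applies the namespace-wide headless Service "machines" that selects every machine pod and exposes port 10250 (kubelet); it is shared by all machines and idempotently re-applied on each CreateMachine.` plus `const kubeletPort = 10250` used for both Port and TargetPort. applyPod begins in this hunk and its body continues past the end of the hunk.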
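Review bot: service builds the Service with no owner reference, unlike the pod and the userData Secret which get SetControllerReference in create_machine.go, so nothing garbage-collects it once the last machine in the namespace is gone. Because it is shared by all machines, owning it by a single Machine would be wrong (deleting that Machine would remove the Service for the others), so either leaving it behind is intended or DeleteMachine, which is not in this diff, has to clean it up. Whichever it is, the function should say so: `// service returns the skeleton of the namespace-wide "machines" Service shared by all machine pods; it carries no owner reference on purpose because no single Machine owns it.`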