Improve egress selector handling on agentless servers

Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
pull/7371/head
Brad Davidson 2023-04-20 22:02:04 +00:00 committed by Brad Davidson
parent 5348b5e696
commit 31a6386994
2 changed files with 18 additions and 11 deletions


@ -101,16 +101,20 @@ func Setup(ctx context.Context, config *daemonconfig.Node, proxy proxy.Proxy) er
close(apiServerReady) close(apiServerReady)
}() }()
// Allow the kubelet port, as published via our node object // We don't need to run the tunnel authorizer if the container runtime endpoint is /dev/null,
go tunnel.setKubeletPort(ctx, apiServerReady) // signifying that this is an agentless server that will not register a node.
if config.ContainerRuntimeEndpoint != "/dev/null" {
// Allow the kubelet port, as published via our node object.
go tunnel.setKubeletPort(ctx, apiServerReady)
switch tunnel.mode { switch tunnel.mode {
case daemonconfig.EgressSelectorModeCluster: case daemonconfig.EgressSelectorModeCluster:
// In Cluster mode, we allow the cluster CIDRs, and any connections to the node's IPs for pods using host network. // In Cluster mode, we allow the cluster CIDRs, and any connections to the node's IPs for pods using host network.
tunnel.clusterAuth(config) tunnel.clusterAuth(config)
case daemonconfig.EgressSelectorModePod: case daemonconfig.EgressSelectorModePod:
// In Pod mode, we watch pods assigned to this node, and allow their addresses, as well as ports used by containers with host network. // In Pod mode, we watch pods assigned to this node, and allow their addresses, as well as ports used by containers with host network.
go tunnel.watchPods(ctx, apiServerReady, config) go tunnel.watchPods(ctx, apiServerReady, config)
}
} }
// The loadbalancer is only disabled when there is a local apiserver. Servers without a local // The loadbalancer is only disabled when there is a local apiserver. Servers without a local
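Review bot: The new guard identifies an agentless server by comparing `config.ContainerRuntimeEndpoint` against the literal `"/dev/null"`, while the validation change in the other file keys the same condition off `serverConfig.DisableAgent`; if those two signals can diverge, the authorizer is either skipped on a node that still registers or set up on one that never will. Consider lifting the sentinel into a named constant shared with the code that assigns it, and stating in the comment which signal is authoritative, e.g. `// ContainerRuntimeEndpoint is /dev/null when the server runs with the agent disabled; that is the signal gated on here.` — hedged, since the assignment site is not in this diff. It would also help a reader to say what skipping this block means for the tunnel, along the lines of `// With no kubelet port, cluster CIDRs or pod addresses registered, the authorizer presumably admits nothing for this node`, if that deny-by-default is indeed the behaviour. Setup continues outside the hunk.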


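--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -530,8 +530,11 @@ func validateNetworkConfiguration(serverConfig server.Config) error {
 }
 switch serverConfig.ControlConfig.EgressSelectorMode {
-case config.EgressSelectorModeAgent, config.EgressSelectorModeCluster,
-config.EgressSelectorModeDisabled, config.EgressSelectorModePod:
+case config.EgressSelectorModeCluster, config.EgressSelectorModePod:
+case config.EgressSelectorModeAgent, config.EgressSelectorModeDisabled:
+if serverConfig.DisableAgent {
+logrus.Warn("Webhooks and apiserver aggregation may not function properly without an agent; please set egress-selector-mode to 'cluster' or 'pod'")
+}
 default:
 return fmt.Errorf("invalid egress-selector-mode %s", serverConfig.ControlConfig.EgressSelectorMode)
 }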
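Review bot: The new warning omits the information a reader needs to act on it: it does not say which mode is configured, and it fires identically for `agent` and `disabled`, which leave the apiserver without a usable path for different reasons. Including the value makes the log line self-explaining, e.g. `logrus.Warnf("Webhooks and apiserver aggregation may not function properly without an agent in egress-selector-mode %s; please set egress-selector-mode to 'cluster' or 'pod'", serverConfig.ControlConfig.EgressSelectorMode)`. A short comment on the new case explaining why only these two modes need an agent would also help — presumably because neither routes apiserver traffic through the tunnel authorizer's cluster or pod allowances, so an agentless server has no route to in-cluster endpoints — hedged, since the mode semantics are not in this diff. validateNetworkConfiguration starts outside the hunk.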