Improve egress selector handling on agentless servers

Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-20 22:02:04 +00:00 · 2023-04-20 22:02:04 +00:00 · 31a6386994
parent 5348b5e696
commit 31a6386994
2 changed files with 18 additions and 11 deletions
--- a/pkg/agent/tunnel/tunnel.go
+++ b/pkg/agent/tunnel/tunnel.go
@ -101,16 +101,20 @@ func Setup(ctx context.Context, config *daemonconfig.Node, proxy proxy.Proxy) er
 		close(apiServerReady)
 	}()

-	// Allow the kubelet port, as published via our node object
-	go tunnel.setKubeletPort(ctx, apiServerReady)
+	// We don't need to run the tunnel authorizer if the container runtime endpoint is /dev/null,
+	// signifying that this is an agentless server that will not register a node.
+	if config.ContainerRuntimeEndpoint != "/dev/null" {
+		// Allow the kubelet port, as published via our node object.
+		go tunnel.setKubeletPort(ctx, apiServerReady)

-	switch tunnel.mode {
-	case daemonconfig.EgressSelectorModeCluster:
-		// In Cluster mode, we allow the cluster CIDRs, and any connections to the node's IPs for pods using host network.
-		tunnel.clusterAuth(config)
-	case daemonconfig.EgressSelectorModePod:
-		// In Pod mode, we watch pods assigned to this node, and allow their addresses, as well as ports used by containers with host network.
-		go tunnel.watchPods(ctx, apiServerReady, config)
+		switch tunnel.mode {
+		case daemonconfig.EgressSelectorModeCluster:
+			// In Cluster mode, we allow the cluster CIDRs, and any connections to the node's IPs for pods using host network.
+			tunnel.clusterAuth(config)
+		case daemonconfig.EgressSelectorModePod:
+			// In Pod mode, we watch pods assigned to this node, and allow their addresses, as well as ports used by containers with host network.
+			go tunnel.watchPods(ctx, apiServerReady, config)
+		}
 	}

 	// The loadbalancer is only disabled when there is a local apiserver.  Servers without a local
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@ -530,8 +530,11 @@ func validateNetworkConfiguration(serverConfig server.Config) error {
 	}

 	switch serverConfig.ControlConfig.EgressSelectorMode {
-	case config.EgressSelectorModeAgent, config.EgressSelectorModeCluster,
-		config.EgressSelectorModeDisabled, config.EgressSelectorModePod:
+	case config.EgressSelectorModeCluster, config.EgressSelectorModePod:
+	case config.EgressSelectorModeAgent, config.EgressSelectorModeDisabled:
+		if serverConfig.DisableAgent {
+			logrus.Warn("Webhooks and apiserver aggregation may not function properly without an agent; please set egress-selector-mode to 'cluster' or 'pod'")
+		}
 	default:
 		return fmt.Errorf("invalid egress-selector-mode %s", serverConfig.ControlConfig.EgressSelectorMode)
 	}