From 7a323400e9ef78ba9a7f0e489d2578dbc07d0742 Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Thu, 9 Jun 2022 14:05:24 -0700
Subject: [PATCH] Remove control-plane egress context and fix agent mode.

The control-plane context handles requests outside the cluster and should not be sent to the proxy. In agent mode, we don't watch pods and just direct-dial any request for a non-node address, which is the original behavior.

Signed-off-by: Brad Davidson
---
 pkg/agent/tunnel/tunnel.go | 18 ++++++-------
 pkg/daemons/control/deps/deps.go | 45 ++++++++++++--------------------
 pkg/daemons/control/tunnel.go | 21 ++++++---------
 3 files changed, 33 insertions(+), 51 deletions(-)

diff --git a/pkg/agent/tunnel/tunnel.go b/pkg/agent/tunnel/tunnel.go
index fc668f70e8..a52220bf87 100644
--- a/pkg/agent/tunnel/tunnel.go
+++ b/pkg/agent/tunnel/tunnel.go
@@ -28,7 +28,6 @@ import (
 "k8s.io/client-go/tools/cache"
 "k8s.io/client-go/tools/clientcmd"
 toolswatch "k8s.io/client-go/tools/watch"
- "k8s.io/kubectl/pkg/util/podutils"
 )
 
 type agentTunnel struct {
@@ -194,18 +193,17 @@ func (a *agentTunnel) watchPods(ctx context.Context, apiServerReady <-chan struc
 logrus.Errorf("Tunnel watch failed: event object not of type v1.Pod")
 continue
 }
- ready := podutils.IsPodReady(pod)
 if pod.Spec.HostNetwork {
 for _, container := range pod.Spec.Containers {
 for _, port := range container.Ports {
 if port.Protocol == v1.ProtocolTCP {
 containerPort := fmt.Sprint(port.ContainerPort)
- if ready {
- logrus.Debugf("Tunnel authorizer adding Node Port %s", containerPort)
- a.ports[containerPort] = true
- } else {
+ if pod.DeletionTimestamp != nil {
 logrus.Debugf("Tunnel authorizer removing Node Port %s", containerPort)
 delete(a.ports, containerPort)
+ } else {
+ logrus.Debugf("Tunnel authorizer adding Node Port %s", containerPort)
+ a.ports[containerPort] = true
 }
 }
 }
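Review bot: The replacement condition `pod.DeletionTimestamp != nil` decides between add and remove without consulting the watch event type, so a Deleted event for a pod whose object never carried a deletion timestamp — which, as far as I recall, is what the apiserver emits for pods already in a terminal phase or removed with a zero grace period — takes the add branch and the host port stays in `a.ports` after the pod is gone; the same applies to the Pod IP branch in the next hunk, where the stale entry lands in `a.cidrs`. Since these two sets are the tunnel authorizer's allow-list, a stale entry keeps a destination dialable after its owner has disappeared. Treating the event type as a removal signal as well, e.g. `if ev.Type == watch.Deleted || pod.DeletionTimestamp != nil {` (with the event variable and the `k8s.io/apimachinery/pkg/watch` import named as the file actually has them), closes that gap. watchPods starts and ends outside the hunk, so I cannot see how the event variable is named or whether a Deleted case is already handled before this point.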
@@ -213,12 +211,12 @@ func (a *agentTunnel) watchPods(ctx context.Context, apiServerReady <-chan struc
 } else {
 for _, ip := range pod.Status.PodIPs {
 if cidr, err := util.IPStringToIPNet(ip.IP); err == nil {
- if ready {
- logrus.Debugf("Tunnel authorizer adding Pod IP %s", cidr)
- a.cidrs.Insert(&podEntry{cidr: *cidr})
- } else {
+ if pod.DeletionTimestamp != nil {
 logrus.Debugf("Tunnel authorizer removing Pod IP %s", cidr)
 a.cidrs.Remove(*cidr)
+ } else {
+ logrus.Debugf("Tunnel authorizer adding Pod IP %s", cidr)
+ a.cidrs.Insert(&podEntry{cidr: *cidr})
 }
 }
 }
diff --git a/pkg/daemons/control/deps/deps.go b/pkg/daemons/control/deps/deps.go
index 66f46bec6f..a73fa6c484 100644
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@@ -723,33 +723,26 @@ func genEncryptionConfigAndState(controlConfig *config.Control) error {
 }
 
 func genEgressSelectorConfig(controlConfig *config.Control) error {
- direct := apiserver.Connection{
- ProxyProtocol: apiserver.ProtocolDirect,
- }
+ var clusterConn apiserver.Connection
 
- proxy := apiserver.Connection{
- ProxyProtocol: apiserver.ProtocolHTTPConnect,
- Transport: &apiserver.Transport{
- TCP: &apiserver.TCPTransport{
- URL: fmt.Sprintf("https://%s:%d", controlConfig.Loopback(), controlConfig.SupervisorPort),
- TLSConfig: &apiserver.TLSConfig{
- CABundle: controlConfig.Runtime.ServerCA,
- ClientKey: controlConfig.Runtime.ClientKubeAPIKey,
- ClientCert: controlConfig.Runtime.ClientKubeAPICert,
+ if controlConfig.EgressSelectorMode == config.EgressSelectorModeDisabled {
+ clusterConn = apiserver.Connection{
+ ProxyProtocol: apiserver.ProtocolDirect,
+ }
+ } else {
+ clusterConn = apiserver.Connection{
+ ProxyProtocol: apiserver.ProtocolHTTPConnect,
+ Transport: &apiserver.Transport{
+ TCP: &apiserver.TCPTransport{
+ URL: fmt.Sprintf("https://%s:%d", controlConfig.Loopback(), controlConfig.SupervisorPort),
+ TLSConfig: &apiserver.TLSConfig{
+ CABundle: controlConfig.Runtime.ServerCA,
+ ClientKey: controlConfig.Runtime.ClientKubeAPIKey,
+ ClientCert: controlConfig.Runtime.ClientKubeAPICert,
+ },
 },
 },
- },
- }
-
- clusterConn := direct
- controlConn := direct
-
- switch controlConfig.EgressSelectorMode {
- case config.EgressSelectorModeAgent:
- controlConn = proxy
- case config.EgressSelectorModeCluster, config.EgressSelectorModePod:
- clusterConn = proxy
- controlConn = proxy
+ }
 }
 }
 
 egressConfig := apiserver.EgressSelectorConfiguration{
@@ -762,10 +755,6 @@ func genEgressSelectorConfig(controlConfig *config.Control) error {
 Name: "cluster",
 Connection: clusterConn,
 },
- {
- Name: "controlplane",
- Connection: controlConn,
- },
 },
 }
 
diff --git a/pkg/daemons/control/tunnel.go b/pkg/daemons/control/tunnel.go
index 5d4aa5dec5..4fc08d8906 100644
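Review bot: The `else` branch now routes cluster egress through the supervisor proxy for every `EgressSelectorMode` other than disabled, including agent mode and any value the replaced switch would have left on the direct connection, and the reason that is safe — the server-side dialer direct-dialing anything that is not a node address — lives in another file and is not visible here. A comment above the `if` stating that, e.g. `// Every mode except disabled routes cluster egress via the supervisor proxy; in agent mode the server-side dialer direct-dials any address that is not a node.`, would keep the next reader from reinstating a per-mode switch. The proxy transport keeps the `ServerCA` bundle and the `ClientKubeAPIKey`/`ClientKubeAPICert` client identity, so the apiserver still authenticates to the loopback supervisor over mutual TLS, which is the right shape for this hop. genEgressSelectorConfig continues past the hunk.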
--- a/pkg/daemons/control/tunnel.go
+++ b/pkg/daemons/control/tunnel.go
@@ -245,19 +245,14 @@ func (t *TunnelServer) dialBackend(addr string) (net.Conn, error) {
 useTunnel = false
 }
 
- if t.server.HasSession(nodeName) {
- if useTunnel {
- // Have a session and it is safe to use for this destination, do so.
- logrus.Debugf("Tunnel server egress proxy dialing %s via session to %s", addr, nodeName)
- return t.server.Dial(nodeName, 15*time.Second, "tcp", addr)
- }
- // Have a session but the agent doesn't support tunneling to this destination or
- // the destination is local; fall back to direct connection.
- logrus.Debugf("Tunnel server egress proxy dialing %s directly", addr)
- return net.Dial("tcp", addr)
+ if useTunnel && t.server.HasSession(nodeName) {
+ // Have a session and it is safe to use for this destination, do so.
+ logrus.Debugf("Tunnel server egress proxy dialing %s via session to %s", addr, nodeName)
+ return t.server.Dial(nodeName, 15*time.Second, "tcp", addr)
 }
 
- // don't provide a proxy connection for anything else
- logrus.Debugf("Tunnel server egress proxy rejecting connection to %s", addr)
- return nil, fmt.Errorf("no sessions available for host %s", host)
+ // Don't have a session, the agent doesn't support tunneling to this destination, or
+ // the destination is local; fall back to direct connection.
+ logrus.Debugf("Tunnel server egress proxy dialing %s directly", addr)
+ return net.Dial("tcp", addr)
 }
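Review bot: The new fallback `return net.Dial("tcp", addr)` carries no deadline, while the tunneled path just above bounds its dial at `15*time.Second`, so a direct dial to an unresponsive backend now ties up the egress proxy for the operating system's connect timeout. `return net.DialTimeout("tcp", addr, 15*time.Second)` gives both branches the same bound. The removed error return was the only use of `host` visible in this hunk; if it is not referenced earlier in dialBackend (whose start lies outside the hunk), the compiler will reject it as unused, and `fmt` may likewise be left without a reference in the file. The new comment could also say that addresses of known nodes whose agent has no session are now direct-dialed rather than rejected, since that is the behavioural difference a reader comparing the two versions will look for.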