Remove control-plane egress context and fix agent mode.

The control-plane context handles requests outside the cluster and should not be sent to the proxy. In agent mode, we don't watch pods and just direct-dial any request for a non-node address, which is the original behavior. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-09 14:05:24 -07:00 · 2022-06-09 14:05:24 -07:00 · 7a323400e9
parent 15b8fb962a
commit 7a323400e9
3 changed files with 33 additions and 51 deletions
--- a/pkg/agent/tunnel/tunnel.go
+++ b/pkg/agent/tunnel/tunnel.go
@ -28,7 +28,6 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/clientcmd"
 	toolswatch "k8s.io/client-go/tools/watch"
 	"k8s.io/kubectl/pkg/util/podutils"
 )
 type agentTunnel struct {
@ -194,18 +193,17 @@ func (a *agentTunnel) watchPods(ctx context.Context, apiServerReady <-chan struc
 				logrus.Errorf("Tunnel watch failed: event object not of type v1.Pod")
 				continue
 			}
 			ready := podutils.IsPodReady(pod)
 			if pod.Spec.HostNetwork {
 				for _, container := range pod.Spec.Containers {
 					for _, port := range container.Ports {
 						if port.Protocol == v1.ProtocolTCP {
 							containerPort := fmt.Sprint(port.ContainerPort)
-							if ready {
+							if pod.DeletionTimestamp != nil {
 								logrus.Debugf("Tunnel authorizer adding Node Port %s", containerPort)
 								a.ports[containerPort] = true
 							} else {
 								logrus.Debugf("Tunnel authorizer removing Node Port %s", containerPort)
 								delete(a.ports, containerPort)
 							} else {
 								logrus.Debugf("Tunnel authorizer adding Node Port %s", containerPort)
 								a.ports[containerPort] = true
 							}
 						}
 					}
@ -213,12 +211,12 @@ func (a *agentTunnel) watchPods(ctx context.Context, apiServerReady <-chan struc
 			} else {
 				for _, ip := range pod.Status.PodIPs {
 					if cidr, err := util.IPStringToIPNet(ip.IP); err == nil {
-						if ready {
+						if pod.DeletionTimestamp != nil {
 							logrus.Debugf("Tunnel authorizer adding Pod IP %s", cidr)
 							a.cidrs.Insert(&podEntry{cidr: *cidr})
 						} else {
 							logrus.Debugf("Tunnel authorizer removing Pod IP %s", cidr)
 							a.cidrs.Remove(*cidr)
 						} else {
 							logrus.Debugf("Tunnel authorizer adding Pod IP %s", cidr)
 							a.cidrs.Insert(&podEntry{cidr: *cidr})
 						}
 					}
 				}
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@ -723,33 +723,26 @@ func genEncryptionConfigAndState(controlConfig *config.Control) error {
 }
 func genEgressSelectorConfig(controlConfig *config.Control) error {
-	direct := apiserver.Connection{
+	var clusterConn apiserver.Connection
 		ProxyProtocol: apiserver.ProtocolDirect,
 	}
-	proxy := apiserver.Connection{
+	if controlConfig.EgressSelectorMode == config.EgressSelectorModeDisabled {
-		ProxyProtocol: apiserver.ProtocolHTTPConnect,
+		clusterConn = apiserver.Connection{
-		Transport: &apiserver.Transport{
+			ProxyProtocol: apiserver.ProtocolDirect,
-			TCP: &apiserver.TCPTransport{
+		}
-				URL: fmt.Sprintf("https://%s:%d", controlConfig.Loopback(), controlConfig.SupervisorPort),
+	} else {
-				TLSConfig: &apiserver.TLSConfig{
+		clusterConn = apiserver.Connection{
-					CABundle:   controlConfig.Runtime.ServerCA,
+			ProxyProtocol: apiserver.ProtocolHTTPConnect,
-					ClientKey:  controlConfig.Runtime.ClientKubeAPIKey,
+			Transport: &apiserver.Transport{
-					ClientCert: controlConfig.Runtime.ClientKubeAPICert,
+				TCP: &apiserver.TCPTransport{
 					URL: fmt.Sprintf("https://%s:%d", controlConfig.Loopback(), controlConfig.SupervisorPort),
 					TLSConfig: &apiserver.TLSConfig{
 						CABundle:   controlConfig.Runtime.ServerCA,
 						ClientKey:  controlConfig.Runtime.ClientKubeAPIKey,
 						ClientCert: controlConfig.Runtime.ClientKubeAPICert,
 					},
 				},
 			},
-		},
+		}
 	}
 	clusterConn := direct
 	controlConn := direct
 	switch controlConfig.EgressSelectorMode {
 	case config.EgressSelectorModeAgent:
 		controlConn = proxy
 	case config.EgressSelectorModeCluster, config.EgressSelectorModePod:
 		clusterConn = proxy
 		controlConn = proxy
 	}
 	egressConfig := apiserver.EgressSelectorConfiguration{
@ -762,10 +755,6 @@ func genEgressSelectorConfig(controlConfig *config.Control) error {
 				Name:       "cluster",
 				Connection: clusterConn,
 			},
 			{
 				Name:       "controlplane",
 				Connection: controlConn,
 			},
 		},
 	}
--- a/pkg/daemons/control/tunnel.go
+++ b/pkg/daemons/control/tunnel.go
@ -245,19 +245,14 @@ func (t *TunnelServer) dialBackend(addr string) (net.Conn, error) {
 		useTunnel = false
 	}
-	if t.server.HasSession(nodeName) {
+	if useTunnel && t.server.HasSession(nodeName) {
-		if useTunnel {
+		// Have a session and it is safe to use for this destination, do so.
-			// Have a session and it is safe to use for this destination, do so.
+		logrus.Debugf("Tunnel server egress proxy dialing %s via session to %s", addr, nodeName)
-			logrus.Debugf("Tunnel server egress proxy dialing %s via session to %s", addr, nodeName)
+		return t.server.Dial(nodeName, 15*time.Second, "tcp", addr)
 			return t.server.Dial(nodeName, 15*time.Second, "tcp", addr)
 		}
 		// Have a session but the agent doesn't support tunneling to this destination or
 		// the destination is local; fall back to direct connection.
 		logrus.Debugf("Tunnel server egress proxy dialing %s directly", addr)
 		return net.Dial("tcp", addr)
 	}
-	// don't provide a proxy connection for anything else
+	// Don't have a session, the agent doesn't support tunneling to this destination, or
-	logrus.Debugf("Tunnel server egress proxy rejecting connection to %s", addr)
+	// the destination is local; fall back to direct connection.
-	return nil, fmt.Errorf("no sessions available for host %s", host)
+	logrus.Debugf("Tunnel server egress proxy dialing %s directly", addr)
 	return net.Dial("tcp", addr)
 }