mirror of https://github.com/k3s-io/k3s
60 lines
1.5 KiB
Go
60 lines
1.5 KiB
Go
// +build !windows
|
|
|
|
package netpol
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/rancher/k3s/pkg/daemons/config"
|
|
"github.com/sirupsen/logrus"
|
|
"k8s.io/apimachinery/pkg/api/errors"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/util/wait"
|
|
"k8s.io/client-go/kubernetes"
|
|
"k8s.io/client-go/tools/clientcmd"
|
|
"k8s.io/client-go/util/retry"
|
|
)
|
|
|
|
func Run(ctx context.Context, nodeConfig *config.Node) error {
|
|
if _, err := NewSavedIPSet(false); err != nil {
|
|
logrus.Warnf("Skipping network policy controller start, ipset unavailable: %v", err)
|
|
return nil
|
|
}
|
|
|
|
restConfig, err := clientcmd.BuildConfigFromFlags("", nodeConfig.AgentConfig.KubeConfigK3sController)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
client, err := kubernetes.NewForConfig(restConfig)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// retry backoff to wait for the clusterrolebinding for the k3s tunnel controller (system:k3s-controller or equivalent)
|
|
// which has to occur before it can bring up the connection to the API server.
|
|
retryBackoff := wait.Backoff{
|
|
Steps: 6,
|
|
Duration: 100 * time.Millisecond,
|
|
Factor: 3.0,
|
|
Cap: 30 * time.Second,
|
|
}
|
|
retryErr := retry.OnError(retryBackoff, errors.IsForbidden, func() error {
|
|
_, err := client.NetworkingV1().NetworkPolicies("").List(ctx, metav1.ListOptions{})
|
|
return err
|
|
})
|
|
if retryErr != nil {
|
|
return retryErr
|
|
}
|
|
|
|
npc, err := NewNetworkPolicyController(ctx.Done(), client, time.Minute, nodeConfig.AgentConfig.NodeName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
go npc.Run(ctx.Done())
|
|
|
|
return nil
|
|
}
|