Add logic to register pod Info CRD

Currently tetragon uses cilium Endoints to get Pod Labels. Pod Info CRD is a mapping between Pod IPs and Pod metadata therefore, instead of using cilium endpoints, it can use the pod info CRs, hence removing the dependency on cilium. This commit: - Added flag to skip PodInfo CRD in the operator, tetragon will use endpoints in this case. - Integrated logic to register the PodInfo CRD with the API server, similar to tracing Policies CRD. Signed-off-by: Prateek Singh <[email protected]>
cilium · Aug 28, 2023 · bcd7caf · bcd7caf
1 parent 0de4662
commit bcd7caf
Show file tree

Hide file tree

Showing 17 changed files with 697 additions and 65 deletions.
diff --git a/install/kubernetes/templates/clusterrole.yaml b/install/kubernetes/templates/clusterrole.yaml
@@ -45,7 +45,7 @@ rules:
     resourceNames:
       - tracingpolicies.cilium.io
       - tracingpoliciesnamespaced.cilium.io
-      - tetragonpods.cilium.io
+      - podinfo.cilium.io
     verbs:
       - update
       - get

diff --git a/install/kubernetes/templates/operator_clusterrole.yaml b/install/kubernetes/templates/operator_clusterrole.yaml
@@ -17,7 +17,7 @@ rules:
   - apiGroups:
       - cilium.io
     resources:
-      - tetragonpods
+      - podinfo
     verbs:
       - create
       - delete

diff --git a/operator/crd/crd.go b/operator/crd/crd.go
@@ -55,8 +55,11 @@ func RegisterCRDs() {
 	// Register the CRDs after validating that we are running on a supported
 	// version of K8s.
 	if !option.Config.SkipCRDCreation {
-		if err := client.RegisterCRDs(k8sAPIExtClient); err != nil {
-			log.WithError(err).Fatal("Unable to register CRDs")
+		skipPodInfo := option.Config.SkipPodInfoCRD
+
+		// if skipPodInfoCRD flag set true, don't register Pod Info CRD.
+		if err := client.RegisterCRDs(k8sAPIExtClient, skipPodInfo); err != nil {
+			log.WithError(err).Fatal("Unable to Register CRDs")
 		}
 	} else {
 		log.Info("Skipping creation of CRDs")

diff --git a/operator/flags.go b/operator/flags.go
@@ -45,12 +45,15 @@ func initializeFlags() {
 
 	flags.String(operatorOption.ConfigDir, "", "Directory in which tetragon-operator-config configmap is mounted")
 
+	flags.Bool(operatorOption.SkipPodInfoCRD, false, "When true, PodInfo Custom Resource Definition (CRD) will not be created")
+
 	viper.BindPFlags(flags)
 }
 
-// Populate sets all options with the values from viper.
+// configPopulate sets all options with the values from viper.
 func configPopulate() {
 	operatorOption.Config.SkipCRDCreation = viper.GetBool(operatorOption.SkipCRDCreation)
 	operatorOption.Config.KubeCfgPath = viper.GetString(operatorOption.KubeCfgPath)
 	operatorOption.Config.ConfigDir = viper.GetString(operatorOption.ConfigDir)
+	operatorOption.Config.SkipPodInfoCRD = viper.GetBool(operatorOption.SkipPodInfoCRD)
 }
diff --git a/operator/option/config.go b/operator/option/config.go
@@ -18,6 +18,10 @@ const (
 
 	// ConfigDir specifies the directory in which tetragon-operator-config configmap is mounted.
 	ConfigDir = "config-dir"
+
+	// SkipPodInfoCRD specifies whether the tetragonPod CustomResourceDefinition will be
+	// disabled
+	SkipPodInfoCRD = "skip-pod-info-crd"
 )
 
 // OperatorConfig is the configuration used by the operator.
@@ -31,6 +35,9 @@ type OperatorConfig struct {
 
 	// ConfigDir specifies the directory in which tetragon-operator-config configmap is mounted.
 	ConfigDir string
+
+	// SkipPodInfoCRD disables creation of the TetragonPod CustomResourceDefinition only.
+	SkipPodInfoCRD bool
 }
 
 // Config represents the operator configuration.

diff --git a/pkg/k8s/Makefile b/pkg/k8s/Makefile
@@ -29,6 +29,7 @@ generate:
 	  -o . \
 	  --trim-path-prefix github.com/cilium/tetragon/pkg/k8s \
 	  --plural-exceptions TracingPolicyNamespaced:TracingPoliciesNamespaced \
+	  --plural-exceptions PodInfo:PodInfo \
 
 .PHONY: vendor
 vendor:

diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_podinfo.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_podinfo.yaml
@@ -0,0 +1,63 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  name: podinfo.cilium.io
+spec:
+  group: cilium.io
+  names:
+    kind: PodInfo
+    listKind: PodInfoList
+    plural: podinfo
+    singular: podinfo
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: PodInfo is the Schema for the PodInfo API
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              properties:
+                hostNetwork:
+                  description: Host networking requested for this pod. Use the host's
+                    network namespace. If this option is set, the ports that will be
+                    used must be specified.
+                  type: boolean
+              type: object
+            status:
+              properties:
+                podIP:
+                  description: IP address allocated to the pod. Routable at least within
+                    the cluster. Empty if not yet allocated.
+                  type: string
+                podIPs:
+                  description: List of Ip addresses allocated to the pod. 0th entry
+                    must be same as PodIP.
+                  items:
+                    properties:
+                      ip:
+                        description: ip is an IP address (IPv4 or IPv6) assigned to
+                          the pod
+                        type: string
+                    type: object
+                  type: array
+              type: object
+          type: object
+      served: true
+      storage: true
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_podinfoes.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_podinfoes.yaml
@@ -0,0 +1,70 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.12.1
+  creationTimestamp: null
+  name: podinfoes.cilium.io
+spec:
+  group: cilium.io
+  names:
+    kind: PodInfo
+    listKind: PodInfoList
+    plural: podinfoes
+    singular: podinfo
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PodInfo is the Scheme for the Podinfo API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              hostNetwork:
+                description: Host networking requested for this pod. Use the host's
+                  network namespace. If this option is set, the ports that will be
+                  used must be specified.
+                type: boolean
+            type: object
+          status:
+            properties:
+              podIP:
+                description: IP address allocated to the pod. Routable at least within
+                  the cluster. Empty if not yet allocated.
+                type: string
+              podIPs:
+                description: List of Ip addresses allocated to the pod. 0th entry
+                  must be same as PodIP.
+                items:
+                  properties:
+                    IP:
+                      description: IP is an IP address (IPv4 or IPv6) assigned to
+                        the pod
+                      type: string
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []