Documentation ¶
Index ¶
- Constants
- Variables
- func GetFd(f fs.File) (uintptr, error)
- func GetInode(fi fs.FileInfo) (uint64, error)
- func GetPodUIDAndContainerID(procCgroupData bytes.Buffer) (types.UID, string, error)
- func NetnsDo(fdable NetnsFd, toRun func() error) error
- func NetnsSet(n NetnsFd) error
- func StartHealthServer() (installReady *atomic.Value, watchReady *atomic.Value)
- type AmbientArgs
- type CNIPluginAddEvent
- type Cgroup
- type CniPluginServer
- type IPConfig
- type InformerHandlers
- type K8sHandlers
- type MeshDataplane
- type NetServer
- func (s *NetServer) AddPodToMesh(ctx context.Context, pod *corev1.Pod, podIPs []netip.Addr, netNs string) error
- func (s *NetServer) ConstructInitialSnapshot(ambientPods []*corev1.Pod) error
- func (s *NetServer) RemovePodFromMesh(ctx context.Context, pod *corev1.Pod, isDelete bool) error
- func (s *NetServer) Start(ctx context.Context)
- func (s *NetServer) Stop(_ bool)
- type Netns
- type NetnsCloser
- type NetnsFd
- type NetnsWithFd
- type NetnsWrapper
- type PartialAddError
- type PodNetnsCache
- type PodNetnsEntry
- type PodNetnsFinder
- type PodNetnsProcFinder
- type PodToNetns
- type Server
- type WorkloadInfo
- type ZtunnelConnection
- type ZtunnelServer
Constants ¶
const (
	// to reliably identify kubelet healthprobes from inside the pod (versus standard kube-proxy traffic,
	// since the IP is normally the same), we SNAT identified host probes in the host netns to a fixed
	// APIPA/"link-local" IP.
	//
	// It doesn't matter what this IP is, so long as it's not routable and doesn't collide with anything else.
	//
	// IPv6 link local ranges are designed to be collision-resistant by default, and so probably never need to be overridden

	// DefaultHostProbeSNATIP is the IPv4 source address identified host probes are SNATed to.
	// It is the default for the HOST_PROBE_SNAT_IP override; 169.254.0.0/16 is the APIPA/link-local
	// range and is never globally routable.
	DefaultHostProbeSNATIP = "169.254.7.127"
	// DefaultHostProbeSNATIPV6 is the IPv6 counterpart and the default for HOST_PROBE_SNAT_IPV6.
	// NOTE(review): fd16::/16 lies in the unique-local (fc00::/7) range rather than the fe80::/10
	// link-local range the comment above mentions; it is still not globally routable, which is the
	// property the probe SNAT relies on.
	DefaultHostProbeSNATIPV6 = "fd16:9254:7127:1337:ffff:ffff:ffff:ffff"
)
Variables ¶
var (
	// PodNamespace is the namespace of this agent's pod, read from POD_NAMESPACE (no default).
	PodNamespace = env.RegisterStringVar("POD_NAMESPACE", "", "pod's namespace").Get()
	// SystemNamespace is the istio system namespace, read from SYSTEM_NAMESPACE and
	// defaulting to constants.IstioSystemNamespace.
	SystemNamespace = env.RegisterStringVar("SYSTEM_NAMESPACE", constants.IstioSystemNamespace, "istio system namespace").Get()
	// PodName is read from POD_NAME (no default); presumably the agent pod's own name — confirm against the deployment.
	PodName = env.RegisterStringVar("POD_NAME", "", "").Get()
	// NodeName is read from NODE_NAME (no default); presumably the node this agent runs on — confirm.
	NodeName = env.RegisterStringVar("NODE_NAME", "", "").Get()
	// Revision is read from REVISION (no default).
	Revision = env.RegisterStringVar("REVISION", "", "").Get()
	// HostProbeSNATIP is the IPv4 address host probes are SNATed to, read from HOST_PROBE_SNAT_IP
	// and defaulting to DefaultHostProbeSNATIP. netip.MustParseAddr panics at package init on an
	// unparsable value, so a malformed override fails fast rather than being silently ignored.
	// NOTE(review): the value is only parsed, not checked to be non-routable or to be an IPv4
	// address; the operator-supplied override is trusted to honour the DefaultHostProbeSNATIP comment.
	HostProbeSNATIP = netip.MustParseAddr(env.RegisterStringVar("HOST_PROBE_SNAT_IP", DefaultHostProbeSNATIP, "").Get())
	// HostProbeSNATIPV6 is the IPv6 counterpart, read from HOST_PROBE_SNAT_IPV6 and defaulting to
	// DefaultHostProbeSNATIPV6; same parse-only validation as HostProbeSNATIP.
	HostProbeSNATIPV6 = netip.MustParseAddr(env.RegisterStringVar("HOST_PROBE_SNAT_IPV6", DefaultHostProbeSNATIPV6, "").Get())
	// UseScopedIptablesLegacyLocking is read from AMBIENT_USE_SCOPED_XTABLES_LOCKING and defaults to true.
	// How the flag affects iptables invocation is not visible here — see the iptables code that consumes it.
	UseScopedIptablesLegacyLocking = env.RegisterBoolVar("AMBIENT_USE_SCOPED_XTABLES_LOCKING", true, "").Get()
)
// ErrPartialAdd is the sentinel for a pod add that only partially succeeded; NewErrPartialAdd wraps a
// cause into a *PartialAddError, which presumably exposes this sentinel through Unwrap — confirm.
// Callers should test with errors.Is(err, ErrPartialAdd).
var ErrPartialAdd = errors.New("partial add error")

// ErrPodNotFound is returned when a netns path was not supplied and the pod is not in the netns cache,
// so there is no way to locate its network namespace.
var ErrPodNotFound = errors.New("netns not provided, but is needed as pod is not in cache")
var (
	// EventTotals is the nodeagent_reconcile_events_total counter, incremented for node agent
	// reconcile events. Which labels it carries is not visible here.
	EventTotals = monitoring.NewSum(
		"nodeagent_reconcile_events_total",
		"The total number of node agent reconcile events.",
	)
)
Functions ¶
func GetPodUIDAndContainerID ¶
Types ¶
type AmbientArgs ¶
type CNIPluginAddEvent ¶
CNIPluginAddEvent is a composite of the CNI plugin add event struct plus some extracted "args".
type Cgroup ¶
Cgroup represents a linux cgroup.
func GetCgroups ¶
GetCgroups returns a slice of cgroups for pid, using fs for filesystem calls.
The expected cgroup format is "hierarchy-ID:controller-list:cgroup-path", and this function returns an error if any cgroup does not meet that format.
For more information, see:
type CniPluginServer ¶
// CniPluginServer is the UDS server that receives add events from the CNI chain plugin
// (see Start) and reconciles them via ReconcileCNIAddEvent.
type CniPluginServer struct {
	// contains filtered or unexported fields
}
func (*CniPluginServer) ReconcileCNIAddEvent ¶
func (s *CniPluginServer) ReconcileCNIAddEvent(ctx context.Context, addCmd CNIPluginAddEvent) error
func (*CniPluginServer) Start ¶
func (s *CniPluginServer) Start() error
Start starts up a UDS server which receives events from the CNI chain plugin.
func (*CniPluginServer) Stop ¶
func (s *CniPluginServer) Stop()
type IPConfig ¶
IPConfig contains an interface/gateway/address combo defined for a newly-started pod by CNI. This is "from the horse's mouth" so to speak and will be populated before Kube is informed of the pod IP.
type InformerHandlers ¶
// InformerHandlers wraps the K8S informer handlers used to answer pod lookups such as
// GetPodIfAmbientEnabled and GetActiveAmbientPodSnapshot.
type InformerHandlers struct {
	// contains filtered or unexported fields
}
func (*InformerHandlers) GetActiveAmbientPodSnapshot ¶
func (s *InformerHandlers) GetActiveAmbientPodSnapshot() []*corev1.Pod
GetActiveAmbientPodSnapshot returns a point-in-time snapshot of all pods that are CURRENTLY ambient enabled (as per the control plane annotation). Note that this is not the same thing as SHOULD be enabled or WILL be enabled. At the moment this is only used for building the initial snapshot.
func (*InformerHandlers) GetPodIfAmbientEnabled ¶
func (s *InformerHandlers) GetPodIfAmbientEnabled(podName, podNamespace string) (*corev1.Pod, error)
GetPodIfAmbientEnabled looks up a pod. It returns:
- an error if the pod cannot be found
- nil if the pod is found, but is not currently eligible for ambient enrollment
- the pod, if it is found and is currently eligible for ambient enrollment
func (*InformerHandlers) Start ¶
func (s *InformerHandlers) Start()
type K8sHandlers ¶
type MeshDataplane ¶
// MeshDataplane is the node-local dataplane contract: building the initial state-of-the-world
// snapshot, then adding and removing pods as events arrive. NetServer's method set matches it.
type MeshDataplane interface {
	// MUST be called first, (even before Start()).
	ConstructInitialSnapshot(ambientPods []*corev1.Pod) error
	// Start begins serving; ctx presumably bounds its lifetime — confirm against the implementation.
	Start(ctx context.Context)
	// AddPodToMesh enrolls pod. podIPs are passed separately from pod because a K8S Add event may
	// arrive before CNI has populated the pod's IPs; netNs is the pod's network namespace path.
	AddPodToMesh(ctx context.Context, pod *corev1.Pod, podIPs []netip.Addr, netNs string) error
	// RemovePodFromMesh un-enrolls pod; isDelete distinguishes a deleted pod from one that merely
	// left the mesh (how the two cases differ is not visible here).
	RemovePodFromMesh(ctx context.Context, pod *corev1.Pod, isDelete bool) error
	// Stop shuts the dataplane down; skipCleanup presumably leaves host/pod netns rules in place — confirm.
	Stop(skipCleanup bool)
}
type NetServer ¶
// NetServer adapts CNI events to the ztunnel server and implements MeshDataplane. It is
// decoupled from K8S so it can be integration-tested without a cluster.
type NetServer struct {
	// contains filtered or unexported fields
}
NetServer adapts CNI to the ztunnel server. It is decoupled from k8s for easier integration testing.
func (*NetServer) AddPodToMesh ¶
func (s *NetServer) AddPodToMesh(ctx context.Context, pod *corev1.Pod, podIPs []netip.Addr, netNs string) error
AddPodToMesh adds a pod to the mesh by:
1. Getting the netns (and making sure the netns is cached in the ztunnel state-of-the-world snapshot)
2. Adding the pod's IPs to the host netns ipsets for node probe checks
3. Creating iptables rules inside the pod's netns
4. Notifying the connected ztunnel via gRPC to create a proxy for the pod
You may ask why we pass the pod IPs separately from the pod manifest itself (which contains the pod IPs as a field) - this is because during add specifically, if CNI plugins have not finished executing, K8S may get a pod Add event without any IPs in the object, and the pod will later be updated with IPs.
We always need the IPs, but this is fine because this AddPodToMesh can be called from the CNI plugin as well, which always has the firsthand info of the IPs, even before K8S does - so we pass them separately here because we actually may have them before K8S in the Pod object.
func (*NetServer) ConstructInitialSnapshot ¶
ConstructInitialSnapshot is always called first, before Start. It takes a "snapshot" of ambient pods that were already running when the server started, and:
- initializes an internal cache of pod info and netns handles with these existing pods. This cache is also updated when the K8S informer sees a new pod. It represents the "state of the world" of all enrolled pods on the node that this agent knows about, and is sent to any connecting ztunnel as a startup message.
func (*NetServer) RemovePodFromMesh ¶
RemovePodFromMesh is called when a pod needs to be removed from the mesh.
It:
- Informs the connected ztunnel that the pod no longer needs to be proxied.
- Removes the pod's netns file handle from the cache/state-of-the-world snapshot.
- Steps into the pod netns to remove the in-pod iptables redirection rules.
type NetnsCloser ¶
func OpenNetns ¶
func OpenNetns(nspath string) (NetnsCloser, error)
type NetnsWithFd ¶
// NetnsWithFd is a network-namespace handle backed by an open file descriptor; it exposes
// Fd and Inode and releases the descriptor via Close.
type NetnsWithFd struct {
	// contains filtered or unexported fields
}
func (*NetnsWithFd) Close ¶
func (n *NetnsWithFd) Close() error
func (*NetnsWithFd) Fd ¶
func (n *NetnsWithFd) Fd() uintptr
func (*NetnsWithFd) Inode ¶
func (n *NetnsWithFd) Inode() uint64
type NetnsWrapper ¶
// NetnsWrapper is a second network-namespace handle type with the same Fd/Inode/Close method set
// as NetnsWithFd; what it wraps is not visible here.
type NetnsWrapper struct {
	// contains filtered or unexported fields
}
func (*NetnsWrapper) Close ¶
func (n *NetnsWrapper) Close() error
func (*NetnsWrapper) Fd ¶
func (n *NetnsWrapper) Fd() uintptr
func (*NetnsWrapper) Inode ¶
func (n *NetnsWrapper) Inode() uint64
type PartialAddError ¶
// PartialAddError reports a pod add that only partially completed. Construct it with
// NewErrPartialAdd; Unwrap returns the underlying errors so callers can use errors.Is/errors.As
// (presumably including ErrPartialAdd — confirm).
type PartialAddError struct {
	// contains filtered or unexported fields
}
func NewErrPartialAdd ¶
func NewErrPartialAdd(err error) *PartialAddError
func (*PartialAddError) Error ¶
func (e *PartialAddError) Error() string
func (*PartialAddError) Unwrap ¶
func (e *PartialAddError) Unwrap() []error
type PodNetnsCache ¶
// PodNetnsCache exposes the current state-of-the-world snapshot of enrolled pods.
type PodNetnsCache interface {
	// ReadCurrentPodSnapshot returns the current pod snapshot keyed by string
	// (presumably pod UID, matching PodToNetns — confirm).
	ReadCurrentPodSnapshot() map[string]WorkloadInfo
}
type PodNetnsEntry ¶
// PodNetnsEntry is a single cache entry for a pod's network namespace; its fields are unexported.
type PodNetnsEntry struct {
	// contains filtered or unexported fields
}
type PodNetnsFinder ¶
type PodNetnsProcFinder ¶
// PodNetnsProcFinder locates pod network namespaces by walking a proc filesystem supplied as
// an fs.FS (see NewPodNetnsProcFinder), which keeps it testable against a fake tree.
type PodNetnsProcFinder struct {
	// contains filtered or unexported fields
}
func NewPodNetnsProcFinder ¶
func NewPodNetnsProcFinder(proc fs.FS) *PodNetnsProcFinder
func (*PodNetnsProcFinder) FindNetnsForPods ¶
func (p *PodNetnsProcFinder) FindNetnsForPods(pods map[types.UID]*corev1.Pod) (PodToNetns, error)
type PodToNetns ¶
// PodToNetns maps a pod key (string; presumably the pod UID, given FindNetnsForPods is keyed by
// types.UID — confirm) to its WorkloadInfo. Close releases the netns handles it holds.
type PodToNetns map[string]WorkloadInfo
func (PodToNetns) Close ¶
func (p PodToNetns) Close()
type Server ¶
// Server is the top-level node agent server; ShouldStopForUpgrade is its only exported method here.
type Server struct {
	// contains filtered or unexported fields
}
func (*Server) ShouldStopForUpgrade ¶
type WorkloadInfo ¶
// WorkloadInfo pairs the ztunnel-facing description of a workload with the handle to its
// network namespace.
type WorkloadInfo struct {
	// Workload is the zds API representation sent to ztunnel.
	Workload *zdsapi.WorkloadInfo
	// Netns is an open handle to the pod's network namespace; it must be closed when the entry is
	// dropped (PodToNetns.Close presumably does this — confirm) so descriptors are not leaked.
	Netns NetnsCloser
}
type ZtunnelConnection ¶
// ZtunnelConnection is a single connection to a ztunnel; Close tears it down.
type ZtunnelConnection struct {
	// Updates carries update requests destined for this connection; who sends and who drains it
	// is not visible here.
	Updates chan updateRequest
	// contains filtered or unexported fields
}
func (*ZtunnelConnection) Close ¶
func (z *ZtunnelConnection) Close()