Skip to content

Commit

Permalink
Add core code to support namespace based CRDs
Browse files Browse the repository at this point in the history
For security reasons, cluster admins may want to limit certain applications
to only loading eBPF programs within a given namespace. Currently, all bpfman
Custom Resource Definitions (CRDs) are Cluster scoped. To provide cluster admins
with tighter controls on eBPF program loading, some of the bpfman CRDs also need
to be Namespace scoped.

See Design Doc: bpfman/bpfman#1359

Signed-off-by: Billy McFall <22157057+Billy99@users.noreply.github.com>
  • Loading branch information
Billy99 committed Dec 20, 2024
1 parent 9191140 commit 7bfea5c
Show file tree
Hide file tree
Showing 180 changed files with 19,038 additions and 617 deletions.
191 changes: 119 additions & 72 deletions PROJECT
Original file line number Diff line number Diff line change
Expand Up @@ -4,82 +4,129 @@
# More info: https://book.kubebuilder.io/reference/project-config.html
domain: bpfman.io
layout:
- go.kubebuilder.io/v3
- go.kubebuilder.io/v3
plugins:
manifests.sdk.operatorframework.io/v2: {}
scorecard.sdk.operatorframework.io/v2: {}
projectName: bpfman-operator
repo: github.com/bpfman
resources:
- api:
crdVersion: v1
namespaced: true
controller: true
domain: bpfman.io
kind: BpfProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: XdpProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: TcProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: TcxProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: TracePointProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: KprobeProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: UprobeProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: FentryProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: FexitProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: BpfApplication
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: BpfProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: XdpProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: TcProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: TcxProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: TracePointProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: KprobeProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: UprobeProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: FentryProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: FexitProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: bpfman.io
kind: BpfApplication
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
namespaced: true
controller: true
domain: bpfman.io
kind: BpfNsProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
namespaced: true
controller: true
domain: bpfman.io
kind: XdpNsProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
namespaced: true
controller: true
domain: bpfman.io
kind: TcNsProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
namespaced: true
controller: true
domain: bpfman.io
kind: TcxNsProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
namespaced: true
controller: true
domain: bpfman.io
kind: UprobeNsProgram
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
namespaced: true
controller: true
domain: bpfman.io
kind: BpfNsApplication
path: github.com/bpfman/bpfman-operator/apis/v1alpha1
version: v1alpha1
version: "3"
52 changes: 34 additions & 18 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -173,32 +173,48 @@ xdp-pass-all-nodes pass {} 0 {"primarynodein

## API Types Overview

Refer to [api-spec.md](https://bpfman.io/main/developer-guide/api-spec/) for a detailed description of all the bpfman Kubernetes API types.
Refer to [api-spec.md](https://bpfman.io/main/developer-guide/api-spec/) for a more detailed description of all the
bpfman Kubernetes API types.

### Cluster Scoped Versus Namespaced Scoped CRDs

For security reasons, cluster admins may want to limit certain applications to only loading eBPF programs
within a given namespace.
To provide these tighter controls on eBPF program loading, some of the bpfman Custom Resource Definitions (CRDs)
are Namespace scoped.
Not all eBPF programs make sense to be namespaced scoped.
The namespaced scoped CRDs use the "<ProgramType\>NsProgram" identifier and cluster scoped CRDs to use "<ProgramType\>Program"
identifier.

### Multiple Program CRDs

The multiple `*Program` CRDs are the bpfman Kubernetes API objects most relevant to users.
They express how and where eBPF programs are to be deployed within a Kubernetes cluster. Currently,
bpfman supports:
The multiple `*Program` CRDs are the bpfman Kubernetes API objects most relevant to users and can be used to
understand clusterwide state for an eBPF program.
It's designed to express how, and where eBPF programs are to be deployed within a Kubernetes cluster.
Currently bpfman supports:

* `fentryProgram`
* `fexitProgram`
* `kprobeProgram`
* `tcProgram`
* `tcProgram` and `tcNsProgram`
* `tcxProgram` and `tcxNsProgram`
* `tracepointProgram`
* `uprobeProgram`
* `xdpProgram`

## BpfApplication CRD

The `BpfApplication` CRD is designed for managing eBPF programs at an application level within a Kubernetes cluster.
This CRD allows Kubernetes users to define which eBPF programs are essential for an application's operations and specify
how these programs should be deployed across the cluster.

## BpfProgram CRD

The `BpfProgram` CRD is used internally by the `bpfman-deployment` to keep track of per-node `bpfman` state,
such as map pinpoints, and to report node-specific errors back to the user.
* `uprobeProgram` and `uprobeNsProgam`
* `xdpProgram` and `xdpNsProgram`

There is also the `bpfApplication` and `bpfNsApplication` CRDs, which are
designed for managing eBPF programs at an application level within a Kubernetes cluster.
These CRD allows Kubernetes users to define which eBPF programs are essential for an application's operations
and specify how these programs should be deployed across the cluster.
With cluster scoped variant (`bpfApplication`), any variation of the cluster scoped
eBPF programs can be loaded.
With namespace scoped variant (`bpfNsApplication`), any variation of the namespace scoped
eBPF programs can be loaded.

### BpfProgram and BpfNsProgram CRD

The `BpfProgram` and `BpfNsProgram` CRDs are used internally by the bpfman-deployment to keep track of per
node bpfman state such as map pin points, and to report node specific errors back to the user.
Kubernetes' users/controllers are only allowed to view these objects, NOT create or edit them.

Applications wishing to use `bpfman` to deploy/manage their eBPF programs in Kubernetes will make use of this
Expand Down
File renamed without changes.
97 changes: 97 additions & 0 deletions apis/v1alpha1/bpfNsApplication_types.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
/*
Copyright 2024.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// BpfNsApplicationProgram defines the desired state of BpfApplication
// +union
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'XDP' ? has(self.xdp) : !has(self.xdp)",message="xdp configuration is required when type is XDP, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'TC' ? has(self.tc) : !has(self.tc)",message="tc configuration is required when type is TC, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'TCX' ? has(self.tcx) : !has(self.tcx)",message="tcx configuration is required when type is TCX, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Uprobe' ? has(self.uprobe) : !has(self.uprobe)",message="uprobe configuration is required when type is Uprobe, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Uretprobe' ? has(self.uretprobe) : !has(self.uretprobe)",message="uretprobe configuration is required when type is Uretprobe, and forbidden otherwise"
type BpfNsApplicationProgram struct {
// Type specifies the bpf program type
// +unionDiscriminator
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum:="XDP";"TC";"TCX";"Uprobe";"Uretprobe"
Type EBPFProgType `json:"type,omitempty"`

// xdp defines the desired state of the application's XdpNsPrograms.
// +unionMember
// +optional
XDP *XdpNsProgramInfo `json:"xdp,omitempty"`

// tc defines the desired state of the application's TcNsPrograms.
// +unionMember
// +optional
TC *TcNsProgramInfo `json:"tc,omitempty"`

// tcx defines the desired state of the application's TcxNsPrograms.
// +unionMember
// +optional
TCX *TcxNsProgramInfo `json:"tcx,omitempty"`

// uprobe defines the desired state of the application's UprobeNsPrograms.
// +unionMember
// +optional
Uprobe *UprobeNsProgramInfo `json:"uprobe,omitempty"`

// uretprobe defines the desired state of the application's UretprobeNsPrograms.
// +unionMember
// +optional
Uretprobe *UprobeNsProgramInfo `json:"uretprobe,omitempty"`
}

// BpfApplicationSpec defines the desired state of BpfApplication
type BpfNsApplicationSpec struct {
BpfAppCommon `json:",inline"`

// Programs is a list of bpf programs supported for a specific application.
// It's possible that the application can selectively choose which program(s)
// to run from this list.
// +kubebuilder:validation:MinItems:=1
Programs []BpfNsApplicationProgram `json:"programs,omitempty"`
}

// +genclient
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
//+kubebuilder:resource:scope=Namespaced

// BpfNsApplication is the Schema for the bpfapplications API
// +kubebuilder:printcolumn:name="NodeSelector",type=string,JSONPath=`.spec.nodeselector`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason`
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
type BpfNsApplication struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Spec BpfNsApplicationSpec `json:"spec,omitempty"`
Status BpfApplicationStatus `json:"status,omitempty"`
}

// +kubebuilder:object:root=true
// BpfNsApplicationList contains a list of BpfNsApplications
type BpfNsApplicationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []BpfNsApplication `json:"items"`
}
Loading

0 comments on commit 7bfea5c

Please sign in to comment.