feat: add support for OpenShift

deployments/liqo/README.md

@@ -97,7 +97,7 @@
 | networking.fabric.pod.priorityClassName | string | `""` | PriorityClassName (https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority) for the fabric pod. |
 | networking.fabric.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the fabric pod. |
 | networking.fabric.tolerations | list | `[]` | Extra tolerations for the fabric daemonset. |
-| networking.gatewayTemplates | object | `{"container":{"gateway":{"image":{"name":"ghcr.io/liqotech/gateway","version":""}},"geneve":{"image":{"name":"ghcr.io/liqotech/gateway/geneve","version":""}},"wireguard":{"image":{"name":"ghcr.io/liqotech/gateway/wireguard","version":""}}},"ping":{"interval":"2s","lossThreshold":5,"updateStatusInterval":"10s"},"replicas":1,"server":{"service":{"allocateLoadBalancerNodePorts":"","annotations":{}}},"wireguard":{"implementation":"kernel"}}` | Set the options for the default gateway (server/client) templates. The default templates use a WireGuard implementation to connect the gateway of the clusters. These options are used to configure only the default templates and should not be considered if a custom template is used. |
+| networking.gatewayTemplates | object | `{"container":{"gateway":{"image":{"name":"ghcr.io/liqotech/gateway","version":""}},"geneve":{"image":{"name":"ghcr.io/liqotech/gateway/geneve","version":""}},"wireguard":{"image":{"name":"ghcr.io/liqotech/gateway/wireguard","version":""}}},"ping":{"interval":"2s","lossThreshold":5,"updateStatusInterval":"10s"},"replicas":1,"server":{"service":{"allocateLoadBalancerNodePorts":"","annotations":{}}},"wireguard":{"implementation":"userspace"}}` | Set the options for the default gateway (server/client) templates. The default templates use a WireGuard implementation to connect the gateway of the clusters. These options are used to configure only the default templates and should not be considered if a custom template is used. |
 | networking.gatewayTemplates.container.gateway.image.name | string | `"ghcr.io/liqotech/gateway"` | Image repository for the gateway container. |
 | networking.gatewayTemplates.container.gateway.image.version | string | `""` | Custom version for the gateway image. If not specified, the global tag is used. |
 | networking.gatewayTemplates.container.geneve.image.name | string | `"ghcr.io/liqotech/gateway/geneve"` | Image repository for the geneve container. |
@@ -113,7 +113,7 @@
 | networking.gatewayTemplates.server.service | object | `{"allocateLoadBalancerNodePorts":"","annotations":{}}` | Set the options to configure the server service |
 | networking.gatewayTemplates.server.service.allocateLoadBalancerNodePorts | string | `""` | Set to "false" if you expose the gateway service as LoadBalancer and you do not want to create also a NodePort associated to it (Note: this setting is useful only on cloud providers that support this feature). |
 | networking.gatewayTemplates.server.service.annotations | object | `{}` | Annotations for the server service. |
-| networking.gatewayTemplates.wireguard.implementation | string | `"kernel"` | Set the implementation used for the WireGuard connection. Possible values are "kernel" and "userspace". |
+| networking.gatewayTemplates.wireguard.implementation | string | `"userspace"` | Set the implementation used for the WireGuard connection. Possible values are "kernel" and "userspace". |
 | networking.genevePort | int | `6091` | The port used by the geneve tunnels. |
 | networking.reflectIPs | bool | `true` | Reflect pod IPs and EnpointSlices to the remote clusters. |
 | networking.serverResources | list | `[{"apiVersion":"networking.liqo.io/v1beta1","resource":"wggatewayservers"}]` | Set the list of resources that implement the GatewayServer |
@@ -150,8 +150,10 @@
 | offloading.runtimeClass.nodeSelector.labels | object | `{"liqo.io/type":"virtual-node"}` | Labels for the node selector. |
 | offloading.runtimeClass.tolerations | object | `{"enabled":true,"tolerations":[{"effect":"NoExecute","key":"virtual-node.liqo.io/not-allowed","operator":"Exists"}]}` | Tolerations for the runtime class. |
 | offloading.runtimeClass.tolerations.tolerations | list | `[{"effect":"NoExecute","key":"virtual-node.liqo.io/not-allowed","operator":"Exists"}]` | Tolerations for the tolerations. |
-| openshiftConfig.enabled | bool | `false` | Enable/Disable the OpenShift support, enabling Openshift-specific resources, and setting the pod security contexts in a way that is compatible with Openshift. |
-| openshiftConfig.virtualKubeletSCCs | list | `["anyuid"]` | Security context configurations granted to the virtual kubelet in the local cluster. The configuration of one or more SCCs for the virtual kubelet is not strictly required, and privileges can be reduced in production environments. Still, the default configuration (i.e., anyuid) is suggested to prevent problems (i.e., the virtual kubelet fails to add the appropriate labels) when attempting to offload pods not managed by higher-level abstractions (e.g., Deployments), and not associated with a properly privileged service account. Indeed, "anyuid" is the SCC automatically associated with pods created by cluster administrators. Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded. |
+| openshiftConfig.enabled | bool | `true` | Enable/Disable the OpenShift support, enabling Openshift-specific resources, and setting the pod security contexts in a way that is compatible with Openshift. |
+| openshiftConfig.gatewayServiceAccountPrefixes | list | `["gw-"]` | Prefixes or specific names of gateway service accounts that should be granted SCC privileges |
+| openshiftConfig.gatewayServiceAccounts | list | `[]` | List of service accounts that should be bound to the gateway security context constraint |
+| openshiftConfig.virtualKubeletSCCs | list | `["anyuid","privileged"]` | Security context configurations granted to the virtual kubelet in the local cluster. The configuration of one or more SCCs for the virtual kubelet is not strictly required, and privileges can be reduced in production environments. Still, the default configuration (i.e., anyuid) is suggested to prevent problems (i.e., the virtual kubelet fails to add the appropriate labels) when attempting to offload pods not managed by higher-level abstractions (e.g., Deployments), and not associated with a properly privileged service account. Indeed, "anyuid" is the SCC automatically associated with pods created by cluster administrators. Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded. |
 | proxy.config.listeningPort | int | `8118` | Port used by the proxy pod. |
 | proxy.enabled | bool | `true` | Enable/Disable the proxy pod. This pod is mandatory to allow in-band peering and to connect to the consumer k8s api server from a remotly offloaded pod. |
 | proxy.image.name | string | `"ghcr.io/liqotech/proxy"` | Image repository for the proxy pod. |

deployments/liqo/files/liqo-controller-manager-ClusterRole.yaml

@@ -18,6 +18,13 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces/finalizers
+  - nodes/finalizers
+  verbs:
+  - update
 - apiGroups:
   - ""
   resources:
@@ -61,6 +68,8 @@ rules:
   resources:
   - identities/finalizers
   - renews/finalizers
+  - resourceslices/finalizers
+  - tenants/finalizers
   verbs:
   - update
 - apiGroups:
@@ -189,6 +198,20 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - networking.liqo.io
+  resources:
+  - configurations/finalizers
+  - gatewayclients/finalizers
+  - gatewayservers/finalizers
+  - genevetunnels/finalizers
+  - internalfabrics/finalizers
+  - internalnodes/finalizers
+  - routeconfigurations/finalizers
+  - wggatewayclients/finalizers
+  - wggatewayservers/finalizers
+  verbs:
+  - update
 - apiGroups:
   - networking.liqo.io
   resources:
@@ -260,6 +283,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - offloading.liqo.io
+  resources:
+  - quotas/finalizers
+  verbs:
+  - update
 - apiGroups:
   - offloading.liqo.io
   resources:
@@ -284,6 +313,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings/finalizers
+  - clusterroles/finalizers
+  - rolebindings/finalizers
+  verbs:
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

deployments/liqo/templates/liqo-fabric-daemonset.yaml

@@ -30,6 +30,8 @@ spec:
           operator: Exists
         - effect: NoSchedule
           key: node-role.kubernetes.io/master
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/infra
         - effect: NoSchedule
           key: node-role.kubernetes.io/control-plane
         {{- if .Values.networking.fabric.tolerations }}

deployments/liqo/templates/liqo-fabric-rbac.yaml

@@ -1,4 +1,4 @@
-{{- $fabricConfig := (merge (dict "name" "fabric" "module" "networking") .) -}}
+{{- $fabricConfig := (merge (dict "name" "fabric" "module" "networking" "version" .Values.networking.fabric.image.version ) .) -}}
 
 {{- if .Values.networking.enabled }}
 
@@ -31,5 +31,15 @@ metadata:
   labels:
     {{- include "liqo.labels" $fabricConfig | nindent 4 }}
 {{ .Files.Get (include "liqo.cluster-role-filename" (dict "prefix" ( include "liqo.prefixedName" $fabricConfig))) }}
+{{- if .Values.openshiftConfig.enabled }}
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - {{ include "liqo.prefixedName" $fabricConfig }}
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+{{- end }}
 
 {{- end }}

deployments/liqo/templates/liqo-gateway-rbac.yaml

@@ -10,5 +10,15 @@ metadata:
   labels:
     {{- include "liqo.labels" $gatewayConfig | nindent 4 }}
 {{ .Files.Get (include "liqo.cluster-role-filename" (dict "prefix" ( include "liqo.prefixedName" $gatewayConfig))) }}
+{{- if .Values.openshiftConfig.enabled }}
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - liqo-gateway
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+{{- end }}
 
 {{- end }}

deployments/liqo/templates/liqo-gateway-scc.yaml

@@ -0,0 +1,44 @@
+{{- if and .Values.networking.enabled .Values.openshiftConfig.enabled }}
+
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: liqo-gateway
+  labels:
+    {{- include "liqo.labels" . | nindent 4 }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- NET_ADMIN
+- NET_RAW
+defaultAddCapabilities: []
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities: []
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+{{- range .Values.openshiftConfig.gatewayServiceAccounts }}
+- system:serviceaccount:{{ $.Release.Namespace }}:{{ . }}
+{{- end }}
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+
+{{- end }}

deployments/liqo/templates/liqo-scc.yaml

@@ -0,0 +1,43 @@
+{{- $fabricConfig := (merge (dict "name" "fabric" "module" "networking" "version" .Values.networking.fabric.image.version ) .) -}}
+
+{{- if and .Values.openshiftConfig.enabled .Values.networking.enabled }}
+
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "liqo.prefixedName" $fabricConfig }}
+  labels:
+    {{- include "liqo.labels" $fabricConfig | nindent 4 }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: false
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- NET_ADMIN
+- NET_RAW
+defaultAddCapabilities: []
+fsGroup:
+  type: RunAsAny
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+- '*'
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ include "liqo.prefixedName" $fabricConfig }}
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+
+{{- end }}

deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml

@@ -24,10 +24,13 @@ spec:
       service:
         metadata:
           {{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
-          {{- if .Values.networking.gatewayTemplates.server.service.annotations }}
           annotations:
+            {{- if .Values.networking.gatewayTemplates.server.service.annotations }}
             {{- toYaml .Values.networking.gatewayTemplates.server.service.annotations | nindent 12 }}
-          {{- end }}
+            {{- end }}
+            service.beta.kubernetes.io/aws-load-balancer-type: external
+            service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip 
+            service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
         spec:
           selector:
             {{- include "liqo.selectorTemplate" (merge (dict "isService" true) $templateConfig) | nindent 12 }}

deployments/liqo/values.yaml

@@ -48,7 +48,7 @@ networking:
   gatewayTemplates:
     wireguard:
       # -- Set the implementation used for the WireGuard connection. Possible values are "kernel" and "userspace".
-      implementation: "kernel"
+      implementation: "userspace"
     # -- Set the number of replicas for the gateway deployments
     replicas: 1
     # -- Set the options to configure the gateway ping used to check connection
@@ -468,7 +468,11 @@ ipam:
   # -- Set of network pools to perform the automatic address mapping in Liqo.
   # Network pools are used to map a cluster network into another one in order to prevent conflicts.
   # If left empty, it is defaulted to the private addresses ranges: [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]
-  pools: []
+  pools:
+  - 10.0.0.0/8
+  - 192.168.0.0/16
+  - 172.16.0.0/12
+  - 172.40.0.0/16
 
 crdReplicator:
   pod:
@@ -670,7 +674,7 @@ requirements:
 openshiftConfig:
   # -- Enable/Disable the OpenShift support, enabling Openshift-specific resources,
   # and setting the pod security contexts in a way that is compatible with Openshift.
-  enabled: false
+  enabled: true
   # -- Security context configurations granted to the virtual kubelet in the local cluster.
   # The configuration of one or more SCCs for the virtual kubelet is not strictly required, and privileges can be reduced in production environments.
   # Still, the default configuration (i.e., anyuid) is suggested to prevent problems (i.e., the virtual kubelet fails to add the appropriate labels) when
@@ -679,3 +683,7 @@ openshiftConfig:
   # Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded.
   virtualKubeletSCCs:
   - anyuid
+  - privileged
+  # -- Prefixes or specific names of gateway service accounts that should be granted SCC privileges
+  gatewayServiceAccountPrefixes:
+  - "gw-"

pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go

@@ -89,10 +89,15 @@ func NewTenantReconciler(cl client.Client, scheme *runtime.Scheme, config *rest.
 
 // cluster-role
 // +kubebuilder:rbac:groups=authentication.liqo.io,resources=tenants;tenants/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=authentication.liqo.io,resources=tenants;tenants/finalizers,verbs=update
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=namespaces/finalizers,verbs=update
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;deletecollection;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings/finalizers,verbs=update
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings/finalizers,verbs=update
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles/finalizers,verbs=update
 
 // Reconcile manages the lifecycle of a Tenant.
 func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) {

pkg/liqo-controller-manager/networking/external-network/client-operator/client_controller.go

@@ -78,8 +78,10 @@ func NewClientReconciler(cl client.Client, dynClient dynamic.Interface,
 // cluster-role
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayclients,verbs=get;list;watch;delete;create;update;patch
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayclients/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayclients/finalizers,verbs=update
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients,verbs=get;list;watch;delete;create;update;patch
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients/finalizers,verbs=update
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclienttemplates,verbs=get;list;watch;delete;create;update;patch
 
 // Reconcile manage GatewayClient lifecycle.

pkg/liqo-controller-manager/networking/external-network/configuration/configuration_controller.go

@@ -57,6 +57,7 @@ func NewConfigurationReconciler(cl client.Client, s *runtime.Scheme, er record.E
 // cluster-role
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=configurations,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=configurations/status,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=networking.liqo.io,resources=configurations/finalizers,verbs=update
 // +kubebuilder:rbac:groups=ipam.liqo.io,resources=networks,verbs=get;list;watch;create
 // +kubebuilder:rbac:groups=ipam.liqo.io,resources=networks/status,verbs=get;list;watch
 

pkg/liqo-controller-manager/networking/external-network/server-operator/server_controller.go

@@ -78,8 +78,10 @@ func NewServerReconciler(cl client.Client, dynClient dynamic.Interface,
 // cluster-role
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayservers,verbs=get;list;watch;delete;create;update;patch
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayservers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayservers/finalizers,verbs=update
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers,verbs=get;list;watch;delete;create;update;patch
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers/finalizers,verbs=update
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservertemplates,verbs=get;list;watch;delete;create;update;patch
 
 // Reconcile manage GatewayServer lifecycle.

pkg/liqo-controller-manager/networking/external-network/wireguard/wggatewayclient_controller.go

@@ -70,6 +70,7 @@ func NewWgGatewayClientReconciler(cl client.Client, s *runtime.Scheme,
 // cluster-role
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients,verbs=get;list;watch;delete;create;update;patch
 // +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients/finalizers,verbs=update
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;delete;create;update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;delete;update
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;list;watch;delete;create;update;patch