From 57589391cb07d061131260430f44a02c0b53a15b Mon Sep 17 00:00:00 2001 From: Mario Macias Date: Tue, 8 Nov 2022 17:48:40 +0100 Subject: [PATCH 1/3] NETOBSERV-638: avoid infinite update-retrigger loop --- controllers/ebpf/agent_controller.go | 21 +++++-- .../ebpf/internal/permissions/permissions.go | 14 ++++- .../flowcollector_controller_ebpf_test.go | 3 + controllers/flowcollector_controller_test.go | 8 ++- .../flowlogspipeline/flp_common_objects.go | 10 +++- go.mod | 2 +- go.sum | 6 +- pkg/helper/helpers.go | 17 +++++- pkg/helper/helpers_test.go | 12 ++++ .../pkg/apis/apiextensions/deepcopy.go | 6 ++ .../pkg/apis/apiextensions/v1/conversion.go | 6 ++ .../pkg/apis/apiextensions/v1/deepcopy.go | 6 ++ .../v1/zz_generated.conversion.go | 5 ++ .../apis/apiextensions/v1beta1/deepcopy.go | 6 ++ vendor/modules.txt | 4 +- vendor/sigs.k8s.io/controller-runtime/go.mod | 16 ++--- vendor/sigs.k8s.io/controller-runtime/go.sum | 38 ++++++------ .../pkg/cache/internal/informers_map.go | 58 ++++++++----------- 18 files changed, 160 insertions(+), 78 deletions(-) diff --git a/controllers/ebpf/agent_controller.go b/controllers/ebpf/agent_controller.go index 88b498e4c..af3de0298 100644 --- a/controllers/ebpf/agent_controller.go +++ b/controllers/ebpf/agent_controller.go @@ -161,6 +161,7 @@ func (c *AgentController) desired(coll *flowsv1alpha1.FlowCollector) *v1.DaemonS // This operation must currently be performed manually (run "make fix-ebpf-kafka-tls"). It could be automated here. volumes, volumeMounts = helper.AppendCertVolumes(volumes, volumeMounts, &coll.Spec.Kafka.TLS, kafkaCerts) } + return &v1.DaemonSet{ ObjectMeta: metav1.ObjectMeta{ Name: constants.EBPFAgentName, 
@@ -241,7 +242,10 @@ func (c *AgentController) envConfig(coll *flowsv1alpha1.FlowCollector) []corev1. } dedup := dedupeDefault dedupJustMark := dedupeJustMarkDefault - for k, v := range coll.Spec.Agent.EBPF.Env { + // we need to sort env map to keep idempotency, + // as equal maps could be iterated in different order + for _, pair := range helper.KeySorted(coll.Spec.Agent.EBPF.Env) { + k, v := pair[0], pair[1] if k == envDedupe { dedup = v } else if k == envDedupeJustMark { @@ -279,7 +283,8 @@ func (c *AgentController) envConfig(coll *flowsv1alpha1.FlowCollector) []corev1. Name: envFlowsTargetHost, ValueFrom: &corev1.EnvVarSource{ FieldRef: &corev1.ObjectFieldSelector{ - FieldPath: "status.hostIP", + APIVersion: "v1", + FieldPath: "status.hostIP", }, }, }, corev1.EnvVar{ @@ -297,10 +302,16 @@ func (c *AgentController) requiredAction(current, desired *v1.DaemonSet) reconci if current == nil && desired != nil { return actionCreate } - if equality.Semantic.DeepDerivative(&desired.Spec, current.Spec) { - return actionNone + cSpec, dSpec := current.Spec, desired.Spec + eq := equality.Semantic.DeepDerivative + if !helper.IsSubSet(current.ObjectMeta.Labels, desired.ObjectMeta.Labels) || + !eq(dSpec.Selector, cSpec.Selector) || + !eq(dSpec.Template, cSpec.Template) { + + return actionUpdate } - return actionUpdate + + return actionNone } func (c *AgentController) securityContext(coll *flowsv1alpha1.FlowCollector) *corev1.SecurityContext { diff --git a/controllers/ebpf/internal/permissions/permissions.go b/controllers/ebpf/internal/permissions/permissions.go index f7ba8455e..038a16fa7 100644 --- a/controllers/ebpf/internal/permissions/permissions.go +++ b/controllers/ebpf/internal/permissions/permissions.go 
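Review bot: In `requiredAction`, `cSpec, dSpec := current.Spec, desired.Spec` dereferences both pointers, but the guard before it handles only `current == nil && desired != nil`, so a nil `desired` would panic here. Whether callers can pass a nil `desired` is not visible in the hunk. A guard such as `if current == nil || desired == nil { return actionNone }` after the create check (or whatever action is intended for a missing desired object) would make the function total. It would also help to put a comment above `eq`, e.g. `// desired goes first: DeepDerivative does not compare fields left unset in its first argument`, because swapping the operands silently changes the result, and because additions to the live pod template are not treated as drift by this check.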
@@ -89,7 +89,11 @@ func (c *Reconciler) reconcileNamespace(ctx context.Context) error { return c.client.CreateOwned(ctx, desired) } if actual != nil && desired != nil { - if !helper.IsSubSet(actual.ObjectMeta.Labels, desired.ObjectMeta.Labels) { + // We noticed that some labels (e.g. audit: privileged) are automatically removed + // in some configurations of K8s, so to avoid an infinite update loop, we just ignore + // the labels, as they don't provide any actual functionality that the reconcile should + // take care of (if the user modifies them manually, it's at their own risk) + if !helper.IsSubSet(actual.ObjectMeta.Annotations, desired.ObjectMeta.Annotations) { rlog.Info("updating namespace") return c.client.UpdateOwned(ctx, actual, desired) } @@ -169,7 +173,13 @@ func (c *Reconciler) reconcileOpenshiftPermissions( rlog.Info("creating SecurityContextConstraints") return c.client.CreateOwned(ctx, scc) } - if !equality.Semantic.DeepDerivative(&scc, &actual) { + if scc.AllowHostNetwork != actual.AllowHostNetwork || + !equality.Semantic.DeepDerivative(&scc.RunAsUser, &actual.RunAsUser) || + !equality.Semantic.DeepDerivative(&scc.SELinuxContext, &actual.SELinuxContext) || + !equality.Semantic.DeepDerivative(&scc.Users, &actual.Users) || + scc.AllowPrivilegedContainer != actual.AllowPrivilegedContainer || + !equality.Semantic.DeepDerivative(&scc.AllowedCapabilities, &actual.AllowedCapabilities) { + rlog.Info("updating SecurityContextConstraints") return c.client.UpdateOwned(ctx, actual, scc) } diff --git a/controllers/flowcollector_controller_ebpf_test.go b/controllers/flowcollector_controller_ebpf_test.go index 458d6f40e..6da297fdc 100644 --- a/controllers/flowcollector_controller_ebpf_test.go +++ b/controllers/flowcollector_controller_ebpf_test.go 
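Review bot: The new field-by-field check in `reconcileOpenshiftPermissions` compares `scc.Users` and `scc.AllowedCapabilities` with `equality.Semantic.DeepDerivative`, which (as I read its slice handling) accepts an empty desired slice against anything and compares only the first `len(desired)` elements. A live SecurityContextConstraints that has gained extra users or capabilities is therefore reported as up to date and never reset. For these two grant lists an exact comparison is the safer default, e.g. `!equality.Semantic.DeepEqual(scc.Users, actual.Users)` and `!equality.Semantic.DeepEqual(scc.AllowedCapabilities, actual.AllowedCapabilities)`, provided the cluster does not itself rewrite them, which is not visible here. The check also covers only six fields, so any other field the desired SCC sets is no longer reconciled; a comment saying why each compared field was chosen would keep that list honest. The function body starts before the hunk and continues after it.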
@@ -62,6 +62,8 @@ func flowCollectorEBPFSpecs() { ExcludeInterfaces: []string{"br-3", "lo"}, LogLevel: "trace", Env: map[string]string{ + // we'll test that multiple variables are reordered + "GOGC": "400", "BUFFERS_LENGTH": "100", }, }, @@ -96,6 +98,7 @@ func flowCollectorEBPFSpecs() { v1.EnvVar{Name: "INTERFACES", Value: "veth0,/^br-/"}, v1.EnvVar{Name: "EXCLUDE_INTERFACES", Value: "br-3,lo"}, v1.EnvVar{Name: "BUFFERS_LENGTH", Value: "100"}, + v1.EnvVar{Name: "GOGC", Value: "400"}, v1.EnvVar{Name: "SAMPLING", Value: "123"}, v1.EnvVar{Name: "FLOWS_TARGET_PORT", Value: "9999"}, )) diff --git a/controllers/flowcollector_controller_test.go b/controllers/flowcollector_controller_test.go index 459a1c70c..830126d2d 100644 --- a/controllers/flowcollector_controller_test.go +++ b/controllers/flowcollector_controller_test.go @@ -191,7 +191,9 @@ func flowCollectorControllerSpecs() { LogLevel: "error", Image: "testimg:latest", Env: map[string]string{ - "GOGC": "400", + // we'll test that env vars are sorted, to keep idempotency + "GOMAXPROCS": "33", + "GOGC": "400", }, } fc.Spec.Loki = flowsv1alpha1.FlowCollectorLoki{} @@ -251,7 +253,9 @@ func flowCollectorControllerSpecs() { ContainerPort: 7891, Protocol: "UDP", })) - Expect(cnt.Env).To(ContainElement(v1.EnvVar{Name: "GOGC", Value: "400"})) + Expect(cnt.Env).To(Equal([]v1.EnvVar{ + {Name: "GOGC", Value: "400"}, {Name: "GOMAXPROCS", Value: "33"}, + })) }) By("Allocating the proper toleration to allow its placement in the master nodes", func() { diff --git a/controllers/flowlogspipeline/flp_common_objects.go b/controllers/flowlogspipeline/flp_common_objects.go index be80e8a06..21d4a30c7 100644 --- a/controllers/flowlogspipeline/flp_common_objects.go +++ b/controllers/flowlogspipeline/flp_common_objects.go 
@@ -184,8 +184,10 @@ func (b *builder) podTemplate(hasHostPort, hasLokiInterface, hostNetwork bool, c } var envs []corev1.EnvVar - for k, v := range b.desired.Processor.Env { - envs = append(envs, corev1.EnvVar{Name: k, Value: v}) + // we need to sort env map to keep idempotency, + // as equal maps could be iterated in different order + for _, pair := range helper.KeySorted(b.desired.Processor.Env) { + envs = append(envs, corev1.EnvVar{Name: pair[0], Value: pair[1]}) } container := corev1.Container{ @@ -482,6 +484,10 @@ func (b *builder) fillPromService(svc *corev1.Service) { Name: prometheusServiceName, Port: b.desired.Processor.Metrics.Server.Port, Protocol: corev1.ProtocolTCP, + // Some Kubernetes versions might automatically set TargetPort to Port. We need to + // explicitly set it here so the reconcile loop verifies that the owned service + // is equal as the desired service + TargetPort: intstr.FromInt(int(b.desired.Processor.Metrics.Server.Port)), }} if b.desired.Processor.Metrics.Server.TLS.Type == flowsv1alpha1.ServerTLSAuto { if svc.ObjectMeta.Annotations == nil { diff --git a/go.mod b/go.mod index d95aeb6c7..d3fad1dbc 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( k8s.io/client-go v0.24.0 k8s.io/kube-aggregator v0.23.5 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 - sigs.k8s.io/controller-runtime v0.11.0 + sigs.k8s.io/controller-runtime v0.11.2 ) replace github.com/prometheus/common v0.32.1 => github.com/netobserv/prometheus-common v0.31.2-0.20220720134304-43e74fd22881 diff --git a/go.sum b/go.sum index 2e4f3020c..face53264 100644 --- a/go.sum +++ b/go.sum 
@@ -1741,8 +1741,9 @@ k8s.io/api v0.23.0/go.mod h1:8wmDdLBHBNxtOIytwLstXt5E9PddnZb0GaMcqsvDBpg= k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8= k8s.io/api v0.24.0 h1:J0hann2hfxWr1hinZIDefw7Q96wmCBx6SSB8IY0MdDg= k8s.io/api v0.24.0/go.mod h1:5Jl90IUrJHUJYEMANRURMiVvJ0g7Ax7r3R1bqO8zx8I= -k8s.io/apiextensions-apiserver v0.23.0 h1:uii8BYmHYiT2ZTAJxmvc3X8UhNYMxl2A0z0Xq3Pm+WY= k8s.io/apiextensions-apiserver v0.23.0/go.mod h1:xIFAEEDlAZgpVBl/1VSjGDmLoXAWRG40+GsWhKhAxY4= +k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI= +k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ= k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY= k8s.io/apimachinery v0.23.0/go.mod h1:fFCTTBKvKcwTPFzjlcxp91uPFZr+JA0FubU4fLzzFYc= @@ -1794,8 +1795,9 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.25/go.mod h1:Mlj9PNLmG9bZ6BHFwFKDo5afkpWyUISkb9Me0GnK66I= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw= -sigs.k8s.io/controller-runtime v0.11.0 h1:DqO+c8mywcZLFJWILq4iktoECTyn30Bkj0CwgqMpZWQ= sigs.k8s.io/controller-runtime v0.11.0/go.mod h1:KKwLiTooNGu+JmLZGn9Sl3Gjmfj66eMbCQznLP5zcqA= +sigs.k8s.io/controller-runtime v0.11.2 h1:H5GTxQl0Mc9UjRJhORusqfJCIjBO8UtUxGggCwL1rLA= +sigs.k8s.io/controller-runtime v0.11.2/go.mod h1:P6QCzrEjLaZGqHsfd+os7JQ+WFZhvB8MRFsn4dWF7O4= sigs.k8s.io/e2e-framework v0.0.6/go.mod h1:XSknNb1ovbtOyNNjV8DKuY9Nr4rta4wwtnZq3IRGMl0= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= 
diff --git a/pkg/helper/helpers.go b/pkg/helper/helpers.go index 30e6379df..158fe74e8 100644 --- a/pkg/helper/helpers.go +++ b/pkg/helper/helpers.go @@ -2,7 +2,10 @@ // to perform some basic computational operations package helper -import "strings" +import ( + "sort" + "strings" +) func ContainsString(slice []string, s string) bool { for _, item := range slice { @@ -41,3 +44,15 @@ func IsSubSet(set, subset map[string]string) bool { } return true } + +// KeySorted returns the map key-value pairs sorted by Key +func KeySorted(set map[string]string) [][2]string { + vals := make([][2]string, 0, len(set)) + for k, v := range set { + vals = append(vals, [2]string{k, v}) + } + sort.Slice(vals, func(i, j int) bool { + return vals[i][0] < vals[j][0] + }) + return vals +} diff --git a/pkg/helper/helpers_test.go b/pkg/helper/helpers_test.go index abf5127c2..001045f05 100644 --- a/pkg/helper/helpers_test.go +++ b/pkg/helper/helpers_test.go @@ -47,3 +47,15 @@ func TestRemoveAllStrings(t *testing.T) { s = RemoveAllStrings(s, "five") assert.Equal([]string{"one", "two", "four"}, s) } + +func TestKeySorted(t *testing.T) { + set := map[string]string{ + "b": "1", + "c": "2", + "a": "3", + "d": "4", + } + assert.Equal(t, + [][2]string{{"a", "3"}, {"b", "1"}, {"c", "2"}, {"d", "4"}}, + KeySorted(set)) +} diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/deepcopy.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/deepcopy.go index 761e27cc4..2bd5d5293 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/deepcopy.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/deepcopy.go @@ -290,5 +290,11 @@ func (in *JSONSchemaProps) DeepCopy() *JSONSchemaProps { **out = **in } + if in.XValidations != nil { + in, out := &in.XValidations, &out.XValidations + *out = make([]ValidationRule, len(*in)) + copy(*out, *in) + } + return out } 
diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/conversion.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/conversion.go index 9bcbe5026..4d29ff823 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/conversion.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/conversion.go @@ -18,6 +18,7 @@ package v1 import ( "bytes" + unsafe "unsafe" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" apiequality "k8s.io/apimachinery/pkg/api/equality" @@ -207,3 +208,8 @@ func Convert_apiextensions_CustomResourceConversion_To_v1_CustomResourceConversi } return nil } + +func Convert_apiextensions_ValidationRules_To_v1_ValidationRules(in *apiextensions.ValidationRules, out *ValidationRules, s conversion.Scope) error { + *out = *(*ValidationRules)(unsafe.Pointer(in)) + return nil +} diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/deepcopy.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/deepcopy.go index 84dda976b..28dfb99f1 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/deepcopy.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/deepcopy.go @@ -250,5 +250,11 @@ func (in *JSONSchemaProps) DeepCopy() *JSONSchemaProps { **out = **in } + if in.XValidations != nil { + in, out := &in.XValidations, &out.XValidations + *out = make([]ValidationRule, len(*in)) + copy(*out, *in) + } + return out } diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go index 77d22c16c..95a58529b 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go 
@@ -242,6 +242,11 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddConversionFunc((*apiextensions.ValidationRules)(nil), (*ValidationRules)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_apiextensions_ValidationRules_To_v1_ValidationRules(a.(*apiextensions.ValidationRules), b.(*ValidationRules), scope) + }); err != nil { + return err + } if err := s.AddConversionFunc((*CustomResourceConversion)(nil), (*apiextensions.CustomResourceConversion)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1_CustomResourceConversion_To_apiextensions_CustomResourceConversion(a.(*CustomResourceConversion), b.(*apiextensions.CustomResourceConversion), scope) }); err != nil { diff --git a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/deepcopy.go b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/deepcopy.go index 857beac4a..9f64585da 100644 --- a/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/deepcopy.go +++ b/vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/deepcopy.go @@ -266,5 +266,11 @@ func (in *JSONSchemaProps) DeepCopy() *JSONSchemaProps { **out = **in } + if in.XValidations != nil { + in, out := &in.XValidations, &out.XValidations + *out = make([]ValidationRule, len(*in)) + copy(*out, *in) + } + return out } diff --git a/vendor/modules.txt b/vendor/modules.txt index fa0762fbe..dc19ea3ce 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -328,7 +328,7 @@ k8s.io/api/scheduling/v1beta1 k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 -# k8s.io/apiextensions-apiserver v0.23.0 +# k8s.io/apiextensions-apiserver v0.23.5 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1 
@@ -551,7 +551,7 @@ k8s.io/utils/net k8s.io/utils/pointer k8s.io/utils/strings/slices k8s.io/utils/trace -# sigs.k8s.io/controller-runtime v0.11.0 +# sigs.k8s.io/controller-runtime v0.11.2 ## explicit sigs.k8s.io/controller-runtime sigs.k8s.io/controller-runtime/pkg/builder diff --git a/vendor/sigs.k8s.io/controller-runtime/go.mod b/vendor/sigs.k8s.io/controller-runtime/go.mod index c843d2031..bdf2cbad7 100644 --- a/vendor/sigs.k8s.io/controller-runtime/go.mod +++ b/vendor/sigs.k8s.io/controller-runtime/go.mod @@ -16,12 +16,12 @@ require ( golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac gomodules.xyz/jsonpatch/v2 v2.2.0 - k8s.io/api v0.23.0 - k8s.io/apiextensions-apiserver v0.23.0 - k8s.io/apimachinery v0.23.0 - k8s.io/client-go v0.23.0 - k8s.io/component-base v0.23.0 - k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b + k8s.io/api v0.23.5 + k8s.io/apiextensions-apiserver v0.23.5 + k8s.io/apimachinery v0.23.5 + k8s.io/client-go v0.23.5 + k8s.io/component-base v0.23.5 + k8s.io/utils v0.0.0-20211116205334-6203023598ed sigs.k8s.io/yaml v1.3.0 ) @@ -49,7 +49,7 @@ require ( github.com/spf13/pflag v1.0.5 // indirect go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.6.0 // indirect - golang.org/x/net v0.0.0-20210825183410-e898025ed96a // indirect + golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect golang.org/x/text v0.3.7 // indirect @@ -62,5 +62,5 @@ require ( k8s.io/klog/v2 v2.30.0 // indirect k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.0 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect ) 
diff --git a/vendor/sigs.k8s.io/controller-runtime/go.sum b/vendor/sigs.k8s.io/controller-runtime/go.sum index 1872ab8ce..fd64bd0bb 100644 --- a/vendor/sigs.k8s.io/controller-runtime/go.sum +++ b/vendor/sigs.k8s.io/controller-runtime/go.sum @@ -583,8 +583,9 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210825183410-e898025ed96a h1:bRuuGXV8wwSdGTB+CtJf+FjgO1APK1CoO39T4BN/XBw= golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY= +golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -914,18 +915,18 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.23.0 h1:WrL1gb73VSC8obi8cuYETJGXEoFNEh3LU0Pt+Sokgro= -k8s.io/api v0.23.0/go.mod h1:8wmDdLBHBNxtOIytwLstXt5E9PddnZb0GaMcqsvDBpg= -k8s.io/apiextensions-apiserver v0.23.0 h1:uii8BYmHYiT2ZTAJxmvc3X8UhNYMxl2A0z0Xq3Pm+WY= -k8s.io/apiextensions-apiserver v0.23.0/go.mod h1:xIFAEEDlAZgpVBl/1VSjGDmLoXAWRG40+GsWhKhAxY4= -k8s.io/apimachinery v0.23.0 h1:mIfWRMjBuMdolAWJ3Fd+aPTMv3X9z+waiARMpvvb0HQ= -k8s.io/apimachinery v0.23.0/go.mod h1:fFCTTBKvKcwTPFzjlcxp91uPFZr+JA0FubU4fLzzFYc= -k8s.io/apiserver v0.23.0/go.mod h1:Cec35u/9zAepDPPFyT+UMrgqOCjgJ5qtfVJDxjZYmt4= -k8s.io/client-go v0.23.0 h1:vcsOqyPq7XV3QmQRCBH/t9BICJM9Q1M18qahjv+rebY= -k8s.io/client-go v0.23.0/go.mod h1:hrDnpnK1mSr65lHHcUuIZIXDgEbzc7/683c6hyG4jTA= -k8s.io/code-generator v0.23.0/go.mod h1:vQvOhDXhuzqiVfM/YHp+dmg10WDZCchJVObc9MvowsE= -k8s.io/component-base v0.23.0 h1:UAnyzjvVZ2ZR1lF35YwtNY6VMN94WtOnArcXBu34es8= -k8s.io/component-base v0.23.0/go.mod h1:DHH5uiFvLC1edCpvcTDV++NKULdYYU6pR9Tt3HIKMKI= +k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA= +k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8= +k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI= +k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ= +k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0= +k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= +k8s.io/apiserver v0.23.5/go.mod h1:7wvMtGJ42VRxzgVI7jkbKvMbuCbVbgsWFT7RyXiRNTw= +k8s.io/client-go v0.23.5 h1:zUXHmEuqx0RY4+CsnkOn5l0GU+skkRXKGJrhmE2SLd8= 
+k8s.io/client-go v0.23.5/go.mod h1:flkeinTO1CirYgzMPRWxUCnV0G4Fbu2vLhYCObnt/r4= +k8s.io/code-generator v0.23.5/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= +k8s.io/component-base v0.23.5 h1:8qgP5R6jG1BBSXmRYW+dsmitIrpk8F/fPEvgDenMCCE= +k8s.io/component-base v0.23.5/go.mod h1:c5Nq44KZyt1aLl0IpHX82fhsn84Sb0jjzwjpcA42bY0= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= 
@@ -934,18 +935,17 @@ k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 h1:E3J9oCLlaobFUqsjG9DfKbP2BmgwBL2p7pn0A3dG9W4= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b h1:wxEMGetGMur3J1xuGLQY7GEQYg9bZxKn3tKo5k/eYcs= -k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20211116205334-6203023598ed h1:ck1fRPWPJWsMd8ZRFsWc6mh/zHp5fZ/shhbrgPUxDAE= +k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.25/go.mod h1:Mlj9PNLmG9bZ6BHFwFKDo5afkpWyUISkb9Me0GnK66I= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= -sigs.k8s.io/structured-merge-diff/v4 v4.2.0 h1:kDvPBbnPk+qYmkHmSo8vKGp438IASWofnbbUKDE/bv0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.0/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= +sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y= 
+sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go b/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go index 07f2f1261..2eb68e840 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go 
@@ -409,41 +409,31 @@ func createMetadataListWatch(gvk schema.GroupVersionKind, ip *specificInformersM }, nil } -type gvkFixupWatcher struct { - watcher watch.Interface - ch chan watch.Event - gvk schema.GroupVersionKind - wg sync.WaitGroup -} - +// newGVKFixupWatcher adds a wrapper that preserves the GVK information when +// events come in. +// +// This works around a bug where GVK information is not passed into mapping +// functions when using the OnlyMetadata option in the builder. +// This issue is most likely caused by kubernetes/kubernetes#80609. +// See kubernetes-sigs/controller-runtime#1484. +// +// This was originally implemented as a cache.ResourceEventHandler wrapper but +// that contained a data race which was resolved by setting the GVK in a watch +// wrapper, before the objects are written to the cache. +// See kubernetes-sigs/controller-runtime#1650. +// +// The original watch wrapper was found to be incompatible with +// k8s.io/client-go/tools/cache.Reflector so it has been re-implemented as a +// watch.Filter which is compatible. +// See kubernetes-sigs/controller-runtime#1789. func newGVKFixupWatcher(gvk schema.GroupVersionKind, watcher watch.Interface) watch.Interface { - ch := make(chan watch.Event) - w := &gvkFixupWatcher{ - gvk: gvk, - watcher: watcher, - ch: ch, - } - w.wg.Add(1) - go w.run() - return w -} - -func (w *gvkFixupWatcher) run() { - for e := range w.watcher.ResultChan() { - e.Object.GetObjectKind().SetGroupVersionKind(w.gvk) - w.ch <- e - } - w.wg.Done() -} - -func (w *gvkFixupWatcher) Stop() { - w.watcher.Stop() - w.wg.Wait() - close(w.ch) -} - -func (w *gvkFixupWatcher) ResultChan() <-chan watch.Event { - return w.ch + return watch.Filter( + watcher, + func(in watch.Event) (watch.Event, bool) { + in.Object.GetObjectKind().SetGroupVersionKind(gvk) + return in, true + }, + ) } // resyncPeriod returns a function which generates a duration each time it is From 21b81c4d7de9435e50d3803ae4a00238525e4671 Mon Sep 17 00:00:00 2001 
From: Mario Macias Date: Wed, 9 Nov 2022 15:57:28 +0100 Subject: [PATCH 2/3] Fixed reconciliation also for Kafka transformer and ingestor --- controllers/flowlogspipeline/flp_ingest_reconciler.go | 4 ++-- controllers/flowlogspipeline/flp_monolith_reconciler.go | 4 ++-- controllers/flowlogspipeline/flp_reconciler.go | 8 ++++---- controllers/flowlogspipeline/flp_transfo_reconciler.go | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/controllers/flowlogspipeline/flp_ingest_reconciler.go b/controllers/flowlogspipeline/flp_ingest_reconciler.go index 5b3227aa9..d27885c5a 100644 --- a/controllers/flowlogspipeline/flp_ingest_reconciler.go +++ b/controllers/flowlogspipeline/flp_ingest_reconciler.go @@ -2,11 +2,11 @@ package flowlogspipeline import ( "context" - "reflect" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" + "k8s.io/apimachinery/pkg/api/equality" "sigs.k8s.io/controller-runtime/pkg/log" flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1" @@ -98,7 +98,7 @@ func (r *flpIngesterReconciler) reconcile(ctx context.Context, desired *flowsv1a if err := r.CreateOwned(ctx, newCM); err != nil { return err } - } else if !reflect.DeepEqual(newCM.Data, r.owned.configMap.Data) { + } else if !equality.Semantic.DeepDerivative(newCM.Data, r.owned.configMap.Data) { if err := r.UpdateOwned(ctx, r.owned.configMap, newCM); err != nil { return err } diff --git a/controllers/flowlogspipeline/flp_monolith_reconciler.go b/controllers/flowlogspipeline/flp_monolith_reconciler.go index 74e735589..4f1504436 100644 --- a/controllers/flowlogspipeline/flp_monolith_reconciler.go +++ b/controllers/flowlogspipeline/flp_monolith_reconciler.go 
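Review bot: Replacing `reflect.DeepEqual` with `equality.Semantic.DeepDerivative(newCM.Data, r.owned.configMap.Data)` in `flpIngesterReconciler.reconcile` makes the ConfigMap check one-directional. A key dropped from the desired data, or a desired value that is the empty string, no longer triggers `UpdateOwned`, so stale configuration can remain in the live ConfigMap. The same substitution appears in the monolith and transformer reconcilers and in `serviceNeedsUpdate`, `containerNeedsUpdate` and `autoScalerNeedsUpdate`, where clearing `Resources` or `Metrics` in the desired spec would likewise go unnoticed. For the ConfigMap sites, `!equality.Semantic.DeepEqual(newCM.Data, r.owned.configMap.Data)` would keep the comparison exact; whether that reintroduces the retrigger loop depends on what caused the mismatch, which the hunk does not show. The `reconcile` body starts and ends outside the hunk.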
@@ -2,11 +2,11 @@ package flowlogspipeline import ( "context" - "reflect" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" + "k8s.io/apimachinery/pkg/api/equality" "sigs.k8s.io/controller-runtime/pkg/log" flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1" @@ -100,7 +100,7 @@ func (r *flpMonolithReconciler) reconcile(ctx context.Context, desired *flowsv1a if err := r.CreateOwned(ctx, newCM); err != nil { return err } - } else if !reflect.DeepEqual(newCM.Data, r.owned.configMap.Data) { + } else if !equality.Semantic.DeepDerivative(newCM.Data, r.owned.configMap.Data) { if err := r.UpdateOwned(ctx, r.owned.configMap, newCM); err != nil { return err } diff --git a/controllers/flowlogspipeline/flp_reconciler.go b/controllers/flowlogspipeline/flp_reconciler.go index a4d67fd9e..e80aa50aa 100644 --- a/controllers/flowlogspipeline/flp_reconciler.go +++ b/controllers/flowlogspipeline/flp_reconciler.go @@ -3,10 +3,10 @@ package flowlogspipeline import ( "context" "fmt" - "reflect" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/equality" flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1" "github.com/netobserv/network-observability-operator/controllers/constants" @@ -93,8 +93,8 @@ func configChanged(tmpl *corev1.PodTemplateSpec, configDigest string) bool { } func serviceNeedsUpdate(actual *corev1.Service, desired *corev1.Service) bool { - return !reflect.DeepEqual(actual.ObjectMeta, desired.ObjectMeta) || - !reflect.DeepEqual(actual.Spec, desired.Spec) + return !equality.Semantic.DeepDerivative(desired.ObjectMeta, actual.ObjectMeta) || + !equality.Semantic.DeepDerivative(desired.Spec, actual.Spec) } func containerNeedsUpdate(podSpec *corev1.PodSpec, desired *flpSpec, expectHostPort bool) bool { 
@@ -105,7 +105,7 @@ func containerNeedsUpdate(podSpec *corev1.PodSpec, desired *flpSpec, expectHostP desired.Image != container.Image || desired.ImagePullPolicy != string(container.ImagePullPolicy) || probesNeedUpdate(container, desired.EnableKubeProbes) || - !reflect.DeepEqual(desired.Resources, container.Resources) + !equality.Semantic.DeepDerivative(desired.Resources, container.Resources) } func probesNeedUpdate(container *corev1.Container, enabled bool) bool { diff --git a/controllers/flowlogspipeline/flp_transfo_reconciler.go b/controllers/flowlogspipeline/flp_transfo_reconciler.go index d3af2ce58..6d99ab756 100644 --- a/controllers/flowlogspipeline/flp_transfo_reconciler.go +++ b/controllers/flowlogspipeline/flp_transfo_reconciler.go @@ -2,12 +2,12 @@ package flowlogspipeline import ( "context" - "reflect" appsv1 "k8s.io/api/apps/v1" ascv2 "k8s.io/api/autoscaling/v2beta2" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" + "k8s.io/apimachinery/pkg/api/equality" "sigs.k8s.io/controller-runtime/pkg/log" flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1" @@ -102,7 +102,7 @@ func (r *flpTransformerReconciler) reconcile(ctx context.Context, desired *flows if err := r.CreateOwned(ctx, newCM); err != nil { return err } - } else if !reflect.DeepEqual(newCM.Data, r.owned.configMap.Data) { + } else if !equality.Semantic.DeepDerivative(newCM.Data, r.owned.configMap.Data) { if err := r.UpdateOwned(ctx, r.owned.configMap, newCM); err != nil { return err } @@ -196,7 +196,7 @@ func autoScalerNeedsUpdate(asc *ascv2.HorizontalPodAutoscaler, desired flowsv1al differentPointerValues(asc.Spec.MinReplicas, desired.MinReplicas) { return true } - if !reflect.DeepEqual(asc.Spec.Metrics, desired.Metrics) { + if !equality.Semantic.DeepDerivative(desired.Metrics, asc.Spec.Metrics) { return true } return false From 2cfb2b48313e66e06b7b22ccf56df42e2c00a736 Mon Sep 17 00:00:00 2001 
From: Mario Macias Date: Thu, 10 Nov 2022 10:27:09 +0100 Subject: [PATCH 3/3] Reverting PR#191 (NETOBSERV-694) --- .../ebpf/internal/permissions/permissions.go | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/controllers/ebpf/internal/permissions/permissions.go b/controllers/ebpf/internal/permissions/permissions.go index 038a16fa7..768f29ecc 100644 --- a/controllers/ebpf/internal/permissions/permissions.go +++ b/controllers/ebpf/internal/permissions/permissions.go @@ -76,12 +76,6 @@ func (c *Reconciler) reconcileNamespace(ctx context.Context) error { "pod-security.kubernetes.io/enforce": "privileged", "pod-security.kubernetes.io/audit": "privileged", }, - Annotations: map[string]string{ - // Means that only userID 0 is allowed in the eBPF pods - "openshift.io/sa.scc.uid-range": "0/1", - // unclassified Multi-Category Security (MCS) level of SELinux - "openshift.io/sa.scc.mcs": "s0", - }, }, } if actual == nil && desired != nil { @@ -89,11 +83,14 @@ func (c *Reconciler) reconcileNamespace(ctx context.Context) error { return c.client.CreateOwned(ctx, desired) } if actual != nil && desired != nil { - // We noticed that some labels (e.g. audit: privileged) are automatically removed + // We noticed that audit labels are automatically removed // in some configurations of K8s, so to avoid an infinite update loop, we just ignore - // the labels, as they don't provide any actual functionality that the reconcile should - // take care of (if the user modifies them manually, it's at their own risk) - if !helper.IsSubSet(actual.ObjectMeta.Annotations, desired.ObjectMeta.Annotations) { + // it (if the user removes it manually, it's at their own risk) + if !helper.IsSubSet(actual.ObjectMeta.Labels, + map[string]string{ + "app": constants.OperatorName, + "pod-security.kubernetes.io/enforce": "privileged", + }) { rlog.Info("updating namespace") return c.client.UpdateOwned(ctx, actual, desired) }
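Review bot: The label check in `reconcileNamespace` now compares `actual.ObjectMeta.Labels` against a second map literal instead of against `desired`, so the two can drift apart. The hunk context shows only the two `pod-security.kubernetes.io` keys of `desired`; if `desired` does not also carry `"app": constants.OperatorName`, the check fails on every pass and `UpdateOwned` runs in a loop again. Deriving the required set from `desired` keeps one source of truth: copy `desired.ObjectMeta.Labels` into a local map, `delete(required, "pod-security.kubernetes.io/audit")`, then call `helper.IsSubSet(actual.ObjectMeta.Labels, required)`. The function body starts outside the hunk.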