Stage iptables binaries in a sepparate component
Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <[email protected]>
juanluisvaladas committed Nov 18, 2024
1 parent d5c3e59 commit 6b106f2
Showing 5 changed files with 72 additions and 44 deletions.
33 changes: 20 additions & 13 deletions cmd/worker/worker.go
Expand Up @@ -28,6 +28,7 @@ import (
k0slog "github.com/k0sproject/k0s/internal/pkg/log"
"github.com/k0sproject/k0s/internal/pkg/sysinfo"
"github.com/k0sproject/k0s/pkg/build"
"github.com/k0sproject/k0s/pkg/component/iptables"
"github.com/k0sproject/k0s/pkg/component/manager"
"github.com/k0sproject/k0s/pkg/component/prober"
"github.com/k0sproject/k0s/pkg/component/status"
Expand Down Expand Up @@ -147,21 +148,26 @@ func (c *Command) Start(ctx context.Context) error {
c.WorkerProfile = "default-windows"
}

componentManager.Add(ctx, &worker.Kubelet{
CRISocket: c.CriSocket,
EnableCloudProvider: c.CloudProvider,
K0sVars: c.K0sVars,
StaticPods: staticPods,
Kubeconfig: kubeletKubeconfigPath,
Configuration: *workerConfig.KubeletConfiguration.DeepCopy(),
LogLevel: c.LogLevels.Kubelet,
Labels: c.Labels,
Taints: c.Taints,
ExtraArgs: c.KubeletExtraArgs,
IPTablesMode: c.WorkerOptions.IPTablesMode,
DualStackEnabled: workerConfig.DualStackEnabled,
componentManager.Add(ctx, &iptables.IPTables{
IPTablesMode: c.WorkerOptions.IPTablesMode,
K0sVars: c.K0sVars,
})

componentManager.Add(ctx,
&worker.Kubelet{
CRISocket: c.CriSocket,
EnableCloudProvider: c.CloudProvider,
K0sVars: c.K0sVars,
StaticPods: staticPods,
Kubeconfig: kubeletKubeconfigPath,
Configuration: *workerConfig.KubeletConfiguration.DeepCopy(),
LogLevel: c.LogLevels.Kubelet,
Labels: c.Labels,
Taints: c.Taints,
ExtraArgs: c.KubeletExtraArgs,
DualStackEnabled: workerConfig.DualStackEnabled,
})

certManager := worker.NewCertificateManager(kubeletKubeconfigPath)

// if running inside a controller, status component is already running
Expand Down Expand Up @@ -196,6 +202,7 @@ func (c *Command) Start(ctx context.Context) error {
}

worker.KernelSetup()

err = componentManager.Start(ctx)
if err != nil {
return fmt.Errorf("failed to start worker components: %w", err)
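Review bot: The new `componentManager.Add(ctx, &iptables.IPTables{...})` at the top of the second hunk is unconditional, yet the doc comment on ExtractIPTablesBinaries in the iptables.go section states it returns an error on any OS other than Linux, and the removed kubelet.go call sat inside an enclosing block (closed by the `}` after `k.IPTablesMode = iptablesMode`) whose condition is outside that hunk. If that condition was a GOOS check — plausible given the `c.WorkerProfile = "default-windows"` branch just above — Windows workers would now fail at component Init where they previously skipped the extraction entirely. Either gate the registration, e.g. `if runtime.GOOS == "linux" { componentManager.Add(ctx, &iptables.IPTables{IPTablesMode: c.WorkerOptions.IPTablesMode, K0sVars: c.K0sVars}) }` (adding the `runtime` import if the file lacks it), or make `IPTables.Init` return nil early on non-Linux and document that. The body of Start continues outside the hunk.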
Expand Up @@ -14,10 +14,11 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

package iptablesutils
package iptables

import (
"bufio"
"context"
"errors"
"fmt"
"os"
Expand All @@ -27,6 +28,7 @@ import (
"strings"

"github.com/k0sproject/k0s/pkg/assets"
"github.com/k0sproject/k0s/pkg/config"
"github.com/k0sproject/k0s/pkg/constant"
"github.com/sirupsen/logrus"
)
Expand All @@ -36,6 +38,31 @@ const (
ModeLegacy = "legacy"
)

type IPTables struct {
IPTablesMode string
K0sVars *config.CfgVars
}

func (i *IPTables) Init(_ context.Context) error {
logrus.WithField("component", constant.IptablesBinariesComponentName).Info("Staging iptables binaries")
err, iptablesMode := ExtractIPTablesBinaries(i.K0sVars.BinDir, i.IPTablesMode)
if err != nil {
return err
}

i.IPTablesMode = iptablesMode
logrus.WithField("component", constant.IptablesBinariesComponentName).Infof("iptables mode: %s", i.IPTablesMode)
return nil
}

func (s *IPTables) Start(_ context.Context) error {
return nil
}

func (s *IPTables) Stop() error {
return nil
}

// ExtractIPTablesBinaries extracts the iptables binaries from the k0s binary and makes the symlinks
// to the backend detected by DetectHostIPTablesMode.
// ExtractIPTablesBinaries only works on linux, if called in another OS it will return an error.
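Review bot: The receiver is named `i` in Init but `s` in Start and Stop, and the exported `IPTables` struct has no doc comment; use one receiver name throughout (`func (i *IPTables) Start(_ context.Context) error` and `func (i *IPTables) Stop() error`) and add `// IPTables is a worker component that stages the embedded iptables binaries into K0sVars.BinDir and records the detected backend in IPTablesMode.` above the type. Init also overwrites `i.IPTablesMode` with the detected mode, but nothing in this commit reads it afterwards — the field Kubelet used to hold is removed — so if kube-proxy or another component is expected to consume the detected backend, this component needs an accessor or the value must be plumbed elsewhere; please confirm the intended consumer. The error-first return of `ExtractIPTablesBinaries` (`err, iptablesMode := ...`) is pre-existing but inverts Go convention and is worth fixing while the package is being moved; its definition starts outside the hunk.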
@@ -1,5 +1,5 @@
/*
Copyright 2022 k0s authors
Copyright 2024 k0s authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Expand All @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

package iptablesutils_test
package iptables_test

import (
"fmt"
Expand All @@ -26,7 +26,7 @@ import (
"testing"

"github.com/k0sproject/k0s/internal/pkg/file"
"github.com/k0sproject/k0s/internal/pkg/iptablesutils"
"github.com/k0sproject/k0s/pkg/component/iptables"

"github.com/sirupsen/logrus"
"github.com/stretchr/testify/assert"
Expand Down Expand Up @@ -64,7 +64,7 @@ func TestDetectHostIPTablesMode(t *testing.T) {
t.Run("iptables_not_found", func(t *testing.T) {
binDir := t.TempDir()

_, err := iptablesutils.DetectHostIPTablesMode(binDir)
_, err := iptables.DetectHostIPTablesMode(binDir)

var execErr *exec.Error
require.ErrorAs(t, err, &execErr)
Expand All @@ -79,9 +79,9 @@ func TestDetectHostIPTablesMode(t *testing.T) {
strings.Repeat("echo KUBE-IPTABLES-HINT\n", 1),
)

mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
mode, err := iptables.DetectHostIPTablesMode(binDir)
require.NoError(t, err)
assert.Equal(t, iptablesutils.ModeNFT, mode)
assert.Equal(t, iptables.ModeNFT, mode)
})

t.Run("xtables_legacy", func(t *testing.T) {
Expand All @@ -91,9 +91,9 @@ func TestDetectHostIPTablesMode(t *testing.T) {
strings.Repeat("echo KUBE-IPTABLES-HINT\n", 1),
)

mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
mode, err := iptables.DetectHostIPTablesMode(binDir)
require.NoError(t, err)
assert.Equal(t, iptablesutils.ModeLegacy, mode)
assert.Equal(t, iptables.ModeLegacy, mode)
})

t.Run("xtables_nft_over_legacy", func(t *testing.T) {
Expand All @@ -108,9 +108,9 @@ func TestDetectHostIPTablesMode(t *testing.T) {
strings.Repeat("echo KUBE-IPTABLES-HINT\n", 3),
)

mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
mode, err := iptables.DetectHostIPTablesMode(binDir)
require.NoError(t, err)
assert.Equal(t, iptablesutils.ModeNFT, mode)
assert.Equal(t, iptables.ModeNFT, mode)
})

t.Run("xtables_legacy_over_nft_more_entries", func(t *testing.T) {
Expand All @@ -124,9 +124,9 @@ func TestDetectHostIPTablesMode(t *testing.T) {
strings.Repeat("echo FOOBAR\n", 2),
)

mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
mode, err := iptables.DetectHostIPTablesMode(binDir)
require.NoError(t, err)
assert.Equal(t, iptablesutils.ModeLegacy, mode)
assert.Equal(t, iptables.ModeLegacy, mode)
})

t.Run("fallback_to_iptables_if_xtables_nft_over_legacy_more_entries", func(t *testing.T) {
Expand All @@ -140,7 +140,7 @@ func TestDetectHostIPTablesMode(t *testing.T) {
strings.Repeat("echo FOOBAR\n", 1),
)

_, err := iptablesutils.DetectHostIPTablesMode(binDir)
_, err := iptables.DetectHostIPTablesMode(binDir)
var execErr *exec.Error
require.ErrorAs(t, err, &execErr)
assert.Equal(t, "iptables", execErr.Name)
Expand All @@ -152,27 +152,27 @@ func TestDetectHostIPTablesMode(t *testing.T) {
writeXtables(t, binDir, "nft", "exit 1", "exit 1")
writeXtables(t, binDir, "legacy", "exit 1", "echo KUBE-IPTABLES-HINT")

mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
mode, err := iptables.DetectHostIPTablesMode(binDir)
require.NoError(t, err)
assert.Equal(t, iptablesutils.ModeLegacy, mode)
assert.Equal(t, iptables.ModeLegacy, mode)
})

t.Run("xtables_legacy_fails", func(t *testing.T) {
binDir := t.TempDir()
writeXtables(t, binDir, "nft", "exit 1", "echo KUBE-IPTABLES-HINT")
writeXtables(t, binDir, "legacy", "exit 1", "exit 1")

mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
mode, err := iptables.DetectHostIPTablesMode(binDir)
require.NoError(t, err)
assert.Equal(t, iptablesutils.ModeNFT, mode)
assert.Equal(t, iptables.ModeNFT, mode)
})

t.Run("xtables_fails", func(t *testing.T) {
binDir := t.TempDir()
writeXtables(t, binDir, "nft", "exit 99", "exit 88")
writeXtables(t, binDir, "legacy", "exit 77", "exit 66")

_, err := iptablesutils.DetectHostIPTablesMode(binDir)
_, err := iptables.DetectHostIPTablesMode(binDir)
var composite interface{ Unwrap() []error }
require.ErrorAs(t, err, &composite, "No wrapped errors")
errs := composite.Unwrap()
Expand All @@ -190,23 +190,23 @@ func TestDetectHostIPTablesMode(t *testing.T) {
writeXtables(t, binDir, "legacy", "", "")

t.Run("iptables_legacy", func(t *testing.T) {
mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
mode, err := iptables.DetectHostIPTablesMode(binDir)
require.NoError(t, err)
assert.Equal(t, iptablesutils.ModeLegacy, mode)
assert.Equal(t, iptables.ModeLegacy, mode)
})

writeScript(t, pathDir, "iptables", "echo foo-nf_tables-bar")

t.Run("iptables_nft", func(t *testing.T) {
mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
mode, err := iptables.DetectHostIPTablesMode(binDir)
require.NoError(t, err)
assert.Equal(t, iptablesutils.ModeNFT, mode)
assert.Equal(t, iptables.ModeNFT, mode)
})

writeScript(t, pathDir, "iptables", "exit 1")

t.Run("iptables_broken", func(t *testing.T) {
_, err := iptablesutils.DetectHostIPTablesMode(binDir)
_, err := iptables.DetectHostIPTablesMode(binDir)
var exitErr *exec.ExitError
require.ErrorAs(t, err, &exitErr)
assert.Equal(t, 1, exitErr.ExitCode())
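--- a/pkg/component/worker/kubelet.go
+++ b/pkg/component/worker/kubelet.go
@@ -30,7 +30,6 @@ import (
 "github.com/k0sproject/k0s/internal/pkg/dir"
 "github.com/k0sproject/k0s/internal/pkg/file"
 "github.com/k0sproject/k0s/internal/pkg/flags"
-"github.com/k0sproject/k0s/internal/pkg/iptablesutils"
 "github.com/k0sproject/k0s/internal/pkg/stringmap"
 "github.com/k0sproject/k0s/pkg/assets"
 "github.com/k0sproject/k0s/pkg/component/manager"
@@ -63,7 +62,6 @@ type Kubelet struct {
 Labels []string
 Taints []string
 ExtraArgs string
-IPTablesMode string
 DualStackEnabled bool
 }
 
@@ -81,11 +79,6 @@ func (k *Kubelet) Init(_ context.Context) error {
 if err := assets.Stage(k.K0sVars.BinDir, "kubelet", constant.BinDirMode); err != nil {
 return err
 }
-err, iptablesMode := iptablesutils.ExtractIPTablesBinaries(k.K0sVars.BinDir, k.IPTablesMode)
-if err != nil {
-return err
-}
-k.IPTablesMode = iptablesMode
 }
 
 k.dataDir = filepath.Join(k.K0sVars.DataDir, "kubelet")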
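--- a/pkg/constant/constant.go
+++ b/pkg/constant/constant.go
@@ -110,6 +110,7 @@ const (
 CoreDNSComponentname = "coredns"
 CsrApproverComponentName = "csr-approver"
 HelmComponentName = "helm"
+IptablesBinariesComponentName = "iptables-binaries"
 KonnectivityServerComponentName = "konnectivity-server"
 KubeControllerManagerComponentName = "kube-controller-manager"
 KubeProxyComponentName = "kube-proxy"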
