Add NET_RAW to `linkerd check --pre` (#3055)
`linkerd check --pre` validates that PSPs provide `NET_ADMIN`, but was not validating `NET_RAW`, despite `NET_RAW` being required by Linkerd's proxy-init container since #2969. Introduce a `has NET_RAW capability` check to `linkerd check --pre`. Fixes #3054 Signed-off-by: Andrew Seigner <siggy@buoyant.io>
This commit is contained in:
parent
a63c9cedc9
commit
5d0746ff91
|
|
@ -54,9 +54,10 @@ const (
|
|||
LinkerdPreInstallChecks CategoryID = "pre-kubernetes-setup"
|
||||
|
||||
// LinkerdPreInstallCapabilityChecks adds a check to validate the user has the
|
||||
// capabilities necessary to deploy Linkerd. For example, the NET_ADMIN
|
||||
// capability is required by the `linkerd-init` container to modify IP tables.
|
||||
// These checks are no run when the `--linkerd-cni-enabled` flag is set.
|
||||
// capabilities necessary to deploy Linkerd. For example, the NET_ADMIN and
|
||||
// NET_RAW capabilities are required by the `linkerd-init` container to modify
|
||||
// IP tables. These checks are not run when the `--linkerd-cni-enabled` flag
|
||||
// is set.
|
||||
LinkerdPreInstallCapabilityChecks CategoryID = "pre-kubernetes-capability"
|
||||
|
||||
// LinkerdPreInstallGlobalResourcesChecks adds a series of checks to determine
|
||||
|
|
@ -405,7 +406,15 @@ func (hc *HealthChecker) allCategories() []category {
|
|||
hintAnchor: "pre-k8s-cluster-net-admin",
|
||||
warning: true,
|
||||
check: func(context.Context) error {
|
||||
return hc.checkNetAdmin()
|
||||
return hc.checkCapability("NET_ADMIN")
|
||||
},
|
||||
},
|
||||
{
|
||||
description: "has NET_RAW capability",
|
||||
hintAnchor: "pre-k8s-cluster-net-raw",
|
||||
warning: true,
|
||||
check: func(context.Context) error {
|
||||
return hc.checkCapability("NET_RAW")
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -1193,7 +1202,7 @@ func (hc *HealthChecker) checkCanCreate(namespace, group, version, resource stri
|
|||
)
|
||||
}
|
||||
|
||||
func (hc *HealthChecker) checkNetAdmin() error {
|
||||
func (hc *HealthChecker) checkCapability(cap string) error {
|
||||
if hc.kubeAPI == nil {
|
||||
// we should never get here
|
||||
return fmt.Errorf("unexpected error: Kubernetes ClientSet not initialized")
|
||||
|
|
@ -1212,7 +1221,7 @@ func (hc *HealthChecker) checkNetAdmin() error {
|
|||
// if PodSecurityPolicies are found, validate one exists that:
|
||||
// 1) permits usage
|
||||
// AND
|
||||
// 2) provides NET_ADMIN
|
||||
// 2) provides the specified capability
|
||||
for _, psp := range pspList.Items {
|
||||
err := k8s.ResourceAuthz(
|
||||
hc.kubeAPI,
|
||||
|
|
@ -1225,14 +1234,14 @@ func (hc *HealthChecker) checkNetAdmin() error {
|
|||
)
|
||||
if err == nil {
|
||||
for _, capability := range psp.Spec.AllowedCapabilities {
|
||||
if capability == "*" || capability == "NET_ADMIN" {
|
||||
if capability == "*" || string(capability) == cap {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return fmt.Errorf("found %d PodSecurityPolicies, but none provide NET_ADMIN, proxy injection will fail if the PSP admission controller is running", len(pspList.Items))
|
||||
return fmt.Errorf("found %d PodSecurityPolicies, but none provide %s, proxy injection will fail if the PSP admission controller is running", len(pspList.Items), cap)
|
||||
}
|
||||
|
||||
func (hc *HealthChecker) checkClockSkew() error {
|
||||
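Review bot: The new comparison loop returns nil as soon as any usable PSP lists the single requested capability, so NET_ADMIN may be satisfied by one policy and NET_RAW by another while no single PSP grants both; since the PSP admission controller validates a pod against one policy at a time, both new checks can pass and proxy injection still be rejected. A combined check that requires one PSP to provide every capability the init container needs would close that gap; checkCapability starts in an earlier hunk and only its tail is visible here. Separately, the parameter name `cap` in the new signature shadows the builtin `cap`, which linters such as gocritic flag; making it variadic `caps ...string` avoids the shadowing while keeping the existing `hc.checkCapability("NET_ADMIN")` calls compiling, and lets allCategories request both capabilities in one call. A variadic version could look like this.
```go
func (hc *HealthChecker) checkCapability(caps ...string) error {
	// … unchanged: kubeAPI nil guard, PSP listing, empty-list case …
	for _, psp := range pspList.Items {
		// … unchanged: k8s.ResourceAuthz "use" check …
		if err != nil {
			continue
		}
		// every requested capability must be granted by this one PSP
		grantsAll := true
		for _, want := range caps {
			granted := false
			for _, capability := range psp.Spec.AllowedCapabilities {
				if capability == "*" || string(capability) == want {
					granted = true
					break
				}
			}
			if !granted {
				grantsAll = false
				break
			}
		}
		if grantsAll {
			return nil
		}
	}
	// … unchanged: "none provide" error, listing the names in caps instead of a single cap …
}
```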
|
|
|
|||
|
|
@ -391,7 +391,7 @@ status:
|
|||
|
||||
}
|
||||
|
||||
func TestCheckNetAdmin(t *testing.T) {
|
||||
func TestChecCapability(t *testing.T) {
|
||||
tests := []struct {
|
||||
k8sConfigs []string
|
||||
err error
|
||||
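Review bot: The renamed test is `TestChecCapability`, which drops the k from Check; it should read `func TestCheckCapability(t *testing.T) {` so the name matches the function under test and `go test -run TestCheckCapability` selects it as expected. The table still drives only the literal `TEST_CAP` name, so the wildcard branch kept by the new `capability == "*"` comparison is not exercised; a case whose PSP lists `allowedCapabilities: ["*"]` and expects a nil error would cover it. The test function continues past this hunk.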
|
|
@ -409,13 +409,13 @@ spec:
|
|||
requiredDropCapabilities:
|
||||
- ALL`,
|
||||
},
|
||||
fmt.Errorf("found 1 PodSecurityPolicies, but none provide NET_ADMIN, proxy injection will fail if the PSP admission controller is running"),
|
||||
fmt.Errorf("found 1 PodSecurityPolicies, but none provide TEST_CAP, proxy injection will fail if the PSP admission controller is running"),
|
||||
},
|
||||
}
|
||||
|
||||
for i, test := range tests {
|
||||
test := test // pin
|
||||
t.Run(fmt.Sprintf("%d: returns expected NET_ADMIN result", i), func(t *testing.T) {
|
||||
t.Run(fmt.Sprintf("%d: returns expected capability result", i), func(t *testing.T) {
|
||||
hc := NewHealthChecker(
|
||||
[]CategoryID{},
|
||||
&Options{},
|
||||
|
|
@ -427,7 +427,7 @@ spec:
|
|||
t.Fatalf("Unexpected error: %s", err)
|
||||
}
|
||||
|
||||
err = hc.checkNetAdmin()
|
||||
err = hc.checkCapability("TEST_CAP")
|
||||
if err != nil || test.err != nil {
|
||||
if (err == nil && test.err != nil) ||
|
||||
(err != nil && test.err == nil) ||
|
||||
|
|
|
|||
|
|
@ -25,6 +25,7 @@ pre-kubernetes-setup
|
|||
pre-kubernetes-capability
|
||||
-------------------------
|
||||
√ has NET_ADMIN capability
|
||||
√ has NET_RAW capability
|
||||
|
||||
pre-linkerd-global-resources
|
||||
----------------------------
|
||||
|
|
|
|||