Reduce permission of antrea-agent service account (#3691)

Remove the update permission for services/status of antrea-agent
service account. Remove the optimization for ExternalTrafficPolicy
setting to Local cases in ServiceExternalIP feature accordingly.
Introduce "antctl get serviceexternalip" command for the agent to
make checking the assigned Node of external IPs easier.

Signed-off-by: Xu Liu <xliu2@vmware.com>

Author: xliuxu

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -42,13 +42,7 @@ rules:
     verbs:
       - get
       - watch
-      - list  
-  - apiGroups:
-      - ""
-    resources:
-      - services/status
-    verbs:
-      - update
+      - list
   - apiGroups:
       - discovery.k8s.io
     resources:

build/charts/antrea/templates/antctl/clusterrole.yaml

@@ -53,5 +53,6 @@ rules:
       - /ovstracing
       - /podinterfaces
       - /featuregates
+      - /serviceexternalip
     verbs:
       - get

build/yamls/antrea-aks.yml

@@ -2848,13 +2848,7 @@ rules:
     verbs:
       - get
       - watch
-      - list  
-  - apiGroups:
-      - ""
-    resources:
-      - services/status
-    verbs:
-      - update
+      - list
   - apiGroups:
       - discovery.k8s.io
     resources:
@@ -3049,6 +3043,7 @@ rules:
       - /ovstracing
       - /podinterfaces
       - /featuregates
+      - /serviceexternalip
     verbs:
       - get
 ---

build/yamls/antrea-eks.yml

@@ -2848,13 +2848,7 @@ rules:
     verbs:
       - get
       - watch
-      - list  
-  - apiGroups:
-      - ""
-    resources:
-      - services/status
-    verbs:
-      - update
+      - list
   - apiGroups:
       - discovery.k8s.io
     resources:
@@ -3049,6 +3043,7 @@ rules:
       - /ovstracing
       - /podinterfaces
       - /featuregates
+      - /serviceexternalip
     verbs:
       - get
 ---

build/yamls/antrea-gke.yml

@@ -2848,13 +2848,7 @@ rules:
     verbs:
       - get
       - watch
-      - list  
-  - apiGroups:
-      - ""
-    resources:
-      - services/status
-    verbs:
-      - update
+      - list
   - apiGroups:
       - discovery.k8s.io
     resources:
@@ -3049,6 +3043,7 @@ rules:
       - /ovstracing
       - /podinterfaces
       - /featuregates
+      - /serviceexternalip
     verbs:
       - get
 ---

build/yamls/antrea-ipsec.yml

@@ -2861,13 +2861,7 @@ rules:
     verbs:
       - get
       - watch
-      - list  
-  - apiGroups:
-      - ""
-    resources:
-      - services/status
-    verbs:
-      - update
+      - list
   - apiGroups:
       - discovery.k8s.io
     resources:
@@ -3062,6 +3056,7 @@ rules:
       - /ovstracing
       - /podinterfaces
       - /featuregates
+      - /serviceexternalip
     verbs:
       - get
 ---

build/yamls/antrea.yml

@@ -2848,13 +2848,7 @@ rules:
     verbs:
       - get
       - watch
-      - list  
-  - apiGroups:
-      - ""
-    resources:
-      - services/status
-    verbs:
-      - update
+      - list
   - apiGroups:
       - discovery.k8s.io
     resources:
@@ -3049,6 +3043,7 @@ rules:
       - /ovstracing
       - /podinterfaces
       - /featuregates
+      - /serviceexternalip
     verbs:
       - get
 ---

cmd/antrea-agent/agent.go

@@ -614,6 +614,7 @@ func run(o *Options) error {
 	apiServer, err := apiserver.New(
 		agentQuerier,
 		networkPolicyController,
+		externalIPController,
 		o.config.APIPort,
 		*o.config.EnablePrometheusMetrics,
 		o.config.ClientConnection.Kubeconfig,

pkg/agent/apiserver/apiserver.go

@@ -40,6 +40,7 @@ import (
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/ovsflows"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/ovstracing"
 	"antrea.io/antrea/pkg/agent/apiserver/handlers/podinterface"
+	"antrea.io/antrea/pkg/agent/apiserver/handlers/serviceexternalip"
 	agentquerier "antrea.io/antrea/pkg/agent/querier"
 	systeminstall "antrea.io/antrea/pkg/apis/system/install"
 	systemv1beta1 "antrea.io/antrea/pkg/apis/system/v1beta1"
@@ -72,7 +73,7 @@ func (s *agentAPIServer) Run(stopCh <-chan struct{}) error {
 	return s.GenericAPIServer.PrepareRun().Run(stopCh)
 }
 
-func installHandlers(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, s *genericapiserver.GenericAPIServer) {
+func installHandlers(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, seipq querier.ServiceExternalIPStatusQuerier, s *genericapiserver.GenericAPIServer) {
 	s.Handler.NonGoRestfulMux.HandleFunc("/loglevel", loglevel.HandleFunc())
 	s.Handler.NonGoRestfulMux.HandleFunc("/featuregates", featuregates.HandleFunc())
 	s.Handler.NonGoRestfulMux.HandleFunc("/agentinfo", agentinfo.HandleFunc(aq))
@@ -82,6 +83,7 @@ func installHandlers(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolic
 	s.Handler.NonGoRestfulMux.HandleFunc("/addressgroups", addressgroup.HandleFunc(npq))
 	s.Handler.NonGoRestfulMux.HandleFunc("/ovsflows", ovsflows.HandleFunc(aq))
 	s.Handler.NonGoRestfulMux.HandleFunc("/ovstracing", ovstracing.HandleFunc(aq))
+	s.Handler.NonGoRestfulMux.HandleFunc("/serviceexternalip", serviceexternalip.HandleFunc(seipq))
 }
 
 func installAPIGroup(s *genericapiserver.GenericAPIServer, aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, v4Enabled, v6Enabled bool) error {
@@ -95,8 +97,8 @@ func installAPIGroup(s *genericapiserver.GenericAPIServer, aq agentquerier.Agent
 }
 
 // New creates an APIServer for running in antrea agent.
-func New(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, bindPort int,
-	enableMetrics bool, kubeconfig string, cipherSuites []uint16, tlsMinVersion uint16, v4Enabled, v6Enabled bool) (*agentAPIServer, error) {
+func New(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier, seipq querier.ServiceExternalIPStatusQuerier,
+	bindPort int, enableMetrics bool, kubeconfig string, cipherSuites []uint16, tlsMinVersion uint16, v4Enabled, v6Enabled bool) (*agentAPIServer, error) {
 	cfg, err := newConfig(npq, bindPort, enableMetrics, kubeconfig)
 	if err != nil {
 		return nil, err
@@ -110,7 +112,7 @@ func New(aq agentquerier.AgentQuerier, npq querier.AgentNetworkPolicyInfoQuerier
 	if err := installAPIGroup(s, aq, npq, v4Enabled, v6Enabled); err != nil {
 		return nil, err
 	}
-	installHandlers(aq, npq, s)
+	installHandlers(aq, npq, seipq, s)
 	return &agentAPIServer{GenericAPIServer: s}, nil
 }
 

pkg/agent/apiserver/handlers/serviceexternalip/handler.go

@@ -0,0 +1,70 @@
+// Copyright 2022 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package serviceexternalip
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"antrea.io/antrea/pkg/antctl/transform/common"
+	"antrea.io/antrea/pkg/features"
+	"antrea.io/antrea/pkg/querier"
+)
+
+// HandleFunc creates a http.HandlerFunc which uses an ServiceExternalIPStatusQuerier
+// to query Service external IP status.
+func HandleFunc(sq querier.ServiceExternalIPStatusQuerier) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		name := r.URL.Query().Get("name")
+		ns := r.URL.Query().Get("namespace")
+		if !features.DefaultFeatureGate.Enabled(features.ServiceExternalIP) {
+			http.Error(w, "ServiceExternalIP is not enabled", http.StatusServiceUnavailable)
+			return
+		}
+		result := sq.GetServiceExternalIPStatus()
+		var response []Response
+		for _, r := range result {
+			if (len(name) == 0 || name == r.ServiceName) && (len(ns) == 0 || ns == r.Namespace) {
+				response = append(response, Response{r})
+			}
+		}
+		if len(name) > 0 && len(response) == 0 {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+		if err := json.NewEncoder(w).Encode(response); err != nil {
+			http.Error(w, "Failed to encode response: "+err.Error(), http.StatusInternalServerError)
+		}
+	}
+}
+
+// Response describes the response struct of serviceexternalip command.
+type Response struct {
+	querier.ServiceExternalIPInfo
+}
+
+var _ common.TableOutput = (*Response)(nil)
+
+func (r Response) GetTableHeader() []string {
+	return []string{"NAMESPACE", "NAME", "EXTERNAL-IP-POOL", "EXTERNAL-IP", "ASSIGNED-NODE"}
+}
+
+func (r Response) GetTableRow(_ int) []string {
+	return []string{r.Namespace, r.ServiceName, r.ExternalIPPool, r.ExternalIP, r.AssignedNode}
+}
+
+func (r Response) SortRows() bool {
+	return true
+}