Reduce permission of antrea-agent service account #3691
@tnqn The e2e test failed because with this change the testing code cannot determine which Node owns the external IP. Most of the test cases will need to check the assigned Node by the hostname field in the status of a Service. I cannot find an easy way to figure out which Node owns the IP as they are not physically assigned. Do you think it is OK to remove all related test cases until we have a new API for assigned Node checking?
@xliuxu we don't assign the IP to the transport interface?
@antoninbas No. For LB IP of Services, we do not assign IP to any interfaces on the Node. Otherwise, it will conflict with the implementation of proxyAll feature. We use userspace ARP/NDP responders to handle ARP/NDP queries instead.
@xliuxu we need a way to check which Node owns the IP for troubleshooting anyway. Could we add a
(branch force-pushed: ddb269f to ccbc603)
@tnqn Thanks for the suggestion. I have added a new command
Codecov Report
@@            Coverage Diff             @@
##             main    #3691       +/-   ##
==========================================
- Coverage   64.60%   57.91%    -6.69%
==========================================
  Files         278      393      +115
  Lines       39640    56425    +16785
==========================================
+ Hits        25608    32678     +7070
- Misses      12043    21257     +9214
- Partials     1989     2490      +501
(branch force-pushed: ccbc603 to 0be085e)
(branch force-pushed: 7448c54 to 28d0dac)
/test-all
@antoninbas will you take another look?
antoninbas left a comment:
some small comments and questions, but overall LGTM
| s.Handler.NonGoRestfulMux.HandleFunc("/addressgroups", addressgroup.HandleFunc(npq)) | ||
| s.Handler.NonGoRestfulMux.HandleFunc("/ovsflows", ovsflows.HandleFunc(aq)) | ||
| s.Handler.NonGoRestfulMux.HandleFunc("/ovstracing", ovstracing.HandleFunc(aq)) | ||
| s.Handler.NonGoRestfulMux.HandleFunc("/serviceexternalip", serviceexternalip.HandleFunc(seipq)) |
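Review bot: the /serviceexternalip route is registered unconditionally next to the other agent endpoints, so a request still reaches serviceexternalip.HandleFunc(seipq) when the ServiceExternalIP feature is disabled; make sure that path returns a clear "not enabled" response instead of dereferencing a nil querier, and add the new URL to the antctl RBAC ClusterRole so the documented permissions match the registered routes.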
you may want to add the /serviceexternalip URL to the antctl RBAC ClusterRole, just for consistency (and in case someone is using the antctl ServiceAccount token to access antrea APIs directly)
| info := make([]querier.ServiceExternalIPInfo, len(c.externalIPStates)) | ||
| idx := 0 | ||
| for k, v := range c.externalIPStates { | ||
| info[idx].ServiceName = k.Name | ||
| info[idx].Namespace = k.Namespace | ||
| info[idx].ExternalIP = v.ip | ||
| info[idx].ExternalIPPool = v.ipPool | ||
| info[idx].AssignedNode = v.assignedNode | ||
| idx++ | ||
| } |
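Review bot: the range over c.externalIPStates returns entries in randomized map order, so two consecutive "antctl get serviceexternalip" calls can list the same Services in different orders, which makes output hard to diff during troubleshooting; sort info by Namespace and ServiceName before returning it. The pre-sized make plus manual idx bookkeeping can also be replaced by `make([]querier.ServiceExternalIPInfo, 0, len(c.externalIPStates))` and append, which removes the chance of a stray zero-value entry if the loop and the length ever disagree.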
nit: I think something like this is more elegant:
    info := make([]querier.ServiceExternalIPInfo, 0, len(c.externalIPStates))
    for k, v := range c.externalIPStates {
        info = append(info, querier.ServiceExternalIPInfo{
            ServiceName: k.Name,
            // ...
        })
    }
| queue workqueue.RateLimitingInterface | ||
| externalIPStates map[apimachinerytypes.NamespacedName]externalIPState | ||
| externalIPStates map[apimachinerytypes.NamespacedName]*externalIPState |
is there a reason for making this a pointer? Based on usage in GetServiceExternalIPStatus, it doesn't seem necessary.
It is just for the defer statement to save the externalIPState. I have reverted this change since it is not necessary and can also be achieved by changing the signature of func saveServiceState.
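The slice-building pattern suggested in the review nit above, written out as a complete Go program. This is an added example, not code from the Antrea repository: `NamespacedName`, `ServiceExternalIPInfo` and `externalIPState` are local stand-ins for the types referenced in the hunk, and the sample map contents are constructed. Beyond the nit itself, it sorts the result so that repeated `antctl get serviceexternalip` calls list Services in a stable order regardless of Go's randomized map iteration.

```go
package main

import (
	"fmt"
	"sort"
)

// NamespacedName and ServiceExternalIPInfo are hypothetical local copies of
// apimachinerytypes.NamespacedName and querier.ServiceExternalIPInfo, not
// Antrea's own types.
type NamespacedName struct {
	Namespace string
	Name      string
}

type ServiceExternalIPInfo struct {
	ServiceName    string
	Namespace      string
	ExternalIP     string
	ExternalIPPool string
	AssignedNode   string
}

// externalIPState carries only the fields read in the hunk (hypothetical).
type externalIPState struct {
	ip           string
	ipPool       string
	assignedNode string
}

// collectServiceExternalIPInfo builds the slice the way the review suggests:
// make with length 0 and a capacity hint, then append, so there is no index
// bookkeeping and no leftover zero-value entries. It then sorts by
// Namespace/ServiceName because Go map iteration order is randomized and an
// operator comparing two antctl runs should see the same order each time.
func collectServiceExternalIPInfo(states map[NamespacedName]externalIPState) []ServiceExternalIPInfo {
	info := make([]ServiceExternalIPInfo, 0, len(states))
	for k, v := range states {
		info = append(info, ServiceExternalIPInfo{
			ServiceName:    k.Name,
			Namespace:      k.Namespace,
			ExternalIP:     v.ip,
			ExternalIPPool: v.ipPool,
			AssignedNode:   v.assignedNode,
		})
	}
	sort.Slice(info, func(i, j int) bool {
		if info[i].Namespace != info[j].Namespace {
			return info[i].Namespace < info[j].Namespace
		}
		return info[i].ServiceName < info[j].ServiceName
	})
	return info
}

// sampleStates returns constructed sample data; names, IPs and Nodes are made up.
func sampleStates() map[NamespacedName]externalIPState {
	return map[NamespacedName]externalIPState{
		{Namespace: "kube-system", Name: "coredns-lb"}: {ip: "10.10.0.3", ipPool: "pool-b", assignedNode: "node-2"},
		{Namespace: "default", Name: "svc-b"}:          {ip: "10.10.0.2", ipPool: "pool-a", assignedNode: "node-1"},
		{Namespace: "default", Name: "svc-a"}:          {ip: "10.10.0.1", ipPool: "pool-a", assignedNode: "node-1"},
	}
}

func main() {
	fmt.Printf("%-12s %-12s %-12s %-8s %s\n", "NAMESPACE", "NAME", "EXTERNAL-IP", "POOL", "ASSIGNED-NODE")
	for _, e := range collectServiceExternalIPInfo(sampleStates()) {
		fmt.Printf("%-12s %-12s %-12s %-8s %s\n", e.Namespace, e.ServiceName, e.ExternalIP, e.ExternalIPPool, e.AssignedNode)
	}
}
```

Sorting is done after collection rather than by keeping a sorted structure in the agent, since the map is the agent's working state and the CLI view is the only consumer that cares about order.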
(branch force-pushed: 157d878 to 03b44ae)
Remove the update permission for services/status of antrea-agent service account. Remove the optimization for ExternalTrafficPolicy setting to Local cases in ServiceExternalIP feature accordingly. Introduce "antctl get serviceexternalip" command for the agent to make checking the assigned Node of external IPs easier. Signed-off-by: Xu Liu <xliu2@vmware.com>
(branch force-pushed: 03b44ae to fea1ef5)
| t.Run(cmd, func(t *testing.T) { | ||
| stdout, stderr, err := runAntctl(podName, args, data) | ||
| if err != nil { | ||
| if err != nil && !strings.HasSuffix(stderr, "not enabled\n") { |
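Review bot: the changed condition treats any runAntctl failure whose stderr ends with "not enabled\n" as a pass for every command in the table, not just the new serviceexternalip subcommand, so a genuinely broken command that happens to emit that suffix would be accepted silently; scope the check to the commands that depend on a feature gate and, when the feature is off, call t.Skip (or at least t.Log the reason) instead of falling through as a success.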
@tnqn I just pushed a new commit with a single line change here to fix the e2e error for antctl.
/test-all
/test-networkpolicy
@xliuxu please cherry-pick this to release-1.6
Remove the update permission for services/status of antrea-agent
service account. Remove the optimization for ExternalTrafficPolicy
setting to Local cases in ServiceExternalIP feature accordingly.
Signed-off-by: Xu Liu <xliu2@vmware.com>