From 5010aaafd4fca4d7e892f96045393f293521e958 Mon Sep 17 00:00:00 2001
From: Krzysztof Klimonda
Date: Thu, 20 Apr 2023 13:09:50 +0200
Subject: [PATCH] Add tolerations for node taints when creating privileged pod

When the target pod is running on a node with additional taints, the privileged pod cannot be created unless it has matching tolerations.

Closes: #167
---
 kube/kubernetes_api_service.go | 16 ++++++++++++++--
 .../sniffer/privileged_pod_sniffer_service.go | 15 +++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/kube/kubernetes_api_service.go b/kube/kubernetes_api_service.go
index 1ed14a6..a29bb93 100644
--- a/kube/kubernetes_api_service.go
+++ b/kube/kubernetes_api_service.go
@@ -23,9 +23,11 @@ import (
 type KubernetesApiService interface {
 	ExecuteCommand(podName string, containerName string, command []string, stdOut io.Writer) (int, error)
+	GetNodeTaints(nodeName string) ([]corev1.Taint, error)
+
 	DeletePod(podName string) error
-	CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string) (*corev1.Pod, error)
+	CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string, tolerations []corev1.Toleration) (*corev1.Pod, error)
 	UploadFile(localPath string, remotePath string, podName string, containerName string) error
 }
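Review bot: The new `GetNodeTaints` method is added to the exported `KubernetesApiService` interface without a doc comment, and the same applies to its implementation in the next hunk of this file. A one-line comment such as `// GetNodeTaints returns the taints currently set on the node named nodeName.` above both the interface method and the implementation would tell callers what to expect. The added blank line between `GetNodeTaints` and `DeletePod` splits the method list without an obvious grouping; dropping it keeps the interface compact. Any other implementation or generated mock of `KubernetesApiService` that exists outside this patch will stop compiling until it gains the new method and the extra `tolerations` parameter.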
@@ -102,7 +104,16 @@ func (k *KubernetesApiServiceImpl) DeletePod(podName string) error {
 	return err
 }
 
-func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string) (*corev1.Pod, error) {
+func (k *KubernetesApiServiceImpl) GetNodeTaints(nodeName string) ([]corev1.Taint, error) {
+	node, err := k.clientset.CoreV1().Nodes().Get(context.TODO(), nodeName, v1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	return node.Spec.Taints, nil
+}
+
+func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string, tolerations []corev1.Toleration) (*corev1.Pod, error) {
 	log.Debugf("creating privileged pod on remote node")
 
 	isSupported, err := k.IsSupportedContainerRuntime(nodeName)
@@ -172,6 +183,7 @@ func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containe
 			RestartPolicy: corev1.RestartPolicyNever,
 			HostPID: true,
 			Containers: []corev1.Container{privilegedContainer},
+			Tolerations: tolerations,
 			Volumes: []corev1.Volume{
 				{
 					Name: "host",
diff --git a/pkg/service/sniffer/privileged_pod_sniffer_service.go b/pkg/service/sniffer/privileged_pod_sniffer_service.go
index 9c101a5..6861c38 100644
--- a/pkg/service/sniffer/privileged_pod_sniffer_service.go
+++ b/pkg/service/sniffer/privileged_pod_sniffer_service.go
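Review bot: `GetNodeTaints` performs a cluster-scoped `Nodes().Get`, so `Setup` now needs RBAC permission to get nodes even when the target node carries no taints; a user whose role only allows pod operations will hit a Forbidden error here where pod creation previously succeeded on untainted nodes. If `IsSupportedContainerRuntime(nodeName)`, called a few lines below, already fetches the same Node object, the taints could be read from that object instead of issuing a second GET. Otherwise consider treating a Forbidden response as "no tolerations" with a logged warning (`errors.IsForbidden` from `k8s.io/apimachinery/pkg/api/errors`) rather than aborting, and wrap the returned error with the node name so the failure is attributable in the log. The `context.TODO()` presumably matches the rest of the file; if the service has a request context available it should be threaded through here too.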
@@ -42,6 +42,20 @@ func (p *PrivilegedPodSnifferService) Setup() error {
 		p.settings.SocketPath = p.runtimeBridge.GetDefaultSocketPath()
 	}
 
+	nodeTaints, err := p.kubernetesApiService.GetNodeTaints(p.settings.DetectedPodNodeName)
+	if err != nil {
+		return err
+	}
+
+	tolerations := make([]v1.Toleration, 0)
+	for _, taint := range nodeTaints {
+		tolerations = append(tolerations, v1.Toleration{
+			Key: taint.Key,
+			Operator: v1.TolerationOpExists,
+			Effect: taint.Effect,
+		})
+	}
+
 	p.privilegedPod, err = p.kubernetesApiService.CreatePrivilegedPod(
 		p.settings.DetectedPodNodeName,
 		p.privilegedContainerName,
@@ -49,6 +63,7 @@ func (p *PrivilegedPodSnifferService) Setup() error {
 		p.settings.SocketPath,
 		p.settings.UserSpecifiedPodCreateTimeout,
 		p.settings.UserSpecifiedServiceAccount,
+		tolerations,
 	)
 	if err != nil {
 		log.WithError(err).Errorf("failed to create privileged pod on node: '%s'", p.settings.DetectedPodNodeName)
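Review bot: The error from `GetNodeTaints` at the top of the hunk is returned bare, while the sibling failure a few lines below logs the node name; wrap it so an operator can tell which node lookup failed, e.g. `return fmt.Errorf("getting taints of node %q: %w", p.settings.DetectedPodNodeName, err)` (assuming `fmt` is imported in this file). The loop mirrors every taint on the target node with `Operator: Exists`, which deliberately lets the HostPID privileged pod land on nodes whose taints (a control-plane `NoSchedule`, for instance) would normally keep workloads off them; that is what the commit intends, but a comment such as `// Tolerate every taint on the target node so the privileged pod can be scheduled beside the target pod; Exists matches regardless of the taint value.` plus a `log.Debugf` of the generated tolerations would make the behaviour visible in the sniff log. `make([]v1.Toleration, 0)` can simply be `var tolerations []v1.Toleration`, since `append` handles a nil slice. `Setup` starts and ends outside this hunk.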