Switch traceflow CRD validation to webhook validation.

Currently, the traceflow CRD validation is executed in run-time, which is less user-friendly than the webhook validation. I moved most of the validation to the webhook validation. Signed-off-by: shi0rik0 <anguuan@outlook.com>
antrea-io · Jul 11, 2023 · ec9d9ba · ec9d9ba
1 parent 1174935
commit ec9d9ba
Show file tree

Hide file tree

Showing 6 changed files with 208 additions and 41 deletions.
diff --git a/cmd/antrea-controller/controller.go b/cmd/antrea-controller/controller.go
@@ -113,6 +113,7 @@ var allowedPaths = []string{
 	"/validate/group",
 	"/validate/ippool",
 	"/validate/supportbundlecollection",
+	"/validate/traceflow",
 	"/convert/clustergroup",
 }
 
@@ -291,6 +292,7 @@ func run(o *Options) error {
 		egressController,
 		statsAggregator,
 		bundleCollectionController,
+		traceflowController,
 		*o.config.EnablePrometheusMetrics,
 		cipherSuites,
 		cipher.TLSVersionMap[o.config.TLSMinVersion])
@@ -476,6 +478,7 @@ func createAPIServerConfig(kubeconfig string,
 	egressController *egress.EgressController,
 	statsAggregator *stats.Aggregator,
 	bundleCollectionStore *supportbundlecollection.Controller,
+	traceflowController *traceflow.Controller,
 	enableMetrics bool,
 	cipherSuites []uint16,
 	tlsMinVersion uint16) (*apiserver.Config, error) {
@@ -542,5 +545,6 @@ func createAPIServerConfig(kubeconfig string,
 		endpointQuerier,
 		npController,
 		egressController,
-		bundleCollectionStore), nil
+		bundleCollectionStore,
+		traceflowController), nil
 }
diff --git a/pkg/agent/controller/traceflow/traceflow_controller.go b/pkg/agent/controller/traceflow/traceflow_controller.go
@@ -300,16 +300,6 @@ func (c *Controller) startTraceflow(tf *crdv1alpha1.Traceflow) error {
 		return err
 	}
 
-	liveTraffic := tf.Spec.LiveTraffic
-	if tf.Spec.Source.Pod == "" && tf.Spec.Destination.Pod == "" {
-		klog.Errorf("Traceflow %s has neither source nor destination Pod specified", tf.Name)
-		return nil
-	}
-	if tf.Spec.Source.Pod == "" && !liveTraffic {
-		klog.Errorf("Traceflow %s does not have source Pod specified", tf.Name)
-		return nil
-	}
-
 	receiverOnly := false
 	var pod, ns string
 	if tf.Spec.Source.Pod != "" {
@@ -327,6 +317,7 @@ func (c *Controller) startTraceflow(tf *crdv1alpha1.Traceflow) error {
 	podInterfaces := c.interfaceStore.GetContainerInterfacesByPod(pod, ns)
 	isSender := len(podInterfaces) > 0 && !receiverOnly
 
+	liveTraffic := tf.Spec.LiveTraffic
 	var packet, matchPacket *binding.Packet
 	var ofPort uint32
 	if len(podInterfaces) > 0 {
@@ -383,16 +374,10 @@ func (c *Controller) startTraceflow(tf *crdv1alpha1.Traceflow) error {
 }
 
 func (c *Controller) validateTraceflow(tf *crdv1alpha1.Traceflow) error {
-	if tf.Spec.Destination.Service != "" && !features.DefaultFeatureGate.Enabled(features.AntreaProxy) {
-		return errors.New("using Service destination requires AntreaProxy feature enabled")
-	}
+	// When AntreaProxy is enabled, serviceCIDR is not required and may be set to a
+	// default value which does not match the cluster configuration.
 	if tf.Spec.Destination.IP != "" {
 		destIP := net.ParseIP(tf.Spec.Destination.IP)
-		if destIP == nil {
-			return fmt.Errorf("destination IP is not valid: %s", tf.Spec.Destination.IP)
-		}
-		// When AntreaProxy is enabled, serviceCIDR is not required and may be set to a
-		// default value which does not match the cluster configuration.
 		if !features.DefaultFeatureGate.Enabled(features.AntreaProxy) && c.serviceCIDR.Contains(destIP) {
 			return errors.New("using ClusterIP destination requires AntreaProxy feature enabled")
 		}

diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
@@ -66,6 +66,7 @@ import (
 	"antrea.io/antrea/pkg/controller/querier"
 	"antrea.io/antrea/pkg/controller/stats"
 	controllerbundlecollection "antrea.io/antrea/pkg/controller/supportbundlecollection"
+	"antrea.io/antrea/pkg/controller/traceflow"
 	"antrea.io/antrea/pkg/features"
 )
 
@@ -116,6 +117,7 @@ type ExtraConfig struct {
 	statsAggregator               *stats.Aggregator
 	networkPolicyStatusController *controllernetworkpolicy.StatusController
 	bundleCollectionController    *controllerbundlecollection.Controller
+	traceflowController           *traceflow.Controller
 }
 
 // Config defines the config for Antrea apiserver.
@@ -158,7 +160,8 @@ func NewConfig(
 	endpointQuerier controllernetworkpolicy.EndpointQuerier,
 	npController *controllernetworkpolicy.NetworkPolicyController,
 	egressController *egress.EgressController,
-	bundleCollectionController *controllerbundlecollection.Controller) *Config {
+	bundleCollectionController *controllerbundlecollection.Controller,
+	traceflowController *traceflow.Controller) *Config {
 	return &Config{
 		genericConfig: genericConfig,
 		extraConfig: ExtraConfig{
@@ -178,6 +181,7 @@ func NewConfig(
 			networkPolicyStatusController: networkPolicyStatusController,
 			egressController:              egressController,
 			bundleCollectionController:    bundleCollectionController,
+			traceflowController:           traceflowController,
 		},
 	}
 }
@@ -333,6 +337,10 @@ func installHandlers(c *ExtraConfig, s *genericapiserver.GenericAPIServer) {
 	if features.DefaultFeatureGate.Enabled(features.SupportBundleCollection) {
 		s.Handler.NonGoRestfulMux.HandleFunc("/validate/supportbundlecollection", webhook.HandlerForValidateFunc(c.bundleCollectionController.Validate))
 	}
+
+	if features.DefaultFeatureGate.Enabled(features.Traceflow) {
+		s.Handler.NonGoRestfulMux.HandleFunc("/validate/traceflow", webhook.HandlerForValidateFunc(c.traceflowController.Validate))
+	}
 }
 
 func DefaultCAConfig() *certificate.CAConfig {

diff --git a/pkg/controller/traceflow/controller.go b/pkg/controller/traceflow/controller.go
@@ -37,7 +37,6 @@ import (
 	crdinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1"
 	crdlisters "antrea.io/antrea/pkg/client/listers/crd/v1alpha1"
 	"antrea.io/antrea/pkg/controller/grouping"
-	"antrea.io/antrea/pkg/util/k8s"
 )
 
 const (
@@ -249,10 +248,6 @@ func (c *Controller) syncTraceflow(traceflowName string) error {
 }
 
 func (c *Controller) startTraceflow(tf *crdv1alpha1.Traceflow) error {
-	if err := c.validateTraceflow(tf); err != nil {
-		klog.ErrorS(err, "Invalid Traceflow request", "request", tf)
-		return c.updateTraceflowStatus(tf, crdv1alpha1.Failed, fmt.Sprintf("Invalid Traceflow request, err: %+v", err), 0)
-	}
 	// Allocate data plane tag.
 	tag, err := c.allocateTag(tf.Name)
 	if err != nil {
@@ -413,19 +408,3 @@ func (c *Controller) deallocateTag(name string, tag uint8) {
 		}
 	}
 }
-
-func (c *Controller) validateTraceflow(tf *crdv1alpha1.Traceflow) error {
-	if !tf.Spec.LiveTraffic {
-		srcPod, err := c.podLister.Pods(tf.Spec.Source.Namespace).Get(tf.Spec.Source.Pod)
-		if err != nil {
-			if apierrors.IsNotFound(err) {
-				err = fmt.Errorf("requested source Pod %s not found", k8s.NamespacedName(tf.Spec.Source.Namespace, tf.Spec.Source.Pod))
-			}
-			return err
-		}
-		if srcPod.Spec.HostNetwork {
-			return fmt.Errorf("using hostNetwork Pod as source in non-live-traffic Traceflow is not supported")
-		}
-	}
-	return nil
-}
diff --git a/pkg/controller/traceflow/validate.go b/pkg/controller/traceflow/validate.go
@@ -0,0 +1,103 @@
+package traceflow
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+
+	crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+	"antrea.io/antrea/pkg/features"
+	"antrea.io/antrea/pkg/util/k8s"
+	admv1 "k8s.io/api/admission/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
+)
+
+func (c *Controller) Validate(review *admv1.AdmissionReview) (resp *admv1.AdmissionResponse) {
+	allowed := true
+	deniedReason := ""
+	var err error
+
+	defer func() {
+		if err == nil {
+			resp = &admv1.AdmissionResponse{
+				UID:     review.Request.UID,
+				Allowed: allowed,
+				Result: &metav1.Status{
+					Message: deniedReason,
+				},
+			}
+		} else {
+			resp = &admv1.AdmissionResponse{
+				UID:     review.Request.UID,
+				Allowed: false,
+				Result: &metav1.Status{
+					Message: err.Error(),
+				},
+			}
+		}
+	}()
+
+	klog.V(2).InfoS("Validating Traceflow", "request", review.Request)
+
+	var newObj, oldObj crdv1alpha1.Traceflow
+	if review.Request.Object.Raw != nil {
+		if err := json.Unmarshal(review.Request.Object.Raw, &newObj); err != nil {
+			klog.ErrorS(err, "Error de-serializing current Traceflow")
+			return
+		}
+	}
+	if review.Request.OldObject.Raw != nil {
+		if err := json.Unmarshal(review.Request.OldObject.Raw, &oldObj); err != nil {
+			klog.ErrorS(err, "Error de-serializing old Traceflow")
+			return
+		}
+	}
+
+	switch review.Request.Operation {
+	case admv1.Create:
+		klog.V(2).InfoS("Validating CREATE request for Traceflow")
+		allowed, deniedReason = c.validateCreate(&newObj)
+	case admv1.Update:
+		klog.V(2).InfoS("Validating UPDATE request for Traceflow")
+		allowed, deniedReason = c.validateUpdate(&oldObj, &newObj)
+	case admv1.Delete:
+		// This shouldn't happen with the webhook configuration we include in the Antrea YAML manifests.
+		klog.V(2).InfoS("Validating DELETE request for Traceflow")
+		// Always allow DELETE request.
+	}
+	return
+}
+
+func (c *Controller) validateCreate(tf *crdv1alpha1.Traceflow) (allowed bool, deniedReason string) {
+	if tf.Spec.Destination.Service != "" && !features.DefaultFeatureGate.Enabled(features.AntreaProxy) {
+		return false, "using Service destination requires AntreaProxy feature enabled"
+	}
+	if tf.Spec.Destination.IP != "" {
+		destIP := net.ParseIP(tf.Spec.Destination.IP)
+		if destIP == nil {
+			return false, fmt.Sprintf("destination IP is not valid: %s", tf.Spec.Destination.IP)
+		}
+	}
+	if !tf.Spec.LiveTraffic {
+		srcPod, err := c.podLister.Pods(tf.Spec.Source.Namespace).Get(tf.Spec.Source.Pod)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				err = fmt.Errorf("requested source Pod %s not found", k8s.NamespacedName(tf.Spec.Source.Namespace, tf.Spec.Source.Pod))
+			}
+			return false, err.Error()
+		}
+		if srcPod.Spec.HostNetwork {
+			return false, "using hostNetwork Pod as source in non-live-traffic Traceflow is not supported"
+		}
+	}
+	if tf.Spec.Source.Pod == "" && tf.Spec.Destination.Pod == "" {
+		return false, fmt.Sprintf("Traceflow %s has neither source nor destination Pod specified", tf.Name)
+	}
+	return true, ""
+}
+
+func (c *Controller) validateUpdate(oldTf, newTf *crdv1alpha1.Traceflow) (allowed bool, deniedReason string) {
+	return c.validateCreate(newTf)
+}
diff --git a/pkg/controller/traceflow/validate_test.go b/pkg/controller/traceflow/validate_test.go
@@ -0,0 +1,88 @@
+package traceflow
+
+import (
+	"encoding/json"
+	"testing"
+
+	crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
+
+	"github.com/stretchr/testify/assert"
+	admv1 "k8s.io/api/admission/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func TestControllerValidateTraceflow(t *testing.T) {
+	tests := []struct {
+		name string
+
+		// input
+		oldSpec *crdv1alpha1.TraceflowSpec
+		newSpec *crdv1alpha1.TraceflowSpec
+
+		// expected output
+		allowed      bool
+		deniedReason string
+	}{
+		{
+			name: "Validating destination IP",
+			newSpec: &crdv1alpha1.TraceflowSpec{
+				Destination: crdv1alpha1.Destination{IP: "foobar"},
+			},
+			deniedReason: "destination IP is not valid: foobar",
+		},
+		{
+			name: "Traceflow should have either source or destination Pod assigned",
+			newSpec: &crdv1alpha1.TraceflowSpec{
+				LiveTraffic: true,
+			},
+			deniedReason: "Traceflow tf has neither source nor destination Pod specified",
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			stopCh := make(chan struct{})
+			defer close(stopCh)
+			controller := newController()
+
+			var request *admv1.AdmissionRequest
+			if tc.oldSpec != nil && tc.newSpec != nil {
+				request = &admv1.AdmissionRequest{
+					Operation: admv1.Update,
+					OldObject: toRawExtension(tc.oldSpec),
+					Object:    toRawExtension(tc.newSpec),
+				}
+			} else if tc.newSpec != nil {
+				request = &admv1.AdmissionRequest{
+					Operation: admv1.Create,
+					Object:    toRawExtension(tc.newSpec),
+				}
+			} else {
+				t.Fatal("invalid test case")
+			}
+			review := &admv1.AdmissionReview{
+				Request: request,
+			}
+
+			expectedResponse := &admv1.AdmissionResponse{
+				Allowed: tc.allowed,
+				Result: &metav1.Status{
+					Message: tc.deniedReason,
+				},
+			}
+
+			response := controller.Validate(review)
+			assert.Equal(t, expectedResponse, response)
+		})
+	}
+}
+
+func toRawExtension(spec *crdv1alpha1.TraceflowSpec) runtime.RawExtension {
+	tf := &crdv1alpha1.Traceflow{Spec: *spec}
+	tf.Name = "tf"
+	raw, err := json.Marshal(tf)
+	if err != nil {
+		panic(err)
+	}
+	return runtime.RawExtension{Raw: raw}
+}