Use env var

antrea-io · Dec 18, 2020 · e29bea1 · e29bea1
1 parent 784af6e
commit e29bea1
Show file tree

Hide file tree

Showing 10 changed files with 50 additions and 15 deletions.
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -1370,6 +1370,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: SERVICEACCOUNT_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         name: antrea-controller

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -1370,6 +1370,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: SERVICEACCOUNT_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         name: antrea-controller

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -1370,6 +1370,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: SERVICEACCOUNT_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         name: antrea-controller

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -1384,6 +1384,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: SERVICEACCOUNT_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         name: antrea-controller

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -1375,6 +1375,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: SERVICEACCOUNT_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         name: antrea-controller

diff --git a/build/yamls/base/controller.yml b/build/yamls/base/controller.yml
@@ -222,6 +222,11 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            # Provide ServiceAccount name for validation webhook.
+            - name: SERVICEACCOUNT_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
           ports:
             - containerPort: 10349
               name: api

diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md
@@ -86,10 +86,10 @@ Tier CRD object, that will be enforced after developer-created K8s NetworkPolici
 The details for these tiers are shown below:
 
 ```text
-    Emergency   -> Tier name "emergency" with priority "20"
-    SecurityOps -> Tier name "securityops" with priority "50"
-    NetworkOps  -> Tier name "networkops" with priority "100"
-    Platform    -> Tier name "platform" with priority "150"
+    Emergency   -> Tier name "emergency" with priority "50"
+    SecurityOps -> Tier name "securityops" with priority "100"
+    NetworkOps  -> Tier name "networkops" with priority "150"
+    Platform    -> Tier name "platform" with priority "200"
     Application -> Tier name "application" with priority "250"
     Baseline    -> Tier name "baseline" with priority "253"
 ```

diff --git a/pkg/controller/networkpolicy/tier.go b/pkg/controller/networkpolicy/tier.go
@@ -139,10 +139,10 @@ func (n *NetworkPolicyController) InitializeTiers() {
 			klog.V(2).Infof("%s Tier already created", t.Name)
 			// Update existing Emergency Tier's priority from 5 to 20.
 			oldPrio, ok := oldPriorityMap[t.Name]
-			if ok && oldPrio != oldTier.Spec.Priority {
+			if ok && oldPrio == oldTier.Spec.Priority {
 				tToUpdate := oldTier.DeepCopy()
 				tToUpdate.Spec.Priority = priorityMap[t.Name]
-				n.initTierUpdates(tToUpdate)
+				n.updateTier(tToUpdate)
 			}
 			continue
 		}
@@ -178,17 +178,17 @@ func (n *NetworkPolicyController) initTier(t *secv1alpha1.Tier) {
 	}
 }
 
-// initTierUpdates attempts to update Tiers using an
+// updateTier attempts to update Tiers using an
 // exponential backoff period from 1 to max of 8secs.
-func (n *NetworkPolicyController) initTierUpdates(t *secv1alpha1.Tier) {
+func (n *NetworkPolicyController) updateTier(t *secv1alpha1.Tier) {
 	var err error
 	const maxBackoffTime = 8 * time.Second
 	backoff := 1 * time.Second
 	retryAttempt := 1
 	for {
 		klog.V(2).Infof("Updating %s Tier", t.Name)
 		_, err = n.crdClient.SecurityV1alpha1().Tiers().Update(context.TODO(), t, metav1.UpdateOptions{})
-		// Attempt to recreate Tier after a backoff only if it does not exist.
+		// Attempt to update Tier after a backoff.
 		if err != nil {
 			klog.Warningf("Failed to update %s Tier on init: %v. Retry attempt: %d", t.Name, err, retryAttempt)
 			// Tier update may fail because antrea APIService is not yet ready

diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go
@@ -23,9 +23,11 @@ import (
 	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/klog"
 
 	secv1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/security/v1alpha1"
+	"github.com/vmware-tanzu/antrea/pkg/util/env"
 )
 
 // validator interface introduces the set of functions that must be implemented
@@ -409,12 +411,9 @@ func (t *tierValidator) updateValidate(curObj, oldObj interface{}, userInfo auth
 	reason := ""
 	curTier := curObj.(*secv1alpha1.Tier)
 	oldTier := oldObj.(*secv1alpha1.Tier)
-	// Allow exception of Tier Priority updates as we downgrade their priority intentionally
-	// from antrea-controller.
-	if oldPrio, ok := oldPriorityMap[curTier.Name]; ok {
-		if oldPrio == oldTier.Spec.Priority && priorityMap[curTier.Name] == curTier.Spec.Priority {
-			return "", true
-		}
+	// Allow exception of Tier Priority updates performed by the antrea-controller
+	if serviceaccount.MatchesUsername("kube-system", env.GetAntreaControllerServiceAccount(), userInfo.Username) {
+		return "", true
 	}
 	if curTier.Spec.Priority != oldTier.Spec.Priority {
 		allowed = false

diff --git a/pkg/util/env/env.go b/pkg/util/env/env.go
@@ -26,6 +26,7 @@ const (
 	nodeNameEnvKey     = "NODE_NAME"
 	podNameEnvKey      = "POD_NAME"
 	podNamespaceEnvKey = "POD_NAMESPACE"
+	svcAcctNameEnvKey  = "SERVICEACCOUNT_NAME"
 
 	antreaCloudEKSEnvKey = "ANTREA_CLOUD_EKS"
 )
@@ -66,6 +67,16 @@ func GetPodNamespace() string {
 	return podNamespace
 }
 
+// GetAntreaCtrlServiceAccountName returns the ServiceAccount's name associated with antrea-controller.
+func GetAntreaControllerServiceAccount() string {
+	svcAcctName := os.Getenv(svcAcctNameEnvKey)
+	if svcAcctName == "" {
+		// default value set for antrea-controller
+		svcAcctName = "antrea-controller"
+	}
+	return svcAcctName
+}
+
 func getBoolEnvVar(name string, defaultValue bool) bool {
 	if strValue := os.Getenv(name); strValue != "" {
 		parsedValue, err := strconv.ParseBool(strValue)