// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package injection
import (
"strings"
v1 "k8s.io/api/core/v1"
"istio.io/api/label"
"istio.io/api/annotation"
"istio.io/istio/galley/pkg/config/analysis"
"istio.io/istio/galley/pkg/config/analysis/analyzers/util"
"istio.io/istio/galley/pkg/config/analysis/msg"
"istio.io/istio/pkg/config/resource"
"istio.io/istio/pkg/config/schema/collection"
"istio.io/istio/pkg/config/schema/collections"
)
// Analyzer checks conditions related to Istio sidecar injection: whether a
// namespace carries an injection label, whether it carries conflicting ones,
// and whether pods in injected namespaces actually have an istio-proxy
// container.
type Analyzer struct{}

// Compile-time check that *Analyzer satisfies analysis.Analyzer.
var _ analysis.Analyzer = (*Analyzer)(nil)
// We assume that enablement is via an istio-injection=enabled or istio.io/rev namespace label
// In theory, there can be alternatives using Mutatingwebhookconfiguration, but they're very uncommon
// See https://istio.io/docs/ops/troubleshooting/injection/ for more info.
const (
	// InjectionLabelName is the legacy namespace label. Only a value equal to
	// InjectionLabelEnableValue counts as enabling injection; any other
	// non-empty value is treated as a deliberate opt-out.
	InjectionLabelName = "istio-injection"
	// InjectionLabelEnableValue is the single accepted value of InjectionLabelName.
	InjectionLabelEnableValue = "enabled"
	// RevisionInjectionLabelName is the revision-based label. Its presence
	// (any value) enables injection; combining it with a non-empty
	// InjectionLabelName is reported as a conflict by Analyze.
	RevisionInjectionLabelName = label.IstioRev
	// istioProxyName is the container name the pod check looks for. The check
	// is by name only; the container's image is not validated.
	istioProxyName = "istio-proxy"
)
// Metadata implements Analyzer.
//
// The analyzer declares the core/v1 Namespace and Pod collections as its
// only inputs.
func (a *Analyzer) Metadata() analysis.Metadata {
	inputs := collection.Names{
		collections.K8SCoreV1Namespaces.Name(),
		collections.K8SCoreV1Pods.Name(),
	}
	md := analysis.Metadata{
		Name:        "injection.Analyzer",
		Description: "Checks conditions related to Istio sidecar injection",
		Inputs:      inputs,
	}
	return md
}
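// Analyze implements Analyzer.
//
// It runs two passes. The first walks every non-system namespace and decides
// whether injection is enabled for it: NamespaceNotInjected is reported when
// the legacy istio-injection label is missing or empty and the istio.io/rev
// label is absent; NamespaceMultipleInjectionLabels is reported when the
// istio.io/rev label is present alongside a non-empty legacy label; a legacy
// label with any value other than "enabled" is treated as a deliberate opt-out
// and produces no finding. The second pass walks every pod in a namespace the
// first pass marked as injected and reports PodMissingProxy when no container
// named istio-proxy carries an image, unless the pod opted out with the
// SidecarInject annotation set to "false".
func (a *Analyzer) Analyze(c analysis.Context) {
	injected := a.injectedNamespaces(c)
	a.checkPods(c, injected)
}

// injectedNamespaces returns the set of namespace names for which sidecar
// injection is considered enabled, reporting namespace-level findings along
// the way. System namespaces are skipped without being reported.
func (a *Analyzer) injectedNamespaces(c analysis.Context) map[string]bool {
	injected := make(map[string]bool)
	c.ForEach(collections.K8SCoreV1Namespaces.Name(), func(r *resource.Instance) bool {
		nsName := r.Metadata.FullName.String()
		if util.IsSystemNamespace(resource.Namespace(nsName)) {
			return true
		}
		legacyValue := r.Metadata.Labels[InjectionLabelName]
		_, hasRevisionLabel := r.Metadata.Labels[RevisionInjectionLabelName]

		switch {
		case legacyValue == "" && !hasRevisionLabel:
			// TODO: if Istio is installed with sidecarInjectorWebhook.enableNamespacesByDefault=true
			// (in the istio-sidecar-injector configmap), we need to reverse this logic and treat this as an injected namespace
			c.Report(collections.K8SCoreV1Namespaces.Name(), msg.NewNamespaceNotInjected(r, nsName, nsName))
			return true
		case hasRevisionLabel && legacyValue != "":
			// Both labels are set: report the conflict and do not count the
			// namespace as injected, rather than picking one label.
			c.Report(collections.K8SCoreV1Namespaces.Name(),
				msg.NewNamespaceMultipleInjectionLabels(r, nsName, nsName))
			return true
		case !hasRevisionLabel && legacyValue != InjectionLabelEnableValue:
			// If legacy label has any value other than the enablement value, they are deliberately not injecting it, so ignore
			return true
		}
		injected[nsName] = true
		return true
	})
	return injected
}

// checkPods reports PodMissingProxy for every pod that lives in one of the
// injected namespaces, has not opted out via the SidecarInject annotation,
// and has no container named istio-proxy with a non-empty image.
func (a *Analyzer) checkPods(c analysis.Context, injected map[string]bool) {
	c.ForEach(collections.K8SCoreV1Pods.Name(), func(r *resource.Instance) bool {
		pod, ok := r.Message.(*v1.Pod)
		if !ok {
			// The Pods collection is expected to carry *v1.Pod; skip anything
			// else rather than panicking on an unchecked assertion.
			return true
		}
		if !injected[pod.GetNamespace()] {
			return true
		}
		// If a pod has injection explicitly disabled, no need to check further
		if val := pod.GetAnnotations()[annotation.SidecarInject.Name]; strings.EqualFold(val, "false") {
			return true
		}
		if proxyImage(pod) == "" {
			c.Report(collections.K8SCoreV1Pods.Name(), msg.NewPodMissingProxy(r))
		}
		return true
	})
}

// proxyImage returns the image of the first container named istio-proxy, or
// "" when the pod has no such container or that container has no image set.
// Only pod.Spec.Containers is consulted, and the match is by container name
// alone: this confirms a proxy container is declared, not that its image is
// the Istio proxy.
func proxyImage(pod *v1.Pod) string {
	for i := range pod.Spec.Containers {
		if pod.Spec.Containers[i].Name == istioProxyName {
			return pod.Spec.Containers[i].Image
		}
	}
	return ""
}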