/
k8s.go
178 lines (159 loc) · 5.69 KB
/
k8s.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
package k8s
import (
"fmt"
"time"
"github.com/jtblin/kube2iam"
"github.com/jtblin/kube2iam/metrics"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
selector "k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/cache"
)
const (
podIPIndexName = "byPodIP"
namespaceIndexName = "byName"
)
// Client represents a kubernetes client.
type Client struct {
*kubernetes.Clientset
namespaceController cache.Controller
namespaceIndexer cache.Indexer
podController cache.Controller
podIndexer cache.Indexer
nodeName string
resolveDupIPs bool
}
// Returns a cache.ListWatch that gets all changes to pods.
func (k8s *Client) createPodLW() *cache.ListWatch {
fieldSelector := selector.Everything()
if k8s.nodeName != "" {
fieldSelector = selector.OneTermEqualSelector("spec.nodeName", k8s.nodeName)
}
return cache.NewListWatchFromClient(k8s.CoreV1().RESTClient(), "pods", v1.NamespaceAll, fieldSelector)
}
// WatchForPods watches for pod changes.
func (k8s *Client) WatchForPods(podEventLogger cache.ResourceEventHandler, resyncPeriod time.Duration) cache.InformerSynced {
k8s.podIndexer, k8s.podController = cache.NewIndexerInformer(
k8s.createPodLW(),
&v1.Pod{},
resyncPeriod,
podEventLogger,
cache.Indexers{podIPIndexName: kube2iam.PodIPIndexFunc},
)
go k8s.podController.Run(wait.NeverStop)
return k8s.podController.HasSynced
}
// returns a cache.ListWatch of namespaces.
func (k8s *Client) createNamespaceLW() *cache.ListWatch {
return cache.NewListWatchFromClient(k8s.CoreV1().RESTClient(), "namespaces", v1.NamespaceAll, selector.Everything())
}
// WatchForNamespaces watches for namespaces changes.
func (k8s *Client) WatchForNamespaces(nsEventLogger cache.ResourceEventHandler, resyncPeriod time.Duration) cache.InformerSynced {
k8s.namespaceIndexer, k8s.namespaceController = cache.NewIndexerInformer(
k8s.createNamespaceLW(),
&v1.Namespace{},
resyncPeriod,
nsEventLogger,
cache.Indexers{namespaceIndexName: kube2iam.NamespaceIndexFunc},
)
go k8s.namespaceController.Run(wait.NeverStop)
return k8s.namespaceController.HasSynced
}
// ListPodIPs returns the underlying set of pods being managed/indexed
func (k8s *Client) ListPodIPs() []string {
// Decided to simply dump this and leave it up to consumer
// as k8s package currently doesn't need to be concerned about what's
// a signficant annotation to process, that is left up to store/server
return k8s.podIndexer.ListIndexFuncValues(podIPIndexName)
}
// ListNamespaces returns the underlying set of namespaces being managed/indexed
func (k8s *Client) ListNamespaces() []string {
return k8s.namespaceIndexer.ListIndexFuncValues(namespaceIndexName)
}
// PodByIP provides the representation of the pod itself being cached keyed off of it's IP
// Returns an error if there are multiple pods attempting to be keyed off of the same IP
// (Which happens when they of type `hostNetwork: true`)
func (k8s *Client) PodByIP(IP string) (*v1.Pod, error) {
pods, err := k8s.podIndexer.ByIndex(podIPIndexName, IP)
if err != nil {
return nil, err
}
if len(pods) == 0 {
metrics.PodNotFoundInCache.Inc()
return nil, fmt.Errorf("pod with specificed IP not found")
}
if len(pods) == 1 {
return pods[0].(*v1.Pod), nil
}
if !k8s.resolveDupIPs {
podNames := make([]string, len(pods))
for i, pod := range pods {
podNames[i] = pod.(*v1.Pod).ObjectMeta.Name
}
return nil, fmt.Errorf("%d pods (%v) with the ip %s indexed", len(pods), podNames, IP)
}
pod, err := resolveDuplicatedIP(k8s, IP)
if err != nil {
return nil, err
}
return pod, nil
}
// resolveDuplicatedIP queries the k8s api server trying to make a decision based on NON cached data
// If the indexed pods all have HostNetwork = true the function return nil and the error message.
// If we retrive a running pod that doesn't have HostNetwork = true and it is in Running state will return that.
func resolveDuplicatedIP(k8s *Client, IP string) (*v1.Pod, error) {
runningPodList, err := k8s.CoreV1().Pods("").List(metav1.ListOptions{
FieldSelector: selector.OneTermEqualSelector("status.podIP", IP).String(),
})
metrics.K8sAPIDupReqCount.Inc()
if err != nil {
return nil, fmt.Errorf("resolveDuplicatedIP: Error retriving the pod with IP %s from the k8s api", IP)
}
for _, pod := range runningPodList.Items {
if !pod.Spec.HostNetwork && string(pod.Status.Phase) == "Running" {
metrics.K8sAPIDupReqSuccesCount.Inc()
return &pod, nil
}
}
error := fmt.Errorf("more than a pod with the same IP has been indexed, this can happen when pods have hostNetwork: true")
return nil, error
}
// NamespaceByName retrieves a namespace by it's given name.
// Returns an error if there are no namespaces available
func (k8s *Client) NamespaceByName(namespaceName string) (*v1.Namespace, error) {
namespace, err := k8s.namespaceIndexer.ByIndex(namespaceIndexName, namespaceName)
if err != nil {
return nil, err
}
if len(namespace) == 0 {
return nil, fmt.Errorf("namespace was not found")
}
return namespace[0].(*v1.Namespace), nil
}
// NewClient returns a new kubernetes client.
func NewClient(host, token, nodeName string, insecure, resolveDupIPs bool) (*Client, error) {
var config *rest.Config
var err error
if host != "" && token != "" {
config = &rest.Config{
Host: host,
BearerToken: token,
TLSClientConfig: rest.TLSClientConfig{
Insecure: insecure,
},
}
} else {
config, err = rest.InClusterConfig()
if err != nil {
return nil, err
}
}
client, err := kubernetes.NewForConfig(config)
if err != nil {
return nil, err
}
return &Client{Clientset: client, nodeName: nodeName, resolveDupIPs: resolveDupIPs}, nil
}