Merge pull request #247 from ltagliamonte-dd/master

make configurable the cache refresh interval
jtblin · Dec 19, 2019 · 47b54eb · 47b54eb
2 parents b4d482c + 2e6efc1
commit 47b54eb
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -571,6 +571,7 @@ Usage of kube2iam:
       --metadata-addr string                  Address for the ec2 metadata (default "169.254.169.254")
       --metrics-port string                   Metrics server http port (default: same as kube2iam server port) (default "8181")
       --namespace-key string                  Namespace annotation key used to retrieve the IAM roles allowed (value in annotation should be json array) (default "iam.amazonaws.com/allowed-roles")
+      --cache-resync-period                   Refresh interval for pod and namespace caches
       --namespace-restriction-format string   Namespace Restriction Format (glob/regexp) (default "glob")
       --namespace-restrictions                Enable namespace restrictions
       --node string                           Name of the node where kube2iam is running

diff --git a/cmd/main.go b/cmd/main.go
@@ -33,6 +33,7 @@ func addFlags(s *server.Server, fs *pflag.FlagSet) {
 	fs.BoolVar(&s.NamespaceRestriction, "namespace-restrictions", false, "Enable namespace restrictions")
 	fs.StringVar(&s.NamespaceRestrictionFormat, "namespace-restriction-format", s.NamespaceRestrictionFormat, "Namespace Restriction Format (glob/regexp)")
 	fs.StringVar(&s.NamespaceKey, "namespace-key", s.NamespaceKey, "Namespace annotation key used to retrieve the IAM roles allowed (value in annotation should be json array)")
+	fs.DurationVar(&s.CacheResyncPeriod, "cache-resync-period", s.CacheResyncPeriod, "Kubernetes caches resync period")
 	fs.StringVar(&s.HostIP, "host-ip", s.HostIP, "IP address of host")
 	fs.StringVar(&s.NodeName, "node", s.NodeName, "Name of the node where kube2iam is running")
 	fs.DurationVar(&s.BackoffMaxInterval, "backoff-max-interval", s.BackoffMaxInterval, "Max interval for backoff when querying for role.")

diff --git a/iam/iam.go b/iam/iam.go
@@ -155,7 +155,7 @@ func (iam *Client) AssumeRole(roleARN, externalID string, remoteIP string, sessi
 			RoleSessionName: aws.String(sessionName(roleARN, remoteIP)),
 		}
 		// Only inject the externalID if one was provided with the request
-		if (externalID != "") {
+		if externalID != "" {
 			assumeRoleInput.SetExternalId(externalID)
 		}
 		resp, err := svc.AssumeRole(&assumeRoleInput)

diff --git a/k8s/k8s.go b/k8s/k8s.go
@@ -7,7 +7,7 @@ import (
 	"github.com/jtblin/kube2iam"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/pkg/api/v1"
+	v1 "k8s.io/client-go/pkg/api/v1"
 	selector "k8s.io/client-go/pkg/fields"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
@@ -16,8 +16,6 @@ import (
 const (
 	podIPIndexName     = "byPodIP"
 	namespaceIndexName = "byName"
-	// Resync period for the kube controller loop.
-	resyncPeriod = 30 * time.Minute
 )
 
 // Client represents a kubernetes client.
@@ -40,7 +38,7 @@ func (k8s *Client) createPodLW() *cache.ListWatch {
 }
 
 // WatchForPods watches for pod changes.
-func (k8s *Client) WatchForPods(podEventLogger cache.ResourceEventHandler) cache.InformerSynced {
+func (k8s *Client) WatchForPods(podEventLogger cache.ResourceEventHandler, resyncPeriod time.Duration) cache.InformerSynced {
 	k8s.podIndexer, k8s.podController = cache.NewIndexerInformer(
 		k8s.createPodLW(),
 		&v1.Pod{},
@@ -58,7 +56,7 @@ func (k8s *Client) createNamespaceLW() *cache.ListWatch {
 }
 
 // WatchForNamespaces watches for namespaces changes.
-func (k8s *Client) WatchForNamespaces(nsEventLogger cache.ResourceEventHandler) cache.InformerSynced {
+func (k8s *Client) WatchForNamespaces(nsEventLogger cache.ResourceEventHandler, resyncPeriod time.Duration) cache.InformerSynced {
 	k8s.namespaceIndexer, k8s.namespaceController = cache.NewIndexerInformer(
 		k8s.createNamespaceLW(),
 		&v1.Namespace{},

diff --git a/mappings/mapper.go b/mappings/mapper.go
@@ -163,13 +163,13 @@ func (r *RoleMapper) DumpDebugInfo() map[string]interface{} {
 // NewRoleMapper returns a new RoleMapper for use.
 func NewRoleMapper(roleKey string, externalIDKey string, defaultRole string, namespaceRestriction bool, namespaceKey string, iamInstance *iam.Client, kubeStore store, namespaceRestrictionFormat string) *RoleMapper {
 	return &RoleMapper{
-		defaultRoleARN:       iamInstance.RoleARN(defaultRole),
-		iamRoleKey:           roleKey,
-		iamExternalIDKey:     externalIDKey,
-		namespaceKey:         namespaceKey,
-		namespaceRestriction: namespaceRestriction,
-		iam:                  iamInstance,
-		store:                kubeStore,
+		defaultRoleARN:             iamInstance.RoleARN(defaultRole),
+		iamRoleKey:                 roleKey,
+		iamExternalIDKey:           externalIDKey,
+		namespaceKey:               namespaceKey,
+		namespaceRestriction:       namespaceRestriction,
+		iam:                        iamInstance,
+		store:                      kubeStore,
 		namespaceRestrictionFormat: namespaceRestrictionFormat,
 	}
 }
diff --git a/server/server.go b/server/server.go
@@ -36,6 +36,7 @@ const (
 	defaultMaxInterval                = 1 * time.Second
 	defaultMetadataAddress            = "169.254.169.254"
 	defaultNamespaceKey               = "iam.amazonaws.com/allowed-roles"
+	defaultCacheResyncPeriod          = 30 * time.Minute
 	defaultNamespaceRestrictionFormat = "glob"
 	healthcheckInterval               = 30 * time.Second
 )
@@ -60,6 +61,7 @@ type Server struct {
 	HostIP                     string
 	NodeName                   string
 	NamespaceKey               string
+	CacheResyncPeriod          time.Duration
 	LogLevel                   string
 	LogFormat                  string
 	NamespaceRestrictionFormat string
@@ -375,8 +377,9 @@ func (s *Server) Run(host, token, nodeName string, insecure bool) error {
 	s.iam = iam.NewClient(s.BaseRoleARN, s.UseRegionalStsEndpoint)
 	log.Debugln("Caches have been synced.  Proceeding with server.")
 	s.roleMapper = mappings.NewRoleMapper(s.IAMRoleKey, s.IAMExternalID, s.DefaultIAMRole, s.NamespaceRestriction, s.NamespaceKey, s.iam, s.k8s, s.NamespaceRestrictionFormat)
-	podSynched := s.k8s.WatchForPods(kube2iam.NewPodHandler(s.IAMRoleKey))
-	namespaceSynched := s.k8s.WatchForNamespaces(kube2iam.NewNamespaceHandler(s.NamespaceKey))
+	log.Debugf("Starting pod and namespace sync jobs with %s resync period", s.CacheResyncPeriod.String())
+	podSynched := s.k8s.WatchForPods(kube2iam.NewPodHandler(s.IAMRoleKey), s.CacheResyncPeriod)
+	namespaceSynched := s.k8s.WatchForNamespaces(kube2iam.NewNamespaceHandler(s.NamespaceKey), s.CacheResyncPeriod)
 
 	synced := false
 	for i := 0; i < defaultCacheSyncAttempts && !synced; i++ {
@@ -435,6 +438,7 @@ func NewServer() *Server {
 		LogFormat:                  defaultLogFormat,
 		MetadataAddress:            defaultMetadataAddress,
 		NamespaceKey:               defaultNamespaceKey,
+		CacheResyncPeriod:          defaultCacheResyncPeriod,
 		NamespaceRestrictionFormat: defaultNamespaceRestrictionFormat,
 		HealthcheckFailReason:      "Healthcheck not yet performed",
 		IAMRoleSessionTTL:          defaultIAMRoleSessionTTL,