Merge pull request #934 from sanchezl/check-endpoints-reporting-compo…

…nent Bug 1878289: connectivity check events have ambiguous related object
openshift · Sep 15, 2020 · 94905e2 · 94905e2
2 parents a580c2a + e792c06
commit 94905e2
Show file tree

Hide file tree

Showing 7 changed files with 198 additions and 56 deletions.
diff --git a/bindata/v4.1.0/kube-apiserver/check-endpoints-clusterrole-node-reader.yaml b/bindata/v4.1.0/kube-apiserver/check-endpoints-clusterrole-node-reader.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:openshift:controller:check-endpoints-node-reader
+rules:
+  - resources:
+      - nodes
+    apiGroups:
+      - ""
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/bindata/v4.1.0/kube-apiserver/check-endpoints-clusterrole.yaml b/bindata/v4.1.0/kube-apiserver/check-endpoints-clusterrole.yaml
@@ -30,3 +30,14 @@ rules:
       - get
       - list
       - watch
+  - resources:
+      - events
+    apiGroups:
+      - ""
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
diff --git a/...r/check-endpoints-clusterrolebinding.yaml → ...ts-clusterrolebinding-auth-delegator.yaml b/...r/check-endpoints-clusterrolebinding.yaml → ...ts-clusterrolebinding-auth-delegator.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:openshift:controller:kube-apiserver-check-endpoints
+  name: system:openshift:controller:kube-apiserver-check-endpoints-auth-delegator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/bindata/v4.1.0/kube-apiserver/check-endpoints-clusterrolebinding-node-reader.yaml b/bindata/v4.1.0/kube-apiserver/check-endpoints-clusterrolebinding-node-reader.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:openshift:controller:kube-apiserver-check-endpoints-node-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:controller:check-endpoints-node-reader
+subjects:
+  - kind: User
+    name: system:serviceaccount:openshift-kube-apiserver:check-endpoints
diff --git a/pkg/cmd/checkendpoints/cmd.go b/pkg/cmd/checkendpoints/cmd.go
@@ -10,25 +10,55 @@ import (
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/cmd/checkendpoints/controller"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/version"
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resource/retry"
 	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 )
 
 func NewCheckEndpointsCommand() *cobra.Command {
 	config := controllercmd.NewControllerCommandConfig("check-endpoints", version.Get(), func(ctx context.Context, cctx *controllercmd.ControllerContext) error {
+		podName := os.Getenv("POD_NAME")
 		namespace := os.Getenv("POD_NAMESPACE")
 		kubeClient := kubernetes.NewForConfigOrDie(cctx.ProtoKubeConfig)
 		operatorcontrolplaneClient := operatorcontrolplaneclient.NewForConfigOrDie(cctx.KubeConfig)
 		kubeInformers := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute, informers.WithNamespace(namespace))
 		operatorcontrolplaneInformers := operatorcontrolplaneinformers.NewSharedInformerFactoryWithOptions(operatorcontrolplaneClient, 10*time.Minute, operatorcontrolplaneinformers.WithNamespace(namespace))
+
+		var involvedObjectRef *corev1.ObjectReference
+		err := retry.RetryOnConnectionErrors(ctx, func(context.Context) (bool, error) {
+			pod, err := kubeClient.CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{})
+			if err != nil {
+				return false, err
+			}
+			node, err := kubeClient.CoreV1().Nodes().Get(ctx, pod.Spec.NodeName, metav1.GetOptions{})
+			if err != nil {
+				return false, err
+			}
+			involvedObjectRef = &corev1.ObjectReference{
+				Kind:       "Node",
+				Namespace:  namespace,
+				Name:       node.Name,
+				UID:        node.UID,
+				APIVersion: node.APIVersion,
+			}
+			return true, nil
+		})
+		if err != nil {
+			return err
+		}
+		recorder := events.NewRecorder(kubeClient.CoreV1().Events(namespace), "check-endpoint", involvedObjectRef)
+
 		check := controller.NewPodNetworkConnectivityCheckController(
-			os.Getenv("POD_NAME"),
+			podName,
 			namespace,
 			operatorcontrolplaneClient.ControlplaneV1alpha1(),
 			operatorcontrolplaneInformers.Controlplane().V1alpha1().PodNetworkConnectivityChecks(),
 			kubeInformers.Core().V1().Secrets(),
-			cctx.EventRecorder,
+			recorder,
 		)
 		controller.RegisterMetrics()
 		operatorcontrolplaneInformers.Start(ctx.Done())

diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -124,7 +124,9 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 			"v4.1.0/kube-apiserver/svc.yaml",
 			"v4.1.0/kube-apiserver/kubeconfig-cm.yaml",
 			"v4.1.0/kube-apiserver/check-endpoints-clusterrole.yaml",
-			"v4.1.0/kube-apiserver/check-endpoints-clusterrolebinding.yaml",
+			"v4.1.0/kube-apiserver/check-endpoints-clusterrole-node-reader.yaml",
+			"v4.1.0/kube-apiserver/check-endpoints-clusterrolebinding-auth-delegator.yaml",
+			"v4.1.0/kube-apiserver/check-endpoints-clusterrolebinding-node-reader.yaml",
 			"v4.1.0/kube-apiserver/check-endpoints-kubeconfig-cm.yaml",
 			"v4.1.0/kube-apiserver/check-endpoints-rolebinding-kube-system.yaml",
 			"v4.1.0/kube-apiserver/check-endpoints-rolebinding.yaml",