From 7238421c8a5e8e3986b1b201ad04cfd59d30bef4 Mon Sep 17 00:00:00 2001
From: Oren Cohen
Date: Tue, 26 Sep 2023 14:53:08 +0300
Subject: [PATCH] [Kubevirt] Remove EgressFirewall Creation in HCP namespace
Starting from 4.14, the EgressFirewall is not needed any longer, since kubevirt platform consumes the kubevirt provider in RHCOS, thus an attempt to access the metadata server is not being initiated, as opposed to the legacy OpenStack RHCOS provider. Therefore, EgressFirewall is not needed to be deployed on the mgmt/infra cluster for guests >= v4.14.
Signed-off-by: Oren Cohen
---
 cmd/install/assets/hypershift_operator.go | 5 ----
 hack/app-sre/saas_template.yaml | 6 -----
 .../hostedcluster/hostedcluster_controller.go | 21 -----------------
 .../hostedcluster/network_policies.go | 20 ----------------
 .../manifests/egressfirewall/manifests.go | 23 -------------------
 5 files changed, 75 deletions(-)
 delete mode 100644 hypershift-operator/controllers/manifests/egressfirewall/manifests.go
diff --git a/cmd/install/assets/hypershift_operator.go b/cmd/install/assets/hypershift_operator.go
index 10808dad96..2f188bb512 100644
--- a/cmd/install/assets/hypershift_operator.go
+++ b/cmd/install/assets/hypershift_operator.go
@@ -990,11 +990,6 @@ func (o HyperShiftOperatorClusterRole) Build() *rbacv1.ClusterRole {
 Verbs: []string{"delete"},
 ResourceNames: []string{hyperv1.GroupVersion.Group},
 },
- {
- APIGroups: []string{"k8s.ovn.org"},
- Resources: []string{"egressfirewalls"},
- Verbs: []string{"*"},
- },
 },
 }
 return role
diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml
index 8eec89a57e..38aa498c2c 100644
--- a/hack/app-sre/saas_template.yaml
+++ b/hack/app-sre/saas_template.yaml
@@ -262,12 +262,6 @@ objects:
 - validatingwebhookconfigurations
 verbs:
 - delete
- - apiGroups:
- - k8s.ovn.org
- resources:
- - egressfirewalls
- verbs:
- - '*'
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
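Review bot: Dropping the `k8s.ovn.org`/`egressfirewalls` rule from the ClusterRole in Build (and its copy in saas_template.yaml) removes the operator's ability to delete the `default` EgressFirewall objects that earlier releases created in KubeVirt infra namespaces, while nothing in this patch removes those objects; when the management cluster is also the infra cluster, an upgraded operator leaves them behind as policy it no longer manages or can clean up. Consider keeping a narrower rule for one release, `{APIGroups: []string{"k8s.ovn.org"}, Resources: []string{"egressfirewalls"}, Verbs: []string{"get", "list", "delete"}},`, paired with a one-time cleanup in the reconciler, or state in the commit message that stale objects are intentionally left in place. Whether any such objects exist on deployed infra clusters cannot be seen from this diff. Build's body starts before the hunk.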
diff --git a/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go b/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
index 5b2fb5e093..1019d651af 100644
--- a/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
+++ b/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
@@ -77,7 +77,6 @@ import (
 "k8s.io/apimachinery/pkg/api/meta"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/types"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -4029,26 +4028,6 @@ type NodeClientCert struct {
 Disabled bool `json:"disabled,omitempty"`
 }
-func reconcileVirtLauncherEgressFirewall(egressFirewall *unstructured.Unstructured) error {
- egressFirewall.Object["spec"] = map[string]interface{}{
- "egress": []interface{}{
- map[string]interface{}{
- "to": map[string]interface{}{
- "cidrSelector": "169.254.169.254/32",
- },
- "type": "Deny",
- "ports": []interface{}{
- map[string]interface{}{
- "port": int64(80),
- "protocol": "TCP",
- },
- },
- },
- },
- }
- return nil
-}
-
 const (
 oidcDocumentsFinalizer = "hypershift.io/aws-oidc-discovery"
 serviceAccountSigningKeySecret = "sa-signing-key"
diff --git a/hypershift-operator/controllers/hostedcluster/network_policies.go b/hypershift-operator/controllers/hostedcluster/network_policies.go
index fb6c72aa9e..121a784ed3 100644
--- a/hypershift-operator/controllers/hostedcluster/network_policies.go
+++ b/hypershift-operator/controllers/hostedcluster/network_policies.go
@@ -10,7 +10,6 @@ import (
 configv1 "github.com/openshift/api/config/v1"
 hyperv1 "github.com/openshift/hypershift/api/v1beta1"
 "github.com/openshift/hypershift/hypershift-operator/controllers/manifests"
- "github.com/openshift/hypershift/hypershift-operator/controllers/manifests/egressfirewall"
 "github.com/openshift/hypershift/hypershift-operator/controllers/manifests/networkpolicy"
 "github.com/openshift/hypershift/support/capabilities"
 "github.com/openshift/hypershift/support/config"
@@ -108,25 +107,6 @@ func (r *HostedClusterReconciler) reconcileNetworkPolicies(ctx context.Context,
 return fmt.Errorf("failed to reconcile virt launcher policy: %w", err)
 }
 }
-
- var creds *hyperv1.KubevirtPlatformCredentials
-
- if hcluster.Spec.Platform.Kubevirt != nil && hcluster.Spec.Platform.Kubevirt.Credentials != nil {
- creds = hcluster.Spec.Platform.Kubevirt.Credentials
- }
-
- kvInfraCluster, err := r.KubevirtInfraClients.DiscoverKubevirtClusterClient(ctx, r.Client, hcluster.Spec.InfraID, creds, hcp.Namespace, hcluster.Namespace)
- if err != nil {
- return err
- }
- if hcluster.Spec.Networking.NetworkType == hyperv1.OVNKubernetes {
- egressFirewall := egressfirewall.VirtLauncherEgressFirewall(kvInfraCluster.GetInfraNamespace())
- if _, err := createOrUpdate(ctx, kvInfraCluster.GetInfraClient(), egressFirewall, func() error {
- return reconcileVirtLauncherEgressFirewall(egressFirewall)
- }); err != nil {
- return fmt.Errorf("failed to reconcile firewall to deny metadata server egress: %w", err)
- }
- }
 }
 for _, svc := range hcluster.Spec.Services {
diff --git a/hypershift-operator/controllers/manifests/egressfirewall/manifests.go b/hypershift-operator/controllers/manifests/egressfirewall/manifests.go
deleted file mode 100644
index 903035a898..0000000000
--- a/hypershift-operator/controllers/manifests/egressfirewall/manifests.go
+++ /dev/null
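Review bot: The removal in reconcileNetworkPolicies applies to every KubeVirt hosted cluster, while the commit message limits the rationale to guests >= 4.14; a hosted cluster on an older release that still runs the legacy OpenStack RHCOS provider loses the `Deny` rule for 169.254.169.254:80 from its virt-launcher pods and nothing else in this patch replaces it. If older guests are still reconciled by this operator, the EgressFirewall should stay gated on the guest release version rather than be dropped outright; if they are not, the commit message should say so explicitly. The function starts and ends outside the hunk, so whether a version check already exists higher up cannot be confirmed here. A short comment at the removal site would also help the next reader, e.g. `// No EgressFirewall for the metadata server: 4.14+ RHCOS uses the kubevirt provider and does not contact 169.254.169.254.`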
@@ -1,23 +0,0 @@
-package egressfirewall
-
-import (
- "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-func VirtLauncherEgressFirewall(namespace string) *unstructured.Unstructured {
- egressFirewall := &unstructured.Unstructured{
- Object: map[string]interface{}{
- "metadata": map[string]interface{}{
- "name": "default",
- "namespace": namespace,
- },
- },
- }
- egressFirewall.SetGroupVersionKind(schema.GroupVersionKind{
- Group: "k8s.ovn.org",
- Kind: "EgressFirewall",
- Version: "v1",
- })
- return egressFirewall
-}