github.phpd.cn/cilium/cilium@v1.6.12/pkg/k8s/endpointsynchronizer/cep.go (about)

     1  // Copyright 2016-2018 Authors of Cilium
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package endpointsynchronizer
    16  
    17  import (
    18  	"context"
    19  	"encoding/json"
    20  	"fmt"
    21  	"github.com/cilium/cilium/pkg/k8s"
    22  	"reflect"
    23  	"time"
    24  
    25  	"github.com/cilium/cilium/pkg/controller"
    26  	"github.com/cilium/cilium/pkg/endpoint"
    27  	cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
    28  	k8sversion "github.com/cilium/cilium/pkg/k8s/version"
    29  	pkgLabels "github.com/cilium/cilium/pkg/labels"
    30  	"github.com/cilium/cilium/pkg/option"
    31  
    32  	k8serrors "k8s.io/apimachinery/pkg/api/errors"
    33  	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    34  	"k8s.io/apimachinery/pkg/types"
    35  )
    36  
    37  // EndpointSynchronizer currently is an empty type, which wraps around syncing
    38  // of CiliumEndpoint resources.
    39  // TODO - see whether folding the global variables below into this function
    40  // is cleaner.
    41  type EndpointSynchronizer struct{}
    42  
    43  // RunK8sCiliumEndpointSync starts a controller that synchronizes the endpoint
    44  // to the corresponding k8s CiliumEndpoint CRD. It is expected that each CEP
    45  // has 1 controller that updates it, and a local copy is retained and only
    46  // updates are pushed up.
    47  // CiliumEndpoint objects have the same name as the pod they represent.
    48  func (epSync *EndpointSynchronizer) RunK8sCiliumEndpointSync(e *endpoint.Endpoint) {
    49  	var (
    50  		endpointID     = e.ID
    51  		controllerName = fmt.Sprintf("sync-to-k8s-ciliumendpoint (%v)", endpointID)
    52  		scopedLog      = e.Logger(subsysEndpointSync).WithField("controller", controllerName)
    53  	)
    54  
    55  	if option.Config.DisableCiliumEndpointCRD {
    56  		scopedLog.Warn("Not running controller. CEP CRD synchronization is disabled")
    57  		return
    58  	}
    59  
    60  	if !k8s.IsEnabled() {
    61  		scopedLog.Debug("Not starting controller because k8s is disabled")
    62  		return
    63  	}
    64  
    65  	ciliumClient := k8s.CiliumClient().CiliumV2()
    66  
    67  	// The health endpoint doesn't really exist in k8s and updates to it caused
    68  	// arbitrary errors. Disable the controller for these endpoints.
    69  	if isHealthEP := e.HasLabels(pkgLabels.LabelHealth); isHealthEP {
    70  		scopedLog.Debug("Not starting unnecessary CEP controller for cilium-health endpoint")
    71  		return
    72  	}
    73  
    74  	var (
    75  		lastMdl  *cilium_v2.EndpointStatus
    76  		localCEP *cilium_v2.CiliumEndpoint // the local copy of the CEP object. Reused.
    77  		needInit = true                    // needInit indicates that we may need to create the CEP
    78  	)
    79  
    80  	// NOTE: The controller functions do NOT hold the endpoint locks
    81  	e.UpdateController(controllerName,
    82  		controller.ControllerParams{
    83  			RunInterval: 10 * time.Second,
    84  			DoFunc: func(ctx context.Context) (err error) {
    85  				// Update logger as scopeLog might not have the podName when it
    86  				// was created.
    87  				scopedLog = e.Logger(subsysEndpointSync).WithField("controller", controllerName)
    88  
    89  				if k8sversion.Version() == nil {
    90  					return fmt.Errorf("Kubernetes apiserver is not available")
    91  				}
    92  
    93  				capabilities := k8sversion.Capabilities()
    94  
    95  				// K8sPodName and K8sNamespace are not always available when an
    96  				// endpoint is first created, so we collect them here.
    97  				podName := e.GetK8sPodName()
    98  				if podName == "" {
    99  					scopedLog.Debug("Skipping CiliumEndpoint update because it has no k8s pod name")
   100  					return nil
   101  				}
   102  
   103  				namespace := e.GetK8sNamespace()
   104  				if namespace == "" {
   105  					scopedLog.Debug("Skipping CiliumEndpoint update because it has no k8s namespace")
   106  					return nil
   107  				}
   108  
   109  				// Serialize the endpoint into a model. It is compared with the one
   110  				// from before, only updating on changes.
   111  				mdl := e.GetCiliumEndpointStatus()
   112  				if reflect.DeepEqual(mdl, lastMdl) {
   113  					scopedLog.Debug("Skipping CiliumEndpoint update because it has not changed")
   114  					return nil
   115  				}
   116  
   117  				// Initialize the CEP by deleting the upstream instance and recreating
   118  				// it. Deleting first allows for upgrade scenarios where the format has
   119  				// changed but our k8s CEP code cannot read in the upstream value.
   120  				if needInit {
   121  					state := e.GetState()
   122  					// Don't bother to create if the
   123  					// endpoint is already disconnecting
   124  					if state == endpoint.StateDisconnecting ||
   125  						state == endpoint.StateDisconnected {
   126  						return nil
   127  					}
   128  
   129  					scopedLog.Debug("Deleting CEP during an initialization")
   130  					err := ciliumClient.CiliumEndpoints(namespace).Delete(podName, &meta_v1.DeleteOptions{})
   131  					// It's only an error if it exists but something else happened
   132  					if err != nil && !k8serrors.IsNotFound(err) {
   133  						scopedLog.WithError(err).Warn("Error deleting CEP")
   134  						return err
   135  					}
   136  
   137  					// We can't create localCEP directly, it must come from the k8s
   138  					// server via an API call.
   139  					cep := &cilium_v2.CiliumEndpoint{
   140  						ObjectMeta: meta_v1.ObjectMeta{
   141  							Name: podName,
   142  						},
   143  						Status: *mdl,
   144  					}
   145  					localCEP, err = ciliumClient.CiliumEndpoints(namespace).Create(cep)
   146  					if err != nil {
   147  						scopedLog.WithError(err).Error("Cannot create CEP")
   148  						return err
   149  					}
   150  
   151  					// We have successfully created the CEP and can return. Subsequent
   152  					// runs will update using localCEP.
   153  					needInit = false
   154  					return nil
   155  				}
   156  
   157  				// We have no localCEP copy. We need to fetch it for updates, below.
   158  				// This is unexpected as there should be only 1 writer per CEP, this
   159  				// controller, and the localCEP created on startup will be used.
   160  				if localCEP == nil {
   161  					localCEP, err = ciliumClient.CiliumEndpoints(namespace).Get(podName, meta_v1.GetOptions{})
   162  					switch {
   163  					// The CEP doesn't exist in k8s. This is unexpetected but may occur
   164  					// if the endpoint was removed from k8s but not yet within the agent.
   165  					// Mark the CEP for creation on the next controller iteration. This
   166  					// may never occur if the controller is stopped on Endpoint delete.
   167  					case err != nil && k8serrors.IsNotFound(err):
   168  						needInit = true
   169  						return err
   170  
   171  					// We cannot read the upstream CEP. needInit will cause the next
   172  					// iteration to delete and create the CEP. This is an unexpected
   173  					// situation.
   174  					case err != nil && k8serrors.IsInvalid(err):
   175  						scopedLog.WithError(err).Warn("Invalid CEP during update")
   176  						needInit = true
   177  						return nil
   178  
   179  					// A real error
   180  					case err != nil:
   181  						scopedLog.WithError(err).Error("Cannot get CEP during update")
   182  						return err
   183  					}
   184  				}
   185  
   186  				switch {
   187  				case capabilities.Patch:
   188  					// For json patch we don't need to perform a GET for endpoints
   189  
   190  					// If it fails it means the test from the previous patch failed
   191  					// so we can safely replace this node in the CNP status.
   192  					replaceCEPStatus := []k8s.JSONPatch{
   193  						{
   194  							OP:    "replace",
   195  							Path:  "/status",
   196  							Value: mdl,
   197  						},
   198  					}
   199  					var createStatusPatch []byte
   200  					createStatusPatch, err = json.Marshal(replaceCEPStatus)
   201  					if err != nil {
   202  						return err
   203  					}
   204  					localCEP, err = ciliumClient.CiliumEndpoints(namespace).Patch(podName, types.JSONPatchType, createStatusPatch, "status")
   205  				default:
   206  					// We have an object to reuse. Update and push it up. In the case of an
   207  					// update error, we retry in the next iteration of the controller using
   208  					// the copy returned by Update.
   209  					scopedLog.Debug("Updating CEP from local copy")
   210  					mdl.DeepCopyInto(&localCEP.Status)
   211  					switch {
   212  					case capabilities.UpdateStatus:
   213  						localCEP, err = ciliumClient.CiliumEndpoints(namespace).UpdateStatus(localCEP)
   214  					default:
   215  						localCEP, err = ciliumClient.CiliumEndpoints(namespace).Update(localCEP)
   216  					}
   217  				}
   218  
   219  				// Handle Update errors or return successfully
   220  				switch {
   221  				// Return no error when we see a conflict. We want to retry without a
   222  				// backoff and the Update* calls returned the current localCEP
   223  				case err != nil && k8serrors.IsConflict(err):
   224  					scopedLog.WithError(err).Warn("Cannot update CEP due to a revision conflict. The next controller execution will try again")
   225  					needInit = true
   226  					return nil
   227  
   228  				// Ensure we re-init when we see a generic error. This will recrate the
   229  				// CEP.
   230  				case err != nil:
   231  					scopedLog.WithError(err).Error("Cannot update CEP")
   232  					needInit = true
   233  					return err
   234  
   235  				// A successful update means no more updates unless mdl changes
   236  				default:
   237  					lastMdl = mdl
   238  					return nil
   239  				}
   240  			},
   241  			StopFunc: func(ctx context.Context) error {
   242  				podName := e.GetK8sPodName()
   243  				if podName == "" {
   244  					scopedLog.Debug("Skipping CiliumEndpoint deletion because it has no k8s pod name")
   245  					return nil
   246  				}
   247  				namespace := e.GetK8sNamespace()
   248  				if namespace == "" {
   249  					scopedLog.Debug("Skipping CiliumEndpoint deletion because it has no k8s namespace")
   250  					return nil
   251  				}
   252  				if err := ciliumClient.CiliumEndpoints(namespace).Delete(podName, &meta_v1.DeleteOptions{}); err != nil {
   253  					if !k8serrors.IsNotFound(err) {
   254  						scopedLog.WithError(err).Warning("Unable to delete CEP")
   255  					}
   256  				}
   257  				return nil
   258  			},
   259  		})
   260  }