k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/test/e2e_node/environment/conformance.go

/*
Copyright 2015 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Build the binary with `go build conformance.go`, then run the conformance binary on a node candidate.  If compiled
// on a non-linux machine, must be cross compiled for the host.
package main

import (
	"flag"
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strings"

	"errors"
	"os"
)

const success = "\033[0;32mSUCCESS\033[0m"
const failed = "\033[0;31mFAILED\033[0m"
const notConfigured = "\033[0;34mNOT CONFIGURED\033[0m"
const skipped = "\033[0;34mSKIPPED\033[0m"

var checkFlag = flag.String(
	"check", "all", "what to check for conformance.  One or more of all,container-runtime,daemons,dns,firewall,kernel")

func init() {
	// Set this to false to undo util/logs.go settings it to true.  Prevents cadvisor log spam.
	// Remove this once util/logs.go stops setting the flag to true.
	flag.Set("logtostderr", "false")
}

// TODO: Should we write an e2e test for this?
func main() {
	flag.Parse()
	o := strings.Split(*checkFlag, ",")
	errs := check(o...)
	if len(errs) > 0 {
		os.Exit(1)
	} else {
		os.Exit(0)
	}
}

// check returns errors found while checking the provided components.  Will prevent errors to stdout.
func check(options ...string) []error {
	errs := []error{}
	for _, c := range options {
		switch c {
		case "all":
			errs = appendNotNil(errs, kernel())
			errs = appendNotNil(errs, daemons())
			errs = appendNotNil(errs, firewall())
			errs = appendNotNil(errs, dns())
		case "daemons":
			errs = appendNotNil(errs, daemons())
		case "dns":
			errs = appendNotNil(errs, dns())
		case "firewall":
			errs = appendNotNil(errs, firewall())
		case "kernel":
			errs = appendNotNil(errs, kernel())
		default:
			fmt.Printf("Unrecognized option %s\n", c)
			errs = append(errs, fmt.Errorf("Unrecognized option %s", c))
		}
	}
	return errs
}

const kubeletClusterDNSRegexStr = `\/kubelet.*--cluster-dns=(\S+) `
const kubeletClusterDomainRegexStr = `\/kubelet.*--cluster-domain=(\S+)`

// dns checks that cluster dns has been properly configured and can resolve the kubernetes.default service
func dns() error {
	dnsRegex, err := regexp.Compile(kubeletClusterDNSRegexStr)
	if err != nil {
		// This should never happen and can only be fixed by changing the code
		panic(err)
	}
	domainRegex, err := regexp.Compile(kubeletClusterDomainRegexStr)
	if err != nil {
		// This should never happen and can only be fixed by changing the code
		panic(err)
	}

	h, err := net.LookupHost("kubernetes.default")
	if err == nil {
		return printSuccess("Dns Check (Optional): %s", success)
	}
	if len(h) > 0 {
		return printSuccess("Dns Check (Optional): %s", success)
	}

	kubecmd, err := exec.Command("ps", "aux").CombinedOutput()
	if err != nil {
		// Executing ps aux shouldn't have failed
		panic(err)
	}

	// look for the dns flag and parse the value
	dns := dnsRegex.FindStringSubmatch(string(kubecmd))
	if len(dns) < 2 {
		return printSuccess(
			"Dns Check (Optional): %s No hosts resolve to kubernetes.default.  kubelet will need to set "+
				"--cluster-dns and --cluster-domain when run", notConfigured)
	}

	// look for the domain flag and parse the value
	domain := domainRegex.FindStringSubmatch(string(kubecmd))
	if len(domain) < 2 {
		return printSuccess(
			"Dns Check (Optional): %s No hosts resolve to kubernetes.default.  kubelet will need to set "+
				"--cluster-dns and --cluster-domain when run", notConfigured)
	}

	// do a lookup with the flags the kubelet is running with
	nsArgs := []string{"-q=a", fmt.Sprintf("kubernetes.default.%s", domain[1]), dns[1]}
	if err = exec.Command("nslookup", nsArgs...).Run(); err != nil {
		// Mark this as failed since there was a clear intention to set it up, but it is done so improperly
		return printError(
			"Dns Check (Optional): %s No hosts resolve to kubernetes.default  kubelet found, but cannot resolve "+
				"kubernetes.default using nslookup %s error: %v", failed, strings.Join(nsArgs, " "), err)
	}

	// Can resolve kubernetes.default using the kubelete dns and domain values
	return printSuccess("Dns Check (Optional): %s", success)
}

const cmdlineCGroupMemory = `cgroup_enable=memory`

// kernel checks that the kernel has been configured correctly to support the required cgroup features
func kernel() error {
	cmdline, err := os.ReadFile("/proc/cmdline")
	if err != nil {
		return printError("Kernel Command Line Check %s: Could not check /proc/cmdline", failed)
	}
	if !strings.Contains(string(cmdline), cmdlineCGroupMemory) {
		return printError("Kernel Command Line Check %s: cgroup_enable=memory not enabled in /proc/cmdline", failed)
	}
	return printSuccess("Kernel Command Line %s", success)
}

const iptablesInputRegexStr = `Chain INPUT \(policy DROP\)`
const iptablesForwardRegexStr = `Chain FORWARD \(policy DROP\)`

// firewall checks that iptables does not have common firewall rules setup that would disrupt traffic
func firewall() error {
	out, err := exec.Command("iptables", "-L", "INPUT").CombinedOutput()
	if err != nil {
		return printSuccess("Firewall IPTables Check %s: Could not run iptables", skipped)
	}
	inputRegex, err := regexp.Compile(iptablesInputRegexStr)
	if err != nil {
		// This should never happen and can only be fixed by changing the code
		panic(err)
	}
	if inputRegex.Match(out) {
		return printError("Firewall IPTables Check %s: Found INPUT rule matching %s", failed, iptablesInputRegexStr)
	}

	// Check GCE forward rules
	out, err = exec.Command("iptables", "-L", "FORWARD").CombinedOutput()
	if err != nil {
		return printSuccess("Firewall IPTables Check %s: Could not run iptables", skipped)
	}
	forwardRegex, err := regexp.Compile(iptablesForwardRegexStr)
	if err != nil {
		// This should never happen and can only be fixed by changing the code
		panic(err)
	}
	if forwardRegex.Match(out) {
		return printError("Firewall IPTables Check %s: Found FORWARD rule matching %s", failed, iptablesInputRegexStr)
	}

	return printSuccess("Firewall IPTables Check %s", success)
}

// daemons checks that the required node programs are running: kubelet and kube-proxy
func daemons() error {
	if exec.Command("pgrep", "-f", "kubelet").Run() != nil {
		return printError("Daemon Check %s: kubelet process not found", failed)
	}

	if exec.Command("pgrep", "-f", "kube-proxy").Run() != nil {
		return printError("Daemon Check %s: kube-proxy process not found", failed)
	}

	return printSuccess("Daemon Check %s", success)
}

// printError provides its arguments to print a format string to the console (newline terminated) and returns an
// error with the same string
func printError(s string, args ...interface{}) error {
	es := fmt.Sprintf(s, args...)
	fmt.Println(es)
	return errors.New(es)
}

// printSuccess provides its arguments to print a format string to the console (newline terminated) and returns nil
func printSuccess(s string, args ...interface{}) error {
	fmt.Println(fmt.Sprintf(s, args...))
	return nil
}

// appendNotNil appends err to errs iff err is not nil
func appendNotNil(errs []error, err error) []error {
	if err != nil {
		return append(errs, err)
	}
	return errs
}