Relax Linseed Policy in case we have DPI installed (#2831) (#2837)

* Relax Linseed Policy in case we have DPI installed DPI runs on the Host network and it is hard to create a policy that targerts its endpoints. Thus, for Linseed we will relax the ingress policy to allow all traffic in case we have DPI enabled. * Wait for watch and add tests * Check dpi resources inside createLinseedhasDPIResource, * Clean up
tigera · Aug 29, 2023 · 0e401c8 · 0e401c8
1 parent d8820d8
commit 0e401c8
Show file tree

Hide file tree

Showing 16 changed files with 700 additions and 188 deletions.
diff --git a/pkg/controller/logstorage/linseed.go b/pkg/controller/logstorage/linseed.go
@@ -17,6 +17,8 @@ package logstorage
 import (
 	"context"
 
+	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
+
 	relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 
 	"github.com/go-logr/logr"
@@ -46,6 +48,13 @@ func (r *ReconcileLogStorage) createLinseed(
 	esClusterConfig *relasticsearch.ClusterConfig,
 ) (reconcile.Result, bool, error) {
 
+	dpiList := &v3.DeepPacketInspectionList{}
+	if err := r.client.List(ctx, dpiList); err != nil {
+		r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to retrieve DeepPacketInspection resource", err, reqLogger)
+		return reconcile.Result{}, false, err
+	}
+	hasDPIResource := len(dpiList.Items) != 0
+
 	cfg := &linseed.Config{
 		Installation:      install,
 		PullSecrets:       pullSecrets,
@@ -56,6 +65,7 @@ func (r *ReconcileLogStorage) createLinseed(
 		UsePSP:            usePSP,
 		ESClusterConfig:   esClusterConfig,
 		ManagementCluster: managementCluster,
+		HasDPIResource:    hasDPIResource,
 	}
 
 	linseedComponent := linseed.Linseed(cfg)

diff --git a/pkg/controller/logstorage/logstorage_controller.go b/pkg/controller/logstorage/logstorage_controller.go
@@ -19,6 +19,8 @@ import (
 	"fmt"
 	"time"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/tigera/operator/pkg/render/intrusiondetection/dpi"
 
 	"github.com/go-logr/logr"
@@ -84,7 +86,8 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 
 	// Create the reconciler
 	tierWatchReady := &utils.ReadyFlag{}
-	r, err := newReconciler(mgr.GetClient(), mgr.GetScheme(), status.New(mgr.GetClient(), "log-storage", opts.KubernetesVersion), opts, utils.NewElasticClient, tierWatchReady)
+	dpiAPIReady := &utils.ReadyFlag{}
+	r, err := newReconciler(mgr.GetClient(), mgr.GetScheme(), status.New(mgr.GetClient(), "log-storage", opts.KubernetesVersion), opts, utils.NewElasticClient, tierWatchReady, dpiAPIReady)
 	if err != nil {
 		return err
 	}
@@ -100,6 +103,10 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 		return fmt.Errorf("log-storage-controller failed to establish a connection to k8s: %w", err)
 	}
 
+	// Start the watch for DPI
+	go utils.WaitToAddResourceWatch(c, k8sClient, log, dpiAPIReady,
+		[]client.Object{&v3.DeepPacketInspection{TypeMeta: metav1.TypeMeta{Kind: v3.KindDeepPacketInspection}}})
+
 	go utils.WaitToAddTierWatch(networkpolicy.TigeraComponentTierName, c, k8sClient, log, tierWatchReady)
 	go utils.WaitToAddNetworkPolicyWatches(c, k8sClient, log, []types.NamespacedName{
 		{Name: render.ElasticsearchPolicyName, Namespace: render.ElasticsearchNamespace},
@@ -126,6 +133,7 @@ func newReconciler(
 	opts options.AddOptions,
 	esCliCreator utils.ElasticsearchClientCreator,
 	tierWatchReady *utils.ReadyFlag,
+	dpiAPIReady *utils.ReadyFlag,
 ) (*ReconcileLogStorage, error) {
 	c := &ReconcileLogStorage{
 		client:         cli,
@@ -135,6 +143,7 @@ func newReconciler(
 		esCliCreator:   esCliCreator,
 		clusterDomain:  opts.ClusterDomain,
 		tierWatchReady: tierWatchReady,
+		dpiAPIReady:    dpiAPIReady,
 		usePSP:         opts.UsePSP,
 	}
 
@@ -243,6 +252,10 @@ func add(mgr manager.Manager, c controller.Controller) error {
 		return fmt.Errorf("logstorage-controller failed to watch logstorage Tigerastatus: %w", err)
 	}
 
+	if err = utils.AddAPIServerWatch(c); err != nil {
+		return fmt.Errorf("logstorage-controller failed to watch APIServer resource: %v", err)
+	}
+
 	return nil
 }
 
@@ -260,6 +273,7 @@ type ReconcileLogStorage struct {
 	esCliCreator   utils.ElasticsearchClientCreator
 	clusterDomain  string
 	tierWatchReady *utils.ReadyFlag
+	dpiAPIReady    *utils.ReadyFlag
 	usePSP         bool
 }
 
@@ -627,12 +641,23 @@ func (r *ReconcileLogStorage) Reconcile(ctx context.Context, request reconcile.R
 		return reconcile.Result{}, err
 	}
 
+	if !utils.IsAPIServerReady(r.client, reqLogger) {
+		r.status.SetDegraded(operatorv1.ResourceNotReady, "Waiting for Tigera API server to be ready", nil, reqLogger)
+		return reconcile.Result{}, err
+	}
+
 	// Validate that the tier watch is ready before querying the tier to ensure we utilize the cache.
 	if !r.tierWatchReady.IsReady() {
 		r.status.SetDegraded(operatorv1.ResourceNotReady, "Waiting for Tier watch to be established", nil, reqLogger)
 		return reconcile.Result{RequeueAfter: 10 * time.Second}, nil
 	}
 
+	if !r.dpiAPIReady.IsReady() {
+		log.Info("Waiting for DeepPacketInspection API to be ready")
+		r.status.SetDegraded(operatorv1.ResourceNotReady, "Waiting for DeepPacketInspection API to be ready", nil, reqLogger)
+		return reconcile.Result{RequeueAfter: 10 * time.Second}, nil
+	}
+
 	// Ensure the allow-tigera tier exists, before rendering any network policies within it.
 	if err := r.client.Get(ctx, client.ObjectKey{Name: networkpolicy.TigeraComponentTierName}, &v3.Tier{}); err != nil {
 		if errors.IsNotFound(err) {