From e624e929a352f7719e31e705aef026cc95015a38 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 11:03:21 +0300 Subject: [PATCH 01/22] Update .gitignore Removes the unused e2etest and include the communication-matirx dir which holds the artifacts and the commatrix-gen binary. Signed-off-by: Lior Noy --- .gitignore | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 427e6f94..8d6aa368 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -e2etest/artifacts/* -!e2etest/artifacts/.gitkeep +communication-matrix/* +commatrix-gen From 32d85af2cbe98524843bbd2ee966d5a76859687b Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 11:05:47 +0300 Subject: [PATCH 02/22] Make the raw-ss files to truncate old files Change the flag passed to `os.OpenFile` from O_APPEND to O_TRUNC so each run will produce clean artifacts. Signed-off-by: Lior Noy --- cmd/main.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index 7ea09d25..d0a47c92 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -82,7 +82,7 @@ func main() { } comMatrixFileName := filepath.Join(destDir, fmt.Sprintf("communication-matrix.%s", format)) - err = os.WriteFile(comMatrixFileName, []byte(string(res)), 0644) + err = os.WriteFile(comMatrixFileName, res, 0644) if err != nil { panic(err) } @@ -92,13 +92,13 @@ func main() { panic(err) } - tcpFile, err := os.OpenFile(path.Join(destDir, "raw-ss-tcp"), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) + tcpFile, err := os.OpenFile(path.Join(destDir, "raw-ss-tcp"), os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0644) if err != nil { panic(err) } defer tcpFile.Close() - udpFile, err := os.OpenFile(path.Join(destDir, "raw-ss-udp"), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) + udpFile, err := os.OpenFile(path.Join(destDir, "raw-ss-udp"), os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0644) if err != nil { panic(err) } 
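Review bot: The rewritten `os.OpenFile` lines still build their file names with `path.Join(destDir, "raw-ss-tcp")` although `comMatrixFileName` a few lines above uses `filepath.Join`; `path` is for slash-separated URL-style paths, so the new lines should read `tcpFile, err := os.OpenFile(filepath.Join(destDir, "raw-ss-tcp"), os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0644)` and likewise for `raw-ss-udp`, after which the `path` import can go if nothing else uses it. Every failure in these hunks is handled with `panic(err)`; a one-line message plus `os.Exit(1)` would give the generator's users a readable error instead of a stack trace, though that style predates this commit. `main` starts and ends outside these hunks, and the same `path`/`filepath` mix is not repeated in the third hunk of this file.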
@@ -140,7 +140,7 @@ func main() { } ssMatrixFileName := filepath.Join(destDir, fmt.Sprintf("ss-generated-matrix.%s", format)) - err = os.WriteFile(ssMatrixFileName, []byte(string(res)), 0644) + err = os.WriteFile(ssMatrixFileName, res, 0644) if err != nil { panic(err) } From 7bed033660c5eca694a23b6723d28a958391fce4 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 11:09:53 +0300 Subject: [PATCH 03/22] Fix error handling in debug\`createNamespace` Utilize apimachinery errors package to check if error is of type AlreadyExists, and remove prior check that performs "Get". Signed-off-by: Lior Noy --- debug/debug.go | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/debug/debug.go b/debug/debug.go index 869cdd28..13c8f50e 100644 --- a/debug/debug.go +++ b/debug/debug.go @@ -9,6 +9,7 @@ import ( "time" corev1 "k8s.io/api/core/v1" + k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/utils/ptr" @@ -290,18 +291,9 @@ func getPodDefinition(node string, namespace string, image string) *corev1.Pod { } func createNamespace(cs *client.ClientSet, namespace string) error { - _, err := cs.Namespaces().Get(context.TODO(), namespace, metav1.GetOptions{}) - if err != nil && !strings.Contains(err.Error(), "not found") { - return fmt.Errorf("failed checking if namespace %s already exists: %v", namespace, err) - } - - if err == nil { - return nil - } - ns := getNamespaceDefinition(namespace) - _, err = cs.Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{}) - if err != nil && !strings.Contains(err.Error(), "already exists") { + _, err := cs.Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{}) + if err != nil && !k8serrors.IsAlreadyExists(err) { return fmt.Errorf("failed creating namespace %s: %v", namespace, err) } From 0434c06f34f37e38303bafd8bacaa521535e0fff Mon Sep 17 00:00:00 2001 
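Review bot: The error the new `createNamespace` body returns is built with `%v`, which flattens the typed API error the commit otherwise relies on; change it to `return fmt.Errorf("failed creating namespace %s: %w", namespace, err)` so a caller can still apply `k8serrors.IsForbidden` or `errors.As` to it. The removed `Get` and `strings.Contains` calls were this function's only visible uses of `strings`; the diffstat shows no import line removed, so presumably `strings` is still used elsewhere in debug.go, but that is worth confirming since an unused import would break the build. The rest of `createNamespace` is outside the hunk.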
From: Lior Noy Date: Sun, 21 Apr 2024 11:12:25 +0300 Subject: [PATCH 04/22] Clean fields in getNamespaceDefinition Removed unnecessary fields in getNamespaceDefinition function. Signed-off-by: Lior Noy --- debug/debug.go | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/debug/debug.go b/debug/debug.go index 13c8f50e..f44dc82b 100644 --- a/debug/debug.go +++ b/debug/debug.go @@ -303,24 +303,11 @@ func createNamespace(cs *client.ClientSet, namespace string) error { func getNamespaceDefinition(namespace string) *corev1.Namespace { return &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - "oc.openshift.io/command": "oc debug", - "openshift.io/node-selector": "", - "openshift.io/sa.scc.mcs": "s0:c26,c25", - "openshift.io/sa.scc.supplemental-groups": "1000700000/10000", - "openshift.io/sa.scc.uid-range": "1000700000/10000", - }, Name: namespace, Labels: map[string]string{ - "pod-security.kubernetes.io/audit": "privileged", - "pod-security.kubernetes.io/enforce": "privileged", - "pod-security.kubernetes.io/warn": "privileged", - "security.openshift.io/scc.podSecurityLabelSync": "false", - }, - }, - Spec: corev1.NamespaceSpec{ - Finalizers: []corev1.FinalizerName{ - "kubernetes", + "pod-security.kubernetes.io/audit": "privileged", + "pod-security.kubernetes.io/enforce": "privileged", + "pod-security.kubernetes.io/warn": "privileged", }, }, } From 2871bf32174f57d070412748ac98c1b2ffebd6bb Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 11:14:30 +0300 Subject: [PATCH 05/22] Separate var declaration Separate var block in the GetIngressEndpointSlicesInfo function. Signed-off-by: Lior Noy --- endpointslices/endpointslices.go | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/endpointslices/endpointslices.go b/endpointslices/endpointslices.go index eca436aa..09c5b58f 100644 --- a/endpointslices/endpointslices.go +++ b/endpointslices/endpointslices.go 
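Review bot: `getNamespaceDefinition` still has no doc comment, and what it builds is a namespace whose Pod Security Admission labels are all `privileged`, which is exactly the kind of thing the next maintainer needs a sentence about; I would add `// getNamespaceDefinition returns the namespace the node debug pods run in. It is labeled privileged for Pod Security Admission, presumably because the debug pods need host-level access; keep its use limited to those pods.` above the signature. The commit also drops the `security.openshift.io/scc.podSecurityLabelSync: "false"` label; on OpenShift the PSA label syncer can manage these labels, and I believe namespaces prefixed `openshift-` (the default name in consts.go is `openshift-commatrix-debug`) are skipped, but if a differently named namespace is ever passed in it is worth confirming the syncer does not rewrite the labels this function sets. The function's closing brace is outside the hunk.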
@@ -24,24 +24,21 @@ type EndpointSlicesInfo struct { } func GetIngressEndpointSlicesInfo(cs *client.ClientSet) ([]EndpointSlicesInfo, error) { - var ( - epSlicesList discoveryv1.EndpointSliceList - servicesList corev1.ServiceList - podsList corev1.PodList - ) - + var epSlicesList discoveryv1.EndpointSliceList err := cs.List(context.TODO(), &epSlicesList, &rtclient.ListOptions{}) if err != nil { return nil, fmt.Errorf("failed to list endpointslices: %w", err) } log.Debugf("amount of EndpointSlices in the cluster: %d", len(epSlicesList.Items)) + var servicesList corev1.ServiceList err = cs.List(context.TODO(), &servicesList, &rtclient.ListOptions{}) if err != nil { return nil, fmt.Errorf("failed to list services: %w", err) } log.Debugf("amount of Services in the cluster: %d", len(servicesList.Items)) + var podsList corev1.PodList err = cs.List(context.TODO(), &podsList, &rtclient.ListOptions{}) if err != nil { return nil, fmt.Errorf("failed to list pods: %w", err) From 4b6bb372cd97da19beb69bd2772ebc29ece2dd75 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 11:16:23 +0300 Subject: [PATCH 06/22] Reword function comment Reword function comment for clarity. Signed-off-by: Lior Noy --- endpointslices/endpointslices.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/endpointslices/endpointslices.go b/endpointslices/endpointslices.go index 09c5b58f..335faab9 100644 --- a/endpointslices/endpointslices.go +++ b/endpointslices/endpointslices.go 
@@ -76,7 +76,7 @@ func ToComDetails(cs *client.ClientSet, epSlicesInfo []EndpointSlicesInfo) ([]ty return cleanedComDetails, nil } -// createEPSliceInfos retrieves lists of EndpointSlices, Services, and Pods from the cluster and generates +// createEPSliceInfos gets lists of EndpointSlices, Services, and Pods and generates // a slice of EndpointSlicesInfo, each representing a distinct service. func createEPSliceInfos(epSlicesList *discoveryv1.EndpointSliceList, servicesList *corev1.ServiceList, podsList *corev1.PodList) ([]EndpointSlicesInfo, error) { var service *corev1.Service From 7e22b9c2e159a7faee9a4dcceb6f96a9ec47d608 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 11:43:39 +0300 Subject: [PATCH 07/22] Change `getPod` and `getService` This commit changes the functions `getPod` and `getService` to return only pointer instead val and bool, so that when it fails to find the required object it returns nil. Also made the required changes in createEPSliceInfos. Signed-off-by: Lior Noy --- endpointslices/endpointslices.go | 38 ++++++++++++++++---------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/endpointslices/endpointslices.go b/endpointslices/endpointslices.go index 335faab9..b7ca07d9 100644 --- a/endpointslices/endpointslices.go +++ b/endpointslices/endpointslices.go @@ -45,7 +45,7 @@ func GetIngressEndpointSlicesInfo(cs *client.ClientSet) ([]EndpointSlicesInfo, e } log.Debug("amount of Pods in the cluster: ", len(podsList.Items)) - epsliceInfos, err := createEPSliceInfos(&epSlicesList, &servicesList, &podsList) + epsliceInfos, err := createEPSliceInfos(epSlicesList.Items, servicesList.Items, podsList.Items) if err != nil { return nil, fmt.Errorf("failed to bundle resources: %w", err) } 
@@ -78,13 +78,10 @@ func ToComDetails(cs *client.ClientSet, epSlicesInfo []EndpointSlicesInfo) ([]ty // createEPSliceInfos gets lists of EndpointSlices, Services, and Pods and generates // a slice of EndpointSlicesInfo, each representing a distinct service. -func createEPSliceInfos(epSlicesList *discoveryv1.EndpointSliceList, servicesList *corev1.ServiceList, podsList *corev1.PodList) ([]EndpointSlicesInfo, error) { - var service *corev1.Service - var pod corev1.Pod - var found bool +func createEPSliceInfos(epSlices []discoveryv1.EndpointSlice, services []corev1.Service, pods []corev1.Pod) ([]EndpointSlicesInfo, error) { res := make([]EndpointSlicesInfo, 0) - for _, epSlice := range epSlicesList.Items { + for _, epSlice := range epSlices { // Fetch info about the service behind the endpointslice. if len(epSlice.OwnerReferences) == 0 { log.Warnf("empty OwnerReferences in EndpointSlice %s/%s. skipping", epSlice.Namespace, epSlice.Name) @@ -94,12 +91,14 @@ func createEPSliceInfos(epSlicesList *discoveryv1.EndpointSliceList, servicesLis ownerRef := epSlice.OwnerReferences[0] name := ownerRef.Name namespace := epSlice.Namespace - if service, found = getService(name, namespace, servicesList); !found { + + service := getService(name, namespace, services) + if service == nil { return nil, fmt.Errorf("failed to get service for endpoint %s/%s", epSlice.Namespace, epSlice.Name) } // Fetch info about the pods behind the endpointslice. - pods := make([]corev1.Pod, 0) + resPods := make([]corev1.Pod, 0) for _, endpoint := range epSlice.Endpoints { if endpoint.TargetRef == nil { log.Warnf("empty TargetRef for endpoint %s in EndpointSlice %s. skipping", *endpoint.NodeName, epSlice.Name) 
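Review bot: The warning on the last context line of this hunk dereferences `*endpoint.NodeName` unconditionally; `NodeName` is an optional pointer on an EndpointSlice endpoint, so an endpoint with no TargetRef and no NodeName would panic on the very line that is meant to skip it. This is not introduced by the commit, but since the loop body is being reworked here it is cheap to guard: `nodeName := ""`, `if endpoint.NodeName != nil { nodeName = *endpoint.NodeName }`, then pass `nodeName` to `log.Warnf`. The body of `createEPSliceInfos` continues past the end of this hunk.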
@@ -108,17 +107,18 @@ func createEPSliceInfos(epSlicesList *discoveryv1.EndpointSliceList, servicesLis name := endpoint.TargetRef.Name namespace := endpoint.TargetRef.Namespace - if pod, found = getPod(name, namespace, podsList); !found { + pod := getPod(name, namespace, pods) + if pod == nil { log.Warnf("failed to get pod %s/%s for endpoint in EndpointSlice %s. skipping", namespace, name, epSlice.Name) continue } - pods = append(pods, pod) + resPods = append(resPods, *pod) log.Debugf("Added a new endpointSliceInfo with pods len: %d", len(pods)) res = append(res, EndpointSlicesInfo{ EndpointSlice: epSlice, Service: *service, - Pods: pods, + Pods: resPods, }) } } @@ -126,23 +126,23 @@ func createEPSliceInfos(epSlicesList *discoveryv1.EndpointSliceList, servicesLis return res, nil } -func getPod(name, namespace string, podsList *corev1.PodList) (corev1.Pod, bool) { - for _, pod := range podsList.Items { +func getPod(name, namespace string, pods []corev1.Pod) *corev1.Pod { + for _, pod := range pods { if pod.Name == name && pod.Namespace == namespace { - return pod, true + return &pod } } - return corev1.Pod{}, false + return nil } -func getService(name, namespace string, serviceList *corev1.ServiceList) (*corev1.Service, bool) { - for _, service := range serviceList.Items { +func getService(name, namespace string, services []corev1.Service) *corev1.Service { + for _, service := range services { if service.Name == name && service.Namespace == namespace { - return &service, true + return &service } } - return nil, false + return nil } // getEndpointSliceNodeRoles gets endpointslice Info struct and returns which node roles the services are on. From ce6050f510f271bdd57a3a4a2f14f9a3a77772c0 Mon Sep 17 00:00:00 2001 
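Review bot: The debug line `log.Debugf("Added a new endpointSliceInfo with pods len: %d", len(pods))` is now wrong: the rename left `pods` bound to the function parameter (every pod passed in), so the message reports the cluster-wide count instead of the pods collected for this slice. It should read `log.Debugf("Added a new endpointSliceInfo with pods len: %d", len(resPods))`. The start of `createEPSliceInfos` is outside this hunk.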
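Review bot: `getPod` and `getService` now return `&pod` and `&service`, the address of the range copy; that is safe because the function returns immediately, but it copies every `corev1.Pod` on each iteration and trips the usual aliasing linters, so indexing is the cleaner form: `for i := range pods {`, `if pods[i].Name == name && pods[i].Namespace == namespace {`, `return &pods[i]`, and the same shape in `getService`. Both helpers also lack a doc comment; something like `// getPod returns the pod with the given name and namespace, or nil when none matches.` (and its twin for services) would document the new nil-return contract the commit introduces.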
From: Lior Noy Date: Sun, 21 Apr 2024 11:46:32 +0300 Subject: [PATCH 08/22] Modify `ss.go` to include container name in matrix Utilize identifyContainerForPort in `toComDetails` so that each ss entry will also include the container name. Also removed unused const `processeNameFieldIdx` Signed-off-by: Lior Noy --- ss/ss.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/ss/ss.go b/ss/ss.go index 937ae024..cb2e9d0c 100644 --- a/ss/ss.go +++ b/ss/ss.go @@ -8,6 +8,7 @@ import ( "strings" "time" + log "github.com/sirupsen/logrus" corev1 "k8s.io/api/core/v1" "github.com/openshift-kni/commatrix/client" @@ -18,7 +19,6 @@ import ( ) const ( - processeNameFieldIdx = 5 localAddrPortFieldIdx = 3 interval = time.Millisecond * 500 duration = time.Second * 5 @@ -70,11 +70,11 @@ func CreateComDetailsFromNode(cs *client.ClientSet, node *corev1.Node, tcpFile, return nil, fmt.Errorf("failed writing to file: %s", err) } - tcpComDetails, err := toComDetails(ssOutFilteredTCP, "TCP", node) + tcpComDetails, err := toComDetails(debugPod, ssOutFilteredTCP, "TCP", node) if err != nil { return nil, err } - udpComDetails, err := toComDetails(ssOutFilteredUDP, "UDP", node) + udpComDetails, err := toComDetails(debugPod, ssOutFilteredUDP, "UDP", node) if err != nil { return nil, err } @@ -91,7 +91,7 @@ func splitByLines(bytes []byte) []string { return strings.Split(str, "\n") } -func toComDetails(ssOutput []string, protocol string, node *corev1.Node) ([]types.ComDetails, error) { +func toComDetails(debugPod *debug.DebugPod, ssOutput []string, protocol string, node *corev1.Node) ([]types.ComDetails, error) { res := make([]types.ComDetails, 0) nodeRoles := nodes.GetRole(node) 
@@ -100,6 +100,12 @@ func toComDetails(ssOutput []string, protocol string, node *corev1.Node) ([]type if err != nil { return nil, err } + name, err := identifyContainerForPort(debugPod, ssEntry) + if err != nil { + log.Debugf("failed to identify container for ss entry: %serr: %s", ssEntry, err) + } + + cd.Container = name cd.Protocol = protocol cd.NodeRole = nodeRoles cd.Optional = false From 491dd865a7cf56cebf92dcc378ac4ff304def6cc Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 12:13:09 +0300 Subject: [PATCH 09/22] Update README.md This commit updates the README.md Signed-off-by: Lior Noy --- README.md | 94 +++++++++++++++++++++++++------------------------------ 1 file changed, 43 insertions(+), 51 deletions(-) diff --git a/README.md b/README.md index 35886fb4..6f0c2a54 100644 --- a/README.md +++ b/README.md 
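Review bot: The new debug message `"failed to identify container for ss entry: %serr: %s"` has no separator between the entry and the `err:` label, so the output runs the ss line straight into the word "err"; use `log.Debugf("failed to identify container for ss entry %q: %v", ssEntry, err)`. When `identifyContainerForPort` fails the code still assigns `name` to `cd.Container`; presumably that is the empty string, but it is worth confirming the helper does not return a partial value on error. `toComDetails` starts and ends outside this hunk.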
@@ -1,64 +1,56 @@ ## commatrix -This go library provide tools to produce k8s node communication matrix, i.e. -a file that describes what ports the cluster listens to. +This project allows to automatically generate an accurate and up-to-date communication +flows matrix that can be delivered to customers as part of product documentation for all +ingress flows of OpenShift (multi-node and single-node deployments). -We produce this matrix from the existing EndpointSlieces, and in order to fetch -the relevant ones, the `endpointslices` package provide various querying methods. +### Usage of the EndpointSlice Resource +This library leverages the EndpointSlice resource to identify the ports the +cluster uses for ingress traffic. Relevant EndpointSlices include those +referencing host-networked pods, Node Port services, and LoadBalancer services. -### e2etest: -To invoke the e2etest, start by exporting the "KUBECONFIG" variable, and then run 'make e2etest.' This test will generate two matrices: -One from the EndpointSlices when the host services are manually produced using the 'customEndpointSlices.json' file. -The other matrix is generated by running 'ss' on the nodes. -The test is expected to fail. You can find the output of the 'ss' command for each node and protocol, -as well as the raw communication matrices in the 'e2etest/artifacts' directory, and the diff will be printed as part of the test output. - -### Communication Matrix Creation Guide - -The Communication Matrix is a structured list of Communication Details, -with each `ComDetails` entry representing a port. The fields for each entry -include `Direction` (currently "ingress" only), `Protocol` ("TCP" or "UDP"), -`Port` (number), `NodeRole` ("master" or "worker"), `ServiceName`, -and `Required` (false if optional). - -Struct Definitions: +### Creating Custom ComDetails with ss Command +The `ss` command, a Linux utility, lists listening ports on +the host with `ss -anplt` for TCP or `ss -anplu` for UDP. 
+For example, consider the following ss entry: ``` -type ComMatrix struct { - Matrix []ComDetails -} - -type ComDetails struct { - Direction string `json:"direction"` - Protocol string `json:"protocol"` - Port string `json:"port"` - NodeRole string `json:"nodeRole"` - ServiceName string `json:"serviceName"` - Required bool `json:"required"` -} +LISTEN 0 4096 127.0.0.1:10248 0.0.0.0:* users:(("kubelet",pid=6187,fd=20)) ``` -#### Usage of EndpointSlice Resource - -This library leverages the EndpointSlice resource to identify the ports the -cluster uses for ingress traffic. Relevant EndpointSlices include those -referencing host-networked pods, Node Port services, LoadBalancer services, -or any custom EndpointSlice labeled with `"ingress":""`. +The `ss` package provides the `CreateComDetailsFromNode` function that runs +the `ss` command on each node, and converts the output into a corresponding ComDetails list. -Explore the example in `/examples/query_endpointslices/main.go`. - -#### Creating Custom ComDetails with ss Command - -To encompass all ports Kubernetes nodes are listening to, querying existing -EndpointSlices may be insufficient. Not all services, like the SSH service, -are represented. The `ss` command, a Linux utility, lists listening ports on -the host with `ss -anplt` for TCP or `ss -anplu` for UDP. +### Communication Matrix Creation Guide -The `ss` package provides the `ToComDetails` function, converting `ss` command -output into a corresponding ComDetails list. Use the `ToEndpointSlice` method -to create an EndpointSlice object from this list. +Use the `generate` Makefile target to create the matrix. +The following environment variables are used to configure: +``` +FORMAT (csv/json/yaml) +CLUSTER_ENV (baremetal/aws) +DEST_DIR (path to the directory containing the artifacts) +DEPLOYMENT (mno/sno) +``` -As a convention, EndpointSlices referencing non-critical services are labeled with `"optional": ""`. 
+The generated artifcats are: +``` +communication-matrix - The generated communication matrix. +ss-generated-matrix - The communication matrix that generated by the `ss` command. +matrix-diff-ss - Shows the variance between two matrices. Entries present in the communication matrix but absent in the ss matrix are marked with '+', while entries present in the ss matrix but not in the communication matrix are marked with '-'. +raw-ss-tcp - The raw `ss` output for TCP. +raw-ss-udp - The raw `ss` output for UDP. +``` -Check the example in `/examples/create_custom_endpointslices/main.go` for a practical demonstration. \ No newline at end of file +Each record describes a flow with the following information: +``` +direction Data flow direction (currently ingress only) +protocol IP protocol (TCP/UDP/SCTP/etc) +port Flow port number +namespace EndpointSlice Namespace +service EndpointSlice owner Service name +pod EndpointSlice target Pod name +container Port owner Container name +nodeRole Service node host role (master/worker/master&worker[for SNO]) +optional Optional or mandatory flow for OpenShift +``` From 3b8e21b4d9afad70de2c07ff291ce3be589c53e9 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 12:13:29 +0300 Subject: [PATCH 10/22] Fix the `test` command Fix the `go test` path in tasks.py. Signed-off-by: Lior Noy --- tasks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks.py b/tasks.py index 4e4c2d15..2f13e1e2 100644 --- a/tasks.py +++ b/tasks.py @@ -3,7 +3,7 @@ @task def test(ctx): """Run unit tests.""" - run("go test ./pkg/...") + run("go test ./...") @task(help={ "env": "Specify in which environment to run the linter . Default 'container'. Supported: 'container','host'" From 4f1945e54509774617ee5c5c89118b83480b52b3 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 12:24:27 +0300 Subject: [PATCH 11/22] Fix lint - add period for comments To fix lint check, added period in end of line of comments. 
Signed-off-by: Lior Noy --- commatrix/commatrix.go | 2 +- commatrix/static-custom-entries.go | 2 +- consts/consts.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/commatrix/commatrix.go b/commatrix/commatrix.go index e7165ed4..4da8f578 100644 --- a/commatrix/commatrix.go +++ b/commatrix/commatrix.go @@ -12,7 +12,7 @@ import ( "github.com/openshift-kni/commatrix/types" ) -// TODO: add integration tests +// TODO: add integration tests. type Env int diff --git a/commatrix/static-custom-entries.go b/commatrix/static-custom-entries.go index e9ac0e8b..a9372a1e 100644 --- a/commatrix/static-custom-entries.go +++ b/commatrix/static-custom-entries.go @@ -1,6 +1,6 @@ package commatrix -// TODO: can just be commat struct +// TODO: can just be commat struct. var generalStaticEntriesWorker = ` [ diff --git a/consts/consts.go b/consts/consts.go index d7c54fbf..4a0155e1 100644 --- a/consts/consts.go +++ b/consts/consts.go @@ -7,6 +7,6 @@ const ( OptionalTrue = "true" RoleLabel = "node-role.kubernetes.io/" DefaultDebugNamespace = "openshift-commatrix-debug" - // TODO: change the image + // TODO: change the image. DefaultDebugPodImage = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:535ce24b5f1894d2a07bfa7eed7ad028ffde0659693f2a571ac4712a21cd028c" ) From e64cc102b8fd2933618d6c8486afd753a926aac4 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 21 Apr 2024 18:18:48 +0300 Subject: [PATCH 12/22] Check `oc` exist in Makefile This commit adds a check in the Makefile to see if the `oc` binary exist. if not, download and install it. Signed-off-by: Lior Noy --- Makefile | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index c8900878..557ddbcc 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,7 @@ CLUSTER_ENV ?= baremetal DEST_DIR ?= . DEPLOYMENT ?= mno GO_SRC := cmd/main.go +OC_VERSION_TAG := 4.15.0-202402082307 EXECUTABLE := commatrix-gen 
@@ -11,8 +12,22 @@ EXECUTABLE := commatrix-gen build: go build -o $(EXECUTABLE) $(GO_SRC) -# TODO: check if oc is installed -generate: build +oc: +ifeq (, $(shell which oc)) + @{ \ + set -e ;\ + curl -LO https://github.com/openshift/oc/archive/refs/tags/openshift-clients-$(OC_VERSION_TAG).tar.gz ;\ + tar -xf openshift-clients-$(OC_VERSION_TAG).tar.gz ;\ + cd $(PWD)/oc-openshift-clients-$(OC_VERSION_TAG) ;\ + make oc ;\ + mv oc $(GOBIN)/oc ;\ + chmod u+x $(GOBIN)/oc ;\ + rm -rf $(PWD)/oc-openshift-clients-$(OC_VERSION_TAG) ;\ + rm $(PWD)/openshift-clients-$(OC_VERSION_TAG).tar.gz ;\ + } +endif + +generate: oc build mkdir -p $(DEST_DIR)/communication-matrix ./$(EXECUTABLE) -format=$(FORMAT) -env=$(CLUSTER_ENV) -destDir=$(DEST_DIR)/communication-matrix -deployment=$(DEPLOYMENT) From e199866cf4b28b36d2d258fc213773ff4751b6c4 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Tue, 30 Apr 2024 13:48:45 +0300 Subject: [PATCH 13/22] Modify the ss filtering functions This commit joins both filtering function for the ss entries, and rename it with a better name. Signed-off-by: Lior Noy --- ss/ss.go | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/ss/ss.go b/ss/ss.go index cb2e9d0c..1732aad3 100644 --- a/ss/ss.go +++ b/ss/ss.go 
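Review bot: The new `oc` target moves the built binary to `$(GOBIN)/oc`, but `GOBIN` is not defined anywhere in the Makefile and is commonly unset, in which case the recipe runs `mv oc /oc`; define a fallback near the other variables, e.g. `GOBIN ?= $(or $(shell go env GOBIN),$(shell go env GOPATH)/bin)`. The tarball is fetched and built with no integrity check, so the toolchain depends entirely on the download being what `OC_VERSION_TAG` names; add a pinned checksum step after the `curl`, such as `echo "<EXPECTED_SHA256>  openshift-clients-$(OC_VERSION_TAG).tar.gz" | sha256sum -c - ;\` (value to be filled in from the release). Note also that the `ifeq` tests `which oc` on `PATH` while the install goes to `$(GOBIN)`, so if `GOBIN` is not on `PATH` the download repeats on every `make generate`.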
@@ -24,18 +24,9 @@ const ( duration = time.Second * 5 ) -var ( - // TcpSSFilterFn is a function variable in Go that filters entries from the 'ss' command output. - // It takes an entry from the 'ss' command output and returns true if the entry represents a TCP port in the listening state. - tcpSSFilterFn = func(s string) bool { - return strings.Contains(s, "127.0.0") || !strings.Contains(s, "LISTEN") - } - // UdpSSFilterFn is a function variable in Go that filters entries from the 'ss' command output. - // It takes an entry from the 'ss' command output and returns true if the entry represents a UDP port in the listening state. - udpSSFilterFn = func(s string) bool { - return strings.Contains(s, "127.0.0") || !strings.Contains(s, "ESTAB") - } -) +var filterOutFn = func(s string) bool { + return strings.Contains(s, "127.0.0") || strings.Contains(s, "::1") || s == "" +} func CreateComDetailsFromNode(cs *client.ClientSet, node *corev1.Node, tcpFile, udpFile *os.File) ([]types.ComDetails, error) { debugPod, err := debug.New(cs, node.Name, consts.DefaultDebugNamespace, consts.DefaultDebugPodImage) 
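Review bot: The merged `filterOutFn` drops any line that merely contains the text `::1` or `127.0.0`, and as a substring test that also removes listeners on any IPv6 address containing `::1` (for example something like `fd02::1` or `2001:db8::1`), so real ingress ports can silently disappear from the matrix; it also keeps a listener on, say, `127.1.2.3`, which is loopback too. Since the file already has `localAddrPortFieldIdx`, the loopback check should parse the local-address column and ask `net.IP.IsLoopback`, which needs `net` added to the import block. The rewrite below keeps the blank-line filtering and otherwise only changes how loopback is detected.

```go
// filterOutFn reports whether an ss output line should be dropped: blank
// lines and sockets bound to a loopback address. The local address is taken
// from its own column rather than matched as a substring so that an IPv6
// address that merely contains "::1" is not mistaken for the loopback address.
var filterOutFn = func(s string) bool {
	if strings.TrimSpace(s) == "" {
		return true
	}
	fields := strings.Fields(s)
	if len(fields) <= localAddrPortFieldIdx {
		return false
	}
	host, _, err := net.SplitHostPort(fields[localAddrPortFieldIdx])
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}
```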
@@ -49,17 +40,17 @@ func CreateComDetailsFromNode(cs *client.ClientSet, node *corev1.Node, tcpFile, } }() - ssOutTCP, err := debugPod.ExecWithRetry("ss -anplt", interval, duration) + ssOutTCP, err := debugPod.ExecWithRetry("ss -anpltH", interval, duration) if err != nil { return nil, err } - ssOutUDP, err := debugPod.ExecWithRetry("ss -anplu", interval, duration) + ssOutUDP, err := debugPod.ExecWithRetry("ss -anpluH", interval, duration) if err != nil { return nil, err } - ssOutFilteredTCP := filterStrings(tcpSSFilterFn, splitByLines(ssOutTCP)) - ssOutFilteredUDP := filterStrings(udpSSFilterFn, splitByLines(ssOutUDP)) + ssOutFilteredTCP := filterStrings(filterOutFn, splitByLines(ssOutTCP)) + ssOutFilteredUDP := filterStrings(filterOutFn, splitByLines(ssOutUDP)) _, err = tcpFile.Write([]byte(fmt.Sprintf("node: %s\n%s", node.Name, strings.Join(ssOutFilteredTCP, "\n")))) if err != nil { From 09c5a1710df4a152f3615493cd3041c945ea41d3 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Thu, 2 May 2024 11:57:27 +0300 Subject: [PATCH 14/22] Update the static custom entries This commit updates the static custom entries to be in struct format and not string. also add ports 111 and 53 for UDP. Signed-off-by: Lior Noy --- commatrix/commatrix.go | 37 +- commatrix/static-custom-entries.go | 1050 ++++++++++++++-------------- 2 files changed, 525 insertions(+), 562 deletions(-) diff --git a/commatrix/commatrix.go b/commatrix/commatrix.go index 4da8f578..5841cb07 100644 --- a/commatrix/commatrix.go +++ b/commatrix/commatrix.go 
@@ -94,54 +94,29 @@ func addFromFile(fp string) ([]types.ComDetails, error) { func getStaticEntries(e Env, d Deployment) ([]types.ComDetails, error) { comDetails := []types.ComDetails{} - add := []types.ComDetails{} switch e { case Baremetal: - err := json.Unmarshal([]byte(baremetalStaticEntriesMaster), &add) - if err != nil { - return nil, fmt.Errorf("failed to unmarshal static entries: %v", err) - } - comDetails = append(comDetails, add...) + comDetails = append(comDetails, baremetalStaticEntriesMaster...) if d == SNO { break } - err = json.Unmarshal([]byte(baremetalStaticEntriesWorker), &add) - if err != nil { - return nil, fmt.Errorf("failed to unmarshal static entries: %v", err) - } - comDetails = append(comDetails, add...) + comDetails = append(comDetails, baremetalStaticEntriesWorker...) case AWS: - err := json.Unmarshal([]byte(awsCloudStaticEntriesMaster), &add) - if err != nil { - return nil, fmt.Errorf("failed to unmarshal static entries: %v", err) - } - comDetails = append(comDetails, add...) + comDetails = append(comDetails, awsCloudStaticEntriesMaster...) if d == SNO { break } - err = json.Unmarshal([]byte(awsCloudStaticEntriesWorker), &add) - if err != nil { - return nil, fmt.Errorf("failed to unmarshal static entries: %v", err) - } - comDetails = append(comDetails, add...) + comDetails = append(comDetails, awsCloudStaticEntriesWorker...) default: return nil, fmt.Errorf("invalid value for cluster environment") } - err := json.Unmarshal([]byte(generalStaticEntriesMaster), &add) - if err != nil { - return nil, fmt.Errorf("failed to unmarshal static entries: %v", err) - } - comDetails = append(comDetails, add...) + comDetails = append(comDetails, generalStaticEntriesMaster...) if d == SNO { return comDetails, nil } - err = json.Unmarshal([]byte(generalStaticEntriesWorker), &add) - if err != nil { - return nil, fmt.Errorf("failed to unmarshal static entries: %v", err) - } - comDetails = append(comDetails, add...) 
+ comDetails = append(comDetails, generalStaticEntriesWorker...) return comDetails, nil } diff --git a/commatrix/static-custom-entries.go b/commatrix/static-custom-entries.go index a9372a1e..6fd39b90 100644 --- a/commatrix/static-custom-entries.go +++ b/commatrix/static-custom-entries.go 
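Review bot: The `default` branch that survives the rewrite still returns `fmt.Errorf("invalid value for cluster environment")` without saying which value was rejected; since `Env` is a plain int here, `return nil, fmt.Errorf("invalid value for cluster environment: %d", e)` makes the failure diagnosable from the generator's output. With every `json.Unmarshal` call gone from this function, `encoding/json` may now be unused in commatrix.go unless `addFromFile` (whose body is outside the hunk) still needs it; worth confirming the file builds. A doc comment such as `// getStaticEntries returns the hard-coded ComDetails for the given environment and deployment; worker entries are omitted for SNO.` would also help, as the function has none.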
@@ -1,539 +1,527 @@ package commatrix -// TODO: can just be commat struct. +import "github.com/openshift-kni/commatrix/types" -var generalStaticEntriesWorker = ` -[ - { - "direction": "ingress", - "protocol": "TCP", - "port": "22", - "nodeRole": "worker", - "service": "sshd", - "namespace": "system", - "pod": "system", - "container": "system", - "optional": true - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9637", - "nodeRole": "worker", - "service": "kube-rbac-proxy", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10250", - "nodeRole": "worker", - "service": "kubelet", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9107", - "nodeRole": "worker", - "service": "egressip-node-healthcheck", - "namespace": "openshift-ovn-kubernetes", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "111", - "nodeRole": "worker", - "service": "rpcbind", - "namespace": "system", - "pod": "system", - "container": "system", - "optional": true - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10256", - "nodeRole": "worker", - "service": "openshift-sdn", - "namespace": "", - "pod": "", - "container": "", - "optional": true - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9001", - "nodeRole": "worker", - "service": "machine-config-daemon", - "namespace": "openshift-machine-config-operator", - "pod": "machine-config-daemon", - "container": "kube-rbac-proxy", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9537", - "nodeRole": "worker", - "service": "crio-metrics", - "namespace": "", - "pod": "", - "container": "", - "optional": false - } -] -` +var generalStaticEntriesWorker = []types.ComDetails{ + { + Direction: "ingress", + Protocol: "TCP", + Port: 
"22", + NodeRole: "worker", + Service: "sshd", + Namespace: "", + Pod: "", + Container: "", + Optional: true, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9637", + NodeRole: "worker", + Service: "kube-rbac-proxy", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10250", + NodeRole: "worker", + Service: "kubelet", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9107", + NodeRole: "worker", + Service: "egressip-node-healthcheck", + Namespace: "openshift-ovn-kubernetes", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "111", + NodeRole: "worker", + Service: "rpcbind", + Namespace: "", + Pod: "", + Container: "", + Optional: true, + }, { + Direction: "ingress", + Protocol: "UDP", + Port: "111", + NodeRole: "worker", + Service: "rpcbind", + Namespace: "", + Pod: "", + Container: "", + Optional: true, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10256", + NodeRole: "worker", + Service: "ovnkube", + Namespace: "openshift-sdn", + Pod: "ovnkube", + Container: "ovnkube-controller", + Optional: true, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9001", + NodeRole: "worker", + Service: "machine-config-daemon", + Namespace: "openshift-machine-config-operator", + Pod: "machine-config-daemon", + Container: "kube-rbac-proxy", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9537", + NodeRole: "worker", + Service: "crio-metrics", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, +} -var generalStaticEntriesMaster = ` -[ - { - "direction": "ingress", - "protocol": "TCP", - "port": "9637", - "nodeRole": "master", - "service": "kube-rbac-proxy", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10256", - 
"nodeRole": "master", - "service": "openshift-sdn", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9537", - "nodeRole": "master", - "service": "crio-metrics", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10250", - "nodeRole": "master", - "service": "kubelet", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9107", - "nodeRole": "master", - "service": "egressip-node-healthcheck", - "namespace": "openshift-ovn-kubernetes", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "111", - "nodeRole": "master", - "service": "rpcbind", - "namespace": "system", - "pod": "system", - "container": "system", - "optional": true - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "22", - "nodeRole": "master", - "service": "sshd", - "namespace": "system", - "pod": "system", - "container": "system", - "optional": true - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9192", - "nodeRole": "master", - "service": "machine-approver", - "namespace": "openshift-cluster-machine-approver", - "pod": "machine-approver", - "container": "kube-rbac-proxy", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9258", - "nodeRole": "master", - "service": "machine-approver", - "namespace": "openshift-cloud-controller-manager-operator", - "pod": "cluster-cloud-controller-manager", - "container": "cluster-cloud-controller-manager", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9099", - "nodeRole": "master", - "service": "cluster-version-operator", - "namespace": "openshift-cluster-version", - "pod": "cluster-version-operator", - "container": 
"cluster-version-operator", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9980", - "nodeRole": "master", - "service": "etcd", - "namespace": "openshift-etcd", - "pod": "etcd", - "container": "etcd", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9979", - "nodeRole": "master", - "service": "etcd", - "namespace": "openshift-etcd", - "pod": "etcd", - "container": "etcd-metrics", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9978", - "nodeRole": "master", - "service": "etcd", - "namespace": "openshift-etcd", - "pod": "etcd-metrics", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10357", - "nodeRole": "master", - "service": "cluster-policy-controller-apiserver-healthz", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "17697", - "nodeRole": "master", - "service": "no-service", - "namespace": "openshift-kube-apiserver", - "pod": "kube-apiserve", - "container": "kube-apiserver-check-endpoints", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "2380", - "nodeRole": "master", - "service": "healthz", - "namespace": "etcd", - "pod": "etcd", - "container": "etcd", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "2379", - "nodeRole": "master", - "service": "etcd", - "namespace": "openshift-etcd", - "pod": "etcd", - "container": "etcdctl", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "6080", - "nodeRole": "master", - "service": "no-service", - "namespace": "openshift-kube-apiserver", - "pod": "kube-apiserver", - "container": "kube-apiserver-insecure-readyz", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "22624", - "nodeRole": "master", - "service": 
"machine-config-server", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "22623", - "nodeRole": "master", - "service": "machine-config-server", - "namespace": "", - "pod": "", - "container": "", - "optional": false - } -] -` +var generalStaticEntriesMaster = []types.ComDetails{ + { + Direction: "ingress", + Protocol: "TCP", + Port: "9637", + NodeRole: "master", + Service: "kube-rbac-proxy", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10256", + NodeRole: "master", + Service: "openshift-sdn", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9537", + NodeRole: "master", + Service: "crio-metrics", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10250", + NodeRole: "master", + Service: "kubelet", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9107", + NodeRole: "master", + Service: "egressip-node-healthcheck", + Namespace: "openshift-ovn-kubernetes", + Pod: "ovnkube", + Container: "ovnkube-controller", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "111", + NodeRole: "master", + Service: "rpcbind", + Namespace: "", + Pod: "", + Container: "", + Optional: true, + }, { + Direction: "ingress", + Protocol: "UDP", + Port: "111", + NodeRole: "master", + Service: "rpcbind", + Namespace: "", + Pod: "", + Container: "", + Optional: true, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "22", + NodeRole: "master", + Service: "sshd", + Namespace: "", + Pod: "", + Container: "", + Optional: true, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9192", + NodeRole: "master", + Service: "machine-approver", + Namespace: 
"openshift-cluster-machine-approver", + Pod: "machine-approver", + Container: "kube-rbac-proxy", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9258", + NodeRole: "master", + Service: "machine-approver", + Namespace: "openshift-cloud-controller-manager-operator", + Pod: "cluster-cloud-controller-manager", + Container: "cluster-cloud-controller-manager", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9099", + NodeRole: "master", + Service: "cluster-version-operator", + Namespace: "openshift-cluster-version", + Pod: "cluster-version-operator", + Container: "cluster-version-operator", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9980", + NodeRole: "master", + Service: "etcd", + Namespace: "openshift-etcd", + Pod: "etcd", + Container: "etcd", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9979", + NodeRole: "master", + Service: "etcd", + Namespace: "openshift-etcd", + Pod: "etcd", + Container: "etcd-metrics", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9978", + NodeRole: "master", + Service: "etcd", + Namespace: "openshift-etcd", + Pod: "etcd", + Container: "etcd-metrics", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10357", + NodeRole: "master", + Service: "cluster-policy-controller-apiserver-healthz", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "17697", + NodeRole: "master", + Service: "cluster-policy-controller-apiserver-healthz", + Namespace: "openshift-kube-apiserver", + Pod: "kube-apiserver", + Container: "kube-apiserver-check-endpoints", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "2380", + NodeRole: "master", + Service: "healthz", + Namespace: "openshift-etcd", + Pod: "etcd", + Container: "etcd", + Optional: false, + }, { + Direction: "ingress", + Protocol: 
"TCP", + Port: "2379", + NodeRole: "master", + Service: "etcd", + Namespace: "openshift-etcd", + Pod: "etcd", + Container: "etcdctl", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "6080", + NodeRole: "master", + Service: "", + Namespace: "openshift-kube-apiserver", + Pod: "kube-apiserver", + Container: "kube-apiserver-insecure-readyz", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "22624", + NodeRole: "master", + Service: "machine-config-server", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "22623", + NodeRole: "master", + Service: "machine-config-server", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, +} -var baremetalStaticEntriesWorker = ` -[ - { - "direction": "ingress", - "protocol": "TCP", - "port": "53", - "nodeRole": "worker", - "service": "none", - "namespace": "openshift-dns", - "pod": "dnf-default", - "container": "dns", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "18080", - "service": "openshift-kni-infra-coredns", - "nodeRole": "worker", - "namespace": "openshift-kni-infra", - "pod": "coredns", - "container": "coredns", - "optional": false - } -] -` +var baremetalStaticEntriesWorker = []types.ComDetails{ + { + Direction: "ingress", + Protocol: "TCP", + Port: "53", + NodeRole: "worker", + Service: "dns-default", + Namespace: "openshift-dns", + Pod: "dnf-default", + Container: "dns", + Optional: false, + }, { + Direction: "ingress", + Protocol: "UDP", + Port: "53", + NodeRole: "worker", + Service: "dns-default", + Namespace: "openshift-dns", + Pod: "dnf-default", + Container: "dns", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "18080", + NodeRole: "worker", + Service: "openshift-kni-infra-coredns", + Namespace: "openshift-kni-infra", + Pod: "coredns", + Container: "coredns", + Optional: false, + }, +} -var 
baremetalStaticEntriesMaster = ` -[ - { - "direction": "ingress", - "protocol": "TCP", - "port": "53", - "nodeRole": "master", - "service": "dns-default", - "namespace": "openshift-dns", - "pod": "dnf-default", - "container": "dns", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "5050", - "nodeRole": "master", - "service": "metal3", - "namespace": "openshift-machine-api", - "pod": "ironic-proxy", - "container": "ironic-proxy", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9444", - "nodeRole": "master", - "service": "openshift-kni-infra-haproxy-haproxy", - "namespace": "openshift-kni-infra", - "pod": "haproxy", - "container": "haproxy", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9445", - "nodeRole": "master", - "service": "haproxy-openshift-dsn-internal-loadbalancer", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "9191", - "nodeRole": "master", - "service": "machine-approver", - "namespace": "machine-approver", - "pod": "machine-approver", - "container": "machine-approver-controller", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "6385", - "nodeRole": "master", - "service": "no-service", - "namespace": "openshift-machine-api", - "pod": "ironic-proxy", - "container": "ironic-proxy", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "29445", - "nodeRole": "master", - "service": "haproxy-openshift-dsn", - "namespace": "", - "pod": "", - "container": "", - "optional": true - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "18080", - "nodeRole": "master", - "service": "openshift-kni-infra-coredns", - "namespace": "openshift-kni-infra", - "pod": "corend", - "container": "coredns", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": 
"9447", - "nodeRole": "master", - "service": "baremetal-operator-webhook-baremetal provisioning", - "namespace": "", - "pod": "", - "container": "", - "optional": false - } -] -` +var baremetalStaticEntriesMaster = []types.ComDetails{ + { + Direction: "ingress", + Protocol: "TCP", + Port: "53", + NodeRole: "master", + Service: "dns-default", + Namespace: "openshift-dns", + Pod: "dnf-default", + Container: "dns", + Optional: false, + }, { + Direction: "ingress", + Protocol: "UDP", + Port: "53", + NodeRole: "master", + Service: "dns-default", + Namespace: "openshift-dns", + Pod: "dnf-default", + Container: "dns", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "5050", + NodeRole: "master", + Service: "metal3", + Namespace: "openshift-machine-api", + Pod: "ironic-proxy", + Container: "ironic-proxy", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9444", + NodeRole: "master", + Service: "openshift-kni-infra-haproxy-haproxy", + Namespace: "openshift-kni-infra", + Pod: "haproxy", + Container: "haproxy", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9445", + NodeRole: "master", + Service: "haproxy-openshift-dsn-internal-loadbalancer", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9191", + NodeRole: "master", + Service: "machine-approver", + Namespace: "machine-approver", + Pod: "machine-approver", + Container: "machine-approver-controller", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "6385", + NodeRole: "master", + Service: "", + Namespace: "openshift-machine-api", + Pod: "ironic-proxy", + Container: "ironic-proxy", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "29445", + NodeRole: "master", + Service: "haproxy-openshift-dsn", + Namespace: "", + Pod: "", + Container: "", + Optional: true, + }, { + Direction: "ingress", + Protocol: "TCP", + 
Port: "18080", + NodeRole: "master", + Service: "openshift-kni-infra-coredns", + Namespace: "openshift-kni-infra", + Pod: "coredns", + Container: "coredns", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "9447", + NodeRole: "master", + Service: "baremetal-operator-webhook-baremetal provisioning", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, +} -var awsCloudStaticEntriesWorker = ` -[ - { - "direction": "ingress", - "protocol": "TCP", - "port": "10304", - "nodeRole": "worker", - "service": "csi-node-driver", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10300", - "nodeRole": "worker", - "service": "csi-livenessprobe", - "namespace": "", - "pod": "", - "container": "", - "optional": false - } -] -` +var awsCloudStaticEntriesWorker = []types.ComDetails{ + { + Direction: "ingress", + Protocol: "TCP", + Port: "10304", + NodeRole: "worker", + Service: "csi-node-driver", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10300", + NodeRole: "worker", + Service: "csi-livenessprobe", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, +} -var awsCloudStaticEntriesMaster = ` -[ - { - "direction": "ingress", - "protocol": "TCP", - "port": "8080", - "nodeRole": "master", - "service": "cluster-network", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10260", - "nodeRole": "master", - "service": "aws-cloud-controller", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10258", - "nodeRole": "master", - "service": "aws-cloud-controller", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": 
"10304", - "nodeRole": "master", - "service": "csi-node-driver", - "namespace": "", - "pod": "", - "container": "", - "optional": false - }, - { - "direction": "ingress", - "protocol": "TCP", - "port": "10300", - "nodeRole": "master", - "service": "csi-livenessprobe", - "namespace": "", - "pod": "", - "container": "", - "optional": false - } -] -` +var awsCloudStaticEntriesMaster = []types.ComDetails{ + { + Direction: "ingress", + Protocol: "TCP", + Port: "8080", + NodeRole: "master", + Service: "cluster-network", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10260", + NodeRole: "master", + Service: "aws-cloud-controller", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10258", + NodeRole: "master", + Service: "aws-cloud-controller", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10304", + NodeRole: "master", + Service: "csi-node-driver", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "TCP", + Port: "10300", + NodeRole: "master", + Service: "csi-livenessprobe", + Namespace: "", + Pod: "", + Container: "", + Optional: false, + }, +} From 75541e53ed3175c4c11dec0148d6baaaab0b920c Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Mon, 6 May 2024 16:36:23 +0300 Subject: [PATCH 15/22] ss: improve readability This commit modifies the functions respoinsible for extracting the container name of a given ss entry. - Renamed functions. - Added comments. - Changed function order. Signed-off-by: Lior Noy --- ss/ss.go | 74 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 35 deletions(-) diff --git a/ss/ss.go b/ss/ss.go index 1732aad3..4a4692f7 100644 --- a/ss/ss.go +++ b/ss/ss.go 
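Review bot: The hunk changes the data as well as the encoding, and the content changes are easy to miss behind the JSON-to-struct conversion: UDP entries for ports 111 and 53 are new, the sshd and rpcbind entries lose their `system` namespace/pod/container values, the worker 10256 entry now reads `Service: "ovnkube", Namespace: "openshift-sdn"` while the master 10256 entry keeps `Service: "openshift-sdn"` with an empty namespace and the 9107 entries place ovnkube in openshift-ovn-kubernetes, and the 17697 entry now reuses the 10357 service name `cluster-policy-controller-apiserver-healthz` where it previously said `no-service`. Because getStaticEntries appends these slices straight into the generated matrix, each of these changes alters what the tool reports as an expected listener and should be called out in the commit message or a comment if it is not already. `Pod: "dnf-default"` on the port-53 entries, carried over from the old JSON, looks like a typo for the `dns-default` service named on the same entries; please confirm. None of the six variables has a doc comment; one line above each would help, e.g. `// generalStaticEntriesWorker holds the hand-maintained ingress entries appended for every worker node regardless of platform.`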
@@ -91,7 +91,7 @@ func toComDetails(debugPod *debug.DebugPod, ssOutput []string, protocol string, if err != nil { return nil, err } - name, err := identifyContainerForPort(debugPod, ssEntry) + name, err := getContainerName(debugPod, ssEntry) if err != nil { log.Debugf("failed to identify container for ss entry: %serr: %s", ssEntry, err) } @@ -106,7 +106,8 @@ func toComDetails(debugPod *debug.DebugPod, ssOutput []string, protocol string, return res, nil } -func identifyContainerForPort(debugPod *debug.DebugPod, ssEntry string) (string, error) { +// getContainerName receives an ss entry and gets the name of the container exposing this port. +func getContainerName(debugPod *debug.DebugPod, ssEntry string) (string, error) { pid, err := extractPID(ssEntry) if err != nil { return "", err @@ -117,7 +118,7 @@ func identifyContainerForPort(debugPod *debug.DebugPod, ssEntry string) (string, return "", err } - res, err := extractContainerInfo(debugPod, containerID) + res, err := extractContainerName(debugPod, containerID) if err != nil { return "", err } 
@@ -125,37 +126,21 @@ func identifyContainerForPort(debugPod *debug.DebugPod, ssEntry string) (string, return res, nil } -func extractContainerInfo(debugPod *debug.DebugPod, containerID string) (string, error) { - type ContainerInfo struct { - Containers []struct { - Labels struct { - ContainerName string `json:"io.kubernetes.container.name"` - PodName string `json:"io.kubernetes.pod.name"` - PodNamespace string `json:"io.kubernetes.pod.namespace"` - } `json:"labels"` - } `json:"containers"` - } - containerInfo := &ContainerInfo{} - cmd := fmt.Sprintf("crictl ps -o json --id %s", containerID) +// extractPID receives an ss entry and returns the PID number of it. +func extractPID(ssEntry string) (string, error) { + re := regexp.MustCompile(`pid=(\d+)`) - out, err := debugPod.ExecWithRetry(cmd, interval, duration) - if err != nil { - return "", err - } + match := re.FindStringSubmatch(ssEntry) - err = json.Unmarshal(out, &containerInfo) - if err != nil { - return "", err - } - if len(containerInfo.Containers) != 1 { - return "", fmt.Errorf("failed extracting pod info, got %d results expected 1. got output:\n%s", len(containerInfo.Containers), string(out)) + if len(match) < 2 { + return "", fmt.Errorf("PID not found in the input string") } - containerName := containerInfo.Containers[0].Labels.ContainerName - - return containerName, nil + pid := match[1] + return pid, nil } +// extractContainerID receives a PID of a container, and returns its CRI-O ID. func extractContainerID(debugPod *debug.DebugPod, pid string) (string, error) { cmd := fmt.Sprintf("cat /proc/%s/cgroup", pid) out, err := debugPod.ExecWithRetry(cmd, interval, duration) 
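Review bot: extractPID, now on the new side of this hunk, calls `regexp.MustCompile` on every invocation, and getContainerName calls it once per ss entry it is handed; the pattern is constant, so hoist it to package scope (`var pidRe = regexp.MustCompile(...)` with the same `pid=(\d+)` pattern) and use `pidRe.FindStringSubmatch(ssEntry)`. The error `PID not found in the input string` would be more useful with the offending entry in it, e.g. `fmt.Errorf("PID not found in ss entry %q", ssEntry)`. The tail of the hunk is the start of extractContainerID, whose body continues outside it.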
@@ -174,17 +159,36 @@ func extractContainerID(debugPod *debug.DebugPod, pid string) (string, error) { return containerID, nil } -func extractPID(input string) (string, error) { - re := regexp.MustCompile(`pid=(\d+)`) +// extractContainerName receives CRI-O container ID and returns the container's name. +func extractContainerName(debugPod *debug.DebugPod, containerID string) (string, error) { + type ContainerInfo struct { + Containers []struct { + Labels struct { + ContainerName string `json:"io.kubernetes.container.name"` + PodName string `json:"io.kubernetes.pod.name"` + PodNamespace string `json:"io.kubernetes.pod.namespace"` + } `json:"labels"` + } `json:"containers"` + } + containerInfo := &ContainerInfo{} + cmd := fmt.Sprintf("crictl ps -o json --id %s", containerID) - match := re.FindStringSubmatch(input) + out, err := debugPod.ExecWithRetry(cmd, interval, duration) + if err != nil { + return "", err + } - if len(match) < 2 { - return "", fmt.Errorf("PID not found in the input string") + err = json.Unmarshal(out, &containerInfo) + if err != nil { + return "", err + } + if len(containerInfo.Containers) != 1 { + return "", fmt.Errorf("failed extracting pod info, got %d results expected 1. got output:\n%s", len(containerInfo.Containers), string(out)) } - pid := match[1] - return pid, nil + containerName := containerInfo.Containers[0].Labels.ContainerName + + return containerName, nil } func filterStrings(filterOutFn func(string) bool, strs []string) []string { From 78abf92b86570693716047d67e35a76eb93f6adb Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Wed, 8 May 2024 13:13:05 +0300 Subject: [PATCH 16/22] Modify `filterStrings` function Since now the SS entries filter out functions for TCP and UDP are the same, here we modify the filterStrings function to include the filter out condition inside and remove the filterFn semantics. Signed-off-by: Lior Noy --- ss/ss.go | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) 
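Review bot: extractContainerName interpolates containerID into the `crictl ps -o json --id %s` command without any shape check, and that value is derived by extractContainerID from the node's `/proc/<pid>/cgroup` output; a one-line guard such as `if !containerIDRe.MatchString(containerID) { return "", fmt.Errorf("unexpected container id %q", containerID) }` (with containerIDRe a package-level hex pattern) keeps an unexpected cgroup line from becoming a malformed command and gives a clearer error than crictl's output would. The local ContainerInfo type declares PodName and PodNamespace labels that the function never reads; either drop them or note in a comment why they are kept. The error text `failed extracting pod info, got %d results expected 1` describes a container lookup, so `failed extracting container info` would match the function's new name.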
diff --git a/ss/ss.go b/ss/ss.go index 4a4692f7..db7fad18 100644 --- a/ss/ss.go +++ b/ss/ss.go @@ -24,10 +24,6 @@ const ( duration = time.Second * 5 ) -var filterOutFn = func(s string) bool { - return strings.Contains(s, "127.0.0") || strings.Contains(s, "::1") || s == "" -} - func CreateComDetailsFromNode(cs *client.ClientSet, node *corev1.Node, tcpFile, udpFile *os.File) ([]types.ComDetails, error) { debugPod, err := debug.New(cs, node.Name, consts.DefaultDebugNamespace, consts.DefaultDebugPodImage) if err != nil { @@ -49,8 +45,8 @@ func CreateComDetailsFromNode(cs *client.ClientSet, node *corev1.Node, tcpFile, return nil, err } - ssOutFilteredTCP := filterStrings(filterOutFn, splitByLines(ssOutTCP)) - ssOutFilteredUDP := filterStrings(filterOutFn, splitByLines(ssOutUDP)) + ssOutFilteredTCP := filterEntries(splitByLines(ssOutTCP)) + ssOutFilteredUDP := filterEntries(splitByLines(ssOutUDP)) _, err = tcpFile.Write([]byte(fmt.Sprintf("node: %s\n%s", node.Name, strings.Join(ssOutFilteredTCP, "\n")))) if err != nil { @@ -191,10 +187,10 @@ func extractContainerName(debugPod *debug.DebugPod, containerID string) (string, return containerName, nil } -func filterStrings(filterOutFn func(string) bool, strs []string) []string { +func filterEntries(ssEntries []string) []string { res := make([]string, 0) - for _, s := range strs { - if filterOutFn(s) { + for _, s := range ssEntries { + if strings.Contains(s, "127.0.0") || strings.Contains(s, "::1") || s == "" { continue } From 3b360266d2f8584f1c0c872d74f1cead7eae4127 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Wed, 8 May 2024 13:35:41 +0300 Subject: [PATCH 17/22] ss: Write raw `ss` output before filtering Modify `CreateComDetailsFromNode` function to write the raw-ss files before filtering the SS entries so that the file will reflect the real raw result. Signed-off-by: Lior Noy --- ss/ss.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ss/ss.go b/ss/ss.go index db7fad18..a55626a2 100644 
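Review bot: The condition inlined into filterEntries drops any line that merely contains `127.0.0` or `::1` anywhere in it, so a listener on a non-loopback IPv6 address whose text happens to contain `::1` (a constructed example: `[fd00::10]:8080`), or a line whose peer column matches, is silently left out of the matrix, which under-reports open ports. Parsing the local-address column and asking the net package whether it is loopback makes the filter exact and fails open (anything that does not parse as an IP is kept, not dropped); the condition becomes `if s == "" || isLoopbackEntry(s) {` with the helper below, which needs the `net` import. The column index follows the `ss -anpltH` layout (state, recv-q, send-q, local, peer, process), and the next patch's commit message shows an entry of that shape, `UNCONN 0 0 [::]:6081 [::]:*`. The remainder of filterEntries is outside the hunk.
```go
// isLoopbackEntry reports whether the local-address column of an ss line is a loopback address.
// Lines that cannot be parsed (wildcards such as "*:22", short lines) are reported as
// non-loopback so that a doubtful entry is kept in the matrix rather than dropped.
func isLoopbackEntry(entry string) bool {
	fields := strings.Fields(entry)
	if len(fields) < 4 {
		return false
	}
	host, _, err := net.SplitHostPort(fields[3])
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}
```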
--- a/ss/ss.go +++ b/ss/ss.go @@ -45,18 +45,18 @@ func CreateComDetailsFromNode(cs *client.ClientSet, node *corev1.Node, tcpFile, return nil, err } - ssOutFilteredTCP := filterEntries(splitByLines(ssOutTCP)) - ssOutFilteredUDP := filterEntries(splitByLines(ssOutUDP)) - - _, err = tcpFile.Write([]byte(fmt.Sprintf("node: %s\n%s", node.Name, strings.Join(ssOutFilteredTCP, "\n")))) + _, err = tcpFile.Write([]byte(fmt.Sprintf("node: %s\n%s\n", node.Name, string(ssOutTCP)))) if err != nil { return nil, fmt.Errorf("failed writing to file: %s", err) } - _, err = udpFile.Write([]byte(fmt.Sprintf("node: %s\n%s", node.Name, strings.Join(ssOutFilteredUDP, "\n")))) + _, err = udpFile.Write([]byte(fmt.Sprintf("node: %s\n%s\n", node.Name, string(ssOutUDP)))) if err != nil { return nil, fmt.Errorf("failed writing to file: %s", err) } + ssOutFilteredTCP := filterEntries(splitByLines(ssOutTCP)) + ssOutFilteredUDP := filterEntries(splitByLines(ssOutUDP)) + tcpComDetails, err := toComDetails(debugPod, ssOutFilteredTCP, "TCP", node) if err != nil { return nil, err From f8f64449ada8b2f571ace0e60899c9578e05d04f Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Wed, 8 May 2024 16:12:19 +0300 Subject: [PATCH 18/22] ss: support concurrent execution When using goroutines, the behavior of CreateComDetailsFromNode resulted in the deletion of the debug namespace, causing failure. Here, we relocate the creation and deletion of the debug namespace outside of the function to support running this function in parallel threads. --- cmd/main.go | 32 +++++++++++++++++++++++++++++--- debug/debug.go | 21 ++++++++++----------- ss/ss.go | 14 +------------- 3 files changed, 40 insertions(+), 27 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index d0a47c92..27859879 100644 --- a/cmd/main.go +++ b/cmd/main.go 
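Review bot: Each node's raw block is written here from the per-node goroutines that the next patch on this page introduces, all sharing the same `*os.File`; since the whole block goes out in a single Write call the blocks should not tear, but their order in raw-ss-tcp and raw-ss-udp becomes nondeterministic, which deserves a comment above the writes, e.g. `// Each node's block is written in one call; when nodes run concurrently their order in the file is arbitrary.` The `[]byte(fmt.Sprintf(...))` detour can be dropped: `_, err = fmt.Fprintf(tcpFile, "node: %s\n%s\n", node.Name, ssOutTCP)` writes the same bytes without the intermediate copy, and likewise for udpFile. CreateComDetailsFromNode continues outside the hunk.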
@@ -9,12 +9,15 @@ import ( "path/filepath" "sync" + "golang.org/x/sync/errgroup" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + clientutil "github.com/openshift-kni/commatrix/client" "github.com/openshift-kni/commatrix/commatrix" + "github.com/openshift-kni/commatrix/consts" + "github.com/openshift-kni/commatrix/debug" "github.com/openshift-kni/commatrix/ss" "github.com/openshift-kni/commatrix/types" - "golang.org/x/sync/errgroup" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func main() { @@ -110,12 +113,35 @@ func main() { } nodesComDetails := []types.ComDetails{} + + err = debug.CreateNamespace(cs, consts.DefaultDebugNamespace) + if err != nil { + panic(err) + } + defer func() { + err := debug.DeleteNamespace(cs, consts.DefaultDebugNamespace) + if err != nil { + panic(err) + } + }() + nLock := &sync.Mutex{} g := new(errgroup.Group) for _, n := range nodesList.Items { node := n g.Go(func() error { - cds, err := ss.CreateComDetailsFromNode(cs, &node, tcpFile, udpFile) + debugPod, err := debug.New(cs, node.Name, consts.DefaultDebugNamespace, consts.DefaultDebugPodImage) + if err != nil { + return err + } + defer func() { + err := debugPod.Clean() + if err != nil { + fmt.Printf("failed cleaning debug pod %s: %v", debugPod, err) + } + }() + + cds, err := ss.CreateComDetailsFromNode(debugPod, &node, tcpFile, udpFile) if err != nil { return err } diff --git a/debug/debug.go b/debug/debug.go index f44dc82b..6f52221b 100644 --- a/debug/debug.go +++ b/debug/debug.go @@ -35,11 +35,6 @@ func New(cs *client.ClientSet, node string, namespace string, image string) (*De return nil, errors.New("failed creating new debug pod: got empty namespace") } - err := createNamespace(cs, namespace) - if err != nil { - return nil, err - } - pod, err := createPodAndWait(cs, interval, timeout, node, namespace, image) if err != nil { return nil, err 
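Review bot: The deferred cleanup in main deletes consts.DefaultDebugNamespace unconditionally, while debug.CreateNamespace (in the debug/debug.go hunk that follows) treats an AlreadyExists error as success; if the namespace existed before the run, the tool removes a namespace it did not create, together with whatever else lived in it. CreateNamespace could report whether it actually created the namespace, for instance `func CreateNamespace(cs *client.ClientSet, namespace string) (created bool, err error)`, and the defer would call DeleteNamespace only when created is true. Inside the goroutine, `fmt.Printf("failed cleaning debug pod %s: %v", debugPod, err)` formats a `*DebugPod` with `%s` and has no trailing newline; `fmt.Printf("failed cleaning debug pod %s/%s: %v\n", debugPod.Namespace, debugPod.Name, err)` names the pod the way Clean itself does. The import hunk above is a regrouping only.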
@@ -86,11 +81,6 @@ func (dp *DebugPod) Clean() error { return fmt.Errorf("failed deleting debug pod %s/%s: %v\n%s", dp.Namespace, dp.Name, err, string(output)) } - output, err = exec.Command("oc", "delete", "ns", dp.Namespace).CombinedOutput() - if err != nil { - return fmt.Errorf("failed deleting debug namespace %s: %v\n%s", dp.Namespace, err, string(output)) - } - return nil } @@ -290,7 +280,7 @@ func getPodDefinition(node string, namespace string, image string) *corev1.Pod { } } -func createNamespace(cs *client.ClientSet, namespace string) error { +func CreateNamespace(cs *client.ClientSet, namespace string) error { ns := getNamespaceDefinition(namespace) _, err := cs.Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{}) if err != nil && !k8serrors.IsAlreadyExists(err) { @@ -300,6 +290,15 @@ func createNamespace(cs *client.ClientSet, namespace string) error { return nil } +func DeleteNamespace(cs *client.ClientSet, namespace string) error { + err := cs.Namespaces().Delete(context.TODO(), namespace, metav1.DeleteOptions{}) + if err != nil { + return fmt.Errorf("failed deleting namespace %s: %v", namespace, err) + } + + return nil +} + func getNamespaceDefinition(namespace string) *corev1.Namespace { return &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ diff --git a/ss/ss.go b/ss/ss.go index a55626a2..320fdd3f 100644 --- a/ss/ss.go +++ b/ss/ss.go @@ -11,7 +11,6 @@ import ( log "github.com/sirupsen/logrus" corev1 "k8s.io/api/core/v1" - "github.com/openshift-kni/commatrix/client" "github.com/openshift-kni/commatrix/consts" "github.com/openshift-kni/commatrix/debug" "github.com/openshift-kni/commatrix/nodes" 
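Review bot: The new DeleteNamespace returns an error for every failed Delete, including a NotFound response, which is asymmetric with CreateNamespace just above it tolerating IsAlreadyExists; since cmd/main.go defers this call and panics on its error, a namespace removed out of band between create and delete turns cleanup into a crash. `if err != nil && !k8serrors.IsNotFound(err) {` keeps the sentinel handling consistent with CreateNamespace, and wrapping with `return fmt.Errorf("deleting namespace %s: %w", namespace, err)` lets callers still apply k8serrors checks to the result. Both functions are now exported without doc comments; add `// CreateNamespace creates namespace, treating an already existing one as success.` and `// DeleteNamespace deletes namespace.` so the lifecycle split this commit introduces is visible at the API.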
@@ -24,18 +23,7 @@ const ( duration = time.Second * 5 ) -func CreateComDetailsFromNode(cs *client.ClientSet, node *corev1.Node, tcpFile, udpFile *os.File) ([]types.ComDetails, error) { - debugPod, err := debug.New(cs, node.Name, consts.DefaultDebugNamespace, consts.DefaultDebugPodImage) - if err != nil { - return nil, err - } - defer func() { - err := debugPod.Clean() - if err != nil { - fmt.Printf("failed cleaning debug pod %s: %v", debugPod, err) - } - }() - +func CreateComDetailsFromNode(debugPod *debug.DebugPod, node *corev1.Node, tcpFile, udpFile *os.File) ([]types.ComDetails, error) { ssOutTCP, err := debugPod.ExecWithRetry("ss -anpltH", interval, duration) if err != nil { return nil, err From d01d7d5d679bbbeadafdaca706dfaed39ebd4bd3 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Wed, 8 May 2024 17:12:57 +0300 Subject: [PATCH 19/22] ss: Log warning instead of return error This commit changes the logic of `parseComDetail` function to log warning when can't extract service name, and set it to empty, instead of returning an error. This is to prevent the matrix generation from failing due to an `SS` entry without a service name like the following: `UNCONN 0 0 [::]:6081 [::]:* ` Signed-off-by: Lior Noy --- ss/ss.go | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/ss/ss.go b/ss/ss.go index 320fdd3f..060fea82 100644 --- a/ss/ss.go +++ b/ss/ss.go 
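Review bot: CreateComDetailsFromNode's new signature hands the caller ownership of the debug pod's lifecycle and, per the commit message, is now meant to run from several goroutines, yet the exported function carries no doc comment stating either contract. A comment such as `// CreateComDetailsFromNode runs ss inside debugPod (created and cleaned up by the caller) and returns the listening entries found on node; tcpFile and udpFile receive the raw output and may be shared by concurrent calls.` would make that explicit. From the earlier ss.go hunk in this series each node's output goes out as a single Write per file, so records should not interleave, but the node order in the raw-ss files becomes nondeterministic once calls run in parallel — hedged, as the writing code lies outside this hunk. The function's body continues past the end of the hunk.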
@@ -45,14 +45,8 @@ func CreateComDetailsFromNode(debugPod *debug.DebugPod, node *corev1.Node, tcpFi ssOutFilteredTCP := filterEntries(splitByLines(ssOutTCP)) ssOutFilteredUDP := filterEntries(splitByLines(ssOutUDP)) - tcpComDetails, err := toComDetails(debugPod, ssOutFilteredTCP, "TCP", node) - if err != nil { - return nil, err - } - udpComDetails, err := toComDetails(debugPod, ssOutFilteredUDP, "UDP", node) - if err != nil { - return nil, err - } + tcpComDetails := toComDetails(debugPod, ssOutFilteredTCP, "TCP", node) + udpComDetails := toComDetails(debugPod, ssOutFilteredUDP, "UDP", node) res := []types.ComDetails{} res = append(res, udpComDetails...) @@ -66,15 +60,13 @@ func splitByLines(bytes []byte) []string { return strings.Split(str, "\n") } -func toComDetails(debugPod *debug.DebugPod, ssOutput []string, protocol string, node *corev1.Node) ([]types.ComDetails, error) { +func toComDetails(debugPod *debug.DebugPod, ssOutput []string, protocol string, node *corev1.Node) []types.ComDetails { res := make([]types.ComDetails, 0) nodeRoles := nodes.GetRole(node) for _, ssEntry := range ssOutput { - cd, err := parseComDetail(ssEntry) - if err != nil { - return nil, err - } + cd := parseComDetail(ssEntry) + name, err := getContainerName(debugPod, ssEntry) if err != nil { log.Debugf("failed to identify container for ss entry: %serr: %s", ssEntry, err) @@ -87,7 +79,7 @@ func toComDetails(debugPod *debug.DebugPod, ssOutput []string, protocol string, res = append(res, *cd) } - return res, nil + return res } // getContainerName receives an ss entry and gets the name of the container exposing this port. @@ -188,10 +180,10 @@ func filterEntries(ssEntries []string) []string { return res } -func parseComDetail(ssEntry string) (*types.ComDetails, error) { +func parseComDetail(ssEntry string) *types.ComDetails { serviceName, err := extractServiceName(ssEntry) if err != nil { - return nil, err + log.Debugf(err.Error()) } fields := strings.Fields(ssEntry) 
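Review bot: In parseComDetail, `log.Debugf(err.Error())` passes a non-constant string as the format, so vet's printf check flags it and any `%` sequence in the message (which presumably embeds the ss entry text; extractServiceName is outside the hunk) would be interpreted as a verb. The commit subject also says a warning is logged, while the code logs at debug level, so an entry quietly ends up with an empty Service in the matrix. `log.Warnf("failed extracting service name from ss entry %q: %v", ssEntry, err)` fixes both and keeps the offending line safely quoted. parseComDetail continues past the end of the hunk.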
@@ -202,7 +194,7 @@ func parseComDetail(ssEntry string) (*types.ComDetails, error) { Direction: consts.IngressLabel, Port: port, Service: serviceName, - Optional: false}, nil + Optional: false} } func extractServiceName(ssEntry string) (string, error) { From fcf44489ac7c279c6024a97b397ae3defec175da Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Thu, 9 May 2024 15:25:38 +0300 Subject: [PATCH 20/22] Add MNO only static entry - port 6081 Added the service `ovn-kubernetes geneve` on port 6081 for MNO only, as part of the static-custom-entries.go. Signed-off-by: Lior Noy --- commatrix/commatrix.go | 2 ++ commatrix/static-custom-entries.go | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/commatrix/commatrix.go b/commatrix/commatrix.go index 5841cb07..828e9599 100644 --- a/commatrix/commatrix.go +++ b/commatrix/commatrix.go @@ -117,6 +117,8 @@ func getStaticEntries(e Env, d Deployment) ([]types.ComDetails, error) { return comDetails, nil } + comDetails = append(comDetails, MNOStaticEntries...) comDetails = append(comDetails, generalStaticEntriesWorker...) + return comDetails, nil } diff --git a/commatrix/static-custom-entries.go b/commatrix/static-custom-entries.go index 6fd39b90..28cd9508 100644 --- a/commatrix/static-custom-entries.go +++ b/commatrix/static-custom-entries.go @@ -525,3 +525,27 @@ var awsCloudStaticEntriesMaster = []types.ComDetails{ Optional: false, }, } + +var MNOStaticEntries = []types.ComDetails{ + { + Direction: "ingress", + Protocol: "UDP", + Port: "6081", + NodeRole: "worker", + Service: "ovn-kubernetes geneve", + Namespace: "openshift-ovn-kubernetes", + Pod: "", + Container: "", + Optional: false, + }, { + Direction: "ingress", + Protocol: "UDP", + Port: "6081", + NodeRole: "master", + Service: "ovn-kubernetes geneve", + Namespace: "openshift-ovn-kubernetes", + Pod: "", + Container: "", + Optional: false, + }, +} From bb886a709e3cf91008d7c30e8d49bf1416ff877c Mon Sep 17 00:00:00 2001 
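Review bot: `MNOStaticEntries` is a new exported variable with no doc comment, and the commatrix.go hunk on this line appends it after an early return whose condition is outside the hunk, so a reader of static-custom-entries.go cannot tell from the file which deployment type it applies to. Add `// MNOStaticEntries holds entries that apply only to MNO deployments; getStaticEntries appends them after its early return.` — hedged on the early-return condition, which is not visible here. The two entries differ only in NodeRole, so a short comment saying they are intentionally duplicated per role would keep a later deduplication pass from treating them as a mistake.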
From: Lior Noy Date: Wed, 15 May 2024 09:18:28 +0300 Subject: [PATCH 21/22] Fix static-custom-entries Fills fields for entires lacking information. Signed-off-by: Lior Noy --- commatrix/static-custom-entries.go | 40 +++++++++++++++--------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/commatrix/static-custom-entries.go b/commatrix/static-custom-entries.go index 28cd9508..768cafa7 100644 --- a/commatrix/static-custom-entries.go +++ b/commatrix/static-custom-entries.go @@ -18,10 +18,10 @@ var generalStaticEntriesWorker = []types.ComDetails{ Protocol: "TCP", Port: "9637", NodeRole: "worker", - Service: "kube-rbac-proxy", - Namespace: "", - Pod: "", - Container: "", + Service: "kube-rbac-proxy-crio", + Namespace: "openshift-machine-config-operator", + Pod: "kube-rbac-proxy-crio", + Container: "kube-rbac-proxy-crio", Optional: false, }, { Direction: "ingress", @@ -102,10 +102,10 @@ var generalStaticEntriesMaster = []types.ComDetails{ Protocol: "TCP", Port: "9637", NodeRole: "master", - Service: "kube-rbac-proxy", - Namespace: "", - Pod: "", - Container: "", + Service: "kube-rbac-proxy-crio", + Namespace: "openshift-machine-config-operator", + Pod: "kube-rbac-proxy-crio", + Container: "kube-rbac-proxy-crio", Optional: false, }, { Direction: "ingress", @@ -242,17 +242,17 @@ var generalStaticEntriesMaster = []types.ComDetails{ Protocol: "TCP", Port: "10357", NodeRole: "master", - Service: "cluster-policy-controller-apiserver-healthz", - Namespace: "", - Pod: "", - Container: "", + Service: "openshift-kube-apiserver-healthz", + Namespace: "openshift-kube-apiserver", + Pod: "kube-apiserver", + Container: "kube-apiserver-check-endpoints", Optional: false, }, { Direction: "ingress", Protocol: "TCP", Port: "17697", NodeRole: "master", - Service: "cluster-policy-controller-apiserver-healthz", + Service: "openshift-kube-apiserver-healthz", Namespace: "openshift-kube-apiserver", Pod: "kube-apiserver", Container: "kube-apiserver-check-endpoints", 
@@ -283,7 +283,7 @@ var generalStaticEntriesMaster = []types.ComDetails{ Port: "6080", NodeRole: "master", Service: "", - Namespace: "openshift-kube-apiserver", + Namespace: "openshift-kube-apiserver-readyz", Pod: "kube-apiserver", Container: "kube-apiserver-insecure-readyz", Optional: false, @@ -293,9 +293,9 @@ var generalStaticEntriesMaster = []types.ComDetails{ Port: "22624", NodeRole: "master", Service: "machine-config-server", - Namespace: "", - Pod: "", - Container: "", + Namespace: "openshift-machine-config-operator", + Pod: "machine-config-server", + Container: "machine-config-server", Optional: false, }, { Direction: "ingress", @@ -303,9 +303,9 @@ var generalStaticEntriesMaster = []types.ComDetails{ Port: "22623", NodeRole: "master", Service: "machine-config-server", - Namespace: "", - Pod: "", - Container: "", + Namespace: "openshift-machine-config-operator", + Pod: "machine-config-server", + Container: "machine-config-server", Optional: false, }, } From 39d8f269f9e8755a1f42f71bfe3941b0dd4cd759 Mon Sep 17 00:00:00 2001 From: Lior Noy Date: Sun, 19 May 2024 11:09:47 +0300 Subject: [PATCH 22/22] Fix duplicated entry This commit removes from the static custom enties the ports 9001 and 9192, which already exist as an endpointslice, and adds a call for remove duplications functions before returning the communcation matrix, to protect against future duplications. Signed-off-by: Lior Noy --- commatrix/commatrix.go | 4 +++- commatrix/static-custom-entries.go | 20 -------------------- 2 files changed, 3 insertions(+), 21 deletions(-) diff --git a/commatrix/commatrix.go b/commatrix/commatrix.go index 828e9599..e0866fd4 100644 --- a/commatrix/commatrix.go +++ b/commatrix/commatrix.go 
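Review bot: In the port 6080 entry, the change sets `Namespace: "openshift-kube-apiserver-readyz"` while `Service` remains `""`; the neighbouring kube-apiserver entries in this same file keep `Namespace: "openshift-kube-apiserver"`, and a `-readyz` suffix reads like a service name rather than a namespace, so the value looks like it landed in the wrong field. If that is the intent, the entry should read `Service: "openshift-kube-apiserver-readyz",` and `Namespace: "openshift-kube-apiserver",` — worth confirming against a cluster, as the correct values cannot be derived from the diff alone.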
@@ -69,7 +69,9 @@ func New(kubeconfigPath string, customEntriesPath string, e Env, d Deployment) ( res = append(res, customComDetails...) } - return &types.ComMatrix{Matrix: res}, nil + cleanedComDetails := types.RemoveDups(res) + + return &types.ComMatrix{Matrix: cleanedComDetails}, nil } func addFromFile(fp string) ([]types.ComDetails, error) { diff --git a/commatrix/static-custom-entries.go b/commatrix/static-custom-entries.go index 768cafa7..129bbb40 100644 --- a/commatrix/static-custom-entries.go +++ b/commatrix/static-custom-entries.go @@ -73,16 +73,6 @@ var generalStaticEntriesWorker = []types.ComDetails{ Pod: "ovnkube", Container: "ovnkube-controller", Optional: true, - }, { - Direction: "ingress", - Protocol: "TCP", - Port: "9001", - NodeRole: "worker", - Service: "machine-config-daemon", - Namespace: "openshift-machine-config-operator", - Pod: "machine-config-daemon", - Container: "kube-rbac-proxy", - Optional: false, }, { Direction: "ingress", Protocol: "TCP", @@ -177,16 +167,6 @@ var generalStaticEntriesMaster = []types.ComDetails{ Pod: "", Container: "", Optional: true, - }, { - Direction: "ingress", - Protocol: "TCP", - Port: "9192", - NodeRole: "master", - Service: "machine-approver", - Namespace: "openshift-cluster-machine-approver", - Pod: "machine-approver", - Container: "kube-rbac-proxy", - Optional: false, }, { Direction: "ingress", Protocol: "TCP",
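Review bot: `types.RemoveDups(res)` now runs after the custom entries loaded from customEntriesPath have been appended, so a user-supplied entry that collides with a generated one is dropped silently, and which copy survives depends on RemoveDups, which is outside this diff. Consider logging the number of entries removed (`len(res) - len(cleanedComDetails)`) with the logger this package already uses, and documenting on RemoveDups which duplicate is kept, so operators can see when a custom entry had no effect. New's body continues past the end of this hunk.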