fix(webhook): check if pool overlaps service cidr

If the input CIDR overlaps the cluster-wide service CIDR, the spawned agent could not contact kube-apiserver due to routing issue. Such requests should be rejected by the webhook. Signed-off-by: Zespre Chang <zespre.chang@suse.com>
harvester · Feb 27, 2024 · 4939929 · 4939929
1 parent ecc9682
commit 4939929
Show file tree

Hide file tree

Showing 15 changed files with 641 additions and 37 deletions.
diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml
@@ -52,7 +52,7 @@ rules:
   resources: [ "ippools", "virtualmachinenetworkconfigs" ]
   verbs: [ "*" ]
 - apiGroups: [ "" ]
-  resources: [ "secrets" ]
+  resources: [ "nodes", "secrets" ]
   verbs: [ "watch", "list" ]
 - apiGroups: [ "k8s.cni.cncf.io" ]
   resources: [ "network-attachment-definitions" ]

diff --git a/cmd/webhook/run.go b/cmd/webhook/run.go
@@ -9,6 +9,8 @@ import (
 	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/rest"
 
+	ctlcore "github.com/harvester/vm-dhcp-controller/pkg/generated/controllers/core"
+	ctlcorev1 "github.com/harvester/vm-dhcp-controller/pkg/generated/controllers/core/v1"
 	ctlcni "github.com/harvester/vm-dhcp-controller/pkg/generated/controllers/k8s.cni.cncf.io"
 	ctlcniv1 "github.com/harvester/vm-dhcp-controller/pkg/generated/controllers/k8s.cni.cncf.io/v1"
 	ctlkubevirt "github.com/harvester/vm-dhcp-controller/pkg/generated/controllers/kubevirt.io"
@@ -24,13 +26,17 @@ type caches struct {
 	ippoolCache   ctlnetworkv1.IPPoolCache
 	vmnetcfgCache ctlnetworkv1.VirtualMachineNetworkConfigCache
 
-	nadCache ctlcniv1.NetworkAttachmentDefinitionCache
-	vmCache  ctlkubevirtv1.VirtualMachineCache
+	nadCache  ctlcniv1.NetworkAttachmentDefinitionCache
+	nodeCache ctlcorev1.NodeCache
+	vmCache   ctlkubevirtv1.VirtualMachineCache
 }
 
 func newCaches(ctx context.Context, cfg *rest.Config, threadiness int) (*caches, error) {
 	var starters []start.Starter
 
+	coreFactory := ctlcore.NewFactoryFromConfigOrDie(cfg)
+	starters = append(starters, coreFactory)
+
 	kubevirtFactory := ctlkubevirt.NewFactoryFromConfigOrDie(cfg)
 	starters = append(starters, kubevirtFactory)
 
@@ -45,6 +51,7 @@ func newCaches(ctx context.Context, cfg *rest.Config, threadiness int) (*caches,
 		ippoolCache:   networkFactory.Network().V1alpha1().IPPool().Cache(),
 		vmnetcfgCache: networkFactory.Network().V1alpha1().VirtualMachineNetworkConfig().Cache(),
 		nadCache:      cniFactory.K8s().V1().NetworkAttachmentDefinition().Cache(),
+		nodeCache:     coreFactory.Core().V1().Node().Cache(),
 		vmCache:       kubevirtFactory.Kubevirt().V1().VirtualMachine().Cache(),
 	}
 
@@ -69,7 +76,7 @@ func run(ctx context.Context, cfg *rest.Config, options *config.Options) error {
 	webhookServer := server.NewWebhookServer(ctx, cfg, name, options)
 
 	if err := webhookServer.RegisterValidators(
-		ippool.NewValidator(c.nadCache, c.vmnetcfgCache),
+		ippool.NewValidator(c.nadCache, c.nodeCache, c.vmnetcfgCache),
 		vmnetcfg.NewValidator(c.ippoolCache),
 	); err != nil {
 		return err

diff --git a/pkg/codegen/main.go b/pkg/codegen/main.go
@@ -45,6 +45,7 @@ func main() {
 			},
 			corev1.GroupName: {
 				Types: []interface{}{
+					corev1.Node{},
 					corev1.Pod{},
 				},
 				InformersPackage: "k8s.io/client-go/informers",

diff --git a/pkg/data/data.go b/pkg/data/data.go
diff --git a/pkg/generated/controllers/core/v1/interface.go b/pkg/generated/controllers/core/v1/interface.go