Skip to content

[Feature Request] Add podDisruptionBudget in API server #2940

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tmjd merged 4 commits into from
Apr 1, 2024
Merged

[Feature Request] Add podDisruptionBudget in API server #2940

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4eff499
feature request: add podDisruptionBudget in API server
MuhtasimTanmoy Oct 20, 2023
768a877
feat(apiserver): generalize resource name resolver based on configure…
MuhtasimTanmoy Oct 27, 2023
ff1459a
feat(apiserver): deployment selecter fix
MuhtasimTanmoy Oct 27, 2023
1d16645
apiserver: Fix up UTs and fix namespace of PodDisruption Budget
tmjd Mar 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
156 changes: 56 additions & 100 deletions pkg/render/apiserver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright (c) 2019-2023 Tigera, Inc. All rights reserved.
// Copyright (c) 2019-2024 Tigera, Inc. All rights reserved.

// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand All @@ -21,6 +21,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
netv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
policyv1beta1 "k8s.io/api/policy/v1beta1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -57,6 +58,7 @@ const (

// Use the same API server container name for both OSS and Enterprise.
APIServerContainerName = "calico-apiserver"
APIServerK8sAppName = "calico-apiserver"
TigeraAPIServerQueryServerContainerName = "tigera-queryserver"

calicoAPIServerTLSSecretName = "calico-apiserver-certs"
Expand Down Expand Up @@ -222,6 +224,7 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) {
c.apiServerServiceAccount(),
c.apiServerDeployment(),
c.apiServerService(),
c.apiServerPodDisruptionBudget(),
)

// Add in certificates for API server TLS.
Expand Down Expand Up @@ -290,6 +293,47 @@ func (c *apiServerComponent) Ready() bool {
return true
}

// For legacy reasons we use apiserver: true here instead of the k8s-app: name label,
// so we need to set it explicitly rather than use the common labeling logic.
func (c *apiServerComponent) deploymentSelector() *metav1.LabelSelector {
return &metav1.LabelSelector{
MatchLabels: map[string]string{
"apiserver": "true",
},
}
}

// Determine names based on the configured variant
// It takes two name as parameters, enterpriseName and ossName, and returns name and nameToDelete.
func (c *apiServerComponent) resourceNameBasedOnVariant(enterpriseName, ossName string) (string, string) {
var name, nameToDelete string
switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = enterpriseName
nameToDelete = ossName
case operatorv1.Calico:
name = ossName
nameToDelete = enterpriseName
}
return name, nameToDelete
}

func (c *apiServerComponent) apiServerPodDisruptionBudget() *policyv1.PodDisruptionBudget {
maxUnavailable := intstr.FromInt(1)
name, _ := c.resourceNameBasedOnVariant("tigera-apiserver", "calico-apiserver")
return &policyv1.PodDisruptionBudget{
TypeMeta: metav1.TypeMeta{Kind: "PodDisruptionBudget", APIVersion: "policy/v1"},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: rmeta.APIServerNamespace(c.cfg.Installation.Variant),
Comment thread
caseydavenport marked this conversation as resolved.
},
Spec: policyv1.PodDisruptionBudgetSpec{
MaxUnavailable: &maxUnavailable,
Selector: c.deploymentSelector(),
},
}
}

// apiServiceRegistration creates an API service that registers Tigera Secure APIs (and API server).
//
// Both Calico and Calico Enterprise, with the same name.
Expand Down Expand Up @@ -322,18 +366,7 @@ func (c *apiServerComponent) apiServiceRegistration(cert []byte) *apiregv1.APISe
// Both Calico and Calico Enterprise, but different names.
func (c *apiServerComponent) delegateAuthClusterRoleBinding() (client.Object, client.Object) {
// Determine names based on the configured variant.
var name, nameToDelete string
enterpriseName := "tigera-apiserver-delegate-auth"
ossName := "calico-apiserver-delegate-auth"
switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = enterpriseName
nameToDelete = ossName
case operatorv1.Calico:
name = ossName
nameToDelete = enterpriseName
}

name, nameToDelete := c.resourceNameBasedOnVariant("tigera-apiserver-delegate-auth", "calico-apiserver-delegate-auth")
return &rbacv1.ClusterRoleBinding{
TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -365,18 +398,7 @@ func (c *apiServerComponent) delegateAuthClusterRoleBinding() (client.Object, cl
//
// Both Calico and Calico Enterprise, but different names.
func (c *apiServerComponent) authReaderRoleBinding() (client.Object, client.Object) {
var name, nameToDelete string
enterpriseName := "tigera-auth-reader"
ossName := "calico-apiserver-auth-reader"
switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = enterpriseName
nameToDelete = ossName
case operatorv1.Calico:
name = ossName
nameToDelete = enterpriseName
}

name, nameToDelete := c.resourceNameBasedOnVariant("tigera-auth-reader", "calico-apiserver-auth-reader")
return &rbacv1.RoleBinding{
TypeMeta: metav1.TypeMeta{Kind: "RoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -594,18 +616,7 @@ func (c *apiServerComponent) calicoCustomResourcesClusterRoleBinding() *rbacv1.C
//
// Both Calico and Calico Enterprise, with different names.
func (c *apiServerComponent) authClusterRole() (client.Object, client.Object) {
var name, nameToDelete string
enterpriseName := "tigera-extension-apiserver-auth-access"
ossName := "calico-extension-apiserver-auth-access"
switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = enterpriseName
nameToDelete = ossName
case operatorv1.Calico:
name = ossName
nameToDelete = enterpriseName
}

name, nameToDelete := c.resourceNameBasedOnVariant("tigera-extension-apiserver-auth-access", "calico-extension-apiserver-auth-access")
rules := []rbacv1.PolicyRule{
{
APIGroups: []string{
Expand Down Expand Up @@ -764,18 +775,7 @@ func (c *apiServerComponent) secretsRBAC() []client.Object {
//
// Both Calico and Calico Enterprise, with different names.
func (c *apiServerComponent) authClusterRoleBinding() (client.Object, client.Object) {
var name, nameToDelete string
enterpriseName := "tigera-extension-apiserver-auth-access"
ossName := "calico-extension-apiserver-auth-access"
switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = enterpriseName
nameToDelete = ossName
case operatorv1.Calico:
name = ossName
nameToDelete = enterpriseName
}

name, nameToDelete := c.resourceNameBasedOnVariant("tigera-extension-apiserver-auth-access", "calico-extension-apiserver-auth-access")
return &rbacv1.ClusterRoleBinding{
TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -806,18 +806,7 @@ func (c *apiServerComponent) authClusterRoleBinding() (client.Object, client.Obj
//
// Both Calico and Calico Enterprise, with different names.
func (c *apiServerComponent) webhookReaderClusterRole() (client.Object, client.Object) {
var name, nameToDelete string
enterpriseName := "tigera-webhook-reader"
ossName := "calico-webhook-reader"
switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = enterpriseName
nameToDelete = ossName
case operatorv1.Calico:
name = ossName
nameToDelete = enterpriseName
}

name, nameToDelete := c.resourceNameBasedOnVariant("tigera-webhook-reader", "calico-webhook-reader")
return &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -851,20 +840,14 @@ func (c *apiServerComponent) webhookReaderClusterRole() (client.Object, client.O
//
// Both Calico and Calico Enterprise, with different names.
func (c *apiServerComponent) webhookReaderClusterRoleBinding() (client.Object, client.Object) {
var name, nameToDelete, refName string
enterpriseName := "tigera-apiserver-webhook-reader"
ossName := "calico-apiserver-webhook-reader"
name, nameToDelete := c.resourceNameBasedOnVariant("tigera-apiserver-webhook-reader", "calico-apiserver-webhook-reader")
var refName string
switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = enterpriseName
nameToDelete = ossName
refName = "tigera-webhook-reader"
case operatorv1.Calico:
name = ossName
nameToDelete = enterpriseName
refName = "calico-webhook-reader"
}

return &rbacv1.ClusterRoleBinding{
TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
ObjectMeta: metav1.ObjectMeta{Name: name},
Expand Down Expand Up @@ -928,14 +911,7 @@ func (c *apiServerComponent) apiServerService() *corev1.Service {

// apiServer creates a deployment containing the API and query servers.
func (c *apiServerComponent) apiServerDeployment() *appsv1.Deployment {
var name string
switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = "tigera-apiserver"
case operatorv1.Calico:
name = "calico-apiserver"
}

name, _ := c.resourceNameBasedOnVariant("tigera-apiserver", "calico-apiserver")
hostNetwork := c.hostNetwork()
dnsPolicy := corev1.DNSClusterFirst
if hostNetwork {
Expand Down Expand Up @@ -969,9 +945,7 @@ func (c *apiServerComponent) apiServerDeployment() *appsv1.Deployment {
Strategy: appsv1.DeploymentStrategy{
Type: appsv1.RecreateDeploymentStrategyType,
},
// For legacy reasons we use apiserver: true here instead of the k8s-app: name label,
// so we need to set it explicitly rather than use the common labeling logic.
Selector: &metav1.LabelSelector{MatchLabels: map[string]string{"apiserver": "true"}},
Selector: c.deploymentSelector(),
Template: corev1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand Down Expand Up @@ -1227,25 +1201,11 @@ func (c *apiServerComponent) tolerations() []corev1.Toleration {
//
// Both Calico and Calico Enterprise, with different names.
func (c *apiServerComponent) apiServerPodSecurityPolicy() (client.Object, client.Object) {
var name, nameToDelete string
enterpriseName := "tigera-apiserver"
ossName := "calico-apiserver"

switch c.cfg.Installation.Variant {
case operatorv1.TigeraSecureEnterprise:
name = enterpriseName
nameToDelete = ossName
case operatorv1.Calico:
name = ossName
nameToDelete = enterpriseName
}

name, nameToDelete := c.resourceNameBasedOnVariant("tigera-apiserver", "calico-apiserver")
psp := podsecuritypolicy.NewBasePolicy(name)
psp.Spec.Volumes = append(psp.Spec.Volumes, policyv1beta1.HostPath)
psp.Spec.RunAsUser.Rule = policyv1beta1.RunAsUserStrategyRunAsAny

pspToDelete := podsecuritypolicy.NewBasePolicy(nameToDelete)

return psp, pspToDelete
}

Expand All @@ -1260,11 +1220,7 @@ func (c *apiServerComponent) networkPolicy() *netv1.NetworkPolicy {
TypeMeta: metav1.TypeMeta{Kind: "NetworkPolicy", APIVersion: "networking.k8s.io/v1"},
ObjectMeta: metav1.ObjectMeta{Name: "allow-apiserver", Namespace: rmeta.APIServerNamespace(c.cfg.Installation.Variant)},
Spec: netv1.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: map[string]string{
"apiserver": "true",
},
},
PodSelector: *c.deploymentSelector(),
PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress},
Ingress: []netv1.NetworkPolicyIngressRule{
{
Expand Down
Loading