Merge pull request spiffe#1804 from transferwise/reconciler-fix-dns-dots-and-filter-namespaces

Reconciler fix dns dots and filter namespaces

Author: azdagron

support/k8s/k8s-workload-registrar/README.md

@@ -20,18 +20,19 @@ The registrar has the following command line flags:
 The configuration file is a **required** by the registrar. It contains
 [HCL](https://github.com/hashicorp/hcl) encoded configurables.
 
-| Key                        | Type    | Required? | Description                              | Default |
-| -------------------------- | --------| ---------| ----------------------------------------- | ------- |
-| `log_level`                | string  | required | Log level (one of `"panic"`,`"fatal"`,`"error"`,`"warn"`, `"warning"`,`"info"`,`"debug"`,`"trace"`) | `"info"` |
-| `log_path`                 | string  | optional | Path on disk to write the log | |
-| `trust_domain`             | string  | required | Trust domain of the SPIRE server | |
-| `agent_socket_path`        | string  | optional | Path to the Unix domain socket of the SPIRE agent. Required if server_address is not a unix domain socket address. | |
-| `server_address`           | string  | required | Address of the spire server. A local socket can be specified using unix:///path/to/socket. This is not the same as the agent socket. | |
-| `server_socket_path`       | string  | optional | Path to the Unix domain socket of the SPIRE server, equivalent to specifying a server_address with a "unix://..." prefix | |
-| `cluster`                  | string  | required | Logical cluster to register nodes/workloads under. Must match the SPIRE SERVER PSAT node attestor configuration. | |
-| `pod_label`                | string  | optional | The pod label used for [Label Based Workload Registration](#label-based-workload-registration) | |
-| `pod_annotation`           | string  | optional | The pod annotation used for [Annotation Based Workload Registration](#annotation-based-workload-registration) | |
-| `mode`                     | string  | optional | How to run the registrar, either using a `"webhook"`, `"reconcile`" or `"crd"`. See [Differences](#differences-between-modes) for more details. | `"webhook"` |
+| Key                        | Type     | Required? | Description                              | Default |
+| -------------------------- | ---------| ---------| ----------------------------------------- | ------- |
+| `log_level`                | string   | required | Log level (one of `"panic"`,`"fatal"`,`"error"`,`"warn"`, `"warning"`,`"info"`,`"debug"`,`"trace"`) | `"info"` |
+| `log_path`                 | string   | optional | Path on disk to write the log | |
+| `trust_domain`             | string   | required | Trust domain of the SPIRE server | |
+| `agent_socket_path`        | string   | optional | Path to the Unix domain socket of the SPIRE agent. Required if server_address is not a unix domain socket address. | |
+| `server_address`           | string   | required | Address of the spire server. A local socket can be specified using unix:///path/to/socket. This is not the same as the agent socket. | |
+| `server_socket_path`       | string   | optional | Path to the Unix domain socket of the SPIRE server, equivalent to specifying a server_address with a "unix://..." prefix | |
+| `cluster`                  | string   | required | Logical cluster to register nodes/workloads under. Must match the SPIRE SERVER PSAT node attestor configuration. | |
+| `pod_label`                | string   | optional | The pod label used for [Label Based Workload Registration](#label-based-workload-registration) | |
+| `pod_annotation`           | string   | optional | The pod annotation used for [Annotation Based Workload Registration](#annotation-based-workload-registration) | |
+| `mode`                     | string   | optional | How to run the registrar, either using a `"webhook"`, `"reconcile`" or `"crd"`. See [Differences](#differences-between-modes) for more details. | `"webhook"` |
+| `disabled_namespaces`      | []string | optional | Comma seperated list of namespaces to disable auto SVID generation for | `"kube-system", "kube-public"` |
 
 The following configuration directives are specific to `"webhook"` mode:
 
@@ -48,7 +49,6 @@ The following configuration directives are specific to `"crd"` mode:
 | Key                        | Type    | Required? | Description                              | Default |
 | -------------------------- | --------| ---------| ----------------------------------------- | ------- |
 | `add_svc_dns_name`         | bool    | optional | Enable adding service names as SAN DNS names to endpoint pods | `true` |
-| `disabled_namespaces`      | []string| optional | Comma seperated list of namespaces to disable auto SVID generation for | `"kube-system"` |
 | `leader_election`          | bool    | optional | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. | `false` |
 | `metrics_bind_addr`        | string  | optional | The address the metric endpoint binds to. The special value of "0" disables metrics. | `":8080"` |
 | `pod_controller`           | bool    | optional | Enable auto generation of SVIDs for new pods that are created | `true` |
@@ -278,4 +278,4 @@ The supported selectors are:
 
 Note: Specifying DNS Names is optional.
 
-Spire enforces that spiffeId+parentId+selectors are unique. The optional `"crd"` mode webhook
+Spire enforces that spiffeId+parentId+selectors are unique. The optional `"crd"` mode webhook

support/k8s/k8s-workload-registrar/config.go

@@ -6,6 +6,8 @@ import (
 	"io/ioutil"
 	"strings"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/spiffe/go-spiffe/v2/logger"
 	"github.com/spiffe/spire/proto/spire/api/registration"
 	"github.com/spiffe/spire/proto/spire/api/server/entry/v1"
@@ -35,18 +37,19 @@ type Mode interface {
 }
 
 type CommonMode struct {
-	LogFormat        string `hcl:"log_format"`
-	LogLevel         string `hcl:"log_level"`
-	LogPath          string `hcl:"log_path"`
-	TrustDomain      string `hcl:"trust_domain"`
-	ServerSocketPath string `hcl:"server_socket_path"`
-	AgentSocketPath  string `hcl:"agent_socket_path"`
-	ServerAddress    string `hcl:"server_address"`
-	Cluster          string `hcl:"cluster"`
-	PodLabel         string `hcl:"pod_label"`
-	PodAnnotation    string `hcl:"pod_annotation"`
-	Mode             string `hcl:"mode"`
-	registrationAPI  RegistrationAPIConnections
+	LogFormat          string   `hcl:"log_format"`
+	LogLevel           string   `hcl:"log_level"`
+	LogPath            string   `hcl:"log_path"`
+	TrustDomain        string   `hcl:"trust_domain"`
+	ServerSocketPath   string   `hcl:"server_socket_path"`
+	AgentSocketPath    string   `hcl:"agent_socket_path"`
+	ServerAddress      string   `hcl:"server_address"`
+	Cluster            string   `hcl:"cluster"`
+	PodLabel           string   `hcl:"pod_label"`
+	PodAnnotation      string   `hcl:"pod_annotation"`
+	Mode               string   `hcl:"mode"`
+	DisabledNamespaces []string `hcl:"disabled_namespaces"`
+	registrationAPI    RegistrationAPIConnections
 }
 
 func (c *CommonMode) ParseConfig(hclConfig string) error {
@@ -80,10 +83,17 @@ func (c *CommonMode) ParseConfig(hclConfig string) error {
 	if c.Mode != modeCRD && c.Mode != modeWebhook && c.Mode != modeReconcile {
 		return errs.New("invalid mode \"%s\", valid values are %s, %s and %s", c.Mode, modeCRD, modeWebhook, modeReconcile)
 	}
+	if c.DisabledNamespaces == nil {
+		c.DisabledNamespaces = defaultDisabledNamespaces()
+	}
 
 	return nil
 }
 
+func defaultDisabledNamespaces() []string {
+	return []string{metav1.NamespaceSystem, metav1.NamespacePublic}
+}
+
 func (c *CommonMode) SetupLogger() (*log.Logger, error) {
 	return log.NewLogger(log.WithLevel(c.LogLevel), log.WithFormat(c.LogFormat), log.WithOutputFile(c.LogPath))
 }

support/k8s/k8s-workload-registrar/config_crd.go

@@ -23,14 +23,13 @@ const (
 
 type CRDMode struct {
 	CommonMode
-	AddSvcDNSName      bool     `hcl:"add_svc_dns_name"`
-	DisabledNamespaces []string `hcl:"disabled_namespaces"`
-	LeaderElection     bool     `hcl:"leader_election"`
-	MetricsBindAddr    string   `hcl:"metrics_bind_addr"`
-	PodController      bool     `hcl:"pod_controller"`
-	WebhookEnabled     bool     `hcl:"webhook_enabled"`
-	WebhookCertDir     string   `hcl:"webhook_cert_dir"`
-	WebhookPort        int      `hcl:"webhook_port"`
+	AddSvcDNSName   bool   `hcl:"add_svc_dns_name"`
+	LeaderElection  bool   `hcl:"leader_election"`
+	MetricsBindAddr string `hcl:"metrics_bind_addr"`
+	PodController   bool   `hcl:"pod_controller"`
+	WebhookEnabled  bool   `hcl:"webhook_enabled"`
+	WebhookCertDir  string `hcl:"webhook_cert_dir"`
+	WebhookPort     int    `hcl:"webhook_port"`
 }
 
 func (c *CRDMode) ParseConfig(hclConfig string) error {
@@ -44,10 +43,6 @@ func (c *CRDMode) ParseConfig(hclConfig string) error {
 		c.MetricsBindAddr = defaultMetricsBindAddr
 	}
 
-	if c.DisabledNamespaces == nil {
-		c.DisabledNamespaces = defaultDisabledNamespaces()
-	}
-
 	if c.WebhookCertDir == "" {
 		c.WebhookCertDir = defaultWebhookCertDir
 	}
@@ -148,10 +143,6 @@ func (c *CRDMode) Run(ctx context.Context) error {
 	return mgr.Start(ctrl.SetupSignalHandler())
 }
 
-func defaultDisabledNamespaces() []string {
-	return []string{"kube-system"}
-}
-
 func getNamespace() string {
 	content, err := ioutil.ReadFile(namespaceFile)
 	if err != nil {

support/k8s/k8s-workload-registrar/config_reconcile.go

@@ -123,6 +123,7 @@ func (c *ReconcileMode) Run(ctx context.Context) error {
 		value,
 		c.ClusterDNSZone,
 		c.AddPodDNSNames,
+		c.DisabledNamespaces,
 	).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "Unable to create controller", "controller", "Pod")
 		return err

support/k8s/k8s-workload-registrar/config_test.go

@@ -36,12 +36,13 @@ func TestLoadMode(t *testing.T) {
 
 	require.Equal(&WebhookMode{
 		CommonMode: CommonMode{
-			ServerSocketPath: "SOCKETPATH",
-			ServerAddress:    "unix://SOCKETPATH",
-			TrustDomain:      "TRUSTDOMAIN",
-			Cluster:          "CLUSTER",
-			LogLevel:         defaultLogLevel,
-			Mode:             "webhook",
+			ServerSocketPath:   "SOCKETPATH",
+			ServerAddress:      "unix://SOCKETPATH",
+			TrustDomain:        "TRUSTDOMAIN",
+			Cluster:            "CLUSTER",
+			LogLevel:           defaultLogLevel,
+			Mode:               "webhook",
+			DisabledNamespaces: []string{"kube-system", "kube-public"},
 		},
 		Addr:       ":8443",
 		CertPath:   defaultCertPath,
@@ -60,12 +61,13 @@ func TestLoadMode(t *testing.T) {
 			in:   testMinimalConfig,
 			out: &WebhookMode{
 				CommonMode: CommonMode{
-					LogLevel:         defaultLogLevel,
-					ServerSocketPath: "SOCKETPATH",
-					ServerAddress:    "unix://SOCKETPATH",
-					TrustDomain:      "TRUSTDOMAIN",
-					Cluster:          "CLUSTER",
-					Mode:             "webhook",
+					LogLevel:           defaultLogLevel,
+					ServerSocketPath:   "SOCKETPATH",
+					ServerAddress:      "unix://SOCKETPATH",
+					TrustDomain:        "TRUSTDOMAIN",
+					Cluster:            "CLUSTER",
+					Mode:               "webhook",
+					DisabledNamespaces: []string{"kube-system", "kube-public"},
 				},
 				Addr:                           ":8443",
 				CertPath:                       defaultCertPath,
@@ -91,14 +93,15 @@ func TestLoadMode(t *testing.T) {
 			`,
 			out: &WebhookMode{
 				CommonMode: CommonMode{
-					LogLevel:         "LEVELOVERRIDE",
-					LogPath:          "PATHOVERRIDE",
-					ServerSocketPath: "SOCKETPATHOVERRIDE",
-					ServerAddress:    "unix://SOCKETPATHOVERRIDE",
-					TrustDomain:      "TRUSTDOMAINOVERRIDE",
-					Cluster:          "CLUSTEROVERRIDE",
-					PodLabel:         "PODLABEL",
-					Mode:             "webhook",
+					LogLevel:           "LEVELOVERRIDE",
+					LogPath:            "PATHOVERRIDE",
+					ServerSocketPath:   "SOCKETPATHOVERRIDE",
+					ServerAddress:      "unix://SOCKETPATHOVERRIDE",
+					TrustDomain:        "TRUSTDOMAINOVERRIDE",
+					Cluster:            "CLUSTEROVERRIDE",
+					PodLabel:           "PODLABEL",
+					Mode:               "webhook",
+					DisabledNamespaces: []string{"kube-system", "kube-public"},
 				},
 				Addr:                           ":1234",
 				CertPath:                       "CERTOVERRIDE",

support/k8s/k8s-workload-registrar/config_webhook.go

@@ -56,13 +56,18 @@ func (c *WebhookMode) Run(ctx context.Context) error {
 		return errs.New("failed to dial server: %v", err)
 	}
 
+	disabledNamespacesMap := make(map[string]bool, len(c.DisabledNamespaces))
+	for _, ns := range c.DisabledNamespaces {
+		disabledNamespacesMap[ns] = true
+	}
 	controller := NewController(ControllerConfig{
-		Log:           log,
-		R:             registrationClient,
-		TrustDomain:   c.TrustDomain,
-		Cluster:       c.Cluster,
-		PodLabel:      c.PodLabel,
-		PodAnnotation: c.PodAnnotation,
+		Log:                log,
+		R:                  registrationClient,
+		TrustDomain:        c.TrustDomain,
+		Cluster:            c.Cluster,
+		PodLabel:           c.PodLabel,
+		PodAnnotation:      c.PodAnnotation,
+		DisabledNamespaces: disabledNamespacesMap,
 	})
 
 	log.Info("Initializing registrar")

support/k8s/k8s-workload-registrar/controller.go

@@ -21,12 +21,13 @@ import (
 )
 
 type ControllerConfig struct {
-	Log           logrus.FieldLogger
-	R             registration.RegistrationClient
-	TrustDomain   string
-	Cluster       string
-	PodLabel      string
-	PodAnnotation string
+	Log                logrus.FieldLogger
+	R                  registration.RegistrationClient
+	TrustDomain        string
+	Cluster            string
+	PodLabel           string
+	PodAnnotation      string
+	DisabledNamespaces map[string]bool
 }
 
 type Controller struct {
@@ -73,8 +74,7 @@ func (c *Controller) ReviewAdmission(ctx context.Context, req *admv1beta1.Admiss
 // non-kubernetes namespaces. Ideally the ValidatingAdmissionWebhook
 // configuration has filters in place to restrict the admission requests.
 func (c *Controller) reviewAdmission(ctx context.Context, req *admv1beta1.AdmissionRequest) error {
-	switch req.Namespace {
-	case metav1.NamespacePublic, metav1.NamespaceSystem:
+	if _, disabled := c.c.DisabledNamespaces[req.Namespace]; disabled {
 		return nil
 	}
 

support/k8s/k8s-workload-registrar/controller_test.go

@@ -411,12 +411,13 @@ func newTestController(podLabel, podAnnotation string) (*Controller, *fakeRegist
 	log, _ := test.NewNullLogger()
 	r := newFakeRegistrationClient()
 	return NewController(ControllerConfig{
-		Log:           log,
-		R:             r,
-		TrustDomain:   "domain.test",
-		Cluster:       "CLUSTER",
-		PodLabel:      podLabel,
-		PodAnnotation: podAnnotation,
+		Log:                log,
+		R:                  r,
+		TrustDomain:        "domain.test",
+		Cluster:            "CLUSTER",
+		PodLabel:           podLabel,
+		PodAnnotation:      podAnnotation,
+		DisabledNamespaces: map[string]bool{"kube-system": true, "kube-public": true},
 	}), r
 }
 

support/k8s/k8s-workload-registrar/mode-reconcile/controllers/base_controller.go

@@ -55,6 +55,8 @@ type ObjectReconciler interface {
 	selectorsToNamespacedName([]*spiretypes.Selector) *types.NamespacedName
 	// Fill additional fields on a spire registration entry for a k8s object
 	fillEntryForObject(context.Context, *spiretypes.Entry, ObjectWithMetadata) (*spiretypes.Entry, error)
+	// Return true if we should continue to reconcile this request, false to skip
+	shouldProcess(req ctrl.Request) bool
 	// Perform any additional manager setup required
 	SetupWithManager(ctrl.Manager, *ctrlBuilder.Builder) error
 }
@@ -82,6 +84,9 @@ type ObjectWithMetadata interface {
 }
 
 func (r *BaseReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+	if !r.shouldProcess(req) {
+		return ctrl.Result{}, nil
+	}
 	ctx := context.Background()
 	reqLogger := r.Log.WithValues("request", req.NamespacedName)
 

support/k8s/k8s-workload-registrar/mode-reconcile/controllers/node_controller.go

@@ -50,6 +50,10 @@ const (
 
 // +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch
 
+func (r *NodeReconciler) shouldProcess(_ ctrl.Request) bool {
+	return true
+}
+
 func (r *NodeReconciler) makeSpiffeID(obj ObjectWithMetadata) *spiretypes.SPIFFEID {
 	return &spiretypes.SPIFFEID{
 		TrustDomain: r.RootID.TrustDomain,