fix: check crds when controller start
Some users upgrade from 1.6 to 1.7 by just changing the image. The CRDs and RBAC rules are not updated, yet the controller starts successfully and hides the issue. This check makes kube-ovn-controller panic if the CRDs are not ready, which exposes the issue.
oilbeater committed Jun 17, 2021
1 parent e3a3d96 commit 42fbe86
Showing 4 changed files with 34 additions and 0 deletions.
31 changes: 31 additions & 0 deletions cmd/controller/controller.go
@@ -1,7 +1,10 @@
package controller

import (
"context"
"fmt"
v1 "k8s.io/api/authorization/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"net/http"
_ "net/http/pprof" // #nosec
"os"
Expand Down Expand Up @@ -30,6 +33,10 @@ func CmdMain() {
klog.Fatalf("parse config failed %v", err)
}

if err := checkPermission(config); err != nil {
klog.Fatalf("failed to check permission %v", err)
}

go loopOvnNbctlDaemon(config)
go func() {
http.Handle("/metrics", promhttp.Handler())
Expand Down Expand Up @@ -61,3 +68,27 @@ func loopOvnNbctlDaemon(config *controller.Configuration) {
}
}
}

func checkPermission(config *controller.Configuration) error {
resources := []string{"vpcs", "subnets", "ips", "vlans", "vpc-nat-gateways"}
for _, res := range resources {
ssar := &v1.SelfSubjectAccessReview{
Spec: v1.SelfSubjectAccessReviewSpec{
ResourceAttributes: &v1.ResourceAttributes{
Verb: "watch",
Group: "kubeovn.io",
Resource: res,
},
},
}
ssar, err := config.KubeClient.AuthorizationV1().SelfSubjectAccessReviews().Create(context.Background(), ssar, metav1.CreateOptions{})
if err != nil {
klog.Errorf("failed to get permission for resource %s, %v", res, err)
return err
}
if !ssar.Status.Allowed {
return fmt.Errorf("no permission to wath resource %s, %s", res, ssar.Status.Reason)
}
}
return nil
}
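Review bot: The SelfSubjectAccessReview loop in checkPermission establishes only that the controller's service account is authorized to `watch` each kubeovn.io resource, not that the corresponding CRD is installed: an RBAC authorizer matches the request attributes against role rules without consulting discovery, so a cluster whose ClusterRole already covers these resources (or uses a wildcard) but whose CRD manifests were skipped would still pass. If the aim stated in the commit message is to catch missing CRDs, I would pair this with a discovery lookup of the `kubeovn.io` group, for example `config.KubeClient.Discovery().ServerGroupsAndResources()` (assuming KubeClient is a client-go clientset, which the hunk does not show), and fail when any name in `resources` is absent. The probe also covers a single verb, so stale rules for the other verbs the controller presumably needs would go unnoticed; iterating over the verbs it actually uses would close that gap. Separately, `context.Background()` gives the Create call no deadline, and the message `no permission to wath resource` should read `watch`.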
1 change: 1 addition & 0 deletions dist/images/install-pre-1.16.sh
Expand Up @@ -2207,6 +2207,7 @@ diagnose(){
kubectl get crd vpc-nat-gateways.kubeovn.io
kubectl get crd subnets.kubeovn.io
kubectl get crd ips.kubeovn.io
kubectl get crd vlans.kubeovn.io
kubectl get svc kube-dns -n kube-system
kubectl get svc kubernetes -n default
kubectl get sa -n kube-system ovn
1 change: 1 addition & 0 deletions dist/images/install.sh
Expand Up @@ -2259,6 +2259,7 @@ diagnose(){
kubectl get crd vpc-nat-gateways.kubeovn.io
kubectl get crd subnets.kubeovn.io
kubectl get crd ips.kubeovn.io
kubectl get crd vlans.kubeovn.io
kubectl get svc kube-dns -n kube-system
kubectl get svc kubernetes -n default
kubectl get sa -n kube-system ovn
1 change: 1 addition & 0 deletions dist/images/kubectl-ko
Expand Up @@ -163,6 +163,7 @@ diagnose(){
kubectl get crd vpc-nat-gateways.kubeovn.io
kubectl get crd subnets.kubeovn.io
kubectl get crd ips.kubeovn.io
kubectl get crd vlans.kubeovn.io
kubectl get svc kube-dns -n kube-system
kubectl get svc kubernetes -n default
kubectl get sa -n kube-system ovn
