Merged
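--- a/apis/flowcollector/v1beta2/flowcollector_validation_webhook.go
+++ b/apis/flowcollector/v1beta2/flowcollector_validation_webhook.go
@@ -86,30 +86,35 @@ func (r *FlowCollector) warnLogLevels(fc *FlowCollectorSpec) admission.Warnings
 func (r *FlowCollector) validateAgent(_ context.Context, fc *FlowCollectorSpec) (admission.Warnings, []error) {
 var warnings admission.Warnings
 if slices.Contains(fc.Agent.EBPF.Features, NetworkEvents) ||
-slices.Contains(fc.Agent.EBPF.Features, UDNMapping) {
+slices.Contains(fc.Agent.EBPF.Features, UDNMapping) ||
+slices.Contains(fc.Agent.EBPF.Features, EbpfManager) {
 // Make sure required version of ocp is installed
 if CurrentClusterInfo != nil && CurrentClusterInfo.IsOpenShift() {
 b, err := CurrentClusterInfo.OpenShiftVersionIsAtLeast("4.18.0")
 if err != nil {
 warnings = append(warnings, fmt.Sprintf("Could not detect OpenShift cluster version: %s", err.Error()))
 } else if !b {
-warnings = append(warnings, fmt.Sprintf("The NetworkEvents feature requires OpenShift 4.18 or above (version detected: %s)", CurrentClusterInfo.GetOpenShiftVersion()))
+warnings = append(warnings, fmt.Sprintf("The NetworkEvents/UDNMapping/EbpfManager features require OpenShift 4.18 or above (version detected: %s)", CurrentClusterInfo.GetOpenShiftVersion()))
 }
 } else {
-warnings = append(warnings, "The NetworkEvents feature is only supported with OpenShift")
+warnings = append(warnings, "The NetworkEvents/UDNMapping/EbpfManager features are only supported with OpenShift")
 }
 if !fc.Agent.EBPF.Privileged {
-warnings = append(warnings, "The NetworkEvents feature requires eBPF Agent to run in privileged mode")
+warnings = append(warnings, "The NetworkEvents/UDNMapping/EbpfManager features require eBPF Agent to run in privileged mode")
 }
 }
-if slices.Contains(fc.Agent.EBPF.Features, PacketDrop) && !fc.Agent.EBPF.Privileged {
-warnings = append(warnings, "The PacketDrop feature requires eBPF Agent to run in privileged mode")
-}
-if slices.Contains(fc.Agent.EBPF.Features, EbpfManager) && !fc.Agent.EBPF.Privileged {
-warnings = append(warnings, "The BPF Manager feature requires eBPF Agent to run in privileged mode")
-}
-if slices.Contains(fc.Agent.EBPF.Features, UDNMapping) && !fc.Agent.EBPF.Privileged {
-warnings = append(warnings, "The UDNMapping feature requires eBPF Agent to run in privileged mode")
+if slices.Contains(fc.Agent.EBPF.Features, PacketDrop) {
+if CurrentClusterInfo != nil && CurrentClusterInfo.IsOpenShift() {
+b, err := CurrentClusterInfo.OpenShiftVersionIsAtLeast("4.14.0")
+if err != nil {
+warnings = append(warnings, fmt.Sprintf("Could not detect OpenShift cluster version: %s", err.Error()))
+} else if !b {
+warnings = append(warnings, fmt.Sprintf("The PacketDrop feature requires OpenShift 4.14 or above (version detected: %s)", CurrentClusterInfo.GetOpenShiftVersion()))
+}
+}
+if !fc.Agent.EBPF.Privileged {
+warnings = append(warnings, "The PacketDrop feature requires eBPF Agent to run in privileged mode")
+}
 }
 var errs []error
 if fc.Agent.EBPF.FlowFilter != nil && fc.Agent.EBPF.FlowFilter.Enable != nil && *fc.Agent.EBPF.FlowFilter.Enable {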
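Review bot: When PacketDrop is enabled together with NetworkEvents, UDNMapping or EbpfManager and `OpenShiftVersionIsAtLeast` returns an error, the identical "Could not detect OpenShift cluster version" warning is appended twice, once by the 4.18 block and once by the new 4.14 block. The two blocks differ only in the minimum version and the message, so a small local helper can hold the check once and report a detection failure a single time. The merged messages also no longer say which of the three features triggered them; with several features enabled, the user cannot tell which one needs privileged mode or the newer cluster. validateAgent continues past the end of this hunk.

```go
// … unchanged: signature and `var warnings admission.Warnings` …
versionErrSeen := false
// warnIfOlder appends msg (formatted with the detected version) when the cluster is
// below minVersion, and reports a failed version detection only once per validation.
warnIfOlder := func(minVersion, msg string) {
	ok, err := CurrentClusterInfo.OpenShiftVersionIsAtLeast(minVersion)
	switch {
	case err != nil:
		if !versionErrSeen {
			warnings = append(warnings, fmt.Sprintf("Could not detect OpenShift cluster version: %s", err.Error()))
			versionErrSeen = true
		}
	case !ok:
		warnings = append(warnings, fmt.Sprintf(msg, CurrentClusterInfo.GetOpenShiftVersion()))
	}
}
// … unchanged: feature checks; inside each `CurrentClusterInfo != nil && CurrentClusterInfo.IsOpenShift()` branch the body becomes one call …
warnIfOlder("4.14.0", "The PacketDrop feature requires OpenShift 4.14 or above (version detected: %s)")
```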
Expand Up @@ -111,6 +111,25 @@ func TestValidateAgent(t *testing.T) {
},
expectedWarnings: admission.Warnings{"The PacketDrop feature requires eBPF Agent to run in privileged mode"},
},
{
name: "PacketDrop on ocp 4.12 triggers warning",
ocpVersion: "4.12.5",
fc: &FlowCollector{
ObjectMeta: metav1.ObjectMeta{
Name: "cluster",
},
Spec: FlowCollectorSpec{
Agent: FlowCollectorAgent{
Type: AgentEBPF,
EBPF: FlowCollectorEBPF{
Features: []AgentFeature{PacketDrop},
Privileged: true,
},
},
},
},
expectedWarnings: admission.Warnings{"The PacketDrop feature requires OpenShift 4.14 or above (version detected: 4.12.5)"},
},
{
name: "NetworkEvents on ocp 4.16 triggers warning",
ocpVersion: "4.16.5",
Expand All @@ -128,7 +147,7 @@ func TestValidateAgent(t *testing.T) {
},
},
},
expectedWarnings: admission.Warnings{"The NetworkEvents feature requires OpenShift 4.18 or above (version detected: 4.16.5)"},
expectedWarnings: admission.Warnings{"The NetworkEvents/UDNMapping/EbpfManager features require OpenShift 4.18 or above (version detected: 4.16.5)"},
},
{
name: "NetworkEvents without privilege triggers warning",
Expand All @@ -146,7 +165,7 @@ func TestValidateAgent(t *testing.T) {
},
},
},
expectedWarnings: admission.Warnings{"The NetworkEvents feature requires eBPF Agent to run in privileged mode"},
expectedWarnings: admission.Warnings{"The NetworkEvents/UDNMapping/EbpfManager features require eBPF Agent to run in privileged mode"},
},
{
name: "FlowFilter different ports configs are mutually exclusive",
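Review bot: None of the cases visible in these hunks enables UDNMapping or EbpfManager on its own, although validateAgent now routes both through the same branch as NetworkEvents; the two updated expectations sit in cases named for NetworkEvents. A table entry with `Features: []AgentFeature{EbpfManager}` and `Privileged: false`, and a matching one for UDNMapping, would pin the new condition and the replacement of the old per-feature privileged-mode warnings. A case combining PacketDrop with NetworkEvents on an old cluster would also document that both version warnings are expected together. TestValidateAgent's table starts and ends outside these hunks, so such cases may already exist out of view.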