-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ExternalNode]Implement SupportBundleCollection on Agent #4338
Conversation
Codecov Report
@@ Coverage Diff @@
## main #4338 +/- ##
==========================================
- Coverage 65.53% 63.80% -1.73%
==========================================
Files 400 402 +2
Lines 56950 57195 +245
==========================================
- Hits 37321 36494 -827
- Misses 16948 18007 +1059
- Partials 2681 2694 +13
*This pull request uses carry forward flags. Click here to find out more.
|
This pull request introduces 1 alert when merging 300dbab into 2971e09 - view on LGTM.com new alerts:
|
6ad148a
to
c34d1a3
Compare
This pull request introduces 1 alert when merging c34d1a3 into 2971e09 - view on LGTM.com new alerts:
|
c34d1a3
to
e426eff
Compare
This pull request introduces 1 alert when merging e426eff into e7aba77 - view on LGTM.com new alerts:
|
e426eff
to
00f2e0f
Compare
This pull request introduces 1 alert when merging 00f2e0f into e7aba77 - view on LGTM.com new alerts:
|
00f2e0f
to
39f2c7c
Compare
pkg/agent/controller/supportbundlecollection/support_bundle_controller.go
Outdated
Show resolved
Hide resolved
pkg/agent/controller/supportbundlecollection/support_bundle_controller.go
Outdated
Show resolved
Hide resolved
pkg/agent/controller/supportbundlecollection/support_bundle_controller.go
Outdated
Show resolved
Hide resolved
pkg/agent/controller/supportbundlecollection/support_bundle_controller.go
Outdated
Show resolved
Hide resolved
pkg/agent/controller/supportbundlecollection/support_bundle_controller.go
Outdated
Show resolved
Hide resolved
if strings.ToLower(arr[0]) != "sftp" { | ||
return fmt.Errorf("only sftp is supported for now, protocol %s is not supported", strings.ToLower(arr[0])) | ||
} | ||
url = fileServer.URL[7:] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better to calculate the index for url instead of hard-coded with 7 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about it. But the prefix length is fixed which is seven. If we use index, it would be like strings.Index(fileServer.URL, "://") + 3
, which is not necessary in my mind.
pkg/agent/controller/supportbundlecollection/support_bundle_controller.go
Outdated
Show resolved
Hide resolved
pkg/agent/controller/supportbundlecollection/support_bundle_controller_test.go
Outdated
Show resolved
Hide resolved
pkg/agent/controller/supportbundlecollection/support_bundle_controller_test.go
Outdated
Show resolved
Hide resolved
pkg/agent/controller/supportbundlecollection/support_bundle_controller_test.go
Outdated
Show resolved
Hide resolved
This pull request introduces 1 alert when merging 39f2c7c into e7aba77 - view on LGTM.com new alerts:
|
39f2c7c
to
7ca6995
Compare
This pull request introduces 1 alert when merging 7ca6995 into 85e144c - view on LGTM.com new alerts:
|
7ca6995
to
5094000
Compare
This pull request introduces 1 alert when merging 5094000 into 339ed6f - view on LGTM.com new alerts:
|
5094000
to
345a488
Compare
This pull request introduces 1 alert when merging 345a488 into 339ed6f - view on LGTM.com new alerts:
|
345a488
to
c72beea
Compare
/test-all |
This pull request introduces 1 alert when merging c72beea into e516aca - view on LGTM.com new alerts:
|
c72beea
to
9471a3c
Compare
This pull request introduces 1 alert when merging 9471a3c into e516aca - view on LGTM.com new alerts:
|
9471a3c
to
5803c73
Compare
This pull request introduces 1 alert when merging 5803c73 into 5051f54 - view on LGTM.com new alerts:
|
/test-all |
This pull request introduces 1 alert when merging ba22c7f into 19a7de0 - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog. |
ba22c7f
to
0b07cfe
Compare
This pull request introduces 1 alert when merging 0b07cfe into 19a7de0 - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog. |
|
||
func (c *SupportBundleController) addSupportBundleCollection(supportBundle *cpv1b2.SupportBundleCollection) { | ||
c.supportBundleCollectionsMutex.Lock() | ||
defer c.supportBundleCollectionsMutex.Unlock() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unlock the mutex after cosuming resource, no need to wait until it is added into queue?
c.supportBundleCollectionsMutex.Lock()
c.supportBundleCollection = supportBundle
c.supportBundleCollectionsMutex.Unlock()
c.queue.Add(supportBundle.Name)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
} | ||
|
||
func (c *SupportBundleController) deleteSupportBundleCollection(supportBundle *cpv1b2.SupportBundleCollection) { | ||
c.supportBundleCollectionsMutex.Lock() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
antreaClientGetter agent.AntreaClientProvider | ||
queue workqueue.Interface | ||
supportBundleCollection *cpv1b2.SupportBundleCollection | ||
supportBundleCollectionsMutex sync.RWMutex |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
supportBundleCollectionsMutex sync.RWMutex | |
supportBundleCollectionMutex sync.RWMutex |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
@ceclinux Could you address the latest comments of this PR and move forward? thanks. |
0b07cfe
to
1f5f0e4
Compare
This pull request introduces 1 alert when merging 1f5f0e4 into b0e9636 - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, two minor comments
klog.Info("Started watch for SupportBundleCollections") | ||
eventCount := 0 | ||
defer func() { | ||
klog.InfoS("Stopped watch for SupportBundleCollections", "total items received", eventCount) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sturctured logging's keys shouldn't be space connected words, see https://github.com/tnqn/code-review-comments#use-structure-logging.
"totalItemsReceived"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
obj, err := c.Fake. | ||
Invokes(testing.NewUpdateSubresourceAction(supportbundlecollectionsResource, "status", "", status), &v1beta2.SupportBundleCollectionStatus{}) | ||
|
||
if obj == nil { | ||
return nil | ||
} | ||
return err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
obj, err := c.Fake. | |
Invokes(testing.NewUpdateSubresourceAction(supportbundlecollectionsResource, "status", "", status), &v1beta2.SupportBundleCollectionStatus{}) | |
if obj == nil { | |
return nil | |
} | |
return err | |
_, err := c.Fake. | |
Invokes(testing.NewUpdateSubresourceAction(supportbundlecollectionsResource, "status", "", status), &v1beta2.SupportBundleCollectionStatus{}) | |
return err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
return | ||
} | ||
options := metav1.ListOptions{ | ||
FieldSelector: fields.OneTermEqualSelector("nodeName", c.nodeName).String(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use k8s.NamespacedName(c.namespace, c.nodeName)
as the ListOption with the "ExternalNode" case, which is expected after this PR #4401 is merged. Otherwise, ExternalNode would use an incorrect value when controller calculates the span.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
1f5f0e4
to
424a31b
Compare
This pull request introduces 1 alert when merging 424a31b into e94e4cf - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog. |
klog.ErrorS(err, "Failed to get antrea client") | ||
return | ||
} | ||
options := metav1.ListOptions{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You check use namespace/name as filter key only with ExternalNode case by checking c.supportBundleNodeType == controlplane.SupportBundleCollectionNodeTypeExternalNode
. But for K8s worker Node, c.nodeName is expected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
1. Watch internal SupportBundleCollection events. 2. Refactor SupportBundle compression to util. 3. Let agent to collect SupportBundle for Node/ExternalNode. 4. Upload the collected SupportBundle to file server. Only SFTP and basic authentication are supported for now. Signed-off-by: Mengdie Song <songm@vmware.com> Co-authored-by: Ruochen Shen <src655@gmail.com>
424a31b
to
2f60340
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/test-all |
This pull request introduces 1 alert when merging 2f60340 into e94e4cf - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog. |
cfg := &ssh.ClientConfig{ | ||
User: serverAuth.BasicAuthentication.Username, | ||
Auth: []ssh.AuthMethod{ssh.Password(serverAuth.BasicAuthentication.Password)}, | ||
// #nosec G106: skip host key check here and users can specify their own checks if needed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there might be some potential issues with the ssh ClientConfig
- The comment is not working to pass the security checker [ExternalNode]Implement SupportBundleCollection on Agent #4338 (comment).
- I am confused about the phrase "users specify their own checks if needed."
- Also, is the security vulnerability critical in this case? Is it possible that the supportbunble tarball can be captured by the attackers through this security vulnerability?
I might have missed some context. Appreciate it if you provide some comments. @tnqn @wenyingd @mengdie-song @jianjuns
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think your question is about the ssh configuration option “HostKeyCallback: ssh.InsecureIgnoreHostKey()“. Our choice is to ignore the public key returned by the server because we do not perform check on the key in our implementation. A candidate security risk for a general SSH connection is the target SFTP server connected with the IP address is not the one who has a different public key from the one client used to connect to. But in support bundle collection scenario, the user should ensure the sftp server is valid and accessible from Node/ExternalNode when creating the CR, and Agent is not supposed to connect to an incorrect server using the url provided by user. So I don't think it may introduce security risk to Agent. In another word, even Agent perform actions to cache and validate the public key, nothing could perform in the next step when we found they are dismatched.
) 1. Watch internal SupportBundleCollection events. 2. Refactor SupportBundle compression to util. 3. Let agent to collect SupportBundle for Node/ExternalNode. 4. Upload the collected SupportBundle to file server. Only SFTP and basic authentication are supported for now. Signed-off-by: Mengdie Song <songm@vmware.com> Co-authored-by: Ruochen Shen <src655@gmail.com>
Implement SupportBundleCollection on Agent
Only SFTP and basic authentication are supported for now.
Signed-off-by: Mengdie Song songm@vmware.com