From 6cbe64f351e2f91a208ca93fb9438ce5250e95de Mon Sep 17 00:00:00 2001
From: Albian Krasniqi
Date: Fri, 24 Jan 2025 09:04:32 +0100
Subject: [PATCH 1/2] Reject dynakubes that use public image and not read only oneAgents
---
 pkg/api/validation/dynakube/image_test.go | 6 +-
 pkg/api/validation/dynakube/oneagent.go | 10 +++++
 pkg/api/validation/dynakube/oneagent_test.go | 45 ++++++++++++++++++++
 pkg/api/validation/dynakube/validation.go | 1 +
 4 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/pkg/api/validation/dynakube/image_test.go b/pkg/api/validation/dynakube/image_test.go
index 8f5081339d..d581d4417d 100644
--- a/pkg/api/validation/dynakube/image_test.go
+++ b/pkg/api/validation/dynakube/image_test.go
@@ -49,7 +49,7 @@ func TestImageFieldHasTenantImage(t *testing.T) {
 Spec: dynakube.DynaKubeSpec{
 APIURL: testTenantUrl + "/api",
 OneAgent: dynakube.OneAgentSpec{
- ClassicFullStack: &dynakube.HostInjectSpec{
+ HostMonitoring: &dynakube.HostInjectSpec{
 Image: testRegistryUrl + "/linux/oneagent:latest",
 },
 },
@@ -71,7 +71,7 @@ func TestImageFieldHasTenantImage(t *testing.T) {
 Spec: dynakube.DynaKubeSpec{
 APIURL: testTenantUrl + "/api",
 OneAgent: dynakube.OneAgentSpec{
- ClassicFullStack: &dynakube.HostInjectSpec{
+ HostMonitoring: &dynakube.HostInjectSpec{
 Image: testRegistryUrl + "/linux/oneagent:latest",
 },
 },
@@ -87,7 +87,7 @@ func TestImageFieldHasTenantImage(t *testing.T) {
 Spec: dynakube.DynaKubeSpec{
 APIURL: testTenantUrl + "/api",
 OneAgent: dynakube.OneAgentSpec{
- ClassicFullStack: &dynakube.HostInjectSpec{
+ HostMonitoring: &dynakube.HostInjectSpec{
 Image: "127.0.0.1:5000/test:tag",
 },
 },
diff --git a/pkg/api/validation/dynakube/oneagent.go b/pkg/api/validation/dynakube/oneagent.go
index 8df06d5cfb..6dafa3b96f 100644
--- a/pkg/api/validation/dynakube/oneagent.go
+++ b/pkg/api/validation/dynakube/oneagent.go
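Review bot: Every fixture in TestImageFieldHasTenantImage is switched from ClassicFullStack to HostMonitoring, which leaves no test pinning what this commit changes for ClassicFullStack: the need to edit these cases suggests UseReadOnlyOneAgents() is false for that mode, so a ClassicFullStack DynaKube with a custom image is now denied by the webhook, including on the next update of one that is already running. Keep one ClassicFullStack case with a tenant-registry image and assert the new outcome explicitly, `assertDenied(t, []string{errorPublicImageWithWrongConfig}, ...)`, and state the compatibility change in the PR description so operators are not surprised by a rejected update. TestImageFieldHasTenantImage starts before and ends after these hunks.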
@@ -23,6 +23,8 @@ Use a nodeSelector to avoid this conflict. Conflicting DynaKubes: %s`
 errorVolumeStorageReadOnlyModeConflict = `The DynaKube specification specifies a read-only host file system while OneAgent has volume storage enabled.`
+ errorPublicImageWithWrongConfig = `The DynaKube specification specifies a custom (and therefor probably a public) image in combination with a mode that needs write permissions for volume mounts.`
+
 warningOneAgentInstallerEnvVars = `The environment variables ONEAGENT_INSTALLER_SCRIPT_URL and ONEAGENT_INSTALLER_TOKEN are only relevant for an unsupported image type. Please ensure you are using a supported image.`
 warningHostGroupConflict = `The DynaKube specification sets the host group using the --set-host-group parameter. Instead, specify the new spec.oneagent.hostGroup field. If both settings are used, the new field takes precedence over the parameter.`
@@ -116,6 +118,14 @@ func mapKeysToString(m map[string]bool, sep string) string {
 return strings.Join(keys, sep)
 }
+func publicImageSetWithoutReadOnlyMode(_ context.Context, v *Validator, dk *dynakube.DynaKube) string {
+ if !dk.UseReadOnlyOneAgents() && dk.CustomOneAgentImage() != "" {
+ return errorPublicImageWithWrongConfig
+ }
+
+ return ""
+ }
+
 func imageFieldSetWithoutCSIFlag(_ context.Context, v *Validator, dk *dynakube.DynaKube) string {
 if dk.ApplicationMonitoringMode() {
 if len(dk.Spec.OneAgent.ApplicationMonitoring.CodeModulesImage) > 0 && !v.modules.CSIDriver {
diff --git a/pkg/api/validation/dynakube/oneagent_test.go b/pkg/api/validation/dynakube/oneagent_test.go
index c6dce3c40c..a9039264bb 100644
--- a/pkg/api/validation/dynakube/oneagent_test.go
+++ b/pkg/api/validation/dynakube/oneagent_test.go
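Review bot: The new errorPublicImageWithWrongConfig text is what the admission webhook returns to the user, and it is both imprecise and misspelt: "therefor" should be "therefore", and the check it backs (publicImageSetWithoutReadOnlyMode, later in this file) fires on any non-empty CustomOneAgentImage(), a private mirror included, so "probably a public image" misdescribes the condition. Name the offending setting and the way out instead, for example `The DynaKube specification sets a custom OneAgent image while the OneAgents are not run in read-only mode; a custom image is only supported together with read-only OneAgents.` The exact remedy (the oneagent_test.go cases suggest enabling the CSI driver for hostMonitoring) should be confirmed and spelled out in the message as well.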
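Review bot: publicImageSetWithoutReadOnlyMode has no doc comment although it encodes a compatibility rule that is not obvious from the code; add one such as `// publicImageSetWithoutReadOnlyMode denies a DynaKube that sets a custom OneAgent image (CustomOneAgentImage() != "") while UseReadOnlyOneAgents() is false, i.e. while the agents run in a mode that needs write access to their volume mounts.` The `v *Validator` parameter is never read, so `_ *Validator` would be consistent with the already blanked `_ context.Context` and keeps an unused-parameter linter quiet, if one is enabled here. The name also says "public" while the condition is any custom image, so customImageSetWithoutReadOnlyMode would describe the rule more accurately.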
@@ -490,3 +490,48 @@ func TestIsOneAgentVersionValid(t *testing.T) {
 })
 }
 }
+
+func TestPublicImageSetWithReadOnlyMode(t *testing.T) {
+ t.Run("reject dk with hostMon without csi and custom image", func(t *testing.T) {
+ setupDisabledCSIEnv(t)
+ assertDenied(t, []string{errorPublicImageWithWrongConfig},
+ &dynakube.DynaKube{
+ ObjectMeta: defaultDynakubeObjectMeta,
+ Spec: dynakube.DynaKubeSpec{
+ APIURL: testApiUrl,
+ OneAgent: dynakube.OneAgentSpec{
+ HostMonitoring: &dynakube.HostInjectSpec{
+ Image: "test/image/test-image:some-tag",
+ },
+ },
+ },
+ })
+ })
+ t.Run("allow dk with hostMon without csi and no custom image", func(t *testing.T) {
+ setupDisabledCSIEnv(t)
+ assertAllowed(t,
+ &dynakube.DynaKube{
+ ObjectMeta: defaultDynakubeObjectMeta,
+ Spec: dynakube.DynaKubeSpec{
+ APIURL: testApiUrl,
+ OneAgent: dynakube.OneAgentSpec{
+ HostMonitoring: &dynakube.HostInjectSpec{},
+ },
+ },
+ })
+ })
+ t.Run("allow dk with hostMon with csi and custom image", func(t *testing.T) {
+ assertAllowed(t, &dynakube.DynaKube{
+ ObjectMeta: defaultDynakubeObjectMeta,
+ Spec: dynakube.DynaKubeSpec{
+ APIURL: testApiUrl,
+ OneAgent: dynakube.OneAgentSpec{
+ HostMonitoring: &dynakube.HostInjectSpec{
+ Image: "test/image/test-image:some-tag",
+ },
+ },
+ },
+ })
+ })
+
+}
diff --git a/pkg/api/validation/dynakube/validation.go b/pkg/api/validation/dynakube/validation.go
index 531b286155..f48aa9cd88 100644
--- a/pkg/api/validation/dynakube/validation.go
+++ b/pkg/api/validation/dynakube/validation.go
@@ -55,6 +55,7 @@ var (
 missingLogMonitoringImage,
 logMonitoringWithoutK8SMonitoring,
 extensionsWithoutK8SMonitoring,
+ publicImageSetWithoutReadOnlyMode,
 }
 validatorWarningFuncs = []validatorFunc{
 missingActiveGateMemoryLimit,
From 0d4fc8742e339b02c15c207a258baf93fcaddcb4 Mon Sep 17 00:00:00 2001
From: Albian Krasniqi
Date: Fri, 24 Jan 2025 09:22:37 +0100
Subject: [PATCH 2/2] Fix linting
---
 pkg/api/validation/dynakube/oneagent_test.go | 1 -
 1 file changed, 1 deletion(-)
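Review bot: The third subtest, "allow dk with hostMon with csi and custom image", performs no CSI setup, so it only exercises the read-only path if the package default has the CSI driver enabled (presumably the opposite of setupDisabledCSIEnv), and if that default ever flips the case silently starts asserting the wrong thing. Make the precondition explicit, either with the matching enable helper or at least a comment naming the default relied on, e.g. `// CSI driver is enabled in the default test env, so the OneAgents run read-only`. The test name TestPublicImageSetWithReadOnlyMode is the inverse of the validator name publicImageSetWithoutReadOnlyMode, which makes `go test -run` and grep misleading. Since the validator is keyed on UseReadOnlyOneAgents() rather than on hostMonitoring, a ClassicFullStack and a CloudNativeFullStack case with a custom image would pin the outcome for the other modes as well.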
diff --git a/pkg/api/validation/dynakube/oneagent_test.go b/pkg/api/validation/dynakube/oneagent_test.go
index a9039264bb..c7e7681494 100644
--- a/pkg/api/validation/dynakube/oneagent_test.go
+++ b/pkg/api/validation/dynakube/oneagent_test.go
@@ -533,5 +533,4 @@ func TestPublicImageSetWithReadOnlyMode(t *testing.T) {
 },
 })
 })
-
 }