diff --git a/Dockerfile b/Dockerfile
index 77ea4d0..bd9d8d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,7 +19,7 @@ FROM ghcr.io/cybozu/ubuntu:22.04
 LABEL org.opencontainers.image.source=https://github.com/cybozu-go/network-policy-viewer
 WORKDIR /
+COPY bin/download/cilium /
 COPY --from=builder /work/cilium-agent-proxy /
-USER 10000:10000
 ENTRYPOINT ["/cilium-agent-proxy"]
diff --git a/Makefile b/Makefile
index a4d5f0e..e7137d2 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,8 @@ TOOLS_DIR := $(BIN_DIR)/download
 CACHE_DIR := $(shell pwd)/cache
 # Test tools
+CILIUM_IMAGE_VERSION := 1.14.14.1
+CILIUM_CLI := $(TOOLS_DIR)/cilium
 CUSTOMCHECKER := $(TOOLS_DIR)/custom-checker
 HELM := helm --repository-cache $(CACHE_DIR)/helm/repository --repository-config $(CACHE_DIR)/helm/repositories.yaml
 STATICCHECK := $(TOOLS_DIR)/staticcheck
@@ -17,7 +19,7 @@ help: ## Display this help
 @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 .PHONY: setup
-setup: $(CUSTOMCHECKER) $(STATICCHECK) ## Install necessary tools
+setup: $(CILIUM_CLI) $(CUSTOMCHECKER) $(STATICCHECK) ## Install necessary tools
 if ! which aqua; then \
 echo 'setup needs aqua.'; \
 exit 1; \
@@ -26,6 +28,13 @@ setup: $(CUSTOMCHECKER) $(STATICCHECK) ## Install necessary tools
 $(HELM) repo add cilium https://helm.cilium.io/
 $(HELM) repo update cilium
+$(CILIUM_CLI):
+ mkdir -p $(TOOLS_DIR)
+ CONTAINER_ID=$$(docker run --detach --entrypoint pause ghcr.io/cybozu/cilium:$(CILIUM_IMAGE_VERSION)); \
+ docker cp $${CONTAINER_ID}:/usr/bin/cilium $(CILIUM_CLI); \
+ docker stop $${CONTAINER_ID}; \
+ docker rm $${CONTAINER_ID}
+
 $(CUSTOMCHECKER):
 GOBIN=$(TOOLS_DIR) go install github.com/cybozu-go/golang-custom-analyzer/cmd/custom-checker@latest
diff --git a/cmd/cilium-agent-proxy/sub/run.go b/cmd/cilium-agent-proxy/sub/run.go
index e8d625a..397668f 
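Review bot: Removing `USER 10000:10000` makes the image run as root by default, and nothing in the hunk records why that is now needed. If root (or a specific capability) is required for the copied `cilium` binary to read BPF maps from the pod, state it next to the removal, e.g. `# No USER: the cilium CLI must reach /sys/fs/bpf; privileges are restricted in the pod spec instead`, so a later cleanup does not reinstate the USER line and silently break the proxy. The new `COPY bin/download/cilium /` also pulls in an artifact that is produced outside this build (presumably by `make setup` in the same commit), so the image is only reproducible if that binary's version is pinned and recorded; a comment naming the expected Cilium version next to the COPY would make that auditable.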
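Review bot: In the new `$(CILIUM_CLI)` rule the commands are chained with `;`, so when `docker cp` fails the recipe still exits with the status of `docker rm` and `make setup` reports success while `$(CILIUM_CLI)` is missing; the failure then only surfaces at the Dockerfile's `COPY`. The rule also starts the image (`docker run --detach --entrypoint pause`) just to extract one file, which executes third-party image content on the build host for no benefit. `docker create` produces a container without running it, and recording the copy's exit status before the cleanup lets the rule fail loudly; writing to `$@.tmp` and renaming also avoids a truncated `$@` looking up to date. Separately, `ghcr.io/cybozu/cilium:$(CILIUM_IMAGE_VERSION)` is a mutable tag — pin the image by digest where the registry provides one so the extracted CLI is reproducible.
```make
$(CILIUM_CLI):
	mkdir -p $(TOOLS_DIR)
	# docker create never executes the image; the binary is copied out of the
	# stopped container and the copy's exit status decides whether the rule succeeds.
	CONTAINER_ID=$$(docker create ghcr.io/cybozu/cilium:$(CILIUM_IMAGE_VERSION)) && \
	docker cp $${CONTAINER_ID}:/usr/bin/cilium $@.tmp; STATUS=$$?; \
	docker rm -f $${CONTAINER_ID}; \
	[ $$STATUS -eq 0 ] && mv -f $@.tmp $@
```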
--- a/cmd/cilium-agent-proxy/sub/run.go
+++ b/cmd/cilium-agent-proxy/sub/run.go
@@ -69,7 +69,26 @@ func handleIdentity(w http.ResponseWriter, r *http.Request) {
 }
 func handlePolicy(w http.ResponseWriter, r *http.Request) {
- fmt.Fprint(w, "error\n")
+ param := r.URL.Path[len("/policy/"):]
+ if len(param) == 0 {
+ renderError(w, r.URL.Path, "failed to read endpoint ID", http.StatusBadRequest)
+ return
+ }
+
+ // Convert to number to avoid parameter injection
+ endpoint, err := strconv.Atoi(param)
+ if err != nil {
+ renderError(w, r.URL.Path, "failed to read endpoint ID", http.StatusBadRequest)
+ return
+ }
+
+ stdout, _, err := runCommand(ciliumPath, nil, "bpf", "policy", "get", strconv.Itoa(endpoint), "-ojson")
+ if err != nil {
+ renderError(w, r.URL.Path, "failed to read BPF map", http.StatusInternalServerError)
+ return
+ }
+
+ renderJSON(w, r.URL.Path, stdout, http.StatusOK)
 }
 func subMain() error {
diff --git a/e2e/testdata/cilium-agent-proxy.yaml b/e2e/testdata/cilium-agent-proxy.yaml
index 76066fa..7c105aa 100644
--- a/e2e/testdata/cilium-agent-proxy.yaml
+++ b/e2e/testdata/cilium-agent-proxy.yaml
@@ -20,11 +20,13 @@ spec:
 volumeMounts:
 - name: cilium-socket
 mountPath: /var/run/cilium
- securityContext:
- capabilities:
- drop:
- - ALL
+ - name: bpf
+ mountPath: /sys/fs/bpf
 volumes:
 - name: cilium-socket
 hostPath:
 path: /var/run/cilium
+ - name: bpf
+ hostPath:
+ path: /sys/fs/bpf
+ type: DirectoryOrCreate
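Review bot: `strconv.Atoi` accepts a leading sign and any int-sized value, so inputs like `-1` or `+5` pass the check on the `endpoint, err := strconv.Atoi(param)` line and reach `runCommand` as `-1`, which the cilium CLI will presumably treat as a flag rather than an endpoint ID; parse with an unsigned, bounded type instead: `endpoint, err := strconv.ParseUint(param, 10, 32)` and pass `strconv.FormatUint(endpoint, 10)`. The preceding `len(param) == 0` guard then becomes redundant, since the parser already rejects the empty string. The slice `r.URL.Path[len("/policy/"):]` panics when the path is shorter than `/policy/`; that is only safe if the handler is registered for the `/policy/` subtree (the registration is in subMain, which begins at the end of this hunk and is not visible), so a comment such as `// registered on "/policy/", so Path is at least that long` would record the assumption. The handler also answers every HTTP method; rejecting anything but GET would match a read-only proxy.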
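Review bot: The whole `securityContext` is removed, and with it `capabilities: drop: [ALL]`, rather than adding only what reading BPF maps needs; keep the drop and add the specific capability the `cilium bpf policy get` call requires (likely `CAP_BPF` or `CAP_SYS_ADMIN` depending on the node kernel — verify on the target nodes) under `capabilities: add:`. As far as this change shows the `/sys/fs/bpf` mount is only read, so `readOnly: true` on the new volumeMount is worth trying. `type: DirectoryOrCreate` on `/sys/fs/bpf` would have kubelet try to create a directory under sysfs on a node where bpffs is not mounted, which fails or yields an empty mount; `type: Directory` fails the pod with a clear event instead. Even though this is e2e test data, it is the manifest that documents how the proxy is meant to be deployed, so the least-privilege form is worth keeping here.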