Return policy information from cilium-agent-proxy
Signed-off-by: Daichi Sakaue <[email protected]>
yokaze committed Oct 22, 2024
1 parent 7ede7ee commit 7358a8b
Showing 5 changed files with 65 additions and 7 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -19,7 +19,7 @@ FROM ghcr.io/cybozu/ubuntu:22.04
LABEL org.opencontainers.image.source=https://github.com/cybozu-go/network-policy-viewer

WORKDIR /
COPY bin/download/cilium /
COPY --from=builder /work/cilium-agent-proxy /

USER 10000:10000
ENTRYPOINT ["/cilium-agent-proxy"]
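Review bot: `COPY bin/download/cilium /` depends on a binary that the build context must already contain, so an image build that does not first run the Makefile's `$(CILIUM_CLI)` target fails at this step, and nothing in the Dockerfile records where the binary comes from or which version it is. A comment above the line such as `# cilium CLI extracted from ghcr.io/cybozu/cilium:$(CILIUM_IMAGE_VERSION) by 'make setup'; keep it in step with the cilium-agent the proxy queries` would document the provenance (the version-coupling with the agent is an inference from the proxy reading the agent's BPF maps — confirm). The image keeps `USER 10000:10000`; whether an unprivileged uid can open pinned BPF maps through `cilium bpf policy get` depends on what the runtime grants, which this file does not show.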
11 changes: 10 additions & 1 deletion Makefile
Expand Up @@ -3,6 +3,8 @@ TOOLS_DIR := $(BIN_DIR)/download
CACHE_DIR := $(shell pwd)/cache

# Test tools
CILIUM_IMAGE_VERSION := 1.14.14.1
CILIUM_CLI := $(TOOLS_DIR)/cilium
CUSTOMCHECKER := $(TOOLS_DIR)/custom-checker
HELM := helm --repository-cache $(CACHE_DIR)/helm/repository --repository-config $(CACHE_DIR)/helm/repositories.yaml
STATICCHECK := $(TOOLS_DIR)/staticcheck
Expand All @@ -17,7 +19,7 @@ help: ## Display this help
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

.PHONY: setup
setup: $(CUSTOMCHECKER) $(STATICCHECK) ## Install necessary tools
setup: $(CILIUM_CLI) $(CUSTOMCHECKER) $(STATICCHECK) ## Install necessary tools
if ! which aqua; then \
echo 'setup needs aqua.'; \
exit 1; \
Expand All @@ -26,6 +28,13 @@ setup: $(CUSTOMCHECKER) $(STATICCHECK) ## Install necessary tools
$(HELM) repo add cilium https://helm.cilium.io/
$(HELM) repo update cilium

$(CILIUM_CLI):
mkdir -p $(TOOLS_DIR)
CONTAINER_ID=$$(docker run --detach --entrypoint pause ghcr.io/cybozu/cilium:$(CILIUM_IMAGE_VERSION)); \
docker cp $${CONTAINER_ID}:/usr/bin/cilium $(CILIUM_CLI); \
docker stop $${CONTAINER_ID}; \
docker rm $${CONTAINER_ID}

$(CUSTOMCHECKER):
GOBIN=$(TOOLS_DIR) go install github.com/cybozu-go/golang-custom-analyzer/cmd/custom-checker@latest

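Review bot: In the new `$(CILIUM_CLI)` recipe the commands are joined with `;`, so a failed `docker cp` is not reported — make only sees the exit status of the final `docker rm`, marks the target done without the binary, and the failure surfaces later as a missing file in the Dockerfile `COPY`. A container also does not need to run to be copied from: `docker create` gives a stopped container that `docker cp` can read, which removes the `--entrypoint pause` and `docker stop` steps, and `&&` propagates the copy error: `CONTAINER_ID=$$(docker create ghcr.io/cybozu/cilium:$(CILIUM_IMAGE_VERSION)) && \` / `docker cp $${CONTAINER_ID}:/usr/bin/cilium $(CILIUM_CLI) && \` / `docker rm $${CONTAINER_ID}` (on a copy failure the container is left behind for inspection, which is acceptable for a dev tool). The image is selected by a mutable tag (`CILIUM_IMAGE_VERSION := 1.14.14.1`); recording a digest next to it would make the extracted binary reproducible. Recipe indentation is not visible on this page, so tab placement could not be checked.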
21 changes: 20 additions & 1 deletion cmd/cilium-agent-proxy/sub/run.go
Expand Up @@ -69,7 +69,26 @@ func handleIdentity(w http.ResponseWriter, r *http.Request) {
}

func handlePolicy(w http.ResponseWriter, r *http.Request) {
fmt.Fprint(w, "error\n")
param := r.URL.Path[len("/policy/"):]
if len(param) == 0 {
renderError(w, r.URL.Path, "failed to read endpoint ID", http.StatusBadRequest)
return
}

// Convert to number to avoid parameter injection
endpoint, err := strconv.Atoi(param)
if err != nil {
renderError(w, r.URL.Path, "failed to read endpoint ID", http.StatusBadRequest)
return
}

stdout, _, err := runCommand(ciliumPath, nil, "bpf", "policy", "get", strconv.Itoa(endpoint), "-ojson")
if err != nil {
renderError(w, r.URL.Path, "failed to read BPF map", http.StatusInternalServerError)
return
}

renderJSON(w, r.URL.Path, stdout, http.StatusOK)
}

func subMain() error {
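Review bot: `endpoint, err := strconv.Atoi(param)` accepts a leading sign, so a request for `/policy/-1` passes the check and the literal argument `-1` is handed to the cilium CLI, where an argument beginning with a dash is likely parsed as a flag rather than an endpoint ID; endpoint IDs are never negative, so `endpoint, err := strconv.ParseUint(param, 10, 64)` with `strconv.FormatUint(endpoint, 10)` in the runCommand call keeps the round-trip that the injection comment relies on and rejects signed input. `param := r.URL.Path[len("/policy/"):]` slices without checking the prefix and would panic on a shorter path if the handler is ever reached through a pattern other than `/policy/`; `strings.TrimPrefix` guarded by `strings.HasPrefix` is safer, and the route registration in subMain lies outside the hunk so this could not be confirmed. The non-nil error from runCommand is discarded before `renderError(w, r.URL.Path, "failed to read BPF map", http.StatusInternalServerError)`, so the stderr it carries reaches neither the client (correctly) nor a server-side log; logging it there would make map-read failures diagnosable.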
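--- a/cmd/cilium-agent-proxy/sub/utils.go
+++ b/cmd/cilium-agent-proxy/sub/utils.go
@@ -0,0 +1,28 @@
+package sub
+
+import (
+"bytes"
+"fmt"
+"os/exec"
+"path/filepath"
+)
+
+const (
+ciliumPath = "/cilium"
+)
+
+func runCommand(path string, input []byte, args ...string) ([]byte, []byte, error) {
+stdout := new(bytes.Buffer)
+stderr := new(bytes.Buffer)
+cmd := exec.Command(path, args...)
+cmd.Stdout = stdout
+cmd.Stderr = stderr
+if input != nil {
+cmd.Stdin = bytes.NewReader(input)
+}
+if err := cmd.Run(); err != nil {
+_, file := filepath.Split(path)
+return stdout.Bytes(), stderr.Bytes(), fmt.Errorf("%s failed with %s: stderr=%s", file, err, stderr)
+}
+return stdout.Bytes(), stderr.Bytes(), nil
+}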
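Review bot: CI reports `ciliumPath redeclared in this block` and `runCommand redeclared in this block` for this file, so package `sub` already defines both names in a file outside this diff and the commit does not compile until the older copies are removed or this file is dropped. In runCommand, `fmt.Errorf("%s failed with %s: stderr=%s", file, err, stderr)` formats `err` with `%s`, which hides the underlying `*exec.ExitError` from `errors.Is`/`errors.As`; `%w` wraps it instead. The command runs with `exec.Command` and no deadline, so a cilium binary that blocks holds the calling HTTP handler open indefinitely; an `exec.CommandContext` form fed the request context would bound it, at the cost of a signature change. `_, file := filepath.Split(path)` is `filepath.Base(path)`.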
10 changes: 6 additions & 4 deletions e2e/testdata/cilium-agent-proxy.yaml
Expand Up @@ -20,11 +20,13 @@ spec:
volumeMounts:
- name: cilium-socket
mountPath: /var/run/cilium
securityContext:
capabilities:
drop:
- ALL
- name: bpf
mountPath: /sys/fs/bpf
volumes:
- name: cilium-socket
hostPath:
path: /var/run/cilium
- name: bpf
hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
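Review bot: The four deleted lines are the container's `securityContext` with `capabilities: drop: - ALL`, and no narrower block replaces it, so alongside the new `/sys/fs/bpf` host mount the proxy now runs with the runtime's default capability set. If reading the pinned policy maps is what needed a capability, keeping `drop: [ALL]` and adding only `add: [BPF]` (or `SYS_ADMIN` on kernels without CAP_BPF) limits the exposure; note that the image runs as uid 10000 per the Dockerfile, and capabilities added in the pod spec are not effective for a non-root process without file or ambient capabilities, so how the maps are read at all is worth confirming in e2e. The `bpf` mount is writable although the handler only performs a `get`; `readOnly: true` on the volumeMount is worth trying, though whether opening a pinned map tolerates a read-only bpffs bind mount should be verified. `type: DirectoryOrCreate` creates an empty `/sys/fs/bpf` on a node where bpffs is not mounted, so the pod starts and then fails per request; `type: Directory` fails at pod start instead.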
