// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package cmd
import (
"net/http"
"github.com/cilium/hive/cell"
"github.com/cilium/statedb"
"github.com/sirupsen/logrus"
healthApi "github.com/cilium/cilium/api/v1/health/server"
"github.com/cilium/cilium/api/v1/server"
"github.com/cilium/cilium/daemon/cmd/cni"
agentK8s "github.com/cilium/cilium/daemon/k8s"
"github.com/cilium/cilium/daemon/restapi"
"github.com/cilium/cilium/pkg/api"
"github.com/cilium/cilium/pkg/auth"
"github.com/cilium/cilium/pkg/bgp/speaker"
"github.com/cilium/cilium/pkg/bgpv1"
cgroup "github.com/cilium/cilium/pkg/cgroups/manager"
"github.com/cilium/cilium/pkg/ciliumenvoyconfig"
"github.com/cilium/cilium/pkg/clustermesh"
cmtypes "github.com/cilium/cilium/pkg/clustermesh/types"
"github.com/cilium/cilium/pkg/controller"
"github.com/cilium/cilium/pkg/crypto/certificatemanager"
"github.com/cilium/cilium/pkg/datapath"
"github.com/cilium/cilium/pkg/defaults"
"github.com/cilium/cilium/pkg/dial"
"github.com/cilium/cilium/pkg/driftchecker"
"github.com/cilium/cilium/pkg/dynamicconfig"
"github.com/cilium/cilium/pkg/dynamiclifecycle"
"github.com/cilium/cilium/pkg/egressgateway"
"github.com/cilium/cilium/pkg/endpoint"
"github.com/cilium/cilium/pkg/endpointcleanup"
"github.com/cilium/cilium/pkg/endpointmanager"
"github.com/cilium/cilium/pkg/envoy"
"github.com/cilium/cilium/pkg/gops"
hubble "github.com/cilium/cilium/pkg/hubble/cell"
identity "github.com/cilium/cilium/pkg/identity/cache/cell"
"github.com/cilium/cilium/pkg/identity/identitymanager"
ipamcell "github.com/cilium/cilium/pkg/ipam/cell"
ipcache "github.com/cilium/cilium/pkg/ipcache/cell"
"github.com/cilium/cilium/pkg/k8s"
k8sClient "github.com/cilium/cilium/pkg/k8s/client"
k8sSynced "github.com/cilium/cilium/pkg/k8s/synced"
"github.com/cilium/cilium/pkg/k8s/watchers"
"github.com/cilium/cilium/pkg/kvstore/store"
"github.com/cilium/cilium/pkg/l2announcer"
loadbalancer_experimental "github.com/cilium/cilium/pkg/loadbalancer/experimental"
"github.com/cilium/cilium/pkg/logging/logfields"
"github.com/cilium/cilium/pkg/maps/metricsmap"
natStats "github.com/cilium/cilium/pkg/maps/nat/stats"
"github.com/cilium/cilium/pkg/maps/ratelimitmap"
"github.com/cilium/cilium/pkg/metrics"
"github.com/cilium/cilium/pkg/node"
nodeManager "github.com/cilium/cilium/pkg/node/manager"
"github.com/cilium/cilium/pkg/nodediscovery"
"github.com/cilium/cilium/pkg/option"
policy "github.com/cilium/cilium/pkg/policy/cell"
policyDirectory "github.com/cilium/cilium/pkg/policy/directory"
policyK8s "github.com/cilium/cilium/pkg/policy/k8s"
"github.com/cilium/cilium/pkg/pprof"
"github.com/cilium/cilium/pkg/proxy"
"github.com/cilium/cilium/pkg/recorder"
"github.com/cilium/cilium/pkg/redirectpolicy"
"github.com/cilium/cilium/pkg/service"
"github.com/cilium/cilium/pkg/signal"
)
var (
	// Agent is the complete cilium-agent cell tree: the outward-facing
	// Infrastructure module, the per-node ControlPlane module and the datapath.
	Agent = cell.Module(
		"agent",
		"Cilium Agent",

		Infrastructure,
		ControlPlane,
		datapath.Cell,
	)

	// Infrastructure provides access and services to the outside.
	// A cell should live here instead of ControlPlane if it is not needed by
	// integration tests, or needs to be mocked.
	//
	// Several cells in this module open listeners (pprof, gops, metrics, the
	// API UNIX socket and the shell UNIX socket); the notes on each cell say
	// what it exposes so that operators can reason about the attack surface.
	Infrastructure = cell.Module(
		"infra",
		"Infrastructure",

		// Register the pprof HTTP handlers, to get runtime profiling data.
		// Disabled by default (pprofConfig below sets Pprof: false). When enabled
		// it serves Go runtime profiles on the configured address/port, so treat
		// turning it on as exposing process internals.
		pprof.Cell,
		cell.Config(pprofConfig),

		// Runs the gops agent, a tool to diagnose Go processes. The listen port
		// is fixed by defaults.GopsPortAgent.
		gops.Cell(defaults.GopsPortAgent),

		// Provides Clientset, API for accessing Kubernetes objects.
		k8sClient.Cell,

		cni.Cell,

		// Provide the modular metrics registry, metric HTTP server and legacy metrics cell.
		metrics.Cell,

		// Provides cilium_datapath_drop/forward Prometheus metrics.
		metricsmap.Cell,

		// Provides cilium_bpf_ratelimit_dropped_total Prometheus metric.
		ratelimitmap.Cell,

		// Provide option.Config via hive so cells can depend on the agent config.
		cell.Provide(func() *option.DaemonConfig { return option.Config }),

		// Cilium API served over UNIX sockets. Accessed by the 'cilium' utility (not cilium-cli).
		// configureAPIServer (below) restricts the server to the "unix" listener at
		// cfg.SocketPath, applies the operator's API deny list and mounts the
		// /statedb/ handler next to the API.
		server.Cell,
		cell.Invoke(configureAPIServer),

		// Cilium API handlers
		cell.Provide(ciliumAPIHandlers),

		// Processes endpoint deletions that occurred while the agent was down.
		// This starts before the API server as ciliumAPIHandlers() depends on
		// the 'deletionQueue' provided by this cell.
		deletionQueueCell,

		// Store cell provides factory for creating watchStore/syncStore/storeManager
		// useful for synchronizing data from/to kvstore.
		store.Cell,

		// Provide CRD resource names for 'k8sSynced.CRDSyncCell' below.
		cell.Provide(func() k8sSynced.CRDSyncResourceNames { return k8sSynced.AgentCRDResourceNames() }),

		// CRDSyncCell provides a promise that is resolved as soon as CRDs used by the
		// agent have been synced.
		// Allows cells to wait for CRDs before trying to list Cilium resources.
		// This is separate from k8sSynced.Cell as this one needs to be mocked for tests.
		k8sSynced.CRDSyncCell,

		// Shell for inspecting the agent. Listens on the 'shell.sock' UNIX socket.
		// NOTE(review): as with the API socket, reachability is presumably governed
		// only by the socket file's permissions -- confirm where those are set.
		shellCell,
	)

	// ControlPlane implements the per-node control functions. These are pure
	// business logic and depend on datapath or infrastructure to perform
	// actions. This separation enables non-privileged integration testing of
	// the control-plane.
	ControlPlane = cell.Module(
		"controlplane",
		"Control Plane",

		// LocalNodeStore holds onto the information about the local node and allows
		// observing changes to it.
		node.LocalNodeStoreCell,

		// Provide a newLocalNodeSynchronizer that is invoked when LocalNodeStore is started.
		// This fills in the initial state before it is accessed by other sub-systems.
		// Then, it takes care of keeping selected fields (e.g., labels, annotations)
		// synchronized with the corresponding kubernetes object.
		cell.Provide(newLocalNodeSynchronizer),

		// Controller provides flags and configuration related
		// to Controller management, concurrent control loops
		// which run throughout the system on specified intervals
		controller.Cell,

		// Shared resources provide access to k8s resources as event streams or as
		// read-only stores.
		agentK8s.ResourcesCell,

		// Shared synchronization structures for waiting on K8s resources to
		// be synced
		k8sSynced.Cell,

		// IdentityManager maintains the set of identities and a count of its
		// users.
		identitymanager.Cell,

		// EndpointManager maintains a collection of the locally running endpoints.
		endpointmanager.Cell,

		// Register the startup procedure to remove stale CiliumEndpoints referencing pods no longer
		// managed by Cilium.
		endpointcleanup.Cell,

		// NodeManager maintains a collection of other nodes in the cluster.
		nodeManager.Cell,

		// Certificate manager provides an API for retrieving secrets and certificates in the form of TLS contexts.
		certificatemanager.Cell,

		// Cilium API specification cell makes the swagger model available for reuse
		server.SpecCell,

		// cilium-health connectivity probe API specification cell makes the swagger model available for reuse
		healthApi.SpecCell,

		// daemonCell wraps the legacy daemon initialization and provides Promise[*Daemon].
		daemonCell,

		// Experimental control-plane for configuring service load-balancing.
		loadbalancer_experimental.Cell,

		// Service is a datapath service handler. Its main responsibility is to reflect
		// service-related changes into BPF maps used by datapath BPF programs.
		service.Cell,

		// Proxy provides the proxy port allocation and related datapath coordination and
		// makes different L7 proxies (Envoy, DNS proxy) usable to Cilium endpoints through
		// a common Proxy 'redirect' abstraction.
		proxy.Cell,

		// Envoy cell which is the control-plane for the Envoy proxy.
		// It is used to provide support for Ingress, GatewayAPI and L7 network policies (e.g. HTTP).
		envoy.Cell,

		// CiliumEnvoyConfig provides support for the CRD CiliumEnvoyConfig that backs Ingress, Gateway API
		// and L7 loadbalancing.
		ciliumenvoyconfig.Cell,

		// Cilium REST API handlers
		restapi.Cell,

		// The BGP Control Plane which enables various BGP related interop.
		bgpv1.Cell,

		// The MetalLB BGP speaker enables support for MetalLB BGP.
		speaker.Cell,

		// Brokers datapath signals from signalmap
		signal.Cell,

		// Auth is responsible for authenticating a request if required by a policy.
		auth.Cell,

		// Provides IdentityAllocators (responsible for allocating security identities)
		identity.Cell,

		// IPCache cell provides IPCache (IP to identity mappings)
		ipcache.Cell,

		// IPAM provides IP address management.
		ipamcell.Cell,

		// Egress Gateway allows originating traffic from specific IPv4 addresses.
		egressgateway.Cell,

		// ServiceCache holds the list of known services correlated with the matching endpoints.
		k8s.ServiceCacheCell,

		// Provides PolicyRepository (list of policy rules)
		policy.Cell,

		// K8s policy resource watcher cell. It depends on the half-initialized daemon which is
		// resolved by newDaemonPromise()
		policyK8s.Cell,

		// Directory policy watcher cell.
		policyDirectory.Cell,

		// ClusterMesh is Cilium's multicluster implementation.
		cell.Config(cmtypes.DefaultClusterInfo),
		clustermesh.Cell,

		// L2announcer resolves l2announcement policies, services, node labels and devices into a list of IPs+netdevs
		// which need to be announced on the local network.
		l2announcer.Cell,

		// RegeneratorCell provides extra options and utilities for endpoints regeneration.
		endpoint.RegeneratorCell,

		// Redirect policy manages the Local Redirect Policies.
		redirectpolicy.Cell,

		// The node discovery cell provides the local node configuration and node discovery
		// which communicate changes in local node information to the API server or KVStore.
		nodediscovery.Cell,

		// Cgroup manager maintains Kubernetes and low-level metadata (cgroup path and
		// cgroup id) for local pods and their containers.
		cgroup.Cell,

		// NAT stats provides stat computation and tables for NAT map bpf maps.
		natStats.Cell,

		// Provide the logic to map DNS names matching Kubernetes services to the
		// corresponding ClusterIP, without depending on CoreDNS. Leveraged by etcd
		// and clustermesh.
		dial.ServiceResolverCell,

		// K8s Watcher provides the core k8s watchers
		watchers.Cell,

		// Provide pcap recorder
		recorder.Cell,

		// Provides a wrapper of the cilium config that can be watched dynamically
		dynamicconfig.Cell,

		// Provides the manager for WithDynamicFeature()
		// Which allows to group the cell lifecycles together and control the enablement
		// by leveraging the dynamicconfig.Cell.
		dynamiclifecycle.Cell,

		// Allows agent to monitor the configuration drift and publish drift metric
		driftchecker.Cell,

		// Runs the Hubble servers and Hubble metrics.
		hubble.Cell,
	)
)
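// configureAPIServer finalizes the agent API server before it is started.
//
// It restricts the server to a single UNIX-socket listener at cfg.SocketPath
// (no TCP listener is enabled), applies the read/write timeouts, warns about
// every operator-denied API that the CNI plugin or kubelet depends on,
// installs the deny-list middleware derived from swaggerSpec.DeniedAPIs, and
// finally wraps the API handler in a mux that also serves the statedb HTTP
// handler under /statedb/.
//
// Parameters:
//   - cfg: agent configuration; only SocketPath is read here.
//   - s: the API server to configure (mutated in place).
//   - db: the agent's statedb, exposed through db.HTTPHandler().
//   - swaggerSpec: carries DeniedAPIs, the operation IDs the operator disabled.
//
// Fix vs. the previous version: the warning message contains a %s verb but was
// passed to Warning(), which does not format, so the log line literally
// contained "%s" instead of the API name. It now goes through Warningf().
func configureAPIServer(cfg *option.DaemonConfig, s *server.Server, db *statedb.DB, swaggerSpec *server.Spec) {
	// UNIX socket only: the API is reachable solely through the socket file,
	// so access control is the socket's filesystem permissions.
	s.EnabledListeners = []string{"unix"}
	s.SocketPath = cfg.SocketPath
	s.ReadTimeout = apiTimeout
	s.WriteTimeout = apiTimeout

	// Operations other components rely on. Denying one of these does not stop
	// the agent, but it breaks the listed caller, so warn about it at startup.
	requiredAPIs := []string{
		"GetConfig",        // CNI: used to detect the IPAM mode
		"GetHealthz",       // Kubelet: daemon health checks
		"PutEndpointID",    // CNI: provision the network for a new Pod
		"DeleteEndpointID", // CNI: clean up networking for a deleted Pod
		"PostIPAM",         // CNI: reserve IPs for new Pods
		"DeleteIPAMIP",     // CNI: release IPs for deleted Pods
	}
	const msg = "Required API option %s is disabled. This may prevent Cilium from operating correctly"
	hint := "Consider enabling this API in " + server.AdminEnableFlag
	for _, requiredAPI := range requiredAPIs {
		if _, denied := swaggerSpec.DeniedAPIs[requiredAPI]; !denied {
			continue
		}
		// Warningf, not Warning: msg carries a %s verb. The API name is also
		// kept as a structured field for log consumers.
		log.WithFields(logrus.Fields{
			logfields.Hint:   hint,
			logfields.Params: requiredAPI,
		}).Warningf(msg, requiredAPI)
	}

	// Install the deny-list middleware for each denied operation, then let the
	// generated server wire up its handlers.
	api.DisableAPIs(swaggerSpec.DeniedAPIs, s.GetAPI().AddMiddlewareFor)
	s.ConfigureAPI()

	// Add the /statedb HTTP handler next to the API.
	// NOTE: this route is registered on the mux, outside the swagger API, so
	// the DeniedAPIs middleware above does not cover it. As far as this file
	// shows, nothing else gates it: any client that can open the socket can
	// query statedb.
	mux := http.NewServeMux()
	mux.Handle("/", s.GetHandler())
	mux.Handle("/statedb/", http.StripPrefix("/statedb", db.HTTPHandler()))
	s.SetHandler(mux)
}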
// pprofConfig is the agent's pprof configuration, registered through
// cell.Config(pprofConfig) in the Infrastructure module above: profiling is
// off (Pprof: false) and the listen address/port come from the agent-specific
// option values, so no profiling endpoint is served unless the operator
// enables it.
var pprofConfig = pprof.Config{
	PprofAddress: option.PprofAddressAgent,
	PprofPort:    option.PprofPortAgent,
	Pprof:        false,
}