Optimize how we check runtime KubeletConfig

we propose to store the runtime KubeletConfig in a ConfigMap per node when a node scan is launched. Then, we mount the ConfigMap to the scanner pod to scan for it.

Author: Vincent056

CHANGELOG.md

@@ -13,7 +13,13 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Fixes
 
--
+- Optimize how we check the KubeletConfig rule, we now store the runtime KubeletConfig
+  in a ConfigMap per node when a node scan is launched. Then, we mount the ConfigMap to
+  the scanner pod to scan for it. Hold on to applying remediation until all scans are 
+  done in the suite.
+  This fixes issues when comparing the KubeletConfig for each node.
+  This also fixes "/api/v1/nodes/NODE_NAME/proxy/configz" warning message in the log.
+  [OCPBUGS-11037](https://issues.redhat.com/browse/OCPBUGS-11037)
 
 ### Internal Changes
 
@@ -25,7 +31,9 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Removals
 
--
+- We have reverted commit 9cbf874, which is a fix for OCPBUGS-3864, the fix
+  is not needed anymore since the issue is fixed when we switched back to
+  the old way remediate the KubeletConfig.
 
 ### Security
 

bundle/manifests/compliance-operator.clusterserviceversion.yaml

@@ -1093,11 +1093,19 @@ spec:
         - apiGroups:
           - ""
           resources:
-          - nodes
           - namespaces
           verbs:
           - list
           - watch
+        - apiGroups:
+          - ""
+          resources:
+          - nodes
+          - nodes/proxy
+          verbs:
+          - list
+          - watch
+          - get
         - apiGroups:
           - machineconfiguration.openshift.io
           resources:
@@ -1347,6 +1355,15 @@ spec:
           - update
           - delete
           - deletecollection
+        - apiGroups:
+          - ""
+          resources:
+          - nodes
+          - nodes/proxy
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - ""
           resources:

cmd/manager/operator.go

@@ -289,7 +289,7 @@ func RunOperator(cmd *cobra.Command, args []string) {
 	}
 
 	// Setup all Controllers
-	if err := controller.AddToManager(mgr, met, si); err != nil {
+	if err := controller.AddToManager(mgr, met, si, kubeClient); err != nil {
 		setupLog.Error(err, "")
 		os.Exit(1)
 	}

config/rbac/operator_cluster_role.yaml

@@ -6,11 +6,19 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - nodes  # We need to list the nodes to be able to selectively scan
       - namespaces # We need this to get the range
     verbs:
       - list
       - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes # We need to list the nodes to be able to selectively scan
+      - nodes/proxy # We need to be able to get runtime kubeletconfig from the nodes
+    verbs:
+      - list
+      - watch
+      - get
   - apiGroups:
       - machineconfiguration.openshift.io
     resources:

config/rbac/operator_role.yaml

@@ -30,6 +30,15 @@ rules:
       - update     # The Suite controller annotates configMaps
       - delete            # Needed for result cleanup on re-scanning
       - deletecollection  # Needed for result cleanup on re-scanning
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+    verbs:
+      - get
+      - list
+      - watch 
   - apiGroups:
       - ""
     resources:

main.go

@@ -18,9 +18,10 @@ package main
 
 import (
 	"fmt"
-	"github.com/ComplianceAsCode/compliance-operator/cmd/manager"
 	"os"
 
+	"github.com/ComplianceAsCode/compliance-operator/cmd/manager"
+
 	"github.com/spf13/cobra"
 )
 

pkg/apis/compliance/v1alpha1/compliancescan_types.go

@@ -29,6 +29,9 @@ const ComplianceScanLabel = "compliance.openshift.io/scan-name"
 // ScriptLabel defines that the object is a script for a scan object
 const ScriptLabel = "complianceoperator.openshift.io/scan-script"
 
+// KubeletConfigLabel defines that the object is a fetched KubeletConfig for a scan object
+const KubeletConfigLabel = "complianceoperator.openshift.io/scan-kubeletconfig"
+
 // ResultLabel defines that the object is a result of a scan
 const ResultLabel = "complianceoperator.openshift.io/scan-result"
 

pkg/apis/compliance/v1alpha1/scansettingbinding_types.go

@@ -20,10 +20,10 @@ type ScanSettingBinding struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec     ScanSettingBindingSpec `json:"spec,omitempty"`
-	Profiles []NamedObjectReference `json:"profiles,omitempty"`
-	// +kubebuilder:default={"name":"default","kind": "ScanSetting", "apiGroup": "compliance.openshift.io/v1alpha1"}
-	SettingsRef *NamedObjectReference `json:"settingsRef,omitempty"`
+	Spec        ScanSettingBindingSpec `json:"spec,omitempty"`
+	Profiles    []NamedObjectReference `json:"profiles,omitempty"`
+        // +kubebuilder:default={"name":"default","kind": "ScanSetting", "apiGroup": "compliance.openshift.io/v1alpha1"}
+	SettingsRef *NamedObjectReference  `json:"settingsRef,omitempty"`
 	// +optional
 	Status ScanSettingBindingStatus `json:"status,omitempty"`
 }

pkg/controller/complianceremediation/complianceremediation_controller.go

@@ -21,6 +21,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -47,7 +48,7 @@ func (r *ReconcileComplianceRemediation) SetupWithManager(mgr ctrl.Manager) erro
 
 // Add creates a new ComplianceRemediation Controller and adds it to the Manager. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.
-func Add(mgr manager.Manager, met *metrics.Metrics, _ utils.CtlplaneSchedulingInfo) error {
+func Add(mgr manager.Manager, met *metrics.Metrics, _ utils.CtlplaneSchedulingInfo, _ *kubernetes.Clientset) error {
 	return add(mgr, newReconciler(mgr, met))
 }
 

pkg/controller/compliancescan/compliancescan_controller.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	goerrors "errors"
 	"fmt"
+	"io/ioutil"
 	"math"
 	"strings"
 	"time"
@@ -17,8 +18,10 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -59,14 +62,15 @@ func (r *ReconcileComplianceScan) SetupWithManager(mgr ctrl.Manager) error {
 
 // Add creates a new ComplianceScan Controller and adds it to the Manager. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.
-func Add(mgr manager.Manager, met *metrics.Metrics, si utils.CtlplaneSchedulingInfo) error {
-	return add(mgr, newReconciler(mgr, met, si))
+func Add(mgr manager.Manager, met *metrics.Metrics, si utils.CtlplaneSchedulingInfo, kubeClient *kubernetes.Clientset) error {
+	return add(mgr, newReconciler(mgr, met, si, kubeClient))
 }
 
 // newReconciler returns a new reconcile.Reconciler
-func newReconciler(mgr manager.Manager, met *metrics.Metrics, si utils.CtlplaneSchedulingInfo) reconcile.Reconciler {
+func newReconciler(mgr manager.Manager, met *metrics.Metrics, si utils.CtlplaneSchedulingInfo, kubeClient *kubernetes.Clientset) reconcile.Reconciler {
 	return &ReconcileComplianceScan{
 		Client:         mgr.GetClient(),
+		ClientSet:      kubeClient,
 		Scheme:         mgr.GetScheme(),
 		Recorder:       mgr.GetEventRecorderFor("scanctrl"),
 		Metrics:        met,
@@ -89,10 +93,11 @@ var _ reconcile.Reconciler = &ReconcileComplianceScan{}
 type ReconcileComplianceScan struct {
 	// This Client, initialized using mgr.Client() above, is a split Client
 	// that reads objects from the cache and writes to the apiserver
-	Client   client.Client
-	Scheme   *runtime.Scheme
-	Recorder record.EventRecorder
-	Metrics  *metrics.Metrics
+	Client    client.Client
+	ClientSet *kubernetes.Clientset
+	Scheme    *runtime.Scheme
+	Recorder  record.EventRecorder
+	Metrics   *metrics.Metrics
 	// helps us schedule platform scans on the nodes labeled for the
 	// compliance operator's control plane
 	schedulingInfo utils.CtlplaneSchedulingInfo
@@ -104,6 +109,7 @@ type ReconcileComplianceScan struct {
 //+kubebuilder:rbac:groups="",resources=persistentvolumeclaims,persistentvolumes,verbs=watch,create,get,list,delete
 //+kubebuilder:rbac:groups="",resources=pods,configmaps,events,verbs=create,get,list,watch,patch,update,delete,deletecollection
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=create,get,list,update,watch,delete
+//+kubebuilder:rbac:groups="",resources=nodes,nodes/proxy,verbs=get,list,watch
 //+kubebuilder:rbac:groups=apps,resources=replicasets,deployments,verbs=get,list,watch,create,update,delete
 //+kubebuilder:rbac:groups=compliance.openshift.io,resources=compliancescans,verbs=create,watch,patch,get,list
 //+kubebuilder:rbac:groups=compliance.openshift.io,resources=*,verbs=*
@@ -275,7 +281,6 @@ func (r *ReconcileComplianceScan) validate(instance *compv1alpha1.ComplianceScan
 
 func (r *ReconcileComplianceScan) phasePendingHandler(instance *compv1alpha1.ComplianceScan, logger logr.Logger) (reconcile.Result, error) {
 	logger.Info("Phase: Pending")
-
 	// Remove annotation if needed
 	if instance.NeedsRescan() {
 		instanceCopy := instance.DeepCopy()
@@ -350,6 +355,11 @@ func (r *ReconcileComplianceScan) phaseLaunchingHandler(h scanTypeHandler, logge
 		return reconcile.Result{}, err
 	}
 
+	if err = r.handleRuntimeKubeletConfig(scan, logger); err != nil {
+		logger.Error(err, "Cannot handle runtime kubelet config")
+		return reconcile.Result{}, err
+	}
+
 	if err = h.createScanWorkload(); err != nil {
 		if !common.IsRetriable(err) {
 			// Surface non-retriable errors to the CR
@@ -380,6 +390,101 @@ func (r *ReconcileComplianceScan) phaseLaunchingHandler(h scanTypeHandler, logge
 	return reconcile.Result{}, nil
 }
 
+// getRuntimeKubeletConfig gets the runtime kubeletconfig for a node
+// by fetching /api/v1/nodes/$nodeName/proxy/configz endpoint use the kubeClientset
+// and store it in a configmap for each node
+func (r *ReconcileComplianceScan) getRuntimeKubeletConfig(nodeName string) (string, error) {
+	// get the runtime kubeletconfig
+	kubeletConfigIO, err := r.ClientSet.CoreV1().RESTClient().Get().RequestURI("/api/v1/nodes/" + nodeName + "/proxy/configz").Stream(context.TODO())
+	if err != nil {
+		return "", err
+	}
+	defer kubeletConfigIO.Close()
+	kubeletConfig, err := ioutil.ReadAll(kubeletConfigIO)
+	if err != nil {
+		return "", err
+	}
+	// kubeletConfig is a byte array, we need to convert it to string
+	kubeletConfigStr := string(kubeletConfig)
+	return kubeletConfigStr, nil
+}
+
+func (r *ReconcileComplianceScan) createKubeletConfigCM(instance *compv1alpha1.ComplianceScan, node *corev1.Node) error {
+	kubeletConfig, err := r.getRuntimeKubeletConfig(node.Name)
+	if err != nil {
+		return fmt.Errorf("cannot get the runtime kubelet config for node %s: %v", node.Name, err)
+	}
+	trueP := true
+	// create a configmap for the node
+	kubeletConfigCM := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getKubeletCMNameForScan(instance, node),
+			Namespace: instance.Namespace,
+			CreationTimestamp: metav1.Time{
+				Time: time.Now(),
+			},
+			Labels: map[string]string{
+				compv1alpha1.ComplianceScanLabel: instance.Name,
+				compv1alpha1.KubeletConfigLabel:  "",
+			},
+		},
+		Data: map[string]string{
+			KubeletConfigMapName: kubeletConfig,
+		},
+		Immutable: &trueP,
+	}
+	err = r.Client.Create(context.TODO(), kubeletConfigCM)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (r *ReconcileComplianceScan) getNodesForScan(instance *compv1alpha1.ComplianceScan) (corev1.NodeList, error) {
+	nodes := corev1.NodeList{}
+	nodeScanSelector := map[string]string{"kubernetes.io/os": "linux"}
+	listOpts := client.ListOptions{
+		LabelSelector: labels.SelectorFromSet(labels.Merge(instance.Spec.NodeSelector, nodeScanSelector)),
+	}
+
+	if err := r.Client.List(context.TODO(), &nodes, &listOpts); err != nil {
+		return nodes, err
+	}
+	return nodes, nil
+}
+
+func (r *ReconcileComplianceScan) handleRuntimeKubeletConfig(instance *compv1alpha1.ComplianceScan, logger logr.Logger) error {
+	// only handle node scans
+	if instance.Spec.ScanType != compv1alpha1.ScanTypeNode {
+		return nil
+	}
+	nodes, err := r.getNodesForScan(instance)
+	if err != nil {
+		logger.Error(err, "Cannot get the nodes for the scan")
+		return err
+	}
+	for _, node := range nodes.Items {
+		// check if the configmap already exists for the node
+		kubeletConfigCM := &corev1.ConfigMap{}
+		err := r.Client.Get(context.TODO(), types.NamespacedName{Name: getKubeletCMNameForScan(instance, &node), Namespace: instance.Namespace}, kubeletConfigCM)
+		if err != nil {
+			if !errors.IsNotFound(err) {
+				logger.Error(err, "Error getting the configmap for the runtime kubeletconfig", "node", node.Name)
+				return err
+			}
+			// create a configmap for the node
+			err = r.createKubeletConfigCM(instance, &node)
+			logger.Info("Created a new configmap for the node", "configmap", kubeletConfigCM.Name, "node", node.Name)
+			if err != nil {
+				logger.Error(err, "Error creating the configmap for the runtime kubeletconfig", "node", node.Name)
+				return err
+			}
+			continue
+		}
+	}
+	return nil
+}
+
 func (r *ReconcileComplianceScan) phaseRunningHandler(h scanTypeHandler, logger logr.Logger) (reconcile.Result, error) {
 	logger.Info("Phase: Running")
 
@@ -575,6 +680,7 @@ func (r *ReconcileComplianceScan) phaseDoneHandler(h scanTypeHandler, instance *
 			logger.Error(err, "Cannot delete aggregator")
 			return reconcile.Result{}, err
 		}
+
 	}
 
 	// We need to remove resources before doing a re-scan
@@ -605,6 +711,11 @@ func (r *ReconcileComplianceScan) phaseDoneHandler(h scanTypeHandler, instance *
 			return reconcile.Result{}, err
 		}
 
+		if err := r.deleteKubeletConfigConfigMaps(instance, logger); err != nil {
+			logger.Error(err, "Cannot delete KubeletConfig ConfigMaps")
+			return reconcile.Result{}, err
+		}
+
 		if instance.NeedsRescan() {
 			if err = r.deleteResultConfigMaps(instance, logger); err != nil {
 				logger.Error(err, "Cannot delete result ConfigMaps")
@@ -752,6 +863,19 @@ func (r *ReconcileComplianceScan) deleteResultConfigMaps(instance *compv1alpha1.
 	return nil
 }
 
+func (r *ReconcileComplianceScan) deleteKubeletConfigConfigMaps(instance *compv1alpha1.ComplianceScan, logger logr.Logger) error {
+	inNs := client.InNamespace(common.GetComplianceOperatorNamespace())
+	withLabel := client.MatchingLabels{
+		compv1alpha1.ComplianceScanLabel: instance.Name,
+		compv1alpha1.KubeletConfigLabel:  "",
+	}
+	err := r.Client.DeleteAllOf(context.Background(), &corev1.ConfigMap{}, inNs, withLabel)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // returns true if the pod is still running, false otherwise
 func isPodRunningInNode(r *ReconcileComplianceScan, scanInstance *compv1alpha1.ComplianceScan, node *corev1.Node, timeout time.Duration, logger logr.Logger) (bool, error) {
 	podName := getPodForNodeName(scanInstance.Name, node.Name)