feat: add support for OpenShift
aleoli authored and adamjensenbot committed Mar 7, 2025
1 parent b432eb5 commit 0860da2
Showing 18 changed files with 176 additions and 2 deletions.
2 changes: 1 addition & 1 deletion deployments/liqo/README.md
Expand Up @@ -151,7 +151,7 @@
| offloading.runtimeClass.tolerations | object | `{"enabled":true,"tolerations":[{"effect":"NoExecute","key":"virtual-node.liqo.io/not-allowed","operator":"Exists"}]}` | Tolerations for the runtime class. |
| offloading.runtimeClass.tolerations.tolerations | list | `[{"effect":"NoExecute","key":"virtual-node.liqo.io/not-allowed","operator":"Exists"}]` | Tolerations for the tolerations. |
| openshiftConfig.enabled | bool | `false` | Enable/Disable the OpenShift support, enabling Openshift-specific resources, and setting the pod security contexts in a way that is compatible with Openshift. |
| openshiftConfig.virtualKubeletSCCs | list | `["anyuid"]` | Security context configurations granted to the virtual kubelet in the local cluster. The configuration of one or more SCCs for the virtual kubelet is not strictly required, and privileges can be reduced in production environments. Still, the default configuration (i.e., anyuid) is suggested to prevent problems (i.e., the virtual kubelet fails to add the appropriate labels) when attempting to offload pods not managed by higher-level abstractions (e.g., Deployments), and not associated with a properly privileged service account. Indeed, "anyuid" is the SCC automatically associated with pods created by cluster administrators. Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded. |
| openshiftConfig.virtualKubeletSCCs | list | `["anyuid","privileged"]` | Security context configurations granted to the virtual kubelet in the local cluster. The configuration of one or more SCCs for the virtual kubelet is not strictly required, and privileges can be reduced in production environments. Still, the default configuration (i.e., anyuid) is suggested to prevent problems (i.e., the virtual kubelet fails to add the appropriate labels) when attempting to offload pods not managed by higher-level abstractions (e.g., Deployments), and not associated with a properly privileged service account. Indeed, "anyuid" is the SCC automatically associated with pods created by cluster administrators. Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded. |
| proxy.config.listeningPort | int | `8118` | Port used by the proxy pod. |
| proxy.enabled | bool | `true` | Enable/Disable the proxy pod. This pod is mandatory to allow in-band peering and to connect to the consumer k8s api server from a remotly offloaded pod. |
| proxy.image.name | string | `"ghcr.io/liqotech/proxy"` | Image repository for the proxy pod. |
37 changes: 37 additions & 0 deletions deployments/liqo/files/liqo-controller-manager-ClusterRole.yaml
Expand Up @@ -18,6 +18,13 @@ rules:
- patch
- update
- watch
- apiGroups:
- ""
resources:
- namespaces/finalizers
- nodes/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -61,6 +68,8 @@ rules:
resources:
- identities/finalizers
- renews/finalizers
- resourceslices/finalizers
- tenants/finalizers
verbs:
- update
- apiGroups:
Expand Down Expand Up @@ -189,6 +198,20 @@ rules:
- patch
- update
- watch
- apiGroups:
- networking.liqo.io
resources:
- configurations/finalizers
- gatewayclients/finalizers
- gatewayservers/finalizers
- genevetunnels/finalizers
- internalfabrics/finalizers
- internalnodes/finalizers
- routeconfigurations/finalizers
- wggatewayclients/finalizers
- wggatewayservers/finalizers
verbs:
- update
- apiGroups:
- networking.liqo.io
resources:
Expand Down Expand Up @@ -260,6 +283,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- offloading.liqo.io
resources:
- quotas/finalizers
verbs:
- update
- apiGroups:
- offloading.liqo.io
resources:
Expand All @@ -284,6 +313,14 @@ rules:
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings/finalizers
- clusterroles/finalizers
- rolebindings/finalizers
verbs:
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
2 changes: 2 additions & 0 deletions deployments/liqo/templates/liqo-fabric-daemonset.yaml
Expand Up @@ -30,6 +30,8 @@ spec:
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/infra
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
{{- if .Values.networking.fabric.tolerations }}
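Review bot: The new `node-role.kubernetes.io/infra` toleration is added unconditionally, while every other OpenShift-specific resource in this commit is gated on `.Values.openshiftConfig.enabled`; tolerating a taint that other distributions never set is harmless, but the intent is invisible to a reader of the template. Either wrap the two lines in `{{- if .Values.openshiftConfig.enabled }}` … `{{- end }}` or add `# OpenShift infra nodes carry this taint` above them. The tolerations list begins outside the hunk.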
12 changes: 11 additions & 1 deletion deployments/liqo/templates/liqo-fabric-rbac.yaml
@@ -1,4 +1,4 @@
{{- $fabricConfig := (merge (dict "name" "fabric" "module" "networking") .) -}}
{{- $fabricConfig := (merge (dict "name" "fabric" "module" "networking" "version" .Values.networking.fabric.image.version ) .) -}}

{{- if .Values.networking.enabled }}

Expand Down Expand Up @@ -31,5 +31,15 @@ metadata:
labels:
{{- include "liqo.labels" $fabricConfig | nindent 4 }}
{{ .Files.Get (include "liqo.cluster-role-filename" (dict "prefix" ( include "liqo.prefixedName" $fabricConfig))) }}
{{- if .Values.openshiftConfig.enabled }}
- apiGroups:
- security.openshift.io
resourceNames:
- {{ include "liqo.prefixedName" $fabricConfig }}
resources:
- securitycontextconstraints
verbs:
- use
{{- end }}

{{- end }}
10 changes: 10 additions & 0 deletions deployments/liqo/templates/liqo-gateway-rbac.yaml
Expand Up @@ -10,5 +10,15 @@ metadata:
labels:
{{- include "liqo.labels" $gatewayConfig | nindent 4 }}
{{ .Files.Get (include "liqo.cluster-role-filename" (dict "prefix" ( include "liqo.prefixedName" $gatewayConfig))) }}
{{- if .Values.openshiftConfig.enabled }}
- apiGroups:
- security.openshift.io
resourceNames:
- liqo-gateway
resources:
- securitycontextconstraints
verbs:
- use
{{- end }}

{{- end }}
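Review bot: The `resourceNames` entry hard-codes `liqo-gateway`, which has to stay byte-equal to `metadata.name` in liqo-gateway-scc.yaml, whereas the fabric counterpart in liqo-fabric-rbac.yaml derives the name through `include "liqo.prefixedName"`. A rename of the SCC would leave this `use` grant pointing at a non-existent object and the gateway pods would be admitted under whatever SCC the service account can otherwise use, so deriving both names from one named template is the safer form. The enclosing ClusterRole definition starts outside the hunk.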
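--- a/deployments/liqo/templates/liqo-gateway-scc.yaml
+++ b/deployments/liqo/templates/liqo-gateway-scc.yaml
@@ -0,0 +1,44 @@
+{{- if and .Values.networking.enabled .Values.openshiftConfig.enabled }}
+
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+name: liqo-gateway
+labels:
+{{- include "liqo.labels" . | nindent 4 }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- NET_ADMIN
+- NET_RAW
+defaultAddCapabilities: []
+fsGroup:
+type: RunAsAny
+groups: []
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities: []
+runAsUser:
+type: RunAsAny
+seLinuxContext:
+type: RunAsAny
+supplementalGroups:
+type: RunAsAny
+users:
+{{- range .Values.openshiftConfig.gatewayServiceAccounts }}
+- system:serviceaccount:{{ $.Release.Namespace }}:{{ . }}
+{{- end }}
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+
+{{- end }}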
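Review bot: `allowPrivilegedContainer: true` makes the `allowedCapabilities` list of NET_ADMIN and NET_RAW redundant, because a privileged container receives every capability regardless of that list; if the gateway pod only needs those two capabilities (pkg/liqoctl/install/openshift/provider.go in this commit forces the userspace WireGuard implementation, which suggests no kernel-module access is expected), `allowPrivilegedContainer: false` would be the tighter grant — confirm against the gateway pod template before changing it. The `users:` list ranges over `.Values.openshiftConfig.gatewayServiceAccounts`, a value that does not appear in the values.yaml or README hunks of this commit; when it is unset the range renders no users and access comes only from the `use` rule in liqo-gateway-rbac.yaml, so the value should be documented in values.yaml or the list dropped to keep a single source of truth. A header comment stating which grant each gateway feature relies on would let operators tighten the SCC with confidence.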
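--- a/deployments/liqo/templates/liqo-scc.yaml
+++ b/deployments/liqo/templates/liqo-scc.yaml
@@ -0,0 +1,43 @@
+{{- $fabricConfig := (merge (dict "name" "fabric" "module" "networking" "version" .Values.networking.fabric.image.version ) .) -}}
+
+{{- if and .Values.openshiftConfig.enabled .Values.networking.enabled }}
+
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+name: {{ include "liqo.prefixedName" $fabricConfig }}
+labels:
+{{- include "liqo.labels" $fabricConfig | nindent 4 }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: false
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- NET_ADMIN
+- NET_RAW
+defaultAddCapabilities: []
+fsGroup:
+type: RunAsAny
+readOnlyRootFilesystem: false
+runAsUser:
+type: RunAsAny
+seLinuxContext:
+type: RunAsAny
+seccompProfiles:
+- '*'
+supplementalGroups:
+type: RunAsAny
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ include "liqo.prefixedName" $fabricConfig }}
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+
+{{- end }}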
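Review bot: This SCC is the most permissive object the chart creates — privileged containers, host network, host ports and `seccompProfiles: ['*']` (any profile, including unconfined) — yet nothing records why each grant is needed; a header comment such as `# privileged/hostNetwork/hostPorts: required by the fabric DaemonSet to program node networking — confirm per grant` would let an operator see what can be tightened for their cluster. `allowedCapabilities` is redundant once privileged containers are allowed, and `seccompProfiles` could be narrowed to the profile the fabric pod actually sets, if any. Unlike liqo-gateway-scc.yaml this SCC sets no `priority` and no `groups: []`; if the two SCCs are meant to be symmetric, adding `priority: 10` here keeps admission ordering between user-usable SCCs consistent. The `$fabricConfig` dict on the first line duplicates the one in liqo-fabric-rbac.yaml; a named template would keep the SCC name and the RBAC `resourceNames` from drifting apart.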
1 change: 1 addition & 0 deletions deployments/liqo/values.yaml
Expand Up @@ -680,3 +680,4 @@ openshiftConfig:
# Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded.
virtualKubeletSCCs:
- anyuid
- privileged
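Review bot: Adding `privileged` to the default `virtualKubeletSCCs` widens what the virtual kubelet service account may use from `anyuid` to the most permissive built-in SCC, but the comment block above and the README row updated in this commit still describe the default as `anyuid` and only motivate that one. A line such as `# "privileged" is presumably needed to offload pods that themselves require the privileged SCC — remove it if no such workloads are offloaded` above the entry would record the reason and point operators to the reduction. The values comment and the README text should be changed together so they do not contradict the shipped default.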
Expand Up @@ -89,10 +89,15 @@ func NewTenantReconciler(cl client.Client, scheme *runtime.Scheme, config *rest.

// cluster-role
// +kubebuilder:rbac:groups=authentication.liqo.io,resources=tenants;tenants/status,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=authentication.liqo.io,resources=tenants;tenants/finalizers,verbs=update
// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=namespaces/finalizers,verbs=update
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;deletecollection;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings/finalizers,verbs=update
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings/finalizers,verbs=update
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles/finalizers,verbs=update

// Reconcile manages the lifecycle of a Tenant.
func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) {
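Review bot: The new `*/finalizers` `update` markers carry no explanation, and the same kind of marker is added without one in the gateway client/server, configuration, wggateway client/server, internalfabric, node and quota controller hunks below. On OpenShift the `OwnerReferencesPermissionEnforcement` admission plugin requires `update` on the owner's `finalizers` subresource before a controller may set an ownerReference with `blockOwnerDeletion` on it, which is presumably what motivates these additions; a one-line comment above the first such marker, e.g. `// <resource>/finalizers update is required by OpenShift's OwnerReferencesPermissionEnforcement admission plugin when setting blockOwnerDeletion owner references.`, would keep a future maintainer from pruning them as unused. NewTenantReconciler begins outside the hunk.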
Expand Up @@ -78,8 +78,10 @@ func NewClientReconciler(cl client.Client, dynClient dynamic.Interface,
// cluster-role
// +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayclients,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayclients/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayclients/finalizers,verbs=update
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients/finalizers,verbs=update
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclienttemplates,verbs=get;list;watch;delete;create;update;patch

// Reconcile manage GatewayClient lifecycle.
Expand Up @@ -57,6 +57,7 @@ func NewConfigurationReconciler(cl client.Client, s *runtime.Scheme, er record.E
// cluster-role
// +kubebuilder:rbac:groups=networking.liqo.io,resources=configurations,verbs=get;list;watch;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=configurations/status,verbs=get;list;watch;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=configurations/finalizers,verbs=update
// +kubebuilder:rbac:groups=ipam.liqo.io,resources=networks,verbs=get;list;watch;create
// +kubebuilder:rbac:groups=ipam.liqo.io,resources=networks/status,verbs=get;list;watch

Expand Up @@ -78,8 +78,10 @@ func NewServerReconciler(cl client.Client, dynClient dynamic.Interface,
// cluster-role
// +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayservers,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayservers/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=gatewayservers/finalizers,verbs=update
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers/finalizers,verbs=update
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservertemplates,verbs=get;list;watch;delete;create;update;patch

// Reconcile manage GatewayServer lifecycle.
Expand Up @@ -70,6 +70,7 @@ func NewWgGatewayClientReconciler(cl client.Client, s *runtime.Scheme,
// cluster-role
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayclients/finalizers,verbs=update
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;delete;update
// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;list;watch;delete;create;update;patch
Expand Up @@ -70,9 +70,11 @@ func NewWgGatewayServerReconciler(cl client.Client, s *runtime.Scheme,

// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=wggatewayservers/finalizers,verbs=update
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch
// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch
// +kubebuilder:rbac:groups=core,resources=nodes/finalizers,verbs=update
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;delete;update
// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;list;watch;delete;create;update;patch
Expand Up @@ -47,9 +47,13 @@ func NewInternalFabricReconciler(cl client.Client, s *runtime.Scheme) *InternalF
// cluster-role
// +kubebuilder:rbac:groups=networking.liqo.io,resources=internalfabrics,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=internalfabrics/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=internalfabrics/finalizers,verbs=update
// +kubebuilder:rbac:groups=networking.liqo.io,resources=routeconfigurations,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=routeconfigurations/finalizers,verbs=update
// +kubebuilder:rbac:groups=networking.liqo.io,resources=genevetunnels,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=genevetunnels/finalizers,verbs=update
// +kubebuilder:rbac:groups=networking.liqo.io,resources=internalnodes,verbs=get;list;watch
// +kubebuilder:rbac:groups=networking.liqo.io,resources=internalnodes/finalizers,verbs=update

// Reconcile manage InternalFabric lifecycle.
func (r *InternalFabricReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) {
Expand Up @@ -58,6 +58,7 @@ func NewNodeReconciler(cl client.Client, s *runtime.Scheme, liqoNamespace string
// cluster-role
// +kubebuilder:rbac:groups=networking.liqo.io,resources=internalnodes,verbs=get;list;watch;delete;create;update;patch
// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch
// +kubebuilder:rbac:groups=core,resources=nodes/finalizers,verbs=update
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;

// Reconcile manage Node lifecycle.
Expand Up @@ -64,7 +64,9 @@ func NewQuotaCreatorReconciler(

// cluster-role
// +kubebuilder:rbac:groups=authentication.liqo.io,resources=resourceslices,verbs=get;list;watch
// +kubebuilder:rbac:groups=authentication.liqo.io,resources=resourceslices/finalizers,verbs=update
// +kubebuilder:rbac:groups=offloading.liqo.io,resources=quotas,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=offloading.liqo.io,resources=quotas/finalizers,verbs=update

// Reconcile manage Quotas resources.
func (r *QuotaCreatorReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
7 changes: 7 additions & 0 deletions pkg/liqoctl/install/openshift/provider.go
Expand Up @@ -73,6 +73,13 @@ func (o *Options) Values() map[string]interface{} {
"openshiftConfig": map[string]interface{}{
"enabled": true,
},
"networking": map[string]interface{}{
"gatewayTemplates": map[string]interface{}{
"wireguard": map[string]interface{}{
"implementation": "userspace",
},
},
},
}
}

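Review bot: The new `networking.gatewayTemplates.wireguard.implementation: "userspace"` entry in the `Values()` map has no comment saying why OpenShift needs it, and the hunk does not show whether a user-supplied value for the same key takes precedence over this provider default or is overridden by it. A comment such as `// OpenShift: default to the userspace WireGuard implementation, which does not need kernel-module access from the gateway pod — confirm` would record the rationale, and the merge precedence with user values is worth stating in the liqoctl install documentation. The `Values()` method begins outside the hunk.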
