Add tolerations for node taints when creating privileged pod

When the target pod is running on a node with additional taints, the privileged pod cannot be created unless it has matching tolerations. Closes: #167
eldadru · Apr 20, 2023 · 5010aaa · 5010aaa
1 parent b0b737c
commit 5010aaa
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/kube/kubernetes_api_service.go b/kube/kubernetes_api_service.go
@@ -23,9 +23,11 @@ import (
 type KubernetesApiService interface {
 	ExecuteCommand(podName string, containerName string, command []string, stdOut io.Writer) (int, error)
 
+	GetNodeTaints(nodeName string) ([]corev1.Taint, error)
+
 	DeletePod(podName string) error
 
-	CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string) (*corev1.Pod, error)
+	CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string, tolerations []corev1.Toleration) (*corev1.Pod, error)
 
 	UploadFile(localPath string, remotePath string, podName string, containerName string) error
 }
@@ -102,7 +104,16 @@ func (k *KubernetesApiServiceImpl) DeletePod(podName string) error {
 	return err
 }
 
-func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string) (*corev1.Pod, error) {
+func (k *KubernetesApiServiceImpl) GetNodeTaints(nodeName string) ([]corev1.Taint, error) {
+	node, err := k.clientset.CoreV1().Nodes().Get(context.TODO(), nodeName, v1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	return node.Spec.Taints, nil
+}
+
+func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string, tolerations []corev1.Toleration) (*corev1.Pod, error) {
 	log.Debugf("creating privileged pod on remote node")
 
 	isSupported, err := k.IsSupportedContainerRuntime(nodeName)
@@ -172,6 +183,7 @@ func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containe
 		RestartPolicy: corev1.RestartPolicyNever,
 		HostPID:       true,
 		Containers:    []corev1.Container{privilegedContainer},
+		Tolerations:   tolerations,
 		Volumes: []corev1.Volume{
 			{
 				Name: "host",

diff --git a/pkg/service/sniffer/privileged_pod_sniffer_service.go b/pkg/service/sniffer/privileged_pod_sniffer_service.go
@@ -42,13 +42,28 @@ func (p *PrivilegedPodSnifferService) Setup() error {
 		p.settings.SocketPath = p.runtimeBridge.GetDefaultSocketPath()
 	}
 
+	nodeTaints, err := p.kubernetesApiService.GetNodeTaints(p.settings.DetectedPodNodeName)
+	if err != nil {
+		return err
+	}
+
+	tolerations := make([]v1.Toleration, 0)
+	for _, taint := range nodeTaints {
+		tolerations = append(tolerations, v1.Toleration{
+			Key:      taint.Key,
+			Operator: v1.TolerationOpExists,
+			Effect:   taint.Effect,
+		})
+	}
+
 	p.privilegedPod, err = p.kubernetesApiService.CreatePrivilegedPod(
 		p.settings.DetectedPodNodeName,
 		p.privilegedContainerName,
 		p.settings.Image,
 		p.settings.SocketPath,
 		p.settings.UserSpecifiedPodCreateTimeout,
 		p.settings.UserSpecifiedServiceAccount,
+		tolerations,
 	)
 	if err != nil {
 		log.WithError(err).Errorf("failed to create privileged pod on node: '%s'", p.settings.DetectedPodNodeName)