Make kmesh cni and manage controller consitent during pod enrollment

pkg/cni/plugin/plugin.go

@@ -20,8 +20,6 @@
 	"context"
 	"encoding/json"
 	"fmt"
-	"strconv"
-	"strings"
 
 	"github.com/cilium/ebpf"
 	"github.com/containernetworking/cni/pkg/skel"
@@ -30,14 +28,10 @@
 	"github.com/containernetworking/cni/pkg/version"
 	netns "github.com/containernetworking/plugins/pkg/ns"
 	"github.com/vishvananda/netlink"
-	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	k8stypes "k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/kubernetes"
 
 	"kmesh.net/kmesh/pkg/constants"
 	"kmesh.net/kmesh/pkg/logger"
-	"kmesh.net/kmesh/pkg/nets"
 	"kmesh.net/kmesh/pkg/utils"
 )
 
@@ -86,100 +80,6 @@
 	return &cniConf, &k8sCommonArgs, result, nil
 }
 
-// checkKmesh checks whether we should enable kmesh for the given pod
-func checkKmesh(client kubernetes.Interface, pod *v1.Pod) (bool, error) {
-	namespace, err := client.CoreV1().Namespaces().Get(context.TODO(), pod.Namespace, metav1.GetOptions{})
-	if err != nil {
-		return false, err
-	}
-	var enableSidecar bool
-	injectLabel := namespace.Labels["istio-injection"]
-	if injectLabel == "enabled" {
-		enableSidecar = true
-	}
-	// According to istio, it support per pod config.
-	injValue := pod.Annotations["sidecar.istio.io/inject"]
-	if v, ok := pod.Labels["sidecar.istio.io/inject"]; ok {
-		injValue = v
-	}
-	if inject, err := strconv.ParseBool(injValue); err == nil {
-		enableSidecar = inject
-	}
-
-	// If sidecar inject enabled, kmesh do not take charge of it.
-	if enableSidecar {
-		return false, nil
-	}
-
-	// Exclude istio managed gateway
-	if gateway, ok := pod.Labels["gateway.istio.io/managed"]; ok {
-		if strings.EqualFold(gateway, "istio.io-mesh-controller") {
-			return false, nil
-		}
-	}
-
-	mode := namespace.Labels[constants.DataPlaneModeLabel]
-	if strings.EqualFold(mode, constants.DataPlaneModeKmesh) {
-		return true, nil
-	}
-
-	return false, nil
-}
-
-func disableKmeshControl(ns string) error {
-	if ns == "" {
-		return nil
-	}
-
-	execFunc := func(netns.NetNS) error {
-		/*
-		 * Attempt to connect to a special IP address. The
-		 * connection triggers the cgroup/connect4/6 ebpf
-		 * program and records the netns cookie information
-		 * of the current connection. The cookie can be used
-		 * to determine whether the netns is managed by Kmesh.
-		 * ControlCommandIp4/6:930(0x3a2) is "cipher key" for cgroup/connect4/6
-		 * ebpf program disable kmesh control
-		 */
-		return nets.TriggerControlCommand(constants.OperDisableControl)
-	}
-
-	if err := netns.WithNetNSPath(ns, execFunc); err != nil {
-		err = fmt.Errorf("enter ns path :%v, run execFunc failed: %v", ns, err)
-		return err
-	}
-	return nil
-}
-
-func enableKmeshControl(ns string) error {
-	execFunc := func(netns.NetNS) error {
-		/*
-		 * Attempt to connect to a special IP address. The
-		 * connection triggers the cgroup/connect4/6 ebpf
-		 * program and records the netns cookie information
-		 * of the current connection. The cookie can be used
-		 * to determine whether the netns is managed by Kmesh.
-		 * ControlCommandIp4/6:929(0x3a1) is "cipher key" for cgroup/connect4/6
-		 * ebpf program.
-		 */
-		return nets.TriggerControlCommand(constants.OperEnableControl)
-	}
-
-	if err := netns.WithNetNSPath(ns, execFunc); err != nil {
-		err = fmt.Errorf("enter ns path :%v, run execFunc failed: %v", ns, err)
-		return err
-	}
-	return nil
-}
-
-const KmeshRedirection = "kmesh.net/redirection"
-
-var annotationPatch = []byte(fmt.Sprintf(
-	`{"metadata":{"annotations":{"%s":"%s"}}}`,
-	KmeshRedirection,
-	"enabled",
-))
-
 func getPrevCniResult(conf *cniConf) (*cniv1.Result, error) {
 	var err error
 	if conf.RawPrevResult == nil {
@@ -228,17 +128,6 @@
 	return nil
 }
 
-func patchKmeshAnnotation(client kubernetes.Interface, pod *v1.Pod) error {
-	_, err := client.CoreV1().Pods(pod.Namespace).Patch(
-		context.Background(),
-		pod.Name,
-		k8stypes.MergePatchType,
-		annotationPatch,
-		metav1.PatchOptions{},
-	)
-	return err
-}
-
 // if cmdadd failed, then we cannot return failed, do nothing and print pre result
 func CmdAdd(args *skel.CmdArgs) error {
 	var err error
@@ -271,22 +160,23 @@
 		return err
 	}
 
-	enableKmesh, err := checkKmesh(client, pod)
+	namespace, err := client.CoreV1().Namespaces().Get(context.TODO(), pod.Namespace, metav1.GetOptions{})
 	if err != nil {
-		log.Errorf("failed to check enable kmesh information: %v", err)
-		return err
+		return fmt.Errorf("failed to get namespace %s: %v", pod.Namespace, err)
 	}
 
+	enableKmesh := utils.ShouldEnroll(pod, namespace)
+
 	if !enableKmesh {
 		return types.PrintResult(preResult, cniConf.CNIVersion)
 	}
 
-	if err := enableKmeshControl(args.Netns); err != nil {
+	if err := utils.HandleKmeshManage(args.Netns, true); err != nil {
 		log.Errorf("failed to enable kmesh control, err is %v", err)
 		return err
 	}
 
-	if err := patchKmeshAnnotation(client, pod); err != nil {
+	if err := utils.PatchKmeshRedirectAnnotation(client, pod); err != nil {
 		log.Errorf("failed to annotate kmesh redirection, err is %v", err)
 	}
 
@@ -314,7 +204,7 @@
 
 func CmdDelete(args *skel.CmdArgs) error {
 	// clean
-	if err := disableKmeshControl(args.Netns); err != nil {
+	if err := utils.HandleKmeshManage(args.Netns, false); err != nil {
 		log.Errorf("failed to disable Kmesh control, err: %v", err)
 	}
 

pkg/constants/constants.go

@@ -43,8 +43,6 @@ const (
 	// Oper code for control command
 	OperEnableControl  = 929
 	OperDisableControl = 930
-	OperEnableBypass   = 931
-	OperDisableByPass  = 932
 
 	// tail call index in tail call prog map
 	TailCallConnect4Index = 0

pkg/controller/bypass/bypass_controller.go

@@ -22,7 +22,6 @@ import (
 	"time"
 
 	netns "github.com/containernetworking/plugins/pkg/ns"
-	"istio.io/api/annotation"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/informers"
@@ -32,6 +31,7 @@ import (
 	ns "kmesh.net/kmesh/pkg/controller/netns"
 	"kmesh.net/kmesh/pkg/logger"
 	"kmesh.net/kmesh/pkg/utils"
+	"kmesh.net/kmesh/pkg/utils/istio"
 )
 
 var (
@@ -64,7 +64,7 @@ func NewByPassController(client kubernetes.Interface) *Controller {
 				log.Errorf("expected *corev1.Pod but got %T", obj)
 				return
 			}
-			if !podHasSidecar(pod) {
+			if !istio.PodHasSidecar(pod) {
 				log.Infof("pod %s/%s does not have sidecar injected, skip", pod.GetNamespace(), pod.GetName())
 				return
 			}
@@ -94,7 +94,7 @@ func NewByPassController(client kubernetes.Interface) *Controller {
 				return
 			}
 
-			if !podHasSidecar(newPod) {
+			if !istio.PodHasSidecar(newPod) {
 				log.Debugf("pod %s/%s does not have a sidecar", newPod.GetNamespace(), newPod.GetName())
 				return
 			}
@@ -190,11 +190,3 @@ func deleteIptables(ns string) error {
 	}
 	return nil
 }
-
-func podHasSidecar(pod *corev1.Pod) bool {
-	if _, f := pod.GetAnnotations()[annotation.SidecarStatus.Name]; f {
-		return true
-	}
-
-	return false
-}