From d0f3e60893e27d34c4030702f3ade4f2e0590fd9 Mon Sep 17 00:00:00 2001 From: David Elie-Dit-Cosaque Date: Fri, 17 Jun 2022 15:32:07 -0500 Subject: [PATCH 1/2] Some documentations updates --- README.md | 5 ++++- doc/ethertypeListening.svg | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 doc/ethertypeListening.svg diff --git a/README.md b/README.md index ab1ecbc..0d39ab2 100644 --- a/README.md +++ b/README.md @@ -68,4 +68,7 @@ Each openshift node reports L2 connectivity with a JSON log as shown below. The } ``` -In addition to frames with the experimental, frames with the ptp Ethertype are collected, but not transmitted. This helps identify which port are already receiving PTP protocol frames. \ No newline at end of file + +Frames with the ptp Ethertype are also collected, but not transmitted. This helps identify which port are already receiving PTP protocol frames. + +![discovery_workflow](doc/ethertypeListening.svg) diff --git a/doc/ethertypeListening.svg b/doc/ethertypeListening.svg new file mode 100644 index 0000000..1af0499 --- /dev/null +++ b/doc/ethertypeListening.svg @@ -0,0 +1,4 @@ + + + +
LAN 1
LAN 1
LAN 2
LAN 2
L2 topology
L2 topology
Openshift worker 1
Openshift worker 1
Port1
Port1
Port2
Port2
Step2: Record which MAC SA are received on each ports
Step2: Record which MAC SA a...
Step 1: ptp frames are generated somewhere in the network
Step 1: ptp frames are ge...
Text is not SVG - cannot display
\ No newline at end of file From 232a86b20b98c65ccfe46276a26cad05cb800db0 Mon Sep 17 00:00:00 2001 From: David Elie-Dit-Cosaque Date: Fri, 17 Jun 2022 16:24:01 -0500 Subject: [PATCH 2/2] Deploy deamonset in default namespace to be able to use default scc --- resources/daemonset.yml | 24 ++++++++++-------- resources/namespace.yml | 8 ------ resources/role.yml | 15 ------------ resources/rolebinding.yml | 12 --------- resources/scc.yml | 46 ----------------------------------- resources/service-account.yml | 5 ---- 6 files changed, 14 insertions(+), 96 deletions(-) delete mode 100644 resources/namespace.yml delete mode 100644 resources/role.yml delete mode 100644 resources/rolebinding.yml delete mode 100644 resources/scc.yml delete mode 100644 resources/service-account.yml diff --git a/resources/daemonset.yml b/resources/daemonset.yml index bb6254d..49c0625 100644 --- a/resources/daemonset.yml +++ b/resources/daemonset.yml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - namespace: l2discovery + namespace: default name: l2discovery labels: tier: node @@ -20,24 +20,28 @@ spec: name: l2discovery spec: hostNetwork: true - serviceAccountName: l2discovery + securityContext: {} + serviceAccount: default + serviceAccountName: default nodeSelector: kubernetes.io/os: linux tolerations: - - operator: Exists - effect: NoSchedule + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 300 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 300 + - effect: NoSchedule + key: node-role.kubernetes.io/master containers: - name: l2discovery imagePullPolicy: Always securityContext: privileged: true runAsUser: 0 - capabilities: - add: - - NET_ADMIN - - NET_RAW - - SYS_CHROOT - - FOWNER image: quay.io/testnetworkfunction/l2discovery:latest resources: requests: diff --git a/resources/namespace.yml b/resources/namespace.yml deleted file mode 100644 index 69c7704..0000000 
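Review bot: Switching to `serviceAccountName: default` in the `default` namespace while keeping `privileged: true`, `runAsUser: 0` and `hostNetwork: true` removes the dedicated ServiceAccount and RBAC binding that the rest of this patch deletes, so admission of this pod now rests on whichever SCC the namespace's default service account happens to be granted rather than on an explicit, auditable grant; keeping a dedicated ServiceAccount bound to the required SCC would preserve that, and at minimum the `namespace: default` hunk above deserves a comment naming the SCC being relied on. `serviceAccount: default` duplicates `serviceAccountName` through the deprecated PodSpec alias and the pod-level `securityContext: {}` is a no-op, so both added lines can be dropped. The removed `capabilities.add` list was already redundant under `privileged: true`, which grants every capability, so no behaviour is lost there, but if least privilege is the goal the change to make is the reverse one: drop `privileged` and keep the explicit capability list. The added `node-role.kubernetes.io/master` toleration has no `operator`, so it defaults to `Equal` with an empty value and matches only a taint of that key with no value; clusters that taint control-plane nodes with `node-role.kubernetes.io/control-plane` would need a second toleration.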
--- a/resources/namespace.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: l2discovery - labels: - name: l2discovery - openshift.io/cluster-monitoring: "true" diff --git a/resources/role.yml b/resources/role.yml deleted file mode 100644 index df92174..0000000 --- a/resources/role.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: l2discovery-role - namespace: l2discovery -rules: - - apiGroups: - - security.openshift.io - resourceNames: - - privileged - resources: - - securitycontextconstraints - verbs: - - use diff --git a/resources/rolebinding.yml b/resources/rolebinding.yml deleted file mode 100644 index f0e4a4a..0000000 --- a/resources/rolebinding.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: l2discovery-rolebinding -subjects: -- kind: ServiceAccount - name: l2discovery -roleRef: - kind: Role - name: l2discovery-role - apiGroup: rbac.authorization.k8s.io diff --git a/resources/scc.yml b/resources/scc.yml deleted file mode 100644 index 09c9971..0000000 --- a/resources/scc.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: true -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: false -allowedCapabilities: null -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: null -fsGroup: - type: MustRunAs -groups: -- system:authenticated -kind: SecurityContextConstraints -metadata: - annotations: - kubernetes.io/description: denies access excepted for l2discovery required stuff - name: scc-l2discovery -priority: null -readOnlyRootFilesystem: false -allowedCapabilities: -- NET_ADMIN -- NET_RAW -- SYS_CHROOT -- FOWNER -requiredDropCapabilities: -- KILL -- MKNOD -- SETUID -- SETGID -runAsUser: - type: MustRunAsNonRoot -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: -- l2discovery -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret diff --git a/resources/service-account.yml b/resources/service-account.yml deleted file mode 100644 index 216feb4..0000000 --- a/resources/service-account.yml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: l2discovery - namespace: l2discovery