Skip to content

Commit

Permalink
Internal ItemBlockAction plugins
Browse files Browse the repository at this point in the history
This PR implements the internal ItemBlockAction plugins needed for pod, PVC, and SA.

Signed-off-by: Scott Seago <[email protected]>
  • Loading branch information
sseago committed Jul 27, 2024
1 parent f62eeb1 commit 6cb5062
Show file tree
Hide file tree
Showing 16 changed files with 1,459 additions and 147 deletions.
1 change: 1 addition & 0 deletions changelogs/unreleased/8054-sseago
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Internal ItemBlockAction plugins
53 changes: 53 additions & 0 deletions pkg/actionhelpers/pod_helper.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
/*
Copyright the Velero contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package actionhelpers

import (
"github.com/sirupsen/logrus"
corev1api "k8s.io/api/core/v1"

"github.com/vmware-tanzu/velero/pkg/kuberesource"
"github.com/vmware-tanzu/velero/pkg/plugin/velero"
)

func RelatedItemsForPod(pod *corev1api.Pod, log logrus.FieldLogger) []velero.ResourceIdentifier {
var additionalItems []velero.ResourceIdentifier
if pod.Spec.PriorityClassName != "" {
log.Infof("Adding priorityclass %s to additionalItems", pod.Spec.PriorityClassName)
additionalItems = append(additionalItems, velero.ResourceIdentifier{
GroupResource: kuberesource.PriorityClasses,
Name: pod.Spec.PriorityClassName,
})
}

if len(pod.Spec.Volumes) == 0 {
log.Info("pod has no volumes")
}

for _, volume := range pod.Spec.Volumes {
if volume.PersistentVolumeClaim != nil && volume.PersistentVolumeClaim.ClaimName != "" {
log.Infof("Adding pvc %s to additionalItems", volume.PersistentVolumeClaim.ClaimName)

additionalItems = append(additionalItems, velero.ResourceIdentifier{
GroupResource: kuberesource.PersistentVolumeClaims,
Namespace: pod.Namespace,
Name: volume.PersistentVolumeClaim.ClaimName,
})
}
}
return additionalItems
}
34 changes: 34 additions & 0 deletions pkg/actionhelpers/pvc_helper.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
/*
Copyright the Velero contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package actionhelpers

import (
"github.com/sirupsen/logrus"
corev1api "k8s.io/api/core/v1"

"github.com/vmware-tanzu/velero/pkg/kuberesource"
"github.com/vmware-tanzu/velero/pkg/plugin/velero"
)

func RelatedItemsForPVC(pvc *corev1api.PersistentVolumeClaim, log logrus.FieldLogger) []velero.ResourceIdentifier {
return []velero.ResourceIdentifier{
{
GroupResource: kuberesource.PersistentVolumes,
Name: pvc.Spec.VolumeName,
},
}
}
56 changes: 28 additions & 28 deletions pkg/backup/actions/rbac.go → pkg/actionhelpers/rbac.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

package actions
package actionhelpers

import (
"context"
Expand All @@ -35,42 +35,42 @@ type ClusterRoleBindingLister interface {
}

// noopClusterRoleBindingLister exists to handle clusters where RBAC is disabled.
type noopClusterRoleBindingLister struct {
type NoopClusterRoleBindingLister struct {
}

func (noop noopClusterRoleBindingLister) List() ([]ClusterRoleBinding, error) {
func (noop NoopClusterRoleBindingLister) List() ([]ClusterRoleBinding, error) {
return []ClusterRoleBinding{}, nil
}

type v1ClusterRoleBindingLister struct {
type V1ClusterRoleBindingLister struct {
client rbacclient.ClusterRoleBindingInterface
}

func (v1 v1ClusterRoleBindingLister) List() ([]ClusterRoleBinding, error) {
func (v1 V1ClusterRoleBindingLister) List() ([]ClusterRoleBinding, error) {

Check warning on line 49 in pkg/actionhelpers/rbac.go

View check run for this annotation

Codecov / codecov/patch

pkg/actionhelpers/rbac.go#L49

Added line #L49 was not covered by tests
crbList, err := v1.client.List(context.TODO(), metav1.ListOptions{})
if err != nil {
return nil, errors.WithStack(err)
}
var crbs []ClusterRoleBinding
for _, crb := range crbList.Items {
crbs = append(crbs, v1ClusterRoleBinding{crb: crb})
crbs = append(crbs, V1ClusterRoleBinding{Crb: crb})

Check warning on line 56 in pkg/actionhelpers/rbac.go

View check run for this annotation

Codecov / codecov/patch

pkg/actionhelpers/rbac.go#L56

Added line #L56 was not covered by tests
}

return crbs, nil
}

type v1beta1ClusterRoleBindingLister struct {
type V1beta1ClusterRoleBindingLister struct {
client rbacbetaclient.ClusterRoleBindingInterface
}

func (v1beta1 v1beta1ClusterRoleBindingLister) List() ([]ClusterRoleBinding, error) {
func (v1beta1 V1beta1ClusterRoleBindingLister) List() ([]ClusterRoleBinding, error) {

Check warning on line 66 in pkg/actionhelpers/rbac.go

View check run for this annotation

Codecov / codecov/patch

pkg/actionhelpers/rbac.go#L66

Added line #L66 was not covered by tests
crbList, err := v1beta1.client.List(context.TODO(), metav1.ListOptions{})
if err != nil {
return nil, errors.WithStack(err)
}
var crbs []ClusterRoleBinding
for _, crb := range crbList.Items {
crbs = append(crbs, v1beta1ClusterRoleBinding{crb: crb})
crbs = append(crbs, V1beta1ClusterRoleBinding{Crb: crb})

Check warning on line 73 in pkg/actionhelpers/rbac.go

View check run for this annotation

Codecov / codecov/patch

pkg/actionhelpers/rbac.go#L73

Added line #L73 was not covered by tests
}

return crbs, nil
Expand All @@ -81,9 +81,9 @@ func (v1beta1 v1beta1ClusterRoleBindingLister) List() ([]ClusterRoleBinding, err
// Necessary so that callers to the ClusterRoleBindingLister interfaces don't need the kubernetes.Interface.
func NewClusterRoleBindingListerMap(clientset kubernetes.Interface) map[string]ClusterRoleBindingLister {
return map[string]ClusterRoleBindingLister{
rbac.SchemeGroupVersion.Version: v1ClusterRoleBindingLister{client: clientset.RbacV1().ClusterRoleBindings()},
rbacbeta.SchemeGroupVersion.Version: v1beta1ClusterRoleBindingLister{client: clientset.RbacV1beta1().ClusterRoleBindings()},
"": noopClusterRoleBindingLister{},
rbac.SchemeGroupVersion.Version: V1ClusterRoleBindingLister{client: clientset.RbacV1().ClusterRoleBindings()},
rbacbeta.SchemeGroupVersion.Version: V1beta1ClusterRoleBindingLister{client: clientset.RbacV1beta1().ClusterRoleBindings()},
"": NoopClusterRoleBindingLister{},

Check warning on line 86 in pkg/actionhelpers/rbac.go

View check run for this annotation

Codecov / codecov/patch

pkg/actionhelpers/rbac.go#L84-L86

Added lines #L84 - L86 were not covered by tests
}
}

Expand All @@ -97,43 +97,43 @@ type ClusterRoleBinding interface {
RoleRefName() string
}

type v1ClusterRoleBinding struct {
crb rbac.ClusterRoleBinding
type V1ClusterRoleBinding struct {
Crb rbac.ClusterRoleBinding
}

func (c v1ClusterRoleBinding) Name() string {
return c.crb.Name
func (c V1ClusterRoleBinding) Name() string {
return c.Crb.Name
}

func (c v1ClusterRoleBinding) RoleRefName() string {
return c.crb.RoleRef.Name
func (c V1ClusterRoleBinding) RoleRefName() string {
return c.Crb.RoleRef.Name
}

func (c v1ClusterRoleBinding) ServiceAccountSubjects(namespace string) []string {
func (c V1ClusterRoleBinding) ServiceAccountSubjects(namespace string) []string {
var saSubjects []string
for _, s := range c.crb.Subjects {
for _, s := range c.Crb.Subjects {
if s.Kind == rbac.ServiceAccountKind && s.Namespace == namespace {
saSubjects = append(saSubjects, s.Name)
}
}
return saSubjects
}

type v1beta1ClusterRoleBinding struct {
crb rbacbeta.ClusterRoleBinding
type V1beta1ClusterRoleBinding struct {
Crb rbacbeta.ClusterRoleBinding
}

func (c v1beta1ClusterRoleBinding) Name() string {
return c.crb.Name
func (c V1beta1ClusterRoleBinding) Name() string {
return c.Crb.Name
}

func (c v1beta1ClusterRoleBinding) RoleRefName() string {
return c.crb.RoleRef.Name
func (c V1beta1ClusterRoleBinding) RoleRefName() string {
return c.Crb.RoleRef.Name
}

func (c v1beta1ClusterRoleBinding) ServiceAccountSubjects(namespace string) []string {
func (c V1beta1ClusterRoleBinding) ServiceAccountSubjects(namespace string) []string {
var saSubjects []string
for _, s := range c.crb.Subjects {
for _, s := range c.Crb.Subjects {
if s.Kind == rbac.ServiceAccountKind && s.Namespace == namespace {
saSubjects = append(saSubjects, s.Name)
}
Expand Down
84 changes: 84 additions & 0 deletions pkg/actionhelpers/service_account_helper.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
/*
Copyright the Velero contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package actionhelpers

import (
"github.com/sirupsen/logrus"
rbac "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"

velerodiscovery "github.com/vmware-tanzu/velero/pkg/discovery"
"github.com/vmware-tanzu/velero/pkg/kuberesource"
"github.com/vmware-tanzu/velero/pkg/plugin/velero"
)

func ClusterRoleBindingsForAction(clusterRoleBindingListers map[string]ClusterRoleBindingLister, discoveryHelper velerodiscovery.Helper) ([]ClusterRoleBinding, error) {
// Look up the supported RBAC version
var supportedAPI metav1.GroupVersionForDiscovery
for _, ag := range discoveryHelper.APIGroups() {
if ag.Name == rbac.GroupName {
supportedAPI = ag.PreferredVersion
break
}
}

crbLister := clusterRoleBindingListers[supportedAPI.Version]

// This should be safe because the List call will return a 0-item slice
// if there's no matching API version.
return crbLister.List()
}

func RelatedItemsForServiceAccount(objectMeta metav1.Object, clusterRoleBindings []ClusterRoleBinding, log logrus.FieldLogger) []velero.ResourceIdentifier {
var (
namespace = objectMeta.GetNamespace()
name = objectMeta.GetName()
bindings = sets.NewString()
roles = sets.NewString()
)

for _, crb := range clusterRoleBindings {
for _, s := range crb.ServiceAccountSubjects(namespace) {
if s == name {
log.Infof("Adding clusterrole %s and clusterrolebinding %s to relatedItems since serviceaccount %s/%s is a subject",
crb.RoleRefName(), crb.Name(), namespace, name)

bindings.Insert(crb.Name())
roles.Insert(crb.RoleRefName())
break
}
}
}

var relatedItems []velero.ResourceIdentifier
for binding := range bindings {
relatedItems = append(relatedItems, velero.ResourceIdentifier{
GroupResource: kuberesource.ClusterRoleBindings,
Name: binding,
})
}

for role := range roles {
relatedItems = append(relatedItems, velero.ResourceIdentifier{
GroupResource: kuberesource.ClusterRoles,
Name: role,
})
}

return relatedItems
}
10 changes: 3 additions & 7 deletions pkg/backup/actions/backup_pv_action.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,8 @@ import (
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"

"github.com/vmware-tanzu/velero/pkg/actionhelpers"
v1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
"github.com/vmware-tanzu/velero/pkg/kuberesource"
"github.com/vmware-tanzu/velero/pkg/plugin/velero"
)

Expand All @@ -51,7 +51,7 @@ func (a *PVCAction) AppliesTo() (velero.ResourceSelector, error) {
func (a *PVCAction) Execute(item runtime.Unstructured, backup *v1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) {
a.log.Info("Executing PVCAction")

var pvc corev1api.PersistentVolumeClaim
pvc := new(corev1api.PersistentVolumeClaim)
if err := runtime.DefaultUnstructuredConverter.FromUnstructured(item.UnstructuredContent(), &pvc); err != nil {
return nil, nil, errors.Wrap(err, "unable to convert unstructured item to persistent volume claim")
}
Expand All @@ -60,10 +60,6 @@ func (a *PVCAction) Execute(item runtime.Unstructured, backup *v1.Backup) (runti
return item, nil, nil
}

pv := velero.ResourceIdentifier{
GroupResource: kuberesource.PersistentVolumes,
Name: pvc.Spec.VolumeName,
}
// remove dataSource if exists from prior restored CSI volumes
if pvc.Spec.DataSource != nil {
pvc.Spec.DataSource = nil
Expand Down Expand Up @@ -94,5 +90,5 @@ func (a *PVCAction) Execute(item runtime.Unstructured, backup *v1.Backup) (runti
return nil, nil, errors.Wrap(err, "unable to convert pvc to unstructured item")
}

return &unstructured.Unstructured{Object: pvcMap}, []velero.ResourceIdentifier{pv}, nil
return &unstructured.Unstructured{Object: pvcMap}, actionhelpers.RelatedItemsForPVC(pvc, a.log), nil
}
31 changes: 2 additions & 29 deletions pkg/backup/actions/pod_action.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,8 @@ import (
corev1api "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime"

"github.com/vmware-tanzu/velero/pkg/actionhelpers"
v1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
"github.com/vmware-tanzu/velero/pkg/kuberesource"
"github.com/vmware-tanzu/velero/pkg/plugin/velero"
)

Expand Down Expand Up @@ -55,32 +55,5 @@ func (a *PodAction) Execute(item runtime.Unstructured, backup *v1.Backup) (runti
if err := runtime.DefaultUnstructuredConverter.FromUnstructured(item.UnstructuredContent(), pod); err != nil {
return nil, nil, errors.WithStack(err)
}

var additionalItems []velero.ResourceIdentifier
if pod.Spec.PriorityClassName != "" {
a.log.Infof("Adding priorityclass %s to additionalItems", pod.Spec.PriorityClassName)
additionalItems = append(additionalItems, velero.ResourceIdentifier{
GroupResource: kuberesource.PriorityClasses,
Name: pod.Spec.PriorityClassName,
})
}

if len(pod.Spec.Volumes) == 0 {
a.log.Info("pod has no volumes")
return item, additionalItems, nil
}

for _, volume := range pod.Spec.Volumes {
if volume.PersistentVolumeClaim != nil && volume.PersistentVolumeClaim.ClaimName != "" {
a.log.Infof("Adding pvc %s to additionalItems", volume.PersistentVolumeClaim.ClaimName)

additionalItems = append(additionalItems, velero.ResourceIdentifier{
GroupResource: kuberesource.PersistentVolumeClaims,
Namespace: pod.Namespace,
Name: volume.PersistentVolumeClaim.ClaimName,
})
}
}

return item, additionalItems, nil
return item, actionhelpers.RelatedItemsForPod(pod, a.log), nil
}
Loading

0 comments on commit 6cb5062

Please sign in to comment.