istio
424 строки · 15.8 Кб
1// Copyright Istio Authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14)45)69// NamespacedResources gets specific pruning resources based on the k8s version71func NamespacedResources() []schema.GroupVersionKind {72res := []schema.GroupVersionKind{73{Group: "apps", Version: "v1", Kind: name.DeploymentStr},74{Group: "apps", Version: "v1", Kind: name.DaemonSetStr},75{Group: "", Version: "v1", Kind: name.ServiceStr},76{Group: "", Version: "v1", Kind: name.CMStr},77{Group: "", Version: "v1", Kind: name.PodStr},78{Group: "", Version: "v1", Kind: name.SecretStr},79{Group: "", Version: "v1", Kind: name.SAStr},80{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: name.RoleBindingStr},81{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: name.RoleStr},82{Group: "policy", Version: "v1", Kind: name.PDBStr},83{Group: "autoscaling", Version: "v2", Kind: name.HPAStr},84gvk.EnvoyFilter.Kubernetes(),85}86return res87}88// Prune removes any resources not specified in manifests generated by HelmReconciler h.90func (h *HelmReconciler) Prune(manifests name.ManifestMap, all bool) error {91return h.runForAllTypes(func(labels map[string]string, objects *unstructured.UnstructuredList) error {92var errs util.Errors93if all {94errs = util.AppendErr(errs, h.deleteResources(nil, labels, "", objects, all))95} else {96for cname, manifest := range manifests.Consolidated() {97errs = util.AppendErr(errs, h.deleteResources(object.AllObjectHashes(manifest), labels, cname, objects, all))98}99}100return errs.ToError()101})102}103// PruneControlPlaneByRevisionWithController is called to remove specific control plane revision105// during reconciliation process of controller.106// It returns the install status and any error encountered.107func (h *HelmReconciler) PruneControlPlaneByRevisionWithController(iopSpec *v1alpha1.IstioOperatorSpec) (*v1alpha1.InstallStatus, error) {108ns := iopv1alpha1.Namespace(iopSpec)109if ns == "" {110ns = constants.IstioSystemNamespace111}112errStatus := &v1alpha1.InstallStatus{Status: v1alpha1.InstallStatus_ERROR}113enabledComponents, err := translate.GetEnabledComponents(iopSpec)114if err != nil {115return errStatus,116fmt.Errorf("failed to get enabled components: %v", err)117}118pilotEnabled := false119// check whether the istiod is enabled120for _, c := range enabledComponents {121if c == string(name.PilotComponentName) {122pilotEnabled = true123break124}125}126// If istiod is enabled, check if it has any proxies connected.127if pilotEnabled {128cfg := h.kubeClient.RESTConfig()129kubeClient, err := kube.NewCLIClient(kube.NewClientConfigForRestConfig(cfg), iopSpec.Revision)130if err != nil {131return errStatus, err132}133}167}179// DeleteObjectsList removed resources that are in the slice of UnstructuredList.181func (h *HelmReconciler) DeleteObjectsList(objectsList []*unstructured.UnstructuredList, componentName string) error {182var errs util.Errors183deletedObjects := make(map[string]bool)184for _, ul := range objectsList {185for _, o := range ul.Items {186obj := object.NewK8sObject(&o, nil, nil)187oh := obj.Hash()188}202// GetPrunedResources get the list of resources to be removed204// 1. if includeClusterResources is false, we list the namespaced resources by matching revision and component labels.205// 2. if includeClusterResources is true, we list the namespaced and cluster resources by component labels only.206// If componentName is not empty, only resources associated with specific components would be returned207// UnstructuredList of objects and corresponding list of name kind hash of k8sObjects would be returned208func (h *HelmReconciler) GetPrunedResources(revision string, includeClusterResources bool, componentName string) (209[]*unstructured.UnstructuredList, error,210) {211var usList []*unstructured.UnstructuredList212labels := make(map[string]string)213if revision != "" {214labels[label.IoIstioRev.Name] = revision215}216if componentName != "" {217labels[IstioComponentLabelStr] = componentName218}219if h.iop.GetName() != "" {220labels[OwningResourceName] = h.iop.GetName()221}222if h.iop.GetNamespace() != "" {223labels[OwningResourceNamespace] = h.iop.GetNamespace()224}225selector := klabels.Set(labels).AsSelectorPreValidated()226resources := NamespacedResources()227gvkList := append(resources, ClusterCPResources...)228if includeClusterResources {229gvkList = append(resources, AllClusterResources...)230// Cleanup IstioOperator, which may be used with in-cluster operator.231if ioplist := h.getIstioOperatorCR(); ioplist != nil && len(ioplist.Items) > 0 {232usList = append(usList, ioplist)233}234}235for _, gvk := range gvkList {236objects := &unstructured.UnstructuredList{}237objects.SetGroupVersionKind(gvk)238componentRequirement, err := klabels.NewRequirement(IstioComponentLabelStr, selection.Exists, nil)239if err != nil {240return usList, err241}242if includeClusterResources {243s := klabels.NewSelector()244err = h.client.List(context.TODO(), objects,245client.MatchingLabelsSelector{Selector: s.Add(*componentRequirement)})246} else {247// do not prune base components or unknown components248includeCN := []string{249string(name.PilotComponentName),250string(name.IngressComponentName), string(name.EgressComponentName),251string(name.CNIComponentName), string(name.IstioOperatorComponentName),252string(name.IstiodRemoteComponentName),253string(name.ZtunnelComponentName),254}255includeRequirement, err := klabels.NewRequirement(IstioComponentLabelStr, selection.In, includeCN)256if err != nil {257return usList, err258}259if err = h.client.List(context.TODO(), objects,260client.MatchingLabelsSelector{261Selector: selector.Add(*includeRequirement, *componentRequirement),262},263); err != nil {264continue265}266}267if err != nil {268continue269}270for _, obj := range objects.Items {271objName := fmt.Sprintf("%s/%s", obj.GetNamespace(), obj.GetName())272metrics.AddResource(objName, gvk.GroupKind())273}274if len(objects.Items) == 0 {275continue276}277usList = append(usList, objects)278}279}282// getIstioOperatorCR is a helper function to get IstioOperator CR during purge,284// otherwise the resources would be reconciled back later if there is in-cluster operator deployment.285// And it is needed to remove the IstioOperator CRD.286func (h *HelmReconciler) getIstioOperatorCR() *unstructured.UnstructuredList {287iopGVR := iopv1alpha1.IstioOperatorGVR288objects, err := h.kubeClient.Dynamic().Resource(iopGVR).List(context.TODO(), metav1.ListOptions{})289if err != nil {290if kerrors.IsNotFound(err) {291return nil292}293scope.Errorf("failed to list IstioOperator CR: %v", err)294}295return objects296}297// runForAllTypes will collect all existing resource types we care about. For each type, the callback function299// will be called with the labels used to select this type, and all objects.300// This is in internal function meant to support prune and delete301func (h *HelmReconciler) runForAllTypes(callback func(labels map[string]string, objects *unstructured.UnstructuredList) error) error {302var errs util.Errors303// Ultimately, we want to prune based on component labels. Each of these share a common set of labels304// Rather than do N List() calls for each component, we will just filter for the common subset here305// and each component will do its own filtering306// Because we are filtering by the core labels, List() will only return items that some components will care307// about, so we are not querying for an overly broad set of resources.308labels, err := h.getCoreOwnerLabels()309if err != nil {310return err311}312selector := klabels.Set(labels).AsSelectorPreValidated()313componentRequirement, err := klabels.NewRequirement(IstioComponentLabelStr, selection.Exists, nil)314if err != nil {315return err316}317selector = selector.Add(*componentRequirement)318}339}343// deleteResources delete any resources from the given component that are not in the excluded map. Resource345// labels are used to identify the resources belonging to the component.346func (h *HelmReconciler) deleteResources(excluded map[string]bool, coreLabels map[string]string,347componentName string, objects *unstructured.UnstructuredList, all bool,348) error {349var errs util.Errors350labels := h.addComponentLabels(coreLabels, componentName)351selector := klabels.Set(labels).AsSelectorPreValidated()352for _, o := range objects.Items {353obj := object.NewK8sObject(&o, nil, nil)354oh := obj.Hash()355if !all {356// Label mismatch. Provided objects don't select against the component, so this likely means the object357// is for another component.358if !selector.Matches(klabels.Set(o.GetLabels())) {359continue360}361if excluded[oh] {362continue363}364if o.GetLabels()[OwningResourceNotPruned] == "true" {365continue366}367}368if err := h.deleteResource(obj, componentName, oh); err != nil {369errs = append(errs, err)370}371}372if all {373cache.FlushObjectCaches()374}375}378}415// RemoveObject removes object with objHash in componentName from the object cache.417func (h *HelmReconciler) removeFromObjectCache(componentName, objHash string) {418crHash, err := h.getCRHash(componentName)419if err != nil {420scope.Error(err.Error())421}422cache.RemoveObject(crHash, objHash)423scope.Infof("Removed object %s from Cache.", objHash)424}425