DEV-52508 Argus deployment rbac privilege compatibility improvement

Author: DzXiaoLMCD

cmd/watch.go

@@ -7,15 +7,17 @@ import (
 	"os"
 	"time"
 
-	"github.com/logicmonitor/k8s-argus/pkg"
+	"github.com/logicmonitor/k8s-argus/pkg/rbac"
+
+	argus "github.com/logicmonitor/k8s-argus/pkg"
 	"github.com/logicmonitor/k8s-argus/pkg/config"
 	"github.com/logicmonitor/k8s-argus/pkg/constants"
 	"github.com/logicmonitor/k8s-argus/pkg/healthz"
 	"github.com/logicmonitor/k8s-collectorset-controller/api"
 	collectorsetconstants "github.com/logicmonitor/k8s-collectorset-controller/pkg/constants"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	grpc "google.golang.org/grpc"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/connectivity"
 	healthpb "google.golang.org/grpc/health/grpc_health_v1"
 )
@@ -48,6 +50,9 @@ var watchCmd = &cobra.Command{
 			log.Fatal(err.Error())
 		}
 
+		// Init the rbac component
+		rbac.Init(base.K8sClient)
+
 		// Set up a gRPC connection to the collectorset controller.
 		conn, err := grpc.Dial(config.Address, grpc.WithInsecure())
 		if err != nil {

pkg/argus.go

@@ -3,8 +3,6 @@ package argus
 import (
 	"time"
 
-	"github.com/logicmonitor/k8s-argus/pkg/utilities"
-
 	"github.com/logicmonitor/k8s-argus/pkg/watch/deployment"
 
 	"github.com/logicmonitor/k8s-argus/pkg/config"
@@ -23,7 +21,6 @@ import (
 	"github.com/logicmonitor/lm-sdk-go/client"
 	log "github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -79,14 +76,11 @@ func NewArgus(base *types.Base, client api.CollectorSetControllerClient) (*Argus
 		Base: base,
 	}
 
-	hasDeploymentRbac := checkHasDeploymentRbac(base)
-	log.Infof("Has deployment rbac: %+v", hasDeploymentRbac)
-
 	// init sync to delete the non-exist resource devices through logicmonitor API
 	initSyncer := sync.InitSyncer{
 		DeviceManager: deviceManager,
 	}
-	initSyncer.InitSync(hasDeploymentRbac)
+	initSyncer.InitSync()
 
 	deviceGroups, err := deviceTree.CreateDeviceTree()
 	if err != nil {
@@ -119,34 +113,14 @@ func NewArgus(base *types.Base, client api.CollectorSetControllerClient) (*Argus
 		&pod.Watcher{
 			DeviceManager: deviceManager,
 		},
-	}
-
-	if hasDeploymentRbac {
-		argus.Watchers = append(argus.Watchers, &deployment.Watcher{
+		&deployment.Watcher{
 			DeviceManager: deviceManager,
-		})
+		},
 	}
 
 	return argus, nil
 }
 
-func checkHasDeploymentRbac(base *types.Base) bool {
-	clusterRole, err := base.K8sClient.RbacV1beta1().ClusterRoles().Get("argus", metav1.GetOptions{})
-	if err != nil {
-		log.Errorf("Get clusterRoles failed: %+v", err)
-	} else {
-		for _, rule := range clusterRole.Rules {
-			if len(rule.APIGroups) == 0 {
-				continue
-			}
-			if utilities.Contains("apps", rule.APIGroups) && utilities.Contains("deployments", rule.Resources) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
 // NewBase instantiates and returns the base structure used throughout Argus.
 func NewBase(config *config.Config) (*types.Base, error) {
 	// LogicMonitor API client.
@@ -173,6 +147,10 @@ func NewBase(config *config.Config) (*types.Base, error) {
 // Watch watches the API for events.
 func (a *Argus) Watch() {
 	for _, w := range a.Watchers {
+		if !w.CheckRBAC() {
+			log.Warnf("Resource %s has no rbac, ignore watch", w.Resource())
+			continue
+		}
 		watchlist := cache.NewListWatchFromClient(getK8sRESTClient(a.K8sClient, w.APIVersion()), w.Resource(), v1.NamespaceAll, fields.Everything())
 		_, controller := cache.NewInformer(
 			watchlist,

pkg/device/device.go

@@ -53,6 +53,21 @@ func buildDevice(c *config.Config, client api.CollectorSetControllerClient, opti
 	return device
 }
 
+func (m *Manager) addDevice(device *models.Device) (*lm.AddDeviceOK, error) {
+	params := lm.NewAddDeviceParams()
+	addFromWizard := false
+	params.SetAddFromWizard(&addFromWizard)
+	params.SetBody(device)
+	restResponse, err := m.LMClient.LM.AddDevice(params)
+	if err != nil {
+		_, ok := err.(*lm.AddDeviceDefault)
+		if !ok {
+			return nil, err
+		}
+	}
+	return restResponse, nil
+}
+
 // checkAndUpdateExistingDevice tries to find and update the devices which needs to be changed
 func (m *Manager) checkAndUpdateExistingDevice(device *models.Device) (*models.Device, error) {
 	oldDevice, err := m.FindByDisplayName(*device.DisplayName)
@@ -64,21 +79,22 @@ func (m *Manager) checkAndUpdateExistingDevice(device *models.Device) (*models.D
 	}
 
 	// the device which is not changed will be ignored
-	if *device.Name == *oldDevice.Name {
+	if *device.Name == *oldDevice.Name && oldDevice.PreferredCollectorID == device.PreferredCollectorID {
 		log.Infof("No changes to device (%s). Ignoring update", *device.DisplayName)
 		return device, nil
 	}
 
 	// the device of the other cluster will be ignored
-	oldClusterName := ""
-	if oldDevice.CustomProperties != nil && len(oldDevice.CustomProperties) > 0 {
-		for _, cp := range oldDevice.CustomProperties {
-			if *cp.Name == constants.K8sClusterNamePropertyKey {
-				oldClusterName = *cp.Value
-			}
-		}
-	}
+	oldClusterName := getPropertyValue(oldDevice, constants.K8sClusterNamePropertyKey)
+
 	if oldClusterName != m.Config().ClusterName {
+		newDisplayName := fmt.Sprintf("%s-%s", *device.DisplayName, m.Config().ClusterName)
+		device.DisplayName = &newDisplayName
+		_, err := m.addDevice(device)
+		if err != nil {
+			return device, err
+		}
+
 		log.Infof("Device (%s) belongs to a different cluster (%s). Ignoring update", *device.DisplayName, oldClusterName)
 		return device, nil
 	}
@@ -91,6 +107,27 @@ func (m *Manager) checkAndUpdateExistingDevice(device *models.Device) (*models.D
 	return newDevice, nil
 }
 
+func getPropertyValue(device *models.Device, propertyName string) string {
+	if device == nil {
+		return ""
+	}
+	if len(device.CustomProperties) > 0 {
+		for _, cp := range device.CustomProperties {
+			if *cp.Name == propertyName {
+				return *cp.Value
+			}
+		}
+	}
+	if len(device.SystemProperties) > 0 {
+		for _, cp := range device.SystemProperties {
+			if *cp.Name == propertyName {
+				return *cp.Value
+			}
+		}
+	}
+	return ""
+}
+
 func (m *Manager) updateAndReplace(id int32, device *models.Device) (*models.Device, error) {
 	opType := "replace"
 	params := lm.NewUpdateDeviceParams()

pkg/rbac/rbac.go

@@ -0,0 +1,41 @@
+package rbac
+
+import (
+	log "github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	rbacFlagDefault  = 0
+	rbacFlagEnable   = 1
+	rbacFlagDisabled = -1
+)
+
+var (
+	client *kubernetes.Clientset
+
+	deploymentRBACFlag = 0
+)
+
+func Init(k8sclient *kubernetes.Clientset) {
+	client = k8sclient
+}
+
+// HasDeploymentRBAC is a function that check if the deployment resource has rbac permissions
+func HasDeploymentRBAC() bool {
+	if deploymentRBACFlag != rbacFlagDefault {
+		return deploymentRBACFlag == rbacFlagEnable
+	}
+	_, err := client.AppsV1beta2().Deployments(v1.NamespaceAll).List(metav1.ListOptions{})
+	if err != nil {
+		deploymentRBACFlag = rbacFlagDisabled
+		log.Error("List deployments failed: %+v", err)
+	} else {
+		deploymentRBACFlag = rbacFlagEnable
+	}
+
+	return deploymentRBACFlag == rbacFlagEnable
+
+}

pkg/sync/initsyncer.go

@@ -3,6 +3,8 @@ package sync
 import (
 	"sync"
 
+	"github.com/logicmonitor/k8s-argus/pkg/rbac"
+
 	"github.com/logicmonitor/k8s-argus/pkg/constants"
 	"github.com/logicmonitor/k8s-argus/pkg/device"
 	"github.com/logicmonitor/k8s-argus/pkg/devicegroup"
@@ -20,7 +22,7 @@ type InitSyncer struct {
 }
 
 // InitSync implements the initial sync through logicmonitor API
-func (i *InitSyncer) InitSync(hasDeploymentRbac bool) {
+func (i *InitSyncer) InitSync() {
 	log.Infof("Start to sync the resource devices")
 	rest := i.getDeviceGroups()
 	if rest == nil {
@@ -54,7 +56,8 @@ func (i *InitSyncer) InitSync(hasDeploymentRbac bool) {
 			case constants.DeploymentDeviceGroupName:
 				go func() {
 					defer wg.Done()
-					if !hasDeploymentRbac {
+					if !rbac.HasDeploymentRBAC() {
+						log.Warnf("Resource deployments has no rbac, ignore sync")
 						return
 					}
 					i.initSyncPodsOrServicesOrDeploys(constants.DeploymentDeviceGroupName, rest.ID)

pkg/tree/tree.go

@@ -3,6 +3,7 @@ package tree
 import (
 	"github.com/logicmonitor/k8s-argus/pkg/constants"
 	"github.com/logicmonitor/k8s-argus/pkg/devicegroup"
+	"github.com/logicmonitor/k8s-argus/pkg/rbac"
 	"github.com/logicmonitor/k8s-argus/pkg/types"
 )
 
@@ -87,6 +88,10 @@ func (d *DeviceTree) CreateDeviceTree() (map[string]int32, error) {
 		case constants.ClusterDeviceGroupPrefix + d.Config.ClusterName:
 			// don't do anything for the root cluster group
 		default:
+			if opts.Name == constants.DeploymentDeviceGroupName && !rbac.HasDeploymentRBAC() {
+				// deployment has no rbac, don't create the group
+				continue
+			}
 			opts.ParentID = deviceGroups[constants.ClusterDeviceGroupPrefix+d.Config.ClusterName]
 		}
 

pkg/types/types.go

@@ -18,6 +18,7 @@ type Base struct {
 // Watcher is the LogicMonitor Watcher interface.
 type Watcher interface {
 	APIVersion() string
+	CheckRBAC() bool
 	Resource() string
 	ObjType() runtime.Object
 	AddFunc() func(obj interface{})

pkg/watch/deployment/deployment.go

@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"strconv"
 
+	"github.com/logicmonitor/k8s-argus/pkg/rbac"
+
 	"github.com/logicmonitor/k8s-argus/pkg/constants"
 	"github.com/logicmonitor/k8s-argus/pkg/types"
 	"github.com/logicmonitor/k8s-argus/pkg/utilities"
@@ -30,6 +32,11 @@ func (w *Watcher) APIVersion() string {
 	return constants.K8sAPIVersionAppsV1beta2
 }
 
+// CheckRBAC is a function that check the resource has RBAC permissions.
+func (w *Watcher) CheckRBAC() bool {
+	return rbac.HasDeploymentRBAC()
+}
+
 // Resource is a function that implements the Watcher interface.
 func (w *Watcher) Resource() string {
 	return resource

pkg/watch/namespace/namespace.go

@@ -25,6 +25,11 @@ func (w *Watcher) APIVersion() string {
 	return constants.K8sAPIVersionV1
 }
 
+// CheckRBAC is a function that check the resource has RBAC permissions.
+func (w *Watcher) CheckRBAC() bool {
+	return true
+}
+
 // Resource is a function that implements the Watcher interface.
 func (w *Watcher) Resource() string {
 	return resource

pkg/watch/node/node.go

@@ -34,6 +34,11 @@ func (w *Watcher) APIVersion() string {
 	return constants.K8sAPIVersionV1
 }
 
+// CheckRBAC is a function that check the resource has RBAC permissions.
+func (w *Watcher) CheckRBAC() bool {
+	return true
+}
+
 // Resource is a function that implements the Watcher interface.
 func (w *Watcher) Resource() string {
 	return resource