mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-10-31 08:21:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: use only kube-apiserver endpoints for Talos API access endpoints

Browse Source 
Fixes #6566

This avoid putting all node addresses which might not be routeable
across Kubernetes.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit is contained in:
Andrey Smirnov 2022-12-02 20:53:40 +04:00
parent dc5e0f4af0
commit 0219d1124e
No known key found for this signature in database
GPG Key ID: 7B26396447AB6DFD
1 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
internal/app/machined/pkg/controllers/kubeaccess/endpoint.go
View File

@ -11,6 +11,7 @@ import (
"github.com/cosi-project/runtime/pkg/controller"
"github.com/cosi-project/runtime/pkg/resource"
"github.com/cosi-project/runtime/pkg/safe"
"github.com/cosi-project/runtime/pkg/state"
"github.com/siderolabs/go-pointer"
"go.uber.org/zap"
@ -76,35 +77,37 @@ func (ctrl *EndpointController) Run(ctx context.Context, r controller.Runtime, l
return nil
}
kubeaccessConfig, err := r.Get(ctx, kubeaccess.NewConfig(config.NamespaceName, kubeaccess.ConfigID).Metadata())
kubeaccessConfig, err := safe.ReaderGet[*kubeaccess.Config](ctx, r, kubeaccess.NewConfig(config.NamespaceName, kubeaccess.ConfigID).Metadata())
if err != nil {
if !state.IsNotFoundError(err) {
return fmt.Errorf("error fetching kubeaccess config: %w", err)
}
}
if kubeaccessConfig == nil || !kubeaccessConfig.(*kubeaccess.Config).TypedSpec().Enabled {
if kubeaccessConfig == nil || !kubeaccessConfig.TypedSpec().Enabled {
// disabled, do not do anything
continue
}
endpointResources, err := r.List(ctx, resource.NewMetadata(k8s.ControlPlaneNamespaceName, k8s.EndpointType, "", resource.VersionUndefined))
// use only api-server endpoints to leave only kubelet node IPs
endpointResource, err := safe.ReaderGet[*k8s.Endpoint](ctx, r, resource.NewMetadata(k8s.ControlPlaneNamespaceName, k8s.EndpointType, k8s.ControlPlaneAPIServerEndpointsID, resource.VersionUndefined))
if err != nil {
return fmt.Errorf("error getting endpoints resources: %w", err)
if !state.IsNotFoundError(err) {
return fmt.Errorf("error getting endpoints resources: %w", err)
}
}
var endpointAddrs k8s.EndpointList
// merge all endpoints into a single list
for _, res := range endpointResources.Items {
endpointAddrs = endpointAddrs.Merge(res.(*k8s.Endpoint))
if endpointResource != nil {
endpointAddrs = endpointAddrs.Merge(endpointResource)
}
if len(endpointAddrs) == 0 {
continue
}
secretsResources, err := r.Get(ctx, resource.NewMetadata(secrets.NamespaceName, secrets.KubernetesType, secrets.KubernetesID, resource.VersionUndefined))
secretsResources, err := safe.ReaderGet[*secrets.Kubernetes](ctx, r, resource.NewMetadata(secrets.NamespaceName, secrets.KubernetesType, secrets.KubernetesID, resource.VersionUndefined))
if err != nil {
if state.IsNotFoundError(err) {
continue
@ -113,7 +116,7 @@ func (ctrl *EndpointController) Run(ctx context.Context, r controller.Runtime, l
return err
}
secrets := secretsResources.(*secrets.Kubernetes).TypedSpec()
secrets := secretsResources.TypedSpec()
kubeconfig, err := clientcmd.BuildConfigFromKubeconfigGetter("", func() (*clientcmdapi.Config, error) {
return clientcmd.Load([]byte(secrets.LocalhostAdminKubeconfig))