support new flag --image-delete-job-host-network

README.md

@@ -321,10 +321,12 @@ For more detailed description, go through _kube-fledged's_ [design proposal](doc
 
 ## Configuration Flags for Kubefledged Controller
 
-`--image-pull-deadline-duration:` Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed. default "5m"
-
 `--image-cache-refresh-frequency:` The image cache is refreshed periodically to ensure the cache is up to date. Setting this flag to "0s" will disable refresh. default "15m"
 
+`--image-delete-job-host-network:` Whether the pod for the image delete job should be run with 'HostNetwork: true'. Default value: false.
+
+`--image-pull-deadline-duration:` Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed. default "5m"
+
 `--image-pull-policy:` Image pull policy for pulling images into and refreshing the cache. Possible values are 'IfNotPresent' and 'Always'. Default value is 'IfNotPresent'. Image with no or ":latest" tag are always pulled.
 
 `--service-account-name:` serviceAccountName used in Jobs created for pulling or deleting images. Optional flag. If not specified the default service account of the namespace is used

cmd/controller/app/controller.go

@@ -96,7 +96,8 @@ func NewController(
 	criClientImage string,
 	busyboxImage string,
 	imagePullPolicy string,
-	serviceAccountName string) *Controller {
+	serviceAccountName string,
+	imageDeleteJobHostNetwork bool) *Controller {
 
 	runtime.Must(fledgedscheme.AddToScheme(scheme.Scheme))
 	glog.V(4).Info("Creating event broadcaster")
@@ -119,8 +120,9 @@ func NewController(
 		imageCacheRefreshFrequency: imageCacheRefreshFrequency,
 	}
 
-	imageManager, _ := images.NewImageManager(controller.workqueue, controller.imageworkqueue, controller.kubeclientset,
-		controller.fledgedNameSpace, imagePullDeadlineDuration, criClientImage, busyboxImage, imagePullPolicy, serviceAccountName)
+	imageManager, _ := images.NewImageManager(controller.workqueue, controller.imageworkqueue,
+		controller.kubeclientset, controller.fledgedNameSpace, imagePullDeadlineDuration,
+		criClientImage, busyboxImage, imagePullPolicy, serviceAccountName, imageDeleteJobHostNetwork)
 	controller.imageManager = imageManager
 
 	glog.Info("Setting up event handlers")

cmd/controller/app/controller_test.go

@@ -64,6 +64,7 @@ func newTestController(kubeclientset kubernetes.Interface, fledgedclientset clie
 	busyboxImage := "busybox:latest"
 	imagePullPolicy := "IfNotPresent"
 	serviceAccountName := "sa-kube-fledged"
+	imageDeleteJobHostNetwork := false
 
 	/* 	startInformers := true
 	   	if startInformers {
@@ -73,8 +74,10 @@ func newTestController(kubeclientset kubernetes.Interface, fledgedclientset clie
 	   		fledgedInformerFactory.Start(stopCh)
 	   	} */
 
-	controller := NewController(kubeclientset, fledgedclientset, fledgedNameSpace, nodeInformer, imagecacheInformer,
-		imageCacheRefreshFrequency, imagePullDeadlineDuration, criClientImage, busyboxImage, imagePullPolicy, serviceAccountName)
+	controller := NewController(kubeclientset,
+		fledgedclientset, fledgedNameSpace, nodeInformer, imagecacheInformer,
+		imageCacheRefreshFrequency, imagePullDeadlineDuration, criClientImage,
+		busyboxImage, imagePullPolicy, serviceAccountName, imageDeleteJobHostNetwork)
 	controller.nodesSynced = func() bool { return true }
 	controller.imageCachesSynced = func() bool { return true }
 	return controller, nodeInformer, imagecacheInformer

cmd/controller/main.go

@@ -42,6 +42,7 @@ var (
 	imagePullPolicy            string
 	fledgedNameSpace           string
 	serviceAccountName         string
+	imageDeleteJobHostNetwork  bool
 )
 
 func main() {
@@ -71,7 +72,8 @@ func main() {
 	controller := app.NewController(kubeClient, fledgedClient, fledgedNameSpace,
 		kubeInformerFactory.Core().V1().Nodes(),
 		fledgedInformerFactory.Kubefledged().V1alpha2().ImageCaches(),
-		imageCacheRefreshFrequency, imagePullDeadlineDuration, criClientImage, busyboxImage, imagePullPolicy, serviceAccountName)
+		imageCacheRefreshFrequency, imagePullDeadlineDuration, criClientImage,
+		busyboxImage, imagePullPolicy, serviceAccountName, imageDeleteJobHostNetwork)
 
 	glog.Info("Starting pre-flight checks")
 	if err = controller.PreFlightChecks(); err != nil {
@@ -101,4 +103,5 @@ func init() {
 		busyboxImage = "busybox:1.29.2"
 	}
 	flag.StringVar(&serviceAccountName, "service-account-name", "", "serviceAccountName used in Jobs created for pulling/deleting images. Optional flag. If not specified the default service account of the namespace is used")
+	flag.BoolVar(&imageDeleteJobHostNetwork, "image-delete-job-host-network", false, "whether the pod for the image delete job should be run with 'HostNetwork: true'. Default value: false")
 }

deploy/kubefledged-operator/helm-charts/kubefledged/README.md

@@ -45,15 +45,16 @@ Kube-fledged is a kubernetes operator for creating and managing a cache of conta
 | image.kubefledgedCRIClientRepository | docker.io/senthilrch/kubefledged-cri-client | Repository name of kubefledged-cri-client image |
 | image.kubefledgedWebhookServerRepository | docker.io/senthilrch/kubefledged-webhook-server | Repository name of kubefledged-webhook-server image |
 | image.pullPolicy | Always | Image pull policy for kubefledged-controller and kubefledged-webhook-server pods |
-| args.controllerLogLevel | INFO | Log level of kubefledged-controller |
-| args.controllerImagePullDeadlineDuration | 5m | Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed |
 | args.controllerImageCacheRefreshFrequency | 15m | The image cache is refreshed periodically to ensure the cache is up to date. Setting this flag to "0s" will disable refresh |
+| args.controllerImageDeleteJobHostNetwork | false | Whether the pod for the image delete job should be run with 'HostNetwork: true' |
+| args.controllerImagePullDeadlineDuration | 5m | Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed |
 | args.controllerImagePullPolicy | IfNotPresent | Image pull policy for pulling images into and refreshing the cache. Possible values are 'IfNotPresent' and 'Always'. Default value is 'IfNotPresent'. Image with no or ":latest" tag are always pulled |
 | args.controllerServiceAccountName | "" | serviceAccountName used in Jobs created for pulling or deleting images. Optional flag. If not specified the default service account of the namespace is used |
-| args.webhookServerLogLevel | INFO | Log level of kubefledged-webhook-server |
+| args.controllerLogLevel | INFO | Log level of kubefledged-controller |
 | args.webhookServerCertFile | /var/run/secrets/webhook-server/tls.crt | Path of server certificate of kubefledged-webhook-server |
 | args.webhookServerKeyFile | /var/run/secrets/webhook-server/tls.key | Path of server key of kubefledged-webhook-server |
 | args.webhookServerPort | 443 | Listening port of kubefledged-webhook-server |
+| args.webhookServerLogLevel | INFO | Log level of kubefledged-webhook-server |
 | nameOverride | "" | nameOverride replaces the name of the chart in Chart.yaml, when this is used to construct Kubernetes object names |
 | fullnameOverride | "" | fullnameOverride completely replaces the generated name |
 |  |  |  |

deploy/kubefledged-operator/helm-charts/kubefledged/templates/deployment-controller.yaml

@@ -38,6 +38,7 @@ spec:
           {{- if .Values.args.controllerServiceAccountName }}
             - "--service-account-name={{ .Values.args.controllerServiceAccountName }}"
           {{- end }}
+            - "--image-delete-job-host-network={{ .Values.args.controllerImageDeleteJobHostNetwork }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             - name: KUBEFLEDGED_NAMESPACE

deploy/kubefledged-operator/helm-charts/kubefledged/values.yaml

@@ -25,6 +25,7 @@ args:
   controllerImageCacheRefreshFrequency: 15m
   controllerImagePullPolicy: IfNotPresent
   controllerServiceAccountName: ""
+  controllerImageDeleteJobHostNetwork: false
   webhookServerLogLevel: INFO
   webhookServerCertFile: /var/run/secrets/webhook-server/tls.crt
   webhookServerKeyFile: /var/run/secrets/webhook-server/tls.key

docs/helm-parameters.md

@@ -11,15 +11,16 @@
 | image.kubefledgedCRIClientRepository | docker.io/senthilrch/kubefledged-cri-client | Repository name of kubefledged-cri-client image |
 | image.kubefledgedWebhookServerRepository | docker.io/senthilrch/kubefledged-webhook-server | Repository name of kubefledged-webhook-server image |
 | image.pullPolicy | Always | Image pull policy for kubefledged-controller and kubefledged-webhook-server pods |
-| args.controllerLogLevel | INFO | Log level of kubefledged-controller |
-| args.controllerImagePullDeadlineDuration | 5m | Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed |
 | args.controllerImageCacheRefreshFrequency | 15m | The image cache is refreshed periodically to ensure the cache is up to date. Setting this flag to "0s" will disable refresh |
+| args.controllerImageDeleteJobHostNetwork | false | Whether the pod for the image delete job should be run with 'HostNetwork: true' |
+| args.controllerImagePullDeadlineDuration | 5m | Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed |
 | args.controllerImagePullPolicy | IfNotPresent | Image pull policy for pulling images into and refreshing the cache. Possible values are 'IfNotPresent' and 'Always'. Default value is 'IfNotPresent'. Image with no or ":latest" tag are always pulled |
 | args.controllerServiceAccountName | "" | serviceAccountName used in Jobs created for pulling or deleting images. Optional flag. If not specified the default service account of the namespace is used |
-| args.webhookServerLogLevel | INFO | Log level of kubefledged-webhook-server |
+| args.controllerLogLevel | INFO | Log level of kubefledged-controller |
 | args.webhookServerCertFile | /var/run/secrets/webhook-server/tls.crt | Path of server certificate of kubefledged-webhook-server |
 | args.webhookServerKeyFile | /var/run/secrets/webhook-server/tls.key | Path of server key of kubefledged-webhook-server |
 | args.webhookServerPort | 443 | Listening port of kubefledged-webhook-server |
+| args.webhookServerLogLevel | INFO | Log level of kubefledged-webhook-server |
 | nameOverride | "" | nameOverride replaces the name of the chart in Chart.yaml, when this is used to construct Kubernetes object names |
 | fullnameOverride | "" | fullnameOverride completely replaces the generated name |
 |  |  |  |

go.mod

@@ -25,19 +25,16 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-        golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
 	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
 	golang.org/x/sys v0.0.0-20211019181941-9d821ace8654 // indirect
 	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
-        golang.org/x/tools v0.1.9 // indirect
 	google.golang.org/appengine v1.6.6 // indirect
 	google.golang.org/protobuf v1.25.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-        k8s.io/code-generator v0.21.1 // indirect
 	k8s.io/klog/v2 v2.8.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 // indirect
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920 // indirect

hack/update-codegen.sh

@@ -19,7 +19,7 @@ set -o nounset
 set -o pipefail
 
 export GOPATH=${HOME}/go
-go get -d k8s.io/[email protected]
+go get -u k8s.io/[email protected]
 
 SCRIPT_ROOT=$(dirname ${BASH_SOURCE})/..
 CODEGEN_PKG=${CODEGEN_PKG:-$(cd ${SCRIPT_ROOT}; ls -d -1 $GOPATH/pkg/mod/k8s.io/code-generator@v0.21.1 2>/dev/null || echo ../code-generator)}

hack/verify-golint.sh

@@ -22,11 +22,11 @@ PROJECT_ROOT=$(dirname "${BASH_SOURCE}")/..
 source "${PROJECT_ROOT}/hack/init.sh"
 
 verify_go_version
-go get -u golang.org/x/lint/golint
+go install golang.org/x/lint/golint
 
 if ! which golint > /dev/null; then
   echo 'Can not find golint, install with:'
-  echo 'go get -u golang.org/x/lint/golint'
+  echo 'go install golang.org/x/lint/golint'
   exit 1
 fi
 

pkg/images/image_helpers.go

@@ -31,7 +31,8 @@ import (
 )
 
 // newImagePullJob constructs a job manifest for pulling an image to a node
-func newImagePullJob(imagecache *fledgedv1alpha2.ImageCache, image string, node *corev1.Node, imagePullPolicy string, busyboxImage string, serviceAccountName string) (*batchv1.Job, error) {
+func newImagePullJob(imagecache *fledgedv1alpha2.ImageCache, image string, node *corev1.Node,
+	imagePullPolicy string, busyboxImage string, serviceAccountName string) (*batchv1.Job, error) {
 	var pullPolicy corev1.PullPolicy = corev1.PullIfNotPresent
 	hostname := node.Labels["kubernetes.io/hostname"]
 	if imagecache == nil {
@@ -136,7 +137,9 @@ func newImagePullJob(imagecache *fledgedv1alpha2.ImageCache, image string, node
 }
 
 // newImageDeleteJob constructs a job manifest to delete an image from a node
-func newImageDeleteJob(imagecache *fledgedv1alpha2.ImageCache, image string, node *corev1.Node, containerRuntimeVersion string, dockerclientimage string, serviceAccountName string) (*batchv1.Job, error) {
+func newImageDeleteJob(imagecache *fledgedv1alpha2.ImageCache, image string, node *corev1.Node,
+	containerRuntimeVersion string, dockerclientimage string, serviceAccountName string,
+	imageDeleteJobHostNetwork bool) (*batchv1.Job, error) {
 	hostname := node.Labels["kubernetes.io/hostname"]
 	if imagecache == nil {
 		glog.Error("imagecache pointer is nil")
@@ -207,6 +210,7 @@ func newImageDeleteJob(imagecache *fledgedv1alpha2.ImageCache, image string, nod
 					},
 					RestartPolicy:    corev1.RestartPolicyNever,
 					ImagePullSecrets: imagecache.Spec.ImagePullSecrets,
+					HostNetwork:      imageDeleteJobHostNetwork,
 					Tolerations: []corev1.Toleration{
 						{
 							Operator: corev1.TolerationOpExists,

pkg/images/image_manager.go

@@ -73,6 +73,7 @@ type ImageManager struct {
 	busyboxImage              string
 	imagePullPolicy           string
 	serviceAccountName        string
+	imageDeleteJobHostNetwork bool
 	lock                      sync.RWMutex
 }
 
@@ -121,7 +122,8 @@ func NewImageManager(
 	kubeclientset kubernetes.Interface,
 	namespace string,
 	imagePullDeadlineDuration time.Duration,
-	criClientImage, busyboxImage, imagePullPolicy, serviceAccountName string) (*ImageManager, coreinformers.PodInformer) {
+	criClientImage, busyboxImage, imagePullPolicy, serviceAccountName string,
+	imageDeleteJobHostNetwork bool) (*ImageManager, coreinformers.PodInformer) {
 
 	appEqKubefledged, _ := labels.NewRequirement("app", selection.Equals, []string{"kubefledged"})
 	kubefledgedEqImagemanager, _ := labels.NewRequirement("kubefledged", selection.Equals, []string{"kubefledged-image-manager"})
@@ -150,6 +152,7 @@ func NewImageManager(
 		busyboxImage:              busyboxImage,
 		imagePullPolicy:           imagePullPolicy,
 		serviceAccountName:        serviceAccountName,
+		imageDeleteJobHostNetwork: imageDeleteJobHostNetwork,
 	}
 	podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		//AddFunc: ,
@@ -504,7 +507,8 @@ func (m *ImageManager) pullImage(iwr ImageWorkRequest) (*batchv1.Job, error) {
 // deleteImage deletes the image from the node
 func (m *ImageManager) deleteImage(iwr ImageWorkRequest) (*batchv1.Job, error) {
 	// Construct the Job manifest
-	newjob, err := newImageDeleteJob(iwr.Imagecache, iwr.Image, iwr.Node, iwr.ContainerRuntimeVersion, m.criClientImage, m.serviceAccountName)
+	newjob, err := newImageDeleteJob(iwr.Imagecache, iwr.Image, iwr.Node, iwr.ContainerRuntimeVersion,
+		m.criClientImage, m.serviceAccountName, m.imageDeleteJobHostNetwork)
 	if err != nil {
 		glog.Errorf("Error when constructing job manifest: %v", err)
 		return nil, err

pkg/images/image_manager_test.go

@@ -44,17 +44,19 @@ var node = corev1.Node{
 	},
 }
 
-func newTestImageManager(kubeclientset kubernetes.Interface, imagepullpolicy string, serviceaccountname string) (*ImageManager, coreinformers.PodInformer) {
+func newTestImageManager(kubeclientset kubernetes.Interface, imagepullpolicy string, serviceaccountname string, imagedeletejobhostnetwork bool) (*ImageManager, coreinformers.PodInformer) {
 	imagePullDeadlineDuration := time.Millisecond * 10
 	criClientImage := "senthilrch/fledged-docker-client:latest"
 	busyboxImage := "busybox:latest"
 	imagePullPolicy := imagepullpolicy
 	serviceAccountName := serviceaccountname
+	imageDeleteJobHostNetwork := imagedeletejobhostnetwork
 	imagecacheworkqueue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "ImageCaches")
 	imageworkqueue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "ImagePullerStatus")
 
-	imagemanager, podInformer := NewImageManager(imagecacheworkqueue, imageworkqueue, kubeclientset, fledgedNameSpace,
-		imagePullDeadlineDuration, criClientImage, busyboxImage, imagePullPolicy, serviceAccountName)
+	imagemanager, podInformer := NewImageManager(imagecacheworkqueue, imageworkqueue, kubeclientset,
+		fledgedNameSpace, imagePullDeadlineDuration, criClientImage, busyboxImage, imagePullPolicy,
+		serviceAccountName, imageDeleteJobHostNetwork)
 	imagemanager.podsSynced = func() bool { return true }
 
 	return imagemanager, podInformer
@@ -206,7 +208,7 @@ func TestPullDeleteImage(t *testing.T) {
 			})
 		}
 
-		imagemanager, _ := newTestImageManager(fakekubeclientset, "IfNotPresent", "sa-kube-fledged")
+		imagemanager, _ := newTestImageManager(fakekubeclientset, "IfNotPresent", "sa-kube-fledged", false)
 		var err error
 		if test.action == "pullimage" {
 			_, err = imagemanager.pullImage(test.iwr)
@@ -304,7 +306,7 @@ func TestHandlePodStatusChange(t *testing.T) {
 	}
 	for _, test := range tests {
 		fakekubeclientset := &fakeclientset.Clientset{}
-		imagemanager, _ := newTestImageManager(fakekubeclientset, "IfNotPresent", "sa-kube-fledged")
+		imagemanager, _ := newTestImageManager(fakekubeclientset, "IfNotPresent", "sa-kube-fledged", false)
 		imagemanager.imageworkstatus[test.pod.Labels["job-name"]] = ImageWorkResult{
 			Status: ImageWorkResultStatusJobCreated,
 			ImageWorkRequest: ImageWorkRequest{
@@ -617,7 +619,7 @@ func TestUpdateImageCacheStatus(t *testing.T) {
 				return true, nil, apierrors.NewInternalError(fmt.Errorf("fake error"))
 			})
 		}
-		imagemanager, podInformer := newTestImageManager(fakekubeclientset, "IfNotPresent", "sa-kube-fledged")
+		imagemanager, podInformer := newTestImageManager(fakekubeclientset, "IfNotPresent", "sa-kube-fledged", false)
 		for _, pod := range test.pods {
 			if !reflect.DeepEqual(pod, corev1.Pod{}) {
 				podInformer.Informer().GetIndexer().Add(&pod)
@@ -896,7 +898,7 @@ func TestProcessNextWorkItem(t *testing.T) {
 	}
 	for _, test := range tests {
 		fakekubeclientset := &fakeclientset.Clientset{}
-		imagemanager, podInformer := newTestImageManager(fakekubeclientset, test.imagepullpolicy, "sa-kube-fledged")
+		imagemanager, podInformer := newTestImageManager(fakekubeclientset, test.imagepullpolicy, "sa-kube-fledged", false)
 		for _, pod := range test.pods {
 			if !reflect.DeepEqual(pod, corev1.Pod{}) {
 				podInformer.Informer().GetIndexer().Add(&pod)