From 31a6386994d0000f72decaad694c719c55c7e28b Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Thu, 20 Apr 2023 22:02:04 +0000
Subject: [PATCH] Improve egress selector handling on agentless servers

Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints.

Signed-off-by: Brad Davidson
---
 pkg/agent/tunnel/tunnel.go | 24 ++++++++++++++----------
 pkg/cli/server/server.go | 7 +++++--
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/pkg/agent/tunnel/tunnel.go b/pkg/agent/tunnel/tunnel.go
index 701fdb5fe1e4..b9e6dd9969bc 100644
--- a/pkg/agent/tunnel/tunnel.go
+++ b/pkg/agent/tunnel/tunnel.go
@@ -101,16 +101,20 @@ func Setup(ctx context.Context, config *daemonconfig.Node, proxy proxy.Proxy) er
 		close(apiServerReady)
 	}()
 
-	// Allow the kubelet port, as published via our node object
-	go tunnel.setKubeletPort(ctx, apiServerReady)
-
-	switch tunnel.mode {
-	case daemonconfig.EgressSelectorModeCluster:
-		// In Cluster mode, we allow the cluster CIDRs, and any connections to the node's IPs for pods using host network.
-		tunnel.clusterAuth(config)
-	case daemonconfig.EgressSelectorModePod:
-		// In Pod mode, we watch pods assigned to this node, and allow their addresses, as well as ports used by containers with host network.
-		go tunnel.watchPods(ctx, apiServerReady, config)
+	// We don't need to run the tunnel authorizer if the container runtime endpoint is /dev/null,
+	// signifying that this is an agentless server that will not register a node.
+	if config.ContainerRuntimeEndpoint != "/dev/null" {
+		// Allow the kubelet port, as published via our node object.
+		go tunnel.setKubeletPort(ctx, apiServerReady)
+
+		switch tunnel.mode {
+		case daemonconfig.EgressSelectorModeCluster:
+			// In Cluster mode, we allow the cluster CIDRs, and any connections to the node's IPs for pods using host network.
+			tunnel.clusterAuth(config)
+		case daemonconfig.EgressSelectorModePod:
+			// In Pod mode, we watch pods assigned to this node, and allow their addresses, as well as ports used by containers with host network.
+			go tunnel.watchPods(ctx, apiServerReady, config)
+		}
 	}
 
 	// The loadbalancer is only disabled when there is a local apiserver. Servers without a local
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index e3dff660a4e4..facd7aa1e06b 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
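Review bot: The agentless decision hinges on comparing `config.ContainerRuntimeEndpoint` with the bare literal `"/dev/null"`, so the sentinel's meaning exists only in this comment and any drift at the site that assigns it would silently change whether the tunnel authorizer is installed. A named constant in daemonconfig (e.g. `agentlessRuntimeEndpoint`, name to taste) shared by both the assignment and this check, `if config.ContainerRuntimeEndpoint != daemonconfig.AgentlessRuntimeEndpoint {`, keeps the two in lockstep. Because the skipped branch leaves this server with none of the kubelet-port, cluster-CIDR or pod-address allow entries, the comment should also state what the tunnel still permits in that state so a reader does not have to guess whether an empty allow set denies or permits; I cannot tell from the hunk which it is. Setup's body starts before and continues after the hunk.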
@@ -530,8 +530,11 @@ func validateNetworkConfiguration(serverConfig server.Config) error {
 	}
 
 	switch serverConfig.ControlConfig.EgressSelectorMode {
-	case config.EgressSelectorModeAgent, config.EgressSelectorModeCluster,
-		config.EgressSelectorModeDisabled, config.EgressSelectorModePod:
+	case config.EgressSelectorModeCluster, config.EgressSelectorModePod:
+	case config.EgressSelectorModeAgent, config.EgressSelectorModeDisabled:
+		if serverConfig.DisableAgent {
+			logrus.Warn("Webhooks and apiserver aggregation may not function properly without an agent; please set egress-selector-mode to 'cluster' or 'pod'")
+		}
 	default:
 		return fmt.Errorf("invalid egress-selector-mode %s", serverConfig.ControlConfig.EgressSelectorMode)
 	}
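Review bot: The new `case config.EgressSelectorModeCluster, config.EgressSelectorModePod:` has an empty body, which is legal Go but reads like an unfinished branch; a one-line comment such as `// Cluster and Pod modes can reach in-cluster endpoints without a local agent, so nothing to check.` records that the no-op is deliberate. The warning on the Agent/Disabled branch would also be more actionable for an operator reading logs if it named the configured mode, e.g. `logrus.Warnf("Webhooks and apiserver aggregation may not function properly with egress-selector-mode %s when the agent is disabled; please set egress-selector-mode to 'cluster' or 'pod'", serverConfig.ControlConfig.EgressSelectorMode)`. validateNetworkConfiguration begins before and ends after the hunk.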