diff --git a/cli/cmd/check.go b/cli/cmd/check.go index 83c59a2107777..30d93975cf50b 100644 --- a/cli/cmd/check.go +++ b/cli/cmd/check.go @@ -22,7 +22,6 @@ type checkOptions struct { dataPlaneOnly bool wait time.Duration namespace string - cniEnabled bool output string } @@ -33,7 +32,6 @@ func newCheckOptions() *checkOptions { dataPlaneOnly: false, wait: 300 * time.Second, namespace: "", - cniEnabled: false, output: tableOutput, } } @@ -42,7 +40,6 @@ func newCheckOptions() *checkOptions { func (options *checkOptions) nonConfigFlagSet() *pflag.FlagSet { flags := pflag.NewFlagSet("non-config-check", pflag.ExitOnError) - flags.BoolVar(&options.cniEnabled, "linkerd-cni-enabled", options.cniEnabled, "When running pre-installation checks (--pre), assume the linkerd-cni plugin is already installed, and a NET_ADMIN check is not needed") flags.StringVarP(&options.namespace, "namespace", "n", options.namespace, "Namespace to use for --proxy checks (default: all namespaces)") flags.BoolVar(&options.preInstallOnly, "pre", options.preInstallOnly, "Only run pre-installation checks, to determine if the control plane can be installed") flags.BoolVar(&options.dataPlaneOnly, "proxy", options.dataPlaneOnly, "Only run data-plane checks, to determine if the data plane is healthy") @@ -146,9 +143,6 @@ func configureAndRunChecks(wout io.Writer, werr io.Writer, stage string, options if options.preInstallOnly { checks = append(checks, healthcheck.LinkerdPreInstallChecks) - if !options.cniEnabled { - checks = append(checks, healthcheck.LinkerdPreInstallCapabilityChecks) - } } else { checks = append(checks, healthcheck.LinkerdConfigChecks) diff --git a/pkg/healthcheck/healthcheck.go b/pkg/healthcheck/healthcheck.go index 72d80ada4434a..e839fa0c810c1 100644 --- a/pkg/healthcheck/healthcheck.go +++ b/pkg/healthcheck/healthcheck.go @@ -49,12 +49,6 @@ const ( // checks must be added first. LinkerdPreInstallChecks CategoryID = "pre-kubernetes-setup" - // LinkerdPreInstallCapabilityChecks adds a check to validate the user has the - // capabilities necessary to deploy Linkerd. For example, the NET_ADMIN - // capability is required by the `linkerd-init` container to modify IP tables. - // These checks are no run when the `--linkerd-cni-enabled` flag is set. - LinkerdPreInstallCapabilityChecks CategoryID = "pre-kubernetes-capability" - // LinkerdConfigChecks enabled by `linkerd check config` // LinkerdConfigChecks adds a series of checks to validate that the Linkerd @@ -309,6 +303,13 @@ func (hc *HealthChecker) allCategories() []category { return hc.checkCanCreate("", "apiextensions.k8s.io", "v1beta1", "customresourcedefinitions") }, }, + { + description: "can create PodSecurityPolicies", + hintAnchor: "pre-k8s", + check: func(context.Context) error { + return hc.checkCanCreate(hc.ControlPlaneNamespace, "policy", "v1beta1", "podsecuritypolicies") + }, + }, { description: "can create ServiceAccounts", hintAnchor: "pre-k8s", @@ -346,18 +347,6 @@ func (hc *HealthChecker) allCategories() []category { }, }, }, - { - id: LinkerdPreInstallCapabilityChecks, - checkers: []checker{ - { - description: "has NET_ADMIN capability", - hintAnchor: "pre-k8s-cluster-net-admin", - check: func(context.Context) error { - return hc.checkNetAdmin() - }, - }, - }, - }, { id: LinkerdConfigChecks, checkers: []checker{ @@ -966,48 +955,6 @@ func (hc *HealthChecker) checkCanCreate(namespace, group, version, resource stri ) } -func (hc *HealthChecker) checkNetAdmin() error { - if hc.kubeAPI == nil { - // we should never get here - return fmt.Errorf("unexpected error: Kubernetes ClientSet not initialized") - } - - pspList, err := hc.kubeAPI.PolicyV1beta1().PodSecurityPolicies().List(metav1.ListOptions{}) - if err != nil { - return err - } - - if len(pspList.Items) == 0 { - // no PodSecurityPolicies found, assume PodSecurityPolicy admission controller is disabled - return nil - } - - // if PodSecurityPolicies are found, validate one exists that: - // 1) permits usage - // AND - // 2) provides NET_ADMIN - for _, psp := range pspList.Items { - err := k8s.ResourceAuthz( - hc.kubeAPI, - "", - "use", - "policy", - "v1beta1", - "podsecuritypolicies", - psp.GetName(), - ) - if err == nil { - for _, capability := range psp.Spec.AllowedCapabilities { - if capability == "*" || capability == "NET_ADMIN" { - return nil - } - } - } - } - - return fmt.Errorf("found %d PodSecurityPolicies, but none provide NET_ADMIN", len(pspList.Items)) -} - func (hc *HealthChecker) checkClockSkew() error { if hc.kubeAPI == nil { // we should never get here diff --git a/pkg/healthcheck/healthcheck_test.go b/pkg/healthcheck/healthcheck_test.go index 15d2f7c52154f..fe0ec3882d7ec 100644 --- a/pkg/healthcheck/healthcheck_test.go +++ b/pkg/healthcheck/healthcheck_test.go @@ -386,54 +386,6 @@ status: } -func TestCheckNetAdmin(t *testing.T) { - tests := []struct { - k8sConfigs []string - err error - }{ - { - []string{}, - nil, - }, - { - []string{`apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: restricted -spec: - requiredDropCapabilities: - - ALL`, - }, - fmt.Errorf("found 1 PodSecurityPolicies, but none provide NET_ADMIN"), - }, - } - - for i, test := range tests { - test := test // pin - t.Run(fmt.Sprintf("%d: returns expected NET_ADMIN result", i), func(t *testing.T) { - hc := NewHealthChecker( - []CategoryID{}, - &Options{}, - ) - - var err error - hc.kubeAPI, err = k8s.NewFakeAPI(test.k8sConfigs...) - if err != nil { - t.Fatalf("Unexpected error: %s", err) - } - - err = hc.checkNetAdmin() - if err != nil || test.err != nil { - if (err == nil && test.err != nil) || - (err != nil && test.err == nil) || - (err.Error() != test.err.Error()) { - t.Fatalf("Unexpected error (Expected: %s, Got: %s)", test.err, err) - } - } - }) - } -} - func TestConfigExists(t *testing.T) { testCases := []struct { k8sConfigs []string diff --git a/test/testdata/check.pre.golden b/test/testdata/check.pre.golden index d6a19efc05d1a..a621157788026 100644 --- a/test/testdata/check.pre.golden +++ b/test/testdata/check.pre.golden @@ -15,6 +15,7 @@ pre-kubernetes-setup √ can create ClusterRoles √ can create ClusterRoleBindings √ can create CustomResourceDefinitions +√ can create PodSecurityPolicies √ can create ServiceAccounts √ can create Services √ can create Deployments