Remmove discover of podcidrs:

The permissions needed to list nodes
and pods in the "kube-system" namespace
are too extensive and unneeded by Smee.
Also not a good security posture to make these
permissions available to Smee.

Signed-off-by: Jacob Weinstock <[email protected]>

cmd/smee/backend.go

@@ -2,14 +2,11 @@ package main
 
 import (
 	"context"
-	"strings"
 
 	"github.com/go-logr/logr"
 	"github.com/tinkerbell/dhcp/backend/file"
 	"github.com/tinkerbell/dhcp/backend/kube"
 	"github.com/tinkerbell/dhcp/handler"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@@ -85,84 +82,3 @@ func (s *File) backend(ctx context.Context, logger logr.Logger) (handler.Backend
 
 	return f, nil
 }
-
-// discoverTrustedProxies will use the Kubernetes client to discover the CIDR Ranges for Pods in cluster.
-func (k *Kube) discoverTrustedProxies(ctx context.Context, l logr.Logger, trustedProxies []string) []string {
-	config, err := k.getClient()
-	if err != nil {
-		l.Error(err, "failed to get Kubernetes client config")
-		return nil
-	}
-	c, err := corev1client.NewForConfig(config)
-	if err != nil {
-		l.Error(err, "failed to create Kubernetes client")
-		return nil
-	}
-
-	return combinedCIDRs(ctx, l, c, trustedProxies)
-}
-
-// combinedCIDRs returns the CIDR Ranges for Pods in cluster. Not all Kubernetes distributions provide a way to discover the entire podCIDR.
-// Some distributions just provide the podCIDRs assigned to each node. combinedCIDRs tries all known locations where pod CIDRs might exist.
-// For example, if a cluster has 3 nodes, each with a /24 podCIDR, and the cluster has a /16 podCIDR, combinedCIDRs will return 4 CIDR ranges.
-func combinedCIDRs(ctx context.Context, l logr.Logger, c corev1client.CoreV1Interface, trustedProxies []string) []string {
-	var tp []string
-	tp = append(tp, trustedProxies...)
-	if podCIDRS, err := perNodePodCIDRs(ctx, c); err == nil {
-		tp = append(tp, podCIDRS...)
-	} else {
-		l.V(1).Info("failed to get per node podCIDRs", "err", err)
-	}
-
-	if clusterCIDR, err := clusterPodCIDR(ctx, c); err == nil {
-		tp = append(tp, clusterCIDR...)
-	} else {
-		l.V(1).Info("failed to get cluster wide podCIDR", "err", err)
-	}
-
-	return tp
-}
-
-// perNodePodCIDRs returns the CIDR Range for Pods on each node. This is the per node podCIDR as compared to the total podCIDR.
-// This will get the podCIDR from each node in the cluster, not the entire cluster podCIDR. If a cluster grows after this is run,
-// the new nodes will not be included until this func is run again.
-// This should be used in conjunction with ClusterPodCIDR to be as complete and cross distribution compatible as possible.
-func perNodePodCIDRs(ctx context.Context, c corev1client.CoreV1Interface) ([]string, error) {
-	ns, err := c.Nodes().List(ctx, metav1.ListOptions{})
-	if err != nil {
-		return nil, err
-	}
-
-	var trustedProxies []string
-	for _, n := range ns.Items {
-		trustedProxies = append(trustedProxies, n.Spec.PodCIDRs...)
-	}
-
-	return trustedProxies, nil
-}
-
-// clusterPodCIDR returns the CIDR Range for Pods in cluster. This is the total podCIDR as compared to the per node podCIDR.
-// Some Kubernetes distributions do not run a kube-controller-manager pod, so this func should be used in conjunction with PerNodePodCIDRs
-// to be as complete and cross distribution compatible as possible.
-func clusterPodCIDR(ctx context.Context, c corev1client.CoreV1Interface) ([]string, error) {
-	// https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
-	pods, err := c.Pods("kube-system").List(ctx, metav1.ListOptions{
-		LabelSelector: "component=kube-controller-manager",
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	var trustedProxies []string
-	for _, p := range pods.Items {
-		for _, c := range p.Spec.Containers {
-			for _, e := range c.Command {
-				if strings.HasPrefix(e, "--cluster-cidr") {
-					trustedProxies = append(trustedProxies, strings.Split(e, "=")[1])
-				}
-			}
-		}
-	}
-
-	return trustedProxies, nil
-}

cmd/smee/main.go

@@ -209,9 +209,6 @@ func main() {
 	if len(handlers) > 0 {
 		// start the http server for ipxe binaries and scripts
 		tp := parseTrustedProxies(cfg.ipxeHTTPScript.trustedProxies)
-		if cfg.backends.kubernetes.Enabled {
-			tp = cfg.backends.kubernetes.discoverTrustedProxies(ctx, log, tp)
-		}
 		httpServer := &http.Config{
 			GitRev:         GitRev,
 			StartTime:      startTime,