...

Source file src/github.com/linkerd/linkerd2/pkg/inject/uninject.go

Documentation: github.com/linkerd/linkerd2/pkg/inject

     1  package inject
     2  
     3  import (
     4  	"strings"
     5  
     6  	"github.com/linkerd/linkerd2/pkg/k8s"
     7  	v1 "k8s.io/api/core/v1"
     8  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
     9  )
    10  
    // Uninject strips from the workload held in conf what injection added: the
    // proxy and proxy-init containers, the injected volumes, and the
    // linkerd-prefixed annotations and labels. Removals are recorded in report
    // and the result of conf.YamlMarshalObj() is returned.
    //
    // For a namespace or a service only the object metadata is cleaned. Any
    // other resource that has no pod spec yields (nil, nil), so callers must
    // treat a nil byte slice with a nil error as "nothing was changed".
    func (conf *ResourceConfig) Uninject(report *Report) ([]byte, error) {
    	switch {
    	case conf.IsNamespace(), conf.IsService():
    		uninjectObjectMeta(conf.workload.Meta, report)
    		return conf.YamlMarshalObj()
    	case conf.pod.spec == nil:
    		// No pod template to clean up.
    		return nil, nil
    	}

    	conf.uninjectPodSpec(report)

    	// Workload-level metadata may be absent; pod-level metadata is always
    	// cleaned.
    	if workloadMeta := conf.workload.Meta; workloadMeta != nil {
    		uninjectObjectMeta(workloadMeta, report)
    	}
    	uninjectObjectMeta(conf.pod.meta, report)

    	return conf.YamlMarshalObj()
    }
    32  
    // uninjectPodSpec rewrites conf.pod.spec in place, dropping the init
    // containers, containers and volumes whose names match the linkerd
    // constants. Container removals are flagged in report; volume removals
    // are not.
    //
    // Matching is by name only: anything that uses one of these reserved names
    // is removed, whether or not injection put it there.
    func (conf *ResourceConfig) uninjectPodSpec(report *Report) {
    	spec := conf.pod.spec

    	// The filtered slices are always non-nil, even when nothing is kept.
    	keptInit := []v1.Container{}
    	for _, c := range spec.InitContainers {
    		if c.Name == k8s.InitContainerName {
    			report.Uninjected.ProxyInit = true
    			continue
    		}
    		// The proxy may also be present as an init container.
    		if c.Name == k8s.ProxyContainerName {
    			report.Uninjected.Proxy = true
    			continue
    		}
    		keptInit = append(keptInit, c)
    	}
    	spec.InitContainers = keptInit

    	keptContainers := []v1.Container{}
    	for _, c := range spec.Containers {
    		if c.Name == k8s.ProxyContainerName {
    			report.Uninjected.Proxy = true
    			continue
    		}
    		keptContainers = append(keptContainers, c)
    	}
    	spec.Containers = keptContainers

    	keptVolumes := []v1.Volume{}
    	for _, vol := range spec.Volumes {
    		injected := vol.Name == k8s.IdentityEndEntityVolumeName ||
    			vol.Name == k8s.InitXtablesLockVolumeMountName ||
    			vol.Name == k8s.LinkerdTokenVolumeMountName
    		if injected {
    			continue
    		}
    		keptVolumes = append(keptVolumes, vol)
    	}
    	spec.Volumes = keptVolumes
    }
    68  
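    // uninjectObjectMeta removes the linkerd-prefixed annotations and labels
    // from t in place and sets report.Uninjected.Proxy when at least one
    // annotation was dropped. Dropping labels does not touch report.
    //
    // A nil t is a no-op. Objects that carry the control plane component label
    // are left untouched.
    func uninjectObjectMeta(t *metav1.ObjectMeta, report *Report) {
    	// Not every call site checks for a missing ObjectMeta before calling,
    	// so tolerate nil here instead of panicking on t.Labels.
    	if t == nil {
    		return
    	}

    	// Control plane components are only uninjected as part of
    	// `inject --manual`, as a way to update something about the injection
    	// configuration (for example adding a debug sidecar to the identity
    	// service). Stripping the linkerd.io/* metadata is not necessary in
    	// that case, so it is skipped. Such components never carry
    	// linkerd.io/inject either, since they are always injected manually.
    	//
    	// NOTE(review): only the presence of the label key is checked; its
    	// value is ignored, so any object carrying this key keeps all of its
    	// linkerd-prefixed metadata.
    	if _, isControlPlane := t.Labels[k8s.ControllerComponentLabel]; isControlPlane {
    		return
    	}

    	annotations := make(map[string]string, len(t.Annotations))
    	for key, val := range t.Annotations {
    		// An explicit "inject: disabled" annotation is kept; presumably so
    		// that an opt-out survives uninjection (confirm against callers).
    		optOut := key == k8s.ProxyInjectAnnotation && val == k8s.ProxyInjectDisabled
    		if !strings.HasPrefix(key, k8s.Prefix) || optOut {
    			annotations[key] = val
    			continue
    		}
    		report.Uninjected.Proxy = true
    	}
    	t.Annotations = annotations

    	labels := make(map[string]string, len(t.Labels))
    	for key, val := range t.Labels {
    		if !strings.HasPrefix(key, k8s.Prefix) {
    			labels[key] = val
    		}
    	}
    	t.Labels = labels
    }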
   101  
