Added tap pre check (#848)

* Remove config dependency from basenine init

acceptanceTests/cypress/integration/tests/UiTest.js

@@ -64,6 +64,8 @@ it('right side sanity test', function () {
     });
 });
 
+serviceMapCheck();
+
 checkIllegalFilter('invalid filter');
 
 checkFilter({
@@ -188,7 +190,7 @@ function checkFilter(filterDetails){
     const entriesForDeeperCheck = 5;
 
     it(`checking the filter: ${name}`, function () {
-        cy.get('#total-entries').then(number => {
+        cy.get('#total-entries').should('not.have.text', '0').then(number => {
             const totalEntries = number.text();
 
             // checks the hover on the last entry (the only one in DOM at the beginning)
@@ -320,3 +322,42 @@ function checkOnlyLineNumberes(jsonItems, decodedText) {
     cy.get(`${Cypress.env('bodyJsonClass')} >`).should('have.length', 1).and('have.text', decodedText);
     cy.get(`${Cypress.env('bodyJsonClass')} > >`).should('have.length', jsonItems)
 }
+
+function serviceMapCheck() {
+    it('service map test', function () {
+        cy.intercept(`${Cypress.env('testUrl')}/servicemap/get`).as('serviceMapRequest');
+        cy.get('#total-entries').should('not.have.text', '0').then(() => {
+            cy.get('#total-entries').invoke('text').then(entriesNum => {
+                cy.get('[alt="service-map"]').click();
+                cy.wait('@serviceMapRequest').then(({response}) => {
+                    const body = response.body;
+                    const nodeParams = {
+                        destination: 'httpbin.mizu-tests',
+                        source: '127.0.0.1'
+                    };
+                    serviceMapAPICheck(body, parseInt(entriesNum), nodeParams);
+                    cy.reload();
+                });
+            });
+        });
+    });
+}
+
+function serviceMapAPICheck(body, entriesNum, nodeParams) {
+    const {nodes, edges} = body;
+
+    expect(nodes.length).to.equal(Object.keys(nodeParams).length, `Expected nodes count`);
+
+    expect(edges.some(edge => edge.source.name === nodeParams.source)).to.be.true;
+    expect(edges.some(edge => edge.destination.name === nodeParams.destination)).to.be.true;
+
+    let count = 0;
+    edges.forEach(edge => {
+        count += edge.count;
+        if (edge.destination.name === nodeParams.destination) {
+            expect(edge.source.name).to.equal(nodeParams.source);
+        }
+    });
+
+    expect(count).to.equal(entriesNum);
+}

agent/main.go

@@ -140,7 +140,7 @@ func runInApiServerMode(namespace string) *gin.Engine {
 	if err := config.LoadConfig(); err != nil {
 		logger.Log.Fatalf("Error loading config file %v", err)
 	}
-	app.ConfigureBasenineServer(shared.BasenineHost, shared.BaseninePort)
+	app.ConfigureBasenineServer(shared.BasenineHost, shared.BaseninePort, config.Config.MaxDBSizeBytes, config.Config.LogLevel)
 	startTime = time.Now().UnixNano() / int64(time.Millisecond)
 	api.StartResolving(namespace)
 
@@ -216,7 +216,7 @@ func enableExpFeatureIfNeeded() {
 		oas.GetOasGeneratorInstance().Start()
 	}
 	if config.Config.ServiceMap {
-		servicemap.GetInstance().SetConfig(config.Config)
+		servicemap.GetInstance().Enable()
 	}
 	elastic.GetInstance().Configure(config.Config.Elastic)
 }

agent/pkg/app/main.go

@@ -9,7 +9,6 @@ import (
 	"github.com/op/go-logging"
 	basenine "github.com/up9inc/basenine/client/go"
 	"github.com/up9inc/mizu/agent/pkg/api"
-	"github.com/up9inc/mizu/agent/pkg/config"
 	"github.com/up9inc/mizu/agent/pkg/controllers"
 	"github.com/up9inc/mizu/shared/logger"
 	tapApi "github.com/up9inc/mizu/tap/api"
@@ -63,20 +62,18 @@ func LoadExtensions() {
 	controllers.InitExtensionsMap(ExtensionsMap)
 }
 
-func ConfigureBasenineServer(host string, port string) {
+func ConfigureBasenineServer(host string, port string, dbSize int64, logLevel logging.Level) {
 	if !wait.New(
 		wait.WithProto("tcp"),
 		wait.WithWait(200*time.Millisecond),
 		wait.WithBreak(50*time.Millisecond),
 		wait.WithDeadline(5*time.Second),
-		wait.WithDebug(config.Config.LogLevel == logging.DEBUG),
+		wait.WithDebug(logLevel == logging.DEBUG),
 	).Do([]string{fmt.Sprintf("%s:%s", host, port)}) {
 		logger.Log.Panicf("Basenine is not available!")
 	}
 
-	// Limit the database size to default 200MB
+	if err := basenine.Limit(host, port, dbSize); err != nil {
-	err := basenine.Limit(host, port, config.Config.MaxDBSizeBytes)
-	if err != nil {
 		logger.Log.Panicf("Error while limiting database size: %v", err)
 	}
 
@@ -84,8 +81,7 @@ func ConfigureBasenineServer(host string, port string) {
 	for _, extension := range Extensions {
 		macros := extension.Dissector.Macros()
 		for macro, expanded := range macros {
-			err = basenine.Macro(host, port, macro, expanded)
+			if err := basenine.Macro(host, port, macro, expanded); err != nil {
-			if err != nil {
 				logger.Log.Panicf("Error while adding a macro: %v", err)
 			}
 		}

agent/pkg/controllers/service_map_controller_test.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/suite"
-	"github.com/up9inc/mizu/shared"
 	tapApi "github.com/up9inc/mizu/tap/api"
 )
 
@@ -59,9 +58,7 @@ type ServiceMapControllerSuite struct {
 
 func (s *ServiceMapControllerSuite) SetupTest() {
 	s.c = NewServiceMapController()
-	s.c.service.SetConfig(&shared.MizuAgentConfig{
+	s.c.service.Enable()
-		ServiceMap: true,
-	})
 	s.c.service.NewTCPEntry(TCPEntryA, TCPEntryB, ProtocolHttp)
 
 	s.w = httptest.NewRecorder()

agent/pkg/servicemap/servicemap.go

@@ -3,7 +3,6 @@ package servicemap
 import (
 	"sync"
 
-	"github.com/up9inc/mizu/shared"
 	"github.com/up9inc/mizu/shared/logger"
 	tapApi "github.com/up9inc/mizu/tap/api"
 )
@@ -26,13 +25,13 @@ func GetInstance() ServiceMap {
 }
 
 type serviceMap struct {
-	config           *shared.MizuAgentConfig
+	enabled          bool
 	graph            *graph
 	entriesProcessed int
 }
 
 type ServiceMap interface {
-	SetConfig(config *shared.MizuAgentConfig)
+	Enable()
 	IsEnabled() bool
 	NewTCPEntry(source *tapApi.TCP, destination *tapApi.TCP, protocol *tapApi.Protocol)
 	GetStatus() ServiceMapStatus
@@ -46,7 +45,7 @@ type ServiceMap interface {
 
 func newServiceMap() *serviceMap {
 	return &serviceMap{
-		config:           nil,
+		enabled:          false,
 		entriesProcessed: 0,
 		graph:            newDirectedGraph(),
 	}
@@ -156,15 +155,12 @@ func (s *serviceMap) addEdge(u, v *entryData, p *tapApi.Protocol) {
 	s.entriesProcessed++
 }
 
-func (s *serviceMap) SetConfig(config *shared.MizuAgentConfig) {
+func (s *serviceMap) Enable() {
-	s.config = config
+	s.enabled = true
 }
 
 func (s *serviceMap) IsEnabled() bool {
-	if s.config != nil && s.config.ServiceMap {
+	return s.enabled
-		return true
-	}
-	return false
 }
 
 func (s *serviceMap) NewTCPEntry(src *tapApi.TCP, dst *tapApi.TCP, p *tapApi.Protocol) {

agent/pkg/servicemap/servicemap_test.go

@@ -6,7 +6,6 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/suite"
-	"github.com/up9inc/mizu/shared"
 	tapApi "github.com/up9inc/mizu/tap/api"
 )
 
@@ -96,9 +95,7 @@ func (s *ServiceMapDisabledSuite) SetupTest() {
 
 func (s *ServiceMapEnabledSuite) SetupTest() {
 	s.instance = GetInstance()
-	s.instance.SetConfig(&shared.MizuAgentConfig{
+	s.instance.Enable()
-		ServiceMap: true,
-	})
 }
 
 func (s *ServiceMapDisabledSuite) TestServiceMapInstance() {

cli/cmd/check.go

@@ -1,8 +1,11 @@
 package cmd
 
 import (
+	"github.com/creasty/defaults"
 	"github.com/spf13/cobra"
+	"github.com/up9inc/mizu/cli/config/configStructs"
 	"github.com/up9inc/mizu/cli/telemetry"
+	"github.com/up9inc/mizu/shared/logger"
 )
 
 var checkCmd = &cobra.Command{
@@ -17,4 +20,11 @@ var checkCmd = &cobra.Command{
 
 func init() {
 	rootCmd.AddCommand(checkCmd)
+
+	defaultCheckConfig := configStructs.CheckConfig{}
+	if err := defaults.Set(&defaultCheckConfig); err != nil {
+		logger.Log.Debug(err)
+	}
+
+	checkCmd.Flags().Bool(configStructs.PreTapCheckName, defaultCheckConfig.PreTap, "Check pre-tap Mizu installation for potential problems")
 }

cli/cmd/checkRunner.go

@@ -3,6 +3,10 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"github.com/up9inc/mizu/shared"
+	rbac "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes/scheme"
 	"regexp"
 
 	"github.com/up9inc/mizu/cli/apiserver"
@@ -14,7 +18,7 @@ import (
 )
 
 func runMizuCheck() {
-	logger.Log.Infof("Mizu install checks\n===================")
+	logger.Log.Infof("Mizu checks\n===================")
 
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel() // cancel will be called when this function exits
@@ -25,17 +29,23 @@ func runMizuCheck() {
 		checkPassed = checkKubernetesVersion(kubernetesVersion)
 	}
 
-	var isInstallCommand bool
+	if config.Config.Check.PreTap {
-	if checkPassed {
+		if checkPassed {
-		checkPassed, isInstallCommand = checkMizuMode(ctx, kubernetesProvider)
+			checkPassed = checkK8sTapPermissions(ctx, kubernetesProvider)
-	}
+		}
+	} else {
+		var isInstallCommand bool
+		if checkPassed {
+			checkPassed, isInstallCommand = checkMizuMode(ctx, kubernetesProvider)
+		}
 
-	if checkPassed {
+		if checkPassed {
-		checkPassed = checkK8sResources(ctx, kubernetesProvider, isInstallCommand)
+			checkPassed = checkK8sResources(ctx, kubernetesProvider, isInstallCommand)
-	}
+		}
 
-	if checkPassed {
+		if checkPassed {
-		checkPassed = checkServerConnection(kubernetesProvider)
+			checkPassed = checkServerConnection(kubernetesProvider)
+		}
 	}
 
 	if checkPassed {
@@ -273,9 +283,81 @@ func checkResourceExist(resourceName string, resourceType string, exist bool, er
 	} else if !exist {
 		logger.Log.Errorf("%v '%v' %v doesn't exist", fmt.Sprintf(uiUtils.Red, "✗"), resourceName, resourceType)
 		return false
-	} else {
-		logger.Log.Infof("%v '%v' %v exists", fmt.Sprintf(uiUtils.Green, "√"), resourceName, resourceType)
 	}
 
+	logger.Log.Infof("%v '%v' %v exists", fmt.Sprintf(uiUtils.Green, "√"), resourceName, resourceType)
+	return true
+}
+
+func checkK8sTapPermissions(ctx context.Context, kubernetesProvider *kubernetes.Provider) bool {
+	logger.Log.Infof("\nkubernetes-permissions\n--------------------")
+
+	var filePath string
+	if config.Config.IsNsRestrictedMode() {
+		filePath = "./examples/roles/permissions-ns-tap.yaml"
+	} else {
+		filePath = "./examples/roles/permissions-all-namespaces-tap.yaml"
+	}
+
+	data, err := shared.ReadFromFile(filePath)
+	if err != nil {
+		logger.Log.Errorf("%v error while checking kubernetes permissions, err: %v", fmt.Sprintf(uiUtils.Red, "✗"), err)
+		return false
+	}
+
+	obj, err := getDecodedObject(data)
+	if err != nil {
+		logger.Log.Errorf("%v error while checking kubernetes permissions, err: %v", fmt.Sprintf(uiUtils.Red, "✗"), err)
+		return false
+	}
+
+	var rules []rbac.PolicyRule
+	if config.Config.IsNsRestrictedMode() {
+		rules = obj.(*rbac.Role).Rules
+	} else {
+		rules = obj.(*rbac.ClusterRole).Rules
+	}
+
+	return checkPermissions(ctx, kubernetesProvider, rules)
+}
+
+func getDecodedObject(data []byte) (runtime.Object, error) {
+	decode := scheme.Codecs.UniversalDeserializer().Decode
+
+	obj, _, err := decode(data, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return obj, nil
+}
+
+func checkPermissions(ctx context.Context, kubernetesProvider *kubernetes.Provider, rules []rbac.PolicyRule) bool {
+	permissionsExist := true
+
+	for _, rule := range rules {
+		for _, group := range rule.APIGroups {
+			for _, resource := range rule.Resources {
+				for _, verb := range rule.Verbs {
+					exist, err := kubernetesProvider.CanI(ctx, config.Config.MizuResourcesNamespace, resource, verb, group)
+					permissionsExist = checkPermissionExist(group, resource, verb, exist, err) && permissionsExist
+				}
+			}
+		}
+	}
+
+	return permissionsExist
+}
+
+func checkPermissionExist(group string, resource string, verb string, exist bool, err error) bool {
+	if err != nil {
+		logger.Log.Errorf("%v error checking permission for %v %v in group '%v', err: %v", fmt.Sprintf(uiUtils.Red, "✗"), verb, resource, group, err)
+		return false
+	} else if !exist {
+		logger.Log.Errorf("%v can't %v %v in group '%v'", fmt.Sprintf(uiUtils.Red, "✗"), verb, resource, group)
+		return false
+	}
+
+	logger.Log.Infof("%v can %v %v in group '%v'", fmt.Sprintf(uiUtils.Green, "√"), verb, resource, group)
 	return true
 }

cli/config/configStruct.go

@@ -22,6 +22,7 @@ const (
 
 type ConfigStruct struct {
 	Tap                    configStructs.TapConfig     `yaml:"tap"`
+	Check                  configStructs.CheckConfig   `yaml:"check"`
 	Version                configStructs.VersionConfig `yaml:"version"`
 	View                   configStructs.ViewConfig    `yaml:"view"`
 	Logs                   configStructs.LogsConfig    `yaml:"logs"`

cli/config/configStructs/checkConfig.go

@@ -0,0 +1,9 @@
+package configStructs
+
+const (
+	PreTapCheckName = "pre-tap"
+)
+
+type CheckConfig struct {
+	PreTap bool `yaml:"pre-tap"`
+}

shared/fileUtils.go

@@ -0,0 +1,20 @@
+package shared
+
+import (
+	"io/ioutil"
+	"os"
+)
+
+func ReadFromFile(path string) ([]byte, error) {
+	reader, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}

shared/kubernetes/provider.go

@@ -17,6 +17,7 @@ import (
 	"github.com/up9inc/mizu/shared/semver"
 	"github.com/up9inc/mizu/tap/api"
 	v1 "k8s.io/api/apps/v1"
+	auth "k8s.io/api/authorization/v1"
 	core "k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -443,6 +444,26 @@ func (provider *Provider) CreateService(ctx context.Context, namespace string, s
 	return provider.clientSet.CoreV1().Services(namespace).Create(ctx, &service, metav1.CreateOptions{})
 }
 
+func (provider *Provider) CanI(ctx context.Context, namespace string, resource string, verb string, group string) (bool, error) {
+	selfSubjectAccessReview := &auth.SelfSubjectAccessReview{
+		Spec: auth.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &auth.ResourceAttributes{
+				Namespace: namespace,
+				Resource: resource,
+				Verb: verb,
+				Group: group,
+			},
+		},
+	}
+
+	response, err := provider.clientSet.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, selfSubjectAccessReview, metav1.CreateOptions{})
+	if err != nil {
+		return false, err
+	}
+
+	return response.Status.Allowed, nil
+}
+
 func (provider *Provider) DoesNamespaceExist(ctx context.Context, name string) (bool, error) {
 	namespaceResource, err := provider.clientSet.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
 	return provider.doesResourceExist(namespaceResource, err)
@@ -829,7 +850,7 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac
 	if tls {
 		mizuCmd = append(mizuCmd, "--tls")
 	}
-	
+
 	if serviceMesh || tls {
 		mizuCmd = append(mizuCmd, "--procfs", procfsMountPath)
 	}
@@ -939,24 +960,6 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac
 	sysfsVolumeMount := applyconfcore.VolumeMount().WithName(sysfsVolumeName).WithMountPath(sysfsMountPath).WithReadOnly(true)
 	agentContainer.WithVolumeMounts(sysfsVolumeMount)
 
-	volumeName := ConfigMapName
-	configMapVolume := applyconfcore.VolumeApplyConfiguration{
-		Name: &volumeName,
-		VolumeSourceApplyConfiguration: applyconfcore.VolumeSourceApplyConfiguration{
-			ConfigMap: &applyconfcore.ConfigMapVolumeSourceApplyConfiguration{
-				LocalObjectReferenceApplyConfiguration: applyconfcore.LocalObjectReferenceApplyConfiguration{
-					Name: &volumeName,
-				},
-			},
-		},
-	}
-	mountPath := shared.ConfigDirPath
-	configMapVolumeMount := applyconfcore.VolumeMountApplyConfiguration{
-		Name:      &volumeName,
-		MountPath: &mountPath,
-	}
-	agentContainer.WithVolumeMounts(&configMapVolumeMount)
-
 	podSpec := applyconfcore.PodSpec()
 	podSpec.WithHostNetwork(true)
 	podSpec.WithDNSPolicy(core.DNSClusterFirstWithHostNet)
@@ -967,7 +970,7 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac
 	podSpec.WithContainers(agentContainer)
 	podSpec.WithAffinity(affinity)
 	podSpec.WithTolerations(noExecuteToleration, noScheduleToleration)
-	podSpec.WithVolumes(&configMapVolume, procfsVolume, sysfsVolume)
+	podSpec.WithVolumes(procfsVolume, sysfsVolume)
 
 	podTemplate := applyconfcore.PodTemplateSpec()
 	podTemplate.WithLabels(map[string]string{
@@ -981,7 +984,7 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac
 	labelSelector.WithMatchLabels(map[string]string{"app": tapperPodName})
 
 	applyOptions := metav1.ApplyOptions{
-		Force: true,
+		Force:        true,
 		FieldManager: fieldManagerName,
 	}
 

ui/src/components/EntryDetailed.tsx

@@ -8,6 +8,7 @@ import {toast} from "react-toastify";
 import {useRecoilValue} from "recoil";
 import focusedEntryIdAtom from "../recoil/focusedEntryId";
 import Api from "../helpers/api";
+import queryAtom from "../recoil/query";
 
 const useStyles = makeStyles(() => ({
     entryTitle: {
@@ -82,6 +83,7 @@ const api = Api.getInstance();
 export const EntryDetailed = () => {
 
     const focusedEntryId = useRecoilValue(focusedEntryIdAtom);
+    const query = useRecoilValue(queryAtom);
     const [entryData, setEntryData] = useState(null);
 
     useEffect(() => {
@@ -89,7 +91,7 @@ export const EntryDetailed = () => {
         setEntryData(null);
         (async () => {
             try {
-                const entryData = await api.getEntry(focusedEntryId);
+                const entryData = await api.getEntry(focusedEntryId, query);
                 setEntryData(entryData);
             } catch (error) {
                 if (error.response?.data?.type) {