Support for Load/Attach Split with Initial Cluster-Scoped XDP Programs

This commit introduces the foundation for the load/attach split, including:
- Updates to the `BpfApplication` CRD to support a separate list of optional
  attach points for programs. This allows programs to be loaded before
  attachments are made and enables dynamic attachment updates.
- An initial version of the `BpfApplicationNode` CRD to manage per-node
  information for a single `BpfApplication`.
- Proof of concept and initial implementation for cluster-scoped XDP
  programs, with working unit tests in the app-agent.

Additionally:
- Updated existing controllers to work with the new CRD format, though
  currently limited to XDP programs.
- Initial changes in the operator to support the load/attach split, with
  further cleanup and support for additional program types planned.

TODO:
- Generalize the agent code to support multiple program types.
- Support for namespace-scoped CRDs and other program types beyond XDP.
- More clean-up, complete testing, and address remaining edge cases.

Signed-off-by: Andre Fredette <[email protected]>

Author: anfredette

Makefile

@@ -208,8 +208,8 @@ COMMON_FLAGS ?= ${VERIFY_FLAG} --go-header-file $(shell pwd)/hack/boilerplate.go
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
-	$(CONTROLLER_GEN) rbac:roleName=agent-role paths="./controllers/bpfman-agent/..." output:rbac:artifacts:config=config/rbac/bpfman-agent
-	$(CONTROLLER_GEN) rbac:roleName=operator-role paths="./controllers/bpfman-operator" output:rbac:artifacts:config=config/rbac/bpfman-operator
+	$(CONTROLLER_GEN) rbac:roleName=agent-role paths="./controllers/bpfman-agent/...;./controllers/app-agent/..." output:rbac:artifacts:config=config/rbac/bpfman-agent
+	$(CONTROLLER_GEN) rbac:roleName=operator-role paths="./controllers/bpfman-operator;./controllers/app-operator" output:rbac:artifacts:config=config/rbac/bpfman-operator
 
 .PHONY: generate
 generate: manifests generate-register generate-deepcopy generate-typed-clients generate-typed-listers generate-typed-informers ## Generate ALL auto-generated code.

PROJECT

@@ -129,4 +129,11 @@ resources:
   kind: BpfNsApplication
   path: github.com/bpfman/bpfman-operator/apis/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+  controller: true
+  domain: bpfman.io
+  kind: BpfApplicationNode
+  path: github.com/bpfman/bpfman-operator/apis/v1alpha1
+  version: v1alpha1
 version: "3"

apis/v1alpha1/bpfApplicationNode_types.go

@@ -0,0 +1,172 @@
+/*
+Copyright 2023 The bpfman Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1types "k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// BpfApplicationProgramNode defines the desired state of BpfApplication
+// +union
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'XDP' ?  has(self.xdp) : !has(self.xdp)",message="xdp configuration is required when type is XDP, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'TC' ?  has(self.tc) : !has(self.tc)",message="tc configuration is required when type is TC, and forbidden otherwise"
+// // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'TCX' ?  has(self.tcx) : !has(self.tcx)",message="tcx configuration is required when type is TCX, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Fentry' ?  has(self.fentry) : !has(self.fentry)",message="fentry configuration is required when type is Fentry, and forbidden otherwise"
+// // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Fexit' ?  has(self.fexit) : !has(self.fexit)",message="fexit configuration is required when type is Fexit, and forbidden otherwise"
+// // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Kprobe' ?  has(self.kprobe) : !has(self.kprobe)",message="kprobe configuration is required when type is Kprobe, and forbidden otherwise"
+// // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Kretprobe' ?  has(self.kretprobe) : !has(self.kretprobe)",message="kretprobe configuration is required when type is Kretprobe, and forbidden otherwise"
+// // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Uprobe' ?  has(self.uprobe) : !has(self.uprobe)",message="uprobe configuration is required when type is Uprobe, and forbidden otherwise"
+// // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Uretprobe' ?  has(self.uretprobe) : !has(self.uretprobe)",message="uretprobe configuration is required when type is Uretprobe, and forbidden otherwise"
+// // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Tracepoint' ?  has(self.tracepoint) : !has(self.tracepoint)",message="tracepoint configuration is required when type is Tracepoint, and forbidden otherwise"
+type BpfApplicationProgramNode struct {
+	// ProgramAttachStatus records whether the program should be loaded and whether
+	// the program is loaded.
+	ProgramAttachStatus BpfProgramConditionType `json:"programattachstatus"`
+
+	// ProgramId is the id of the program in the kernel.  Not set until the
+	// program is loaded.
+	// +optional
+	ProgramId *uint32 `json:"program_id"`
+
+	// Type specifies the bpf program type
+	// +unionDiscriminator
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum:="XDP";"TC";"TCX";"Fentry";"Fexit";"Kprobe";"Kretprobe";"Uprobe";"Uretprobe";"Tracepoint"
+	Type EBPFProgType `json:"type,omitempty"`
+
+	// xdp defines the desired state of the application's XdpPrograms.
+	// +unionMember
+	// +optional
+	XDP *XdpProgramInfoNode `json:"xdp,omitempty"`
+
+	// tc defines the desired state of the application's TcPrograms.
+	// +unionMember
+	// +optional
+	TC *TcProgramInfoNode `json:"tc,omitempty"`
+
+	// // tcx defines the desired state of the application's TcxPrograms.
+	// // +unionMember
+	// // +optional
+	// TCX *TcxProgramInfoNode `json:"tcx,omitempty"`
+
+	// fentry defines the desired state of the application's FentryPrograms.
+	// +unionMember
+	// +optional
+	Fentry *FentryProgramInfoNode `json:"fentry,omitempty"`
+
+	// // fexit defines the desired state of the application's FexitPrograms.
+	// // +unionMember
+	// // +optional
+	// Fexit *FexitProgramInfoNode `json:"fexit,omitempty"`
+
+	// // kprobe defines the desired state of the application's KprobePrograms.
+	// // +unionMember
+	// // +optional
+	// Kprobe *KprobeProgramInfoNode `json:"kprobe,omitempty"`
+
+	// // kretprobe defines the desired state of the application's KretprobePrograms.
+	// // +unionMember
+	// // +optional
+	// Kretprobe *KprobeProgramInfoNode `json:"kretprobe,omitempty"`
+
+	// // uprobe defines the desired state of the application's UprobePrograms.
+	// // +unionMember
+	// // +optional
+	// Uprobe *UprobeProgramInfoNode `json:"uprobe,omitempty"`
+
+	// // uretprobe defines the desired state of the application's UretprobePrograms.
+	// // +unionMember
+	// // +optional
+	// Uretprobe *UprobeProgramInfoNode `json:"uretprobe,omitempty"`
+
+	// // tracepoint defines the desired state of the application's TracepointPrograms.
+	// // +unionMember
+	// // +optional
+	// Tracepoint *TracepointProgramInfoNode `json:"tracepoint,omitempty"`
+}
+
+// BpfApplicationSpec defines the desired state of BpfApplication
+type BpfApplicationNodeSpec struct {
+	// The number of times the BpfApplicationNode has been updated.  Set to 1
+	// when the object is created, then it is incremented prior to each update.
+	// This allows us to verify that the API server has the updated object prior
+	// to starting a new Reconcile operation.
+	UpdateCount int64 `json:"updatecount"`
+	// AppLoadStatus reflects the status of loading the bpf application on the
+	// given node.
+	AppLoadStatus BpfProgramConditionType `json:"apploadstatus"`
+	// Programs is a list of bpf programs contained in the parent application.
+	// It is a map from the bpf program name to BpfApplicationProgramNode
+	// elements.
+	Programs map[string]BpfApplicationProgramNode `json:"programs,omitempty"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+
+// BpfApplicationNode is the Schema for the bpfapplications API
+// +kubebuilder:printcolumn:name="Node",type=string,JSONPath=".metadata.labels['kubernetes.io/hostname']"
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[0].reason`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+type BpfApplicationNode struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BpfApplicationNodeSpec `json:"spec,omitempty"`
+	Status BpfAppStatus           `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// BpfApplicationList contains a list of BpfApplications
+type BpfApplicationNodeList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BpfApplicationNode `json:"items"`
+}
+
+func (an BpfApplicationNode) GetName() string {
+	return an.Name
+}
+
+func (an BpfApplicationNode) GetUID() metav1types.UID {
+	return an.UID
+}
+
+func (an BpfApplicationNode) GetAnnotations() map[string]string {
+	return an.Annotations
+}
+
+func (an BpfApplicationNode) GetLabels() map[string]string {
+	return an.Labels
+}
+
+func (an BpfApplicationNode) GetStatus() *BpfAppStatus {
+	return &an.Status
+}
+
+func (an BpfApplicationNode) GetClientObject() client.Object {
+	return &an
+}
+
+func (anl BpfApplicationNodeList) GetItems() []BpfApplicationNode {
+	return anl.Items
+}

apis/v1alpha1/bpfApplication_types.go

@@ -129,16 +129,11 @@ type BpfApplicationProgram struct {
 type BpfApplicationSpec struct {
 	BpfAppCommon `json:",inline"`
 
-	// Programs is a list of bpf programs supported for a specific application.
-	// It's possible that the application can selectively choose which program(s)
-	// to run from this list.
-	// +kubebuilder:validation:MinItems:=1
-	Programs []BpfApplicationProgram `json:"programs,omitempty"`
-}
-
-// BpfApplicationStatus defines the observed state of BpfApplication
-type BpfApplicationStatus struct {
-	BpfProgramStatusCommon `json:",inline"`
+	// Programs is the list of bpf programs in the BpfApplication that should be
+	// loaded. The application can selectively choose which program(s) to run
+	// from this list based on the optional attach points provided.  The list is
+	// implemented as a map from the bpf function name to BpfApplicationProgram.
+	Programs map[string]BpfApplicationProgram `json:"programs,omitempty"`
 }
 
 // +genclient
@@ -155,8 +150,8 @@ type BpfApplication struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   BpfApplicationSpec   `json:"spec,omitempty"`
-	Status BpfApplicationStatus `json:"status,omitempty"`
+	Spec   BpfApplicationSpec `json:"spec,omitempty"`
+	Status BpfAppStatus       `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true

apis/v1alpha1/bpfNsApplication_types.go

@@ -85,7 +85,7 @@ type BpfNsApplication struct {
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
 	Spec   BpfNsApplicationSpec `json:"spec,omitempty"`
-	Status BpfApplicationStatus `json:"status,omitempty"`
+	Status BpfAppStatus         `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true

apis/v1alpha1/fentryProgram_types.go

@@ -37,9 +37,8 @@ type FentryProgram struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec FentryProgramSpec `json:"spec"`
-	// +optional
-	Status FentryProgramStatus `json:"status,omitempty"`
+	Spec   FentryProgramSpec `json:"spec"`
+	Status BpfAppStatus      `json:"status,omitempty"`
 }
 
 // FentryProgramSpec defines the desired state of FentryProgram
@@ -52,13 +51,19 @@ type FentryProgramSpec struct {
 // FentryProgramInfo defines the Fentry program details
 type FentryProgramInfo struct {
 	BpfProgramCommon `json:",inline"`
-	// Function to attach the fentry to.
-	FunctionName string `json:"func_name"`
+	FentryLoadInfo   `json:",inline"`
+	// Whether the program should be attached to the function.
+	// This may be updated after the program has been loaded.
+	// +optional
+	// +kubebuilder:default=false
+	Attach bool `json:"attach"`
 }
 
-// FentryProgramStatus defines the observed state of FentryProgram
-type FentryProgramStatus struct {
-	BpfProgramStatusCommon `json:",inline"`
+// FentryLoadInfo contains the program-specific load information for Fentry
+// programs
+type FentryLoadInfo struct {
+	// FunctionName is the name of the function to attach the Fentry program to.
+	FunctionName string `json:"function_name"`
 }
 
 // +kubebuilder:object:root=true
@@ -68,3 +73,21 @@ type FentryProgramList struct {
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []FentryProgram `json:"items"`
 }
+
+type FentryProgramInfoNode struct {
+	// The list of points to which the program should be attached.
+	// FentryAttachInfoNode is similar to FentryAttachInfo, but the interface and
+	// container selectors are expanded, and we have one instance of
+	// FentryAttachInfoNode for each unique attach point. The list is optional and
+	// may be udated after the bpf program has been loaded.
+	// +optional
+	AttachPoint FentryAttachInfoNode `json:"attach_points"`
+}
+
+type FentryAttachInfoNode struct {
+	AttachInfoCommon `json:",inline"`
+	// An identifier for the attach point assigned by bpfman. This field is
+	// empty until the program is successfully attached and bpfman returns the
+	// id.
+	AttachId *uint32 `json:"attachid"`
+}

apis/v1alpha1/fexitProgram_types.go

@@ -37,9 +37,8 @@ type FexitProgram struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec FexitProgramSpec `json:"spec"`
-	// +optional
-	Status FexitProgramStatus `json:"status,omitempty"`
+	Spec   FexitProgramSpec `json:"spec"`
+	Status BpfAppStatus     `json:"status,omitempty"`
 }
 
 // FexitProgramSpec defines the desired state of FexitProgram
@@ -52,13 +51,19 @@ type FexitProgramSpec struct {
 // FexitProgramInfo defines the Fexit program details
 type FexitProgramInfo struct {
 	BpfProgramCommon `json:",inline"`
-	// Function to attach the fexit to.
-	FunctionName string `json:"func_name"`
+	FexitLoadInfo    `json:",inline"`
+	// Whether the program should be attached to the function.
+	// This may be updated after the program has been loaded.
+	// +optional
+	// +kubebuilder:default=false
+	Attach bool `json:"attach"`
 }
 
-// FexitProgramStatus defines the observed state of FexitProgram
-type FexitProgramStatus struct {
-	BpfProgramStatusCommon `json:",inline"`
+// FexitLoadInfo contains the program-specific load information for Fexit
+// programs
+type FexitLoadInfo struct {
+	// FunctionName is the name of the function to attach the Fexit program to.
+	FunctionName string `json:"function_name"`
 }
 
 // +kubebuilder:object:root=true

apis/v1alpha1/kprobeProgram_types.go

@@ -39,16 +39,14 @@ type KprobeProgram struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec KprobeProgramSpec `json:"spec"`
-	// +optional
-	Status KprobeProgramStatus `json:"status,omitempty"`
+	Spec   KprobeProgramSpec `json:"spec"`
+	Status BpfAppStatus      `json:"status,omitempty"`
 }
 
 // KprobeProgramSpec defines the desired state of KprobeProgram
 // +kubebuilder:printcolumn:name="FunctionName",type=string,JSONPath=`.spec.func_name`
 // +kubebuilder:printcolumn:name="Offset",type=integer,JSONPath=`.spec.offset`
 // +kubebuilder:printcolumn:name="RetProbe",type=boolean,JSONPath=`.spec.retprobe`
-// +kubebuilder:validation:XValidation:message="offset cannot be set for kretprobes",rule="self.retprobe == false || self.offset == 0"
 type KprobeProgramSpec struct {
 	KprobeProgramInfo `json:",inline"`
 	BpfAppCommon      `json:",inline"`
@@ -57,7 +55,14 @@ type KprobeProgramSpec struct {
 // KprobeProgramInfo defines the common fields for KprobeProgram
 type KprobeProgramInfo struct {
 	BpfProgramCommon `json:",inline"`
+	// The list of points to which the program should be attached.  The list is
+	// optional and may be udated after the bpf program has been loaded
+	// +optional
+	AttachPoints []KprobeAttachInfo `json:"attach_points"`
+}
 
+// +kubebuilder:validation:XValidation:message="offset cannot be set for kretprobes",rule="self.retprobe == false || self.offset == 0"
+type KprobeAttachInfo struct {
 	// Functions to attach the kprobe to.
 	FunctionName string `json:"func_name"`
 
@@ -73,11 +78,6 @@ type KprobeProgramInfo struct {
 	RetProbe bool `json:"retprobe"`
 }
 
-// KprobeProgramStatus defines the observed state of KprobeProgram
-type KprobeProgramStatus struct {
-	BpfProgramStatusCommon `json:",inline"`
-}
-
 // +kubebuilder:object:root=true
 // KprobeProgramList contains a list of KprobePrograms
 type KprobeProgramList struct {