

Use await-node-ready command for init containers
...in gateway and route-agent daemonsets.

Related to #3274

Signed-off-by: Tom Pantelis <[email protected]>
tpantelis committed Dec 5, 2024
1 parent edbfda0 commit cc33155
Showing 2 changed files with 14 additions and 17 deletions.
29 changes: 13 additions & 16 deletions controllers/submariner/gateway_resources.go
Expand Up @@ -132,19 +132,6 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
})
}

securityContext := &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Add: []corev1.Capability{"net_admin"},
Drop: []corev1.Capability{"all"},
},
// The gateway needs to be privileged so it can write to /proc/sys
AllowPrivilegeEscalation: ptr.To(true),
Privileged: ptr.To(true),
RunAsNonRoot: ptr.To(false),
// We need to be able to update /var/lib/alternatives (for iptables)
ReadOnlyRootFilesystem: ptr.To(false),
}

podTemplate := corev1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Labels: podSelectorLabels,
Expand All @@ -167,9 +154,8 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
Name: name + "-init",
Image: getImagePath(cr, opnames.GatewayImage, names.GatewayComponent),
ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.GatewayComponent]),
SecurityContext: securityContext,
Command: []string{"await-node-ready.sh"},
Env: httpproxy.AddEnvVars([]corev1.EnvVar{
{Name: "SUBMARINER_WAITFORNODE", Value: "true"},
{Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "spec.nodeName",
Expand All @@ -183,7 +169,18 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
Name: name,
Image: getImagePath(cr, opnames.GatewayImage, names.GatewayComponent),
ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.GatewayComponent]),
SecurityContext: securityContext,
SecurityContext: &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Add: []corev1.Capability{"net_admin"},
Drop: []corev1.Capability{"all"},
},
// The gateway needs to be privileged so it can write to /proc/sys
AllowPrivilegeEscalation: ptr.To(true),
Privileged: ptr.To(true),
RunAsNonRoot: ptr.To(false),
// We need to be able to update /var/lib/alternatives (for iptables)
ReadOnlyRootFilesystem: ptr.To(false),
},
Ports: []corev1.ContainerPort{
{
Name: encapsPortName,
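Review bot: The `-init` container in the second hunk is left with no SecurityContext at all once `SecurityContext: securityContext,` is removed, so its effective privileges now come entirely from the pod-level securityContext, which lies outside this hunk. Dropping the privileged, net_admin context from a container that only runs `await-node-ready.sh` is the right least-privilege direction, but it is currently recorded by omission; an explicit minimal context such as `SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"all"}}, AllowPrivilegeEscalation: ptr.To(false)},` would make the intent visible and checkable next to the privileged context that the third hunk inlines for the gateway container. A one-line comment above the init container's `Command`, e.g. `// Only waits for the node to become Ready; unlike the gateway container below it needs no elevated privileges.`, would also discourage a future change from re-sharing the privileged context. newGatewayPodTemplate starts and ends outside the visible hunks.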
2 changes: 1 addition & 1 deletion controllers/submariner/route_agent_resources.go
Expand Up @@ -110,8 +110,8 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon
Name: name + "-init",
Image: getImagePath(cr, opnames.RouteAgentImage, names.RouteAgentComponent),
ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.RouteAgentComponent]),
Command: []string{"await-node-ready.sh"},
Env: httpproxy.AddEnvVars([]corev1.EnvVar{
{Name: "SUBMARINER_WAITFORNODE", Value: "true"},
{Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "spec.nodeName",
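Review bot: The new `Command: []string{"await-node-ready.sh"},` line has no comment saying what the init container is waiting for, and the removal of `SUBMARINER_WAITFORNODE` leaves `NODE_NAME` as the only visible input to the script. A short comment above the Command line, e.g. `// Block route-agent start-up until the node named by NODE_NAME reports Ready.`, would record the contract; whether the script also reads the proxy variables added by `httpproxy.AddEnvVars` cannot be told from this hunk, so the comment should not claim it. newRouteAgentDaemonSet starts and ends outside the hunk.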
