From 305777e76837363041e27b345d46314b75e9bf1e Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Tue, 30 Aug 2022 15:34:01 +0200
Subject: [PATCH] kubeadm/cilium: patch Cilium daemon set
This is required even with Permissive mode. Can be dropped once `spc_t` is supported on Flatcar.
Picked-From: e8e97516601150c335ea0ea8961b04506dcdafb5
Signed-off-by: Mathieu Tortuyaux
---
 kola/tests/kubeadm/kubeadm.go | 8 ++++++--
 kola/tests/kubeadm/templates.go | 1 +
 kola/tests/kubeadm/testdata/master-cilium-script.sh | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/kola/tests/kubeadm/kubeadm.go b/kola/tests/kubeadm/kubeadm.go
index e625427a0..e703dc8fc 100644
--- a/kola/tests/kubeadm/kubeadm.go
+++ b/kola/tests/kubeadm/kubeadm.go
@@ -54,8 +54,12 @@ var (
 _ = c.MustSSH(controller, "/opt/bin/cilium uninstall")
 version := params["CiliumVersion"].(string)
 cidr := params["PodSubnet"].(string)
- cmd := fmt.Sprintf("/opt/bin/cilium install --config enable-endpoint-routes=true --config cluster-pool-ipv4-cidr=%s --version=%s --encryption=ipsec --wait --wait-duration 1m", cidr, version)
- _ = c.MustSSH(controller, cmd)
+ cmd := fmt.Sprintf("/opt/bin/cilium install --config enable-endpoint-routes=true --config cluster-pool-ipv4-cidr=%s --version=%s --encryption=ipsec --wait=false --restart-unmanaged-pods=false --rollback=false", cidr, version)
+ _, _ = c.SSH(controller, cmd)
+ patch := `/opt/bin/kubectl --namespace kube-system patch daemonset/cilium -p '{"spec":{"template":{"spec":{"containers":[{"name":"cilium-agent","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}],"initContainers":[{"name":"mount-cgroup","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"apply-sysctl-overwrites","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"clean-cilium-state","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}]}}}}'`
+ _ = c.MustSSH(controller, patch)
+ status := "/opt/bin/cilium status --wait --wait-duration 1m"
+ _ = c.MustSSH(controller, status)
 },
 },
 },
diff --git a/kola/tests/kubeadm/templates.go b/kola/tests/kubeadm/templates.go
index f54cfa990..45da1c44c 100644
--- a/kola/tests/kubeadm/templates.go
+++ b/kola/tests/kubeadm/templates.go
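Review bot: In kubeadm.go, `_, _ = c.SSH(controller, cmd)` discards both the output and the error of `cilium install`, so a genuine install failure can no longer be told apart from the install merely not converging before the daemon set is patched; it would only surface later as a failing `kubectl patch` or a `cilium status` timeout. If ignoring the exit status is intentional, which the switch to `--wait=false --rollback=false` suggests, keep the call non-fatal but log the returned error and output instead of assigning both to `_`. A comment would make the intent explicit, for example `// install may report an error until the daemon set is patched below; the final state is checked by cilium status`. The enclosing function starts before this hunk.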
@@ -403,6 +403,7 @@ EOF
 --config enable-endpoint-routes=true \
 --config cluster-pool-ipv4-cidr={{ .PodSubnet }} \
 --version={{ .CiliumVersion }} 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT
+ kubectl --namespace kube-system patch daemonset/cilium -p '{"spec":{"template":{"spec":{"containers":[{"name":"cilium-agent","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}],"initContainers":[{"name":"mount-cgroup","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"apply-sysctl-overwrites","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"clean-cilium-state","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}]}}}}'
 # --wait will wait for status to report success
 /opt/bin/cilium status --wait 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT
 {{ end }}
diff --git a/kola/tests/kubeadm/testdata/master-cilium-script.sh b/kola/tests/kubeadm/testdata/master-cilium-script.sh
index 72c099e77..7964f8930 100644
--- a/kola/tests/kubeadm/testdata/master-cilium-script.sh
+++ b/kola/tests/kubeadm/testdata/master-cilium-script.sh
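Review bot: The added `kubectl --namespace kube-system patch daemonset/cilium` line in templates.go moves `cilium-agent` and three init containers to the SELinux type `unconfined_t`, yet nothing in the script records that this is a temporary relaxation; only the commit message says it can be dropped once `spc_t` is supported on Flatcar. A shell comment above the line would keep that traceable, e.g. `# Workaround: run the Cilium containers as unconfined_t until spc_t is supported on Flatcar; remove this patch afterwards.` The same JSON literal is repeated in the kubeadm.go hunk and in testdata/master-cilium-script.sh, so the copies can drift apart. The container names are hard-coded as well, so a Cilium version that adds or renames an init container would presumably need this patch updated. The surrounding template block starts and ends outside the hunk.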
@@ -91,6 +91,7 @@ EOF
 --config enable-endpoint-routes=true \
 --config cluster-pool-ipv4-cidr=192.168.0.0/17 \
 --version=v0.11.1 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT
+ kubectl --namespace kube-system patch daemonset/cilium -p '{"spec":{"template":{"spec":{"containers":[{"name":"cilium-agent","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}],"initContainers":[{"name":"mount-cgroup","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"apply-sysctl-overwrites","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"clean-cilium-state","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}]}}}}'
 # --wait will wait for status to report success
 /opt/bin/cilium status --wait 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT