Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for setting the namespace that the CNI plugin is installed #1756

Merged
merged 3 commits into from
Nov 30, 2022
Merged

Add support for setting the namespace that the CNI plugin is installed #1756

merged 3 commits into from
Nov 30, 2022

Conversation

kschoche
Copy link
Contributor

@kschoche kschoche commented Nov 30, 2022
edited
Loading

Kubernetes 1.25 uses the PSA system which controls pod security standards at the namespace level.
The CNI plugin requires elevated permissions which would otherwise interfere with setting the rest of the consul-k8s resources compliant with restricted modes of the PSA.
By allowing the CNI plugin to be installed into another namespace, like kube-system or consul-system we can still run the rest of Consul in restricted mode while the CNI plugin runs in another elevated namespace.
This is a common workflow for other CNI plugins:

demo $ k get pods -A
NAMESPACE            NAME                                        READY   STATUS    RESTARTS      AGE
calico-apiserver     calico-apiserver-db5d9d654-hlf62            1/1     Running   0             19h
calico-apiserver     calico-apiserver-db5d9d654-w5ljk            1/1     Running   0             19h
calico-system        calico-kube-controllers-5d95c5d5fb-7vm9h    1/1     Running   0             19h
calico-system        calico-node-9tglm                           1/1     Running   0             19h
calico-system        calico-typha-664b86ccfd-bs65l               1/1     Running   0             19h
calico-system        csi-node-driver-tftld                       2/2     Running   0             19h

Changes proposed in this PR:

  • Introduces a new field namespace into the connectInject.cni stanza which controls which namespace CNI related resources are installed in.

How I've tested this PR:
Unit tests + manually test by installing the plugin:

$ cat x.yaml
connectInject:
  enabled: true
  cni:
    enabled: true
    namespace: kube-system

$ helm install consul /Users/kyle/go/src/github.com/hashicorp/consul-k8s/charts/consul -f x.yaml
<snip>

$ k get pods -A
NAMESPACE            NAME                                        READY   STATUS    RESTARTS      AGE
calico-apiserver     calico-apiserver-db5d9d654-hlf62            1/1     Running   0             20h
calico-apiserver     calico-apiserver-db5d9d654-w5ljk            1/1     Running   0             20h
calico-system        calico-kube-controllers-5d95c5d5fb-7vm9h    1/1     Running   0             20h
calico-system        calico-node-9tglm                           1/1     Running   0             20h
calico-system        calico-typha-664b86ccfd-bs65l               1/1     Running   0             20h
calico-system        csi-node-driver-tftld                       2/2     Running   0             20h
kube-system          consul-consul-cni-94n62                     1/1     Running   0             13s

Note to Reviewers:

  • Is there anything in the consul-k8s cli that might need to change for this?

How I expect reviewers to test this PR:
👀

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@kschoche kschoche added the area/chart-only Related to changes that simply require yaml Helm chart changes, e.g. exposing a new field label Nov 30, 2022
@kschoche kschoche requested a review from curtbushko November 30, 2022 15:36
@kschoche kschoche self-assigned this Nov 30, 2022
@kschoche kschoche changed the title Add support for setting the namespace that the CNI plugin is installed into Add support for setting the namespace that the CNI plugin is installed Nov 30, 2022
@kschoche kschoche marked this pull request as ready for review November 30, 2022 15:52
curtbushko
curtbushko reviewed Nov 30, 2022
View reviewed changes
Copy link
Contributor

@curtbushko curtbushko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Just a few requests/comments!

@kschoche kschoche requested review from a team, analogue and thisisnotashwin and removed request for a team November 30, 2022 17:08
thisisnotashwin
thisisnotashwin approved these changes Nov 30, 2022
View reviewed changes
Copy link
Contributor

@thisisnotashwin thisisnotashwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work here!!

@kschoche kschoche requested a review from curtbushko November 30, 2022 19:41
@kschoche kschoche merged commit 0a64d26 into main Nov 30, 2022
@kschoche kschoche deleted the allow_cni_namespacing branch November 30, 2022 19:45
Merged
2 tasks
@curtbushko curtbushko mentioned this pull request Dec 5, 2022
Merged
3 tasks
This was referenced Dec 5, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@curtbushko curtbushko curtbushko approved these changes

@thisisnotashwin thisisnotashwin thisisnotashwin approved these changes

@analogue analogue Awaiting requested review from analogue

Assignees

@kschoche kschoche

Labels
area/chart-only Related to changes that simply require yaml Helm chart changes, e.g. exposing a new field
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kschoche @curtbushko @thisisnotashwin