

Add init container to the gateway to wait for node readiness
See submariner-io/submariner#3222

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
tpantelis committed Nov 22, 2024
1 parent 497a495 commit 77157a2
Showing 2 changed files with 31 additions and 13 deletions.
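--- a/controllers/submariner/gateway_resources.go
+++ b/controllers/submariner/gateway_resources.go
@@ -133,6 +133,19 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 })
 }
 
+securityContext := &corev1.SecurityContext{
+Capabilities: &corev1.Capabilities{
+Add: []corev1.Capability{"net_admin"},
+Drop: []corev1.Capability{"all"},
+},
+// The gateway needs to be privileged so it can write to /proc/sys
+AllowPrivilegeEscalation: ptr.To(true),
+Privileged: ptr.To(true),
+RunAsNonRoot: ptr.To(false),
+// We need to be able to update /var/lib/alternatives (for iptables)
+ReadOnlyRootFilesystem: ptr.To(false),
+}
+
 podTemplate := corev1.PodTemplateSpec{
 ObjectMeta: metav1.ObjectMeta{
 Labels: podSelectorLabels,
@@ -149,23 +162,29 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 },
 },
 NodeSelector: map[string]string{"submariner.io/gateway": "true"},
+// Wait for the node to be ready before starting the gateway.
+InitContainers: []corev1.Container{
+{
+Name: name + "-init",
+Image: getImagePath(cr, opnames.GatewayImage, names.GatewayComponent),
+ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.GatewayComponent]),
+SecurityContext: securityContext,
+Env: httpproxy.AddEnvVars([]corev1.EnvVar{
+{Name: "SUBMARINER_WAITFORNODE", Value: "true"},
+{Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
+FieldRef: &corev1.ObjectFieldSelector{
+FieldPath: "spec.nodeName",
+},
+}},
+}),
+},
+},
 Containers: []corev1.Container{
 {
 Name: name,
 Image: getImagePath(cr, opnames.GatewayImage, names.GatewayComponent),
 ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.GatewayComponent]),
-SecurityContext: &corev1.SecurityContext{
-Capabilities: &corev1.Capabilities{
-Add: []corev1.Capability{"net_admin"},
-Drop: []corev1.Capability{"all"},
-},
-// The gateway needs to be privileged so it can write to /proc/sys
-AllowPrivilegeEscalation: ptr.To(true),
-Privileged: ptr.To(true),
-RunAsNonRoot: ptr.To(false),
-// We need to be able to update /var/lib/alternatives (for iptables)
-ReadOnlyRootFilesystem: ptr.To(false),
-},
+SecurityContext: securityContext,
 Ports: []corev1.ContainerPort{
 {
 Name: encapsPortName,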
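Review bot: The new init container in the second hunk (`SecurityContext: securityContext,` inside the InitContainers entry) inherits the gateway's fully privileged context — privileged, net_admin, AllowPrivilegeEscalation and a writable root filesystem — although its only visible job, given `SUBMARINER_WAITFORNODE=true` and the `spec.nodeName` field ref, appears to be waiting for the Node to become ready, which presumably needs only API access through the pod's service account. Unless the wait logic itself has to touch the host, giving the init container its own minimal context keeps the privileged window confined to the gateway container proper; if sharing the context is intentional, a one-line comment next to that `SecurityContext:` line explaining why would stop a later reader from tightening it by mistake. Whether RunAsNonRoot and ReadOnlyRootFilesystem can also be restricted for the init container depends on what the image entrypoint writes, which this hunk does not show, so the values below are a starting point to verify against the image. newGatewayPodTemplate starts before the first hunk and continues past the second.
```go
// The init container only waits for the node to become ready; it does not
// need the host privileges the gateway container itself requires.
initSecurityContext := &corev1.SecurityContext{
	Capabilities: &corev1.Capabilities{
		Drop: []corev1.Capability{"all"},
	},
	AllowPrivilegeEscalation: ptr.To(false),
	Privileged:               ptr.To(false),
}
// … unchanged: securityContext for the gateway container, podTemplate header, InitContainers entry up to ImagePullPolicy …
SecurityContext: initSecurityContext,
```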
1 change: 0 additions & 1 deletion controllers/submariner/route_agent_resources.go
Expand Up @@ -110,7 +110,6 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon
Name: name + "-init",
Image: getImagePath(cr, opnames.RouteAgentImage, names.RouteAgentComponent),
ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.RouteAgentComponent]),
Command: []string{"submariner-route-agent.sh"},
Env: httpproxy.AddEnvVars([]corev1.EnvVar{
{Name: "SUBMARINER_WAITFORNODE", Value: "true"},
{Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
