remove xtables.lock and privileged=true from node-local-dns example #14319

Merged (1 commit), Dec 11, 2020
Conversation

@ghouscht ghouscht commented Dec 9, 2020

As discussed in slack, the node-local-dns cache container does not need the iptables xtables.lock mount and can thus be run unprivileged. This PR fixes the example deployment by removing the mount of the lock and the privileged: true directive.

\cc @Weil0ng

@ghouscht ghouscht requested a review from a team as a code owner December 9, 2020 06:00
@ghouscht ghouscht requested a review from joestringer December 9, 2020 06:00
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 9, 2020
@aanm aanm added the release-note/misc This PR makes changes that have no direct user impact. label Dec 9, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 9, 2020
@brb brb requested a review from Weil0ng December 9, 2020 12:44
@brb brb left a comment

Thanks!

@Weil0ng Weil0ng left a comment

Thanks!

@joestringer
Member

Before we merge, I would like to understand the testing of these changes.

@Weil0ng @aditighag I couldn't find this file being used in CI, do we do integration/regression testing automatically?

@ghouscht what kind of manual testing have you performed while preparing the PR?

@ghouscht
Contributor Author

Probably the only use of this file is here: https://docs.cilium.io/en/v1.9/gettingstarted/local-redirect-policy/#node-local-dns-cache. We're currently evaluating node-local-dns in our environment, and during review I noticed that the container ran privileged. This is not necessary, since cilium handles traffic redirection (by a local redirect policy) to the node-local-dns cache containers, and because of that the container does not need to write iptables rules itself (see also the -setupiptables=false flag). So there is simply no need to mount xtables.lock or to run in privileged mode.

This is also the setup we're currently still testing on our infrastructure, and at the time of writing it works as expected.
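An added check, not part of this PR or the Cilium repository, that audits a node-local-dns pod spec for the two things removed here (the `/run/xtables.lock` hostPath mount and `privileged: true`) and confirms `-setupiptables=false` is set, which is what makes the unprivileged setup safe under a local redirect policy. The two specs below are constructed to mirror the shape of the example manifest, not copied from it.

```python
"""Audit a node-local-dns pod spec for privilege the DNS cache does not need."""

XTABLES_LOCK = "/run/xtables.lock"


def audit_pod_spec(pod_spec: dict) -> list[str]:
    """Return findings: privileged containers, xtables.lock mounts, missing flag."""
    findings = []
    # Volumes that point at the host's iptables lock file.
    lock_volumes = {
        v["name"] for v in pod_spec.get("volumes", [])
        if v.get("hostPath", {}).get("path") == XTABLES_LOCK
    }
    for c in pod_spec.get("containers", []):
        name = c["name"]
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}: privileged=true")
        for m in c.get("volumeMounts", []):
            if m["name"] in lock_volumes or m.get("mountPath") == XTABLES_LOCK:
                findings.append(f"{name}: mounts {XTABLES_LOCK}")
        # With Cilium redirecting DNS traffic, the cache must not program iptables itself.
        if "-setupiptables=false" not in c.get("args", []):
            findings.append(f"{name}: missing -setupiptables=false")
    return findings


# Constructed "before" spec (assumed shape; not the original example file).
BEFORE = {
    "containers": [{
        "name": "node-cache",
        "args": ["-conf", "/etc/Corefile", "-setupiptables=false"],
        "securityContext": {"privileged": True},
        "volumeMounts": [{"name": "xtables-lock", "mountPath": XTABLES_LOCK}],
    }],
    "volumes": [{"name": "xtables-lock",
                 "hostPath": {"path": XTABLES_LOCK, "type": "FileOrCreate"}}],
}

# Constructed "after" spec: lock mount and privileged flag dropped, as in this PR.
AFTER = {
    "containers": [{
        "name": "node-cache",
        "args": ["-conf", "/etc/Corefile", "-setupiptables=false"],
    }],
    "volumes": [],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_pod_spec(spec) or ["clean"])
```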

@joestringer joestringer added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Dec 10, 2020
@jrajahalme jrajahalme merged commit 564f047 into cilium:master Dec 11, 2020