Add volume and volumeMount for buster-based proxy-init #4692
alpeb
left a comment
Thanks for the very comprehensive changeset 👍
Just one question: why a volume mount using subPath? My understanding is that that's used only when doing multiple mounts drawn from the same volume...
| - mountPath: {{.Values.global.proxyInit.xtMountPath.mountPath}} | ||
| name: {{.Values.global.proxyInit.xtMountPath.name}} | ||
| subPath: {{.Values.global.proxyInit.xtMountPath.subPath}} |
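Review bot: the subPath on this volumeMount does not give the scoping it is meant to. If the value names a file such as xtables.lock that does not yet exist in the emptyDir, kubelet creates the missing subPath as a directory, so iptables would find a directory at /run/xtables.lock rather than being able to create the lock file there. Mounting the emptyDir on the directory (mountPath: /run) with no subPath is simpler and lets iptables create the file itself; it also keeps the three values keys down to two.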
TIOLI: To be consistent with the changes for the volume declarations in the other files, we could wrap this with {{ if not .Values.global.cniEnabled -}}, but that might turn things a bit complicated as we also have to check for .Values.global.proxyInit.saMountPath to decide whether the volumeMounts section is rendered at all...
Good catch @alpeb I added those statements.
The reason I used subPath is to limit the volume to just /run/xtables.lock rather than the entire /run directory. I may be misusing subPath and will change it if that's not the right way to limit the scope of the volume
Right, in that case I believe the right format would be

    mountPath: /run/xtables.lock
    name: linkerd-proxy-init-xtables-lock
    subPath: xtables.lock

but even so, it doesn't feel very kosher to me given xtables.lock doesn't even exist when this gets mounted. IMO we should leave things simpler and omit subPath.
| name: {{ printf "%s-config-val" .Values.collector.name}} | ||
| - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} | ||
| {{ if not .Values.global.noInitContainer -}} | ||
| {{ if not .Values.global.cniEnabled -}} |
| - mountPath: {{.Values.global.proxyInit.xtMountPath.mountPath}} | ||
| name: {{.Values.global.proxyInit.xtMountPath.name}} | ||
| subPath: {{.Values.global.proxyInit.xtMountPath.subPath}} |
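Review bot: the mount is now gated on both noInitContainer and cniEnabled, but a volumeMount that names a volume the pod spec does not declare is rejected when the pod is created, so the linkerd-proxy-init-xtables-lock emptyDir has to be rendered in the pod's volumes list under exactly the same two conditions. A template test that renders with cniEnabled=true and asserts that neither the mount nor the volume appears would pin this down.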
TIL @alpeb 😄 I'll remove the
@alpeb I've removed the
Signed-off-by: Charles Pretzer <charles@buoyant.io>
Pothulapati
left a comment
LGTM and tried the same with the init image from linkerd/linkerd2-proxy-init#3 and it works without failing.
| {{ define "partials.proxyInit.volumes.xtables" -}} | ||
| emptyDir: {} | ||
| name: linkerd-proxy-init-xtables-lock |
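Review bot: the volume name is hard-coded in this partial while the mount side reads it from .Values.global.proxyInit.xtMountPath.name, so an override of that value would leave the mount pointing at a volume that is never declared. Either render the name here from the same values key, or drop the value and hard-code both sides, so the pair cannot drift apart.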
How about using .Values.global.proxyInit.xtMountPath.name directly here too? So that we don't have to maintain multiple copies of this?
* Add volume and volumeMount for buster-based proxy-init
Signed-off-by: Charles Pretzer <charles@buoyant.io>
Signed-off-by: Eric Solomon <errcsool@engineer.com>

Subject
Add volume and volumeMount resources for the proxy-init container which uses buster as described in proxy-init PR 3

Problem
The buster image uses iptables 1.8.x which attempts to lock a file named /run/xtables.lock in order to safely manage iptables updates to the system. This also requires using iptables-legacy to support backwards compatibility. The securityPolicy of the proxy-init container sets readOnlyRootFilesystem to true, and the buster-based proxy-init container fails to start because it can't create /run/xtables.lock.

Solution
This PR adds a volumeMount to the proxy-init container using subPath to ensure that /run/xtables.lock is writeable by the container. In addition, an emptyDir volume resource is added to the pod spec to make the volumeMount available to the container. Many of the template files have been updated to ensure that the injected/patched pod spec output correctly reflects the changes required by these additions.

This change touches how the service account volume mount is handled in values.go. The SAMountPath struct is renamed to a more abstract VolumeMountPath and a field named SubPath has been added. The ProxyInit struct has a new field named XTMountPath which is of type VolumeMountPath, and instances of this field are instantiated in install.go and inject.go. uninject.go includes a check for the volume named InitXtablesLockVolumeMountName, as defined in labels.go.

Validation
These changes were validated by running bin/tests with kind on a laptop. All tests ran successfully. A second validation was done by manually installing linkerd from the binary generated from this branch and adding the --init-image-version and --init-image flags to make sure that the changes are compatible with the changes in the proxy init PR. During this test:
- emojivoto app was injected and confirmed that it works as expected
- linkerd dashboard works
- linkerd stat and linkerd tap work for the emojivoto app and linkerd control plane components
- proxy-init:v1.3.3 (the current release version)

Signed-off-by: Charles Pretzer charles@buoyant.io
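The rendered pod spec the thread converges on, as an added example written for this page rather than taken from the linkerd2 templates or the proxy-init image: the init container keeps readOnlyRootFilesystem: true and only the NET_ADMIN/NET_RAW capabilities, and the one writable path it gets is an emptyDir mounted on /run, with no subPath. The image names, the pod name and the app container are assumptions; the proxy-init arguments are omitted.

```yaml
# Added example, not code from the linkerd2 repository.
# Shows the init container with a read-only root filesystem and the
# per-pod emptyDir that lets iptables 1.8 create /run/xtables.lock.
apiVersion: v1
kind: Pod
metadata:
  name: xtables-lock-demo            # assumed name
spec:
  initContainers:
  - name: linkerd-init
    image: example.invalid/proxy-init:buster   # assumed image reference
    # proxy-init arguments omitted; they are not what this example is about
    securityContext:
      readOnlyRootFilesystem: true   # the setting that blocks creating the lock file
      allowPrivilegeEscalation: false
      runAsNonRoot: false
      runAsUser: 0
      capabilities:
        add: ["NET_ADMIN", "NET_RAW"]   # what iptables needs; nothing more is granted
    # Without the mount below, iptables 1.8 aborts at startup with an error of the
    # form "Fatal: can't open lock file /run/xtables.lock: Read-only file system".
    # The emptyDir is mounted on the directory, not via subPath: kubelet creates a
    # missing subPath as a directory, so a subPath of xtables.lock would leave a
    # directory where iptables expects to create a file.
    volumeMounts:
    - name: linkerd-proxy-init-xtables-lock
      mountPath: /run
  containers:
  - name: app
    image: example.invalid/app:latest          # assumed image reference
  volumes:
  # emptyDir is private to this pod and discarded with it; nothing touches the host,
  # and the rest of the init container's filesystem stays read-only.
  - name: linkerd-proxy-init-xtables-lock
    emptyDir: {}
```

Mounting on /run hides whatever the image shipped there, which is fine for an init container whose only job is to run iptables; if the app containers also needed /run they would simply not mount this volume, since the lock is only relevant to the process rewriting the pod's netfilter rules.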