kube-proxy: Optionally do privileged configs only

A new --init-only flag is added that makes kube-proxy perform
the configuration that requires privileged mode and then exit. It is
intended to be executed in a privileged initContainer, while
the main container may run with a stricter securityContext.
Lars Ekman
2023-09-25 12:03:45 +02:00
parent 6d7d249372
commit 4b59d2b05c
6 changed files with 43 additions and 10 deletions


@@ -340,6 +340,7 @@ func NewProxier(ipFamily v1.IPFamily,
scheduler string,
nodePortAddressStrings []string,
kernelHandler KernelHandler,
initOnly bool,
) (*Proxier, error) {
// Set the conntrack sysctl we need for
if err := proxyutil.EnsureSysctl(sysctl, sysctlVSConnTrack, 1); err != nil {
@@ -402,6 +403,11 @@ func NewProxier(ipFamily v1.IPFamily,
}
}
if initOnly {
klog.InfoS("System initialized and --init-only specified")
return nil, nil
}
// Generate the masquerade mark to use for SNAT rules.
masqueradeValue := 1 << uint(masqueradeBit)
masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
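Review bot: The `return nil, nil` added in the `if initOnly` branch hands callers a nil `*Proxier` with no error, which is easy to misuse: `NewDualStackProxier` guards it with its own `initOnly` check in the later hunk, but a single-stack caller that assigns the result straight into a `proxy.Provider` interface would hold a non-nil interface wrapping a nil pointer, so a `proxier == nil` check would not fire and the first method call would panic (that caller is outside this diff, so this is inferred). The `initOnly` parameter introduced in the first hunk should document the contract, e.g. `// initOnly: only run the privileged setup done above and return (nil, nil); no Proxier is constructed and the returned pointer must not be used.` It would also help to state in that comment that everything after this early return (masquerade mark, and whatever else NewProxier sets up) still runs in the non-privileged main container, so readers can see exactly which steps the initContainer covers; NewProxier's body continues outside the hunk.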
@@ -490,6 +496,7 @@ func NewDualStackProxier(
scheduler string,
nodePortAddresses []string,
kernelHandler KernelHandler,
initOnly bool,
) (proxy.Provider, error) {
safeIpset := newSafeIpset(ipset)
@@ -499,7 +506,7 @@ func NewDualStackProxier(
exec, syncPeriod, minSyncPeriod, filterCIDRs(false, excludeCIDRs), strictARP,
tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
localDetectors[0], hostname, nodeIPs[v1.IPv4Protocol],
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler)
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler, initOnly)
if err != nil {
return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
}
@@ -508,10 +515,13 @@ func NewDualStackProxier(
exec, syncPeriod, minSyncPeriod, filterCIDRs(true, excludeCIDRs), strictARP,
tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
localDetectors[1], hostname, nodeIPs[v1.IPv6Protocol],
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler)
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler, initOnly)
if err != nil {
return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
}
if initOnly {
return nil, nil
}
// Return a meta-proxier that dispatch calls between the two
// single-stack proxier instances