diff --git a/UPGRADE.md b/UPGRADE.md
index e7e6e059894c..cb026bbce48a 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -13,6 +13,11 @@ does not have any particular instructions.
 We've removed the endpoint `POST /tokens` which has been moved by `POST /tokens/dataplane` (same request and response) some time ago. Make sure you are using a recent `kumactl` or that you use the right path if using the api directly to upgrade with no issues.
+### Kubernetes
+
+The sidecar container is always injected first (since [#5436](https://github.com/kumahq/kuma/pull/5436)). This should only impact you when modifying the sidecar container with a container-patch. If you do so, upgrade Kuma and then change your container patch to modify the right container.
+
+
 ## Upgrade to `2.0.x`
 ### Built-in gateway
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go
index 22638ba94ffe..41f97ca090e8 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go
@@ -109,7 +109,9 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error
 if err != nil {
 return err
 }
- pod.Spec.Containers = append(pod.Spec.Containers, patchedContainer)
+
+ // inject sidecar as first container
+ pod.Spec.Containers = append([]kube_core.Container{patchedContainer}, pod.Spec.Containers...)
 // annotations
 if pod.Annotations == nil {
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go
index f62e9bd4d830..0a1ffd45b0b9 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go
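Review bot: Prepending the sidecar at `pod.Spec.Containers[0]` also changes which container `kubectl logs` and `kubectl exec` select when `-c` is omitted, and nothing in the hunk compensates for that; InjectKuma continues past the hunk, and the annotation block that starts at the context line `if pod.Annotations == nil {` is the natural place to set `kubectl.kubernetes.io/default-container` to the first application container when the pod does not already carry it, e.g. `if _, ok := pod.Annotations["kubectl.kubernetes.io/default-container"]; !ok && len(pod.Spec.Containers) > 1 { pod.Annotations["kubectl.kubernetes.io/default-container"] = pod.Spec.Containers[1].Name }`. The new comment says what the line does but not why the position matters; `// Prepend so the proxy is spec.containers[0]; container patches that address containers by index now see the sidecar first (see UPGRADE.md).` records the intent and the compatibility consequence the commit already documents. If the motivation is the kubelet's sequential start order rather than patch indexing, that is inferred rather than visible here, so confirm before wording the comment that way.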
@@ -18,6 +18,7 @@ import (
 conf "github.com/kumahq/kuma/pkg/config/plugins/runtime/k8s"
 "github.com/kumahq/kuma/pkg/plugins/resources/k8s"
 "github.com/kumahq/kuma/pkg/plugins/resources/k8s/native/api/v1alpha1"
+ k8s_util "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/util"
 inject "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/webhooks/injector"
 "github.com/kumahq/kuma/pkg/test/matchers"
 )
@@ -117,6 +118,7 @@ spec:
 err = injector.InjectKuma(context.Background(), pod)
 // then
 Expect(err).ToNot(HaveOccurred())
+ Expect(pod.Spec.Containers[0].Name).To(BeEquivalentTo(k8s_util.KumaSidecarContainerName))
 By("loading golden Pod")
 // when
@@ -286,7 +288,7 @@ spec:
 kuma.io/sidecar-injection: enabled`,
 cfgFile: "inject.config.yaml",
 }),
- Entry("10. Pod with `kuma.io/sidecar-injection: disabled` annotation", testCase{
+ Entry("10. Namespace - `kuma.io/sidecar-injection: disabled`, Pod - `kuma.io/sidecar-injection: enabled`", testCase{
 num: "10",
 mesh: `
 apiVersion: kuma.io/v1alpha1
@@ -300,16 +302,16 @@ spec:
 metadata:
 name: default
 annotations:
- kuma.io/sidecar-injection: enabled`,
+ kuma.io/sidecar-injection: disabled`,
 cfgFile: "inject.config.yaml",
 }),
- Entry("11. Namespace - `kuma.io/sidecar-injection: disabled`, Pod - `kuma.io/sidecar-injection: enabled`", testCase{
+ Entry("11. Mesh name from Namespace", testCase{
 num: "11",
 mesh: `
 apiVersion: kuma.io/v1alpha1
 kind: Mesh
 metadata:
- name: default
+ name: mesh-name-from-ns
 spec: {}`,
 namespace: `
 apiVersion: v1
@@ -317,16 +319,17 @@ spec:
 metadata:
 name: default
 annotations:
- kuma.io/sidecar-injection: disabled`,
+ kuma.io/sidecar-injection: enabled
+ kuma.io/mesh: mesh-name-from-ns`,
 cfgFile: "inject.config.yaml",
 }),
- Entry("12. Mesh name from Namespace", testCase{
+ Entry("12. Override mesh name in Pod", testCase{
 num: "12",
 mesh: `
 apiVersion: kuma.io/v1alpha1
 kind: Mesh
 metadata:
- name: mesh-name-from-ns
+ name: mesh-name-from-pod
 spec: {}`,
 namespace: `
 apiVersion: v1
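Review bot: Moving case 10 into the new skip table renumbers every later `Entry` and its `inject.NN.*.yaml` fixtures, so this hunk (`@@ -286`) and the ones through `@@ -652` on L3–L8, plus the golden/input file changes that follow, are mostly renumbering churn in which the one real change per case (a `cfgFile`, a mesh name, a probe) is hard to spot. A stable key would keep the table and the golden files diffable: leave 10 unused, or name fixtures by a slug rather than `given.num`, e.g. `num: "mesh-from-ns"` with `inject.mesh-from-ns.input.yaml`. The case number now appears twice per entry, in the description string and in `num`, and nothing ties the two together, so they will drift again on the next reorder.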
@@ -338,13 +341,13 @@ spec: kuma.io/mesh: mesh-name-from-ns`, cfgFile: "inject.config.yaml", }), - Entry("13. Override mesh name in Pod", testCase{ + Entry("13. Adjust Pod's probes", testCase{ num: "13", mesh: ` apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: - name: mesh-name-from-pod + name: default spec: {}`, namespace: ` apiVersion: v1 @@ -352,11 +355,10 @@ spec: metadata: name: default annotations: - kuma.io/sidecar-injection: enabled - kuma.io/mesh: mesh-name-from-ns`, + kuma.io/sidecar-injection: enabled`, cfgFile: "inject.config.yaml", }), - Entry("14. Adjust Pod's probes", testCase{ + Entry("14. virtual probes: config - 9000, pod - 19000", testCase{ num: "14", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -373,7 +375,7 @@ spec: kuma.io/sidecar-injection: enabled`, cfgFile: "inject.config.yaml", }), - Entry("15. virtual probes: config - 9000, pod - 19000", testCase{ + Entry("15. virtual probes: config - enabled, pod - disabled", testCase{ num: "15", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -390,7 +392,7 @@ spec: kuma.io/sidecar-injection: enabled`, cfgFile: "inject.config.yaml", }), - Entry("16. virtual probes: config - enabled, pod - disabled", testCase{ + Entry("16. traffic.kuma.io/exclude-inbound-ports and traffic.kuma.io/exclude-outbound-ports", testCase{ num: "16", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -407,7 +409,7 @@ spec: kuma.io/sidecar-injection: enabled`, cfgFile: "inject.config.yaml", }), - Entry("17. traffic.kuma.io/exclude-inbound-ports and traffic.kuma.io/exclude-outbound-ports", testCase{ + Entry("17. traffic.kuma.io/exclude-inbound-ports and traffic.kuma.io/exclude-outbound-ports from config", testCase{ num: "17", mesh: ` apiVersion: kuma.io/v1alpha1 
@@ -422,9 +424,9 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.config.yaml", + cfgFile: "inject.config-ports.yaml", }), - Entry("18. traffic.kuma.io/exclude-inbound-ports and traffic.kuma.io/exclude-outbound-ports from config", testCase{ + Entry("18. traffic.kuma.io/exclude-inbound-ports and traffic.kuma.io/exclude-outbound-ports overrides config", testCase{ num: "18", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -441,7 +443,7 @@ spec: kuma.io/sidecar-injection: enabled`, cfgFile: "inject.config-ports.yaml", }), - Entry("19. traffic.kuma.io/exclude-inbound-ports and traffic.kuma.io/exclude-outbound-ports overrides config", testCase{ + Entry("19. virtual probes: config - disabled, pod - empty", testCase{ num: "19", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -456,9 +458,9 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.config-ports.yaml", + cfgFile: "inject.vp-disabled.config.yaml", }), - Entry("20. skip injection for label exception", testCase{ + Entry("20. virtual probes: config - disabled, pod - enabled", testCase{ num: "20", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -473,9 +475,9 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.config.yaml", + cfgFile: "inject.vp-disabled.config.yaml", }), - Entry("21. virtual probes: config - disabled, pod - empty", testCase{ + Entry("21. Adjust Pod's probes, named port", testCase{ num: "21", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -490,16 +492,15 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.vp-disabled.config.yaml", + cfgFile: "inject.config.yaml", }), - Entry("22. virtual probes: config - disabled, pod - enabled", testCase{ + Entry("22. sidecar env var config overrides", testCase{ num: "22", mesh: ` apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: - name: default - spec: {}`, + name: default`, namespace: ` apiVersion: v1 kind: Namespace 
@@ -507,16 +508,15 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.vp-disabled.config.yaml", + cfgFile: "inject.env-vars.config.yaml", }), - Entry("23. Adjust Pod's probes, named port", testCase{ + Entry("23. sidecar with builtinDNS", testCase{ num: "23", mesh: ` apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: - name: default - spec: {}`, + name: default`, namespace: ` apiVersion: v1 kind: Namespace @@ -524,9 +524,9 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.config.yaml", + cfgFile: "inject.builtindns.config.yaml", }), - Entry("24. sidecar env var config overrides", testCase{ + Entry("24. sidecar with high concurrency", testCase{ num: "24", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -540,9 +540,9 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.env-vars.config.yaml", + cfgFile: "inject.builtindns.config.yaml", }), - Entry("25. sidecar with builtinDNS", testCase{ + Entry("25. sidecar with high resource limit", testCase{ num: "25", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -556,9 +556,9 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.builtindns.config.yaml", + cfgFile: "inject.high-resources.config.yaml", }), - Entry("26. sidecar with high concurrency", testCase{ + Entry("26. sidecar with specified service account token volume", testCase{ num: "26", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -572,9 +572,9 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.builtindns.config.yaml", + cfgFile: "inject.config.yaml", }), - Entry("27. sidecar with high resource limit", testCase{ + Entry("27. sidecar with specified drain time", testCase{ num: "27", mesh: ` apiVersion: kuma.io/v1alpha1 
@@ -588,9 +588,9 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.high-resources.config.yaml", + cfgFile: "inject.config.yaml", }), - Entry("28. sidecar with specified service account token volume", testCase{ + Entry("28. sidecar with patch", testCase{ num: "28", mesh: ` apiVersion: kuma.io/v1alpha1 @@ -606,7 +606,7 @@ spec: kuma.io/sidecar-injection: enabled`, cfgFile: "inject.config.yaml", }), - Entry("29. sidecar with specified drain time", testCase{ + Entry("29. port override #4458", testCase{ num: "29", mesh: ` apiVersion: kuma.io/v1alpha1 
@@ -620,15 +620,72 @@ spec:
 name: default
 annotations:
 kuma.io/sidecar-injection: enabled`,
- cfgFile: "inject.config.yaml",
+ cfgFile: "inject.builtindns.config.yaml",
 }),
- Entry("30. sidecar with patch", testCase{
- num: "30",
+ )
+
+ DescribeTable("should not inject Kuma into a Pod",
+ func(given testCase) {
+ // setup
+ inputFile := filepath.Join("testdata", fmt.Sprintf("skip_inject.%s.input.yaml", given.num))
+ goldenFile := filepath.Join("testdata", fmt.Sprintf("skip_inject.%s.golden.yaml", given.num))
+
+ var cfg conf.Injector
+ Expect(config.Load(filepath.Join("testdata", given.cfgFile), &cfg)).To(Succeed())
+ cfg.CaCertFile = caCertPath
+ injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, k8s.NewSimpleConverter(), 9901, systemNamespace)
+ Expect(err).ToNot(HaveOccurred())
+
+ // and create mesh
+ decoder := serializer.NewCodecFactory(k8sClientScheme).UniversalDeserializer()
+ obj, _, errMesh := decoder.Decode([]byte(given.mesh), nil, nil)
+ Expect(errMesh).ToNot(HaveOccurred())
+ errCreate := k8sClient.Create(context.Background(), obj.(kube_client.Object))
+ Expect(errCreate).ToNot(HaveOccurred())
+ ns, _, errNs := decoder.Decode([]byte(given.namespace), nil, nil)
+ Expect(errNs).ToNot(HaveOccurred())
+ errUpd := k8sClient.Update(context.Background(), ns.(kube_client.Object))
+ Expect(errUpd).ToNot(HaveOccurred())
+
+ // given
+ pod := &kube_core.Pod{}
+
+ By("loading input Pod")
+ // when
+ input, err := os.ReadFile(inputFile)
+ // then
+ Expect(err).ToNot(HaveOccurred())
+ // when
+ err = yaml.Unmarshal(input, pod)
+ // then
+ Expect(err).ToNot(HaveOccurred())
+
+ By("injecting Kuma")
+ // when
+ err = injector.InjectKuma(context.Background(), pod)
+ // then
+ Expect(err).ToNot(HaveOccurred())
+ for _, container := range pod.Spec.Containers {
+ Expect(container.Name).To(Not(BeEquivalentTo(k8s_util.KumaSidecarContainerName)))
+ }
+
+ By("loading golden Pod")
+ // when
+ actual, err := yaml.Marshal(pod)
+ // then
Expect(err).ToNot(HaveOccurred()) + + By("comparing actual against golden") + Expect(actual).To(matchers.MatchGoldenYAML(goldenFile)) + }, + Entry("1. Pod with `kuma.io/sidecar-injection: disabled` annotation", testCase{ + num: "1", mesh: ` apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: - name: default`, + name: default + spec: {}`, namespace: ` apiVersion: v1 kind: Namespace @@ -638,13 +695,14 @@ spec: kuma.io/sidecar-injection: enabled`, cfgFile: "inject.config.yaml", }), - Entry("31. port override #4458", testCase{ - num: "31", + Entry("2. skip injection for label exception", testCase{ + num: "2", mesh: ` apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: - name: default`, + name: default + spec: {}`, namespace: ` apiVersion: v1 kind: Namespace @@ -652,7 +710,7 @@ spec: name: default annotations: kuma.io/sidecar-injection: enabled`, - cfgFile: "inject.builtindns.config.yaml", + cfgFile: "inject.config.yaml", }), ) diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml index e342777c45a2..c6bc10f95a80 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml @@ -19,13 +19,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info @@ -115,6 +108,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - args: - --redirect-outbound-port 
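Review bot: The skip table's only direct assertion walks `pod.Spec.Containers`, so a leaked `kuma-init` init container or a `kuma.io/sidecar-injected` annotation would be caught only by the golden comparison, whose diff does not say which part of injection ran; a few targeted checks after the loop make that failure self-explanatory, and the rewritten loop plus the two extra checks are below. The setup from `var cfg conf.Injector` down to `InjectKuma` appears to mirror the "should inject" table's body above this hunk (the enclosing Describe starts outside it), so a shared helper that loads the config, creates the mesh and namespace and returns the injected pod would leave each table with only its assertions. The `errMesh`/`errCreate`/`errNs`/`errUpd` names exist only to avoid shadowing `err`; reassigning `err` with `=` reads closer to the `// when` / `// then` steps later in the same function.
```go
for _, container := range pod.Spec.Containers {
	Expect(container.Name).ToNot(BeEquivalentTo(k8s_util.KumaSidecarContainerName))
}
for _, container := range pod.Spec.InitContainers {
	// "kuma-init" is the name the golden files show; use the exported constant if util has one
	Expect(container.Name).ToNot(BeEquivalentTo("kuma-init"))
}
Expect(pod.Annotations).ToNot(HaveKey("kuma.io/sidecar-injected"))
// … unchanged: golden comparison …
```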
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml index 876dd8801d8b..cbf4d0ecdafc 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml @@ -20,13 +20,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info @@ -116,6 +109,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - command: - sh diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml index bf0da65fdfd5..02030fef0212 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml 
@@ -27,65 +27,6 @@ metadata: uid: 844452a6-aec8-11e9-9753-0242ac110002 spec: containers: - - args: - - -conf - - /etc/coredns/Corefile - image: k8s.gcr.io/coredns:1.3.1 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /8080/health - port: 9000 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - name: coredns - ports: - - containerPort: 53 - name: dns - protocol: UDP - - containerPort: 53 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /8080/health - port: 9000 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - all - procMount: Default - readOnlyRootFilesystem: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /etc/coredns - name: config-volume - readOnly: true - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: coredns-token-9gmrh - readOnly: true - args: - run - --log-level=info 
@@ -175,6 +116,65 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: coredns-token-9gmrh readOnly: true + - args: + - -conf + - /etc/coredns/Corefile + image: k8s.gcr.io/coredns:1.3.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /8080/health + port: 9000 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: coredns + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /8080/health + port: 9000 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + procMount: Default + readOnlyRootFilesystem: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/coredns + name: config-volume + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: coredns-token-9gmrh + readOnly: true dnsPolicy: Default enableServiceLinks: true initContainers: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml index 1f6dac69d96a..4ed15b864c1f 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml @@ -19,13 +19,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info 
@@ -115,6 +108,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - args: - --redirect-outbound-port diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml index d365ba8b90cf..a4b71a5f11f0 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml @@ -20,9 +20,6 @@ metadata: spec: automountServiceAccountToken: false containers: - - image: busybox - name: busybox - resources: {} - args: - run - --log-level=info @@ -108,6 +105,9 @@ spec: securityContext: runAsGroup: 5678 runAsUser: 5678 + - image: busybox + name: busybox + resources: {} initContainers: - args: - --redirect-outbound-port diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml index 689f9930f195..0081dcdc6be5 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml @@ -20,13 +20,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info 
@@ -116,6 +109,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - args: - --redirect-outbound-port diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml index e342777c45a2..c6bc10f95a80 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml @@ -19,13 +19,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info @@ -115,6 +108,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - args: - --redirect-outbound-port diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml index ed5d6a28ba53..43bba5066a78 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml @@ -22,13 +22,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info 
@@ -118,6 +111,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - args: - --redirect-outbound-port diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml index 27d7a1ca6a88..d5f6aa4a3857 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml @@ -21,13 +21,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info @@ -117,6 +110,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - args: - --redirect-outbound-port diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml index fcf7145efa98..3044c15290dc 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml 
@@ -2,13 +2,113 @@ apiVersion: v1 kind: Pod metadata: annotations: - kuma.io/sidecar-injection: disabled + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-injection: enabled + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" creationTimestamp: null labels: run: busybox name: busybox spec: containers: + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + 
/kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_NAME + value: $(POD_NAME).$(POD_NAMESPACE) + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + memory: 1512Mi + requests: + cpu: 150m + memory: 164Mi + securityContext: + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true - image: busybox name: busybox resources: {} 
@@ -16,6 +116,44 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + - --skip-resolv-conf + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 volumes: - name: default-token-w7dxf secret: diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.input.yaml index aa56be2afc41..294fd977a412 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.input.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.input.yaml @@ -5,7 +5,7 @@ metadata: labels: run: busybox annotations: - kuma.io/sidecar-injection: disabled + kuma.io/sidecar-injection: enabled spec: volumes: - name: default-token-w7dxf diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml index 16180f38c42a..06288ce1c903 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml 
@@ -3,9 +3,8 @@ kind: Pod metadata: annotations: kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default + kuma.io/mesh: mesh-name-from-ns kuma.io/sidecar-injected: "true" - kuma.io/sidecar-injection: enabled kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled kuma.io/transparent-proxying-ebpf: disabled @@ -20,13 +19,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info @@ -74,7 +66,7 @@ spec: - name: KUMA_DATAPLANE_DRAIN_TIME value: 31s - name: KUMA_DATAPLANE_MESH - value: default + value: mesh-name-from-ns - name: KUMA_DATAPLANE_NAME value: $(POD_NAME).$(POD_NAMESPACE) - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH @@ -116,6 +108,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - args: - --redirect-outbound-port diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.input.yaml index 294fd977a412..906ca86c2ce9 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.input.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.input.yaml 
@@ -4,18 +4,16 @@ metadata: name: busybox labels: run: busybox - annotations: - kuma.io/sidecar-injection: enabled spec: volumes: - - name: default-token-w7dxf - secret: - secretName: default-token-w7dxf - containers: - - name: busybox - image: busybox - resources: {} - volumeMounts: - name: default-token-w7dxf - readOnly: true - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" + secret: + secretName: default-token-w7dxf + containers: + - name: busybox + image: busybox + resources: {} + volumeMounts: + - name: default-token-w7dxf + readOnly: true + mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml index aa9b8179d8d3..efeb24eb521e 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml @@ -3,7 +3,7 @@ kind: Pod metadata: annotations: kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: mesh-name-from-ns + kuma.io/mesh: mesh-name-from-pod kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -19,13 +19,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info @@ -73,7 +66,7 @@ spec: - name: KUMA_DATAPLANE_DRAIN_TIME value: 31s - name: KUMA_DATAPLANE_MESH - value: mesh-name-from-ns + value: mesh-name-from-pod - name: KUMA_DATAPLANE_NAME value: $(POD_NAME).$(POD_NAMESPACE) - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH 
@@ -115,6 +108,13 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ name: busybox
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
- args:
- --redirect-outbound-port
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.input.yaml
index 906ca86c2ce9..51fbc6b6cc65 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.input.yaml
@@ -4,6 +4,8 @@ metadata:
name: busybox
labels:
run: busybox
+ annotations:
+ kuma.io/mesh: mesh-name-from-pod
spec:
volumes:
- name: default-token-w7dxf
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
index 4f0d4d3d4594..42dee098ed59 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
@@ -3,7 +3,7 @@ kind: Pod
metadata:
annotations:
kuma.io/envoy-admin-port: "9901"
- kuma.io/mesh: mesh-name-from-pod
+ kuma.io/mesh: default
kuma.io/sidecar-injected: "true"
kuma.io/sidecar-uid: "5678"
kuma.io/transparent-proxying: enabled
@@ -19,13 +19,6 @@ metadata:
name: busybox
spec:
containers:
- - image: busybox
- name: busybox
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -73,7 +66,7 @@ spec:
- name: KUMA_DATAPLANE_DRAIN_TIME
value: 31s
- name: KUMA_DATAPLANE_MESH
- value: mesh-name-from-pod
+ value: default
- name: KUMA_DATAPLANE_NAME
value: $(POD_NAME).$(POD_NAMESPACE)
- name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
@@ -115,6 +108,25 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ livenessProbe:
+ httpGet:
+ path: /8080/metrics
+ port: 9000
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ name: busybox
+ readinessProbe:
+ httpGet:
+ path: /3001/metrics
+ port: 9000
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
- args:
- --redirect-outbound-port
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.input.yaml
index 51fbc6b6cc65..3199ce6f1e08 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.input.yaml
@@ -4,8 +4,6 @@ metadata:
name: busybox
labels:
run: busybox
- annotations:
- kuma.io/mesh: mesh-name-from-pod
spec:
volumes:
- name: default-token-w7dxf
@@ -15,6 +13,18 @@ spec:
- name: busybox
image: busybox
resources: {}
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: 3001
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 3
+ periodSeconds: 3
volumeMounts:
- name: default-token-w7dxf
readOnly: true
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
index f88e82df8a3a..165636d61009 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
@@ -12,32 +12,13 @@ metadata:
kuma.io/transparent-proxying-inbound-v6-port: "15010"
kuma.io/transparent-proxying-outbound-port: "15001"
kuma.io/virtual-probes: enabled
- kuma.io/virtual-probes-port: "9000"
+ kuma.io/virtual-probes-port: "19000"
creationTimestamp: null
labels:
run: busybox
name: busybox
spec:
containers:
- - image: busybox
- livenessProbe:
- httpGet:
- path: /8080/metrics
- port: 9000
- initialDelaySeconds: 3
- periodSeconds: 3
- name: busybox
- readinessProbe:
- httpGet:
- path: /3001/metrics
- port: 9000
- initialDelaySeconds: 3
- periodSeconds: 3
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -127,6 +108,25 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ livenessProbe:
+ httpGet:
+ path: /8080/metrics
+ port: 19000
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ name: busybox
+ readinessProbe:
+ httpGet:
+ path: /3001/metrics
+ port: 19000
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
- args:
- --redirect-outbound-port
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.input.yaml
index 3199ce6f1e08..b33fd7623ffd 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.input.yaml
@@ -4,6 +4,8 @@ metadata:
name: busybox
labels:
run: busybox
+ annotations:
+ kuma.io/virtual-probes-port: "19000"
spec:
volumes:
- name: default-token-w7dxf
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
index a3b714867f67..05942deb17f8 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
@@ -11,33 +11,14 @@ metadata:
kuma.io/transparent-proxying-inbound-port: "15006"
kuma.io/transparent-proxying-inbound-v6-port: "15010"
kuma.io/transparent-proxying-outbound-port: "15001"
- kuma.io/virtual-probes: enabled
- kuma.io/virtual-probes-port: "19000"
+ kuma.io/virtual-probes: disabled
+ kuma.io/virtual-probes-port: "9000"
creationTimestamp: null
labels:
run: busybox
name: busybox
spec:
containers:
- - image: busybox
- livenessProbe:
- httpGet:
- path: /8080/metrics
- port: 19000
- initialDelaySeconds: 3
- periodSeconds: 3
- name: busybox
- readinessProbe:
- httpGet:
- path: /3001/metrics
- port: 19000
- initialDelaySeconds: 3
- periodSeconds: 3
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -127,6 +108,25 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ name: busybox
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: 3001
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
- args:
- --redirect-outbound-port
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.input.yaml
index b33fd7623ffd..a920ece34f4a 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.input.yaml
@@ -5,7 +5,7 @@ metadata:
labels:
run: busybox
annotations:
- kuma.io/virtual-probes-port: "19000"
+ kuma.io/virtual-probes: "disabled"
spec:
volumes:
- name: default-token-w7dxf
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
index 0b6e18c14e57..1dc9dec095ed 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
@@ -11,33 +11,16 @@ metadata:
kuma.io/transparent-proxying-inbound-port: "15006"
kuma.io/transparent-proxying-inbound-v6-port: "15010"
kuma.io/transparent-proxying-outbound-port: "15001"
- kuma.io/virtual-probes: disabled
+ kuma.io/virtual-probes: enabled
kuma.io/virtual-probes-port: "9000"
+ traffic.kuma.io/exclude-inbound-ports: 1234,1235
+ traffic.kuma.io/exclude-outbound-ports: "1236"
creationTimestamp: null
labels:
run: busybox
name: busybox
spec:
containers:
- - image: busybox
- livenessProbe:
- httpGet:
- path: /metrics
- port: 8080
- initialDelaySeconds: 3
- periodSeconds: 3
- name: busybox
- readinessProbe:
- httpGet:
- path: /metrics
- port: 3001
- initialDelaySeconds: 3
- periodSeconds: 3
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -127,7 +110,21 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ name: busybox
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
+ - command:
+ - sh
+ - -c
+ - sleep 5
+ image: busybox
+ name: init
+ resources: {}
- args:
- --redirect-outbound-port
- "15001"
@@ -139,9 +136,9 @@ spec:
- --kuma-dp-uid
- "5678"
- --exclude-inbound-ports
- - ""
+ - 1234,1235
- --exclude-outbound-ports
- - ""
+ - "1236"
- --verbose
- --skip-resolv-conf
command:
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.input.yaml
index a920ece34f4a..1c3482f14982 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.input.yaml
@@ -5,29 +5,22 @@ metadata:
labels:
run: busybox
annotations:
- kuma.io/virtual-probes: "disabled"
+ traffic.kuma.io/exclude-inbound-ports: "1234,1235"
+ traffic.kuma.io/exclude-outbound-ports: "1236"
spec:
volumes:
- - name: default-token-w7dxf
- secret:
- secretName: default-token-w7dxf
+ - name: default-token-w7dxf
+ secret:
+ secretName: default-token-w7dxf
containers:
- - name: busybox
+ - name: busybox
+ image: busybox
+ resources: {}
+ volumeMounts:
+ - name: default-token-w7dxf
+ readOnly: true
+ mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+ initContainers:
+ - name: init
image: busybox
- resources: {}
- readinessProbe:
- httpGet:
- path: /metrics
- port: 3001
- initialDelaySeconds: 3
- periodSeconds: 3
- livenessProbe:
- httpGet:
- path: /metrics
- port: 8080
- initialDelaySeconds: 3
- periodSeconds: 3
- volumeMounts:
- - name: default-token-w7dxf
- readOnly: true
- mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+ command: ['sh', '-c', 'sleep 5']
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
index 33284aa90e1f..d95d3c7615bf 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
@@ -13,21 +13,14 @@ metadata:
kuma.io/transparent-proxying-outbound-port: "15001"
kuma.io/virtual-probes: enabled
kuma.io/virtual-probes-port: "9000"
- traffic.kuma.io/exclude-inbound-ports: 1234,1235
- traffic.kuma.io/exclude-outbound-ports: "1236"
+ traffic.kuma.io/exclude-inbound-ports: 1234,5678
+ traffic.kuma.io/exclude-outbound-ports: 4321,7654
creationTimestamp: null
labels:
run: busybox
name: busybox
spec:
containers:
- - image: busybox
- name: busybox
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -117,6 +110,13 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ name: busybox
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
- command:
- sh
@@ -136,9 +136,9 @@ spec:
- --kuma-dp-uid
- "5678"
- --exclude-inbound-ports
- - 1234,1235
+ - 1234,5678
- --exclude-outbound-ports
- - "1236"
+ - 4321,7654
- --verbose
- --skip-resolv-conf
command:
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.input.yaml
index 1c3482f14982..2a74b1a04896 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.input.yaml
@@ -4,9 +4,6 @@ metadata:
name: busybox
labels:
run: busybox
- annotations:
- traffic.kuma.io/exclude-inbound-ports: "1234,1235"
- traffic.kuma.io/exclude-outbound-ports: "1236"
spec:
volumes:
- name: default-token-w7dxf
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
index c0cf571698e3..376d0e086c69 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
@@ -13,21 +13,14 @@ metadata:
kuma.io/transparent-proxying-outbound-port: "15001"
kuma.io/virtual-probes: enabled
kuma.io/virtual-probes-port: "9000"
- traffic.kuma.io/exclude-inbound-ports: 1234,5678
- traffic.kuma.io/exclude-outbound-ports: 4321,7654
+ traffic.kuma.io/exclude-inbound-ports: ""
+ traffic.kuma.io/exclude-outbound-ports: ""
creationTimestamp: null
labels:
run: busybox
name: busybox
spec:
containers:
- - image: busybox
- name: busybox
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -117,6 +110,13 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ name: busybox
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
- command:
- sh
@@ -136,9 +136,9 @@ spec:
- --kuma-dp-uid
- "5678"
- --exclude-inbound-ports
- - 1234,5678
+ - ""
- --exclude-outbound-ports
- - 4321,7654
+ - ""
- --verbose
- --skip-resolv-conf
command:
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.input.yaml
index 2a74b1a04896..09c0d881eeeb 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.input.yaml
@@ -4,6 +4,9 @@ metadata:
name: busybox
labels:
run: busybox
+ annotations:
+ traffic.kuma.io/exclude-inbound-ports: ""
+ traffic.kuma.io/exclude-outbound-ports: ""
spec:
volumes:
- name: default-token-w7dxf
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
index fd4110e30c69..4884a0c888ae 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
@@ -11,23 +11,14 @@ metadata:
kuma.io/transparent-proxying-inbound-port: "15006"
kuma.io/transparent-proxying-inbound-v6-port: "15010"
kuma.io/transparent-proxying-outbound-port: "15001"
- kuma.io/virtual-probes: enabled
+ kuma.io/virtual-probes: disabled
kuma.io/virtual-probes-port: "9000"
- traffic.kuma.io/exclude-inbound-ports: ""
- traffic.kuma.io/exclude-outbound-ports: ""
creationTimestamp: null
labels:
run: busybox
name: busybox
spec:
containers:
- - image: busybox
- name: busybox
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -117,14 +108,32 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
- initContainers:
- - command:
- - sh
- - -c
- - sleep 5
- image: busybox
- name: init
+ - image: busybox
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ name: busybox
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: 3001
+ initialDelaySeconds: 3
+ periodSeconds: 3
resources: {}
+ startupProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
+ initContainers:
- args:
- --redirect-outbound-port
- "15001"
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.input.yaml
index 09c0d881eeeb..34e14395731d 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.input.yaml
@@ -4,23 +4,34 @@ metadata:
name: busybox
labels:
run: busybox
- annotations:
- traffic.kuma.io/exclude-inbound-ports: ""
- traffic.kuma.io/exclude-outbound-ports: ""
spec:
volumes:
- - name: default-token-w7dxf
- secret:
- secretName: default-token-w7dxf
- containers:
- - name: busybox
- image: busybox
- resources: {}
- volumeMounts:
- name: default-token-w7dxf
- readOnly: true
- mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
- initContainers:
- - name: init
+ secret:
+ secretName: default-token-w7dxf
+ containers:
+ - name: busybox
image: busybox
- command: ['sh', '-c', 'sleep 5']
+ resources: {}
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: 3001
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ startupProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ volumeMounts:
+ - name: default-token-w7dxf
+ readOnly: true
+ mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
index a32309f8ed3e..1e6ca925d756 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
@@ -1,20 +1,176 @@
apiVersion: v1
kind: Pod
metadata:
+ annotations:
+ kuma.io/envoy-admin-port: "9901"
+ kuma.io/mesh: default
+ kuma.io/sidecar-injected: "true"
+ kuma.io/sidecar-uid: "5678"
+ kuma.io/transparent-proxying: enabled
+ kuma.io/transparent-proxying-ebpf: disabled
+ kuma.io/transparent-proxying-inbound-port: "15006"
+ kuma.io/transparent-proxying-inbound-v6-port: "15010"
+ kuma.io/transparent-proxying-outbound-port: "15001"
+ kuma.io/virtual-probes: enabled
+ kuma.io/virtual-probes-port: "9000"
creationTimestamp: null
labels:
- openshift.io/deployer-pod-for.name: "1234"
run: busybox
name: busybox
spec:
containers:
+ - args:
+ - run
+ - --log-level=info
+ - --concurrency=2
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: KUMA_CONTROL_PLANE_CA_CERT
+ value: |
+ -----BEGIN CERTIFICATE-----
+ MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP
+ MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow
+ DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA
+ XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55
+ Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4
+ t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m
+ hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot
+ o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD
+ VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD
+ VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z
+ dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW
+ CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a
+ /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I
+
leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl
+ Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q
+ h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4
+ ypWGaanvPg==
+ -----END CERTIFICATE-----
+ - name: KUMA_CONTROL_PLANE_URL
+ value: http://kuma-control-plane.kuma-system:5681
+ - name: KUMA_DATAPLANE_DRAIN_TIME
+ value: 31s
+ - name: KUMA_DATAPLANE_MESH
+ value: default
+ - name: KUMA_DATAPLANE_NAME
+ value: $(POD_NAME).$(POD_NAMESPACE)
+ - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
+ value: /var/run/secrets/kubernetes.io/serviceaccount/token
+ - name: KUMA_DNS_ENABLED
+ value: "false"
+ image: kuma/kuma-sidecar:latest
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 212
+ httpGet:
+ path: /ready
+ port: 9901
+ initialDelaySeconds: 260
+ periodSeconds: 25
+ successThreshold: 1
+ timeoutSeconds: 23
+ name: kuma-sidecar
+ readinessProbe:
+ failureThreshold: 112
+ httpGet:
+ path: /ready
+ port: 9901
+ initialDelaySeconds: 11
+ periodSeconds: 15
+ successThreshold: 11
+ timeoutSeconds: 13
+ resources:
+ limits:
+ cpu: 1100m
+ memory: 1512Mi
+ requests:
+ cpu: 150m
+ memory: 164Mi
+ securityContext:
+ runAsGroup: 5678
+ runAsUser: 5678
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
- image: busybox
+ livenessProbe:
+ httpGet:
+ path: /8080/metrics
+ port: 9000
+ initialDelaySeconds: 3
+ periodSeconds: 3
name: busybox
+ readinessProbe:
+ httpGet:
+ path: /3001/metrics
+ port: 9000
+ initialDelaySeconds: 3
+ periodSeconds: 3
resources: {}
+ startupProbe:
+ httpGet:
+ path: /8081/metrics
+ port: 9000
+ initialDelaySeconds: 3
+ periodSeconds: 3
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ initContainers:
+ - args:
+ - --redirect-outbound-port
+ - "15001"
+ - --redirect-inbound=true
+ - --redirect-inbound-port
+ - "15006"
+ - --redirect-inbound-port-v6
+ - "15010"
+ - --kuma-dp-uid
+ - "5678"
+ - --exclude-inbound-ports
+ - ""
+ - --exclude-outbound-ports
+ - ""
+ - --verbose
+ - --skip-resolv-conf
+ command:
+ - /usr/bin/kumactl
+ - install
+ - transparent-proxy
+ image: kuma/kuma-init:latest
+ imagePullPolicy: IfNotPresent
+ name: kuma-init
+ resources:
+ limits:
+ cpu: 100m
+ memory: 50M
+ requests:
+ cpu: 20m
+ memory: 20M
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ runAsGroup: 0
+ runAsUser: 0
volumes:
- name: default-token-w7dxf
secret:
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.input.yaml
index 9d3177edd3aa..602fd5ceb357 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.input.yaml
@@ -4,17 +4,36 @@ metadata:
name: busybox
labels:
run: busybox
- openshift.io/deployer-pod-for.name: "1234"
+ annotations:
+ kuma.io/virtual-probes: enabled
spec:
volumes:
- - name: default-token-w7dxf
- secret:
- secretName: default-token-w7dxf
- containers:
- - name: busybox
- image: busybox
- resources: {}
- volumeMounts:
- name: default-token-w7dxf
- readOnly: true
- mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+ secret:
+ secretName: default-token-w7dxf
+ containers:
+ - name: busybox
+ image: busybox
+ resources: {}
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: 3001
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ startupProbe:
+ httpGet:
+ path: /metrics
+ port: 8081
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ volumeMounts:
+ - name: default-token-w7dxf
+ readOnly: true
+ mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
index c92c71459fc0..0dff37e53aa4 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
@@ -11,7 +11,7 @@ metadata:
kuma.io/transparent-proxying-inbound-port: "15006"
kuma.io/transparent-proxying-inbound-v6-port: "15010"
kuma.io/transparent-proxying-outbound-port: "15001"
- kuma.io/virtual-probes: disabled
+ kuma.io/virtual-probes: enabled
kuma.io/virtual-probes-port: "9000"
creationTimestamp: null
labels:
@@ -19,31 +19,6 @@ metadata:
name: busybox
spec:
containers:
- - image: busybox
- livenessProbe:
- httpGet:
- path: /metrics
- port: 8080
- initialDelaySeconds: 3
- periodSeconds: 3
- name: busybox
- readinessProbe:
- httpGet:
- path: /metrics
- port: 3001
- initialDelaySeconds: 3
- periodSeconds: 3
- resources: {}
- startupProbe:
- httpGet:
- path: /ready
- port: 8080
- initialDelaySeconds: 3
- periodSeconds: 3
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -133,6 +108,38 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ livenessProbe:
+ httpGet:
+ path: /8080/metrics
+ port: 9000
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ name: busybox
+ ports:
+ - containerPort: 3001
+ name: readiness-port
+ - containerPort: 8080
+ name: liveness-port
+ - containerPort: 8081
+ name: startup-port
+ readinessProbe:
+ httpGet:
+ path: /3001/metrics
+ port: 9000
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ resources: {}
+ startupProbe:
+ httpGet:
+ path: /8081/startup
+ port: 9000
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
- args:
- --redirect-outbound-port
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.input.yaml
index 34e14395731d..a60a3872285a 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.input.yaml
@@ -13,22 +13,29 @@ spec:
- name: busybox
image: busybox
resources: {}
+ ports:
+ - name: readiness-port
+ containerPort: 3001
+ - name: liveness-port
+ containerPort: 8080
+ - name: startup-port
+ containerPort: 8081
readinessProbe:
httpGet:
path: /metrics
- port: 3001
+ port: readiness-port
initialDelaySeconds: 3
periodSeconds: 3
livenessProbe:
httpGet:
path: /metrics
- port: 8080
+ port: liveness-port
initialDelaySeconds: 3
periodSeconds: 3
startupProbe:
httpGet:
- path: /ready
- port: 8080
+ path: /startup
+ port: startup-port
initialDelaySeconds: 3
periodSeconds: 3
volumeMounts:
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
index 11eb1d3abbb4..9bdf121ba0f0 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
@@ -2,8 +2,10 @@ apiVersion: v1
kind: Pod
metadata:
annotations:
+ docs: Documentation
kuma.io/envoy-admin-port: "9901"
kuma.io/mesh: default
+ kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123
kuma.io/sidecar-injected: "true"
kuma.io/sidecar-uid: "5678"
kuma.io/transparent-proxying: enabled
@@ -19,31 +21,6 @@ metadata:
name: busybox
spec:
containers:
- - image: busybox
- livenessProbe:
- httpGet:
- path: /8080/metrics
- port: 9000
- initialDelaySeconds: 3
- periodSeconds: 3
- name: busybox
- readinessProbe:
- httpGet:
- path: /3001/metrics
- port: 9000
- initialDelaySeconds: 3
- periodSeconds: 3
- resources: {}
- startupProbe:
- httpGet:
- path: /8081/metrics
- port: 9000
- initialDelaySeconds: 3
- periodSeconds: 3
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -89,15 +66,19 @@ spec:
- name: KUMA_CONTROL_PLANE_URL
value: http://kuma-control-plane.kuma-system:5681
- name: KUMA_DATAPLANE_DRAIN_TIME
- value: 31s
+ value: 5s
- name: KUMA_DATAPLANE_MESH
value: default
- name: KUMA_DATAPLANE_NAME
value: $(POD_NAME).$(POD_NAMESPACE)
- name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
- value: /var/run/secrets/kubernetes.io/serviceaccount/token
+ value: /some/other/path
- name: KUMA_DNS_ENABLED
value: "false"
+ - name: NEW_ENV_VAR
+ value: "123"
+ - name: TEST_ENV_VAR
+ value: test123
image: kuma/kuma-sidecar:latest
imagePullPolicy: IfNotPresent
livenessProbe:
@@ -133,7 +114,21 @@ spec:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-w7dxf
readOnly: true
+ - image: busybox
+ name: busybox
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
initContainers:
+ - command:
+ - sh
+ - -c
+ - sleep 5
+ image: busybox
+ name: init
+ resources: {}
- args:
- --redirect-outbound-port
- "15001"
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.input.yaml
index 602fd5ceb357..3ce8de36a654 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.input.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.input.yaml
@@ -5,35 +5,22 @@ metadata:
labels:
run: busybox
annotations:
- kuma.io/virtual-probes: enabled
+ docs: "Documentation"
+ kuma.io/sidecar-env-vars: "KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123" # drain time overrides the file, NEW_ENV_VAR is completely new var
spec:
volumes:
- - name: default-token-w7dxf
- secret:
- secretName: default-token-w7dxf
+ - name: default-token-w7dxf
+ secret:
+ secretName: default-token-w7dxf
containers:
- - name: busybox
+ - name: busybox
+ image: busybox
+ resources: {}
+ volumeMounts:
+ - name: default-token-w7dxf
+ readOnly: true
+ mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+ initContainers:
+ - name: init
image: busybox
- resources: {}
- readinessProbe:
- httpGet:
- path: /metrics
- port: 3001
- initialDelaySeconds: 3
- periodSeconds: 3
- livenessProbe:
- httpGet:
- path: /metrics
- port: 8080
- initialDelaySeconds: 3
- periodSeconds: 3
- startupProbe:
- httpGet:
- path: /metrics
- port: 8081
- initialDelaySeconds: 3
- periodSeconds: 3
- volumeMounts:
- - name: default-token-w7dxf
- readOnly: true
- mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+ command: ['sh', '-c', 'sleep 5']
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
index 3e37a456a684..ac11b7b56a11 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
@@ -2,8 +2,14 @@ apiVersion: v1
kind: Pod
metadata:
annotations:
+ docs: Documentation
+ kuma.io/builtin-dns: enabled
+ kuma.io/builtin-dns-port: "25053"
+ kuma.io/builtindns: enabled
+ kuma.io/builtindnsport: "25053"
kuma.io/envoy-admin-port: "9901"
kuma.io/mesh: default
+ kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123
kuma.io/sidecar-injected: "true"
kuma.io/sidecar-uid: "5678"
kuma.io/transparent-proxying: enabled
@@ -19,38 +25,6 @@ metadata:
name: busybox
spec:
containers:
- - image: busybox
- livenessProbe:
- httpGet:
- path: /8080/metrics
- port: 9000
- initialDelaySeconds: 3
- periodSeconds: 3
- name: busybox
- ports:
- - containerPort: 3001
- name: readiness-port
- - containerPort: 8080
- name: liveness-port
- - containerPort: 8081
- name: startup-port
- readinessProbe:
- httpGet:
- path: /3001/metrics
- port: 9000
- initialDelaySeconds: 3
- periodSeconds: 3
- resources: {}
- startupProbe:
- httpGet:
- path: /8081/startup
- port: 9000
- initialDelaySeconds: 3
- periodSeconds: 3
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: default-token-w7dxf
- readOnly: true
- args:
- run
- --log-level=info
@@ -96,15 +70,25 @@ spec: - name: KUMA_CONTROL_PLANE_URL value: http://kuma-control-plane.kuma-system:5681 - name: KUMA_DATAPLANE_DRAIN_TIME - value: 31s + value: 5s - name: KUMA_DATAPLANE_MESH value: default - name: KUMA_DATAPLANE_NAME value: $(POD_NAME).$(POD_NAMESPACE) - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_CORE_DNS_BINARY_PATH + value: coredns + - name: KUMA_DNS_CORE_DNS_EMPTY_PORT + value: "25054" + - name: KUMA_DNS_CORE_DNS_PORT + value: "25053" - name: KUMA_DNS_ENABLED - value: "false" + value: "true" + - name: KUMA_DNS_ENVOY_DNS_PORT + value: "25055" + - name: NEW_ENV_VAR + value: "123" image: kuma/kuma-sidecar:latest imagePullPolicy: IfNotPresent livenessProbe: @@ -140,7 +124,21 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} - args: - --redirect-outbound-port - "15001" @@ -157,6 +155,9 @@ spec: - "" - --verbose - --skip-resolv-conf + - --redirect-all-dns-traffic + - --redirect-dns-port + - "25053" command: - /usr/bin/kumactl - install diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.input.yaml index a60a3872285a..3ce8de36a654 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.input.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.input.yaml 
@@ -4,41 +4,23 @@ metadata: name: busybox labels: run: busybox + annotations: + docs: "Documentation" + kuma.io/sidecar-env-vars: "KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123" # drain time overrides the file, NEW_ENV_VAR is completely new var spec: volumes: - - name: default-token-w7dxf - secret: - secretName: default-token-w7dxf + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf containers: - - name: busybox + - name: busybox + image: busybox + resources: {} + volumeMounts: + - name: default-token-w7dxf + readOnly: true + mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" + initContainers: + - name: init image: busybox - resources: {} - ports: - - name: readiness-port - containerPort: 3001 - - name: liveness-port - containerPort: 8080 - - name: startup-port - containerPort: 8081 - readinessProbe: - httpGet: - path: /metrics - port: readiness-port - initialDelaySeconds: 3 - periodSeconds: 3 - livenessProbe: - httpGet: - path: /metrics - port: liveness-port - initialDelaySeconds: 3 - periodSeconds: 3 - startupProbe: - httpGet: - path: /startup - port: startup-port - initialDelaySeconds: 3 - periodSeconds: 3 - volumeMounts: - - name: default-token-w7dxf - readOnly: true - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" + command: ['sh', '-c', 'sleep 5'] diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml index cad85c447bbf..d8f597b40fdf 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml 
@@ -3,10 +3,15 @@ kind: Pod metadata: annotations: docs: Documentation + kuma.io/builtin-dns: enabled + kuma.io/builtin-dns-port: "25053" + kuma.io/builtindns: enabled + kuma.io/builtindnsport: "25053" kuma.io/envoy-admin-port: "9901" kuma.io/mesh: default kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 kuma.io/sidecar-injected: "true" + kuma.io/sidecar-proxy-concurrency: "99" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled kuma.io/transparent-proxying-ebpf: disabled @@ -21,17 +26,10 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info - - --concurrency=2 + - --concurrency=99 env: - name: POD_NAME valueFrom: @@ -79,13 +77,19 @@ spec: - name: KUMA_DATAPLANE_NAME value: $(POD_NAME).$(POD_NAMESPACE) - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH - value: /some/other/path + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_CORE_DNS_BINARY_PATH + value: coredns + - name: KUMA_DNS_CORE_DNS_EMPTY_PORT + value: "25054" + - name: KUMA_DNS_CORE_DNS_PORT + value: "25053" - name: KUMA_DNS_ENABLED - value: "false" + value: "true" + - name: KUMA_DNS_ENVOY_DNS_PORT + value: "25055" - name: NEW_ENV_VAR value: "123" - - name: TEST_ENV_VAR - value: test123 image: kuma/kuma-sidecar:latest imagePullPolicy: IfNotPresent livenessProbe: @@ -121,6 +125,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - command: - sh @@ -145,6 +156,9 @@ spec: - "" - --verbose - --skip-resolv-conf + - --redirect-all-dns-traffic + - --redirect-dns-port + - "25053" command: - /usr/bin/kumactl - install 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.input.yaml index 3ce8de36a654..2b637a8c9507 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.input.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.input.yaml @@ -7,6 +7,7 @@ metadata: annotations: docs: "Documentation" kuma.io/sidecar-env-vars: "KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123" # drain time overrides the file, NEW_ENV_VAR is completely new var + kuma.io/sidecar-proxy-concurrency: "99" spec: volumes: - name: default-token-w7dxf diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml index b5aeaf6cf00b..49a33923a66c 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml @@ -25,17 +25,10 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info - - --concurrency=2 + - --concurrency=8 env: - name: POD_NAME valueFrom: @@ -119,7 +112,7 @@ spec: timeoutSeconds: 13 resources: limits: - cpu: 1100m + cpu: 8500m memory: 1512Mi requests: cpu: 150m @@ -131,6 +124,13 @@ spec: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-w7dxf readOnly: true + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true initContainers: - command: - sh diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml index b509f2c858c6..81ff71c6b808 100644 
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml @@ -2,16 +2,10 @@ apiVersion: v1 kind: Pod metadata: annotations: - docs: Documentation - kuma.io/builtin-dns: enabled - kuma.io/builtin-dns-port: "25053" - kuma.io/builtindns: enabled - kuma.io/builtindnsport: "25053" kuma.io/envoy-admin-port: "9901" kuma.io/mesh: default - kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 + kuma.io/service-account-token-volume: token kuma.io/sidecar-injected: "true" - kuma.io/sidecar-proxy-concurrency: "99" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled kuma.io/transparent-proxying-ebpf: disabled @@ -25,18 +19,12 @@ metadata: run: busybox name: busybox spec: + automountServiceAccountToken: false containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info - - --concurrency=99 + - --concurrency=2 env: - name: POD_NAME valueFrom: @@ -78,25 +66,15 @@ spec: - name: KUMA_CONTROL_PLANE_URL value: http://kuma-control-plane.kuma-system:5681 - name: KUMA_DATAPLANE_DRAIN_TIME - value: 5s + value: 31s - name: KUMA_DATAPLANE_MESH value: default - name: KUMA_DATAPLANE_NAME value: $(POD_NAME).$(POD_NAMESPACE) - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: KUMA_DNS_CORE_DNS_BINARY_PATH - value: coredns - - name: KUMA_DNS_CORE_DNS_EMPTY_PORT - value: "25054" - - name: KUMA_DNS_CORE_DNS_PORT - value: "25053" - name: KUMA_DNS_ENABLED - value: "true" - - name: KUMA_DNS_ENVOY_DNS_PORT - value: "25055" - - name: NEW_ENV_VAR - value: "123" + value: "false" image: kuma/kuma-sidecar:latest imagePullPolicy: IfNotPresent livenessProbe: 
@@ -130,16 +108,12 @@ spec: runAsUser: 5678 volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf + name: token readOnly: true - initContainers: - - command: - - sh - - -c - - sleep 5 - image: busybox - name: init + - image: busybox + name: busybox resources: {} + initContainers: - args: - --redirect-outbound-port - "15001" @@ -156,9 +130,6 @@ spec: - "" - --verbose - --skip-resolv-conf - - --redirect-all-dns-traffic - - --redirect-dns-port - - "25053" command: - /usr/bin/kumactl - install @@ -181,7 +152,11 @@ spec: runAsGroup: 0 runAsUser: 0 volumes: - - name: default-token-w7dxf - secret: - secretName: default-token-w7dxf + - name: token + projected: + sources: + - serviceAccountToken: + audience: https://kubernetes.default.svc.cluster.local + expirationSeconds: 7200 + path: token status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.input.yaml index 2b637a8c9507..b62d184f3788 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.input.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.input.yaml 
@@ -5,23 +5,18 @@ metadata: labels: run: busybox annotations: - docs: "Documentation" - kuma.io/sidecar-env-vars: "KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123" # drain time overrides the file, NEW_ENV_VAR is completely new var - kuma.io/sidecar-proxy-concurrency: "99" + kuma.io/service-account-token-volume: token spec: + automountServiceAccountToken: false volumes: - - name: default-token-w7dxf - secret: - secretName: default-token-w7dxf + - name: token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 7200 + audience: "https://kubernetes.default.svc.cluster.local" containers: - name: busybox image: busybox resources: {} - volumeMounts: - - name: default-token-w7dxf - readOnly: true - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" - initContainers: - - name: init - image: busybox - command: ['sh', '-c', 'sleep 5'] diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml index f3246217464d..8f5d06cd2aa6 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml @@ -2,14 +2,9 @@ apiVersion: v1 kind: Pod metadata: annotations: - docs: Documentation - kuma.io/builtin-dns: enabled - kuma.io/builtin-dns-port: "25053" - kuma.io/builtindns: enabled - kuma.io/builtindnsport: "25053" kuma.io/envoy-admin-port: "9901" kuma.io/mesh: default - kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 + kuma.io/sidecar-drain-time: 10s kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled 
@@ -25,17 +20,10 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - args: - run - --log-level=info - - --concurrency=8 + - --concurrency=2 env: - name: POD_NAME valueFrom: @@ -77,25 +65,15 @@ spec: - name: KUMA_CONTROL_PLANE_URL value: http://kuma-control-plane.kuma-system:5681 - name: KUMA_DATAPLANE_DRAIN_TIME - value: 5s + value: 10s - name: KUMA_DATAPLANE_MESH value: default - name: KUMA_DATAPLANE_NAME value: $(POD_NAME).$(POD_NAMESPACE) - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: KUMA_DNS_CORE_DNS_BINARY_PATH - value: coredns - - name: KUMA_DNS_CORE_DNS_EMPTY_PORT - value: "25054" - - name: KUMA_DNS_CORE_DNS_PORT - value: "25053" - name: KUMA_DNS_ENABLED - value: "true" - - name: KUMA_DNS_ENVOY_DNS_PORT - value: "25055" - - name: NEW_ENV_VAR - value: "123" + value: "false" image: kuma/kuma-sidecar:latest imagePullPolicy: IfNotPresent livenessProbe: @@ -119,7 +97,7 @@ spec: timeoutSeconds: 13 resources: limits: - cpu: 8500m + cpu: 1100m memory: 1512Mi requests: cpu: 150m @@ -127,18 +105,10 @@ spec: securityContext: runAsGroup: 5678 runAsUser: 5678 - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-w7dxf - readOnly: true - initContainers: - - command: - - sh - - -c - - sleep 5 - image: busybox - name: init + - image: busybox + name: busybox resources: {} + initContainers: - args: - --redirect-outbound-port - "15001" @@ -155,9 +125,6 @@ spec: - "" - --verbose - --skip-resolv-conf - - --redirect-all-dns-traffic - - --redirect-dns-port - - "25053" command: - /usr/bin/kumactl - install @@ -179,8 +146,4 @@ spec: - NET_RAW runAsGroup: 0 runAsUser: 0 - volumes: - - name: default-token-w7dxf - secret: - secretName: default-token-w7dxf status: {} 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.input.yaml index 3ce8de36a654..1314de9a64e5 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.input.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.input.yaml @@ -5,22 +5,9 @@ metadata: labels: run: busybox annotations: - docs: "Documentation" - kuma.io/sidecar-env-vars: "KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123" # drain time overrides the file, NEW_ENV_VAR is completely new var + kuma.io/sidecar-drain-time: "10s" spec: - volumes: - - name: default-token-w7dxf - secret: - secretName: default-token-w7dxf containers: - name: busybox image: busybox resources: {} - volumeMounts: - - name: default-token-w7dxf - readOnly: true - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" - initContainers: - - name: init - image: busybox - command: ['sh', '-c', 'sleep 5'] diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml index 78f6857e7851..ae1f1da273ff 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml @@ -2,9 +2,11 @@ apiVersion: v1 kind: Pod metadata: annotations: + kuma.io/container-patches: container-patch-1 kuma.io/envoy-admin-port: "9901" + kuma.io/envoy-log-level: trace kuma.io/mesh: default - kuma.io/service-account-token-volume: token + kuma.io/sidecar-drain-time: 10s kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -19,11 +21,7 @@ metadata: run: busybox name: busybox spec: - automountServiceAccountToken: false containers: - - image: busybox - name: busybox - resources: {} - args: - run - --log-level=info 
@@ -69,11 +67,13 @@ spec: - name: KUMA_CONTROL_PLANE_URL value: http://kuma-control-plane.kuma-system:5681 - name: KUMA_DATAPLANE_DRAIN_TIME - value: 31s + value: 10s - name: KUMA_DATAPLANE_MESH value: default - name: KUMA_DATAPLANE_NAME value: $(POD_NAME).$(POD_NAMESPACE) + - name: KUMA_DATAPLANE_RUNTIME_ENVOY_LOG_LEVEL + value: trace - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: KUMA_DNS_ENABLED @@ -107,12 +107,16 @@ spec: cpu: 150m memory: 164Mi securityContext: + privileged: false runAsGroup: 5678 runAsUser: 5678 volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: token + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount/ + name: '{{ template "kong.serviceAccountTokenName" . }}' readOnly: true + - image: busybox + name: busybox + resources: {} initContainers: - args: - --redirect-outbound-port @@ -150,13 +154,4 @@ spec: - NET_ADMIN - NET_RAW runAsGroup: 0 - runAsUser: 0 - volumes: - - name: token - projected: - sources: - - serviceAccountToken: - audience: https://kubernetes.default.svc.cluster.local - expirationSeconds: 7200 - path: token status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.input.yaml index b62d184f3788..ccda35eb5a9d 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.input.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.input.yaml 
@@ -5,17 +5,10 @@ metadata: labels: run: busybox annotations: - kuma.io/service-account-token-volume: token + kuma.io/sidecar-drain-time: "10s" + kuma.io/envoy-log-level: "trace" + kuma.io/container-patches: container-patch-1 spec: - automountServiceAccountToken: false - volumes: - - name: token - projected: - sources: - - serviceAccountToken: - path: token - expirationSeconds: 7200 - audience: "https://kubernetes.default.svc.cluster.local" containers: - name: busybox image: busybox diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml index 23853025e07c..ca63ee957490 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml @@ -2,9 +2,12 @@ apiVersion: v1 kind: Pod metadata: annotations: + kuma.io/builtin-dns: enabled + kuma.io/builtin-dns-port: "25053" + kuma.io/builtindns: enabled + kuma.io/builtindnsport: "25053" kuma.io/envoy-admin-port: "9901" kuma.io/mesh: default - kuma.io/sidecar-drain-time: 10s kuma.io/sidecar-injected: "true" kuma.io/sidecar-uid: "5678" kuma.io/transparent-proxying: enabled @@ -20,9 +23,6 @@ metadata: name: busybox spec: containers: - - image: busybox - name: busybox - resources: {} - args: - run - --log-level=info 
@@ -68,15 +68,23 @@ spec: - name: KUMA_CONTROL_PLANE_URL value: http://kuma-control-plane.kuma-system:5681 - name: KUMA_DATAPLANE_DRAIN_TIME - value: 10s + value: 31s - name: KUMA_DATAPLANE_MESH value: default - name: KUMA_DATAPLANE_NAME value: $(POD_NAME).$(POD_NAMESPACE) - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_CORE_DNS_BINARY_PATH + value: coredns + - name: KUMA_DNS_CORE_DNS_EMPTY_PORT + value: "25054" + - name: KUMA_DNS_CORE_DNS_PORT + value: "25053" - name: KUMA_DNS_ENABLED - value: "false" + value: "true" + - name: KUMA_DNS_ENVOY_DNS_PORT + value: "25055" image: kuma/kuma-sidecar:latest imagePullPolicy: IfNotPresent livenessProbe: @@ -108,6 +116,9 @@ spec: securityContext: runAsGroup: 5678 runAsUser: 5678 + - image: busybox + name: busybox + resources: {} initContainers: - args: - --redirect-outbound-port @@ -125,6 +136,9 @@ spec: - "" - --verbose - --skip-resolv-conf + - --redirect-all-dns-traffic + - --redirect-dns-port + - "25053" command: - /usr/bin/kumactl - install diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.input.yaml index 1314de9a64e5..1bd31244f802 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.input.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.input.yaml @@ -5,7 +5,7 @@ metadata: labels: run: busybox annotations: - kuma.io/sidecar-drain-time: "10s" + kuma.io/builtin-dns-port: "25053" spec: containers: - name: busybox diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml deleted file mode 100644 index 1e2b100f8762..000000000000 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - kuma.io/container-patches: container-patch-1 - kuma.io/envoy-admin-port: "9901" - kuma.io/envoy-log-level: trace - kuma.io/mesh: default - kuma.io/sidecar-drain-time: 10s - kuma.io/sidecar-injected: "true" - kuma.io/sidecar-uid: "5678" - kuma.io/transparent-proxying: enabled - kuma.io/transparent-proxying-ebpf: disabled - kuma.io/transparent-proxying-inbound-port: "15006" - kuma.io/transparent-proxying-inbound-v6-port: "15010" - kuma.io/transparent-proxying-outbound-port: "15001" - kuma.io/virtual-probes: enabled - kuma.io/virtual-probes-port: "9000" - creationTimestamp: null - labels: - run: busybox - name: busybox -spec: - containers: - - image: busybox - name: busybox - resources: {} - - args: - - run - - --log-level=info - - --concurrency=2 - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: KUMA_CONTROL_PLANE_CA_CERT - value: | - -----BEGIN CERTIFICATE----- - MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP - MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow - DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB - AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA - XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 - Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 - t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m - hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot - o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD - VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD - VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z - dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW - 
CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a - /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I - leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl - Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q - h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 - ypWGaanvPg== - -----END CERTIFICATE----- - - name: KUMA_CONTROL_PLANE_URL - value: http://kuma-control-plane.kuma-system:5681 - - name: KUMA_DATAPLANE_DRAIN_TIME - value: 10s - - name: KUMA_DATAPLANE_MESH - value: default - - name: KUMA_DATAPLANE_NAME - value: $(POD_NAME).$(POD_NAMESPACE) - - name: KUMA_DATAPLANE_RUNTIME_ENVOY_LOG_LEVEL - value: trace - - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: KUMA_DNS_ENABLED - value: "false" - image: kuma/kuma-sidecar:latest - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 212 - httpGet: - path: /ready - port: 9901 - initialDelaySeconds: 260 - periodSeconds: 25 - successThreshold: 1 - timeoutSeconds: 23 - name: kuma-sidecar - readinessProbe: - failureThreshold: 112 - httpGet: - path: /ready - port: 9901 - initialDelaySeconds: 11 - periodSeconds: 15 - successThreshold: 11 - timeoutSeconds: 13 - resources: - limits: - cpu: 1100m - memory: 1512Mi - requests: - cpu: 150m - memory: 164Mi - securityContext: - privileged: false - runAsGroup: 5678 - runAsUser: 5678 - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount/ - name: '{{ template "kong.serviceAccountTokenName" . 
}}' - readOnly: true - initContainers: - - args: - - --redirect-outbound-port - - "15001" - - --redirect-inbound=true - - --redirect-inbound-port - - "15006" - - --redirect-inbound-port-v6 - - "15010" - - --kuma-dp-uid - - "5678" - - --exclude-inbound-ports - - "" - - --exclude-outbound-ports - - "" - - --verbose - - --skip-resolv-conf - command: - - /usr/bin/kumactl - - install - - transparent-proxy - image: kuma/kuma-init:latest - imagePullPolicy: IfNotPresent - name: kuma-init - resources: - limits: - cpu: 100m - memory: 50M - requests: - cpu: 20m - memory: 20M - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - runAsGroup: 0 -status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.input.yaml deleted file mode 100644 index ccda35eb5a9d..000000000000 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.input.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: busybox - labels: - run: busybox - annotations: - kuma.io/sidecar-drain-time: "10s" - kuma.io/envoy-log-level: "trace" - kuma.io/container-patches: container-patch-1 -spec: - containers: - - name: busybox - image: busybox - resources: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml deleted file mode 100644 index 221673d23d73..000000000000 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml +++ /dev/null 
@@ -1,163 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - kuma.io/builtin-dns: enabled - kuma.io/builtin-dns-port: "25053" - kuma.io/builtindns: enabled - kuma.io/builtindnsport: "25053" - kuma.io/envoy-admin-port: "9901" - kuma.io/mesh: default - kuma.io/sidecar-injected: "true" - kuma.io/sidecar-uid: "5678" - kuma.io/transparent-proxying: enabled - kuma.io/transparent-proxying-ebpf: disabled - kuma.io/transparent-proxying-inbound-port: "15006" - kuma.io/transparent-proxying-inbound-v6-port: "15010" - kuma.io/transparent-proxying-outbound-port: "15001" - kuma.io/virtual-probes: enabled - kuma.io/virtual-probes-port: "9000" - creationTimestamp: null - labels: - run: busybox - name: busybox -spec: - containers: - - image: busybox - name: busybox - resources: {} - - args: - - run - - --log-level=info - - --concurrency=2 - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: KUMA_CONTROL_PLANE_CA_CERT - value: | - -----BEGIN CERTIFICATE----- - MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP - MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow - DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB - AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA - XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 - Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 - t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m - hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot - o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD - VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD - VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z - 
dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW - CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a - /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I - leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl - Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q - h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 - ypWGaanvPg== - -----END CERTIFICATE----- - - name: KUMA_CONTROL_PLANE_URL - value: http://kuma-control-plane.kuma-system:5681 - - name: KUMA_DATAPLANE_DRAIN_TIME - value: 31s - - name: KUMA_DATAPLANE_MESH - value: default - - name: KUMA_DATAPLANE_NAME - value: $(POD_NAME).$(POD_NAMESPACE) - - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: KUMA_DNS_CORE_DNS_BINARY_PATH - value: coredns - - name: KUMA_DNS_CORE_DNS_EMPTY_PORT - value: "25054" - - name: KUMA_DNS_CORE_DNS_PORT - value: "25053" - - name: KUMA_DNS_ENABLED - value: "true" - - name: KUMA_DNS_ENVOY_DNS_PORT - value: "25055" - image: kuma/kuma-sidecar:latest - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 212 - httpGet: - path: /ready - port: 9901 - initialDelaySeconds: 260 - periodSeconds: 25 - successThreshold: 1 - timeoutSeconds: 23 - name: kuma-sidecar - readinessProbe: - failureThreshold: 112 - httpGet: - path: /ready - port: 9901 - initialDelaySeconds: 11 - periodSeconds: 15 - successThreshold: 11 - timeoutSeconds: 13 - resources: - limits: - cpu: 1100m - memory: 1512Mi - requests: - cpu: 150m - memory: 164Mi - securityContext: - runAsGroup: 5678 - runAsUser: 5678 - initContainers: - - args: - - --redirect-outbound-port - - "15001" - - --redirect-inbound=true - - --redirect-inbound-port - - "15006" - - --redirect-inbound-port-v6 - - "15010" - - --kuma-dp-uid - - "5678" - - --exclude-inbound-ports - - "" - - --exclude-outbound-ports - - "" - - --verbose - - --skip-resolv-conf - - --redirect-all-dns-traffic - - 
--redirect-dns-port - - "25053" - command: - - /usr/bin/kumactl - - install - - transparent-proxy - image: kuma/kuma-init:latest - imagePullPolicy: IfNotPresent - name: kuma-init - resources: - limits: - cpu: 100m - memory: 50M - requests: - cpu: 20m - memory: 20M - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - runAsGroup: 0 - runAsUser: 0 -status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.input.yaml deleted file mode 100644 index 1bd31244f802..000000000000 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.input.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: busybox - labels: - run: busybox - annotations: - kuma.io/builtin-dns-port: "25053" -spec: - containers: - - name: busybox - image: busybox - resources: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.1.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.1.golden.yaml new file mode 100644 index 000000000000..fcf7145efa98 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.1.golden.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kuma.io/sidecar-injection: disabled + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.1.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.1.input.yaml new file mode 100644 index 000000000000..aa56be2afc41 --- /dev/null 
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.1.input.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+ labels:
+ run: busybox
+ annotations:
+ kuma.io/sidecar-injection: disabled
+spec:
+ volumes:
+ - name: default-token-w7dxf
+ secret:
+ secretName: default-token-w7dxf
+ containers:
+ - name: busybox
+ image: busybox
+ resources: {}
+ volumeMounts:
+ - name: default-token-w7dxf
+ readOnly: true
+ mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.2.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.2.golden.yaml
new file mode 100644
index 000000000000..a32309f8ed3e
--- /dev/null
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.2.golden.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: null
+ labels:
+ openshift.io/deployer-pod-for.name: "1234"
+ run: busybox
+ name: busybox
+spec:
+ containers:
+ - image: busybox
+ name: busybox
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: default-token-w7dxf
+ readOnly: true
+ volumes:
+ - name: default-token-w7dxf
+ secret:
+ secretName: default-token-w7dxf
+status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.2.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.2.input.yaml
new file mode 100644
index 000000000000..9d3177edd3aa
--- /dev/null
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/skip_inject.2.input.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+ labels:
+ run: busybox
+ openshift.io/deployer-pod-for.name: "1234"
+spec:
+ volumes:
+ - name: default-token-w7dxf
+ secret:
+ secretName: default-token-w7dxf
+ containers:
+ - name: busybox
+ image: busybox
+ resources: {}
+ volumeMounts:
+ - name: default-token-w7dxf
+ readOnly: true
+ mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
diff --git a/test/e2e_env/kubernetes/container_patch/container_patch.go b/test/e2e_env/kubernetes/container_patch/container_patch.go
index d167a261d943..ba9f7f80ce96 100644
--- a/test/e2e_env/kubernetes/container_patch/container_patch.go
+++ b/test/e2e_env/kubernetes/container_patch/container_patch.go
@@ -7,6 +7,7 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
+ k8s_util "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/util"
 "github.com/kumahq/kuma/test/e2e_env/kubernetes/env"
 . "github.com/kumahq/kuma/test/framework"
 "github.com/kumahq/kuma/test/framework/deployments/testserver"
@@ -79,10 +80,12 @@ spec:
 // then
 Expect(len(pod.Spec.InitContainers)).To(Equal(1))
 Expect(len(pod.Spec.Containers)).To(Equal(2))
+ // and kuma-sidecar is the first container
+ Expect(pod.Spec.Containers[0].Name).To(BeEquivalentTo(k8s_util.KumaSidecarContainerName))
 // should have default value *int64 = 0
 Expect(pod.Spec.InitContainers[0].SecurityContext.RunAsUser).To(Equal(new(int64)))
 // kuma-sidecar container have Nil value
- Expect(pod.Spec.Containers[1].SecurityContext.Privileged).To(BeNil())
+ Expect(pod.Spec.Containers[0].SecurityContext.Privileged).To(BeNil())
 // when
 // pod with patch
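Review bot: The replaced assertion `Expect(pod.Spec.Containers[0].SecurityContext.Privileged).To(BeNil())` dereferences `SecurityContext` directly, so if the injected sidecar ever arrives without a SecurityContext the spec dies with a nil-pointer panic instead of a Gomega failure that names the container; the name check added two lines earlier does not guard against that, and the same pattern appears in the `@@ -96,10 +99,12 @@` hunk of this file. Adding `Expect(pod.Spec.Containers[0].SecurityContext).ToNot(BeNil())` before each `Privileged` assertion keeps the failure readable, which matters here because this is the check that the sidecar is not privileged by default. Whether the webhook always sets a SecurityContext on the sidecar is not visible in this hunk, so the guard may be defensive rather than fixing a current failure. The enclosing It block begins and ends outside the hunk.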
@@ -96,10 +99,12 @@ spec:
 *pointerTrue = true
 Expect(len(pod.Spec.InitContainers)).To(Equal(1))
 Expect(len(pod.Spec.Containers)).To(Equal(2))
+ // and kuma-sidecar is the first container
+ Expect(pod.Spec.Containers[0].Name).To(BeEquivalentTo(k8s_util.KumaSidecarContainerName))
 // should doesn't have defined RunAsUser
 Expect(pod.Spec.InitContainers[0].SecurityContext.RunAsUser).To(BeNil())
 // kuma-sidecar container should have value *true
- Expect(pod.Spec.Containers[1].SecurityContext.Privileged).To(Equal(pointerTrue))
+ Expect(pod.Spec.Containers[0].SecurityContext.Privileged).To(Equal(pointerTrue))
 })
 It("should reject ContainerPatch in non-system namespace", func() {
