From f5bb4d92daa3d0276e37230ad1c5ea68982fdb08 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Mon, 19 Feb 2024 16:15:57 +0100 Subject: [PATCH 1/9] feat(k8s): sidecar containers Signed-off-by: Mike Beaumont --- app/cni/pkg/cni/main.go | 2 +- .../k8s/controllers/inbound_converter.go | 8 ++--- .../k8s/controllers/pod_status_controller.go | 1 + pkg/plugins/runtime/k8s/plugin.go | 26 ++++++++++++-- pkg/plugins/runtime/k8s/util/util.go | 5 +-- .../runtime/k8s/webhooks/injector/injector.go | 35 ++++++++++++------- .../k8s/webhooks/injector/injector_test.go | 15 ++++---- .../runtime/k8s/webhooks/injector/precheck.go | 3 +- 8 files changed, 64 insertions(+), 31 deletions(-) diff --git a/app/cni/pkg/cni/main.go b/app/cni/pkg/cni/main.go index 86aa3e0252ce..ece02e88b17c 100644 --- a/app/cni/pkg/cni/main.go +++ b/app/cni/pkg/cni/main.go @@ -170,7 +170,7 @@ func cmdAdd(args *skel.CmdArgs) error { return prepareResult(conf, logger) } - if containerCount < 2 { + if _, sidecarInInitContainers := initContainersMap[util.KumaSidecarContainerName]; containerCount < 2 && !sidecarInInitContainers { logger.Info("pod excluded - not enough containers in pod. Kuma-sidecar container required") return prepareResult(conf, logger) } diff --git a/pkg/plugins/runtime/k8s/controllers/inbound_converter.go b/pkg/plugins/runtime/k8s/controllers/inbound_converter.go index eeeb7d550993..e1140643353b 100644 --- a/pkg/plugins/runtime/k8s/controllers/inbound_converter.go +++ b/pkg/plugins/runtime/k8s/controllers/inbound_converter.go 
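Review bot: The gate `if _, sidecarInInitContainers := initContainersMap[util.KumaSidecarContainerName]; containerCount < 2 && !sidecarInInitContainers {` now admits a pod solely because an init container carries the kuma-sidecar name, while the old two-container rule is bypassed for it entirely. If `initContainersMap` holds the container spec (it is built outside this hunk, so I cannot tell), additionally requiring `RestartPolicy` to be `ContainerRestartPolicyAlways` would keep a plain one-shot init container with that name from being treated as a live proxy. Hoisting the lookup onto its own line, `_, sidecarInInitContainers := initContainersMap[util.KumaSidecarContainerName]`, before the `if` would also make the condition readable and let the log message be made specific. The rest of cmdAdd lies outside the hunk.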
@@ -46,14 +46,14 @@ func inboundForService(zone string, pod *kube_core.Pod, service *kube_core.Servi // to figure out which container implements which service. Since we know container we can check its status // and map it to the Dataplane health if container != nil { - if cs := util_k8s.FindContainerStatus(pod, container.Name); cs != nil && !cs.Ready { + if cs := util_k8s.FindContainerStatus(container.Name, pod.Status.ContainerStatuses); cs != nil && !cs.Ready { state = mesh_proto.Dataplane_Networking_Inbound_NotReady health.Ready = false } } // also we're checking whether kuma-sidecar container is ready - if cs := util_k8s.FindContainerStatus(pod, util_k8s.KumaSidecarContainerName); cs != nil && !cs.Ready { + if cs := util_k8s.FindContainerStatus(util_k8s.KumaSidecarContainerName, pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses); cs != nil && !cs.Ready { state = mesh_proto.Dataplane_Networking_Inbound_NotReady health.Ready = false } @@ -98,7 +98,7 @@ func inboundForServiceless(zone string, pod *kube_core.Pod, name string) *mesh_p for _, container := range pod.Spec.Containers { if container.Name != util_k8s.KumaSidecarContainerName { - if cs := util_k8s.FindContainerStatus(pod, container.Name); cs != nil && !cs.Ready { + if cs := util_k8s.FindContainerStatus(container.Name, pod.Status.ContainerStatuses); cs != nil && !cs.Ready { state = mesh_proto.Dataplane_Networking_Inbound_NotReady health.Ready = false } @@ -106,7 +106,7 @@ func inboundForServiceless(zone string, pod *kube_core.Pod, name string) *mesh_p } // also we're checking whether kuma-sidecar container is ready - if cs := util_k8s.FindContainerStatus(pod, util_k8s.KumaSidecarContainerName); cs != nil && !cs.Ready { + if cs := util_k8s.FindContainerStatus(util_k8s.KumaSidecarContainerName, pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses); cs != nil && !cs.Ready { state = mesh_proto.Dataplane_Networking_Inbound_NotReady health.Ready = false } 
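Review bot: The sidecar readiness lookup `util_k8s.FindContainerStatus(util_k8s.KumaSidecarContainerName, pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses)` is now spelled out identically in inboundForService and inboundForServiceless, so any future change to where the sidecar lives has to be made in both places. A small helper in util_k8s, say `func SidecarStatus(pod *kube_core.Pod) *kube_core.ContainerStatus`, that encapsulates which status lists are searched would keep the two call sites in step. The comment above both calls, `// also we're checking whether kuma-sidecar container is ready`, could then mention that the sidecar may be a restartable init container. Both enclosing functions extend beyond the hunks shown.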
diff --git a/pkg/plugins/runtime/k8s/controllers/pod_status_controller.go b/pkg/plugins/runtime/k8s/controllers/pod_status_controller.go index aa67d9390f6c..983dcc103573 100644 --- a/pkg/plugins/runtime/k8s/controllers/pod_status_controller.go +++ b/pkg/plugins/runtime/k8s/controllers/pod_status_controller.go @@ -24,6 +24,7 @@ import ( ) // PodStatusReconciler tracks pods status changes and signals kuma-dp when it has to complete +// but only when Kuma isn't using the SidecarContainer feature type PodStatusReconciler struct { kube_client.Client kube_record.EventRecorder diff --git a/pkg/plugins/runtime/k8s/plugin.go b/pkg/plugins/runtime/k8s/plugin.go index 48980dcad2dc..d8290b1c4bd4 100644 --- a/pkg/plugins/runtime/k8s/plugin.go +++ b/pkg/plugins/runtime/k8s/plugin.go @@ -3,7 +3,9 @@ package k8s import ( "fmt" + "github.com/Masterminds/semver/v3" "github.com/pkg/errors" + "k8s.io/client-go/discovery" kube_ctrl "sigs.k8s.io/controller-runtime" kube_webhook "sigs.k8s.io/controller-runtime/pkg/webhook" kube_admission "sigs.k8s.io/controller-runtime/pkg/webhook/admission" @@ -29,9 +31,11 @@ import ( "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/webhooks/injector" ) -var log = core.Log.WithName("plugin").WithName("runtime").WithName("k8s") - -var _ core_plugins.RuntimePlugin = &plugin{} +var ( + log = core.Log.WithName("plugin").WithName("runtime").WithName("k8s") + sidecarContainerVersion = semver.New(1, 29, 0, "", "") + _ core_plugins.RuntimePlugin = &plugin{} +) type plugin struct{} 
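Review bot: The added line `// but only when Kuma isn't using the SidecarContainer feature` documents a restriction that nothing in this hunk enforces; as far as this patch shows the reconciler is still registered and runs regardless of the flag. If the gating happens elsewhere, name the place; otherwise the comment reads as a promise the code does not keep. Suggested wording: `// PodStatusReconciler tracks pod status changes and signals kuma-dp when it has to complete. It is only needed when the sidecar is injected as a regular container; with the sidecar-containers feature the kubelet terminates the restartable init container itself.` The struct definition continues outside the hunk.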
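Review bot: `sidecarContainerVersion = semver.New(1, 29, 0, "", "")` has no comment explaining the threshold, so a reader cannot tell whether 1.29 is where restartable init containers first appeared or where they became on by default. Add `// sidecarContainerVersion is the first Kubernetes release where the SidecarContainers feature gate is enabled by default. This is a server-version check only; it does not detect a cluster that has disabled the gate.` so the limitation is explicit where the constant is defined. Grouping `_ core_plugins.RuntimePlugin = &plugin{}` into the same `var (...)` block is fine.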
@@ -302,10 +306,26 @@ func addValidators(mgr kube_ctrl.Manager, rt core_runtime.Runtime, converter k8s func addMutators(mgr kube_ctrl.Manager, rt core_runtime.Runtime, converter k8s_common.Converter) error { if rt.Config().Mode != config_core.Global { address := fmt.Sprintf("https://%s.%s:%d", rt.Config().Runtime.Kubernetes.ControlPlaneServiceName, rt.Config().Store.Kubernetes.SystemNamespace, rt.Config().DpServer.Port) + kubeConfig := mgr.GetConfig() + discClient, err := discovery.NewDiscoveryClientForConfig(kubeConfig) + if err != nil { + return err + } + k8sVersion, err := discClient.ServerVersion() + if err != nil { + return err + } + var sidecarContainersEnabled bool + if v, err := semver.NewVersion( + fmt.Sprintf("%s.%s.0", k8sVersion.Major, k8sVersion.Minor), + ); err == nil && !v.LessThan(sidecarContainerVersion) { + sidecarContainersEnabled = true + } kumaInjector, err := injector.New( rt.Config().Runtime.Kubernetes.Injector, address, mgr.GetClient(), + sidecarContainersEnabled, converter, rt.Config().GetEnvoyAdminPort(), rt.Config().Store.Kubernetes.SystemNamespace, diff --git a/pkg/plugins/runtime/k8s/util/util.go b/pkg/plugins/runtime/k8s/util/util.go index bba9b0e44d7a..dc76f1be247f 100644 --- a/pkg/plugins/runtime/k8s/util/util.go +++ b/pkg/plugins/runtime/k8s/util/util.go @@ -2,6 +2,7 @@ package util import ( "fmt" + "slices" "sort" "github.com/go-logr/logr" @@ -122,8 +123,8 @@ func FindPort(pod *kube_core.Pod, svcPort *kube_core.ServicePort) (int, *kube_co return 0, nil, fmt.Errorf("no suitable port for manifest: %s", pod.UID) } -func FindContainerStatus(pod *kube_core.Pod, containerName string) *kube_core.ContainerStatus { - for _, cs := range pod.Status.ContainerStatuses { +func FindContainerStatus(containerName string, status []kube_core.ContainerStatus, otherStatuses ...[]kube_core.ContainerStatus) *kube_core.ContainerStatus { + for _, cs := range append(status, slices.Concat(otherStatuses...)...) { if cs.Name == containerName { return &cs } 
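Review bot: `semver.NewVersion(fmt.Sprintf("%s.%s.0", k8sVersion.Major, k8sVersion.Minor))` fails on clusters whose discovery response reports a minor such as `29+` (managed providers commonly append the plus), and because the parse error is discarded in `err == nil && !v.LessThan(sidecarContainerVersion)` the feature then silently stays off with no log line. Either log the fallback or parse `k8sVersion.GitVersion` with a tolerant parser such as `version.ParseGeneric` from `k8s.io/apimachinery/pkg/util/version`. A passing server version also does not prove the `SidecarContainers` feature gate is enabled; with the gate off the API server prunes `restartPolicy` from init containers, so the injected proxy becomes a plain init container that never exits and the pod never leaves Init. A startup log line stating which injection mode was chosen would make both failure modes diagnosable. The `return err` on discovery failure further ties control-plane startup to the discovery API even when the feature is unused; addMutators continues outside the hunk.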
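Review bot: `append(status, slices.Concat(otherStatuses...)...)` appends into the caller's slice, so when `pod.Status.ContainerStatuses` has spare capacity the init-container statuses are written into its backing array past its length — a silent aliasing hazard for any caller that later appends to that slice. Building a fresh slice avoids it: `lists := append([][]kube_core.ContainerStatus{status}, otherStatuses...)` followed by `for _, cs := range slices.Concat(lists...) {`. Since the first list wins on duplicate names, a doc comment on FindContainerStatus stating that search order (`status` first, then `otherStatuses` in argument order) would help the two callers in inbound_converter.go, which rely on it. The function body continues outside the hunk.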
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go index b5e499c0fe50..c97858f7d0c6 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go +++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go @@ -40,6 +40,7 @@ func New( cfg runtime_k8s.Injector, controlPlaneURL string, client kube_client.Client, + sidecarContainersEnabled bool, converter k8s_common.Converter, envoyAdminPort uint32, systemNamespace string, @@ -53,10 +54,11 @@ func New( caCert = string(bytes) } return &KumaInjector{ - cfg: cfg, - client: client, - converter: converter, - defaultAdminPort: envoyAdminPort, + cfg: cfg, + client: client, + sidecarContainersEnabled: sidecarContainersEnabled, + converter: converter, + defaultAdminPort: envoyAdminPort, proxyFactory: containers.NewDataplaneProxyFactory(controlPlaneURL, caCert, envoyAdminPort, cfg.SidecarContainer.DataplaneContainer, cfg.BuiltinDNS, cfg.SidecarContainer.WaitForDataplaneReady), systemNamespace: systemNamespace, @@ -64,12 +66,13 @@ func New( } type KumaInjector struct { - cfg runtime_k8s.Injector - client kube_client.Client - converter k8s_common.Converter - proxyFactory *containers.DataplaneProxyFactory - defaultAdminPort uint32 - systemNamespace string + cfg runtime_k8s.Injector + client kube_client.Client + sidecarContainersEnabled bool + converter k8s_common.Converter + proxyFactory *containers.DataplaneProxyFactory + defaultAdminPort uint32 + systemNamespace string } func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error { 
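Review bot: The new `sidecarContainersEnabled bool` field and the matching positional parameter to New carry no doc comment, and a bare bool in the fourth slot of a seven-argument constructor is easy to misplace — the test call sites in this series show how the argument lists already wrap. At minimum document the field: `// sidecarContainersEnabled injects kuma-sidecar as a restartable init container (restartPolicy: Always) instead of as the first regular container.` A named option or a small options struct would be a safer shape if New grows further. New begins outside the first hunk.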
@@ -121,9 +124,6 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error pod.Annotations[kube_podcmd.DefaultContainerAnnotationName] = pod.Spec.Containers[0].Name } - // inject sidecar as first container - pod.Spec.Containers = append([]kube_core.Container{patchedContainer}, pod.Spec.Containers...) - annotations, err := i.NewAnnotations(pod, meshName, logger) if err != nil { return errors.Wrap(err, "could not generate annotations for pod") @@ -172,6 +172,15 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error } } + if i.sidecarContainersEnabled { + // inject sidecar after init + patchedContainer.RestartPolicy = pointer.To(kube_core.ContainerRestartPolicyAlways) + pod.Spec.InitContainers = append(pod.Spec.InitContainers, patchedContainer) + } else { + // inject sidecar as first container + pod.Spec.Containers = append([]kube_core.Container{patchedContainer}, pod.Spec.Containers...) + } + if err := i.overrideHTTPProbes(pod); err != nil { return err } diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go index da63adb0a372..63bacefced42 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go +++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go @@ -32,10 +32,11 @@ var _ = Describe("Injector", func() { ) type testCase struct { - num string - mesh string - cfgFile string - namespace string + num string + mesh string + cfgFile string + namespace string + sidecarContainersEnabled bool } BeforeAll(func() { 
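Review bot: In the sidecar-containers branch the proxy is appended with `pod.Spec.InitContainers = append(pod.Spec.InitContainers, patchedContainer)`, i.e. after every user init container, so when the Kuma init container has already set up redirection those init containers still run without a proxy — the situation restartable init containers exist to fix. If that is intended for now, say so in the comment (`// inject sidecar after init` is too terse); otherwise insert it directly after the Kuma init container, whose position I cannot see from here. Moving the injection below `NewAnnotations` also changes what both modes see when annotations are computed, which deserves a sentence in the commit message, and it is worth confirming that `overrideHTTPProbes` and the default-container annotation logic above handle a sidecar that is no longer in `pod.Spec.Containers`. The first hunk removes the old injection point; InjectKuma continues outside both hunks.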
@@ -85,7 +86,7 @@ spec: var cfg conf.Injector Expect(config.Load(filepath.Join("testdata", given.cfgFile), &cfg)).To(Succeed()) cfg.CaCertFile = caCertPath - injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, k8s.NewSimpleConverter(), 9901, systemNamespace) + injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, given.sidecarContainersEnabled, k8s.NewSimpleConverter(), 9901, systemNamespace) Expect(err).ToNot(HaveOccurred()) // and create mesh @@ -682,7 +683,7 @@ spec: var cfg conf.Injector Expect(config.Load(filepath.Join("testdata", given.cfgFile), &cfg)).To(Succeed()) cfg.CaCertFile = caCertPath - injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, k8s.NewSimpleConverter(), 9901, systemNamespace) + injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, given.sidecarContainersEnabled, k8s.NewSimpleConverter(), 9901, systemNamespace) Expect(err).ToNot(HaveOccurred()) // and create mesh @@ -788,7 +789,7 @@ spec: var cfg conf.Injector Expect(config.Load(filepath.Join("testdata", given.cfgFile), &cfg)).To(Succeed()) cfg.CaCertFile = caCertPath - injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, k8s.NewSimpleConverter(), 9901, systemNamespace) + injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, given.sidecarContainersEnabled, k8s.NewSimpleConverter(), 9901, systemNamespace) Expect(err).ToNot(HaveOccurred()) // and create mesh diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go b/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go index 2005b3e54113..219ebb8ee210 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go +++ b/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go @@ -3,6 +3,7 @@ package injector import ( "context" "fmt" + "slices" "github.com/go-logr/logr" "github.com/pkg/errors" 
@@ -87,7 +88,7 @@ func (i *KumaInjector) needToInject(pod *kube_core.Pod, ns *kube_core.Namespace) return false, nil } - for _, container := range pod.Spec.Containers { + for _, container := range slices.Concat(pod.Spec.Containers, pod.Spec.InitContainers) { if container.Name == k8s_util.KumaSidecarContainerName { log.V(1).Info("pod already has Kuma sidecar") return false, nil From c3d5fc8fa61144b62274fcfb796e7bb2ae9c1211 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Tue, 20 Feb 2024 19:38:44 +0100 Subject: [PATCH 2/9] test(e2e_env): adjust container patch e2e test Signed-off-by: Mike Beaumont --- .../container_patch/container_patch.go | 49 ++++++++++++++----- 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/test/e2e_env/kubernetes/container_patch/container_patch.go b/test/e2e_env/kubernetes/container_patch/container_patch.go index 4a5bb8f112a9..bcad2099899e 100644 --- a/test/e2e_env/kubernetes/container_patch/container_patch.go +++ b/test/e2e_env/kubernetes/container_patch/container_patch.go @@ -6,6 +6,7 @@ import ( "github.com/gruntwork-io/terratest/modules/k8s" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + kube_core "k8s.io/api/core/v1" k8s_util "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/util" . "github.com/kumahq/kuma/test/framework" 
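Review bot: `slices.Concat(pod.Spec.Containers, pod.Spec.InitContainers)` allocates and copies both container lists on every admission request just to scan names; two range loops, or a small `hasContainerNamed(pod, name)` helper that ranges each list in turn, does the same without the copy. The check is name-only, which is pre-existing, but the log line `"pod already has Kuma sidecar"` can now mean either a regular or an init container; logging which list matched would help when debugging injection. needToInject continues outside the hunk.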
@@ -78,14 +79,26 @@ spec: Expect(err).ToNot(HaveOccurred()) // then - Expect(pod.Spec.InitContainers).To(HaveLen(1)) - Expect(pod.Spec.Containers).To(HaveLen(2)) - // and kuma-sidecar is the first container - Expect(pod.Spec.Containers[0].Name).To(BeEquivalentTo(k8s_util.KumaSidecarContainerName)) + Expect(pod.Spec.InitContainers).To( + Or(HaveLen(1), HaveLen(2)), + ) // should have default value *int64 = 0 Expect(pod.Spec.InitContainers[0].SecurityContext.RunAsUser).To(Equal(new(int64))) - // kuma-sidecar container have Nil value - Expect(pod.Spec.Containers[0].SecurityContext.Privileged).To(BeNil()) + Expect(pod.Spec.Containers).To( + Or(HaveLen(2), HaveLen(1)), + ) + beSidecarWithoutPrivileged := And( + WithTransform(func(c kube_core.Container) string { return c.Name }, BeEquivalentTo(k8s_util.KumaSidecarContainerName)), + WithTransform(func(c kube_core.Container) *bool { return c.SecurityContext.Privileged }, BeNil()), + ) + if len(pod.Spec.Containers) == 2 { + // kuma-sidecar is the first container + Expect(pod.Spec.Containers[0]).To(beSidecarWithoutPrivileged) + } else { + Expect(pod.Spec.InitContainers).To(HaveLen(2)) + // kuma-sidecar is the second init container + Expect(pod.Spec.InitContainers[1]).To(beSidecarWithoutPrivileged) + } // when // pod with patch 
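Review bot: `Or(HaveLen(1), HaveLen(2))` on both `InitContainers` and `Containers`, with the layout then inferred from `len(pod.Spec.Containers) == 2`, means the test passes whichever placement the injector chose, so a regression that puts the sidecar in the wrong list on a cluster that supports the feature goes unnoticed; the second hunk below has the same pattern. Decide the expected layout from the cluster under test (the control plane's `KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS` setting and the server version) and assert exactly one shape. `pod.Spec.InitContainers[0].SecurityContext.RunAsUser` also assumes index 0 is the Kuma init container, which a name-based lookup would make robust. The enclosing `It` block starts outside the hunk.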
@@ -97,14 +110,26 @@ spec: // then pointerTrue := new(bool) *pointerTrue = true - Expect(pod.Spec.InitContainers).To(HaveLen(1)) - Expect(pod.Spec.Containers).To(HaveLen(2)) - // and kuma-sidecar is the first container - Expect(pod.Spec.Containers[0].Name).To(BeEquivalentTo(k8s_util.KumaSidecarContainerName)) + Expect(pod.Spec.InitContainers).To( + Or(HaveLen(1), HaveLen(2)), + ) // should doesn't have defined RunAsUser Expect(pod.Spec.InitContainers[0].SecurityContext.RunAsUser).To(BeNil()) - // kuma-sidecar container should have value *true - Expect(pod.Spec.Containers[0].SecurityContext.Privileged).To(Equal(pointerTrue)) + Expect(pod.Spec.Containers).To( + Or(HaveLen(2), HaveLen(1)), + ) + beSidecarWithPrivileged := And( + WithTransform(func(c kube_core.Container) string { return c.Name }, BeEquivalentTo(k8s_util.KumaSidecarContainerName)), + WithTransform(func(c kube_core.Container) *bool { return c.SecurityContext.Privileged }, Equal(pointerTrue)), + ) + if len(pod.Spec.Containers) == 2 { + // kuma-sidecar is the first container + Expect(pod.Spec.Containers[0]).To(beSidecarWithPrivileged) + } else { + Expect(pod.Spec.InitContainers).To(HaveLen(2)) + // kuma-sidecar is the second init container + Expect(pod.Spec.InitContainers[1]).To(beSidecarWithPrivileged) + } }) It("should reject ContainerPatch in non-system namespace", func() { From 653fd37d1946591f7f9e31ed16000f456066bfcf Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 21 Feb 2024 12:33:21 +0100 Subject: [PATCH 3/9] feat(kuma-cp): add experimental config for sidecar containers Signed-off-by: Mike Beaumont --- docs/generated/raw/kuma-cp.yaml | 3 +++ pkg/config/app/kuma-cp/config.go | 4 ++++ pkg/config/app/kuma-cp/kuma-cp.defaults.yaml | 3 +++ pkg/config/loader_test.go | 3 +++ pkg/plugins/runtime/k8s/plugin.go | 2 +- 5 files changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/generated/raw/kuma-cp.yaml b/docs/generated/raw/kuma-cp.yaml index d1f063f11b82..74204cb08ebb 100644 
--- a/docs/generated/raw/kuma-cp.yaml +++ b/docs/generated/raw/kuma-cp.yaml @@ -736,6 +736,9 @@ experimental: # If true then control plane computes reachable services automatically based on MeshTrafficPermission. # Lack of MeshTrafficPermission is treated as Deny the traffic. autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES + # Enables sidecar containers in Kubernetes if supported by the Kubernetes + # environment. + sidecarContainers: false # ENV: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS proxy: gateway: # Sets the envoy runtime value to limit maximum number of incoming diff --git a/pkg/config/app/kuma-cp/config.go b/pkg/config/app/kuma-cp/config.go index f6c62e86679b..31da2274a78a 100644 --- a/pkg/config/app/kuma-cp/config.go +++ b/pkg/config/app/kuma-cp/config.go @@ -268,6 +268,7 @@ var DefaultConfig = func() Config { FullResyncInterval: config_types.Duration{Duration: 1 * time.Minute}, DelayFullResync: false, }, + SidecarContainers: false, }, Proxy: xds.DefaultProxyConfig(), InterCp: intercp.DefaultInterCpConfig(), @@ -424,6 +425,9 @@ type ExperimentalConfig struct { // If true then control plane computes reachable services automatically based on MeshTrafficPermission. // Lack of MeshTrafficPermission is treated as Deny the traffic. AutoReachableServices bool `json:"autoReachableServices" envconfig:"KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES"` + // Enables sidecar containers in Kubernetes if supported by the Kubernetes + // environment. + SidecarContainers bool `json:"sidecarContainers" envconfig:"KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS"` } type ExperimentalKDSEventBasedWatchdog struct { diff --git a/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml b/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml index d1f063f11b82..74204cb08ebb 100644 --- a/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml +++ b/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml 
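Review bot: The comment on `SidecarContainers bool` says the feature is used "if supported by the Kubernetes environment" but not what "supported" means nor what happens when it is not; operators reading the generated kuma-cp.yaml have nothing else to go on. Suggest: `// Enables injecting kuma-sidecar as a restartable init container (Kubernetes 1.29+ with the SidecarContainers feature gate). When the API server reports an older version the injector silently falls back to a regular sidecar container.` The same text should reach the defaults YAML through generation rather than a hand edit.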
@@ -736,6 +736,9 @@ experimental: # If true then control plane computes reachable services automatically based on MeshTrafficPermission. # Lack of MeshTrafficPermission is treated as Deny the traffic. autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES + # Enables sidecar containers in Kubernetes if supported by the Kubernetes + # environment. + sidecarContainers: false # ENV: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS proxy: gateway: # Sets the envoy runtime value to limit maximum number of incoming diff --git a/pkg/config/loader_test.go b/pkg/config/loader_test.go index c665c429a56c..929e47661927 100644 --- a/pkg/config/loader_test.go +++ b/pkg/config/loader_test.go @@ -358,6 +358,7 @@ var _ = Describe("Config loader", func() { Expect(cfg.Experimental.KDSEventBasedWatchdog.FullResyncInterval.Duration).To(Equal(15 * time.Second)) Expect(cfg.Experimental.KDSEventBasedWatchdog.DelayFullResync).To(BeTrue()) Expect(cfg.Experimental.AutoReachableServices).To(BeTrue()) + Expect(cfg.Experimental.SidecarContainers).To(BeTrue()) Expect(cfg.Proxy.Gateway.GlobalDownstreamMaxConnections).To(BeNumerically("==", 1)) Expect(cfg.EventBus.BufferSize).To(Equal(uint(30))) @@ -709,6 +710,7 @@ experimental: fullResyncInterval: 15s delayFullResync: true autoReachableServices: true + sidecarContainers: true proxy: gateway: globalDownstreamMaxConnections: 1 @@ -983,6 +985,7 @@ tracing: "KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FULL_RESYNC_INTERVAL": "15s", "KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_DELAY_FULL_RESYNC": "true", "KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES": "true", + "KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS": "true", "KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS": "1", "KUMA_TRACING_OPENTELEMETRY_ENDPOINT": "otel-collector:4317", "KUMA_TRACING_OPENTELEMETRY_ENABLED": "true", diff --git a/pkg/plugins/runtime/k8s/plugin.go b/pkg/plugins/runtime/k8s/plugin.go index d8290b1c4bd4..19101445e619 100644 --- a/pkg/plugins/runtime/k8s/plugin.go 
+++ b/pkg/plugins/runtime/k8s/plugin.go @@ -319,7 +319,7 @@ func addMutators(mgr kube_ctrl.Manager, rt core_runtime.Runtime, converter k8s_c if v, err := semver.NewVersion( fmt.Sprintf("%s.%s.0", k8sVersion.Major, k8sVersion.Minor), ); err == nil && !v.LessThan(sidecarContainerVersion) { - sidecarContainersEnabled = true + sidecarContainersEnabled = rt.Config().Experimental.SidecarContainers } kumaInjector, err := injector.New( rt.Config().Runtime.Kubernetes.Injector, From d4f3afa858cb62f5d61eb3fe40ced58c3e274d3e Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 21 Feb 2024 14:17:44 +0100 Subject: [PATCH 4/9] test(injector): add unit test for sidecar feature 
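Review bot: With `sidecarContainersEnabled = rt.Config().Experimental.SidecarContainers` the discovery round-trip and version parse added just above this hunk (patch 1/9 of this series) still run, and a discovery failure still aborts addMutators with `return err`, even when the experimental flag is false. Checking the flag first and only then calling `discClient.ServerVersion()` keeps the default configuration independent of the discovery API. addMutators lies outside this hunk.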
Signed-off-by: Mike Beaumont --- .../k8s/webhooks/injector/injector_test.go | 127 +++++---- .../injector/testdata/inject.01.golden.yaml | 4 +- .../injector/testdata/inject.02.golden.yaml | 4 +- .../injector/testdata/inject.03.golden.yaml | 4 +- .../injector/testdata/inject.04.golden.yaml | 4 +- .../injector/testdata/inject.05.golden.yaml | 4 +- .../injector/testdata/inject.06.golden.yaml | 4 +- .../injector/testdata/inject.07.golden.yaml | 4 +- .../injector/testdata/inject.08.golden.yaml | 4 +- .../injector/testdata/inject.09.golden.yaml | 4 +- .../injector/testdata/inject.10.golden.yaml | 4 +- .../injector/testdata/inject.11.golden.yaml | 4 +- .../injector/testdata/inject.12.golden.yaml | 4 +- .../injector/testdata/inject.13.golden.yaml | 4 +- .../injector/testdata/inject.14.golden.yaml | 4 +- .../injector/testdata/inject.15.golden.yaml | 4 +- .../injector/testdata/inject.16.golden.yaml | 4 +- .../injector/testdata/inject.17.golden.yaml | 4 +- .../injector/testdata/inject.18.golden.yaml | 4 +- .../injector/testdata/inject.19.golden.yaml | 4 +- .../injector/testdata/inject.20.golden.yaml | 4 +- .../injector/testdata/inject.21.golden.yaml | 4 +- .../injector/testdata/inject.22.golden.yaml | 4 +- .../injector/testdata/inject.23.golden.yaml | 4 +- .../injector/testdata/inject.24.golden.yaml | 4 +- .../injector/testdata/inject.25.golden.yaml | 4 +- .../injector/testdata/inject.26.golden.yaml | 4 +- .../injector/testdata/inject.27.golden.yaml | 4 +- .../injector/testdata/inject.28.golden.yaml | 4 +- .../injector/testdata/inject.29.golden.yaml | 4 +- .../injector/testdata/inject.30.golden.yaml | 4 +- .../injector/testdata/inject.31.golden.yaml | 4 +- .../injector/testdata/inject.32.golden.yaml | 4 +- .../inject.sidecar-feature.01.golden.yaml | 167 +++++++++++ .../inject.sidecar-feature.02.golden.yaml | 175 ++++++++++++ .../inject.sidecar-feature.03.golden.yaml | 259 ++++++++++++++++++ .../inject.sidecar-feature.04.golden.yaml | 167 +++++++++++ 
.../inject.sidecar-feature.05.golden.yaml | 158 +++++++++++ .../inject.sidecar-feature.06.golden.yaml | 168 ++++++++++++ .../inject.sidecar-feature.07.golden.yaml | 167 +++++++++++ .../inject.sidecar-feature.08.golden.yaml | 170 ++++++++++++ .../inject.sidecar-feature.09.golden.yaml | 169 ++++++++++++ .../inject.sidecar-feature.10.golden.yaml | 168 ++++++++++++ .../inject.sidecar-feature.11.golden.yaml | 167 +++++++++++ .../inject.sidecar-feature.12.golden.yaml | 167 +++++++++++ .../inject.sidecar-feature.13.golden.yaml | 179 ++++++++++++ .../inject.sidecar-feature.14.golden.yaml | 179 ++++++++++++ .../inject.sidecar-feature.15.golden.yaml | 179 ++++++++++++ .../inject.sidecar-feature.16.golden.yaml | 176 ++++++++++++ .../inject.sidecar-feature.17.golden.yaml | 176 ++++++++++++ .../inject.sidecar-feature.18.golden.yaml | 176 ++++++++++++ .../inject.sidecar-feature.19.golden.yaml | 185 +++++++++++++ .../inject.sidecar-feature.20.golden.yaml | 185 +++++++++++++ .../inject.sidecar-feature.21.golden.yaml | 192 +++++++++++++ .../inject.sidecar-feature.22.golden.yaml | 180 ++++++++++++ .../inject.sidecar-feature.23.golden.yaml | 194 +++++++++++++ .../inject.sidecar-feature.24.golden.yaml | 195 +++++++++++++ .../inject.sidecar-feature.25.golden.yaml | 194 +++++++++++++ .../inject.sidecar-feature.26.golden.yaml | 169 ++++++++++++ .../inject.sidecar-feature.27.golden.yaml | 158 +++++++++++ .../inject.sidecar-feature.28.golden.yaml | 165 +++++++++++ .../inject.sidecar-feature.29.golden.yaml | 173 ++++++++++++ .../inject.sidecar-feature.30.golden.yaml | 188 +++++++++++++ .../inject.sidecar-feature.31.golden.yaml | 168 ++++++++++++ .../inject.sidecar-feature.32.golden.yaml | 161 +++++++++++ 65 files changed, 5811 insertions(+), 118 deletions(-) create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.01.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.02.golden.yaml create mode 100644 
pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.03.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.04.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.05.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.06.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.07.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.08.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.09.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.10.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.11.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.12.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.13.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.14.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.15.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.16.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.17.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.18.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.19.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.20.golden.yaml create mode 100644 
pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.21.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.22.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.23.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.24.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.25.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.26.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.27.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.28.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.29.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.30.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.31.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.32.golden.yaml diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go index 63bacefced42..99020aed4f2a 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go +++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go @@ -32,11 +32,10 @@ var _ = Describe("Injector", func() { ) type testCase struct { - num string - mesh string - cfgFile string - namespace string - sidecarContainersEnabled bool + num string + mesh string + cfgFile string + namespace string } BeforeAll(func() { 
@@ -77,57 +76,77 @@ spec: Expect(err).ToNot(HaveOccurred()) }) - DescribeTable("should inject Kuma into a Pod", + DescribeTableSubtree("should inject Kuma into a Pod", func(given testCase) { // setup inputFile := filepath.Join("testdata", fmt.Sprintf("inject.%s.input.yaml", given.num)) - goldenFile := filepath.Join("testdata", fmt.Sprintf("inject.%s.golden.yaml", given.num)) - var cfg conf.Injector - Expect(config.Load(filepath.Join("testdata", given.cfgFile), &cfg)).To(Succeed()) - cfg.CaCertFile = caCertPath - injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, given.sidecarContainersEnabled, k8s.NewSimpleConverter(), 9901, systemNamespace) - Expect(err).ToNot(HaveOccurred()) - - // and create mesh - decoder := serializer.NewCodecFactory(k8sClientScheme).UniversalDeserializer() - obj, _, errMesh := decoder.Decode([]byte(given.mesh), nil, nil) - Expect(errMesh).ToNot(HaveOccurred()) - errCreate := k8sClient.Create(context.Background(), obj.(kube_client.Object)) - Expect(errCreate).ToNot(HaveOccurred()) - ns, _, errNs := decoder.Decode([]byte(given.namespace), nil, nil) - Expect(errNs).ToNot(HaveOccurred()) - errUpd := k8sClient.Update(context.Background(), ns.(kube_client.Object)) - Expect(errUpd).ToNot(HaveOccurred()) - - // given - pod := &kube_core.Pod{} - - By("loading input Pod") - // when - input, err := os.ReadFile(inputFile) - // then - Expect(err).ToNot(HaveOccurred()) - // when - err = yaml.Unmarshal(input, pod) - // then - Expect(err).ToNot(HaveOccurred()) - - By("injecting Kuma") - // when - err = injector.InjectKuma(context.Background(), pod) - // then - Expect(err).ToNot(HaveOccurred()) - Expect(pod.Spec.Containers[0].Name).To(BeEquivalentTo(k8s_util.KumaSidecarContainerName)) - - By("loading golden Pod") - // when - actual, err := yaml.Marshal(pod) - // then - Expect(err).ToNot(HaveOccurred()) - - By("comparing actual against golden") - Expect(actual).To(matchers.MatchGoldenYAML(goldenFile)) + run := 
func(sidecarsEnabled bool) { + var goldenFile string + if sidecarsEnabled { + goldenFile = filepath.Join("testdata", fmt.Sprintf("inject.sidecar-feature.%s.golden.yaml", given.num)) + } else { + goldenFile = filepath.Join("testdata", fmt.Sprintf("inject.%s.golden.yaml", given.num)) + } + + var cfg conf.Injector + Expect(config.Load(filepath.Join("testdata", given.cfgFile), &cfg)).To(Succeed()) + cfg.CaCertFile = caCertPath + injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, sidecarsEnabled, k8s.NewSimpleConverter(), 9901, systemNamespace) + Expect(err).ToNot(HaveOccurred()) + + // and create mesh + decoder := serializer.NewCodecFactory(k8sClientScheme).UniversalDeserializer() + obj, _, errMesh := decoder.Decode([]byte(given.mesh), nil, nil) + Expect(errMesh).ToNot(HaveOccurred()) + errCreate := k8sClient.Create(context.Background(), obj.(kube_client.Object)) + Expect(errCreate).ToNot(HaveOccurred()) + ns, _, errNs := decoder.Decode([]byte(given.namespace), nil, nil) + Expect(errNs).ToNot(HaveOccurred()) + errUpd := k8sClient.Update(context.Background(), ns.(kube_client.Object)) + Expect(errUpd).ToNot(HaveOccurred()) + + // given + pod := &kube_core.Pod{} + + By("loading input Pod") + // when + input, err := os.ReadFile(inputFile) + // then + Expect(err).ToNot(HaveOccurred()) + // when + err = yaml.Unmarshal(input, pod) + // then + Expect(err).ToNot(HaveOccurred()) + + By("injecting Kuma") + // when + err = injector.InjectKuma(context.Background(), pod) + // then + Expect(err).ToNot(HaveOccurred()) + if !sidecarsEnabled { + Expect(pod.Spec.Containers[0].Name).To(BeEquivalentTo(k8s_util.KumaSidecarContainerName)) + } else { + Expect(pod.Spec.InitContainers).To(ContainElement( + WithTransform(func(c kube_core.Container) string { return c.Name }, Equal(k8s_util.KumaSidecarContainerName))), + ) + } + + By("loading golden Pod") + // when + actual, err := yaml.Marshal(pod) + // then + Expect(err).ToNot(HaveOccurred()) + + 
By("comparing actual against golden") + Expect(actual).To(matchers.MatchGoldenYAML(goldenFile)) + } + It("injects as traditional sidecar container", func() { + run(false) + }) + It("injects with sidecar containers feature", func() { + run(true) + }) }, Entry("01. Pod without init containers and annotations", testCase{ num: "01", @@ -683,7 +702,7 @@ spec: var cfg conf.Injector Expect(config.Load(filepath.Join("testdata", given.cfgFile), &cfg)).To(Succeed()) cfg.CaCertFile = caCertPath - injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, given.sidecarContainersEnabled, k8s.NewSimpleConverter(), 9901, systemNamespace) + injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, false, k8s.NewSimpleConverter(), 9901, systemNamespace) Expect(err).ToNot(HaveOccurred()) // and create mesh @@ -789,7 +808,7 @@ spec: var cfg conf.Injector Expect(config.Load(filepath.Join("testdata", given.cfgFile), &cfg)).To(Succeed()) cfg.CaCertFile = caCertPath - injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, given.sidecarContainersEnabled, k8s.NewSimpleConverter(), 9901, systemNamespace) + injector, err := inject.New(cfg, "http://kuma-control-plane.kuma-system:5681", k8sClient, false, k8s.NewSimpleConverter(), 9901, systemNamespace) Expect(err).ToNot(HaveOccurred()) // and create mesh diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml index ecf0136b2742..fa2eaa570e83 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml 
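Review bot: `run` creates the Mesh with `k8sClient.Create(...)` and updates the Namespace through the same shared `k8sClient` for both `It` blocks, so unless the client is rebuilt per spec (the `BeforeAll` is outside the hunk) the second invocation will fail with AlreadyExists instead of exercising the injector. In the sidecar-feature branch the assertion also only checks that an init container named kuma-sidecar exists; adding `WithTransform(func(c kube_core.Container) *kube_core.ContainerRestartPolicy { return c.RestartPolicy }, HaveValue(Equal(kube_core.ContainerRestartPolicyAlways)))` would catch a missing `restartPolicy: Always`, which would otherwise leave pods stuck in Init. The golden files cover this indirectly, but an explicit matcher documents the contract.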
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml
index 3b4cfd877f35..c5b470638160 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml
@@ -97,12 +97,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml
index 966c04d4ff01..1cf6e0fa99aa 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml
@@ -104,12 +104,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml
index 3e3de8ed70fd..626a917eed24 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml
index aea4a3db93be..2398474efaaf 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml
@@ -97,12 +97,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml
index 136a645de8e0..7d7712a57794 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml
@@ -97,12 +97,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml
index ecf0136b2742..fa2eaa570e83 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml
index 1cdbda80c5e8..874a2870d9ed 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml
@@ -99,12 +99,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml
index 2731c9da816a..8478a29bc74c 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml
@@ -98,12 +98,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml
index e6df431007aa..36d6223f260a 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml
@@ -97,12 +97,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml
index 64027b9e18ef..2ee74db70c90 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml
index c7c09a3b58e6..90b2899ec449 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
index 83fbee65c3a4..140bc75990d7 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
index deea5d69b190..a1256761280b 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
index 65ca89077eac..1923ab79efbf 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
index 6dc387bd75bf..7f25cd5addd1 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
@@ -98,12 +98,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
index 73fa71c4b1e8..57f985d33784 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
@@ -98,12 +98,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
index 5f3e72fd27b0..358b03ab1a04 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
@@ -98,12 +98,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
index e69bd0ecf867..f44eb80922d7 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
index e19df0f9133f..c28121330a12 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
index 23150717feb0..e63382d56131 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
index 0d87c371da58..ba938ba85499 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
@@ -102,12 +102,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
index 229a41ed50e5..075e1c1b8296 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
@@ -113,12 +113,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml
index 4caddee8e814..5b6df75b06cf 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml
@@ -114,12 +114,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml
index 442e458653f6..e44c385c3404 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml
@@ -113,12 +113,12 @@ spec:
 resources:
 limits:
 cpu: 8500m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml
index 2e1a917cfcf3..1a2ad47c9b08 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml
@@ -98,12 +98,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml
index 7076b1ce2348..7ad9b95317d6 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml
@@ -97,12 +97,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml
index 399685c8c622..bdf5f70b79b3 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml
@@ -101,12 +101,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 privileged: false
 readOnlyRootFilesystem: true
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml
index 8aa0776f5d64..50ff9ae4496c 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml
@@ -109,12 +109,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml
index 3be23a9d1162..ea3edb773d48 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml
@@ -101,12 +101,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml
index b356ce0e1011..8058ff47865e 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml
@@ -96,12 +96,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml
index 0c13f6f3bae9..604bb7023566 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml
@@ -97,12 +97,12 @@ spec:
 resources:
 limits:
 cpu: 1100m
- memory: 1512Mi
 ephemeral-storage: 1G
+ memory: 1512Mi
 requests:
 cpu: 150m
- memory: 164Mi
 ephemeral-storage: 50M
+ memory: 164Mi
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.01.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.01.golden.yaml
new file mode 100644
index 000000000000..18e4ec44575b
--- /dev/null
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.01.golden.yaml
@@ -0,0 +1,167 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + 
XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + 
restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.02.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.02.golden.yaml new file mode 100644 index 000000000000..1e52055e77d2 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.02.golden.yaml 
@@ -0,0 +1,175 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + docs: Documentation + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + 
AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi 
+ requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.03.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.03.golden.yaml new file mode 100644 index 000000000000..bdde6d89e5aa --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.03.golden.yaml 
@@ -0,0 +1,259 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: coredns + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + generateName: coredns-fb8b8dccf- + labels: + k8s-app: kube-dns + pod-template-hash: fb8b8dccf + ownerReferences: + - apiVersion: apps/v1 + blockOwnerDeletion: true + controller: true + kind: ReplicaSet + name: coredns-fb8b8dccf + uid: 844452a6-aec8-11e9-9753-0242ac110002 +spec: + containers: + - args: + - -conf + - /etc/coredns/Corefile + image: registry.k8s.io/coredns:1.3.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /8080/health + port: 9000 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: coredns + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /8080/health + port: 9000 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + procMount: Default + readOnlyRootFilesystem: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/coredns + name: config-volume + readOnly: true + - mountPath: 
/var/run/secrets/kubernetes.io/serviceaccount + name: coredns-token-9gmrh + readOnly: true + dnsPolicy: Default + enableServiceLinks: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + 
leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: coredns-token-9gmrh + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + nodeSelector: + beta.kubernetes.io/os: linux + priority: 2000000000 + priorityClassName: system-cluster-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: coredns + serviceAccountName: coredns + terminationGracePeriodSeconds: 30 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: 
node-role.kubernetes.io/master + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 300 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 300 + volumes: + - configMap: + defaultMode: 420 + items: + - key: Corefile + path: Corefile + name: coredns + name: config-volume + - name: coredns-token-9gmrh + secret: + secretName: coredns-token-9gmrh + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.04.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.04.golden.yaml new file mode 100644 index 000000000000..8cf2cd71a1d9 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.04.golden.yaml 
@@ -0,0 +1,167 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: demo + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + 
XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: demo + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + 
restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.05.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.05.golden.yaml new file mode 100644 index 000000000000..6bd7ecf4e477 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.05.golden.yaml 
@@ -0,0 +1,158 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + automountServiceAccountToken: false + containers: + - image: busybox + name: busybox + resources: {} + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + 
Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: 
true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.06.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.06.golden.yaml new file mode 100644 index 000000000000..a88ccd5a2d06 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.06.golden.yaml 
@@ -0,0 +1,168 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/gateway: enabled + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: disabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=false + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + 
XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + 
restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.07.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.07.golden.yaml new file mode 100644 index 000000000000..18e4ec44575b --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.07.golden.yaml 
@@ -0,0 +1,167 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + 
XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + 
restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.08.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.08.golden.yaml new file mode 100644 index 000000000000..6799ccf4cc47 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.08.golden.yaml 
@@ -0,0 +1,170 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + prometheus.io/path: /appmetrics + prometheus.io/port: "5678" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + 
AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi 
+ requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.09.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.09.golden.yaml new file mode 100644 index 000000000000..0a34f417ef3c --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.09.golden.yaml 
@@ -0,0 +1,169 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + prometheus.metrics.kuma.io/path: /custom-metrics + prometheus.metrics.kuma.io/port: "5678" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + 
AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi 
+ requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.10.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.10.golden.yaml new file mode 100644 index 000000000000..fb93cab9c5cc --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.10.golden.yaml 
@@ -0,0 +1,168 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + kuma.io/sidecar-injection: enabled + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + 
XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + 
restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.11.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.11.golden.yaml new file mode 100644 index 000000000000..f165e1ebd1db --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.11.golden.yaml 
@@ -0,0 +1,167 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: mesh-name-from-ns + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + 
XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: mesh-name-from-ns + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + 
memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.12.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.12.golden.yaml new file mode 100644 index 000000000000..5c21fbff86c7 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.12.golden.yaml 
@@ -0,0 +1,167 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: mesh-name-from-pod + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + 
XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: mesh-name-from-pod + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + 
memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.13.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.13.golden.yaml new file mode 100644 index 000000000000..8307870658cd --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.13.golden.yaml 
@@ -0,0 +1,179 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + livenessProbe: + httpGet: + path: /8080/metrics + port: 9000 + initialDelaySeconds: 3 + periodSeconds: 3 + name: busybox + readinessProbe: + httpGet: + path: /3001/metrics + port: 9000 + initialDelaySeconds: 3 + periodSeconds: 3 + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + 
MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + 
periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.14.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.14.golden.yaml new file mode 100644 index 000000000000..6b61b973f3a4 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.14.golden.yaml 
@@ -0,0 +1,179 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "19000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + livenessProbe: + httpGet: + path: /8080/metrics + port: 19000 + initialDelaySeconds: 3 + periodSeconds: 3 + name: busybox + readinessProbe: + httpGet: + path: /3001/metrics + port: 19000 + initialDelaySeconds: 3 + periodSeconds: 3 + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + 
MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + 
periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.15.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.15.golden.yaml new file mode 100644 index 000000000000..0f729e0cfce5 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.15.golden.yaml 
@@ -0,0 +1,179 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: disabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + livenessProbe: + httpGet: + path: /metrics + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + name: busybox + readinessProbe: + httpGet: + path: /metrics + port: 3001 + initialDelaySeconds: 3 + periodSeconds: 3 + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + 
MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + 
periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.16.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.16.golden.yaml new file mode 100644 index 000000000000..e5827570e3e9 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.16.golden.yaml 
@@ -0,0 +1,176 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + traffic.kuma.io/exclude-inbound-ports: 1234,1235 + traffic.kuma.io/exclude-outbound-ports: "1236" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - 1234,1235 + - --exclude-outbound-ports + - "1236" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + 
MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + 
periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.17.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.17.golden.yaml new file mode 100644 index 000000000000..03cab09bb053 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.17.golden.yaml 
@@ -0,0 +1,176 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + traffic.kuma.io/exclude-inbound-ports: 1234,5678 + traffic.kuma.io/exclude-outbound-ports: 4321,7654 + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - 1234,5678 + - --exclude-outbound-ports + - 4321,7654 + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + 
MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + 
periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.18.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.18.golden.yaml new file mode 100644 index 000000000000..37f47149533d --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.18.golden.yaml 
@@ -0,0 +1,176 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + traffic.kuma.io/exclude-inbound-ports: "" + traffic.kuma.io/exclude-outbound-ports: "" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + 
DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + 
resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.19.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.19.golden.yaml new file mode 100644 index 000000000000..391b00ab1140 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.19.golden.yaml 
@@ -0,0 +1,185 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: disabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + livenessProbe: + httpGet: + path: /metrics + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + name: busybox + readinessProbe: + httpGet: + path: /metrics + port: 3001 + initialDelaySeconds: 3 + periodSeconds: 3 + resources: {} + startupProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + 
MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + 
httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.20.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.20.golden.yaml new file mode 100644 index 000000000000..2604e353f1e0 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.20.golden.yaml 
@@ -0,0 +1,185 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + livenessProbe: + httpGet: + path: /8080/metrics + port: 9000 + initialDelaySeconds: 3 + periodSeconds: 3 + name: busybox + readinessProbe: + httpGet: + path: /3001/metrics + port: 9000 + initialDelaySeconds: 3 + periodSeconds: 3 + resources: {} + startupProbe: + httpGet: + path: /8081/metrics + port: 9000 + initialDelaySeconds: 3 + periodSeconds: 3 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN 
CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + 
failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.21.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.21.golden.yaml new file mode 100644 index 000000000000..c9cda2182212 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.21.golden.yaml 
@@ -0,0 +1,192 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + livenessProbe: + httpGet: + path: /8080/metrics + port: 9000 + initialDelaySeconds: 3 + periodSeconds: 3 + name: busybox + ports: + - containerPort: 3001 + name: readiness-port + - containerPort: 8080 + name: liveness-port + - containerPort: 8081 + name: startup-port + readinessProbe: + httpGet: + path: /3001/metrics + port: 9000 + initialDelaySeconds: 3 + periodSeconds: 3 + resources: {} + startupProbe: + httpGet: + path: /8081/startup + port: 9000 + initialDelaySeconds: 3 + periodSeconds: 3 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: 
INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 
9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.22.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.22.golden.yaml new file mode 100644 index 000000000000..882484228975 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.22.golden.yaml 
@@ -0,0 +1,180 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + docs: Documentation + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + 
MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 5s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /some/other/path + - name: KUMA_DNS_ENABLED + value: "false" + - name: NEW_ENV_VAR + value: "123" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: TEST_ENV_VAR + value: test123 + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + 
port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.23.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.23.golden.yaml new file mode 100644 index 000000000000..12909403333e --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.23.golden.yaml 
@@ -0,0 +1,194 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + docs: Documentation + kubectl.kubernetes.io/default-container: busybox + kuma.io/builtin-dns: enabled + kuma.io/builtin-dns-logging: "false" + kuma.io/builtin-dns-port: "25053" + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + - --redirect-all-dns-traffic + - --redirect-dns-port + - "25053" + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT 
+ value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 5s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_CORE_DNS_BINARY_PATH + value: coredns + - name: KUMA_DNS_CORE_DNS_EMPTY_PORT + value: "25054" + - name: KUMA_DNS_CORE_DNS_PORT + value: "25053" + - name: KUMA_DNS_ENABLED + value: "true" + - name: KUMA_DNS_ENABLE_LOGGING + value: "false" + - name: KUMA_DNS_ENVOY_DNS_PORT + value: "25055" + - name: NEW_ENV_VAR + value: "123" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + 
apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.24.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.24.golden.yaml new file mode 100644 index 000000000000..fa1af5747883 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.24.golden.yaml 
@@ -0,0 +1,195 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + docs: Documentation + kubectl.kubernetes.io/default-container: busybox + kuma.io/builtin-dns: enabled + kuma.io/builtin-dns-logging: "false" + kuma.io/builtin-dns-port: "25053" + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-proxy-concurrency: "99" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + - --redirect-all-dns-traffic + - --redirect-dns-port + - "25053" + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=99 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: 
status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 5s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_CORE_DNS_BINARY_PATH + value: coredns + - name: KUMA_DNS_CORE_DNS_EMPTY_PORT + value: "25054" + - name: KUMA_DNS_CORE_DNS_PORT + value: "25053" + - name: KUMA_DNS_ENABLED + value: "true" + - name: KUMA_DNS_ENABLE_LOGGING + value: "false" + - name: KUMA_DNS_ENVOY_DNS_PORT + value: "25055" + - name: NEW_ENV_VAR + value: "123" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - 
name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.25.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.25.golden.yaml new file mode 100644 index 000000000000..946ccd8888bd --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.25.golden.yaml 
@@ -0,0 +1,194 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + docs: Documentation + kubectl.kubernetes.io/default-container: busybox + kuma.io/builtin-dns: enabled + kuma.io/builtin-dns-logging: "false" + kuma.io/builtin-dns-port: "25053" + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-env-vars: KUMA_DATAPLANE_DRAIN_TIME=5s;NEW_ENV_VAR=123 + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + - --redirect-all-dns-traffic + - --redirect-dns-port + - "25053" + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=8 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT 
+ value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 5s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_CORE_DNS_BINARY_PATH + value: coredns + - name: KUMA_DNS_CORE_DNS_EMPTY_PORT + value: "25054" + - name: KUMA_DNS_CORE_DNS_PORT + value: "25053" + - name: KUMA_DNS_ENABLED + value: "true" + - name: KUMA_DNS_ENABLE_LOGGING + value: "false" + - name: KUMA_DNS_ENVOY_DNS_PORT + value: "25055" + - name: NEW_ENV_VAR + value: "123" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + 
apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 8500m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.26.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.26.golden.yaml new file mode 100644 index 000000000000..4ec6f6259f32 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.26.golden.yaml 
@@ -0,0 +1,169 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/service-account-token-volume: token + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + automountServiceAccountToken: false + containers: + - image: busybox + name: busybox + resources: {} + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + 
Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: 
true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: token + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - name: token + projected: + sources: + - serviceAccountToken: + audience: https://kubernetes.default.svc.cluster.local + expirationSeconds: 7200 + path: token + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.27.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.27.golden.yaml new file mode 100644 index 000000000000..21b5d18130e5 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.27.golden.yaml 
@@ -0,0 +1,158 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-drain-time: 10s + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + 
Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 10s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: 
true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.28.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.28.golden.yaml new file mode 100644 index 000000000000..5a404cf1c84d --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.28.golden.yaml 
@@ -0,0 +1,165 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/container-patches: container-patch-1 + kuma.io/envoy-admin-port: "9901" + kuma.io/envoy-log-level: trace + kuma.io/mesh: default + kuma.io/sidecar-drain-time: 10s + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 
+ Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 10s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_ENVOY_LOG_LEVEL + value: trace + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + 
restartPolicy: Always + securityContext: + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /tmp + name: kuma-sidecar-tmp + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount/ + name: '{{ template "kong.serviceAccountTokenName" . }}' + readOnly: true + volumes: + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.29.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.29.golden.yaml new file mode 100644 index 000000000000..82d699eaa7f6 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.29.golden.yaml 
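Review bot: The kuma-sidecar entry in initContainers with `restartPolicy: Always` carries liveness and readiness probes but no startupProbe, so the kubelet treats the sidecar as started as soon as its process is running and immediately proceeds to the app containers; by then kuma-init has already installed the iptables redirect, so app egress is sent to ports Envoy may not be listening on yet. This is fail-closed rather than a policy bypass, but it reintroduces the startup race the native-sidecar ordering is supposed to remove. Unless the injector code (outside this chunk) adds one, I would give the sidecar a startup probe, e.g. `startupProbe: {httpGet: {path: /ready, port: 9901}, periodSeconds: 1, failureThreshold: 60}`, so Kubernetes gates the remaining init and app containers on Envoy readiness. The same applies to the other new golden files in this commit.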
@@ -0,0 +1,173 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/builtin-dns: enabled + kuma.io/builtin-dns-logging: "false" + kuma.io/builtin-dns-port: "25053" + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + - --redirect-all-dns-traffic + - --redirect-dns-port + - "25053" + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + 
AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_CORE_DNS_BINARY_PATH + value: coredns + - name: KUMA_DNS_CORE_DNS_EMPTY_PORT + value: "25054" + - name: KUMA_DNS_CORE_DNS_PORT + value: "25053" + - name: KUMA_DNS_ENABLED + value: "true" + - name: KUMA_DNS_ENABLE_LOGGING + value: "false" + - name: KUMA_DNS_ENVOY_DNS_PORT + value: "25055" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + 
name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.30.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.30.golden.yaml new file mode 100644 index 000000000000..d9643b7bd45e --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.30.golden.yaml 
@@ -0,0 +1,188 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + ignore-check.kube-linter.io/privileged-container: ebpf requires privileged-container + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: enabled + kuma.io/transparent-proxying-ebpf-bpf-fs-path: /sys/fs/bpf + kuma.io/transparent-proxying-ebpf-cgroup-path: /sys/fs/cgroup + kuma.io/transparent-proxying-ebpf-programs-source-path: /kuma/ebpf + kuma.io/transparent-proxying-ebpf-tc-attach-iface: eth0 + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + - --ebpf-enabled + - --ebpf-instance-ip + - $(INSTANCE_IP) + - --ebpf-bpffs-path + - /sys/fs/bpf + - --ebpf-cgroup-path + - /sys/fs/cgroup + - --ebpf-tc-attach-iface + - eth0 + - --ebpf-programs-source-path + - /kuma/ebpf + command: + - /usr/bin/kumactl + - install + - transparent-proxy + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 80M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: {} + privileged: true + runAsGroup: 0 + runAsUser: 0 + volumeMounts: + - mountPath: 
/sys/fs/cgroup + name: sys-fs-cgroup + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-fs + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + 
apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp + - hostPath: + path: /sys/fs/cgroup + name: sys-fs-cgroup + - hostPath: + path: /sys/fs/bpf + name: bpf-fs +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.31.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.31.golden.yaml new file mode 100644 index 000000000000..a6e82dbfffb6 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.31.golden.yaml 
@@ -0,0 +1,168 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + securityContext: + runAsUser: 10000 + initContainers: + - command: + - sh + - -c + - sleep 5 + image: busybox + name: init + resources: {} + securityContext: + runAsUser: 5678 + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + 
XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + 
restartPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.32.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.32.golden.yaml new file mode 100644 index 000000000000..7abec8f4dd64 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.32.golden.yaml 
@@ -0,0 +1,161 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubectl.kubernetes.io/default-container: busybox + kuma.io/envoy-admin-port: "9901" + kuma.io/init-first: "true" + kuma.io/mesh: default + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-ebpf: disabled + kuma.io/transparent-proxying-inbound-port: "15006" + kuma.io/transparent-proxying-inbound-v6-port: "15010" + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: enabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + initContainers: + - args: + - --redirect-outbound-port + - "15001" + - --redirect-inbound=true + - --redirect-inbound-port + - "15006" + - --redirect-inbound-port-v6 + - "15010" + - --kuma-dp-uid + - "5678" + - --exclude-inbound-ports + - "" + - --exclude-outbound-ports + - "" + - --verbose + command: + - /usr/bin/kumactl + - install + - transparent-proxy + image: kuma/kuma-init:latest + imagePullPolicy: IfNotPresent + name: kuma-init + resources: + limits: + cpu: 100m + memory: 50M + requests: + cpu: 20m + memory: 20M + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + runAsGroup: 0 + runAsUser: 0 + - image: busybox + name: busybox + resources: {} + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + 
Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + readOnlyRootFilesystem: 
true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /tmp + name: kuma-sidecar-tmp + volumes: + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} From 494a194e52d73ef45aae0a2a1c825c050f84755e Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 21 Feb 2024 12:39:15 +0100 Subject: [PATCH 5/9] ci: add job for sidecar container feature Signed-off-by: Mike Beaumont --- .circleci/config.yml | 34 +++---- .github/workflows/build-test-distribute.yaml | 6 +- .github/workflows/e2e.yaml | 6 +- test/framework/config.go | 98 ++++++++++---------- test/framework/envs/kubernetes/env.go | 19 ++-- 5 files changed, 85 insertions(+), 78 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index d5d96d36efdc..cc8718ea2ad8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -36,9 +36,9 @@ parameters: e2e_param_cniNetworkPlugin: type: string default: flannel - e2e_param_legacyKDS: - type: boolean - default: false + e2e_param_sidecarContainers: + type: string + default: "" # See https://circleci.com/docs/2.0/configuration-reference/#commands-requires-version-21. commands: install_build_tools: @@ -265,8 +265,8 @@ jobs: description: The CNI networking plugin to use [flannel | calico] type: string default: flannel - legacyKDS: - description: if should run tests with new implementation of KDS + sidecarContainers: + description: if should run tests with sidecar containers type: boolean default: false executor: @@ -285,7 +285,7 @@ jobs: - {equal: [calico, << parameters.cniNetworkPlugin >>]} - {equal: [kindIpv6, << parameters.k8sVersion >>]} - {equal: [arm64, << parameters.arch >>]} - - {equal: [true, << parameters.legacyKDS >>]} + # - {equal: [true, << parameters.sidecarContainers >>]} - {equal: [<< pipeline.parameters.first_k8s_version >>, << parameters.k8sVersion >>]} steps: - halt_non_priority_job 
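Review bot: With `kuma.io/init-first: "true"` the application init container `busybox` is ordered after `kuma-init` but before the `kuma-sidecar` init container, so it runs with the iptables redirect already installed and nothing listening on 15001/15006, and any network call it makes is refused rather than proxied. If the point of init-first under the sidecar-containers feature is to give application init containers mesh access, the sidecar should be inserted directly after kuma-init (`kuma-init`, `kuma-sidecar`, then the original init containers) so it is up before they execute; if the current order is intentional, the annotation documentation should state that init containers still have no network in this mode. I can only see the expected output here, not the injector code that produces it.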
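Review bot: The priority filter now carries a commented-out `# - {equal: [true, << parameters.sidecarContainers >>]}` instead of either a live condition or nothing, which leaves it unclear whether the sidecar-containers e2e job is meant to be halted as non-priority (the legacyKDS condition it replaces was live). Either restore the condition or drop the line and add a one-line comment stating why this variant is excluded from the priority set.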
@@ -362,8 +362,8 @@ jobs: export MAKE_PARAMETERS="-j2" fi - if [[ "<< parameters.legacyKDS >>" == true ]]; then - export KUMA_LEGACY_KDS=true + if [[ "<< parameters.sidecarContainers >>" == true ]]; then + export KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS=true fi if [[ "<< parameters.target >>" == "" ]]; then @@ -403,8 +403,8 @@ jobs: description: The CNI networking plugin to use [flannel | calico] type: string default: flannel - legacyKDS: - description: if should run tests with new implementation of KDS + sidecarContainers: + description: if should run tests with sidecar containers type: boolean executor: name: vm-<< parameters.arch >> @@ -471,8 +471,8 @@ jobs: export MAKE_PARAMETERS="-j2" fi - if [[ "<< parameters.legacyKDS >>" == true ]]; then - export KUMA_LEGACY_KDS=true + if [[ "<< parameters.sidecarContainers >>" == true ]]; then + export KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS=true fi if [[ "<< parameters.target >>" == "" ]]; then @@ -625,14 +625,14 @@ workflows: arch: [amd64, arm64] requires: [build, go_cache-<< matrix.arch >>] - e2e: - name: << matrix.target >>:<< matrix.arch >>-<< matrix.k8sVersion >>-legacy-kds + name: << matrix.target >>:<< matrix.arch >>-<< matrix.k8sVersion >>-sidecar-containers matrix: - alias: legacy-kds + alias: sidecar-containers parameters: k8sVersion: [<< pipeline.parameters.last_k8s_version >>] - target: [multizone] + target: [kubernetes] arch: [amd64] - legacyKDS: [true] + sidecarContainers: [true] requires: [build, go_cache-amd64] - e2e: name: << matrix.target >>:<< matrix.arch >>-<< matrix.k8sVersion >>-calico 
@@ -661,6 +661,6 @@ workflows: k8sVersion: << pipeline.parameters.e2e_param_k8sVersion >> target: << pipeline.parameters.e2e_param_target >> arch: << pipeline.parameters.e2e_param_arch >> - legacyKDS: << pipeline.parameters.e2e_param_legacyKDS >> + sidecarContainers: {not: {equal: [<< pipeline.parameters.e2e_param_sidecarContainers >>, ""]}} cniNetworkPlugin: << pipeline.parameters.e2e_param_cniNetworkPlugin >> parallelism: << pipeline.parameters.e2e_param_parallelism >> diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml index 4845a202f7d0..98b84eb33a15 100644 --- a/.github/workflows/build-test-distribute.yaml +++ b/.github/workflows/build-test-distribute.yaml @@ -221,7 +221,7 @@ jobs: "arch": ["amd64"], "parallelism": [4], "cniNetworkPlugin": ["flannel"], - "legacyKDS": [false] + "sidecarContainers": [""] }, "test_e2e_env": { "target": ["kubernetes", "universal", "multizone"], @@ -229,7 +229,7 @@ jobs: "arch": ["amd64"], "parallelism": [1], "cniNetworkPlugin": ["flannel"], - "legacyKDS": [false], + "sidecarContainers": [""], "exclude":[ {"target": "kubernetes", "k8sVersion":"kind"}, {"target": "multizone", "k8sVersion":"kind"}, @@ -237,7 +237,7 @@ jobs: {"target":"universal", "k8sVersion":"${{ env.K8S_MAX_VERSION }}"} ], "include":[ - {"legacyKDS": true, "k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "multizone", "arch": "amd64"}, + {"sidecarContainers": "sidecarContainers", "k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "kubernetes", "arch": "amd64"}, {"k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "multizone", "arch": "arm64"}, {"k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "kubernetes", "arch": "arm64"}, {"k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "universal", "arch": "arm64"}, diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 73f43e06ac2c..117ad5573b0d 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml 
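Review bot: `sidecarContainers: {not: {equal: [<< pipeline.parameters.e2e_param_sidecarContainers >>, ""]}}` passes a CircleCI logic statement as the value of a boolean job parameter; as far as I know logic statements are only evaluated inside `when`/`unless`, so this is likely to be rejected by config validation or passed through as a map, in which case the `== true` comparison in the job's run step would never match. Simpler to declare `e2e_param_sidecarContainers` as a boolean pipeline parameter (default false) and pass it straight through, the way `legacyKDS` was wired, or keep it a string and compare `!= ""` in the run step as the GitHub workflow in this series does.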
@@ -17,7 +17,7 @@ env: E2E_PARAM_K8S_VERSION: ${{ fromJSON(inputs.matrix).k8sVersion }} E2E_PARAM_CNI_NETWORK_PLUGIN: ${{ fromJSON(inputs.matrix).cniNetworkPlugin }} E2E_PARAM_ARCH: ${{ fromJSON(inputs.matrix).arch }} - E2E_PARAM_LEGACY_KDS: ${{ fromJSON(inputs.matrix).legacyKDS }} + E2E_PARAM_SIDECAR_CONTAINERS: ${{ fromJSON(inputs.matrix).sidecarContainers }} E2E_PARAM_TARGET: ${{ fromJSON(inputs.matrix).target }} E2E_PARAM_PARALLELISM: ${{ fromJSON(inputs.matrix).parallelism }} CI_TOOLS_DIR: /home/runner/work/kuma/kuma/.ci_tools @@ -124,8 +124,8 @@ jobs: export MAKE_PARAMETERS="-j2" fi - if [[ "${{ env.E2E_PARAM_LEGACY_KDS }}" == "true" ]]; then - export KUMA_LEGACY_KDS=true + if [[ "${{ env.E2E_PARAM_SIDECAR_CONTAINERS }}" != "" ]]; then + export KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS=true fi if [[ "${{ env.E2E_PARAM_TARGET }}" == "" ]]; then diff --git a/test/framework/config.go b/test/framework/config.go index 7ed204fa4817..7bfcda26c082 100644 --- a/test/framework/config.go +++ b/test/framework/config.go 
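Review bot: The new guard `if [[ "${{ env.E2E_PARAM_SIDECAR_CONTAINERS }}" != "" ]]` enables the feature for any non-empty matrix value, so an entry such as `"sidecarContainers": "false"` would still export `KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS=true`, and the only value the matrix ever sets is the opaque sentinel `"sidecarContainers"`. Because the value is interpolated into a shell script, it is also worth recording that it originates from the workflow's own generated matrix rather than from event input; a comment above the check such as `# non-empty sentinel from the build matrix (not event input); any value enables the experimental sidecar-containers run` would make both points explicit.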
@@ -18,49 +18,50 @@ var _ config.Config = E2eConfig{} type E2eConfig struct { config.BaseConfig - KumaImageRegistry string `json:"imageRegistry,omitempty" envconfig:"KUMA_GLOBAL_IMAGE_REGISTRY"` - KumaImageTag string `json:"imageTag,omitempty" envconfig:"KUMA_GLOBAL_IMAGE_TAG"` - KumaNamespace string `json:"namespace,omitempty"` - KumaServiceName string `json:"serviceName,omitempty"` - HelmChartPath string `json:"helmChartPath,omitempty"` - HelmSubChartPrefix string `json:"helmSubChartPrefix,omitempty"` - HelmChartName string `json:"helmChartName,omitempty"` - HelmRepoUrl string `json:"helmRepoUrl,omitempty"` - HelmGlobalExtraYaml string `json:"HelmGlobalExtraYaml,omitempty"` - CNIApp string `json:"CNIApp,omitempty"` - CNINamespace string `json:"CNINamespace,omitempty"` - CNIConf CniConf `json:"CNIConf,omitempty"` - KumaGlobalZoneSyncServiceName string `json:"globalZoneSyncServiceName,omitempty"` - KumaUniversalEnvVars map[string]string `json:"universalEnvVars,omitempty"` - KumaZoneUniversalEnvVars map[string]string `json:"universalZoneEnvVars,omitempty"` - KumaK8sCtlFlags map[string]string `json:"k8sCtlFlags,omitempty"` - KumaZoneK8sCtlFlags map[string]string `json:"k8sZoneCtlFlags,omitempty"` - DefaultObservabilityNamespace string `json:"observabilityNamespace,omitempty"` - DefaultGatewayNamespace string `json:"gatewayNamespace,omitempty"` - KumactlImageRepo string `json:"ctlImageRepo,omitempty" envconfig:"KUMACTL_IMAGE_REPOSITORY"` - KumaCPImageRepo string `json:"cpImageRepo,omitempty" envconfig:"KUMA_CP_IMAGE_REPOSITORY"` - KumaDPImageRepo string `json:"dpImageRepo,omitempty" envconfig:"KUMA_DP_IMAGE_REPOSITORY"` - KumaInitImageRepo string `json:"initImageRepo,omitempty" envconfig:"KUMA_INIT_IMAGE_REPOSITORY"` - KumaCNIImageRepo string `json:"cniImageRepo,omitempty" envconfig:"KUMA_CNI_IMAGE_REPOSITORY"` - KumaUniversalImageRepo string `json:"universalImageRepo,omitempty"` - XDSApiVersion string `json:"xdsVersion,omitempty" envconfig:"API_VERSION"` - K8sType 
K8sType `json:"k8sType,omitempty" envconfig:"KUMA_K8S_TYPE"` - IPV6 bool `json:"ipv6,omitempty" envconfig:"IPV6"` - UseHostnameInsteadOfIP bool `json:"useHostnameInsteadOfIP,omitempty" envconfig:"KUMA_USE_HOSTNAME_INSTEAD_OF_ID"` - UseLoadBalancer bool `json:"useLoadBalancer,omitempty" envconfig:"KUMA_USE_LOAD_BALANCER"` - CIDR string `json:"kumaCidr,omitempty"` - DefaultClusterStartupRetries int `json:"defaultClusterStartupRetries,omitempty" envconfig:"KUMA_DEFAULT_RETRIES"` - DefaultClusterStartupTimeout time.Duration `json:"defaultClusterStartupTimeout,omitempty" envconfig:"KUMA_DEFAULT_TIMEOUT"` - KumactlBin string `json:"kumactlBin,omitempty" envconfig:"KUMACTLBIN"` - ZoneEgressApp string `json:"zoneEgressApp,omitempty" envconfig:"KUMA_ZONE_EGRESS_APP"` - ZoneIngressApp string `json:"zoneIngressApp,omitempty" envconfig:"KUMA_ZONE_INGRESS_APP"` - Arch string `json:"arch,omitempty" envconfig:"ARCH"` - OS string `json:"os,omitempty" envconfig:"OS"` - KumaCpConfig KumaCpConfig `json:"kumaCpConfig,omitempty" envconfig:"KUMA_CP_CONFIG"` - UniversalE2ELogsPath string `json:"universalE2ELogsPath,omitempty" envconfig:"UNIVERSAL_E2E_LOGS_PATH"` - CleanupLogsOnSuccess bool `json:"cleanupLogsOnSuccess,omitempty" envconfig:"CLEANUP_LOGS_ON_SUCCESS"` - KumaLegacyKDS bool `json:"kumaLegacyKDS,omitempty" envconfig:"KUMA_LEGACY_KDS"` - VersionsYamlPath string `json:"versionsYamlPath,omitempty" envconfig:"VERSIONS_YAML_PATH"` + KumaImageRegistry string `json:"imageRegistry,omitempty" envconfig:"KUMA_GLOBAL_IMAGE_REGISTRY"` + KumaImageTag string `json:"imageTag,omitempty" envconfig:"KUMA_GLOBAL_IMAGE_TAG"` + KumaNamespace string `json:"namespace,omitempty"` + KumaServiceName string `json:"serviceName,omitempty"` + HelmChartPath string `json:"helmChartPath,omitempty"` + HelmSubChartPrefix string `json:"helmSubChartPrefix,omitempty"` + HelmChartName string `json:"helmChartName,omitempty"` + HelmRepoUrl string `json:"helmRepoUrl,omitempty"` + HelmGlobalExtraYaml string 
`json:"HelmGlobalExtraYaml,omitempty"` + CNIApp string `json:"CNIApp,omitempty"` + CNINamespace string `json:"CNINamespace,omitempty"` + CNIConf CniConf `json:"CNIConf,omitempty"` + KumaGlobalZoneSyncServiceName string `json:"globalZoneSyncServiceName,omitempty"` + KumaUniversalEnvVars map[string]string `json:"universalEnvVars,omitempty"` + KumaZoneUniversalEnvVars map[string]string `json:"universalZoneEnvVars,omitempty"` + KumaK8sCtlFlags map[string]string `json:"k8sCtlFlags,omitempty"` + KumaZoneK8sCtlFlags map[string]string `json:"k8sZoneCtlFlags,omitempty"` + DefaultObservabilityNamespace string `json:"observabilityNamespace,omitempty"` + DefaultGatewayNamespace string `json:"gatewayNamespace,omitempty"` + KumactlImageRepo string `json:"ctlImageRepo,omitempty" envconfig:"KUMACTL_IMAGE_REPOSITORY"` + KumaCPImageRepo string `json:"cpImageRepo,omitempty" envconfig:"KUMA_CP_IMAGE_REPOSITORY"` + KumaDPImageRepo string `json:"dpImageRepo,omitempty" envconfig:"KUMA_DP_IMAGE_REPOSITORY"` + KumaInitImageRepo string `json:"initImageRepo,omitempty" envconfig:"KUMA_INIT_IMAGE_REPOSITORY"` + KumaCNIImageRepo string `json:"cniImageRepo,omitempty" envconfig:"KUMA_CNI_IMAGE_REPOSITORY"` + KumaUniversalImageRepo string `json:"universalImageRepo,omitempty"` + XDSApiVersion string `json:"xdsVersion,omitempty" envconfig:"API_VERSION"` + K8sType K8sType `json:"k8sType,omitempty" envconfig:"KUMA_K8S_TYPE"` + IPV6 bool `json:"ipv6,omitempty" envconfig:"IPV6"` + UseHostnameInsteadOfIP bool `json:"useHostnameInsteadOfIP,omitempty" envconfig:"KUMA_USE_HOSTNAME_INSTEAD_OF_ID"` + UseLoadBalancer bool `json:"useLoadBalancer,omitempty" envconfig:"KUMA_USE_LOAD_BALANCER"` + CIDR string `json:"kumaCidr,omitempty"` + DefaultClusterStartupRetries int `json:"defaultClusterStartupRetries,omitempty" envconfig:"KUMA_DEFAULT_RETRIES"` + DefaultClusterStartupTimeout time.Duration `json:"defaultClusterStartupTimeout,omitempty" envconfig:"KUMA_DEFAULT_TIMEOUT"` + KumactlBin string 
`json:"kumactlBin,omitempty" envconfig:"KUMACTLBIN"` + ZoneEgressApp string `json:"zoneEgressApp,omitempty" envconfig:"KUMA_ZONE_EGRESS_APP"` + ZoneIngressApp string `json:"zoneIngressApp,omitempty" envconfig:"KUMA_ZONE_INGRESS_APP"` + Arch string `json:"arch,omitempty" envconfig:"ARCH"` + OS string `json:"os,omitempty" envconfig:"OS"` + KumaCpConfig KumaCpConfig `json:"kumaCpConfig,omitempty" envconfig:"KUMA_CP_CONFIG"` + UniversalE2ELogsPath string `json:"universalE2ELogsPath,omitempty" envconfig:"UNIVERSAL_E2E_LOGS_PATH"` + CleanupLogsOnSuccess bool `json:"cleanupLogsOnSuccess,omitempty" envconfig:"CLEANUP_LOGS_ON_SUCCESS"` + KumaLegacyKDS bool `json:"kumaLegacyKDS,omitempty" envconfig:"KUMA_LEGACY_KDS"` + VersionsYamlPath string `json:"versionsYamlPath,omitempty" envconfig:"VERSIONS_YAML_PATH"` + KumaExperimentalSidecarContainers bool `json:"kumaSidecarContainers,omitempty" envconfig:"KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS"` SuiteConfig SuiteConfig `json:"suites,omitempty"` } @@ -257,11 +258,12 @@ var defaultConf = E2eConfig{ }, }, }, - ZoneEgressApp: "kuma-egress", - ZoneIngressApp: "kuma-ingress", - UniversalE2ELogsPath: path.Join(os.TempDir(), "e2e"), - CleanupLogsOnSuccess: false, - KumaLegacyKDS: false, + ZoneEgressApp: "kuma-egress", + ZoneIngressApp: "kuma-ingress", + UniversalE2ELogsPath: path.Join(os.TempDir(), "e2e"), + CleanupLogsOnSuccess: false, + KumaLegacyKDS: false, + KumaExperimentalSidecarContainers: false, } func init() { diff --git a/test/framework/envs/kubernetes/env.go b/test/framework/envs/kubernetes/env.go index c0e20dec13aa..7b2d5145cc85 100644 --- a/test/framework/envs/kubernetes/env.go +++ b/test/framework/envs/kubernetes/env.go 
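Review bot: `KumaExperimentalSidecarContainers` in the `@@ -18,49 +18,50 @@` hunk carries no comment, and its json tag `kumaSidecarContainers` drops the "Experimental" that both the field name and `KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS` keep, so the three names for one setting disagree. Add `// KumaExperimentalSidecarContainers makes the Kubernetes env set KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS=true on the control plane under test (see envs/kubernetes/env.go).` and align the json tag with the others. Most of the hunk is gofmt realignment caused by the long new field name; a separate formatting commit, or a shorter name, would keep the functional change readable.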
@@ -23,13 +23,18 @@ func SetupAndGetState() []byte { framework.GatewayAPICRDs, )).To(Succeed()) - kumaOptions := append([]framework.KumaDeploymentOption{ - framework.WithCtlOpts(map[string]string{ - "--experimental-gatewayapi": "true", - }), - framework.WithEgress(), - }, - framework.KumaDeploymentOptionsFromConfig(framework.Config.KumaCpConfig.Standalone.Kubernetes)...) + kumaOptions := append( + []framework.KumaDeploymentOption{ + framework.WithCtlOpts(map[string]string{ + "--experimental-gatewayapi": "true", + }), + framework.WithEgress(), + }, + framework.KumaDeploymentOptionsFromConfig(framework.Config.KumaCpConfig.Standalone.Kubernetes)..., + ) + if framework.Config.KumaExperimentalSidecarContainers { + kumaOptions = append(kumaOptions, framework.WithEnv("KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS", "true")) + } Eventually(func() error { return Cluster.Install(framework.Kuma(core.Zone, kumaOptions...)) From a48e1446b0de2398f842c6a749ce968ff8279e0b Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 21 Feb 2024 17:53:46 +0100 Subject: [PATCH 6/9] ci(.circleci): only run sidecar containers feature job on master Signed-off-by: Mike Beaumont --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index cc8718ea2ad8..8cf1f0b81983 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -285,7 +285,7 @@ jobs: - {equal: [calico, << parameters.cniNetworkPlugin >>]} - {equal: [kindIpv6, << parameters.k8sVersion >>]} - {equal: [arm64, << parameters.arch >>]} - # - {equal: [true, << parameters.sidecarContainers >>]} + - {equal: [true, << parameters.sidecarContainers >>]} - {equal: [<< pipeline.parameters.first_k8s_version >>, << parameters.k8sVersion >>]} steps: - halt_non_priority_job From 5b6255dc35724b45650e2111118dfb2808a194a3 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 21 Feb 2024 18:15:56 +0100 Subject: [PATCH 7/9] ci: don't support sidecar containers on circleci 
Signed-off-by: Mike Beaumont --- .circleci/config.yml | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8cf1f0b81983..ce9be341c364 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -36,9 +36,6 @@ parameters: e2e_param_cniNetworkPlugin: type: string default: flannel - e2e_param_sidecarContainers: - type: string - default: "" # See https://circleci.com/docs/2.0/configuration-reference/#commands-requires-version-21. commands: install_build_tools: @@ -265,10 +262,6 @@ jobs: description: The CNI networking plugin to use [flannel | calico] type: string default: flannel - sidecarContainers: - description: if should run tests with sidecar containers - type: boolean - default: false executor: name: vm-<< parameters.arch >> parallelism: << parameters.parallelism >> @@ -285,7 +278,6 @@ jobs: - {equal: [calico, << parameters.cniNetworkPlugin >>]} - {equal: [kindIpv6, << parameters.k8sVersion >>]} - {equal: [arm64, << parameters.arch >>]} - - {equal: [true, << parameters.sidecarContainers >>]} - {equal: [<< pipeline.parameters.first_k8s_version >>, << parameters.k8sVersion >>]} steps: - halt_non_priority_job @@ -362,10 +354,6 @@ jobs: export MAKE_PARAMETERS="-j2" fi - if [[ "<< parameters.sidecarContainers >>" == true ]]; then - export KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS=true - fi - if [[ "<< parameters.target >>" == "" ]]; then export GINKGO_E2E_LABEL_FILTERS="job-$CIRCLE_NODE_INDEX" fi @@ -403,9 +391,6 @@ jobs: description: The CNI networking plugin to use [flannel | calico] type: string default: flannel - sidecarContainers: - description: if should run tests with sidecar containers - type: boolean executor: name: vm-<< parameters.arch >> parallelism: << parameters.parallelism 
>> @@ -471,10 +456,6 @@ jobs: export MAKE_PARAMETERS="-j2" fi - if [[ "<< parameters.sidecarContainers >>" == true ]]; then - export KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS=true - fi - if [[ "<< parameters.target >>" == "" ]]; then export GINKGO_E2E_LABEL_FILTERS="job-$CIRCLE_NODE_INDEX" fi @@ -624,16 +605,6 @@ workflows: target: [kubernetes, universal, multizone] arch: [amd64, arm64] requires: [build, go_cache-<< matrix.arch >>] - - e2e: - name: << matrix.target >>:<< matrix.arch >>-<< matrix.k8sVersion >>-sidecar-containers - matrix: - alias: sidecar-containers - parameters: - k8sVersion: [<< pipeline.parameters.last_k8s_version >>] - target: [kubernetes] - arch: [amd64] - sidecarContainers: [true] - requires: [build, go_cache-amd64] - e2e: name: << matrix.target >>:<< matrix.arch >>-<< matrix.k8sVersion >>-calico matrix: @@ -661,6 +632,5 @@ workflows: k8sVersion: << pipeline.parameters.e2e_param_k8sVersion >> target: << pipeline.parameters.e2e_param_target >> arch: << pipeline.parameters.e2e_param_arch >> - sidecarContainers: {not: {equal: [<< pipeline.parameters.e2e_param_sidecarContainers >>, ""]}} cniNetworkPlugin: << pipeline.parameters.e2e_param_cniNetworkPlugin >> parallelism: << pipeline.parameters.e2e_param_parallelism >> From 3e680801b5b50bd1562fc5be6bbe1e10bb543992 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Thu, 22 Feb 2024 10:34:35 +0100 Subject: [PATCH 8/9] refactor: expose two explicit functions Signed-off-by: Mike Beaumont --- .../runtime/k8s/controllers/inbound_converter.go | 12 ++++++++++-- pkg/plugins/runtime/k8s/util/util.go | 13 ++++++++++--- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/pkg/plugins/runtime/k8s/controllers/inbound_converter.go b/pkg/plugins/runtime/k8s/controllers/inbound_converter.go index e1140643353b..5ba15d37b848 100644 --- a/pkg/plugins/runtime/k8s/controllers/inbound_converter.go +++ b/pkg/plugins/runtime/k8s/controllers/inbound_converter.go 
@@ -53,7 +53,11 @@ func inboundForService(zone string, pod *kube_core.Pod, service *kube_core.Servi } // also we're checking whether kuma-sidecar container is ready - if cs := util_k8s.FindContainerStatus(util_k8s.KumaSidecarContainerName, pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses); cs != nil && !cs.Ready { + if cs := util_k8s.FindContainerOrInitContainerStatus( + util_k8s.KumaSidecarContainerName, + pod.Status.ContainerStatuses, + pod.Status.InitContainerStatuses, + ); cs != nil && !cs.Ready { state = mesh_proto.Dataplane_Networking_Inbound_NotReady health.Ready = false } @@ -106,7 +110,11 @@ func inboundForServiceless(zone string, pod *kube_core.Pod, name string) *mesh_p } // also we're checking whether kuma-sidecar container is ready - if cs := util_k8s.FindContainerStatus(util_k8s.KumaSidecarContainerName, pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses); cs != nil && !cs.Ready { + if cs := util_k8s.FindContainerOrInitContainerStatus( + util_k8s.KumaSidecarContainerName, + pod.Status.ContainerStatuses, + pod.Status.InitContainerStatuses, + ); cs != nil && !cs.Ready { state = mesh_proto.Dataplane_Networking_Inbound_NotReady health.Ready = false } diff --git a/pkg/plugins/runtime/k8s/util/util.go b/pkg/plugins/runtime/k8s/util/util.go index dc76f1be247f..5d606740c5d1 100644 --- a/pkg/plugins/runtime/k8s/util/util.go +++ b/pkg/plugins/runtime/k8s/util/util.go @@ -2,7 +2,6 @@ package util import ( "fmt" - "slices" "sort" "github.com/go-logr/logr" 
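Review bot: The readiness check at `@@ -53,7 +53,11 @@` is repeated verbatim at `@@ -110,7 +110,11 @@`; extracting it into one helper called from `inboundForService` and `inboundForServiceless` keeps the two lookups in sync the next time the lookup changes, as it just did. The comment above each call still says `// also we're checking whether kuma-sidecar container is ready`; now that the status may come from `InitContainerStatuses`, it should say `// also we're checking whether the kuma-sidecar container (regular or init container) is ready`. Both enclosing functions start and end outside the hunks.
```go
// … unchanged: inboundForService up to the per-container check …
	// also we're checking whether the kuma-sidecar container (regular or init container) is ready
	if sidecarNotReady(pod) {
		state = mesh_proto.Dataplane_Networking_Inbound_NotReady
		health.Ready = false
	}
// … unchanged: rest of inboundForService; same replacement in inboundForServiceless …

// sidecarNotReady reports whether a kuma-sidecar status exists (as a regular or
// init container) and is not Ready. A missing status counts as ready, matching
// the original inline check.
func sidecarNotReady(pod *kube_core.Pod) bool {
	cs := util_k8s.FindContainerOrInitContainerStatus(
		util_k8s.KumaSidecarContainerName,
		pod.Status.ContainerStatuses,
		pod.Status.InitContainerStatuses,
	)
	return cs != nil && !cs.Ready
}
```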
@@ -123,8 +122,8 @@ func FindPort(pod *kube_core.Pod, svcPort *kube_core.ServicePort) (int, *kube_co return 0, nil, fmt.Errorf("no suitable port for manifest: %s", pod.UID) } -func FindContainerStatus(containerName string, status []kube_core.ContainerStatus, otherStatuses ...[]kube_core.ContainerStatus) *kube_core.ContainerStatus { - for _, cs := range append(status, slices.Concat(otherStatuses...)...) { +func findContainerStatus(containerName string, status []kube_core.ContainerStatus, initStatus []kube_core.ContainerStatus) *kube_core.ContainerStatus { + for _, cs := range append(status, initStatus...) { if cs.Name == containerName { return &cs } @@ -132,6 +131,14 @@ func FindContainerStatus(containerName string, status []kube_core.ContainerStatu return nil } +func FindContainerStatus(containerName string, status []kube_core.ContainerStatus) *kube_core.ContainerStatus { + return findContainerStatus(containerName, status, nil) +} + +func FindContainerOrInitContainerStatus(containerName string, status []kube_core.ContainerStatus, initStatus []kube_core.ContainerStatus) *kube_core.ContainerStatus { + return findContainerStatus(containerName, status, initStatus) +} + func CopyStringMap(in map[string]string) map[string]string { if in == nil { return nil From f83219a68324488656e1a4a0b21e7cd20bb5ad3a Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Thu, 22 Feb 2024 10:38:13 +0100 Subject: [PATCH 9/9] chore: add warning if feature enabled but not supported Signed-off-by: Mike Beaumont --- pkg/plugins/runtime/k8s/plugin.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/plugins/runtime/k8s/plugin.go b/pkg/plugins/runtime/k8s/plugin.go index 19101445e619..c253dc441f6d 100644 --- a/pkg/plugins/runtime/k8s/plugin.go +++ b/pkg/plugins/runtime/k8s/plugin.go 
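Review bot: `append(status, initStatus...)` in `findContainerStatus` (hunk `@@ -123,8 +122,8 @@`) writes into the backing array of `status` whenever `cap(status) > len(status)`; the callers pass `pod.Status.ContainerStatuses` straight from the Pod, so a read-only lookup can scribble init-container statuses past the end of a slice owned by a Pod object that may be shared with a cache. Iterating the two slices in turn removes both the aliasing and the per-call allocation, and returning a copy keeps the existing contract that callers cannot mutate the Pod through the pointer. The two new exported wrappers also lack doc comments, e.g. `// FindContainerStatus returns a copy of the status of the named regular container, or nil if there is none.` and `// FindContainerOrInitContainerStatus is FindContainerStatus extended to init container statuses.`
```go
func findContainerStatus(containerName string, status []kube_core.ContainerStatus, initStatus []kube_core.ContainerStatus) *kube_core.ContainerStatus {
	// Search each slice separately: append(status, initStatus...) could write
	// into the spare capacity of status, i.e. into the caller's Pod.
	for _, statuses := range [][]kube_core.ContainerStatus{status, initStatus} {
		for i := range statuses {
			if statuses[i].Name == containerName {
				cs := statuses[i] // copy, so the caller cannot mutate the Pod via the pointer
				return &cs
			}
		}
	}
	return nil
}
```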
@@ -320,6 +320,8 @@ func addMutators(mgr kube_ctrl.Manager, rt core_runtime.Runtime, converter k8s_c
 fmt.Sprintf("%s.%s.0", k8sVersion.Major, k8sVersion.Minor),
 ); err == nil && !v.LessThan(sidecarContainerVersion) {
 sidecarContainersEnabled = rt.Config().Experimental.SidecarContainers
+ } else if rt.Config().Experimental.SidecarContainers {
+ log.Info("WARNING: sidecarContainers feature is enabled but Kubernetes server does not support it")
 }
 kumaInjector, err := injector.New(
 rt.Config().Runtime.Kubernetes.Injector,
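Review bot: The new `else if` at `@@ -320,6 +320,8 @@` also fires when `err != nil`, i.e. when the server version string could not be parsed, and that error is discarded, so an operator reads "Kubernetes server does not support it" when the real problem may be an unparsable version. Log enough to tell the two apart, e.g. `log.Info("WARNING: sidecarContainers feature is enabled but Kubernetes server does not support it", "major", k8sVersion.Major, "minor", k8sVersion.Minor, "parseErr", err)` (assuming `log` is a logr.Logger). Leaving `sidecarContainersEnabled` false is the safe fallback, but the message should also say that the feature is being silently disabled for this run, so nobody assumes the flag took effect. `addMutators` starts and ends outside the hunk.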