From 295008c458e8c8310306170970c0614940c75d1f Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Tue, 16 Apr 2024 08:43:16 -0500
Subject: [PATCH] Fix linkerd-cni when using native sidecars (#362)

Fixes linkerd/linkerd2#11597 When the cni plugin is triggered, it validates that the proxy has been injected into the pod before setting up the iptables rules. It does so by looking for the "linkerd-proxy" container. However, when the proxy is injected as a native sidecar, it gets added as an _init_ container, so it was being disregarded here. We don't have integration tests for validating native sidecars when using linkerd-cni because [Calico doesn't work in k3s since k8s 1.27](https://github.com/k3d-io/k3d/issues/1375), and we require k8s 1.29 for using native sidecars. I did nevertheless successfully test this fix in an AKS cluster.
---
 cni-plugin/main.go | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/cni-plugin/main.go b/cni-plugin/main.go
index b966da66..5cfac75b 100644
--- a/cni-plugin/main.go
+++ b/cni-plugin/main.go
@@ -193,14 +193,6 @@ func cmdAdd(args *skel.CmdArgs) error {
 return err
 }
 
- containsLinkerdProxy := false
- for _, container := range pod.Spec.Containers {
- if container.Name == "linkerd-proxy" {
- containsLinkerdProxy = true
- break
- }
- }
-
 containsInitContainer := false
 for _, container := range pod.Spec.InitContainers {
 if container.Name == "linkerd-init" {
@@ -209,7 +201,7 @@ func cmdAdd(args *skel.CmdArgs) error {
 }
 }
 
- if containsLinkerdProxy && !containsInitContainer {
+ if !containsInitContainer && containsLinkerdProxy(&pod.Spec) {
 logEntry.Debugf("linkerd-cni: setting up iptables firewall for %s/%s", namespace, pod)
 options := cmd.RootOptions{
 IncomingProxyPort: conf.ProxyInit.IncomingProxyPort,
@@ -366,6 +358,23 @@ func cmdDel(_ *skel.CmdArgs) error {
 return nil
 }
 
+func containsLinkerdProxy(spec *v1.PodSpec) bool {
+ for _, container := range spec.Containers {
+ if container.Name == "linkerd-proxy" {
+ return true
+ }
+ }
+
+ // native sidecar proxy
+ for _, container := range spec.InitContainers {
+ if container.Name == "linkerd-proxy" {
+ return true
+ }
+ }
+
+ return false
+}
+
 func getAPIServerPorts(ctx context.Context, api *kubernetes.Clientset) ([]string, error) {
 service, err := api.CoreV1().Services("default").Get(ctx, "kubernetes", metav1.GetOptions{})
 if err != nil {
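Review bot: The second loop in containsLinkerdProxy accepts any init container named linkerd-proxy as the native sidecar, but Kubernetes only keeps an init container running alongside the app when its restartPolicy is Always; an ordinary init container with that name exits before the app starts, yet cmdAdd would still install the redirect rules and the pod's traffic would be sent to a proxy that is no longer there. Consider narrowing the match to `if container.Name == "linkerd-proxy" && container.RestartPolicy != nil && *container.RestartPolicy == v1.ContainerRestartPolicyAlways {`, assuming the vendored k8s.io/api already exposes the sidecar RestartPolicy field (this is not visible in the hunk). The helper also lacks a doc comment; suggest `// containsLinkerdProxy reports whether spec carries a container named linkerd-proxy, either as a regular container or as a native sidecar init container.` above the func line, and expanding `// native sidecar proxy` to say that native sidecars are injected as init containers rather than regular containers.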