From bca15f59ed9bc870adbfe562f9424a39fc5c7615 Mon Sep 17 00:00:00 2001
From: Abhijeet Gaurav <65087356+abhijeetgauravm@users.noreply.github.com>
Date: Thu, 3 Aug 2023 20:23:57 +0530
Subject: [PATCH] Removed hostNetwork: true from linkerd-cni Helm chart templates (#11158)

Problem - Current does Linkerd CNI Helm chart templates have hostNetwork: true set which is unnecessary and less secure. Solution - Removed hostNetwork: true from linkerd-cni Helm chart templates PR Fixes #11141
---------
Signed-off-by: Abhijeet Gaurav
Co-authored-by: Alejandro Pedraza
---
 charts/linkerd2-cni/templates/cni-plugin.yaml | 2 --
 cli/cmd/testdata/install-cni-plugin_default.golden | 1 -
 cli/cmd/testdata/install-cni-plugin_fully_configured.golden | 1 -
 .../install-cni-plugin_fully_configured_equal_dsts.golden | 1 -
 .../install-cni-plugin_fully_configured_no_namespace.golden | 1 -
 cli/cmd/testdata/install-cni-plugin_skip_ports.golden | 1 -
 cli/cmd/testdata/install_cni_helm_default_output.golden | 1 -
 cli/cmd/testdata/install_cni_helm_override_output.golden | 1 -
 pkg/healthcheck/healthcheck_test.go | 1 -
 9 files changed, 10 deletions(-)

diff --git a/charts/linkerd2-cni/templates/cni-plugin.yaml b/charts/linkerd2-cni/templates/cni-plugin.yaml
index a50c63931027e..160449ee36620 100644
--- a/charts/linkerd2-cni/templates/cni-plugin.yaml
+++ b/charts/linkerd2-cni/templates/cni-plugin.yaml
@@ -57,7 +57,6 @@ spec:
 {{- end }}
 fsGroup:
 rule: RunAsAny
- hostNetwork: true
 runAsUser:
 rule: RunAsAny
 seLinux:
@@ -211,7 +210,6 @@ spec:
 affinity:
 {{- include "linkerd.node-affinity" . | nindent 8 }}
 {{- end }}
- hostNetwork: true
 securityContext:
 seccompProfile:
 type: RuntimeDefault
diff --git a/cli/cmd/testdata/install-cni-plugin_default.golden b/cli/cmd/testdata/install-cni-plugin_default.golden
index c1d7cca30e7b4..938442369fffb 100644
--- a/cli/cmd/testdata/install-cni-plugin_default.golden
+++ b/cli/cmd/testdata/install-cni-plugin_default.golden
@@ -108,7 +108,6 @@ spec:
 - operator: Exists
 nodeSelector:
 kubernetes.io/os: linux
- hostNetwork: true
 securityContext:
 seccompProfile:
 type: RuntimeDefault
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
index 2f5120858f606..8585608c9c5f6 100644
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
@@ -108,7 +108,6 @@ spec:
 - operator: Exists
 nodeSelector:
 kubernetes.io/os: linux
- hostNetwork: true
 securityContext:
 seccompProfile:
 type: RuntimeDefault
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
index 82f66494688e1..e8c7cff830409 100644
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
@@ -108,7 +108,6 @@ spec:
 - operator: Exists
 nodeSelector:
 kubernetes.io/os: linux
- hostNetwork: true
 securityContext:
 seccompProfile:
 type: RuntimeDefault
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden
index 2f5120858f606..8585608c9c5f6 100644
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden
@@ -108,7 +108,6 @@ spec:
 - operator: Exists
 nodeSelector:
 kubernetes.io/os: linux
- hostNetwork: true
 securityContext:
 seccompProfile:
 type: RuntimeDefault
diff --git a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden
index 63706c0ec3402..81d0c745f9039 100644
--- a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden
+++ b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden
@@ -109,7 +109,6 @@ spec:
 - operator: Exists
 nodeSelector:
 kubernetes.io/os: linux
- hostNetwork: true
 securityContext:
 seccompProfile:
 type: RuntimeDefault
diff --git a/cli/cmd/testdata/install_cni_helm_default_output.golden b/cli/cmd/testdata/install_cni_helm_default_output.golden
index f01cf4e6d2197..f6340d7549cd6 100644
--- a/cli/cmd/testdata/install_cni_helm_default_output.golden
+++ b/cli/cmd/testdata/install_cni_helm_default_output.golden
@@ -101,7 +101,6 @@ spec:
 - operator: Exists
 nodeSelector:
 kubernetes.io/os: linux
- hostNetwork: true
 securityContext:
 seccompProfile:
 type: RuntimeDefault
diff --git a/cli/cmd/testdata/install_cni_helm_override_output.golden b/cli/cmd/testdata/install_cni_helm_override_output.golden
index 862bd4bc0164b..bfd629f942c4c 100644
--- a/cli/cmd/testdata/install_cni_helm_override_output.golden
+++ b/cli/cmd/testdata/install_cni_helm_override_output.golden
@@ -101,7 +101,6 @@ spec:
 - operator: Exists
 nodeSelector:
 kubernetes.io/os: linux
- hostNetwork: true
 securityContext:
 seccompProfile:
 type: RuntimeDefault
diff --git a/pkg/healthcheck/healthcheck_test.go b/pkg/healthcheck/healthcheck_test.go
index a8cd0a170f5e7..e89b61d5fd161 100644
--- a/pkg/healthcheck/healthcheck_test.go
+++ b/pkg/healthcheck/healthcheck_test.go
@@ -2418,7 +2418,6 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
- hostNetwork: true
 serviceAccountName: linkerd-cni
 containers:
 - name: install-cni