[chore][INF-7193] agentSandbox daemonsets use hostNetwork by default #345

Merged: golfdish merged 3 commits into main from v/sandbox-use-hostnetwork, Jun 30, 2026

@golfdish

Contributor

attempting to allocate 3 * num_nodes new IPs for the agent-sandbox daemonsets has led to IP exhaustion in some of our MSH clusters. there's no apparent reason to assign each pod its own IP (they have no ports defined), so configuring them to use the host network avoids this issue.

@greptile-apps

greptile-apps Bot commented Jun 30, 2026


Greptile Summary

This PR configures the three agent-sandbox DaemonSets (device-plugin, image-prepuller, node-installer) to use hostNetwork: true and dnsPolicy: ClusterFirstWithHostNet by default, avoiding the allocation of 3 × num_nodes new IPs that was causing exhaustion in MSH clusters. The feature is opt-out via rr.agentSandbox.hostNetwork: false.

  • Adds a guarded {{- if $as.hostNetwork }} … {{- end }} block inside each DaemonSet's pod template spec, correctly placing hostNetwork and dnsPolicy under the existing spec: key with proper indentation.
  • Defaults rr.agentSandbox.hostNetwork: true in both charts/retool/values.yaml and the top-level values.yaml, making host networking the new baseline for all three DaemonSets.
  • Template whitespace handling uses {{- end }} (left-trim only), which correctly preserves the newline before the next field (containers:, terminationGracePeriodSeconds:, initContainers:) in all three templates.

Confidence Score: 5/5

Safe to merge; the hostNetwork/dnsPolicy fields are correctly placed inside the pod template spec in all three templates, the Go template whitespace trimming is correct, and the opt-out path works as expected.

All three templates insert hostNetwork and dnsPolicy inside the existing pod template spec block with correct YAML indentation. The {{- end }} (no right-side trim) preserves the newline before the next sibling field in every case, producing valid pod specs. No duplicate keys, no whitespace concatenation bugs. The default-true value causes existing DaemonSet pods to be recreated, but that is expected and intentional.

No files require special attention; all three DaemonSet templates apply the change identically and correctly.

Important Files Changed

| Filename | Overview |
| --- | --- |
| charts/retool/templates/agent_sandbox_device_plugin.yaml | Adds hostNetwork/dnsPolicy inside the pod template spec when rr.agentSandbox.hostNetwork is true; template whitespace trimming ({{- end }}, no right-trim) is correct and renders valid YAML. |
| charts/retool/templates/agent_sandbox_prepuller.yaml | Same hostNetwork/dnsPolicy conditional added inside the pod template spec; {{- end }} (no right-trim) correctly preserves the following newline before terminationGracePeriodSeconds. |
| charts/retool/templates/agent_sandbox_seccomp.yaml | Same hostNetwork/dnsPolicy conditional added inside the pod template spec; {{- end }} correctly preserves the newline before initContainers. |
| charts/retool/values.yaml | Adds hostNetwork: true under rr.agentSandbox, enabling host networking for all three DaemonSets by default; users can opt out by setting the value to false. |
| values.yaml | Mirror of charts/retool/values.yaml change; hostNetwork: true added under rr.agentSandbox consistently. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[agentSandbox DaemonSet Pod Spec] --> B{rr.agentSandbox.hostNetwork}
    B -- true default --> C["hostNetwork: true\ndnsPolicy: ClusterFirstWithHostNet"]
    B -- false opt-out --> D["hostNetwork omitted\ndnsPolicy: ClusterFirst"]
    C --> E[Pod shares node network namespace\nNo new IP allocated per pod]
    D --> F[Pod gets its own IP\n3x num_nodes IPs allocated]
    E --> G[device-plugin DaemonSet]
    E --> H[image-prepuller DaemonSet]
    E --> I[node-installer DaemonSet]

Reviews (4): Last reviewed commit: "[chore][INF-7193] agentSandbox daemonset..."

Comment thread charts/retool/templates/agent_sandbox_device_plugin.yaml Outdated
Comment thread charts/retool/templates/agent_sandbox_prepuller.yaml Outdated
Comment thread charts/retool/templates/agent_sandbox_seccomp.yaml Outdated
@golfdish golfdish force-pushed the v/sandbox-use-hostnetwork branch from 3845816 to fc093f5 Compare June 30, 2026 22:19
@golfdish golfdish merged commit 90a7a75 into main Jun 30, 2026
12 checks passed
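
Pods with hostNetwork: true share the node's network namespace, so the two conditions this PR relies on (no ports declared, dnsPolicy set to ClusterFirstWithHostNet) are worth checking against what is actually deployed. The following is an added example, not part of the PR or the chart: it audits output in the shape of `kubectl get daemonsets -o json`, and the sample data, DaemonSet names and container names are constructed.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get daemonsets -o json`.
# DaemonSet and container names are made up for this example.
SAMPLE = {"items": [
    {"metadata": {"name": "ds-ok"},
     "spec": {"template": {"spec": {
         "hostNetwork": True, "dnsPolicy": "ClusterFirstWithHostNet",
         "containers": [{"name": "agent"}]}}}},
    {"metadata": {"name": "ds-risky"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "containers": [{"name": "agent",
                         "ports": [{"containerPort": 9100}],
                         "securityContext": {"privileged": True}}]}}}},
    {"metadata": {"name": "ds-pod-network"},
     "spec": {"template": {"spec": {"containers": [{"name": "agent"}]}}}},
]}


def audit_host_network(ds_list):
    """Map each hostNetwork DaemonSet to a list of findings (empty list = clean)."""
    report = {}
    for ds in ds_list.get("items", []):
        pod = ds["spec"]["template"]["spec"]
        if not pod.get("hostNetwork", False):
            continue  # pod keeps its own network namespace and IP
        findings = []
        # With hostNetwork, the default ClusterFirst policy behaves like Default
        # (node resolv.conf), so cluster service names stop resolving.
        if pod.get("dnsPolicy", "ClusterFirst") != "ClusterFirstWithHostNet":
            findings.append("dnsPolicy is not ClusterFirstWithHostNet")
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            for port in c.get("ports", []):
                findings.append(
                    f"{c['name']} declares port {port['containerPort']} on the node address")
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"{c['name']} is privileged and shares the node network")
        report[ds["metadata"]["name"]] = findings
    return report


if __name__ == "__main__":
    # Real use: kubectl get daemonsets -n <namespace> -o json | python3 audit.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for name, findings in audit_host_network(data).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Clusters that enforce the Pod Security Standards Baseline profile reject hostNetwork: true, so the namespace running these DaemonSets needs an exemption or the opt-out value.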