fix for istio-initializer needs to ignore hostNetwork pod specs (isti…

…o#1440) Automatic merge from submit-queue fix for istio-initializer needs to ignore hostNetwork pod specs **What this PR does / why we need it**: PR for istio/istio.io#655, see istio#655 for details **Release note**: ```release-note When a pod uses hostNetwork: true, the pod will be disabled from side car injection on purpose because we don't want the envoy side car to change the network configuration at the host level. ```
vbatts · Oct 11, 2017 · 1ddd19b · 1ddd19b
1 parent cc0bfa2
commit 1ddd19b
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 0 deletions.
diff --git a/pilot/platform/kube/inject/inject.go b/pilot/platform/kube/inject/inject.go
@@ -479,6 +479,16 @@ func intoObject(c *Config, in interface{}) (interface{}, error) {
 	templateObjectMeta := templateValue.FieldByName("ObjectMeta").Addr().Interface().(*metav1.ObjectMeta)
 	templatePodSpec := templateValue.FieldByName("Spec").Addr().Interface().(*v1.PodSpec)
 
+	// Skip injection when host networking is enabled. The problem is
+	// that the iptable changes are assumed to be within the pod when,
+	// in fact, they are changing the routing at the host level. This
+	// often results in routing failures within a node which can
+	// affect the network provider within the cluster causing
+	// additional pod failures.
+	if templatePodSpec.HostNetwork {
+		return out, nil
+	}
+
 	for _, m := range []*metav1.ObjectMeta{objectMeta, templateObjectMeta} {
 		if m.Annotations == nil {
 			m.Annotations = make(map[string]string)

diff --git a/pilot/platform/kube/inject/inject_test.go b/pilot/platform/kube/inject/inject_test.go
@@ -152,6 +152,10 @@ func TestIntoResourceFile(t *testing.T) {
 			in:   "testdata/replicationcontroller.yaml",
 			want: "testdata/replicationcontroller.yaml.injected",
 		},
+		{
+			in:   "testdata/hello-host-network.yaml",
+			want: "testdata/hello-host-network.yaml.injected",
+		},
 	}
 
 	for _, c := range cases {

diff --git a/pilot/platform/kube/inject/testdata/hello-host-network.yaml b/pilot/platform/kube/inject/testdata/hello-host-network.yaml
@@ -0,0 +1,20 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: hello-host-network
+spec:
+  replicas: 7
+  template:
+    metadata:
+      labels:
+        app: hello-host-network
+        tier: backend
+        track: stable
+    spec:
+      containers:
+        - name: hello-host-network
+          image: "fake.docker.io/google-samples/hello-go-gke:1.0"
+          ports:
+            - name: http
+              containerPort: 80
+      hostNetwork: true
diff --git a/pilot/platform/kube/inject/testdata/hello-host-network.yaml.injected b/pilot/platform/kube/inject/testdata/hello-host-network.yaml.injected
@@ -0,0 +1,26 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  creationTimestamp: null
+  name: hello-host-network
+spec:
+  replicas: 7
+  strategy: {}
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: hello-host-network
+        tier: backend
+        track: stable
+    spec:
+      containers:
+      - image: fake.docker.io/google-samples/hello-go-gke:1.0
+        name: hello-host-network
+        ports:
+        - containerPort: 80
+          name: http
+        resources: {}
+      hostNetwork: true
+status: {}
+---