This repository has been archived by the owner on Sep 28, 2023. It is now read-only.
/
node-init.go
137 lines (126 loc) · 3.84 KB
/
node-init.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
// Copyright (c) 2023 Volvo Car Corporation
// SPDX-License-Identifier: Apache-2.0
package cilium
import (
"github.com/hexops/valast"
"github.com/volvo-cars/lingon/pkg/kubeutil"
appsv1 "k8s.io/api/apps/v1"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
var NodeInit = &appsv1.DaemonSet{
TypeMeta: kubeutil.TypeDaemonSetV1,
ObjectMeta: metav1.ObjectMeta{
Name: "cilium-node-init",
Namespace: "kube-system",
Labels: map[string]string{"app": "cilium-node-init"},
},
Spec: appsv1.DaemonSetSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"app": "cilium-node-init",
},
},
Template: v1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Labels: map[string]string{"app": "cilium-node-init"},
Annotations: map[string]string{"container.apparmor.security.beta.kubernetes.io/node-init": "unconfined"},
},
Spec: v1.PodSpec{
Containers: []v1.Container{
{
Name: "node-init",
Image: "quay.io/cilium/startup-script:d69851597ea019af980891a4628fb36b7880ec26",
Env: []v1.EnvVar{
{
Name: "STARTUP_SCRIPT",
Value: startUpScript,
},
},
Resources: v1.ResourceRequirements{
Requests: v1.ResourceList{
v1.ResourceName("cpu"): resource.MustParse("100m"),
v1.ResourceName("memory"): resource.MustParse("100Mi"),
},
},
Lifecycle: &v1.Lifecycle{
PostStart: &v1.LifecycleHandler{
Exec: &v1.ExecAction{
Command: []string{
"nsenter",
"--target=1",
"--mount",
"--",
"/bin/bash",
"-c",
editIPTableScript,
},
},
},
},
TerminationMessagePolicy: v1.TerminationMessagePolicy("FallbackToLogsOnError"),
ImagePullPolicy: v1.PullPolicy("IfNotPresent"),
SecurityContext: &v1.SecurityContext{
Capabilities: &v1.Capabilities{
Add: []v1.Capability{
v1.Capability("SYS_MODULE"),
v1.Capability("NET_ADMIN"),
v1.Capability("SYS_ADMIN"),
v1.Capability("SYS_CHROOT"),
v1.Capability("SYS_PTRACE"),
},
},
Privileged: valast.Addr(false).(*bool),
SELinuxOptions: &v1.SELinuxOptions{
Type: "spc_t",
Level: "s0",
},
},
},
},
NodeSelector: map[string]string{"kubernetes.io/os": "linux"},
HostNetwork: true,
HostPID: true,
Tolerations: []v1.Toleration{{Operator: v1.TolerationOperator("Exists")}},
PriorityClassName: "system-node-critical",
},
},
UpdateStrategy: appsv1.DaemonSetUpdateStrategy{Type: appsv1.DaemonSetUpdateStrategyType("RollingUpdate")},
},
}
var startUpScript = `#!/bin/bash
set -o errexit
set -o pipefail
set -o nounset
echo "Link information:"
ip link
echo "Routing table:"
ip route
echo "Addressing:"
ip -4 a
ip -6 a
mkdir -p "/tmp/cilium-bootstrap.d"
date > "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"
echo "Node initialization complete"
`
var editIPTableScript = `#!/bin/bash
set -o errexit
set -o pipefail
set -o nounset
# When running in AWS ENI mode, it's likely that 'aws-node' has
# had a chance to install SNAT iptables rules. These can result
# in dropped traffic, so we should attempt to remove them.
# We do it using a 'postStart' hook since this may need to run
# for nodes which might have already been init'ed but may still
# have dangling rules. This is safe because there are no
# dependencies on anything that is part of the startup script
# itself, and can be safely run multiple times per node (e.g. in
# case of a restart).
if [[ "$(iptables-save | grep -c AWS-SNAT-CHAIN)" != "0" ]];
then
echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
iptables-save | grep -v AWS-SNAT-CHAIN | iptables-restore
fi
echo 'Done!'
`