Add option to run initContainer in privileged mode #7

Merged
merged 1 commit into from
Jul 17, 2017
6 changes: 5 additions & 1 deletion README.md
Expand Up @@ -32,6 +32,7 @@ initContainers:
capabilities:
add:
- NET_ADMIN
privileged: false # set to true for SELinux
```

It is based on Istio's method of
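
Review bot: the trailing comment on `privileged: false # set to true for SELinux` in the README's initContainers example says when to flip the setting but not what it costs. With `privileged: true` the init container is no longer limited to the `NET_ADMIN` capability listed just above it; it runs fully privileged. Suggest a sentence under the YAML stating that `NET_ADMIN` alone is the default and that privileged mode is a fallback for SELinux hosts.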
Expand All @@ -49,7 +50,10 @@ Install linkerd-inject
go get github.com/linkerd/linkerd-inject
```

Inject init container into your yaml and apply (see [example/](example/README.md) for minikube instructions)
Inject init container into your yaml and apply.
If you're using minikube, see [example/](example/README.md) for minikube instructions.
If you're running in OpenShift (SELinux), you'll need to use `-privileged`.

```
kubectl apply -f <(linkerd-inject -f example/hello-world.yml -linkerdPort 4140)
```
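
Review bot: the new README sentence says OpenShift users need `-privileged`, but the command that follows it is unchanged and still omits the flag. Suggest showing the variant as well, e.g. `linkerd-inject -f example/hello-world.yml -linkerdPort 4140 -privileged`, and saying briefly why SELinux requires it, since the text otherwise gives the reader no basis for accepting a privileged container.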
2 changes: 2 additions & 0 deletions example/README.md
Expand Up @@ -25,6 +25,8 @@ $ LINKERD_PORT=4140
$ kubectl apply -f <(linkerd-inject -f hello-world.yml -linkerdPort $LINKERD_PORT)
```

(If you're running in OpenShift (SELinux), you'll need to use `-privileged`.)

Test it out! Our services now talk to each other using linkerd.
```
$ INGRESS_LB=$(kubectl get svc l5d -o jsonpath="{.status.loadBalancer.ingress[0].*}")
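
Review bot: the OpenShift note is added after the `kubectl apply` command it modifies, so a reader following the steps in order has already applied the manifest without `-privileged` by the time they reach it. Suggest moving the note above the command and dropping the outer parentheses, which nest awkwardly around `(SELinux)`.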
7 changes: 6 additions & 1 deletion inject.go
Expand Up @@ -54,6 +54,7 @@ import (
capabilities:
add:
- NET_ADMIN
privileged: false # set to true for SELinux
*/

const (
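
Review bot: in the doc comment, `privileged: false # set to true for SELinux` reads as if the value were edited by hand in the generated YAML, whereas in this change it is driven by the `-privileged` flag. Suggest wording the comment around the flag, for example `# true when -privileged is passed`, so the comment describes what the tool actually emits.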
Expand All @@ -67,6 +68,7 @@ type Params struct {
LinkerdDaemonsetPort string
LinkerdDaemonsetService string
UseServiceVip bool
RunInitInPrivileged bool
}

func dieIf(err error) {
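
Review bot: `RunInitInPrivileged` in `Params` is an awkward name and carries no comment, although it is the one field here that widens the privileges of the injected container. Suggest something like `PrivilegedInit bool` with a one-line comment saying that it sets `privileged` on the init container and defaults to false.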
Expand Down Expand Up @@ -121,6 +123,7 @@ func injectIntoPodTemplateSpec(p *Params, t *v1.PodTemplateSpec) error {
"capabilities": map[string]interface{}{
"add": []string{"NET_ADMIN"},
},
"privileged": p.RunInitInPrivileged,
},
}
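
Review bot: `"privileged": p.RunInitInPrivileged,` is emitted unconditionally, next to an unconditional `"add": []string{"NET_ADMIN"}`. Every generated manifest therefore now carries an explicit `privileged: false`, which changes the output for existing users, and when the flag is true the `NET_ADMIN` entry is redundant because a privileged container already holds that capability. Consider setting the key only when `p.RunInitInPrivileged` is true.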

Expand Down Expand Up @@ -218,8 +221,9 @@ func main() {
inputFile := flag.String("f", "", "Input Kubernetes resource filename")
outputFile := flag.String("o", "", "Modified output Kubernetes resource filename")
linkerdPort := flag.String("linkerdPort", "4140", "linkerd daemonset port which will handle outgoing requests")
useServiceVip := flag.Bool("useServiceVip", false, "for use in k8s envs without downward api access")
linkerdSvcName := flag.String("linkerdSvcName", "l5d", "linkerd daemonset service name")
useServiceVip := flag.Bool("useServiceVip", false, "for use in k8s envs without downward api access")
privileged := flag.Bool("privileged", false, "run initContainer in privileged mode")

flag.Parse()
var err error
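
Review bot: the help text for the new flag, "run initContainer in privileged mode", does not say when the flag is needed or that it grants more than the default `NET_ADMIN`-only container. Suggest "run initContainer in privileged mode (needed on SELinux hosts such as OpenShift)". Separately, this hunk also moves the `useServiceVip` line below `linkerdSvcName`, which is unrelated to the feature and is better left out of the commit.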
Expand Down Expand Up @@ -255,6 +259,7 @@ func main() {
LinkerdDaemonsetPort: *linkerdPort,
LinkerdDaemonsetService: *linkerdSvcName,
UseServiceVip: *useServiceVip,
RunInitInPrivileged: *privileged,
}

err = intoResourceFile(params, reader, writer)