Add reinitialize-pods controller to linkerd-cni DaemonSet

Followup to linkerd/linkerd2-proxy-init#306 Fixes #11073 This adds the `reinitialize-pods` container to the `linkerd-cni` DaemonSet, along with its config in `values.yaml`. Also the `linkerd-cni`'s version is bumped, to contain the new binary for this controller. ## TO-DOs - Integration test
linkerd · Dec 5, 2023 · 1ca137a · 1ca137a
1 parent 109110d
commit 1ca137a
Show file tree

Hide file tree

Showing 10 changed files with 431 additions and 3 deletions.
diff --git a/charts/linkerd2-cni/templates/cni-plugin.yaml b/charts/linkerd2-cni/templates/cni-plugin.yaml
@@ -112,6 +112,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "nodes", "namespaces", "services"]
   verbs: ["list", "get", "watch"]
+- apiGroups: [""]
+  resources: ["pods/eviction"]
+  verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -274,6 +277,54 @@ spec:
         {{- if .Values.resources }}
         {{- include "partials.resources" .Values.resources | nindent 8 }}
         {{- end }}
+      # This container watches over pods whose linkerd-network-validator
+      # container failed, probably because of a race condition while setting up
+      # the CNI plugin chain, and evicts those pods so they can try acquiring a
+      # proper network config again
+      - name: reinitialize-pods
+        image: {{ .Values.reinitializePods.image.name -}}:{{- .Values.reinitializePods.image.version }}
+        imagePullPolicy: {{ .Values.reinitializePods.image.pullPolicy }}
+        {{- if .Values.reinitializePods.enableSecurityContext }}
+        env:
+        - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        command:
+          - /usr/lib/linkerd/linkerd-reinitialize-pods
+        args:
+          - --admin-addr=0.0.0.0:9990
+          - --log-format
+          - {{ .Values.reinitializePods.logFormat }}
+          - --log-level
+          - {{ .Values.reinitializePods.logLevel }}
+        livenessProbe:
+          httpGet:
+            path: /live
+            port: admin-http
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: admin-http
+          initialDelaySeconds: 10
+        ports:
+        - containerPort: 9990
+          name: admin-http
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end }}
+        {{- if .Values.resources }}
+        {{- include "partials.resources" .Values.resources | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-cluster-critical
       volumes:
       {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
       - name: cni-bin-dir

diff --git a/charts/linkerd2-cni/values.yaml b/charts/linkerd2-cni/values.yaml
@@ -53,7 +53,7 @@ image:
   # -- Docker image for the CNI plugin
   name: "cr.l5d.io/linkerd/cni-plugin"
   # -- Tag for the CNI container Docker image
-  version: "v1.2.2"
+  version: "v1.3.0"
   # -- Pull policy for the linkerd-cni container
   pullPolicy: IfNotPresent
 
@@ -86,7 +86,7 @@ extraInitContainers: []
 #     - mountPath: /host/etc/cni/net.d
 #       name: cni-net-dir
 
-# -- Resource requests and limits for linkerd-cni daemonset containers
+# -- Resource requests and limits for linkerd-cni daemonset container
 resources:
   cpu:
     # -- Maximum amount of CPU units that the cni container can use
@@ -103,3 +103,39 @@ resources:
     limit: ""
     # -- Amount of ephemeral storage that the cni container requests
     request: ""
+
+reinitializePods:
+  image:
+    # -- Docker image for the reinitialize-pods container
+    name: "cr.l5d.io/linkerd/cni-plugin"
+    # -- Tag for the reinitialize-pods container Docker image
+    version: "v1.3.0"
+    # -- Pull policy for the reinitialize-pods container
+    pullPolicy: IfNotPresent
+
+  # -- Log level for the reinitialize-pods container
+  # @default -- info
+  logLevel: info
+  # -- Log format (`plain` or `json`) for the reinitialize-pods container
+  # @default -- plain
+  logFormat: plain
+
+  # -- Include a securityContext in the reinitialize-pods container
+  enableSecurityContext: true
+
+  resources:
+    cpu:
+      # -- Maximum amount of CPU units that the reinitialize-pods container can use
+      limit: ""
+      # -- Amount of CPU units that the reinitialize-pods container requests
+      request: ""
+    memory:
+      # -- Maximum amount of memory that the reinitialize-pods container can use
+      limit: ""
+      # -- Amount of memory that the reinitialize-pods container requests
+      request: ""
+    ephemeral-storage:
+      # -- Maximum amount of ephemeral storage that the reinitialize-pods container can use
+      limit: ""
+      # -- Amount of ephemeral storage that the reinitialize-pods container requests
+      request: ""
diff --git a/cli/cmd/testdata/install-cni-plugin_default.golden b/cli/cmd/testdata/install-cni-plugin_default.golden
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden