package injector
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/utils/pointer"
"github.com/flomesh-io/fsm/pkg/configurator"
)
// GetInitContainerSpec builds the corev1.Container definition of the init
// container identified by containerName.
//
// The container runs "/bin/sh -c <command>", where the command string is
// produced by GenerateIptablesCommands from the mesh's local proxy mode, the
// local DNS proxy setting and the exclusion/inclusion lists passed in. The
// image and resource requirements come from cfg; pullPolicy is used as given.
//
// Security posture of the returned spec: the container runs as root (UID 0,
// RunAsNonRoot=false) with NET_ADMIN added. Privileged mirrors
// enablePrivilegedInitContainer. No capabilities are dropped and
// AllowPrivilegeEscalation is left unset.
//
// NOTE(review): the list arguments end up in a string that is handed to a
// shell. How GenerateIptablesCommands validates or quotes them is not visible
// in this file; if any of these values can originate from workload-controlled
// input, confirm they are checked (CIDR, port and interface-name syntax)
// before they reach this function.
func GetInitContainerSpec(containerName string, cfg configurator.Configurator, outboundIPRangeExclusionList []string,
	outboundIPRangeInclusionList []string, outboundPortExclusionList []int,
	inboundPortExclusionList []int, enablePrivilegedInitContainer bool, pullPolicy corev1.PullPolicy, networkInterfaceExclusionList []string) corev1.Container {
	// Arguments are evaluated left to right, so cfg is queried for the proxy
	// mode first and the DNS proxy flag second.
	initScript := GenerateIptablesCommands(
		cfg.GetMeshConfig().Spec.Sidecar.LocalProxyMode,
		cfg.IsLocalDNSProxyEnabled(),
		outboundIPRangeExclusionList,
		outboundIPRangeInclusionList,
		outboundPortExclusionList,
		inboundPortExclusionList,
		networkInterfaceExclusionList,
	)

	// Root with NET_ADMIN; full privilege only when the caller asks for it.
	secCtx := &corev1.SecurityContext{
		Privileged: &enablePrivilegedInitContainer,
		Capabilities: &corev1.Capabilities{
			Add: []corev1.Capability{"NET_ADMIN"},
		},
		RunAsNonRoot: pointer.BoolPtr(false),
		// User ID 0 corresponds to root
		RunAsUser: pointer.Int64Ptr(0),
	}

	// POD_IP is filled in from the pod's status via the downward API.
	podIP := corev1.EnvVar{
		Name: "POD_IP",
		ValueFrom: &corev1.EnvVarSource{
			FieldRef: &corev1.ObjectFieldSelector{
				APIVersion: "v1",
				FieldPath:  "status.podIP",
			},
		},
	}

	return corev1.Container{
		Name:            containerName,
		Image:           cfg.GetInitContainerImage(),
		ImagePullPolicy: pullPolicy,
		SecurityContext: secCtx,
		Resources:       getInjectedInitResources(cfg),
		Command:         []string{"/bin/sh"},
		Args:            []string{"-c", initScript},
		Env:             []corev1.EnvVar{podIP},
	}
}
// getInjectedInitResources returns a corev1.ResourceRequirements holding
// copies of the Limits and Requests maps reported by
// cfg.GetInjectedInitResources.
//
// Each map is copied entry by entry into a fresh corev1.ResourceList, so the
// returned maps are distinct from the configurator's maps. A nil map in the
// source stays nil in the result; a non-nil empty map becomes a new empty map.
// Only Limits and Requests are carried over.
func getInjectedInitResources(cfg configurator.Configurator) corev1.ResourceRequirements {
	var out corev1.ResourceRequirements
	src := cfg.GetInjectedInitResources()

	if limits := src.Limits; limits != nil {
		out.Limits = make(corev1.ResourceList)
		for name, qty := range limits {
			out.Limits[name] = qty
		}
	}

	if requests := src.Requests; requests != nil {
		out.Requests = make(corev1.ResourceList)
		for name, qty := range requests {
			out.Requests[name] = qty
		}
	}

	return out
}