Fix linkerd-cni when using native sidecars (#362)
Fixes linkerd/linkerd2#11597

When the cni plugin is triggered, it validates that the proxy has been
injected into the pod before setting up the iptables rules. It does so
by looking for the "linkerd-proxy" container. However, when the proxy is
injected as a native sidecar, it gets added as an _init_ container, so
it was being disregarded here.

We don't have integration tests for validating native sidecars when
using linkerd-cni because [Calico doesn't work in k3s since k8s
1.27](k3d-io/k3d#1375), and we require k8s
1.29 for using native sidecars.
I did nevertheless successfully test this fix in an AKS cluster.
alpeb authored Apr 16, 2024
1 parent 0b455de commit 295008c
Showing 1 changed file with 18 additions and 9 deletions.
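--- a/cni-plugin/main.go
+++ b/cni-plugin/main.go
@@ -193,14 +193,6 @@ func cmdAdd(args *skel.CmdArgs) error {
 return err
 }
 
-containsLinkerdProxy := false
-for _, container := range pod.Spec.Containers {
-if container.Name == "linkerd-proxy" {
-containsLinkerdProxy = true
-break
-}
-}
-
 containsInitContainer := false
 for _, container := range pod.Spec.InitContainers {
 if container.Name == "linkerd-init" {
@@ -209,7 +201,7 @@ func cmdAdd(args *skel.CmdArgs) error {
 }
 }
 
-if containsLinkerdProxy && !containsInitContainer {
+if !containsInitContainer && containsLinkerdProxy(&pod.Spec) {
 logEntry.Debugf("linkerd-cni: setting up iptables firewall for %s/%s", namespace, pod)
 options := cmd.RootOptions{
 IncomingProxyPort: conf.ProxyInit.IncomingProxyPort,
@@ -366,6 +358,23 @@ func cmdDel(_ *skel.CmdArgs) error {
 return nil
 }
 
+func containsLinkerdProxy(spec *v1.PodSpec) bool {
+for _, container := range spec.Containers {
+if container.Name == "linkerd-proxy" {
+return true
+}
+}
+
+// native sidecar proxy
+for _, container := range spec.InitContainers {
+if container.Name == "linkerd-proxy" {
+return true
+}
+}
+
+return false
+}
+
 func getAPIServerPorts(ctx context.Context, api *kubernetes.Clientset) ([]string, error) {
 service, err := api.CoreV1().Services("default").Get(ctx, "kubernetes", metav1.GetOptions{})
 if err != nil {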
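Review bot: The second loop in `containsLinkerdProxy` accepts any init container named "linkerd-proxy" as a native sidecar, but a native sidecar is specifically an init container with `restartPolicy: Always`. A run-to-completion init container with that name would, when no "linkerd-init" container is present, still lead `cmdAdd` to install the redirect rules with no proxy left running to receive the traffic. If the vendored `k8s.io/api` version exposes the field, the match could be tightened to `if container.Name == "linkerd-proxy" && container.RestartPolicy != nil && *container.RestartPolicy == v1.ContainerRestartPolicyAlways {`. Since the description notes there is no integration coverage for this path, a table-driven unit test over `v1.PodSpec` values (proxy as regular container, as native sidecar, absent) would pin the behaviour cheaply. The new function also has no doc comment; something like `// containsLinkerdProxy reports whether spec has a "linkerd-proxy" container, either regular or injected as a native-sidecar init container.` would help.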
