From 309e8d12102b26997267ef720a0af9b76dd31ab5 Mon Sep 17 00:00:00 2001 From: Steve Jenson Date: Wed, 26 Oct 2022 03:14:45 -0700 Subject: [PATCH] Validate CNI configurations during pod startup (#9678) When users use CNI, we want to ensure that network rewriting inside the pod is set up before allowing linkerd to start. When rewriting isn't happening, we want to exit with a clear error message and enough information in the container log for the administrator to either file a bug report with us or fix their configuration. This change adds a validator initContainer to all injected workloads, when linkerd is installed with "cniEnabled=false". The validator replaces the noop init container, and will prevent pods from starting up if iptables is not configured. Part of #8120 
Signed-off-by: Steve Jenson --- Dockerfile-proxy | 3 + charts/linkerd-control-plane/README.md | 5 ++ .../templates/destination.yaml | 2 +- .../templates/identity.yaml | 2 +- .../templates/proxy-injector.yaml | 2 +- charts/linkerd-control-plane/values.yaml | 18 +++- .../partials/templates/_network-validator.tpl | 24 ++++++ charts/partials/templates/_noop.tpl | 6 -- charts/patch/templates/patch.json | 2 +- cli/cmd/install_test.go | 7 ++ ...to_deployment_no_init_container.golden.yml | 23 +++++- ...install_controlplane_tracing_output.golden | 6 ++ cli/cmd/testdata/install_custom_domain.golden | 6 ++ .../testdata/install_custom_registry.golden | 6 ++ cli/cmd/testdata/install_default.golden | 6 ++ ...stall_default_override_dst_get_nets.golden | 6 ++ cli/cmd/testdata/install_default_token.golden | 6 ++ cli/cmd/testdata/install_ha_output.golden | 6 ++ .../install_ha_with_overrides_output.golden | 6 ++ .../install_heartbeat_disabled_output.golden | 6 ++ .../install_helm_control_plane_output.golden | 6 ++ ...nstall_helm_control_plane_output_ha.golden | 6 ++ .../install_helm_output_ha_labels.golden | 6 ++ ...l_helm_output_ha_namespace_selector.golden | 6 ++ .../testdata/install_no_init_container.golden | 82 ++++++++++++++++--- cli/cmd/testdata/install_output.golden | 9 ++ cli/cmd/testdata/install_proxy_ignores.golden | 6 ++ cli/cmd/testdata/install_values_file.golden | 6 ++ pkg/charts/charts.go | 2 +- pkg/charts/linkerd2/values.go | 9 ++ pkg/charts/linkerd2/values_test.go | 7 ++ 31 files changed, 266 insertions(+), 27 deletions(-) create mode 100644 charts/partials/templates/_network-validator.tpl delete mode 100644 charts/partials/templates/_noop.tpl diff --git a/Dockerfile-proxy b/Dockerfile-proxy index 2bf9e440c..cb9640a6e 100644 --- a/Dockerfile-proxy +++ b/Dockerfile-proxy 
@@ -20,6 +20,8 @@ RUN (proxy=$(bin/fetch-proxy $(cat proxy-version) $TARGETARCH) && \ mv "$proxy" linkerd2-proxy) ARG LINKERD_AWAIT_VERSION=v0.2.6 RUN bin/scurl -o linkerd-await https://github.com/linkerd/linkerd-await/releases/download/release%2F${LINKERD_AWAIT_VERSION}/linkerd-await-${LINKERD_AWAIT_VERSION}-${TARGETARCH} && chmod +x linkerd-await +ARG LINKERD_VALIDATOR_VERSION=v0.1.0 +RUN bin/scurl -o linkerd-network-validator https://github.com/linkerd/linkerd2-proxy-init/releases/download/validator%2F${LINKERD_VALIDATOR_VERSION}/linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH} && chmod +x linkerd-network-validator ## compile proxy-identity agent FROM go-deps as golang @@ -38,6 +40,7 @@ COPY --from=fetch /build/target/proxy/LICENSE /usr/lib/linkerd/LICENSE COPY --from=fetch /build/proxy-version /usr/lib/linkerd/linkerd2-proxy-version.txt COPY --from=fetch /build/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy COPY --from=fetch /build/linkerd-await /usr/lib/linkerd/linkerd-await +COPY --from=fetch /build/linkerd-network-validator /usr/lib/linkerd/linkerd2-network-validator COPY --from=golang /out/proxy-identity /usr/lib/linkerd/linkerd2-proxy-identity COPY --from=debian:bullseye-slim /bin/sleep /bin/sleep ARG LINKERD_VERSION diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index f79519e83..d303e2c59 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md 
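Review bot: The added `RUN bin/scurl -o linkerd-network-validator https://github.com/linkerd/linkerd2-proxy-init/releases/download/validator%2F${LINKERD_VALIDATOR_VERSION}/...` line fetches a binary that will run as an init container in every CNI-enabled injected pod, pinned only by a release tag, with nothing that checks what was actually downloaded. The neighbouring linkerd-await fetch has the same shape, so this may be the accepted pattern, but for a newly introduced component a digest pin is cheap: add `ARG LINKERD_VALIDATOR_SHA256=<expected-sha256-for-TARGETARCH>` and `echo "${LINKERD_VALIDATOR_SHA256}  linkerd-network-validator" | sha256sum -c -` before the `chmod +x` (one value per `TARGETARCH` is needed since the download is per-arch, and this assumes the fetch stage has `sha256sum`). In the second hunk the file is copied in as `linkerd2-network-validator` although it was fetched as `linkerd-network-validator`; a comment on that `COPY` stating the rename is deliberate would stop a future cleanup from silently breaking the `command:` path used by the chart partial.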
@@ -166,6 +166,11 @@ Kubernetes: `>=1.21.0-0` | imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy | | imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | | linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | +| networkValidator.connectAddr | string | `"1.1.1.1:20001"` | Address to which the network-validator will attempt to connect. we expect this to be rewritten | +| networkValidator.listenAddr | string | `"0.0.0.0:4140"` | Address to which network-validator listens to requests from itself | +| networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator | +| networkValidator.logLevel | string | debug | Log level for the network-validator | +| networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity | | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | | podAnnotations | object | `{}` | Additional annotations to add to all pods | | podLabels | object | `{}` | Additional labels to add to all pods | diff --git a/charts/linkerd-control-plane/templates/destination.yaml b/charts/linkerd-control-plane/templates/destination.yaml index 23a70eee6..4a860aaf8 100644 --- a/charts/linkerd-control-plane/templates/destination.yaml +++ b/charts/linkerd-control-plane/templates/destination.yaml 
@@ -304,7 +304,7 @@ spec: readOnly: true initContainers: {{ if .Values.cniEnabled -}} - - {{- include "partials.noop" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ else -}} {{- /* The destination controller needs to connect to the Kubernetes API before the proxy is able diff --git a/charts/linkerd-control-plane/templates/identity.yaml b/charts/linkerd-control-plane/templates/identity.yaml index 2d292275c..9834d6ee9 100644 --- a/charts/linkerd-control-plane/templates/identity.yaml +++ b/charts/linkerd-control-plane/templates/identity.yaml @@ -201,7 +201,7 @@ spec: - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: {{ if .Values.cniEnabled -}} - - {{- include "partials.noop" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ else -}} {{- /* The identity controller needs to connect to the Kubernetes API before the proxy is able to diff --git a/charts/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd-control-plane/templates/proxy-injector.yaml index cd98d7082..b948b6e60 100644 --- a/charts/linkerd-control-plane/templates/proxy-injector.yaml +++ b/charts/linkerd-control-plane/templates/proxy-injector.yaml @@ -108,7 +108,7 @@ spec: readOnly: true initContainers: {{ if .Values.cniEnabled -}} - - {{- include "partials.noop" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ else -}} - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index b8c3f8830..52d04dc9e 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml 
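Review bot: These template hunks substitute the validator under `{{ if .Values.cniEnabled -}}`, so the container runs when CNI is enabled, whereas the commit message says it is added when linkerd is installed with "cniEnabled=false"; the message should say `cniEnabled=true` so the history does not mislead operators reading the changelog. The destination.yaml, identity.yaml and proxy-injector.yaml hunks on this line are identical in that respect. A one-line template comment above the include, e.g. `{{- /* proxy-init is not run with CNI, so verify the plugin has already installed the iptables redirect before the proxy starts */ -}}`, would make the intent readable from the template itself rather than from the partial's name.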
@@ -231,6 +231,23 @@ proxyInit: mountPath: /run name: linkerd-proxy-init-xtables-lock +# network validator configuration +# This runs on a host that uses iptables to reroute network traffic. The validator +# ensures that iptables is correctly routing requests before we start linkerd. +networkValidator: + # -- Log level for the network-validator + # @default -- debug + logLevel: debug + # -- Log format (`plain` or `json`) for network-validator + # @default -- plain + logFormat: plain + # -- Address to which the network-validator will attempt to connect. we expect this to be rewritten + connectAddr: "1.1.1.1:20001" + # -- Address to which network-validator listens to requests from itself + listenAddr: "0.0.0.0:4140" + # -- Timeout before network-validator fails to validate the pod's network connectivity + timeout: "10s" + # -- For Private docker registries, authentication is needed. # Registry secrets are applied to the respective service accounts imagePullSecrets: [] @@ -298,7 +315,6 @@ identity: # install keyPEM: | - # -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields) #identityResources: # -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields) diff --git a/charts/partials/templates/_network-validator.tpl b/charts/partials/templates/_network-validator.tpl new file mode 100644 index 000000000..1411450ec --- /dev/null +++ b/charts/partials/templates/_network-validator.tpl 
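Review bot: The comment on `connectAddr: "1.1.1.1:20001"` says the address is expected to be rewritten but not what happens when it is not: per the README row in this commit the validator "will attempt to connect" to it, so with the redirect missing the init container presumably reaches out toward a public address, and the observed failure likely depends on the cluster's egress filtering (an immediate refusal versus a hang until `timeout`), which changes the message the administrator sees. Suggest extending the value comment: `# If the CNI redirect is missing this external address is genuinely contacted, so the failure mode depends on egress policy (refused vs. timeout after networkValidator.timeout).` The second hunk in this line (`@@ -298,7 +315,6`) removes a line from the identity section that has nothing to do with the validator; if that is intentional, a word in the commit message would help.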
@@ -0,0 +1,24 @@ +{{- define "partials.network-validator" -}} +name: linkerd-network-validator +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +securityContext: + runAsUser: 65534 + capabilities: + drop: + - all +command: + - /usr/lib/linkerd/linkerd2-network-validator +args: + - --log-format + - {{ .Values.networkValidator.logFormat }} + - --log-level + - {{ .Values.networkValidator.logLevel }} + - --connect-addr + - {{ .Values.networkValidator.connectAddr }} + - --listen-addr + - {{ .Values.networkValidator.listenAddr }} + - --timeout + - {{ .Values.networkValidator.timeout }} + +{{- end -}} diff --git a/charts/partials/templates/_noop.tpl b/charts/partials/templates/_noop.tpl deleted file mode 100644 index 716bcc546..000000000 --- a/charts/partials/templates/_noop.tpl +++ /dev/null @@ -1,6 +0,0 @@ -{{- define "partials.noop" -}} -args: -- -v -image: gcr.io/google_containers/pause:3.2 -name: noop -{{- end -}} diff --git a/charts/patch/templates/patch.json b/charts/patch/templates/patch.json index 3b281ce66..ea652aad7 100644 --- a/charts/patch/templates/patch.json +++ b/charts/patch/templates/patch.json @@ -71,7 +71,7 @@ "op": "add", "path": "{{$prefix}}/spec/initContainers/-", "value": - {{- include "partials.noop" . | fromYaml | toPrettyJson | nindent 6 }} + {{- include "partials.network-validator" . | fromYaml | toPrettyJson | nindent 6 }} }, {{- end }} {{- if .Values.debugContainer }} diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index c88268b17..067ec421f 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go 
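Review bot: The new init container's `securityContext` drops all capabilities and sets `runAsUser: 65534`, which is already stricter than the pause-based noop it replaces, but it omits `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and a `seccompProfile`, so in namespaces enforcing the restricted Pod Security Standard the injected pod would be rejected at admission on this container; since the chart targets Kubernetes `>=1.21.0-0`, `RuntimeDefault` is available. `readOnlyRootFilesystem: true` is worth adding too if the validator binary does not write to its root filesystem (not verifiable from here). The partial also sets no `resources`, which in HA installs may change the pod's QoS class relative to the other containers — either a resources block or a comment explaining the omission would help, as would a header comment such as `{{- /* Init container used when cniEnabled is true: checks the CNI iptables redirect before the proxy starts */ -}}`.
```yaml
securityContext:
  runAsUser: 65534
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - all
  seccompProfile:
    type: RuntimeDefault
# … unchanged: command and args …
```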
@@ -127,6 +127,13 @@ func TestRender(t *testing.T) { RunAsRoot: false, RunAsUser: 65534, }, + NetworkValidator: &charts.NetworkValidator{ + LogLevel: "debug", + LogFormat: "plain", + ConnectAddr: "1.1.1.1:20001", + ListenAddr: "0.0.0.0:4140", + Timeout: "10s", + }, Configs: charts.ConfigJSONs{ Global: "GlobalConfig", Proxy: "ProxyConfig", diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml index 3bb765a81..e90173bda 100644 --- a/cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml +++ b/cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml @@ -165,9 +165,26 @@ spec: name: http initContainers: - args: - - -v - image: gcr.io/google_containers/pause:3.2 - name: noop + - --log-format + - plain + - --log-level + - debug + - --connect-addr + - 1.1.1.1:20001 + - --listen-addr + - 0.0.0.0:4140 + - --timeout + - 10s + command: + - /usr/lib/linkerd/linkerd2-network-validator + image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version + imagePullPolicy: IfNotPresent + name: linkerd-network-validator + securityContext: + capabilities: + drop: + - all + runAsUser: 65534 volumes: - emptyDir: medium: Memory diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index 4e8fd309a..b33903a86 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -467,6 +467,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux 
diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index 97b13c9b9..84fae1cd1 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -467,6 +467,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index de341f147..7fc27b3ca 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -467,6 +467,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 97b13c9b9..84fae1cd1 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -467,6 +467,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 03538f4bb..49479d259 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden 
@@ -467,6 +467,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index c0ab06626..1985fdf03 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden @@ -467,6 +467,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index b721a4b4d..4d05b5857 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -494,6 +494,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: null linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 7be54eb38..27fb95449 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden 
@@ -494,6 +494,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: null linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index c9980790b..33d931452 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -398,6 +398,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index abce1f5d7..7f3396b07 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -445,6 +445,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: linkerd-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index 457b229bd..0fb1f12a9 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden 
@@ -472,6 +472,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: null linkerdVersion: linkerd-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 13fc36454..914805c4a 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -472,6 +472,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: null linkerdVersion: linkerd-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index d49b85298..03f1a6d5e 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -467,6 +467,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: null linkerdVersion: linkerd-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 70c1c9f50..73c85c6fd 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -293,6 +293,7 @@ metadata: labels: linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd + --- ### ### Proxy Injector RBAC 
@@ -467,6 +468,12 @@ data: imagePullPolicy: IfNotPresent imagePullSecrets: [] linkerdVersion: install-control-plane-version + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux @@ -901,10 +908,27 @@ spec: - mountPath: /var/run/secrets/tokens name: linkerd-identity-token initContainers: - - args: - - -v - image: gcr.io/google_containers/pause:3.2 - name: noop + - name: linkerd-network-validator + image: cr.l5d.io/linkerd/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 65534 + capabilities: + drop: + - all + command: + - /usr/lib/linkerd/linkerd2-network-validator + args: + - --log-format + - plain + - --log-level + - debug + - --connect-addr + - 1.1.1.1:20001 + - --listen-addr + - 0.0.0.0:4140 + - --timeout + - 10s serviceAccountName: linkerd-identity volumes: - name: identity-issuer @@ -1289,10 +1313,27 @@ spec: name: policy-tls readOnly: true initContainers: - - args: - - -v - image: gcr.io/google_containers/pause:3.2 - name: noop + - name: linkerd-network-validator + image: cr.l5d.io/linkerd/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 65534 + capabilities: + drop: + - all + command: + - /usr/lib/linkerd/linkerd2-network-validator + args: + - --log-format + - plain + - --log-level + - debug + - --connect-addr + - 1.1.1.1:20001 + - --listen-addr + - 0.0.0.0:4140 + - --timeout + - 10s serviceAccountName: linkerd-destination volumes: - name: sp-tls 
@@ -1563,10 +1604,27 @@ spec: name: tls readOnly: true initContainers: - - args: - - -v - image: gcr.io/google_containers/pause:3.2 - name: noop + - name: linkerd-network-validator + image: cr.l5d.io/linkerd/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 65534 + capabilities: + drop: + - all + command: + - /usr/lib/linkerd/linkerd2-network-validator + args: + - --log-format + - plain + - --log-level + - debug + - --connect-addr + - 1.1.1.1:20001 + - --listen-addr + - 0.0.0.0:4140 + - --timeout + - 10s serviceAccountName: linkerd-proxy-injector volumes: - configMap: diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index f6f51d430..d29982531 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -290,6 +290,7 @@ metadata: labels: linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd + --- ### ### Proxy Injector RBAC @@ -460,6 +461,12 @@ data: imagePullPolicy: ImagePullPolicy imagePullSecrets: null linkerdVersion: LinkerdVersion + networkValidator: + connectAddr: 1.1.1.1:20001 + listenAddr: 0.0.0.0:4140 + logFormat: plain + logLevel: debug + timeout: 10s nodeAffinity: null nodeSelector: kubernetes.io/os: linux @@ -879,6 +886,7 @@ spec: - mountPath: /var/run/secrets/tokens name: linkerd-identity-token initContainers: + - args: - --incoming-proxy-port - "4143" @@ -1305,6 +1313,7 @@ spec: name: policy-tls readOnly: true initContainers: + - args: - --incoming-proxy-port - "4143" diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index d374dce4a..d69f88998 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden 
@@ -467,6 +467,12 @@ data:
 imagePullPolicy: IfNotPresent
 imagePullSecrets: []
 linkerdVersion: install-control-plane-version
+ networkValidator:
+ connectAddr: 1.1.1.1:20001
+ listenAddr: 0.0.0.0:4140
+ logFormat: plain
+ logLevel: debug
+ timeout: 10s
 nodeAffinity: null
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden
index 804cbe5be..a79db5e24 100644
--- a/cli/cmd/testdata/install_values_file.golden
+++ b/cli/cmd/testdata/install_values_file.golden
@@ -467,6 +467,12 @@ data:
 imagePullPolicy: IfNotPresent
 imagePullSecrets: []
 linkerdVersion: install-control-plane-version
+ networkValidator:
+ connectAddr: 1.1.1.1:20001
+ listenAddr: 0.0.0.0:4140
+ logFormat: plain
+ logLevel: debug
+ timeout: 10s
 nodeAffinity: null
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/pkg/charts/charts.go b/pkg/charts/charts.go
index 5ee1e8692..7ed1bcde6 100644
--- a/pkg/charts/charts.go
+++ b/pkg/charts/charts.go
@@ -27,7 +27,7 @@ var (
 "charts/partials/templates/_helpers.tpl",
 "charts/partials/templates/_metadata.tpl",
 "charts/partials/templates/_nodeselector.tpl",
- "charts/partials/templates/_noop.tpl",
+ "charts/partials/templates/_network-validator.tpl",
 "charts/partials/templates/_proxy-config-ann.tpl",
 "charts/partials/templates/_proxy-init.tpl",
 "charts/partials/templates/_proxy.tpl",
diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go
index fffeed596..bbb3f424d 100644
--- a/pkg/charts/linkerd2/values.go
+++ b/pkg/charts/linkerd2/values.go
@@ -64,6 +64,7 @@ type (
 PolicyController *PolicyController `json:"policyController"`
 Proxy *Proxy `json:"proxy"`
 ProxyInit *ProxyInit `json:"proxyInit"`
+ NetworkValidator *NetworkValidator `json:"networkValidator"`
 Identity *Identity `json:"identity"`
 DebugContainer *DebugContainer `json:"debugContainer"`
 ProxyInjector *Webhook `json:"proxyInjector"`
@@ -134,6 +135,14 @@ type (
 IptablesMode string `json:"iptablesMode"`
 }
+ NetworkValidator struct {
+ LogLevel string `json:"logLevel"`
+ LogFormat string `json:"logFormat"`
+ ConnectAddr string `json:"connectAddr"`
+ ListenAddr string `json:"listenAddr"`
+ Timeout string `json:"timeout"`
+ }
+
 // DebugContainer contains the fields to set the debugging sidecar
 DebugContainer struct {
 Image *Image `json:"image"`
 }
diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go
index 4ddcd9a31..d74679625 100644
--- a/pkg/charts/linkerd2/values_test.go
+++ b/pkg/charts/linkerd2/values_test.go
@@ -158,6 +158,13 @@ func TestNewValues(t *testing.T) {
 RunAsRoot: false,
 RunAsUser: 65534,
 },
+ NetworkValidator: &NetworkValidator{
+ LogLevel: "debug",
+ LogFormat: "plain",
+ ConnectAddr: "1.1.1.1:20001",
+ ListenAddr: "0.0.0.0:4140",
+ Timeout: "10s",
+ },
 Identity: &Identity{
 ServiceAccountTokenProjection: true,
 Issuer: &Issuer{
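Review bot: `NetworkValidator struct {` is added without a doc comment while its neighbour in the same hunk carries `// DebugContainer contains the fields to set the debugging sidecar`; suggest `// NetworkValidator contains the fields to configure the linkerd-network-validator init container that replaces proxy-init when cniEnabled is true`. `Timeout` is kept as a `string` rather than a `time.Duration`, which matches the values.yaml default `"10s"` being handed straight to the container's `--timeout` argument, but a comment such as `// Timeout is passed verbatim to the validator's --timeout flag` would keep a later refactor from changing the type and breaking the chart. The enclosing `type (` block starts before this hunk, and the first values.go hunk (the `NetworkValidator *NetworkValidator` field on the line above) would benefit from the same one-line comment.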