Add `iptablesMode` flag to proxy-init (#8887)

This change introduces a new value to be used at install (or upgrade)
time. The value (`proxyInit.iptablesMode=nft|legacy`) is responsible
for starting the proxy-init container in nft or legacy mode.

By default, the init container will use iptables-nft. When the mode is set to
`nft`, it will instead use iptables-nft. Most modern Linux distributions
support both, but a subset (such as RHEL based families) only support
iptables-nft and nf_tables.

Signed-off-by: Matei David <matei@buoyant.io>
Matei David 2022-07-28 07:45:19 +03:00 committed by GitHub
parent b9915ad557
commit 9dd51d3897
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
53 changed files with 378 additions and 0 deletions


@ -228,6 +228,7 @@ Kubernetes: `>=1.21.0-0`
| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container Docker image |
| proxyInit.image.version | string | `"v1.6.2"` | Tag for the proxy-init container Docker image |
| proxyInit.iptablesMode | string | `"nft"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |
| proxyInit.logLevel | string | info | Log level for the proxy-init |
| proxyInit.resources.cpu.limit | string | `"100m"` | Maximum amount of CPU units that the proxy-init container can use |


@ -175,6 +175,11 @@ proxy:
# proxy-init configuration
proxyInit:
# -- Variant of iptables that will be used to configure routing. Currently,
# proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will
# control which utility binary will be called. The host must support
# whichever mode will be used
iptablesMode: "nft"
# -- Default set of inbound ports to skip via iptables
# - Galera (4567,4568)
ignoreInboundPorts: "4567,4568"
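Review bot: The comment above `iptablesMode` does not say what each value does or what happens on a bad value. In the chart template on this page, `nft` passes `--firewall-bin-path iptables-nft`, `legacy` passes no firewall flags at all (so the binary is whatever proxy-init defaults to), and any other string aborts rendering. I would add `# 'legacy' leaves proxy-init on its built-in default binary; any other value fails chart rendering.` to the comment. It may also be worth stating that the mode should match the backend the node's other firewall tooling uses, since rules written through one variant are not listed by the other.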


@ -1,5 +1,13 @@
{{- define "partials.proxy-init" -}}
args:
{{- if (eq .Values.proxyInit.iptablesMode "nft") }}
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }}
{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }}
{{- end }}
- --incoming-proxy-port
- {{.Values.proxy.ports.inbound | quote}}
- --outgoing-proxy-port
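Review bot: An unset `proxyInit.iptablesMode` is not handled by the new `if` / `else if` under `args:`. A values set that lacks the key (for example one carried over from an earlier release) matches neither `"nft"` nor `"legacy"`, so it presumably ends in the `fail` branch with an empty or `<nil>` value in the message, or errors inside `eq`. Resolving the value once, e.g. `{{- $mode := default "nft" .Values.proxyInit.iptablesMode }}`, and comparing against `$mode` would make the fallback explicit. If failing is the intended behaviour, a dedicated "proxyInit.iptablesMode must be set" message would be clearer. The partial continues past the end of this hunk.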


@ -101,6 +101,7 @@ func TestRender(t *testing.T) {
OpaquePorts: "25,443,587,3306,5432,11211",
},
ProxyInit: &charts.ProxyInit{
IptablesMode: "nft",
Image: &charts.Image{
Name: "ProxyInitImageName",
PullPolicy: "ImagePullPolicy",
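Review bot: Only `IptablesMode: "nft"` is exercised here, and every golden file on this page was regenerated for that mode. The other two template branches therefore have no render coverage: `legacy`, which should emit no `--firewall-bin-path` / `--firewall-save-bin-path` args, and an unsupported value, which should hit the `fail` call. I would add one render case with `IptablesMode: "legacy"` and one asserting that an invalid value returns the "Unsupported value" error. TestRender starts and ends outside this hunk.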


@ -149,6 +149,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -149,6 +149,10 @@ spec:
name: server
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -347,6 +351,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -149,6 +149,10 @@ spec:
name: server
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -189,6 +189,10 @@ spec:
- mountPath: /config
name: contour-config
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -160,6 +160,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -369,6 +373,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -578,6 +586,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -787,6 +799,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -160,6 +160,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -163,6 +163,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -152,6 +152,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -173,6 +173,10 @@ spec:
runAsUser: 33
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -177,6 +177,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -160,6 +160,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -369,6 +373,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -165,6 +165,10 @@ spec:
terminationMessagePolicy: FallbackToLogsOnError
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -160,6 +160,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -161,6 +161,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -161,6 +161,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -161,6 +161,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -162,6 +162,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -162,6 +162,10 @@ spec:
protocol: UDP
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -162,6 +162,10 @@ items:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -365,6 +369,10 @@ items:
protocol: TCP
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -162,6 +162,10 @@ items:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -365,6 +369,10 @@ items:
protocol: TCP
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -144,6 +144,10 @@ spec:
name: vote-bot
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -147,6 +147,10 @@ spec:
name: vote-bot
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -146,6 +146,10 @@ spec:
name: vote-bot
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -155,6 +155,10 @@ spec:
name: vote-bot
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -161,6 +161,10 @@ spec:
name: http
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -162,6 +162,10 @@ spec:
- containerPort: 9090
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -373,6 +377,10 @@ spec:
- containerPort: 9090
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -214,6 +214,10 @@ spec:
dnsPolicy: ClusterFirst
initContainers:
- args:
- --firewall-bin-path
- iptables-nft
- --firewall-save-bin-path
- iptables-nft-save
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -881,6 +882,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1296,6 +1301,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1597,6 +1606,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -880,6 +881,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1294,6 +1299,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1595,6 +1604,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: my.custom.registry/linkerd-io/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -880,6 +881,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1294,6 +1299,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1595,6 +1604,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -880,6 +881,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1294,6 +1299,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1595,6 +1604,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -880,6 +881,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1294,6 +1299,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1595,6 +1604,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -878,6 +879,10 @@ spec:
name: linkerd-identity-end-entity
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1283,6 +1288,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1575,6 +1584,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -591,6 +591,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -962,6 +963,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1422,6 +1427,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1759,6 +1768,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -591,6 +591,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -962,6 +963,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1422,6 +1427,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1759,6 +1768,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -495,6 +495,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -811,6 +812,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1225,6 +1230,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1476,6 +1485,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -540,6 +540,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: test-proxy-init-version
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -850,6 +851,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1267,6 +1272,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1573,6 +1582,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -567,6 +567,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: test-proxy-init-version
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -932,6 +933,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1395,6 +1400,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1737,6 +1746,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -571,6 +571,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: test-proxy-init-version
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -940,6 +941,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1407,6 +1412,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1757,6 +1766,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -562,6 +562,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: test-proxy-init-version
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -922,6 +923,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1385,6 +1390,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1727,6 +1736,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:


@ -557,6 +557,7 @@ data:
name: ProxyInitImageName
pullPolicy: ImagePullPolicy
version: ProxyInitVersion
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -871,6 +872,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1290,6 +1295,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1591,6 +1600,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -880,6 +881,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1294,6 +1299,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1595,6 +1604,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -564,6 +564,7 @@ data:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.6.2
iptablesMode: nft
logFormat: ""
logLevel: ""
resources:
@ -880,6 +881,10 @@ spec:
name: linkerd-identity-token
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1294,6 +1299,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
@ -1595,6 +1604,10 @@ spec:
readOnly: true
initContainers:
- args:
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port


@ -42,6 +42,10 @@
"path": "/spec/initContainers/-",
"value": {
"args": [
"--firewall-bin-path",
"iptables-nft",
"--firewall-save-bin-path",
"iptables-nft-save",
"--incoming-proxy-port",
"4143",
"--outgoing-proxy-port",


@ -52,6 +52,10 @@
"path": "/spec/initContainers/-",
"value": {
"args": [
"--firewall-bin-path",
"iptables-nft",
"--firewall-save-bin-path",
"iptables-nft-save",
"--incoming-proxy-port",
"4143",
"--outgoing-proxy-port",


@ -42,6 +42,10 @@
"path": "/spec/initContainers/-",
"value": {
"args": [
"--firewall-bin-path",
"iptables-nft",
"--firewall-save-bin-path",
"iptables-nft-save",
"--incoming-proxy-port",
"4143",
"--outgoing-proxy-port",


@ -129,6 +129,7 @@ type (
Resources *Resources `json:"resources"`
CloseWaitTimeoutSecs int64 `json:"closeWaitTimeoutSecs"`
RunAsRoot bool `json:"runAsRoot"`
IptablesMode string `json:"iptablesMode"`
}
// DebugContainer contains the fields to set the debugging sidecar
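Review bot: The new `IptablesMode` field carries no comment, and nothing on this page checks its value on the Go side. The only validation visible is the `fail` call in the Helm partial, so any Go code that reads this struct directly would accept an arbitrary string unless it is checked elsewhere. I would document the contract on the field, e.g. `// IptablesMode selects the iptables variant proxy-init calls; valid values are "nft" and "legacy".`. It is also worth confirming that every path that builds the init container goes through the validating template. The enclosing `type (` block starts outside this hunk.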


@ -116,6 +116,7 @@ func TestNewValues(t *testing.T) {
Await: true,
},
ProxyInit: &ProxyInit{
IptablesMode: "nft",
IgnoreInboundPorts: "4567,4568",
IgnoreOutboundPorts: "4567,4568",
LogLevel: "",