Removed hostNetwork: true from linkerd-cni Helm chart templates (#11158)

Problem - Current does Linkerd CNI Helm chart templates have hostNetwork: true set which is unnecessary and less secure. Solution - Removed hostNetwork: true from linkerd-cni Helm chart templates PR Fixes #11141 --------- Signed-off-by: Abhijeet Gaurav <abhijeetdav24aug@gmail.com> Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
2023-08-03 20:23:57 +05:30 · 2023-08-03 20:23:57 +05:30 · bca15f59ed
parent 928f2bedd8
commit bca15f59ed
9 changed files with 0 additions and 10 deletions
--- a/charts/linkerd2-cni/templates/cni-plugin.yaml
+++ b/charts/linkerd2-cni/templates/cni-plugin.yaml
@ -57,7 +57,6 @@ spec:
  {{- end }}
  fsGroup:
    rule: RunAsAny
-  hostNetwork: true
  runAsUser:
    rule: RunAsAny
  seLinux:
@ -211,7 +210,6 @@ spec:
      affinity:
      {{- include "linkerd.node-affinity" . | nindent 8 }}
      {{- end }}
-      hostNetwork: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
--- a/cli/cmd/testdata/install-cni-plugin_default.golden
+++ b/cli/cmd/testdata/install-cni-plugin_default.golden
@ -108,7 +108,6 @@ spec:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
-      hostNetwork: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
@ -108,7 +108,6 @@ spec:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
-      hostNetwork: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
@ -108,7 +108,6 @@ spec:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
-      hostNetwork: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden
@ -108,7 +108,6 @@ spec:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
-      hostNetwork: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
--- a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden
+++ b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden
@ -109,7 +109,6 @@ spec:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
-      hostNetwork: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
--- a/cli/cmd/testdata/install_cni_helm_default_output.golden
+++ b/cli/cmd/testdata/install_cni_helm_default_output.golden
@ -101,7 +101,6 @@ spec:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
-      hostNetwork: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
--- a/cli/cmd/testdata/install_cni_helm_override_output.golden
+++ b/cli/cmd/testdata/install_cni_helm_override_output.golden
@ -101,7 +101,6 @@ spec:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
-      hostNetwork: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
--- a/pkg/healthcheck/healthcheck_test.go
+++ b/pkg/healthcheck/healthcheck_test.go
@ -2418,7 +2418,6 @@ spec:
    spec:
      nodeSelector:
        kubernetes.io/os: linux
-      hostNetwork: true
      serviceAccountName: linkerd-cni
      containers:
      - name: install-cni