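# This manifest installs the Istio install-cni container, as well
# as the Istio CNI plugin and config on
# each master and worker node in a Kubernetes cluster.
#
# Privilege summary (see securityContext and volumes below): the agent runs as
# root and privileged on every node and mounts the host CNI bin/conf dirs, plus
# /proc and the netns dir when repair or ambient is enabled. Every hostPath and
# capability declared here should be tied to the feature that needs it.
{{- $defaultBinDir :=
    (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
      "/home/kubernetes/bin"
      "/opt/cni/bin"
}}
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: {{ template "name" . }}-node
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: {{ template "name" . }}-node
    # Quoted: label values are strings, and user-supplied values that look
    # numeric (e.g. a revision such as 1.20) would otherwise be retyped by YAML.
    release: "{{ .Release.Name }}"
    istio.io/rev: "{{ .Values.revision | default "default" }}"
    install.operator.istio.io/owning-resource: "{{ .Values.ownerName | default "unknown" }}"
    operator.istio.io/component: "Cni"
spec:
  selector:
    matchLabels:
      k8s-app: {{ template "name" . }}-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # Left unquoted on purpose: IntOrString, may be an int or a "N%" string.
      maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
        k8s-app: {{ template "name" . }}-node
        sidecar.istio.io/inject: "false"
        istio.io/dataplane-mode: none
      annotations:
        sidecar.istio.io/inject: "false"
        # Add Prometheus Scrape annotations (annotation values must be strings).
        prometheus.io/scrape: "true"
        prometheus.io/port: "15014"
        prometheus.io/path: "/metrics"
        # Custom annotations
        {{- if .Values.cni.podAnnotations }}
{{ toYaml .Values.cni.podAnnotations | indent 8 }}
        {{- end }}
    spec:
      {{- if .Values.cni.ambient.enabled }}
      # Ambient mode runs the agent in the host network namespace.
      hostNetwork: true
      {{- end }}
      nodeSelector:
        kubernetes.io/os: linux
      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
      {{- with .Values.cni.affinity }}
      affinity:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      tolerations:
        # Make sure istio-cni-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      priorityClassName: system-node-critical
      serviceAccountName: {{ template "name" . }}
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 5
      containers:
        # This container installs the Istio CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          {{- if contains "/" .Values.cni.image }}
          image: "{{ .Values.cni.image }}"
          {{- else }}
          image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ template "istio-tag" . }}"
          {{- end }}
          {{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }}
          {{- end }}
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8000
          securityContext:
            privileged: true # always requires privilege to be useful (install node plugin, etc)
            runAsGroup: 0
            runAsUser: 0
            runAsNonRoot: false
            # Both ambient and sidecar repair mode require elevated node privileges to function.
            # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.
            # privileged is redundant with CAP_SYS_ADMIN
            # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular
            # capabilities we actually require
            #
            # NOTE(review): with privileged: true the container runtime generally grants the full
            # capability set regardless of this drop/add list, so the list below documents what is
            # actually needed rather than enforcing it — confirm the effective capability set on the
            # target runtime before relying on it.
            capabilities:
              drop:
                - ALL
              add:
                # CAP_NET_ADMIN is required to allow ipset and route table access
                - NET_ADMIN
                # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
                - NET_RAW
                # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
                # network namespaces in `/proc` to obtain descriptors for entering pod netnamespaces.
                # There does not appear to be a more granular capability for this.
                - SYS_ADMIN
            {{- if .Values.cni.seccompProfile }}
            seccompProfile:
{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }}
            {{- end }}
          command: ["install-cni"]
          args:
            {{- if .Values.global.logging.level }}
            - --log_output_level={{ .Values.global.logging.level }}
            {{- end }}
            {{- if .Values.global.logAsJson }}
            - --log_as_json
            {{- end }}
          envFrom:
            - configMapRef:
                name: {{ template "name" . }}-config
          env:
            - name: REPAIR_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: REPAIR_RUN_AS_DAEMON
              value: "true"
            - name: REPAIR_SIDECAR_ANNOTATION
              value: "sidecar.istio.io/status"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            # Derive Go runtime limits from the container's resource limits.
            - name: GOMEMLIMIT
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
            - name: GOMAXPROCS
              valueFrom:
                resourceFieldRef:
                  resource: limits.cpu
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }}
            # Host /proc is only read (namespace descriptors); never mount it writable.
            - mountPath: /host/proc
              name: cni-host-procfs
              readOnly: true
            {{- end }}
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
            - mountPath: /var/run/istio-cni
              name: cni-socket-dir
            {{- if .Values.cni.ambient.enabled }}
            # HostToContainer so netns bind mounts created by the CNI after pod start are visible.
            - mountPath: /host/var/run/netns
              mountPropagation: HostToContainer
              name: cni-netns-dir
            - mountPath: /var/run/ztunnel
              name: cni-ztunnel-sock-dir
            {{- end }}
          resources:
            {{- if .Values.cni.resources }}
{{ toYaml .Values.cni.resources | trim | indent 12 }}
            {{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
            {{- end }}
      volumes:
        # Used to install CNI. Templated paths are quoted so a user-supplied value
        # containing YAML-significant characters is still parsed as a string.
        - name: cni-bin-dir
          hostPath:
            path: "{{ .Values.cni.cniBinDir | default $defaultBinDir }}"
        {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }}
        - name: cni-host-procfs
          hostPath:
            path: /proc
            type: Directory
        {{- end }}
        {{- if .Values.cni.ambient.enabled }}
        - name: cni-ztunnel-sock-dir
          hostPath:
            path: /var/run/ztunnel
            type: DirectoryOrCreate
        # Only mounted in ambient mode (see volumeMounts), so only declared here:
        # an unconditional DirectoryOrCreate hostPath would have the kubelet create
        # the netns directory on every node even when ambient is disabled.
        - name: cni-netns-dir
          hostPath:
            path: "{{ .Values.cni.cniNetnsDir | default "/var/run/netns" }}"
            # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
            # Once the CNI does mount this, it will get populated and we're good.
            type: DirectoryOrCreate
        {{- end }}
        - name: cni-net-dir
          hostPath:
            path: "{{ default "/etc/cni/net.d" .Values.cni.cniConfDir }}"
        # Used for UDS sockets for logging, ambient eventing
        - name: cni-socket-dir
          hostPath:
            path: /var/run/istio-cni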