package injector
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/utils/pointer"
"github.com/openservicemesh/osm/pkg/configurator"
)
// GetInitContainerSpec builds the corev1.Container used as the sidecar's init
// container.
//
// The container runs the shell script produced by GenerateIptablesCommands
// (via "/bin/sh -c"), which is why it is granted CAP_NET_ADMIN and runs as
// root (RunAsUser 0, RunAsNonRoot false). Privileged is set to whatever the
// caller passes in enablePrivilegedInitContainer; it is not forced on.
//
// cfg supplies the mesh config (local proxy mode and the local DNS proxy
// flag) and the init container image. The IP-range, port and network
// interface lists are forwarded unchanged to GenerateIptablesCommands.
// The pod's own IP is exposed to the script as the POD_IP env var through the
// downward API field status.podIP.
func GetInitContainerSpec(containerName string, cfg configurator.Configurator, outboundIPRangeExclusionList []string,
	outboundIPRangeInclusionList []string, outboundPortExclusionList []int,
	inboundPortExclusionList []int, enablePrivilegedInitContainer bool, pullPolicy corev1.PullPolicy, networkInterfaceExclusionList []string) corev1.Container {
	localProxyMode := cfg.GetMeshConfig().Spec.Sidecar.LocalProxyMode
	initScript := GenerateIptablesCommands(
		localProxyMode,
		cfg.IsLocalDNSProxyEnabled(),
		outboundIPRangeExclusionList,
		outboundIPRangeInclusionList,
		outboundPortExclusionList,
		inboundPortExclusionList,
		networkInterfaceExclusionList,
	)

	// Programming iptables needs NET_ADMIN and a root user; the privileged
	// flag is left to the caller's choice.
	securityCtx := &corev1.SecurityContext{
		Privileged: &enablePrivilegedInitContainer,
		Capabilities: &corev1.Capabilities{
			Add: []corev1.Capability{"NET_ADMIN"},
		},
		RunAsNonRoot: pointer.BoolPtr(false),
		// UID 0 is root.
		RunAsUser: pointer.Int64Ptr(0),
	}

	// Downward-API injection of the pod IP for the iptables script.
	podIPEnv := corev1.EnvVar{
		Name: "POD_IP",
		ValueFrom: &corev1.EnvVarSource{
			FieldRef: &corev1.ObjectFieldSelector{
				APIVersion: "v1",
				FieldPath:  "status.podIP",
			},
		},
	}

	container := corev1.Container{
		Name:            containerName,
		Image:           cfg.GetInitContainerImage(),
		ImagePullPolicy: pullPolicy,
		SecurityContext: securityCtx,
		Command:         []string{"/bin/sh"},
		Args:            []string{"-c", initScript},
		Env:             []corev1.EnvVar{podIPEnv},
	}
	return container
}