diff --git a/controllers/submariner/gateway_resources.go b/controllers/submariner/gateway_resources.go
index 388500382..352239189 100644
--- a/controllers/submariner/gateway_resources.go
+++ b/controllers/submariner/gateway_resources.go
@@ -132,19 +132,6 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 })
 }
- securityContext := &corev1.SecurityContext{
- Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{"net_admin"},
- Drop: []corev1.Capability{"all"},
- },
- // The gateway needs to be privileged so it can write to /proc/sys
- AllowPrivilegeEscalation: ptr.To(true),
- Privileged: ptr.To(true),
- RunAsNonRoot: ptr.To(false),
- // We need to be able to update /var/lib/alternatives (for iptables)
- ReadOnlyRootFilesystem: ptr.To(false),
- }
-
 podTemplate := corev1.PodTemplateSpec{
 ObjectMeta: metav1.ObjectMeta{
 Labels: podSelectorLabels,
@@ -167,9 +154,8 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 Name: name + "-init",
 Image: getImagePath(cr, opnames.GatewayImage, names.GatewayComponent),
 ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.GatewayComponent]),
- SecurityContext: securityContext,
+ Command: []string{"await-node-ready.sh"},
 Env: httpproxy.AddEnvVars([]corev1.EnvVar{
- {Name: "SUBMARINER_WAITFORNODE", Value: "true"},
 {Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
 FieldRef: &corev1.ObjectFieldSelector{
 FieldPath: "spec.nodeName",
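Review bot: The gateway init container is left with no SecurityContext at all once `SecurityContext: securityContext` is removed, so it runs with the container runtime's default capability set instead of an explicit least-privilege one; since it now only runs await-node-ready.sh, it can carry a restrictive context such as `SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"all"}}, AllowPrivilegeEscalation: ptr.To(false)},`. Taking the privileged context off the init container is already a clear improvement on its own. The same point applies to the route-agent init container in the route_agent_resources.go hunk, which makes the identical change. Note also that `Command` replaces the image entrypoint, so the script must exist in whichever image `getImagePath` resolves, including any `ImageOverrides` entry for the component — presumably the operator and images ship together, but an override pointing at an older image would fail at pod start. The enclosing newGatewayPodTemplate body continues outside the hunk.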
@@ -183,7 +169,18 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 Name: name,
 Image: getImagePath(cr, opnames.GatewayImage, names.GatewayComponent),
 ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.GatewayComponent]),
- SecurityContext: securityContext,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"net_admin"},
+ Drop: []corev1.Capability{"all"},
+ },
+ // The gateway needs to be privileged so it can write to /proc/sys
+ AllowPrivilegeEscalation: ptr.To(true),
+ Privileged: ptr.To(true),
+ RunAsNonRoot: ptr.To(false),
+ // We need to be able to update /var/lib/alternatives (for iptables)
+ ReadOnlyRootFilesystem: ptr.To(false),
+ },
 Ports: []corev1.ContainerPort{
 {
 Name: encapsPortName,
diff --git a/controllers/submariner/route_agent_resources.go b/controllers/submariner/route_agent_resources.go
index ddbe83bd4..6cef64190 100644
--- a/controllers/submariner/route_agent_resources.go
+++ b/controllers/submariner/route_agent_resources.go
@@ -110,8 +110,8 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon
 Name: name + "-init",
 Image: getImagePath(cr, opnames.RouteAgentImage, names.RouteAgentComponent),
 ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.RouteAgentComponent]),
+ Command: []string{"await-node-ready.sh"},
 Env: httpproxy.AddEnvVars([]corev1.EnvVar{
- {Name: "SUBMARINER_WAITFORNODE", Value: "true"},
 {Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
 FieldRef: &corev1.ObjectFieldSelector{
 FieldPath: "spec.nodeName",
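Review bot: In the inlined SecurityContext, `Privileged: ptr.To(true)` already gives the gateway container the full capability set, so the `Add: net_admin` / `Drop: all` lines in the same block do not constrain anything and make the container read as capability-scoped when it is not. If they are meant to document what the gateway actually needs, a comment should say so, e.g. `// Privileged overrides Capabilities; Add/Drop only document the minimum the gateway would need without it.`; otherwise it is worth checking whether the /proc/sys and /var/lib/alternatives writes cited in the comments can be satisfied without `Privileged`, since that flag is what determines the pod's exposure. The enclosing newGatewayPodTemplate body continues outside the hunk.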