diff --git a/pkg/plugins/runtime/k8s/containers/factory.go b/pkg/plugins/runtime/k8s/containers/factory.go
index 35829aa45fad..09f204393075 100644
--- a/pkg/plugins/runtime/k8s/containers/factory.go
+++ b/pkg/plugins/runtime/k8s/containers/factory.go
@@ -13,6 +13,7 @@ import (
 
 runtime_k8s "github.com/kumahq/kuma/pkg/config/plugins/runtime/k8s"
 "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/metadata"
+ "github.com/kumahq/kuma/pkg/util/pointer"
 )
 
 type EnvVarsByName []kube_core.EnvVar
@@ -158,12 +159,14 @@ func (i *DataplaneProxyFactory) NewContainer(
 },
 Resources: kube_core.ResourceRequirements{
 Requests: kube_core.ResourceList{
- kube_core.ResourceCPU: kube_api.MustParse(i.ContainerConfig.Resources.Requests.CPU),
- kube_core.ResourceMemory: kube_api.MustParse(i.ContainerConfig.Resources.Requests.Memory),
+ kube_core.ResourceCPU: kube_api.MustParse(i.ContainerConfig.Resources.Requests.CPU),
+ kube_core.ResourceMemory: kube_api.MustParse(i.ContainerConfig.Resources.Requests.Memory),
+ kube_core.ResourceEphemeralStorage: pointer.Deref(kube_api.NewScaledQuantity(50, kube_api.Mega)),
 },
 Limits: kube_core.ResourceList{
- kube_core.ResourceCPU: kube_api.MustParse(i.ContainerConfig.Resources.Limits.CPU),
- kube_core.ResourceMemory: kube_api.MustParse(i.ContainerConfig.Resources.Limits.Memory),
+ kube_core.ResourceCPU: kube_api.MustParse(i.ContainerConfig.Resources.Limits.CPU),
+ kube_core.ResourceMemory: kube_api.MustParse(i.ContainerConfig.Resources.Limits.Memory),
+ kube_core.ResourceEphemeralStorage: pointer.Deref(kube_api.NewScaledQuantity(1, kube_api.Giga)),
 },
 },
 }
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go
index 01ba8c26d4dd..b5e499c0fe50 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go
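Review bot: The new ephemeral-storage request (50M) and limit (1G) in the Requests/Limits maps are fixed literals, while the CPU and memory entries on the neighbouring lines are read from `i.ContainerConfig.Resources`, so the one resource whose breach the kubelet answers by evicting the whole pod is the one operators cannot tune per deployment. Consider carrying both values in the container config next to CPU/memory, e.g. `kube_core.ResourceEphemeralStorage: kube_api.MustParse(i.ContainerConfig.Resources.Limits.EphemeralStorage),` with defaults of 50M and 1G; that needs config fields this diff does not add, so at minimum a comment on the two lines should say the values are deliberately not configurable. NewContainer begins before the hunk.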
@@ -73,27 +73,10 @@ type KumaInjector struct {
 }
 
 func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error {
- ns, err := i.namespaceFor(ctx, pod)
- if err != nil {
- return errors.Wrap(err, "could not retrieve namespace for pod")
- }
 logger := log.WithValues("pod", pod.GenerateName, "namespace", pod.Namespace)
- // Log deprecated annotations
- for _, d := range metadata.PodAnnotationDeprecations {
- if _, exists := pod.Annotations[d.Key]; exists {
- logger.Info("WARNING: using deprecated pod annotation", "key", d.Key, "message", d.Message)
- }
- }
- if inject, err := i.needInject(pod, ns); err != nil {
- return err
- } else if !inject {
- logger.V(1).Info("skip injecting Kuma")
- return nil
- }
- meshName := k8s_util.MeshOfByAnnotation(pod, ns)
- logger = logger.WithValues("mesh", meshName)
- // Check mesh exists
- if err := i.client.Get(ctx, kube_types.NamespacedName{Name: meshName}, &mesh_k8s.Mesh{}); err != nil {
+
+ meshName, err := i.preCheck(ctx, pod, logger)
+ if meshName == "" || err != nil {
 return err
 }
 
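Review bot: `logger = logger.WithValues("mesh", meshName)` is removed from InjectKuma here and now runs inside preCheck on the logger passed by value, so the copy InjectKuma keeps never gains the mesh field and anything logged later in the function (its body continues past the hunk) would be missing it. Re-attach it after the call, and test the error before the empty-name sentinel so the intent reads clearly: `if err != nil || meshName == "" { return err }` followed by `logger = logger.WithValues("mesh", meshName)`. A comment on the call such as `// an empty meshName with a nil error means injection is skipped` would make the sentinel explicit for the next reader.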
@@ -107,48 +90,12 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error
 if err != nil {
 return err
 }
-
- // Warn if an init container in the pod is using the same UID as the sidecar. This traffic will be exempt from
- // redirection and may be unintended behavior.
- for _, c := range pod.Spec.InitContainers {
- if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
- if *c.SecurityContext.RunAsUser == i.cfg.SidecarContainer.UID {
- logger.Info(
- "WARNING: init container using ignored sidecar UID",
- "container",
- c.Name,
- "uid",
- i.cfg.SidecarContainer.UID,
- )
- }
- }
- }
-
- var duplicateUidContainers []string
- // Error if a container in the pod is using the same UID as the sidecar. This scenario is not supported.
- for _, c := range pod.Spec.Containers {
- if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
- if *c.SecurityContext.RunAsUser == i.cfg.SidecarContainer.UID {
- duplicateUidContainers = append(duplicateUidContainers, c.Name)
- }
- }
- }
-
- if len(duplicateUidContainers) > 0 {
- err := fmt.Errorf(
- "containers using same UID as sidecar is unsupported: %q",
- duplicateUidContainers,
- )
-
- logger.Error(err, "injection failed")
-
- return err
- }
-
 sidecarTmp := kube_core.Volume{
 Name: "kuma-sidecar-tmp",
 VolumeSource: kube_core.VolumeSource{
- EmptyDir: &kube_core.EmptyDirVolumeSource{},
+ EmptyDir: &kube_core.EmptyDirVolumeSource{
+ SizeLimit: kube_api.NewScaledQuantity(10, kube_api.Mega),
+ },
 },
 }
 pod.Spec.Volumes = append(pod.Spec.Volumes, sidecarTmp)
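Review bot: The 10M `SizeLimit` on `kuma-sidecar-tmp` is a bare literal with no way to override it, and for a disk-backed emptyDir the kubelet enforces sizeLimit by evicting the whole pod once the volume grows past it rather than by failing writes, so a sidecar that needs more scratch space than expected takes the application container down with it. Since the sidecar's CPU and memory come from the container config, this limit belongs there too, or at least wants a comment at the definition such as `// exceeding SizeLimit evicts the entire pod, not just the sidecar`. InjectKuma continues outside the hunk on both sides.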
@@ -232,54 +179,6 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error
 return nil
 }
 
-func (i *KumaInjector) needInject(pod *kube_core.Pod, ns *kube_core.Namespace) (bool, error) {
- log.WithValues("name", pod.Name, "namespace", pod.Namespace)
- if i.isInjectionException(pod) {
- log.V(1).Info("pod fulfills exception requirements")
- return false, nil
- }
-
- for _, container := range pod.Spec.Containers {
- if container.Name == k8s_util.KumaSidecarContainerName {
- log.V(1).Info("pod already has Kuma sidecar")
- return false, nil
- }
- }
-
- enabled, exist, err := metadata.Annotations(pod.Labels).GetEnabled(metadata.KumaSidecarInjectionAnnotation)
- if err != nil {
- return false, err
- }
- if exist {
- if !enabled {
- log.V(1).Info(`pod has "kuma.io/sidecar-injection: disabled" label`)
- }
- return enabled, nil
- }
-
- enabled, exist, err = metadata.Annotations(ns.Labels).GetEnabled(metadata.KumaSidecarInjectionAnnotation)
- if err != nil {
- return false, err
- }
- if exist {
- if !enabled {
- log.V(1).Info(`namespace has "kuma.io/sidecar-injection: disabled" label`)
- }
- return enabled, nil
- }
- return false, err
-}
-
-func (i *KumaInjector) isInjectionException(pod *kube_core.Pod) bool {
- for key, value := range i.cfg.Exceptions.Labels {
- podValue, exist := pod.Labels[key]
- if exist && (value == "*" || value == podValue) {
- return true
- }
- }
- return false
-}
-
 type namedContainerPatches struct {
 names []string
 patches []mesh_k8s.JsonPatchBlock
@@ -404,7 +303,6 @@ func (i *KumaInjector) NewSidecarContainer(
 }
 
 container.Name = k8s_util.KumaSidecarContainerName
-
 return container, nil
 }
 
@@ -482,13 +380,10 @@ func (i *KumaInjector) NewInitContainer(pod *kube_core.Pod) (kube_core.Container } if i.cfg.EBPF.Enabled { - // container.SecurityContext.Privileged expects to have a reference - // to the bool value - tru := true bidirectional := kube_core.MountPropagationBidirectional container.SecurityContext.Capabilities = &kube_core.Capabilities{} - container.SecurityContext.Privileged = &tru + container.SecurityContext.Privileged = pointer.To(true) container.Env = []kube_core.EnvVar{ { diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go b/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go new file mode 100644 index 000000000000..2005b3e54113 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/precheck.go 
@@ -0,0 +1,129 @@
+package injector
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/go-logr/logr"
+ "github.com/pkg/errors"
+ kube_core "k8s.io/api/core/v1"
+ kube_types "k8s.io/apimachinery/pkg/types"
+
+ mesh_k8s "github.com/kumahq/kuma/pkg/plugins/resources/k8s/native/api/v1alpha1"
+ "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/metadata"
+ k8s_util "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/util"
+)
+
+func (i *KumaInjector) preCheck(ctx context.Context, pod *kube_core.Pod, logger logr.Logger) (string, error) {
+ ns, err := i.namespaceFor(ctx, pod)
+ if err != nil {
+ return "", errors.Wrap(err, "could not retrieve namespace for pod")
+ }
+
+ // Log deprecated annotations
+ for _, d := range metadata.PodAnnotationDeprecations {
+ if _, exists := pod.Annotations[d.Key]; exists {
+ logger.Info("WARNING: using deprecated pod annotation", "key", d.Key, "message", d.Message)
+ }
+ }
+
+ if inject, err := i.needToInject(pod, ns); err != nil {
+ return "", err
+ } else if !inject {
+ logger.V(1).Info("skipping Kuma injection")
+ return "", nil
+ }
+
+ meshName := k8s_util.MeshOfByAnnotation(pod, ns)
+ logger = logger.WithValues("mesh", meshName)
+ // Check mesh exists
+ if err := i.client.Get(ctx, kube_types.NamespacedName{Name: meshName}, &mesh_k8s.Mesh{}); err != nil {
+ return "", err
+ }
+
+ // Warn if an init container in the pod is using the same UID as the sidecar. This traffic will be exempt from
+ // redirection and may be unintended behavior.
+ for _, c := range pod.Spec.InitContainers {
+ if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
+ if *c.SecurityContext.RunAsUser == i.cfg.SidecarContainer.UID {
+ logger.Info(
+ "WARNING: init container using ignored sidecar UID",
+ "container",
+ c.Name,
+ "uid",
+ i.cfg.SidecarContainer.UID,
+ )
+ }
+ }
+ }
+
+ var duplicateUidContainers []string
+ // Error if a container in the pod is using the same UID as the sidecar. This scenario is not supported.
+ for _, c := range pod.Spec.Containers {
+ if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
+ if *c.SecurityContext.RunAsUser == i.cfg.SidecarContainer.UID {
+ duplicateUidContainers = append(duplicateUidContainers, c.Name)
+ }
+ }
+ }
+
+ if len(duplicateUidContainers) > 0 {
+ err := fmt.Errorf(
+ "containers using same UID as sidecar is unsupported: %q",
+ duplicateUidContainers,
+ )
+
+ logger.Error(err, "injection failed")
+
+ return "", err
+ }
+ return meshName, nil
+}
+
+func (i *KumaInjector) needToInject(pod *kube_core.Pod, ns *kube_core.Namespace) (bool, error) {
+ log.WithValues("name", pod.Name, "namespace", pod.Namespace)
+ if i.isInjectionException(pod) {
+ log.V(1).Info("pod fulfills exception requirements")
+ return false, nil
+ }
+
+ for _, container := range pod.Spec.Containers {
+ if container.Name == k8s_util.KumaSidecarContainerName {
+ log.V(1).Info("pod already has Kuma sidecar")
+ return false, nil
+ }
+ }
+
+ enabled, exist, err := metadata.Annotations(pod.Labels).GetEnabled(metadata.KumaSidecarInjectionAnnotation)
+ if err != nil {
+ return false, err
+ }
+ if exist {
+ if !enabled {
+ log.V(1).Info(`pod has "kuma.io/sidecar-injection: disabled" label`)
+ }
+ return enabled, nil
+ }
+
+ enabled, exist, err = metadata.Annotations(ns.Labels).GetEnabled(metadata.KumaSidecarInjectionAnnotation)
+ if err != nil {
+ return false, err
+ }
+ if exist {
+ if !enabled {
+ log.V(1).Info(`namespace has "kuma.io/sidecar-injection: disabled" label`)
+ }
+ return enabled, nil
+ }
+ return false, err
+}
+
+func (i *KumaInjector) isInjectionException(pod *kube_core.Pod) bool {
+ for key, value := range i.cfg.Exceptions.Labels {
+ podValue, exist := pod.Labels[key]
+ if exist && (value == "*" || value == podValue) {
+ return true
+ }
+ }
+ return false
+}
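Review bot: The duplicate-UID check in preCheck only reads each container's own `SecurityContext.RunAsUser`; a UID set once at pod level in `pod.Spec.SecurityContext.RunAsUser` is inherited by every container that does not override it and is never compared with `i.cfg.SidecarContainer.UID`, so a pod that runs all its containers as the sidecar UID passes the check even though, per the comment earlier in this hunk, that traffic is exempt from redirection. The init-container warning loop has the same gap, and neither loop can see a UID that comes only from the image's USER directive, which deserves a comment on the loop. Separately, in needToInject the result of `log.WithValues("name", pod.Name, "namespace", pod.Namespace)` is discarded, so the V(1) messages below it carry no pod context; binding it as `logger := log.WithValues(...)` and logging through that fixes it. The fallback below is what I would use for the container loop.
```go
	// A pod-level RunAsUser applies to every container that does not set its own.
	var podUID *int64
	if pod.Spec.SecurityContext != nil {
		podUID = pod.Spec.SecurityContext.RunAsUser
	}
	for _, c := range pod.Spec.Containers {
		uid := podUID
		if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
			uid = c.SecurityContext.RunAsUser
		}
		if uid != nil && *uid == i.cfg.SidecarContainer.UID {
			duplicateUidContainers = append(duplicateUidContainers, c.Name)
		}
	}
	// … unchanged: duplicateUidContainers error, needToInject, isInjectionException …
```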
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml
index 5cf0bd8a8bab..ecf0136b2742 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -158,6 +160,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml
index bd63179e76ce..3b4cfd877f35 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml
@@ -98,9 +98,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -166,6 +168,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml
index 7cdab2cef6be..966c04d4ff01 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml
@@ -105,9 +105,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -250,6 +252,7 @@ spec:
 - name: coredns-token-9gmrh
 secret:
 secretName: coredns-token-9gmrh
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml
index f99828835d41..3e3de8ed70fd 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -158,6 +160,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml
index a14acb378d8c..aea4a3db93be 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml
@@ -98,9 +98,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -149,6 +151,7 @@ spec:
 runAsGroup: 0
 runAsUser: 0
 volumes:
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml
index 5da665df7164..136a645de8e0 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml
@@ -98,9 +98,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -159,6 +161,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml
index 5cf0bd8a8bab..ecf0136b2742 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -158,6 +160,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml
index 1de647377ce1..1cdbda80c5e8 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml
@@ -100,9 +100,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -161,6 +163,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml
index ec9485ac420a..2731c9da816a 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml
@@ -99,9 +99,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -160,6 +162,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml
index 908bc0902f51..e6df431007aa 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.10.golden.yaml
@@ -98,9 +98,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -159,6 +161,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml
index b004b0384a5d..64027b9e18ef 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -158,6 +160,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml
index bdf3f32d320d..c7c09a3b58e6 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -158,6 +160,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
index d4ee9a0c3c20..83fbee65c3a4 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -170,6 +172,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
index debf44f931b3..deea5d69b190 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -170,6 +172,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
index 0e3ac5dbe886..65ca89077eac 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -170,6 +172,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
index 8094d27a6ba4..6dc387bd75bf 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
@@ -99,9 +99,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -167,6 +169,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
index 6f8b04687fe3..73fa71c4b1e8 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
@@ -99,9 +99,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -167,6 +169,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
index 961b31e0c1d7..5f3e72fd27b0 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
@@ -99,9 +99,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -167,6 +169,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
index 9bf31fe0b8c8..e69bd0ecf867 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -176,6 +178,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
index 8b103b71f2b9..e19df0f9133f 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.20.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -176,6 +178,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
index 4b8a0695cd5d..23150717feb0 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -183,6 +185,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
index ad603d7e2ed0..0d87c371da58 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
@@ -103,9 +103,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -171,6 +173,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
index 3b50a380b657..229a41ed50e5 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
@@ -114,9 +114,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -185,6 +187,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml
index 2662813d04e5..4caddee8e814 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml
@@ -115,9 +115,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -186,6 +188,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml
index 218b2bd54c9b..442e458653f6 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.25.golden.yaml
@@ -114,9 +114,11 @@ spec:
 limits:
 cpu: 8500m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -185,6 +187,7 @@ spec:
 - name: default-token-w7dxf
 secret:
 secretName: default-token-w7dxf
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml
index 9683c09c37a2..2e1a917cfcf3 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.26.golden.yaml
@@ -99,9 +99,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -160,6 +162,7 @@ spec:
 audience: https://kubernetes.default.svc.cluster.local
 expirationSeconds: 7200
 path: token
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml
index befee3383d19..7076b1ce2348 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.27.golden.yaml
@@ -98,9 +98,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -149,6 +151,7 @@ spec:
 runAsGroup: 0
 runAsUser: 0
 volumes:
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml
index 47105ddd3ebd..399685c8c622 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.28.golden.yaml
@@ -102,9 +102,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 privileged: false
 readOnlyRootFilesystem: true
@@ -156,6 +158,7 @@ spec:
 - NET_RAW
 runAsGroup: 0
 volumes:
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml
index b7d73102352e..8aa0776f5d64 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.29.golden.yaml
@@ -110,9 +110,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -164,6 +166,7 @@ spec:
 runAsGroup: 0
 runAsUser: 0
 volumes:
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml
index 6a2cc5ad99fc..3be23a9d1162 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.30.golden.yaml
@@ -102,9 +102,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -173,7 +175,8 @@ spec:
 mountPropagation: Bidirectional
 name: bpf-fs
 volumes:
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 - hostPath:
 path: /sys/fs/cgroup
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml
index d0d3145a2fec..b356ce0e1011 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.31.golden.yaml
@@ -97,9 +97,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -159,6 +161,7 @@ spec:
 runAsGroup: 0
 runAsUser: 0
 volumes:
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml
index 7bfdf252617f..0c13f6f3bae9 100644
--- a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.32.golden.yaml
@@ -98,9 +98,11 @@ spec:
 limits:
 cpu: 1100m
 memory: 1512Mi
+ ephemeral-storage: 1G
 requests:
 cpu: 150m
 memory: 164Mi
+ ephemeral-storage: 50M
 securityContext:
 readOnlyRootFilesystem: true
 runAsGroup: 5678
@@ -152,6 +154,7 @@ spec:
 name: busybox
 resources: {}
 volumes:
- - emptyDir: {}
+ - emptyDir:
+ sizeLimit: 10M
 name: kuma-sidecar-tmp
 status: {}