Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removed hostNetwork: true from linkerd-cni Helm chart templates #11158

Merged
merged 5 commits into from
Aug 3, 2023
Merged

Removed hostNetwork: true from linkerd-cni Helm chart templates #11158

merged 5 commits into from
Aug 3, 2023

Conversation

abhijeetgauravm
Copy link
Contributor

@abhijeetgauravm abhijeetgauravm commented Jul 24, 2023
edited
Loading

Problem - Current does Linkerd CNI Helm chart templates have hostNetwork: true set which is unnecessary and less secure.

Solution - Removed hostNetwork: true from linkerd-cni Helm chart templates

This PR Fixes #11141

Signed-off-by: Abhijeet Gaurav [email protected]

@abhijeetgauravm abhijeetgauravm requested a review from a team as a code owner July 24, 2023 11:44
alpeb
alpeb reviewed Jul 24, 2023
View reviewed changes
Copy link
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @abhijeetgauravm . Can you please remove those lines altogether instead of replacing them with blank lines?

@abhijeetgauravm
Copy link
Contributor Author

ok sure! @alpeb

@abhijeetgauravm
Copy link
Contributor Author

Done Sir! @alpeb

alpeb
alpeb requested changes Jul 26, 2023
View reviewed changes
Copy link
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please run go test ./... -update to update the unit test fixtures with changes from these templates.
Also please remove this entry.

@abhijeetgauravm
Copy link
Contributor Author

abhijeetgauravm commented Jul 30, 2023
edited
Loading

@alpeb removed that entry u mentioned but dont able to run go test ./... -update in my terminal even having recent version of go installed!

alpeb
alpeb approved these changes Jul 31, 2023
View reviewed changes
Copy link
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've pushed the golden file updates into your branch, and CI is green now 👍

@abhijeetgauravm
Copy link
Contributor Author

@alpeb Thanks!

@alpeb alpeb merged commit bca15f5 into linkerd:main Aug 3, 2023
35 checks passed
@hawkw hawkw added this to the stable-2.13.6 milestone Aug 8, 2023
hawkw pushed a commit that referenced this pull request Aug 9, 2023
@abhijeetgauravm @alpeb @hawkw
Removed hostNetwork: true from linkerd-cni Helm chart templates (#11158)
874e603 
Problem - Current does Linkerd CNI Helm chart templates have hostNetwork: true set which is unnecessary and less secure.

Solution - Removed hostNetwork: true from linkerd-cni Helm chart templates

PR Fixes #11141 
---------

Signed-off-by: Abhijeet Gaurav <[email protected]>
Co-authored-by: Alejandro Pedraza <[email protected]>
hawkw added a commit that referenced this pull request Aug 9, 2023
@hawkw
stable-2.13.6
5d67ede 
This stable release fixes a regression introduced in stable-2.13.0 which
resulted in proxies shedding load too aggressively while under moderate
request load to a single service ([#11055]). In addition, it updates the
base image for the `linkerd-cni` initcontainer to resolve a CVE in
`libdb` ([#11196]), fixes a race condition in the Destination controller
that could cause it to crash ([#11163]), as well as fixing a number of
other issues.

* Control Plane
  * Fixed a race condition in the destination controller that could
    cause it to panic ([#11169]; fixes [#11193])
  * Improved the granularity of logging levels in the control plane
    ([#11147])
  * Replaced incorrect `server_port_subscribers` gauge in the
    Destination controller's metrics with `server_port_subscribes` and
    `server_port_unsubscribes` counters ([#11206]; fixes [#10764])

* Proxy
  * Changed the default HTTP request queue capacities for the inbound
    and outbound proxies back to 10,000 requests ([#11198]; fixes
    [#11055])

* CLI
  * Updated extension CLI commands to prefer the `--registry` flag over
    the `LINKERD_DOCKER_REGISTRY` environment variable, making the
    precedence more consistent (thanks @harsh020!) (see [#11144])

* CNI
  * Updated `linkerd-cni` base image to resolve [CVE-2019-8457] in
    `libdb` ([#11196])
  * Changed the CNI plugin installer to always run in 'chained' mode;
    the plugin will now wait until another CNI plugin is installed
    before appending its configuration ([#10849])
  * Removed `hostNetwork: true` from linkerd-cni Helm chart templates
    ([#11158]; fixes [#11141]) (thanks @abhijeetgauravm!)

* Multicluster
  * Fixed the `linkerd multicluster check` command failing in the
    presence of lots of mirrored services ([#10764])

[#10764]: #10764
[#10849]: #10849
[#11055]: #11055
[#11141]: #11141
[#11144]: #11144
[#11147]: #11147
[#11158]: #11158
[#11163]: #11163
[#11169]: #11169
[#11196]: #11196
[#11198]: #11198
[#11206]: #11206
[CVE-2019-8457]: https://avd.aquasec.com/nvd/2019/cve-2019-8457/
@hawkw hawkw mentioned this pull request Aug 9, 2023
Merged
hawkw added a commit that referenced this pull request Aug 9, 2023
@hawkw
stable-2.13.6
7387b54 
This stable release fixes a regression introduced in stable-2.13.0 which
resulted in proxies shedding load too aggressively while under moderate
request load to a single service ([#11055]). In addition, it updates the
base image for the `linkerd-cni` initcontainer to resolve a CVE in
`libdb` ([#11196]), fixes a race condition in the Destination controller
that could cause it to crash ([#11163]), as well as fixing a number of
other issues.

* Control Plane
  * Fixed a race condition in the destination controller that could
    cause it to panic ([#11169]; fixes [#11193])
  * Improved the granularity of logging levels in the control plane
    ([#11147])
  * Replaced incorrect `server_port_subscribers` gauge in the
    Destination controller's metrics with `server_port_subscribes` and
    `server_port_unsubscribes` counters ([#11206]; fixes [#10764])

* Proxy
  * Changed the default HTTP request queue capacities for the inbound
    and outbound proxies back to 10,000 requests ([#11198]; fixes
    [#11055])

* CLI
  * Updated extension CLI commands to prefer the `--registry` flag over
    the `LINKERD_DOCKER_REGISTRY` environment variable, making the
    precedence more consistent (thanks @harsh020!) (see [#11144])

* CNI
  * Updated `linkerd-cni` base image to resolve [CVE-2019-8457] in
    `libdb` ([#11196])
  * Changed the CNI plugin installer to always run in 'chained' mode;
    the plugin will now wait until another CNI plugin is installed
    before appending its configuration ([#10849])
  * Removed `hostNetwork: true` from linkerd-cni Helm chart templates
    ([#11158]; fixes [#11141]) (thanks @abhijeetgauravm!)

* Multicluster
  * Fixed the `linkerd multicluster check` command failing in the
    presence of lots of mirrored services ([#10764])

[#10764]: #10764
[#10849]: #10849
[#11055]: #11055
[#11141]: #11141
[#11144]: #11144
[#11147]: #11147
[#11158]: #11158
[#11163]: #11163
[#11169]: #11169
[#11196]: #11196
[#11198]: #11198
[#11206]: #11206
[CVE-2019-8457]: https://avd.aquasec.com/nvd/2019/cve-2019-8457/
hawkw added a commit that referenced this pull request Aug 9, 2023
@hawkw
stable-2.13.6
7b54511 
This stable release fixes a regression introduced in stable-2.13.0 which
resulted in proxies shedding load too aggressively while under moderate
request load to a single service ([#11055]). In addition, it updates the
base image for the `linkerd-cni` initcontainer to resolve a CVE in
`libdb` ([#11196]), fixes a race condition in the Destination controller
that could cause it to crash ([#11163]), as well as fixing a number of
other issues.

* Control Plane
  * Fixed a race condition in the destination controller that could
    cause it to panic ([#11169]; fixes [#11193])
  * Improved the granularity of logging levels in the control plane
    ([#11147])

* Proxy
  * Changed the default HTTP request queue capacities for the inbound
    and outbound proxies back to 10,000 requests ([#11198]; fixes
    [#11055])

* CLI
  * Updated extension CLI commands to prefer the `--registry` flag over
    the `LINKERD_DOCKER_REGISTRY` environment variable, making the
    precedence more consistent (thanks @harsh020!) (see [#11144])

* CNI
  * Updated `linkerd-cni` base image to resolve [CVE-2019-8457] in
    `libdb` ([#11196])
  * Changed the CNI plugin installer to always run in 'chained' mode;
    the plugin will now wait until another CNI plugin is installed
    before appending its configuration ([#10849])
  * Removed `hostNetwork: true` from linkerd-cni Helm chart templates
    ([#11158]; fixes [#11141]) (thanks @abhijeetgauravm!)

* Multicluster
  * Fixed the `linkerd multicluster check` command failing in the
    presence of lots of mirrored services ([#10764])

[#10764]: #10764
[#10849]: #10849
[#11055]: #11055
[#11141]: #11141
[#11144]: #11144
[#11147]: #11147
[#11158]: #11158
[#11163]: #11163
[#11169]: #11169
[#11196]: #11196
[#11198]: #11198
[CVE-2019-8457]: https://avd.aquasec.com/nvd/2019/cve-2019-8457/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mateiidavid mateiidavid mateiidavid approved these changes

@alpeb alpeb alpeb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
stable-2.13.6
Development

Successfully merging this pull request may close these issues.

Remove hostNetwork: true from linkerd-cni Helm chart templates
4 participants
@abhijeetgauravm @alpeb @mateiidavid @hawkw