Closed lahabana closed 5 months ago
Here's the init-containers for a Pod:
```yaml
initContainers:
- args:
  - --redirect-outbound-port
  - "15001"
  - --redirect-inbound=true
  - --redirect-inbound-port
  - "15006"
  - --redirect-inbound-port-v6
  - "15010"
  - --kuma-dp-uid
  - "5678"
  - --exclude-inbound-ports
  - ""
  - --exclude-outbound-ports
  - ""
  - --verbose
  - --redirect-all-dns-traffic
  - --redirect-dns-port
  - "15053"
  command:
  - /usr/bin/kumactl
  - install
  - transparent-proxy
  image: docker.io/kong/kuma-init:0.0.0-preview.vf0ebdfa65
  imagePullPolicy: IfNotPresent
  name: kuma-init
  resources:
    limits:
      cpu: 100m
      memory: 50M
    requests:
      cpu: 20m
      memory: 20M
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
      - NET_RAW
    runAsGroup: 0
    runAsUser: 0
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: kube-api-access-bgpfv
    readOnly: true
```
Few things to notice:

- `/tmp` as an `emptyDir`, we'll need to have a size and add request/limits on it
- `drop: all` to start and add back selective capabilities we need.

We're doing similar work for the sidecar container so checking it might help in defining the right config.

xref https://github.com/kumahq/kuma/issues/6714
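The two points in the list above (no `drop: all` before capabilities are added back, and `/tmp` backed by a sized `emptyDir`) can be checked mechanically against a container spec. The following is an added example, not part of the original issue and not Kuma code: `audit_container`, its finding strings, the pod volume list, the `tmp` volume name, the `10M` size and the add-back capability list are all assumptions made for illustration.

```python
# Added example, not Kuma code. audit_container and its finding strings are hypothetical.

def audit_container(container, pod_volumes):
    """Return hardening findings for one container spec given as a dict."""
    findings = []
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    if "ALL" not in {c.upper() for c in caps.get("drop") or []}:
        added = ", ".join(caps.get("add") or []) or "none"
        findings.append(f"capabilities: no drop ALL (added: {added})")

    volumes = {v["name"]: v for v in pod_volumes}
    tmp_mount = next((m for m in container.get("volumeMounts") or []
                      if m.get("mountPath", "").rstrip("/") == "/tmp"), None)
    if tmp_mount is None:
        findings.append("/tmp: not mounted from a volume")
    else:
        vol = volumes.get(tmp_mount["name"], {})
        if "emptyDir" not in vol:
            findings.append("/tmp: volume is not an emptyDir")
        elif not (vol["emptyDir"] or {}).get("sizeLimit"):
            findings.append("/tmp: emptyDir has no sizeLimit")
    return findings

# Init container as posted in the issue, reduced to the fields the audit reads.
# The pod-level volume list is constructed; the issue does not show it.
SA_MOUNT = {"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
            "name": "kube-api-access-bgpfv", "readOnly": True}
CURRENT_INIT = {
    "name": "kuma-init",
    "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]},
                        "runAsGroup": 0, "runAsUser": 0},
    "volumeMounts": [SA_MOUNT],
}
CURRENT_VOLUMES = [{"name": "kube-api-access-bgpfv", "projected": {}}]

# Constructed variant with the proposed changes; volume name "tmp" and the
# 10M size are made-up values, and the add-back list is an assumption.
HARDENED_INIT = {
    "name": "kuma-init",
    "securityContext": {"capabilities": {"drop": ["ALL"],
                                         "add": ["NET_ADMIN", "NET_RAW"]},
                        "runAsGroup": 0, "runAsUser": 0},
    "volumeMounts": [SA_MOUNT, {"mountPath": "/tmp", "name": "tmp"}],
}
HARDENED_VOLUMES = CURRENT_VOLUMES + [{"name": "tmp", "emptyDir": {"sizeLimit": "10M"}}]

if __name__ == "__main__":
    for label, c, v in (("current", CURRENT_INIT, CURRENT_VOLUMES),
                        ("hardened", HARDENED_INIT, HARDENED_VOLUMES)):
        print(label, audit_container(c, v) or "no findings")
```

The audit only covers the `sizeLimit` on the `emptyDir`; it does not look at ephemeral-storage requests or limits.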