Fix linkerd-cni when using native sidecars (#362)

alpeb · web-flow · commit 295008c458e8 · 2024-04-16T14:43:16.000+01:00
Fixes linkerd/linkerd2#11597 When the cni plugin is triggered, it validates that the proxy has been injected into the pod before setting up the iptables rules. It does so by looking for the "linkerd-proxy" container. However, when the proxy is injected as a native sidecar, it gets added as an _init_ container, so it was being disregarded here. We don't have integration tests for validating native sidecars when using linkerd-cni because [Calico doesn't work in k3s since k8s 1.27](k3d-io/k3d#1375), and we require k8s 1.29 for using native sidecars. I did nevertheless successfully test this fix in an AKS cluster.
diff --git a/cni-plugin/main.go b/cni-plugin/main.go
@@ -193,14 +193,6 @@ func cmdAdd(args *skel.CmdArgs) error {
 			return err
 		}
 
-		containsLinkerdProxy := false
-		for _, container := range pod.Spec.Containers {
-			if container.Name == "linkerd-proxy" {
-				containsLinkerdProxy = true
-				break
-			}
-		}
-
 		containsInitContainer := false
 		for _, container := range pod.Spec.InitContainers {
 			if container.Name == "linkerd-init" {
@@ -209,7 +201,7 @@ func cmdAdd(args *skel.CmdArgs) error {
 			}
 		}
 
-		if containsLinkerdProxy && !containsInitContainer {
+		if !containsInitContainer && containsLinkerdProxy(&pod.Spec) {
 			logEntry.Debugf("linkerd-cni: setting up iptables firewall for %s/%s", namespace, pod)
 			options := cmd.RootOptions{
 				IncomingProxyPort:     conf.ProxyInit.IncomingProxyPort,
@@ -366,6 +358,23 @@ func cmdDel(_ *skel.CmdArgs) error {
 	return nil
 }
 
+func containsLinkerdProxy(spec *v1.PodSpec) bool {
+	for _, container := range spec.Containers {
+		if container.Name == "linkerd-proxy" {
+			return true
+		}
+	}
+
+	// native sidecar proxy
+	for _, container := range spec.InitContainers {
+		if container.Name == "linkerd-proxy" {
+			return true
+		}
+	}
+
+	return false
+}
+
 func getAPIServerPorts(ctx context.Context, api *kubernetes.Clientset) ([]string, error) {
 	service, err := api.CoreV1().Services("default").Get(ctx, "kubernetes", metav1.GetOptions{})
 	if err != nil {
