request NET_RAW capabilities in CNI manifests (#2063)

* request NET_RAW capabilities in CNI manifests * add request NET_RAW capabilities in chart and jsonnet * update format
aws · Oct 25, 2022 · 9bee3e4 · 9bee3e4
1 parent 7eeb2a9
commit 9bee3e4
Show file tree

Hide file tree

Showing 9 changed files with 9 additions and 2 deletions.
diff --git a/charts/aws-vpc-cni/README.md b/charts/aws-vpc-cni/README.md
@@ -63,7 +63,7 @@ The following table lists the configurable parameters for this chart and their d
 | `podLabels`             | Labels to add to each pod                               | `{}`                                |
 | `priorityClassName`     | Name of the priorityClass                               | `system-node-critical`              |
 | `resources`             | Resources for the pods                                  | `requests.cpu: 10m`                 |
-| `securityContext`       | Container Security context                              | `capabilities: add: - "NET_ADMIN"`  |
+| `securityContext`       | Container Security context                              | `capabilities: add: - "NET_ADMIN" - "NET_RAW"`  |
 | `serviceAccount.name`   | The name of the ServiceAccount to use                   | `nil`                               |
 | `serviceAccount.create` | Specifies whether a ServiceAccount should be created    | `true`                              |
 | `serviceAccount.annotations` | Specifies the annotations for ServiceAccount       | `{}`                                |

diff --git a/charts/aws-vpc-cni/test.yaml b/charts/aws-vpc-cni/test.yaml
@@ -67,6 +67,7 @@ securityContext:
   capabilities:
     add:
     - "NET_ADMIN"
+    - "NET_RAW"
 
 crd:
   create: true

diff --git a/charts/aws-vpc-cni/values.yaml b/charts/aws-vpc-cni/values.yaml
@@ -79,6 +79,7 @@ securityContext:
   capabilities:
     add:
     - "NET_ADMIN"
+    - "NET_RAW"
 
 crd:
   create: true

diff --git a/config/master/aws-k8s-cni-cn.yaml b/config/master/aws-k8s-cni-cn.yaml
@@ -219,6 +219,7 @@ spec:
             capabilities:
               add:
               - NET_ADMIN
+              - NET_RAW
           volumeMounts:
           - mountPath: /host/opt/cni/bin
             name: cni-bin-dir

diff --git a/config/master/aws-k8s-cni-us-gov-east-1.yaml b/config/master/aws-k8s-cni-us-gov-east-1.yaml
@@ -219,6 +219,7 @@ spec:
             capabilities:
               add:
               - NET_ADMIN
+              - NET_RAW
           volumeMounts:
           - mountPath: /host/opt/cni/bin
             name: cni-bin-dir

diff --git a/config/master/aws-k8s-cni-us-gov-west-1.yaml b/config/master/aws-k8s-cni-us-gov-west-1.yaml
@@ -219,6 +219,7 @@ spec:
             capabilities:
               add:
               - NET_ADMIN
+              - NET_RAW
           volumeMounts:
           - mountPath: /host/opt/cni/bin
             name: cni-bin-dir

diff --git a/config/master/aws-k8s-cni.yaml b/config/master/aws-k8s-cni.yaml
@@ -219,6 +219,7 @@ spec:
             capabilities:
               add:
               - NET_ADMIN
+              - NET_RAW
           volumeMounts:
           - mountPath: /host/opt/cni/bin
             name: cni-bin-dir

diff --git a/config/master/manifests.jsonnet b/config/master/manifests.jsonnet
@@ -199,7 +199,7 @@ local awsnode = {
                 requests: {cpu: "25m"},
               },
               securityContext: {
-                capabilities: {add: ["NET_ADMIN"]},
+                capabilities: {add: ["NET_ADMIN", "NET_RAW"]},
               },
               volumeMounts: [
                 {mountPath: "/host/opt/cni/bin", name: "cni-bin-dir"},

diff --git a/test/e2e/snat/snat_test.go b/test/e2e/snat/snat_test.go
@@ -141,6 +141,7 @@ func ValidateIPTableRules(randomizedSNATValue string, numOfCidrs int) {
 		Command([]string{"./snat-utils"}).
 		CapabilitiesForSecurityContext([]corev1.Capability{
 			"NET_ADMIN",
+			"NET_RAW",
 		}, nil).
 		Args(testerArgs).
 		Build()