remove-psp-in-flannel (#9365)

2025-12-15 22:34:21 +03:00 · 2022-10-14 15:16:47 +08:00
parent 131bd933a6
commit 859df84b45
2 changed files with 9 additions and 54 deletions
--- a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
@@ -79,7 +79,7 @@ spec:
        securityContext:
          privileged: false
          capabilities:
-            add: ["NET_ADMIN"]
+            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
@@ -89,11 +89,15 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
+        - name: EVENT_QUEUE_DEPTH
+          value: "5000"
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
@@ -146,6 +150,10 @@ spec:
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
        - name: cni-plugin
          hostPath:
            path: /opt/cni/bin