FEATURE/MAJOR: Remove initContainers privileged container

dkorunic · dkorunic · commit 13e556863354 · 2022-04-26T15:23:10.000+02:00
Remove privileged initContainers container with
net.ipv4.ip_unprivileged_port_start sysctl in favor of native IC
rootless container in upcoming IC 1.8 release. Also install container
with unprivileged mode by default.

Signed-off-by: Dinko Korunic &lt;dkorunic@haproxy.com&gt;
diff --git a/kubernetes-ingress/templates/controller-daemonset.yaml b/kubernetes-ingress/templates/controller-daemonset.yaml
@@ -191,21 +191,9 @@ spec:
 {{ toYaml .Values.controller.extraVolumes | indent 8 }}
         {{- end }}
       {{- end }}
-      {{- if or .Values.controller.unprivileged .Values.controller.initContainers }}
+      {{- with.Values.controller.initContainers }}
       initContainers:
-        {{- if .Values.controller.unprivileged }}
-        - name: sysctl
-          image: busybox:musl
-          command:
-            - /bin/sh
-            - -c
-            - sysctl -w net.ipv4.ip_unprivileged_port_start=0
-          securityContext:
-            privileged: true
-        {{- end }}
-        {{- with.Values.controller.initContainers }}
           {{- toYaml . | nindent 8 }}
-        {{- end }}
       {{- end }}
       {{- with .Values.controller.nodeSelector }}
       nodeSelector:
diff --git a/kubernetes-ingress/templates/controller-deployment.yaml b/kubernetes-ingress/templates/controller-deployment.yaml
@@ -186,21 +186,9 @@ spec:
 {{ toYaml .Values.controller.extraVolumes | indent 8 }}
         {{- end }}
       {{- end }}
-      {{- if or .Values.controller.unprivileged .Values.controller.initContainers }}
+      {{- with.Values.controller.initContainers }}
       initContainers:
-        {{- if .Values.controller.unprivileged }}
-        - name: sysctl
-          image: busybox:musl
-          command:
-            - /bin/sh
-            - -c
-            - sysctl -w net.ipv4.ip_unprivileged_port_start=0
-          securityContext:
-            privileged: true
-        {{- end }}
-        {{- with.Values.controller.initContainers }}
           {{- toYaml . | nindent 8 }}
-        {{- end }}
       {{- end }}
       {{- with .Values.controller.nodeSelector }}
       nodeSelector:
diff --git a/kubernetes-ingress/values.yaml b/kubernetes-ingress/values.yaml
@@ -61,7 +61,7 @@ controller:
 
   ## Running container without root privileges
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  unprivileged: false
+  unprivileged: true
 
   ## Init Containers
   ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
