Noop container image problems #10679
Hi,
We have an RKE2 k8s cluster based on Kubernetes 1.25 in a private organization. We want to use linkerd stable-2.12.4 in HA mode with the linkerd-cni plugin enabled so we don't have the proxy-init container in our pods. The problem is that every pod injected with linkerd wants to run a noop container with the image gcr.io/google_containers/pause:3.2. Kubernetes can't download this image from the Internet because we have to use an Artifactory private registry.
I tried a clean install by linkerd CLI or Helm charts. I was looking to override this image with our private image repo address, but I can't find it in any of the k8s manifests. Noop container appears always when I install linkerd with We can't use default linkerd-init containers (
Any ideas how to override the image for this container? Or can we somehow disable it?
Kind Regards,
Hi Darek,
Unfortunately, as a result of poor interoperability between certain CNI network policy engines and k8s' lifecycle hooks, we had to introduce a noop container to ensure workloads come up successfully. For more context, you can check #9504.
We have replaced the noop container with an iptables validator for CNI plugins, and this will ship as part of 2.13. The validator will use the same image as the proxy, which means you can import it into your own registry. At the moment, you cannot change the noop container's registry or disable it.
You can use an edge version if you want, that should include the validator instead of the noop container.