install: Enable iptables in a cloud-api-adaptor pod

This patch updates the manifest of the cloud-api-adaptor daemonset to run the iptables command it. The cloud-api-adaptor daemonset runs in host network mode, and iptables can manage netfilter of the network namespace of the worker node. The iptables command needs to access a lock file and kernel modules in the host, and this patch adds volume mounts for them. Signed-off-by: Yohei Ueda <[email protected]>
confidential-containers · Aug 23, 2024 · f0fde55 · f0fde55
1 parent 6e87a6f
commit f0fde55
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/src/cloud-api-adaptor/install/yamls/caa-pod.yaml b/src/cloud-api-adaptor/install/yamls/caa-pod.yaml
@@ -59,6 +59,11 @@ spec:
         - mountPath: /run/netns
           mountPropagation: HostToContainer
           name: netns
+        - mountPath: /run/xtables.lock
+          name: xtables-lock
+        - mountPath: /lib/modules
+          name: lib-modules
+          readOnly: true
         # # setting for cloud provider external plugin
         # - mountPath: /cloud-providers
         #   name: provider-dir
@@ -83,6 +88,14 @@ spec:
       - hostPath:
           path: /run/netns
         name: netns
+      - hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+        name: xtables-lock
+      - hostPath:
+          path: /lib/modules
+          type: ""
+        name: lib-modules
       # # setting for cloud provider external plugin
       # - hostPath:
       #     path: /opt/cloud-api-adaptor/plugins