bugfix(Octavia): add capabilities to health-manager

Change-Id: Ic02d6823f94166b7c5c6b7669a030c008eaceeec
2025-06-05 00:56:55 +00:00
parent abd55b4a71
commit 22a0ee44b2
3 changed files with 27 additions and 10 deletions
--- a/octavia/templates/daemonset-health-manager.yaml
+++ b/octavia/templates/daemonset-health-manager.yaml
@@ -76,11 +76,7 @@ spec:
        - name: octavia-health-manager-nic-init
 {{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            runAsUser: 0
-            capabilities:
-              add:
-                - NET_ADMIN
+{{ dict "envAll" $envAll "application" "octavia_health_manager" "container" "octavia_health_manager_nic_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/octavia-health-manager-nic-init.sh
          volumeMounts:
@@ -96,11 +92,7 @@ spec:
        - name: octavia-health-manager
 {{ tuple $envAll "octavia_health_manager" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            runAsUser: 0
-            capabilities:
-              add:
-                - NET_ADMIN
+{{ dict "envAll" $envAll "application" "octavia_health_manager" "container" "octavia_health_manager" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/octavia-health-manager.sh
            - start
--- a/octavia/values.yaml
+++ b/octavia/values.yaml
@@ -590,6 +590,20 @@ pod:
      container:
        octavia_housekeeping:
          runAsUser: 42424
+    octavia_health_manager:
+      container:
+        octavia_health_manager_nic_init:
+          runAsUser: 0
+          capabilities:
+            add:
+              - NET_ADMIN
+              - NET_RAW
+              - NET_BIND_SERVICE
+        octavia_health_manager:
+          runAsUser: 0
+          capabilities:
+            add:
+              - NET_ADMIN
  affinity:
    anti:
      type:
--- a/releasenotes/notes/octavia-health-manager-net-caps-49adc645e1d03456.yaml
+++ b/releasenotes/notes/octavia-health-manager-net-caps-49adc645e1d03456.yaml
@@ -0,0 +1,11 @@
+---
+# To create a new release note related to a specific chart:
+# reno new <chart_name>
+#
+# To create a new release note for a common change (when multiple charts
+# are changed):
+# reno new common
+octavia:
+  - |
+    Health manager requires NET_RAW and NET_BIND_SERVICE for allowing ISC DHCPD to work
+...