diff --git a/charts/kube-ovn/templates/ovncni-ds.yaml b/charts/kube-ovn/templates/ovncni-ds.yaml
index 818a44fd0e9..1f929bfa0b7 100644
--- a/charts/kube-ovn/templates/ovncni-ds.yaml
+++ b/charts/kube-ovn/templates/ovncni-ds.yaml
@@ -39,7 +39,9 @@ spec:
 chown -R nobody: /var/log/kube-ovn
 chmod g+r /run/xtables.lock
 chmod g+w /var/run/netns
+ {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
 iptables -V
+ {{- end }}
 securityContext:
 allowPrivilegeEscalation: true
 capabilities:
@@ -126,7 +128,9 @@ spec:
 - NET_BIND_SERVICE
 - NET_RAW
 - SYS_ADMIN
+ {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
 - SYS_MODULE
+ {{- end }}
 - SYS_NICE
 env:
 - name: ENABLE_SSL
diff --git a/charts/kube-ovn/templates/ovsovn-ds.yaml b/charts/kube-ovn/templates/ovsovn-ds.yaml
index c7599cc1be5..9a0d52f2d3b 100644
--- a/charts/kube-ovn/templates/ovsovn-ds.yaml
+++ b/charts/kube-ovn/templates/ovsovn-ds.yaml
@@ -49,7 +49,14 @@ spec:
 - -xec
 - |
 chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch
+ {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
 iptables -V
+ {{- else }}
+ ln -s /bin/true /usr/local/sbin/iptables
+ ln -s /bin/true /usr/local/sbin/modprobe
+ ln -s /bin/true /usr/local/sbin/modinfo
+ ln -s /bin/true /usr/local/sbin/rmmod
+ {{- end }}
 securityContext:
 allowPrivilegeEscalation: true
 capabilities:
@@ -81,18 +88,7 @@ spec:
 {{- if .Values.DPDK }}
 command: ["/kube-ovn/start-ovs-dpdk.sh"]
 {{- else }}
- command:
- {{- if .Values.DISABLE_MODULES_MANAGEMENT }}
- - /bin/sh
- - -ec
- - |
- ln -sf /bin/true /usr/sbin/modprobe
- ln -sf /bin/true /usr/sbin/modinfo
- ln -sf /bin/true /usr/sbin/rmmod
- exec /kube-ovn/start-ovs.sh
- {{- else }}
- - /kube-ovn/start-ovs.sh
- {{- end }}
+ command: ["/kube-ovn/start-ovs.sh"]
 {{- end }}
 securityContext:
 runAsUser: 65534
@@ -101,7 +97,9 @@ spec:
 add:
 - NET_ADMIN
 - NET_BIND_SERVICE
+ {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
 - SYS_MODULE
+ {{- end }}
 - SYS_NICE
 - SYS_ADMIN
 env:
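Review bot: With `DISABLE_MODULES_MANAGEMENT` set, this container loses `SYS_MODULE` in the capability list of ovncni-ds.yaml (hunk at -126), but unlike the init container in ovsovn-ds.yaml it gets no no-op stubs for `modprobe` or `iptables`. Any module load the CNI daemon still attempts would therefore fail instead of being skipped; whether it makes such calls is not visible in this diff. A comment above the conditional would record the precondition, e.g. `# SYS_MODULE is omitted only when the host already has the required kernel modules loaded`. The list still grants `SYS_ADMIN` and `NET_RAW`, so the flag narrows module loading only and should be documented that way rather than as a general hardening switch. The capability list begins and ends outside the hunk.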
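Review bot: The four added `ln -s` lines in the ovsovn-ds.yaml init script (hunk at -49) drop the `-f` that the removed main-container code used, and the script is started with `-xec`, so a failing `ln` aborts it. If the init container is re-run while `/usr/local/sbin` still holds the links (which it would if that path is a pod volume), `ln` reports that the file exists and the init container exits non-zero. Use `ln -sf /bin/true /usr/local/sbin/iptables` and likewise on the other three lines. Separately, stubbing `iptables` with `/bin/true` makes every rule insertion report success while installing nothing, which is wider than the flag name suggests. A comment such as `# iptables is a no-op in this mode; host firewall rules must be managed externally` would make that explicit.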
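Review bot: After the change to `command: ["/kube-ovn/start-ovs.sh"]` (hunk at -81) the main container no longer creates its own stubs, so with `DISABLE_MODULES_MANAGEMENT` set it relies entirely on the links the init container writes to `/usr/local/sbin`. That holds only if the directory is a volume mounted in both containers, precedes `/usr/sbin` in the `PATH` seen by `start-ovs.sh`, and the script never calls `modprobe` by absolute path; none of this is visible in the diff. If any of those assumptions fails, the script reaches the real `modprobe` without `SYS_MODULE`, which the following hunk removes. A comment next to the command would document the coupling, e.g. `# modprobe/modinfo/rmmod/iptables are stubbed in /usr/local/sbin by the init container when DISABLE_MODULES_MANAGEMENT is set`.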