From d5cc261fa89d4b824423ad13e1e7bdfb64af4df2 Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Wed, 24 Jan 2024 21:55:25 +0000
Subject: [PATCH] Only run flannel host-network CIS netpol controller when using canal CNI
This will leave the existing policy in place in case anyone was depending on it, but new clusters will not have it. Administrators can delete if if they wish, without risk of the controller putting it back.
Signed-off-by: Brad Davidson
(cherry picked from commit 18d5dbe9b1ebf2bdb6ea74b29b6d7104babbebda)
Signed-off-by: Brad Davidson
---
 pkg/controllers/cisnetworkpolicy/controller.go | 2 +-
 pkg/rke2/rke2.go | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/pkg/controllers/cisnetworkpolicy/controller.go b/pkg/controllers/cisnetworkpolicy/controller.go
index ae39b289de..b8e20f9bf6 100644
--- a/pkg/controllers/cisnetworkpolicy/controller.go
+++ b/pkg/controllers/cisnetworkpolicy/controller.go
@@ -34,7 +34,7 @@ func register(ctx context.Context,
 ctx: ctx,
 k8s: k8s,
 }
- logrus.Debugf("CISNetworkPolicyController: Registering controller hooks")
+ logrus.Debugf("CISNetworkPolicyController: Registering controller hooks for NetworkPolicy %s", flannelHostNetworkPolicyName)
 nodes.OnChange(ctx, "cisnetworkpolicy-node", h.handle)
 nodes.OnRemove(ctx, "cisnetworkpolicy-node", h.handle)
 return nil
diff --git a/pkg/rke2/rke2.go b/pkg/rke2/rke2.go
index ef38e92c9e..35ac9e514d 100644
--- a/pkg/rke2/rke2.go
+++ b/pkg/rke2/rke2.go
@@ -22,6 +22,7 @@ import (
 "github.com/pkg/errors"
 "github.com/rancher/rke2/pkg/controllers/cisnetworkpolicy"
 "github.com/rancher/rke2/pkg/images"
+ "github.com/rancher/wrangler/pkg/slice"
 "github.com/sirupsen/logrus"
 "github.com/urfave/cli"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -114,7 +115,8 @@ func Server(clx *cli.Context, cfg Config) error {
 var leaderControllers rawServer.CustomControllers
- if cisMode {
+ cnis := clx.StringSlice("cni")
+ if cisMode && (len(cnis) == 0 || slice.ContainsString(cnis, "canal")) {
 leaderControllers = append(leaderControllers, cisnetworkpolicy.Controller)
 }
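Review bot: The `len(cnis) == 0` branch of the new condition appears to encode "no `cni` value means the default CNI, which is canal", but nothing at the check says so, so a later change of the default would silently alter whether the flannel host-network policy controller is registered in CIS mode. I would put a comment directly above the `if`, for example `// An empty cni list selects the default CNI (canal), which needs the flannel host-network policy.` The match in `slice.ContainsString(cnis, "canal")` is exact, so it relies on the `cni` values having been validated and normalised (case, comma-joined entries) before this point; that validation is not visible in the hunk and is worth confirming. Because a CIS-mode server on another CNI now starts without this controller and leaves any existing policy unmanaged, a `logrus.Debugf` in the skipped case would let an operator auditing NetworkPolicies see why. Server's body begins and ends outside the hunk.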