Use initContainer for nginx ingress if it is old version

**Problem:** The nginx ingress daemonSet securityContext can not be applied to version before 0.16.0 **Solution:** When the nginx controller version is older than 0.16.0, we use the old way to set it up.
2025-08-30 13:02:45 +00:00 · 2019-01-29 21:30:26 +08:00 · 2019-01-29 21:30:26 +08:00 · 642970feb2
commit 642970feb2
parent 3094ac132d
2 changed files with 24 additions and 0 deletions
--- a/cluster/addons.go
+++ b/cluster/addons.go
@ -439,6 +439,16 @@ func (c *Cluster) deployIngress(ctx context.Context) error {
 		IngressImage:   c.SystemImages.Ingress,
 		IngressBackend: c.SystemImages.IngressBackend,
 	}
+	// since nginx ingress controller 0.16.0, it can be run as non-root and doesn't require privileged anymore.
+	// So we can use securityContext instead of setting privileges via initContainer.
+	ingressSplits := strings.SplitN(c.SystemImages.Ingress, ":", 2)
+	if len(ingressSplits) == 2 {
+		version := strings.Split(ingressSplits[1], "-")[0]
+		if version < "0.16.0" {
+			ingressConfig.AlpineImage = c.SystemImages.Alpine
+		}
+	}
+
 	// Currently only deploying nginx ingress controller
 	ingressYaml, err := addons.GetNginxIngressManifest(ingressConfig)
 	if err != nil {
--- a/templates/nginx-ingress.go
+++ b/templates/nginx-ingress.go
@ -193,6 +193,18 @@ spec:
      {{if eq .RBACConfig "rbac"}}
      serviceAccountName: nginx-ingress-serviceaccount
      {{ end }}
+      {{- if ne .AlpineImage ""}}
+      initContainers:
+      - command:
+        - sh
+        - -c
+        - sysctl -w net.core.somaxconn=32768; sysctl -w net.ipv4.ip_local_port_range="1024 65535"
+        image: {{.AlpineImage}}
+        imagePullPolicy: IfNotPresent
+        name: sysctl
+        securityContext:
+          privileged: true
+      {{- end }}
      containers:
        - name: nginx-ingress-controller
          image: {{.IngressImage}}
@ -206,6 +218,7 @@ spec:
          {{ range $k, $v := .ExtraArgs }}
            - --{{ $k }}{{if ne $v "" }}={{ $v }}{{end}}
          {{ end }}
+          {{- if eq .AlpineImage ""}}
          securityContext:
            capabilities:
                drop:
@ -213,6 +226,7 @@ spec:
                add:
                - NET_BIND_SERVICE
            runAsUser: 33
+          {{- end }}
          env:
            - name: POD_NAME
              valueFrom: