From 642970feb2f4af89834adb4fb65b3a7f6274308b Mon Sep 17 00:00:00 2001
From: orangedeng
Date: Tue, 29 Jan 2019 21:30:26 +0800
Subject: [PATCH] Use initContainer for nginx ingress if it is old version
**Problem:** The nginx ingress daemonSet securityContext can not be applied to version before 0.16.0
**Solution:** When the nginx controller version is older than 0.16.0, we use the old way to set it up.
---
 cluster/addons.go | 10 ++++++++++
 templates/nginx-ingress.go | 14 ++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/cluster/addons.go b/cluster/addons.go
index dcb5b2af..806ebd2f 100644
--- a/cluster/addons.go
+++ b/cluster/addons.go
@@ -439,6 +439,16 @@ func (c *Cluster) deployIngress(ctx context.Context) error {
 IngressImage: c.SystemImages.Ingress,
 IngressBackend: c.SystemImages.IngressBackend,
 }
+ // since nginx ingress controller 0.16.0, it can be run as non-root and doesn't require privileged anymore.
+ // So we can use securityContext instead of setting privileges via initContainer.
+ ingressSplits := strings.SplitN(c.SystemImages.Ingress, ":", 2)
+ if len(ingressSplits) == 2 {
+ version := strings.Split(ingressSplits[1], "-")[0]
+ if version < "0.16.0" {
+ ingressConfig.AlpineImage = c.SystemImages.Alpine
+ }
+ }
+
 // Currently only deploying nginx ingress controller
 ingressYaml, err := addons.GetNginxIngressManifest(ingressConfig)
 if err != nil {
diff --git a/templates/nginx-ingress.go b/templates/nginx-ingress.go
index 5f2463c0..72cb2ba7 100644
--- a/templates/nginx-ingress.go
+++ b/templates/nginx-ingress.go
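Review bot: `if version < "0.16.0"` compares the tag lexicographically, so the privileged init container is added or withheld for the wrong versions: "0.9.0" sorts after "0.16.0" and is treated as a new controller, while a future "0.100.0" sorts before it and gets the privileged init container back. The `SplitN(..., ":", 2)` on the whole reference also misfires for images with a registry port (`registry:5000/nginx-ingress:0.21.0`), where `ingressSplits[1]` is the port plus path rather than the tag. Compare the dotted components numerically (or use a semver library if the project already vendors one), take the tag from the part after the last "/", and keep the non-privileged path as the default whenever the tag cannot be parsed, since that is the least-privilege outcome; the helpers below need `strconv` imported. deployIngress starts and ends outside the hunk.
```go
	// … unchanged: ingressConfig construction …
	// Controllers from 0.16.0 run as non-root under a capability whitelist; older ones
	// still need the privileged sysctl init container. Unparseable tags fall through to
	// the non-privileged path so a malformed tag never grants privilege by accident.
	if tag, ok := imageTag(c.SystemImages.Ingress); ok && versionBefore(tag, "0.16.0") {
		ingressConfig.AlpineImage = c.SystemImages.Alpine
	}
	// … unchanged: GetNginxIngressManifest call …
}

// imageTag returns the tag of an image reference, ignoring a registry port and
// any "-suffix" (e.g. "-rancher1"). ok is false when the reference has no tag.
func imageTag(image string) (tag string, ok bool) {
	name := image[strings.LastIndex(image, "/")+1:]
	i := strings.LastIndex(name, ":")
	if i < 0 {
		return "", false
	}
	return strings.Split(name[i+1:], "-")[0], true
}

// component parses the i-th dotted field of v, treating a missing field as 0;
// ok is false for anything non-numeric.
func component(v []string, i int) (n int, ok bool) {
	if i >= len(v) {
		return 0, true
	}
	n, err := strconv.Atoi(v[i])
	return n, err == nil
}

// versionBefore reports whether a is numerically older than b ("0.9.0" < "0.16.0",
// "0.16" == "0.16.0"); a leading "v" is tolerated and non-numeric tags return false.
func versionBefore(a, b string) bool {
	as := strings.Split(strings.TrimPrefix(a, "v"), ".")
	bs := strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, okA := component(as, i)
		y, okB := component(bs, i)
		if !okA || !okB {
			return false
		}
		if x != y {
			return x < y
		}
	}
	return false
}
```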
@@ -193,6 +193,18 @@ spec:
 {{if eq .RBACConfig "rbac"}}
 serviceAccountName: nginx-ingress-serviceaccount
 {{ end }}
+ {{- if ne .AlpineImage ""}}
+ initContainers:
+ - command:
+ - sh
+ - -c
+ - sysctl -w net.core.somaxconn=32768; sysctl -w net.ipv4.ip_local_port_range="1024 65535"
+ image: {{.AlpineImage}}
+ imagePullPolicy: IfNotPresent
+ name: sysctl
+ securityContext:
+ privileged: true
+ {{- end }}
 containers:
 - name: nginx-ingress-controller
 image: {{.IngressImage}}
@@ -206,6 +218,7 @@ spec:
 {{ range $k, $v := .ExtraArgs }}
 - --{{ $k }}{{if ne $v "" }}={{ $v }}{{end}}
 {{ end }}
+ {{- if eq .AlpineImage ""}}
 securityContext:
 capabilities:
 drop:
@@ -213,6 +226,7 @@ spec:
 add:
 - NET_BIND_SERVICE
 runAsUser: 33
+ {{- end }}
 env:
 - name: POD_NAME
 valueFrom:
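Review bot: The sysctl init container's command joins its two writes with `;`, so a rejected `net.core.somaxconn` write is ignored and the container still exits with the second command's status, silently leaving the node at its defaults; `sysctl -w net.core.somaxconn=32768 && sysctl -w net.ipv4.ip_local_port_range="1024 65535"` makes the init step fail visibly when either write is refused. `privileged: true` also grants that step every host capability and device, far more than writing two /proc/sys entries needs; where the target kubelets allow these sysctls, pod-level `securityContext.sysctls` would avoid a privileged container entirely, and either way any enforced PodSecurityPolicy must admit privileged pods in this namespace, which is worth stating in the commit message. Since the branch is gated only on `.AlpineImage`, a template comment at the `{{- if ne .AlpineImage ""}}` line such as `{{/* privileged sysctl initContainer: only rendered for controllers older than 0.16.0, see deployIngress */}}` would tell a reader why a privileged container appears at all.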
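Review bot: In the second hunk, wrapping the whole `securityContext:` in `{{- if eq .AlpineImage ""}}` means a pre-0.16.0 controller runs as root with the runtime's full default capability set — it loses the `capabilities.drop` list as well as `runAsUser: 33`. If the older images really cannot run under the capability whitelist (the commit message says the block cannot be applied; a root nginx master that switches workers to another user would indeed need more than NET_BIND_SERVICE, but that is inferred, not shown here), this is a deliberate privilege regression and deserves a comment on that line such as `{{/* controllers before 0.16.0 run as root and do not work under the capability whitelist; see deployIngress */}}`; if only `runAsUser` is the problem, keep the capability block unconditional and gate just that line. The container spec continues outside the hunk.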