Disable konnectivity agent control plane proxy if not used

The control plane proxy provided by konnectivity agent is only used if k0s is running in tunneled networking mode. The konnectivity agent starts it by default. Explicitly disable konnectivity's NodeToMasterTraffic feature gate if not using tunneled networking mode, so that the unused proxy isn't launched in that case. Signed-off-by: Tom Wieczorek <[email protected]>
wizpresso-steve-cy-fan · Dec 19, 2022 · 5c89685 · 5c89685
1 parent a6b8efd
commit 5c89685
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/pkg/component/controller/konnectivity.go b/pkg/component/controller/konnectivity.go
@@ -359,9 +359,9 @@ spec:
       priorityClassName: system-cluster-critical
       tolerations:
         - operator: Exists
-      {{ if .TunneledNetworkingMode }}
+      {{- if .TunneledNetworkingMode }}
       hostNetwork: true
-      {{ end }}
+      {{- end }}
       containers:
         - image: {{ .Image }}
           imagePullPolicy: {{ .PullPolicy }}
@@ -387,11 +387,13 @@ spec:
                   "--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token",
                   "--agent-identifiers=host=$(NODE_IP)",
                   "--agent-id=$(NODE_IP)",
-                  {{ if .TunneledNetworkingMode }}
+                  {{- if .TunneledNetworkingMode }}
                   # agent need to listen on the node ip to be on pair with the tunneled network reconciler
                   "--bind-address=$(NODE_IP)",
                   "--apiserver-port-mapping=6443:localhost:{{.KASPort}}"
-                  {{ end }} 
+                  {{- else }}
+                  "--feature-gates=NodeToMasterTraffic=false"
+                  {{- end }}
                   ]
           volumeMounts:
             - mountPath: /var/run/secrets/tokens