From f1c3671e57230fae79f8e2b4e9f439001b707449 Mon Sep 17 00:00:00 2001 From: Denis Meshkov Date: Mon, 19 Jan 2026 16:43:31 +0300 Subject: [PATCH 1/5] Added helm_lib_module_init_container_iptables_wrapper Signed-off-by: Denis Meshkov --- charts/helm_lib/Chart.yaml | 2 +- .../templates/_module_init_container.tpl | 32 +++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index 2451956..34d1cad 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.69.3 +version: 1.70.0 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/templates/_module_init_container.tpl b/charts/helm_lib/templates/_module_init_container.tpl index 4045af9..1eb34b5 100644 --- a/charts/helm_lib/templates/_module_init_container.tpl +++ b/charts/helm_lib/templates/_module_init_container.tpl 
@@ -64,3 +64,35 @@ requests: {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 6 }} {{- end }} + +{{- /* Usage: {{ include "helm_lib_module_init_container_iptables_wrapper" . }} */ -}} +{{- /* returns initContainer with iptables-wrapper */ -}} +{{- define "helm_lib_module_init_container_iptables_wrapper" -}} + {{- /* Template context with .Values, .Chart, etc */ -}} + - name: iptables-wrapper-init + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "NET_ADMIN" "NET_RAW")) | nindent 2 }} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + image: {{ include "helm_lib_module_image" (list . "iptablesWrapperInit") }} + command: + - /bin/bash + - -ec + - | + /usr/bin/cp /iptables-wrapper /sbin/ -rv + /usr/bin/cp /_sbin/* /sbin/ -rv + /usr/bin/cp /relocate/sbin/* /sbin/ -rv + /sbin/iptables --version + /usr/bin/rm /sbin/iptables-wrapper -v + volumeMounts: + - mountPath: /sbin + name: sbin + - name: xtables-lock + mountPath: /run/xtables.lock + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 6 }} + {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler") }} + {{- include "iptables_wrapper_init_resources" . | nindent 4 }} + {{- end }} +{{- end }} From 6151509b6baeaf4e861142c9d7c323343bcc94fb Mon Sep 17 00:00:00 2001 From: Denis Meshkov Date: Mon, 19 Jan 2026 17:00:51 +0300 Subject: [PATCH 2/5] added built doc Signed-off-by: Denis Meshkov --- charts/helm_lib/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md index 825aeb5..73012ed 100644 --- a/charts/helm_lib/README.md +++ b/charts/helm_lib/README.md 
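Review bot: The header comment on the new `helm_lib_module_init_container_iptables_wrapper` define names only the template context, but the rendered container has unstated prerequisites the caller must satisfy: volumes named `sbin` and `xtables-lock` must exist in the pod, and the module must ship an image keyed `iptablesWrapperInit`, otherwise `helm_lib_module_image` has nothing to resolve. The security posture is also unexplained: the define includes the read-only-root/drop-ALL helper and then overrides it with `runAsNonRoot: false`, `runAsUser: 0`, `runAsGroup: 0` plus `NET_ADMIN`/`NET_RAW`, which is a deliberate privilege grant that reviewers of consuming modules will want justified at the point of definition. Suggested comment block after the usage line: `{{- /* Caller must provide pod volumes "sbin" and "xtables-lock" and a module image "iptablesWrapperInit". Runs as uid 0 with NET_ADMIN/NET_RAW because it populates the shared /sbin volume and executes iptables; do not reuse for other init work. */ -}}`. Separately, the rendered securityContext in the later snapshot carries no `seccompProfile`, unlike the `check_linux_kernel` snapshot next to it; if the `_and_add` helper does not set one, consider adding `seccompProfile: {type: RuntimeDefault}` beside the `runAsUser` override.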
@@ -78,6 +78,7 @@ | [helm_lib_module_init_container_chown_nobody_volume](#helm_lib_module_init_container_chown_nobody_volume) | | [helm_lib_module_init_container_chown_deckhouse_volume](#helm_lib_module_init_container_chown_deckhouse_volume) | | [helm_lib_module_init_container_check_linux_kernel](#helm_lib_module_init_container_check_linux_kernel) | +| [helm_lib_module_init_container_iptables_wrapper](#helm_lib_module_init_container_iptables_wrapper) | | **Module Labels** | | [helm_lib_module_labels](#helm_lib_module_labels) | | **Module Public Domain** | @@ -900,6 +901,19 @@ list: - Template context with .Values, .Chart, etc - Semver constraint + +### helm_lib_module_init_container_iptables_wrapper + + returns initContainer with iptables-wrapper + +#### Usage + +`{{ include "helm_lib_module_init_container_iptables_wrapper" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + ## Module Labels ### helm_lib_module_labels From 8cf182e88bc79983e58761466c251cc95a238333 Mon Sep 17 00:00:00 2001 From: Denis Meshkov Date: Mon, 19 Jan 2026 20:56:20 +0300 Subject: [PATCH 3/5] Added unit tests, updated snapshot Signed-off-by: Denis Meshkov --- .../templates/_module_init_container.tpl | 9 +- .../helm_lib_module_init_container.yaml | 3 + .../helm_lib_module_init_container_test.yaml | 108 ++++++++++++++++++ 3 files changed, 116 insertions(+), 4 deletions(-) diff --git a/charts/helm_lib/templates/_module_init_container.tpl b/charts/helm_lib/templates/_module_init_container.tpl index 1eb34b5..998e889 100644 --- a/charts/helm_lib/templates/_module_init_container.tpl +++ b/charts/helm_lib/templates/_module_init_container.tpl 
@@ -68,13 +68,13 @@ {{- /* Usage: {{ include "helm_lib_module_init_container_iptables_wrapper" . }} */ -}} {{- /* returns initContainer with iptables-wrapper */ -}} {{- define "helm_lib_module_init_container_iptables_wrapper" -}} - {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} - name: iptables-wrapper-init {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "NET_ADMIN" "NET_RAW")) | nindent 2 }} runAsNonRoot: false runAsUser: 0 runAsGroup: 0 - image: {{ include "helm_lib_module_image" (list . "iptablesWrapperInit") }} + image: {{ include "helm_lib_module_image" (list $context "iptablesWrapperInit") }} command: - /bin/bash - -ec @@ -92,7 +92,8 @@ resources: requests: {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 6 }} - {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler") }} - {{- include "iptables_wrapper_init_resources" . | nindent 4 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler") }} + cpu: 10m + memory: 10Mi {{- end }} {{- end }} diff --git a/tests/templates/helm_lib_module_init_container.yaml b/tests/templates/helm_lib_module_init_container.yaml index 6ac2370..179c867 100644 --- a/tests/templates/helm_lib_module_init_container.yaml +++ b/tests/templates/helm_lib_module_init_container.yaml @@ -3,3 +3,6 @@ chownDeckhouseVolume: checkLinuxKernel: {{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }} + +checkIptablesWrapper: +{{ include "helm_lib_module_init_container_iptables_wrapper" . }} \ No newline at end of file diff --git a/tests/tests/helm_lib_module_init_container_test.yaml b/tests/tests/helm_lib_module_init_container_test.yaml index 8314c33..cb2f86e 100644 --- a/tests/tests/helm_lib_module_init_container_test.yaml 
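Review bot: In the second hunk (`@@ -92,7`), the inlined `cpu: 10m` and `memory: 10Mi` keep the column of the removed `nindent 4` include, which places them directly under `resources:` as siblings of `requests:` instead of inside it; the snapshot added in this same commit (`@@ -103,3 +109,105` in tests/tests/helm_lib_module_init_container_test.yaml) renders exactly that shape, `resources: {cpu: 10m, memory: 10Mi, requests: {ephemeral-storage: 60Mi}}`, so the test locks the defect in. `resources.cpu` and `resources.memory` are not PodSpec fields, so the API server will warn on, drop or reject them depending on field validation, and the intended request for the non-VPA case is never applied. Indent `cpu: 10m` and `memory: 10Mi` two more spaces so they sit at the same column as the output of the `helm_lib_module_ephemeral_storage_logs_with_extra ... | nindent 6` include above them, and move the expected `cpu`/`memory` keys in the first new test case under `requests:` next to `ephemeral-storage`. The define ends inside this hunk, so no other lines are affected.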
+++ b/tests/tests/helm_lib_module_init_container_test.yaml @@ -14,6 +14,8 @@ tests: init: sha256 alpine: sha2 checkKernelVersion: sha256:kernel123 + testModule: + iptablesWrapperInit: sha256:iptables123 asserts: - equal: @@ -47,6 +49,8 @@ tests: common: alpine: sha2 checkKernelVersion: sha256:kernel123 + testModule: + iptablesWrapperInit: sha256:iptables123 asserts: - equal: path: "chownDeckhouseVolume" @@ -79,6 +83,8 @@ tests: common: checkKernelVersion: sha256:kernel123 alpine: sha256:alpine123 + testModule: + iptablesWrapperInit: sha256:iptables123 asserts: - equal: path: "checkLinuxKernel" 
@@ -103,3 +109,105 @@ tests: runAsUser: 64535 seccompProfile: type: RuntimeDefault + - it: should render the iptables wrapper container if not has enabledModules "vertical-pod-autoscaler" + set: + global: + modulesImages: + registry: + base: "deckhouse.io/deckhouse/ce" + digests: + common: + alpine: alp + checkKernelVersion: kernel + iptablesWrapperInit: s:d + testModule: + iptablesWrapperInit: sha256:iptables123 + asserts: + - equal: + path: "checkIptablesWrapper" + value: + - command: + - /bin/bash + - -ec + - | + /usr/bin/cp /iptables-wrapper /sbin/ -rv + /usr/bin/cp /_sbin/* /sbin/ -rv + /usr/bin/cp /relocate/sbin/* /sbin/ -rv + /sbin/iptables --version + /usr/bin/rm /sbin/iptables-wrapper -v + image: deckhouse.io/deckhouse/ce@sha256:iptables123 + name: iptables-wrapper-init + resources: + cpu: 10m + memory: 10Mi + requests: + ephemeral-storage: 60Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + volumeMounts: + - mountPath: /sbin + name: sbin + - mountPath: /run/xtables.lock + name: xtables-lock + - it: should render the iptables wrapper container if has enabledModules "vertical-pod-autoscaler" + set: + global: + enabledModules: + - vertical-pod-autoscaler + modulesImages: + registry: + base: "deckhouse.io/deckhouse/ce" + digests: + common: + alpine: alp + checkKernelVersion: kernel + iptablesWrapperInit: s:d + testModule: + iptablesWrapperInit: sha256:iptables123 + asserts: + - equal: + path: "checkIptablesWrapper" + value: + - command: + - /bin/bash + - -ec + - | + /usr/bin/cp /iptables-wrapper /sbin/ -rv + /usr/bin/cp /_sbin/* /sbin/ -rv + /usr/bin/cp /relocate/sbin/* /sbin/ -rv + /sbin/iptables --version + /usr/bin/rm /sbin/iptables-wrapper -v + image: deckhouse.io/deckhouse/ce@sha256:iptables123 + name: iptables-wrapper-init + resources: + requests: + ephemeral-storage: 60Mi + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + volumeMounts: + - mountPath: /sbin + name: sbin + - mountPath: /run/xtables.lock + name: xtables-lock + + From 6a694edbcf2f44fd3c430b3585995f4d88df4be8 Mon Sep 17 00:00:00 2001 From: Denis Meshkov Date: Mon, 19 Jan 2026 20:59:05 +0300 Subject: [PATCH 4/5] fixed endfile new lines Signed-off-by: Denis Meshkov --- tests/templates/helm_lib_module_init_container.yaml | 2 +- tests/tests/helm_lib_module_init_container_test.yaml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/templates/helm_lib_module_init_container.yaml b/tests/templates/helm_lib_module_init_container.yaml index 179c867..8aa5e3d 100644 --- a/tests/templates/helm_lib_module_init_container.yaml +++ b/tests/templates/helm_lib_module_init_container.yaml @@ -5,4 +5,4 @@ checkLinuxKernel: {{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }} checkIptablesWrapper: -{{ include "helm_lib_module_init_container_iptables_wrapper" . }} \ No newline at end of file +{{ include "helm_lib_module_init_container_iptables_wrapper" . }} diff --git a/tests/tests/helm_lib_module_init_container_test.yaml b/tests/tests/helm_lib_module_init_container_test.yaml index cb2f86e..0368ce1 100644 --- a/tests/tests/helm_lib_module_init_container_test.yaml +++ b/tests/tests/helm_lib_module_init_container_test.yaml @@ -209,5 +209,3 @@ tests: name: sbin - mountPath: /run/xtables.lock name: xtables-lock - - From 9d6c09a418affbccccd9d276165068d582ed160b Mon Sep 17 00:00:00 2001 From: Denis Meshkov Date: Tue, 20 Jan 2026 10:30:24 +0300 Subject: [PATCH 5/5] fixed hash Signed-off-by: Denis Meshkov --- tests/tests/helm_lib_module_init_container_test.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
diff --git a/tests/tests/helm_lib_module_init_container_test.yaml b/tests/tests/helm_lib_module_init_container_test.yaml index 0368ce1..e980afd 100644 --- a/tests/tests/helm_lib_module_init_container_test.yaml +++ b/tests/tests/helm_lib_module_init_container_test.yaml @@ -117,9 +117,8 @@ tests: base: "deckhouse.io/deckhouse/ce" digests: common: - alpine: alp - checkKernelVersion: kernel - iptablesWrapperInit: s:d + alpine: sha256:alpine + checkKernelVersion: sha256:kernel testModule: iptablesWrapperInit: sha256:iptables123 asserts: @@ -169,9 +168,8 @@ tests: base: "deckhouse.io/deckhouse/ce" digests: common: - alpine: alp - checkKernelVersion: kernel - iptablesWrapperInit: s:d + alpine: sha256:alpine + checkKernelVersion: sha256:kernel testModule: iptablesWrapperInit: sha256:iptables123 asserts: