Support configuring file permission for the Antrea CNI configuration file (#7098)

Signed-off-by: Lan Luo <[email protected]>

Author: luolanzone

build/charts/antrea/README.md

@@ -67,6 +67,7 @@ Kubernetes: `>= 1.19.0-0`
 | auditLogging.maxBackups | int | `3` | MaxBackups is the maximum number of old log files to retain. If set to 0, all log files will be retained (unless MaxAge causes them to be deleted). |
 | auditLogging.maxSize | int | `500` | MaxSize is the maximum size in MB of a log file before it gets rotated. |
 | clientCAFile | string | `""` | File path of the certificate bundle for all the signers that is recognized for incoming client certificates. |
+| cni.configFileMode | string | `"644"` | The file permission for 10-antrea.conflist when it is installed in the CNI configuration directory on the host. |
 | cni.hostBinPath | string | `"/opt/cni/bin"` | Installation path of CNI binaries on the host. |
 | cni.plugins | object | `{"bandwidth":true,"portmap":true}` | Chained plugins to use alongside antrea-cni. |
 | cni.skipBinaries | list | `[]` | CNI binaries shipped with Antrea for which installation should be skipped. |

build/charts/antrea/templates/agent/daemonset.yaml

@@ -105,6 +105,10 @@ spec:
             - name: SKIP_LOADING_KERNEL_MODULES
               value: "1"
             {{- end }}
+            # CONFIG_FILE_MODE set the file permission for 10-antrea.conflist.
+            # The default value will be '644' if it's empty.
+            - name: CONFIG_FILE_MODE
+              value: "{{ .Values.cni.configFileMode }}"
           volumeMounts:
           - name: antrea-config
             mountPath: /etc/antrea/antrea-cni.conflist

build/charts/antrea/values.yaml

@@ -429,6 +429,9 @@ cni:
   # -- CNI binaries shipped with Antrea for which installation should be
   # skipped.
   skipBinaries: []
+  # -- The file permission for 10-antrea.conflist when it is installed in
+  # the CNI configuration directory on the host.
+  configFileMode: "644"
 
 webhooks:
   labelsMutator:

build/images/scripts/install_cni

@@ -49,7 +49,7 @@ fi
 # Install Antrea configuration file.
 # Note that it needs to be executed after installing the above binaries because container runtimes such as cri-o may
 # watch the conf directory and try to validate the config and binaries immediately once there is a change.
-install -m 644 /etc/antrea/antrea-cni.conflist /host/etc/cni/net.d/10-antrea.conflist
+install -m "${CONFIG_FILE_MODE:-644}" /etc/antrea/antrea-cni.conflist /host/etc/cni/net.d/10-antrea.conflist
 
 # If more than one CNI config file exists, the file with the lowest name is
 # chosen i.e. existing 10-antrea.conf will be chosen over 10-antrea.conflist.

build/yamls/antrea-aks.yml

@@ -5486,6 +5486,10 @@ spec:
             # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
             - name: SKIP_CNI_BINARIES
               value: ""
+            # CONFIG_FILE_MODE set the file permission for 10-antrea.conflist.
+            # The default value will be '644' if it's empty.
+            - name: CONFIG_FILE_MODE
+              value: "644"
           volumeMounts:
           - name: antrea-config
             mountPath: /etc/antrea/antrea-cni.conflist

build/yamls/antrea-eks.yml

@@ -5485,6 +5485,10 @@ spec:
             # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
             - name: SKIP_CNI_BINARIES
               value: ""
+            # CONFIG_FILE_MODE set the file permission for 10-antrea.conflist.
+            # The default value will be '644' if it's empty.
+            - name: CONFIG_FILE_MODE
+              value: "644"
           volumeMounts:
           - name: antrea-config
             mountPath: /etc/antrea/antrea-cni.conflist

build/yamls/antrea-gke.yml

@@ -5483,6 +5483,10 @@ spec:
             # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
             - name: SKIP_CNI_BINARIES
               value: ""
+            # CONFIG_FILE_MODE set the file permission for 10-antrea.conflist.
+            # The default value will be '644' if it's empty.
+            - name: CONFIG_FILE_MODE
+              value: "644"
           volumeMounts:
           - name: antrea-config
             mountPath: /etc/antrea/antrea-cni.conflist

build/yamls/antrea-ipsec.yml

@@ -5497,6 +5497,10 @@ spec:
             # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
             - name: SKIP_CNI_BINARIES
               value: ""
+            # CONFIG_FILE_MODE set the file permission for 10-antrea.conflist.
+            # The default value will be '644' if it's empty.
+            - name: CONFIG_FILE_MODE
+              value: "644"
           volumeMounts:
           - name: antrea-config
             mountPath: /etc/antrea/antrea-cni.conflist

build/yamls/antrea.yml

@@ -5483,6 +5483,10 @@ spec:
             # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
             - name: SKIP_CNI_BINARIES
               value: ""
+            # CONFIG_FILE_MODE set the file permission for 10-antrea.conflist.
+            # The default value will be '644' if it's empty.
+            - name: CONFIG_FILE_MODE
+              value: "644"
           volumeMounts:
           - name: antrea-config
             mountPath: /etc/antrea/antrea-cni.conflist