| 25 | } |
| 26 | |
| 27 | func hostNetworkPodForNodeDebug(config Config, debugPodNamespace, nodeName string) *v1.Pod { |
| 28 | pod := &v1.Pod{ |
| 29 | ObjectMeta: metav1.ObjectMeta{ |
| 30 | Name: randomRetinaShellContainerName(), |
| 31 | Namespace: debugPodNamespace, |
| 32 | }, |
| 33 | Spec: v1.PodSpec{ |
| 34 | NodeName: nodeName, |
| 35 | RestartPolicy: v1.RestartPolicyNever, |
| 36 | Tolerations: []v1.Toleration{{Operator: v1.TolerationOpExists}}, |
| 37 | HostNetwork: true, |
| 38 | HostPID: config.HostPID, |
| 39 | Containers: []v1.Container{ |
| 40 | { |
| 41 | Name: "retina-shell", |
| 42 | Image: config.RetinaShellImage, |
| 43 | Stdin: true, |
| 44 | TTY: true, |
| 45 | SecurityContext: &v1.SecurityContext{ |
| 46 | Capabilities: &v1.Capabilities{ |
| 47 | Drop: []v1.Capability{"ALL"}, |
| 48 | Add: stringSliceToCapabilities(config.Capabilities), |
| 49 | }, |
| 50 | }, |
| 51 | }, |
| 52 | }, |
| 53 | }, |
| 54 | } |
| 55 | |
| 56 | if config.MountHostFilesystem || config.AllowHostFilesystemWrite { |
| 57 | pod.Spec.Volumes = append(pod.Spec.Volumes, |
| 58 | v1.Volume{ |
| 59 | Name: "host-filesystem", |
| 60 | VolumeSource: v1.VolumeSource{ |
| 61 | HostPath: &v1.HostPathVolumeSource{ |
| 62 | Path: "/", |
| 63 | }, |
| 64 | }, |
| 65 | }, |
| 66 | v1.Volume{ |
| 67 | Name: "run", |
| 68 | VolumeSource: v1.VolumeSource{ |
| 69 | HostPath: &v1.HostPathVolumeSource{ |
| 70 | Path: "/run", |
| 71 | }, |
| 72 | }, |
| 73 | }, |
| 74 | ) |
| 75 | pod.Spec.Containers[0].VolumeMounts = append(pod.Spec.Containers[0].VolumeMounts, |
| 76 | v1.VolumeMount{ |
| 77 | Name: "host-filesystem", |
| 78 | MountPath: "/host", |
| 79 | ReadOnly: !config.AllowHostFilesystemWrite, |
| 80 | }, |
| 81 | v1.VolumeMount{ |
| 82 | Name: "run", |
| 83 | MountPath: "/run", |
| 84 | }, |