From 3b4de9db1445e0ddb7fb6f31adaca6d41fb73fb5 Mon Sep 17 00:00:00 2001 From: "Alessandro (Ale) Segala" <43508+ItalyPaleAle@users.noreply.github.com> Date: Wed, 7 Feb 2024 21:11:35 -0800 Subject: [PATCH] Injector: add option to add `DAPR_HOST_IP` env var to daprd (#7511) The `DAPR_HOST_IP` env var is used in various places in Dapr for a sidecar to know its own IP address, for example for service invocation or actor invocation. When using the Dapr injector to add the daprd container, we can use the Kubernetes Downward API to add the `DAPR_HOST_IP` env var based on the pod's own status data. This option can be enabled by setting the Helm option `dapr_sidecar_injector.enableK8sDownwardAPIs=true` Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com> --- charts/dapr/README.md | 9 +-- .../dapr_sidecar_injector_deployment.yaml | 2 + .../charts/dapr_sidecar_injector/values.yaml | 1 + pkg/injector/consts/consts.go | 1 + pkg/injector/patcher/sidecar.go | 25 +++---- pkg/injector/patcher/sidecar_container.go | 69 +++++++++++-------- .../patcher/sidecar_container_test.go | 48 ++++--------- pkg/injector/service/config.go | 7 ++ pkg/injector/service/pod_patch.go | 1 + 9 files changed, 83 insertions(+), 80 deletions(-) diff --git a/charts/dapr/README.md b/charts/dapr/README.md index 9fdd70889db..93edde32112 100644 --- a/charts/dapr/README.md +++ b/charts/dapr/README.md 
@@ -194,10 +194,11 @@ The Helm chart has the follow configuration options that can be supplied: | `dapr_sidecar_injector.injectorImage.name` | Docker image name for sidecar injector service (`global.registry/dapr_sidecar_injector.injectorImage.name`) | `dapr`| | `dapr_sidecar_injector.webhookFailurePolicy` | Failure policy for the sidecar injector | `Ignore` | | `dapr_sidecar_injector.runAsNonRoot` | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube | `true` | -| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` | -| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` | -| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` | -| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` | +| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` | +| `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` | +| `dapr_sidecar_injector.enableK8sDownwardAPIs` | When set to true, uses the Kubernetes downward projection APIs to inject certain environmental variables (such as pod IP) into the daprd container. 
(default: `false`) | `true` | +| `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` | +| `dapr_sidecar_injector.allowedServiceAccounts` | String value for extra allowed service accounts in the format of `namespace1:serviceAccount1,namespace2:serviceAccount2` | `""` | | `dapr_sidecar_injector.allowedServiceAccountsPrefixNames` | Comma-separated list of extra allowed service accounts. Each item in the list should be in the format of namespace:serviceaccount. To match service accounts by a common prefix, you can add an asterisk (`*`) at the end of the prefix. For instance, ns1*:sa2* will match any service account that starts with sa2, whose namespace starts with ns1. For example, it will match service accounts like sa21 and sa2223 in namespaces such as ns1, ns1dapr, and so on. | `""` | | `dapr_sidecar_injector.resources` | Value of `resources` attribute. Can be used to set memory/cpu resources/limits. See the section "Resource configuration" above. Defaults to empty | `{}` | | `dapr_sidecar_injector.debug.enabled` | Boolean value for enabling debug mode | `{}` | diff --git a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml index 364b8ac9994..43300e1d014 100644 --- a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml +++ b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml 
@@ -150,6 +150,8 @@ spec:
 # Configuration for injected sidecars
 - name: SIDECAR_RUN_AS_NON_ROOT
 value: {{ .Values.sidecarRunAsNonRoot | toString | toYaml }}
+ - name: ENABLE_K8S_DOWNWARD_APIS
+ value: {{ .Values.enableK8sDownwardAPIs | toString | toYaml }}
 - name: SIDECAR_DROP_ALL_CAPABILITIES
 value: {{ .Values.sidecarDropALLCapabilities | toString | toYaml }}
 - name: SIDECAR_READ_ONLY_ROOT_FILESYSTEM
diff --git a/charts/dapr/charts/dapr_sidecar_injector/values.yaml b/charts/dapr/charts/dapr_sidecar_injector/values.yaml
index 53b08b0efc4..c9ee70306ac 100644
--- a/charts/dapr/charts/dapr_sidecar_injector/values.yaml
+++ b/charts/dapr/charts/dapr_sidecar_injector/values.yaml
@@ -29,6 +29,7 @@ runAsNonRoot: true
 sidecarRunAsNonRoot: true
 sidecarReadOnlyRootFilesystem: true
 sidecarDropALLCapabilities: false
+enableK8sDownwardAPIs: false
 allowedServiceAccounts: ""
 allowedServiceAccountsPrefixNames: ""
 resources: {}
diff --git a/pkg/injector/consts/consts.go b/pkg/injector/consts/consts.go
index 82a56e954d9..340f7454530 100644
--- a/pkg/injector/consts/consts.go
+++ b/pkg/injector/consts/consts.go
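Review bot: The default documented for `enableK8sDownwardAPIs` disagrees with the value set here: the chart defaults it to `false`, and the injector side parses `ENABLE_K8S_DOWNWARD_APIS` with `IsTruthy`, so an unset variable means off, but the README row this commit adds ends its description with "(default: false)" while its default column shows "true". One of those two cells is wrong, and operators read the table rather than values.yaml. The default column should read `false`; the parenthetical in the description can then be dropped, since every other row leaves the default to that column.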
@@ -37,6 +37,7 @@ const (
 UserContainerAppProtocolName = "APP_PROTOCOL" // Name of the variable exposed to the app containing the app protocol.
 UserContainerDaprHTTPPortName = "DAPR_HTTP_PORT" // Name of the variable exposed to the app containing the Dapr HTTP port.
 UserContainerDaprGRPCPortName = "DAPR_GRPC_PORT" // Name of the variable exposed to the app containing the Dapr gRPC port.
+ DaprContainerHostIP = "DAPR_HOST_IP" // Name of the variable injected in the daprd container containing the pod's IP
 TokenVolumeKubernetesMountPath = "/var/run/secrets/dapr.io/sentrytoken" /* #nosec */ // Mount path for the Kubernetes service account volume with the sentry token.
 TokenVolumeName = "dapr-identity-token" /* #nosec */ // Name of the volume with the service account token for daprd.
 ComponentsUDSVolumeName = "dapr-components-unix-domain-socket" // Name of the Unix domain socket volume for components.
diff --git a/pkg/injector/patcher/sidecar.go b/pkg/injector/patcher/sidecar.go
index 491fd8dbcf8..b8334e476b5 100644
--- a/pkg/injector/patcher/sidecar.go
+++ b/pkg/injector/patcher/sidecar.go
@@ -45,6 +45,7 @@ type SidecarConfig struct {
 OperatorAddress string
 SentryAddress string
 RunAsNonRoot bool
+ EnableK8sDownwardAPIs bool
 ReadOnlyRootFilesystem bool
 SidecarDropALLCapabilities bool
 DisableTokenVolume bool
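Review bot: The comment on the new `DaprContainerHostIP` constant is the only one in this block without a terminating period, and it does not say where the value comes from, which is the one thing a reader of the constant needs before using it elsewhere. I would write `DaprContainerHostIP = "DAPR_HOST_IP" // Name of the variable injected in the daprd container containing the pod's IP (Downward API status.podIP; only set when the injector enables Downward APIs).` The enclosing `const (` block starts before this hunk.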
@@ -62,25 +63,25 @@ type SidecarConfig struct { Enabled bool `annotation:"dapr.io/enabled"` AppPort int32 `annotation:"dapr.io/app-port"` Config string `annotation:"dapr.io/config"` - AppProtocol string `annotation:"dapr.io/app-protocol" default:"http"` + AppProtocol string `annotation:"dapr.io/app-protocol" default:"http"` AppSSL bool `annotation:"dapr.io/app-ssl"` // TODO: Deprecated in Dapr 1.11; remove in a future Dapr version AppID string `annotation:"dapr.io/app-id"` EnableProfiling bool `annotation:"dapr.io/enable-profiling"` - LogLevel string `annotation:"dapr.io/log-level" default:"info"` + LogLevel string `annotation:"dapr.io/log-level" default:"info"` APITokenSecret string `annotation:"dapr.io/api-token-secret"` AppTokenSecret string `annotation:"dapr.io/app-token-secret"` LogAsJSON bool `annotation:"dapr.io/log-as-json"` AppMaxConcurrency *int `annotation:"dapr.io/app-max-concurrency"` - EnableMetrics bool `annotation:"dapr.io/enable-metrics" default:"true"` - SidecarMetricsPort int32 `annotation:"dapr.io/metrics-port" default:"9090"` - EnableDebug bool `annotation:"dapr.io/enable-debug" default:"false"` - SidecarDebugPort int32 `annotation:"dapr.io/debug-port" default:"40000"` + EnableMetrics bool `annotation:"dapr.io/enable-metrics" default:"true"` + SidecarMetricsPort int32 `annotation:"dapr.io/metrics-port" default:"9090"` + EnableDebug bool `annotation:"dapr.io/enable-debug" default:"false"` + SidecarDebugPort int32 `annotation:"dapr.io/debug-port" default:"40000"` Env string `annotation:"dapr.io/env"` SidecarCPURequest string `annotation:"dapr.io/sidecar-cpu-request"` SidecarCPULimit string `annotation:"dapr.io/sidecar-cpu-limit"` SidecarMemoryRequest string `annotation:"dapr.io/sidecar-memory-request"` SidecarMemoryLimit string `annotation:"dapr.io/sidecar-memory-limit"` - SidecarListenAddresses string `annotation:"dapr.io/sidecar-listen-addresses" default:"[::1],127.0.0.1"` + SidecarListenAddresses string 
`annotation:"dapr.io/sidecar-listen-addresses" default:"[::1],127.0.0.1"` SidecarLivenessProbeDelaySeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-delay-seconds" default:"3"` SidecarLivenessProbeTimeoutSeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-timeout-seconds" default:"3"` SidecarLivenessProbePeriodSeconds int32 `annotation:"dapr.io/sidecar-liveness-probe-period-seconds" default:"6"` @@ -93,7 +94,7 @@ type SidecarConfig struct { SidecarSeccompProfileType string `annotation:"dapr.io/sidecar-seccomp-profile-type"` HTTPMaxRequestSize *int `annotation:"dapr.io/http-max-request-size"` HTTPReadBufferSize *int `annotation:"dapr.io/http-read-buffer-size"` - GracefulShutdownSeconds int `annotation:"dapr.io/graceful-shutdown-seconds" default:"-1"` + GracefulShutdownSeconds int `annotation:"dapr.io/graceful-shutdown-seconds" default:"-1"` BlockShutdownDuration *string `annotation:"dapr.io/block-shutdown-duration"` EnableAPILogging *bool `annotation:"dapr.io/enable-api-logging"` UnixDomainSocketPath string `annotation:"dapr.io/unix-domain-socket-path"` 
@@ -101,10 +102,10 @@ type SidecarConfig struct {
 VolumeMountsRW string `annotation:"dapr.io/volume-mounts-rw"`
 DisableBuiltinK8sSecretStore bool `annotation:"dapr.io/disable-builtin-k8s-secret-store"`
 EnableAppHealthCheck bool `annotation:"dapr.io/enable-app-health-check"`
- AppHealthCheckPath string `annotation:"dapr.io/app-health-check-path" default:"/healthz"`
- AppHealthProbeInterval int32 `annotation:"dapr.io/app-health-probe-interval" default:"5"` // In seconds
- AppHealthProbeTimeout int32 `annotation:"dapr.io/app-health-probe-timeout" default:"500"` // In milliseconds
- AppHealthThreshold int32 `annotation:"dapr.io/app-health-threshold" default:"3"`
+ AppHealthCheckPath string `annotation:"dapr.io/app-health-check-path" default:"/healthz"`
+ AppHealthProbeInterval int32 `annotation:"dapr.io/app-health-probe-interval" default:"5"` // In seconds
+ AppHealthProbeTimeout int32 `annotation:"dapr.io/app-health-probe-timeout" default:"500"` // In milliseconds
+ AppHealthThreshold int32 `annotation:"dapr.io/app-health-threshold" default:"3"`
 PlacementAddress string `annotation:"dapr.io/placement-host-address"`
 PluggableComponents string `annotation:"dapr.io/pluggable-components"`
 PluggableComponentsSocketsFolder string `annotation:"dapr.io/pluggable-components-sockets-folder"`
diff --git a/pkg/injector/patcher/sidecar_container.go b/pkg/injector/patcher/sidecar_container.go
index 8eab0f9ad1c..8a543d55a6e 100644
--- a/pkg/injector/patcher/sidecar_container.go
+++ b/pkg/injector/patcher/sidecar_container.go
@@ -219,6 +219,45 @@ func (c *SidecarConfig) getSidecarContainer(opts getSidecarContainerOpts) (*core
 // Create the container object
 probeHTTPHandler := getProbeHTTPHandler(c.SidecarPublicPort, injectorConsts.APIVersionV1, injectorConsts.SidecarHealthzPath)
+ env := []corev1.EnvVar{
+ {
+ Name: "NAMESPACE",
+ Value: c.Namespace,
+ },
+ {
+ Name: securityConsts.TrustAnchorsEnvVar,
+ Value: string(c.CurrentTrustAnchors),
+ },
+ {
+ Name: "POD_NAME",
+ ValueFrom: &corev1.EnvVarSource{
+ FieldRef: &corev1.ObjectFieldSelector{
+ FieldPath: "metadata.name",
+ },
+ },
+ },
+ // TODO: @joshvanl: In v1.14, these two env vars should be moved to flags.
+ {
+ Name: securityConsts.ControlPlaneNamespaceEnvVar,
+ Value: c.ControlPlaneNamespace,
+ },
+ {
+ Name: securityConsts.ControlPlaneTrustDomainEnvVar,
+ Value: c.ControlPlaneTrustDomain,
+ },
+ }
+ if c.EnableK8sDownwardAPIs {
+ env = append(env,
+ corev1.EnvVar{
+ Name: injectorConsts.DaprContainerHostIP,
+ ValueFrom: &corev1.EnvVarSource{
+ FieldRef: &corev1.ObjectFieldSelector{
+ FieldPath: "status.podIP",
+ },
+ },
+ },
+ )
+ }
 container := &corev1.Container{
 Name: injectorConsts.SidecarContainerName,
 Image: c.SidecarImage,
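Review bot: The `status.podIP` entry is appended whenever `EnableK8sDownwardAPIs` is set, with no check against the env vars the pod author supplies through the `dapr.io/env` annotation (`SidecarConfig.Env`), which as far as this hunk shows are added to the container elsewhere; a user who already sets `DAPR_HOST_IP` there would presumably end up with two entries of the same name in the container spec, and nothing in this code states which one daprd ends up reading. Either skip the Downward API entry when the annotation already provides `DAPR_HOST_IP`, or record the intended precedence in a comment on the `if`. The block is also the only one in this hunk without a comment saying why the behaviour is opt-in; I would add `// Opt-in: expose the pod's own IP (Downward API status.podIP) as DAPR_HOST_IP so daprd can advertise its address for service and actor invocation.` above `if c.EnableK8sDownwardAPIs {`. `getSidecarContainer` starts before this hunk and continues past it.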
@@ -226,34 +265,8 @@ func (c *SidecarConfig) getSidecarContainer(opts getSidecarContainerOpts) (*core
 SecurityContext: securityContext,
 Ports: ports,
 Args: append(cmd, args...),
- Env: []corev1.EnvVar{
- {
- Name: "NAMESPACE",
- Value: c.Namespace,
- },
- {
- Name: "POD_NAME",
- ValueFrom: &corev1.EnvVarSource{
- FieldRef: &corev1.ObjectFieldSelector{
- FieldPath: "metadata.name",
- },
- },
- },
- {
- Name: securityConsts.TrustAnchorsEnvVar,
- Value: string(c.CurrentTrustAnchors),
- },
- // TODO: @joshvanl: In v1.14, this two env vars should be moved to flags.
- {
- Name: securityConsts.ControlPlaneNamespaceEnvVar,
- Value: c.ControlPlaneNamespace,
- },
- {
- Name: securityConsts.ControlPlaneTrustDomainEnvVar,
- Value: c.ControlPlaneTrustDomain,
- },
- },
- VolumeMounts: opts.VolumeMounts,
+ Env: env,
+ VolumeMounts: opts.VolumeMounts,
 ReadinessProbe: &corev1.Probe{
 ProbeHandler: probeHTTPHandler,
 InitialDelaySeconds: c.SidecarReadinessProbeDelaySeconds,
diff --git a/pkg/injector/patcher/sidecar_container_test.go b/pkg/injector/patcher/sidecar_container_test.go
index c195665d3e2..b90ce87658d 100644
--- a/pkg/injector/patcher/sidecar_container_test.go
+++ b/pkg/injector/patcher/sidecar_container_test.go
@@ -14,6 +14,7 @@ limitations under the License.
 package patcher
 import (
+ "encoding/json"
 "strings"
 "testing"
@@ -361,24 +362,7 @@ func TestGetSidecarContainer(t *testing.T) {
 // Command should be empty, image's entrypoint to be used.
 assert.Empty(t, container.Command)
- // NAMESPACE
- assert.Equal(t, "dapr-system", container.Env[0].Value)
- // POD_NAME
- assert.Equal(t, "metadata.name", container.Env[1].ValueFrom.FieldRef.FieldPath)
- // DAPR_CONTROLPLANE_NAMESPACE
- assert.Equal(t, "my-namespace", container.Env[3].Value)
- // DAPR_CONTROLPLANE_TRUST_DOMAIN
- assert.Equal(t, "test.example.com", container.Env[4].Value)
- // DAPR_CERT_CHAIN
- assert.Equal(t, "my-cert-chain", container.Env[5].Value)
- // DAPR_CERT_KEY
- assert.Equal(t, "my-cert-key", container.Env[6].Value)
- // SENTRY_LOCAL_IDENTITY
- assert.Equal(t, "pod_identity", container.Env[7].Value)
- // DAPR_API_TOKEN
- assert.Equal(t, "secret", container.Env[8].ValueFrom.SecretKeyRef.Name)
- // DAPR_APP_TOKEN
- assert.Equal(t, "appsecret", container.Env[9].ValueFrom.SecretKeyRef.Name)
+ assertEqualJSON(t, container.Env, `[{"name":"NAMESPACE","value":"dapr-system"},{"name":"DAPR_TRUST_ANCHORS"},{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"DAPR_CONTROLPLANE_NAMESPACE","value":"my-namespace"},{"name":"DAPR_CONTROLPLANE_TRUST_DOMAIN","value":"test.example.com"},{"name":"DAPR_CERT_CHAIN","value":"my-cert-chain"},{"name":"DAPR_CERT_KEY","value":"my-cert-key"},{"name":"SENTRY_LOCAL_IDENTITY","value":"pod_identity"},{"name":"DAPR_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"secret","key":"token"}}},{"name":"APP_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"appsecret","key":"token"}}}]`)
 // default image
 assert.Equal(t, "daprio/dapr", container.Image)
 assert.EqualValues(t, expectedArgs, container.Args)
@@ -412,6 +396,7 @@ func TestGetSidecarContainer(t *testing.T) {
 c.ControlPlaneTrustDomain = "test.example.com"
 c.CertChain = "my-cert-chain"
 c.CertKey = "my-cert-key"
+ c.EnableK8sDownwardAPIs = true
 c.SetFromPodAnnotations()
@@ -451,24 +436,7 @@ func TestGetSidecarContainer(t *testing.T) {
 // Command should be empty, image's entrypoint to be used.
 assert.Empty(t, container.Command)
- // NAMESPACE
- assert.Equal(t, "dapr-system", container.Env[0].Value)
- // POD_NAME
- assert.Equal(t, "metadata.name", container.Env[1].ValueFrom.FieldRef.FieldPath)
- // DAPR_CONTROLPLANE_NAMESPACE
- assert.Equal(t, "my-namespace", container.Env[3].Value)
- // DAPR_CONTROLPLANE_TRUST_DOMAIN
- assert.Equal(t, "test.example.com", container.Env[4].Value)
- // DAPR_CERT_CHAIN
- assert.Equal(t, "my-cert-chain", container.Env[5].Value)
- // DAPR_CERT_KEY
- assert.Equal(t, "my-cert-key", container.Env[6].Value)
- // SENTRY_LOCAL_IDENTITY
- assert.Equal(t, "pod_identity", container.Env[7].Value)
- // DAPR_API_TOKEN
- assert.Equal(t, "secret", container.Env[8].ValueFrom.SecretKeyRef.Name)
- // DAPR_APP_TOKEN
- assert.Equal(t, "appsecret", container.Env[9].ValueFrom.SecretKeyRef.Name)
+ assertEqualJSON(t, container.Env, `[{"name":"NAMESPACE","value":"dapr-system"},{"name":"DAPR_TRUST_ANCHORS"},{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"DAPR_CONTROLPLANE_NAMESPACE","value":"my-namespace"},{"name":"DAPR_CONTROLPLANE_TRUST_DOMAIN","value":"test.example.com"},{"name":"DAPR_HOST_IP","valueFrom":{"fieldRef":{"fieldPath":"status.podIP"}}},{"name":"DAPR_CERT_CHAIN","value":"my-cert-chain"},{"name":"DAPR_CERT_KEY","value":"my-cert-key"},{"name":"SENTRY_LOCAL_IDENTITY","value":"pod_identity"},{"name":"DAPR_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"secret","key":"token"}}},{"name":"APP_API_TOKEN","valueFrom":{"secretKeyRef":{"name":"appsecret","key":"token"}}}]`)
 // default image
 assert.Equal(t, "daprio/dapr", container.Image)
 assert.EqualValues(t, expectedArgs, container.Args)
@@ -1144,3 +1112,11 @@ func TestGetSidecarContainer(t *testing.T) {
 },
 }))
 }
+
+func assertEqualJSON(t *testing.T, val any, expect string) {
+ t.Helper()
+
+ actual, err := json.Marshal(val)
+ require.NoError(t, err)
+ assert.Equal(t, expect, string(actual))
+}
diff --git a/pkg/injector/service/config.go b/pkg/injector/service/config.go
index e240bf12690..57c60312922 100644
--- a/pkg/injector/service/config.go
+++ b/pkg/injector/service/config.go
@@ -41,6 +41,7 @@ type Config struct {
 RemindersServiceAddress string `envconfig:"REMINDERS_SERVICE_ADDRESS"`
 RunAsNonRoot string `envconfig:"SIDECAR_RUN_AS_NON_ROOT"`
 ReadOnlyRootFilesystem string `envconfig:"SIDECAR_READ_ONLY_ROOT_FILESYSTEM"`
+ EnableK8sDownwardAPIs string `envconfig:"ENABLE_K8S_DOWNWARD_APIS"`
 SidecarDropALLCapabilities string `envconfig:"SIDECAR_DROP_ALL_CAPABILITIES"`
 TrustAnchorsFile string `envconfig:"DAPR_TRUST_ANCHORS_FILE"`
@@ -52,6 +53,7 @@ type Config struct {
 parsedRemindersService patcher.Service
 parsedRunAsNonRoot bool
 parsedReadOnlyRootFilesystem bool
+ parsedEnableK8sDownwardAPIs bool
 parsedSidecarDropALLCapabilities bool
 parsedEntrypointTolerations []corev1.Toleration
 }
@@ -121,6 +123,10 @@ func (c Config) GetReadOnlyRootFilesystem() bool {
 return c.parsedReadOnlyRootFilesystem
 }
+func (c Config) GetEnableK8sDownwardAPIs() bool {
+ return c.parsedEnableK8sDownwardAPIs
+}
+
 func (c Config) GetDropCapabilities() bool {
 return c.parsedSidecarDropALLCapabilities
 }
@@ -169,6 +175,7 @@ func (c *Config) parse() (err error) {
 c.parsedActorsEnabled = isTruthyDefaultTrue(c.ActorsEnabled)
 c.parsedRunAsNonRoot = isTruthyDefaultTrue(c.RunAsNonRoot)
 c.parsedReadOnlyRootFilesystem = isTruthyDefaultTrue(c.ReadOnlyRootFilesystem)
+ c.parsedEnableK8sDownwardAPIs = kitutils.IsTruthy(c.EnableK8sDownwardAPIs)
 c.parsedSidecarDropALLCapabilities = kitutils.IsTruthy(c.SidecarDropALLCapabilities)
 return nil
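Review bot: `assertEqualJSON` compares a single serialized string, so a mismatch anywhere in an eleven-element `Env` slice fails with one very long line and no indication of which entry differs, and the expected literal in the two call sites has to be byte-exact in key order and whitespace. `assert.JSONEq(t, expect, string(actual))` keeps the same intent but reports a structured diff and lets the expected JSON be formatted over several lines. The helper also has no doc comment; I would add `// assertEqualJSON asserts that val marshals to exactly the JSON document in expect.` above it.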
diff --git a/pkg/injector/service/pod_patch.go b/pkg/injector/service/pod_patch.go
index 2ce0e4a15f6..cd6f521bec6 100644
--- a/pkg/injector/service/pod_patch.go
+++ b/pkg/injector/service/pod_patch.go
@@ -73,6 +73,7 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 sidecar.SentryAddress = sentryAddress
 sidecar.RunAsNonRoot = i.config.GetRunAsNonRoot()
 sidecar.ReadOnlyRootFilesystem = i.config.GetReadOnlyRootFilesystem()
+ sidecar.EnableK8sDownwardAPIs = i.config.GetEnableK8sDownwardAPIs()
 sidecar.SidecarDropALLCapabilities = i.config.GetDropCapabilities()
 sidecar.ControlPlaneNamespace = i.controlPlaneNamespace
 sidecar.ControlPlaneTrustDomain = i.controlPlaneTrustDomain