Move linkerd2-network-validator init container functionality into sidecar proxy
What problem are you trying to solve?
Startup time is very important for us, and each init container adds 1s to startup time.
How should the problem be solved?
It seems possible for the functionality in the network validator to be part of the linkerd-proxy sidecar container. Since the proxy has a postStart hook anyway, it will complete before the main app container starts anyway. If the network validation fails, the proxy could just exit with an error.
Any alternatives you've considered?
I am not aware of alternatives. Maybe the new sidecar functionality recently added to k8s could improve this.
How would users interact with this feature?
No response
Would you like to work on this feature?
yes
Also, I'm working on a controller that has a mutating webhook for nodes to add a taint, which gets removed when it observes the linkerd-cni pod on that node is Ready. So it would be nice to have the option to disable this check altogether, since this scenario should be impossible.
Hey @andrewdinunzio, correct me if I'm wrong here, but wouldn't the check just be a noop with the tainting webhook?
Hey, yeah, that was my understanding too, which is why I would like the option to disable the init container altogether. But in any case, I think this network validation could be part of the sidecar proxy to remove that 1s of startup time that comes with init containers.
We would probably accept a PR to disable the network validator.
I will submit a PR for this in the near future.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.