DE-11 fix iptables for arm64

files/template.yaml.tpl

@@ -229,7 +229,7 @@ volumes:
       value: "{{ template `applicationPort` . }}"
     - name: NGINX_PORT
       value: "{{ getAnnotation .ObjectMeta (withAP "nginx-listen-port") .Config.nginx.listenPort }}"
-  command: ["iptables"]
+  command: ["iptables-nft"]
   args: ["-t", "nat", "-A", "PREROUTING", "-p", "tcp", "-d", "$(POD_IP)", "--dport", "$(APP_PORT)", "-j", "REDIRECT", "--to-ports", "$(NGINX_PORT)"]
   securityContext:
     {{ toYaml .Config.sidecar.initContainers.iptables.securityContext | indent 4 }}

helm/test/integration_test.py

@@ -13,7 +13,7 @@
 FORBIDDEN_HTTP_PATH = '/?id=\'or+1=1--a-<script>prompt(1)</script>\''
 SCRIPT_PATH = os.path.dirname(os.path.realpath(__file__))
 PATCHES_PATH = f'{SCRIPT_PATH}/kustomize/patches'
-WAIT_PODS_TIMEOUT = '120s'
+WAIT_PODS_TIMEOUT = '180s'
 
 print('PATCHES_PATH: ${PATCHES_PATH}')
 patchList = []
@@ -93,11 +93,6 @@ def test_main_functionality(self, config, helpers, teardown_namespace):
         # Register teardown and setup resources for test
         teardown_namespace['namespace'] = namespace
 
-        # Skip tests with ip-tables if run on arm64
-        if ("iptables_enabled" in config) and ("aarch64" in sysconfig.get_platform().split("-")[-1].lower()):
-            pytest.skip(f'Skip {config} test since aarch64')
-            return
-
         helpers.setup_resources(config_path, namespace)
 
         # Need delay here to ensure that service is ready to send traffic to pods

helm/values.yaml

@@ -273,6 +273,8 @@ config:
         ### Security context for `iptables` container
         ###
         securityContext:
+          runAsNonRoot: false
+          runAsUser: 0
           capabilities:
             add:
               - NET_ADMIN