Native K8s Sidecar Containers with gluetun

I tried to use the new Kubernetes native Sidecar Containers introduced since v1.29. The initContainers and pod were stuck in PodInitializing state and the other containers were not starting up.

If an init container is created with its restartPolicy set to Always, it becomes a native Sidecar Container: it starts and remains running for the entire life of the Pod. When restartPolicy is not set, it is an ordinary init container that exits once its task is completed, before the next init container is started.

In my case I incorrectly thought I had added the restartPolicy to gluetun. Omitting this turned it back into an init container, and since it will never exit zero, the rest of my application was forever stuck in PodInitializing waiting for gluetun to finish. This was easily fixed once I corrected the false memory and actually added the restartPolicy.

Here is an example of gluetun behaving as a K8s native sidecar container which connects to Nord VPN and causes all pod traffic to egress via the VPN. There are three containers involved:

  • gluetun is the native sidecar and will continue to run for the lifetime of the deployment.

  • The ping container is a normal init container and the main container will not start until this one completes (which will happen once the gluetun VPN is online).

  • curlpod is the main application container; in this case it continuously checks its IP address to ensure traffic is going out via the VPN. You would replace this with an actual application container.

---
apiVersion: apps/v1
kind: Deployment
metadata:
    name: gluetun-deployment
    namespace: torrent
    labels:
        app: gluetun
spec:
    replicas: 1
    selector:
        matchLabels:
            app: gluetun
    template:
        metadata:
            labels:
                app: gluetun
        spec:
            initContainers:
                - name: gluetun
                  # if you do not add restartPolicy the other init containers will never start
                  # it will be an initContainer and not a native sidecar container https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
                  restartPolicy: Always
                  image: ghcr.io/qdm12/gluetun
                  imagePullPolicy: Always
                  securityContext:
                      capabilities:
                          add:
                              - 'NET_ADMIN'
                  env:
                      - name: TZ
                        value: 'UTC'
                      - name: VPN_SERVICE_PROVIDER
                        value: nordvpn
                      - name: VPN_TYPE
                        value: openvpn
                      - name: SERVER_COUNTRIES
                        value: Netherlands
                      - name: OPENVPN_USER
                        value: USR
                      - name: OPENVPN_PASSWORD
                        value: PWD
                - name: ping
                  image: busybox
                  command:
                      - sh
                      - -c
                      - |
                          while ! ping -c 1 8.8.8.8; do
                            echo "Ping failed, retrying in 5"
                            sleep 5
                          done
                          echo "ping successful, exiting"
            containers:
                - name: curlpod
                  image: curlimages/curl
                  args:
                      - /bin/sh
                      - -c
                      - while true; do curl checkip.amazonaws.com; sleep 15; done
                  imagePullPolicy: Always
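A preflight check for exactly the mistake described above, added here as an example and not part of the original post or of gluetun: given a Deployment manifest as a parsed dict, it flags init containers whose image never exits but that lack restartPolicy: Always, and patches them into native sidecars. The allowlist of never-exiting images and the sample manifest are constructed assumptions.

```python
import copy

# Hypothetical allowlist of images that never exit on their own; maintain it yourself.
LONG_RUNNING_IMAGES = {"ghcr.io/qdm12/gluetun"}

def image_name(ref):
    """Strip a :tag or @digest from an image reference, keeping any registry port."""
    ref = ref.split("@", 1)[0]
    colon, slash = ref.rfind(":"), ref.rfind("/")
    return ref[:colon] if colon > slash else ref

def find_stuck_init_containers(manifest, long_running=LONG_RUNNING_IMAGES):
    """Names of initContainers that would hold the pod in PodInitializing forever.

    A long-running image listed under initContainers needs restartPolicy: Always
    so the kubelet treats it as a native sidecar and moves on to the next init
    container; without it, the kubelet waits for an exit 0 that never comes.
    """
    spec = manifest["spec"]["template"]["spec"]
    return [
        c["name"]
        for c in spec.get("initContainers", [])
        if image_name(c.get("image", "")) in long_running
        and c.get("restartPolicy") != "Always"
    ]

def make_native_sidecar(manifest, name):
    """Return a copy of manifest with restartPolicy: Always on init container `name`."""
    fixed = copy.deepcopy(manifest)
    for c in fixed["spec"]["template"]["spec"].get("initContainers", []):
        if c["name"] == name:
            c["restartPolicy"] = "Always"
    return fixed

# Constructed manifest mirroring the Deployment above, with restartPolicy
# deliberately omitted from gluetun to reproduce the stuck-pod mistake.
BROKEN = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "gluetun", "image": "ghcr.io/qdm12/gluetun:latest"},
            {"name": "ping", "image": "busybox"},
        ],
        "containers": [{"name": "curlpod", "image": "curlimages/curl"}],
    }}},
}

if __name__ == "__main__":
    print("stuck:", find_stuck_init_containers(BROKEN))  # ['gluetun']
    print("fixed:", find_stuck_init_containers(make_native_sidecar(BROKEN, "gluetun")))  # []
```

To run it against real manifests, load them with a YAML parser and pass each document's dict; a non-empty result means the rollout will hang in PodInitializing.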

This K8s Blog on Native Sidecar Containers has some good background.
