feat(container): support kubesolo in a container #106
Open
stevensbkang wants to merge 6 commits into develop from
Conversation
Pull request overview
Adds a “container mode” runtime path so kubesolo can run reliably inside a privileged container (kubesolo-on-container / “kubesolo on a container”), adjusting kubelet/kube-proxy/CoreDNS behavior and providing container build artifacts.
Changes:
- Introduces a container-mode flag + auto-detection, propagating the setting through embedded config and services.
- Adjusts kubelet, kube-proxy, and CoreDNS configuration for container constraints (cgroups, conntrack, resolv.conf handling, resource limits), and adds a CoreDNS readiness wait.
- Adds container image build/publish support (Dockerfile + Makefile targets + dockerignore).
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| types/types.go | Adds Embedded.ContainerMode flag to propagate container-mode configuration. |
| pkg/kubernetes/kubeproxy/service.go | Extends kube-proxy service constructor to carry containerMode. |
| pkg/kubernetes/kubeproxy/flags.go | Alters conntrack-related flags when running in container mode. |
| pkg/kubernetes/kubelet/service.go | Stores containerMode on kubelet service based on embedded config. |
| pkg/kubernetes/kubelet/config.go | Generates container-aware kubelet config (cgroup driver, eviction, resolvConf selection, QoS/cgroup settings). |
| pkg/kubernetes/controller/flags.go | Updates controller-manager enabled controllers and GC threshold. |
| pkg/kubernetes/apiserver/flags.go | Updates admission plugin enable/disable lists. |
| pkg/components/portainer/service.go | Updates headless Service to publish not-ready addresses. |
| pkg/components/coredns/deployment.go | Makes CoreDNS deployment container-aware (DNSPolicy + resource limits behavior). |
| pkg/components/coredns/coredns.go | Adds containerMode plumbing + waits for CoreDNS deployment readiness. |
| pkg/components/coredns/configuration.go | Generates CoreDNS Corefile dynamically, differing behavior in container mode. |
| internal/system/mount_linux.go | Adds linux-only helper to set / mount propagation to rshared. |
| internal/system/host.go | Adds container detection + mount/cgroup setup helpers. |
| internal/runtime/network/ip.go | Adds host resolv.conf selection/validation and fallback generation; supports container-mode /dev/null. |
| internal/config/flags/flags.go | Adds --container-mode CLI flag. |
| cmd/kubesolo/main.go | Detects container mode, performs mount/cgroup setup, and passes containerMode into services/components. |
| Makefile | Bumps Go Alpine builder image and adds image build/push targets. |
| Dockerfile | Adds a runnable container image definition and usage instructions. |
| .gitignore | Adds .claude/ directory to ignored paths. |
| .dockerignore | Adds dockerignore tuned for building images with dist/kubesolo. |
Comments suppressed due to low confidence (1)
internal/runtime/network/ip.go:126
isValidResolvConf’s docstring says it returns true when the file contains “at least one valid upstream nameserver”, but the implementation returns false on the first invalid `nameserver` entry (even if a valid one exists later). This can incorrectly reject resolv.conf files that contain a mix of loopback and real upstream resolvers. Either update the comment to match the stricter behavior, or change the logic to ignore invalid nameservers and succeed when at least one valid upstream is present.
```go
// isValidResolvConf checks whether a resolv.conf file exists and contains
// at least one valid upstream nameserver (global unicast address).
func isValidResolvConf(path string) bool {
	file, err := os.Open(path)
	if err != nil {
		return false
	}
	defer file.Close()

	nameserver := regexp.MustCompile(`^nameserver\s+([^\s]*)`)
	scanner := bufio.NewScanner(file)
	foundNameserver := false
	for scanner.Scan() {
		ipMatch := nameserver.FindStringSubmatch(scanner.Text())
		if len(ipMatch) == 2 {
			// Behavior flagged above: the first invalid entry rejects the
			// whole file, even when a valid upstream follows it.
			if !isValidNameserver(ipMatch[1]) {
				return false
			}
			foundNameserver = true
		}
	}
	// The snippet as quoted on the page ends inside the loop; the closing
	// lines here follow from the foundNameserver flag declared above.
	return foundNameserver
}
```
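The lenient variant Copilot suggests, as an added example that is not code from the PR: invalid and loopback `nameserver` entries are skipped and the scan succeeds once a global unicast upstream is found. It parses resolv.conf content from a string so it runs without touching the filesystem; `isUpstreamNameserver` is an assumed stand-in for the PR's unshown `isValidNameserver`.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// nameserverLine matches "nameserver <addr>" entries in resolv.conf.
var nameserverLine = regexp.MustCompile(`^\s*nameserver\s+(\S+)`)

// isUpstreamNameserver reports whether addr is a usable upstream resolver:
// a parseable IP that is global unicast (not loopback, link-local, or
// unspecified). A loopback stub such as 127.0.0.53 is unreachable from a
// container that reuses the host's resolv.conf, so it must not count.
// Assumed helper; the PR's isValidNameserver is not shown on the page.
func isUpstreamNameserver(addr string) bool {
	ip := net.ParseIP(strings.Trim(addr, "[]"))
	return ip != nil && ip.IsGlobalUnicast()
}

// hasValidUpstream scans resolv.conf content and returns true as soon as
// one upstream nameserver is found. Invalid or loopback entries are skipped
// instead of rejecting the whole file, which matches the docstring's
// "at least one valid upstream nameserver" contract.
func hasValidUpstream(content string) bool {
	scanner := bufio.NewScanner(strings.NewReader(content))
	for scanner.Scan() {
		m := nameserverLine.FindStringSubmatch(scanner.Text())
		if len(m) != 2 {
			continue // not a nameserver line
		}
		if isUpstreamNameserver(m[1]) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs: a systemd-resolved stub followed by a real
	// upstream, and a file with only the stub.
	mixed := "search example.internal\nnameserver 127.0.0.53\nnameserver 10.0.0.2\n"
	loopbackOnly := "nameserver 127.0.0.53\n"
	fmt.Println(hasValidUpstream(mixed), hasValidUpstream(loopbackOnly)) // true false
}
```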
yajith approved these changes Mar 16, 2026
No description provided.