build(controller)!: eliminate policy-controller image #14348
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
olix0r
force-pushed
the
ver/no-policy-controller-image
branch
2 times, most recently
from
6534a37 to
d83177a
Compare
Long ago, the policy-controller image shipped with a distroless base image, but we have since been able to remove all runtime dependencies and ship with a scratch image. There's no reason to manage this binary seperately from the rest of the controller. This change moves the controller/Dockerfile to Dockerfile.controller, and it is updated to subsume the policy-controller/Dockerfile. This should *not* impact users, except to reduce the overhead of extra image pulls. BREAKING CHANGE: with this change, we no longer ship a seperate policy-controller image.
olix0r
force-pushed
the
ver/no-policy-controller-image
branch
from
d83177a to
083a165
Compare
We frequently hit flakes and have to retry failed jobs. We do not disable fail-fast so, when a job fails, we cancel all other in-flight tests. It's preferable to let all jobs have a chance to pass to reduce redundant work.
olix0r
changed the title
sfleen
approved these changes
Aug 13, 2025
alpeb
reviewed
Aug 13, 2025
cratelyn
approved these changes
Aug 13, 2025
cratelyn
added a commit
to linkerd/linkerd2-proxy
that referenced
this pull request
Dec 5, 2025
see linkerd/linkerd-proxy#4333 for previous context. this commit makes changes to the Dockerfile provided in this repository, for use in the proxy's development process. rather than using `debian:bookworm-slim` as the base image, this commit helps deduplicate the tricky business of setting networking capabilities on executables needed when running as an init container. this has one negative consequence, which is that we can no longer attach to a `bash` shell in a running pod when using this image. this is unfortunate, but in my experience isn't often needed by proxy developers. i believe that, should we need to revisit the need for a shell in this image, we should do instead make use of the `Dockerfile-debug` image provided in the linkerd2 repo. if we ran a command like `just docker --build-arg LINKERD2_IMAGE='ghcr.io/linkerd/debug:edge-25-11.3'` we could specify the debug image as a base image instead, providing developers not only with a shell, but also other helpful utilities like `curl`, `tcpdump`, and so on. unfortunately, this does not work today, because the image appears to no longer be published, and has drifted from our latest edge release. i have not pulled on that string further at the time of writing. one explicit _benefit_ of the changes in this commit is that we bring proxy development closer to the real world, meaning that CI in this repository runs using the same image that the proxy will run inside of in the linkerd2 repository and in typical clusters. --- * linkerd/linkerd2#14348 * linkerd/linkerd2#14577 * linkerd/linkerd-proxy#4333 Signed-off-by: katelyn martin <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Long ago, the policy-controller image shipped with a distroless base image, but we have since been able to remove all runtime dependencies and ship with a scratch image. There's no reason to manage this binary seperately from the rest of the controller.
This change moves the controller/Dockerfile to Dockerfile.controller, and it is updated to subsume the policy-controller/Dockerfile.
This should not impact users, except to reduce the overhead of extra image pulls.
BREAKING CHANGE: with this change, we no longer ship a seperate policy-controller image and the policyController.image helm values are no longer honored.