Comments (8)
Hey @kgunjikar, thanks for the issue! This should be fixed by #30. Mind taking a peek?
from k8s-sidecar-injector.
Thanks for the response. If you could please add a sample config, it would be great.
from k8s-sidecar-injector.
> Thanks for the response. If you could please add a sample config, it would be great.
https://github.com/tumblr/k8s-sidecar-injector/pull/30/files#diff-67e99b25c650f7fe0288309c725f40ad is used by the unit tests to assert that the serviceAccountName is overwritten (https://github.com/tumblr/k8s-sidecar-injector/pull/30/files#diff-31dfa6243f3cee9b9b95fdc19408f98b is the generated response). Just serviceAccountName should be enough to make it work. Your log output makes me think either it isn't using the PR code 🤔
from k8s-sidecar-injector.
Hmm, maybe I'm missing some config wrt service account. Will get back
from k8s-sidecar-injector.
I can see the serviceAccount but it doesn't mount in the container. There is nothing in the /var/run/secrets
Codewise, do we need to add a specific volume-mount for the serviceAccount?
```
I1024 02:32:21.459356 1 webhook.go:493] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/-","value":{"name":"sidecar-wiper","image":"diamanti/wiper:0.2","ports":[{"containerPort":80}],"env":[{"name":"ENV_IN_SIDECAR","value":"test-in-sidecar"},{"name":"HELLO","value":"world"},{"name":"TEST","value":"test_that"}],"resources":{},"volumeMounts":[{"name":"test-vol","mountPath":"/tmp/test"}],"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}},{"op":"add","path":"/spec/containers/0/env","value":[{"name":"HELLO","value":"world"}]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"TEST","value":"test_that"}},{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"test-vol","mountPath":"/tmp/test"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"test-vol","configMap":{"name":"test-config"}}},**{"op":"replace","path":"/spec/serviceAccountName","value":"default"},**{"op":"add","path":"/metadata/annotations/injector.tumblr.com~1status","value":"injected"}]
I1024 02:32:21.459650 1 webhook.go:571] Ready to write reponse ...
172.16.190.12 - - [24/Oct/2019:02:32:21 +0000] "POST /mutate?timeout=30s HTTP/2.0" 200 1389 "" "kube-apiserver-admission"
172.16.190.14 - - [24/Oct/2019:02:32:27 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"
```
```
-bash-4.2$ kubectl exec -it debian-debug -c sidecar-wiper /bin/bash
[root@debian-debug /]# ls
anaconda-post.log bin dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
[root@debian-debug /]# cd /var/run/
[root@debian-debug run]# ls
console cryptsetup faillock lock log secrets sepermit setrans systemd user utmp
[root@debian-debug run]# cd secrets/
[root@debian-debug secrets]# ls
[root@debian-debug secrets]# exit
```
from k8s-sidecar-injector.
@kgunjikar that seems like the correct config. The kubernetes Service account controller should handle creating the volumemount when we attach the service account to the pod. Can you show the pod's full yaml after injection? This can show whether the pod actually has mounts and SAs configured.
There is an outside possibility that the version of k8s you are running is not rerunning the Service account controller after we mutate the pod, so the SA volumes do not get added to the pod when we inject the serviceAccountName field. There was a bug that was supposedly fixed in 1.15 but I have not verified it myself.
from k8s-sidecar-injector.
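The check requested in the comment above (does the injected pod actually have the service account token volume and its mounts), as an added example that is not part of the thread or the project's code. The pod is constructed from the names in the log; the container name `app` and the volume name `default-token-abcde` are made up.

```python
# Standard in-container path where Kubernetes mounts the service account token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def token_volume_names(spec):
    """Names of pod volumes that can carry a service account token."""
    names = set()
    for vol in spec.get("volumes", []):
        sources = vol.get("projected", {}).get("sources", [])
        if "secret" in vol or any("serviceAccountToken" in s for s in sources):
            names.add(vol["name"])
    return names


def containers_missing_sa_token(pod):
    """Return the names of containers that lack a usable token mount."""
    spec = pod["spec"]
    if spec.get("automountServiceAccountToken") is False:
        return []  # automount disabled on the pod: no mount is expected
    volumes = token_volume_names(spec)
    missing = []
    for c in spec.get("containers", []):
        mounted = any(
            m.get("mountPath") == SA_TOKEN_PATH and m.get("name") in volumes
            for m in c.get("volumeMounts", [])
        )
        if not mounted:
            missing.append(c["name"])
    return missing


def sample_pod(with_token_volume):
    """Constructed pod resembling the injected pod in the thread."""
    mounts = [{"name": "test-vol", "mountPath": "/tmp/test"}]
    volumes = [{"name": "test-vol", "configMap": {"name": "test-config"}}]
    if with_token_volume:
        tok = "default-token-abcde"  # made-up name for the example
        mounts.append({"name": tok, "mountPath": SA_TOKEN_PATH, "readOnly": True})
        volumes.append({"name": tok, "secret": {"secretName": tok}})
    containers = [{"name": n, "volumeMounts": list(mounts)}
                  for n in ("app", "sidecar-wiper")]
    return {"spec": {"serviceAccountName": "default",
                     "containers": containers, "volumes": volumes}}


if __name__ == "__main__":
    print(containers_missing_sa_token(sample_pod(False)))  # symptom in the thread
    print(containers_missing_sa_token(sample_pod(True)))   # token volume present
```

For a live pod, pass the parsed output of `kubectl get pod <name> -o json` to `containers_missing_sa_token`.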
My apologies, it was 1.14.3. With 1.15.3 it works. Thanks for the help
from k8s-sidecar-injector.
@kgunjikar that's great, I am glad you got it sorted out! 😄
from k8s-sidecar-injector.