Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rejects admission for system namespaces #25

Closed
DukeyToo opened this issue Dec 26, 2019 · 3 comments
Closed

Rejects admission for system namespaces #25

DukeyToo opened this issue Dec 26, 2019 · 3 comments

Comments

@DukeyToo
Copy link

The check for system namespaces rejects the admission request, even though the annotations are not present, because the namespace check occurs before the shouldInject check. This results in system components being unable to deploy.

vault-k8s/agent-inject/handler.go

Lines 120 to 124 in 15de548

h.Log.Debug("checking namespaces..")
if strutil.StrListContains(kubeSystemNamespaces, req.Namespace) {
err := fmt.Errorf("error with request namespace: cannot inject into system namespaces: %s", req.Namespace)
return admissionError(err)
}

(the shouldInject check should happen prior to the namespace check)
@DukeyToo
Copy link
Author

Looks like #24 will fix, if merged

@jasonodonnell
Copy link
Contributor

#24 will be merged once reviewed and released. For now namespaceSelector should be utilized to scope the eligible namespaces for injection.

@jasonodonnell
Copy link
Contributor

jasonodonnell commented Jan 2, 2020
edited
Loading

This has been fixed in vault-k8s:0.1.1, please update your injector deployment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@DukeyToo @jasonodonnell