imagePullPolicy for the injected agent image fails admission control #44
Comments
Hi @goffinf, this is interesting because we aren't actually setting the pull policy for the init container: https://github.com/hashicorp/vault-k8s/blob/master/agent-inject/agent/container_init_sidecar.go#L57-L70. Regardless I think this is a good option to have. As a workaround, I think you can set
Hey Jason, I can confirm that using the latest tag does default the imagePullPolicy to 'Always' and thus is a reasonable workaround for now. Clearly we want to remove that when this enhancement is implemented and merged.
Even make it configurable, default to Thanks
@jasonodonnell, one of the use-cases of not using Like @prune998 mentioned, this should be a change in the helm templates. I can take a stab at it if it's not in the works (and it seems there's no design consideration on limiting the pull policy based on the above discussion). I however am not familiar with Go to contribute to the agent-inject part in this repo (will still read through if I can)
We're having a related issue. We deployed a POD annotated for secrets and I see the init and agent containers when I describe the POD, but the POD is failing on ImagePullBackOff even though the image already exists on the node.
In v1.1.0 we added support for JSON-patch via annotations. You should now be able to specify the vault-agent Example:

```yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-json-patch: '[{"op": "replace", "path": "/imagePullPolicy", "value": "IfNotPresent"}]'
```
The following message is output when deploying a test application with the vault-k8s annotations:
Pods "vault-k8s-agent-webhook-demo-5b945c994b-g8xfn" is forbidden: spec.initContainers[0].imagePullPolicy: Unsupported value: "IfNotPresent": supported values: "Always"; Deployment does not have minimum availability.
We have admission controllers applied to the cluster in this order:
...,AlwaysPullImages,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,...
We have tried moving AlwaysPullImages to come AFTER MutatingAdmissionWebhook but that didn't help (same error).
Looking at injector-deployment.yaml I wonder whether it would be possible for you to expose the imagePullPolicy for the agent image as you do for the injector itself?
Regards
Fraser Goffin
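
The following is an added example, not code from the issue or from vault-k8s: a pre-deployment check that applies the rule stated in the error message above (only "Always" is accepted) to every container in a pod spec, then shows the effect of a JSON-patch `replace` op like the one in the v1.1.0 comment. The pod spec, container names and images are constructed placeholders, and the `names` argument is a hypothetical stand-in for whichever injected containers a given annotation actually patches.

```python
import json

# Constructed sample of a pod spec after agent injection (placeholder names/images).
POD = {"spec": {
    "initContainers": [
        {"name": "vault-agent-init", "image": "example/vault:placeholder",
         "imagePullPolicy": "IfNotPresent"}],
    "containers": [
        {"name": "app", "image": "example/app:placeholder",
         "imagePullPolicy": "Always"},
        {"name": "vault-agent", "image": "example/vault:placeholder",
         "imagePullPolicy": "IfNotPresent"}],
}}

# Same patch shape as the annotation value on this page, with "Always" as the value.
PATCH_ALWAYS = '[{"op": "replace", "path": "/imagePullPolicy", "value": "Always"}]'


def always_pull_violations(pod):
    """Return one message per container whose pull policy is not "Always"."""
    errors = []
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(pod["spec"].get(kind, [])):
            policy = c.get("imagePullPolicy", "<unset>")
            if policy != "Always":
                errors.append(
                    f'spec.{kind}[{i}].imagePullPolicy: Unsupported value: '
                    f'"{policy}": supported values: "Always"')
    return errors


def apply_replace_patch(container, patch_json):
    """Apply RFC 6902 'replace' ops with single-segment paths to a copy."""
    patched = dict(container)
    for op in json.loads(patch_json):
        key = op["path"].lstrip("/")
        # 'replace' requires the target to exist; reject anything else.
        if op["op"] != "replace" or "/" in key or key not in patched:
            raise ValueError(f"unsupported or invalid op: {op}")
        patched[key] = op["value"]
    return patched


def patch_injected(pod, names, patch_json):
    """Return a copy of pod with the patch applied to the named containers."""
    spec = {kind: [apply_replace_patch(c, patch_json) if c["name"] in names else c
                   for c in containers]
            for kind, containers in pod["spec"].items()}
    return {"spec": spec}
```

Run `always_pull_violations` on the rendered pod before applying it: a patch whose value is `IfNotPresent` leaves both injected containers flagged, while the same patch with `Always` clears them.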