
imagePullPolicy for the injected agent image fails admission control #44

Closed
goffinf opened this issue Jan 10, 2020 · 6 comments
Labels
bug Something isn't working enhancement New feature or request injector Area: mutating webhook service

Comments

@goffinf

goffinf commented Jan 10, 2020

The following message is output when deploying a test application with the vault-k8s annotations:

Pods "vault-k8s-agent-webhook-demo-5b945c994b-g8xfn" is forbidden: spec.initContainers[0].imagePullPolicy: Unsupported value: "IfNotPresent": supported values: "Always"; Deployment does not have minimum availability.

We have admission controllers applied to the cluster in this order:

...,AlwaysPullImages,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,...

We have tried moving AlwaysPullImages to come AFTER MutatingAdmissionWebhook but that didn't help (same error).

Looking at injector-deployment.yaml, I wonder whether it would be possible for you to expose the imagePullPolicy for the agent image as you do for the injector itself?

      containers:
        - name: sidecar-injector
          {{ template "injector.resources" . }}
          image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
          imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
          env:
            - name: AGENT_INJECT_LISTEN
              value: ":8080"
            - name: AGENT_INJECT_LOG_LEVEL
              value: {{ .Values.injector.logLevel | default "info" }}
            - name: AGENT_INJECT_VAULT_ADDR
              value: {{ .Values.server.addr }}
            - name: AGENT_INJECT_VAULT_IMAGE
              value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
            ...
            # MAYBE SOMETHING LIKE THIS ???
            ...
            - name: AGENT_INJECT_VAULT_IMAGE_PULLPOLICY
              value: "{{ .Values.injector.agentImage.pullPolicy }}"

Regards

Fraser Goffin

@goffinf goffinf changed the title imagePullPolicy for the injected agent image fails admissions control imagePullPolicy for the injected agent image fails admission control Jan 10, 2020
@jasonodonnell
Contributor

Hi @goffinf, this is interesting because we aren't actually setting the pull policy for the init container: https://github.com/hashicorp/vault-k8s/blob/master/agent-inject/agent/container_init_sidecar.go#L57-L70. Regardless, I think this is a good option to have.

As a workaround, I think you can set .Values.injector.agentImage.tag to "latest"; Kube will default to "Always" in this case.

@jasonodonnell jasonodonnell added bug Something isn't working enhancement New feature or request labels Jan 13, 2020
@goffinf
Author

goffinf commented Jan 16, 2020

Hey Jason,

I can confirm that using the latest tag does default the imagePullPolicy to 'Always' and thus is a reasonable workaround for now. Clearly we want to remove that when this enhancement is implemented and merged.

@tvoran tvoran added the injector Area: mutating webhook service label Jan 22, 2020
@prune998

Even make it configurable: default to Always, or allow it to be changed using an annotation.
It seems so trivial; I can PR it if you want.

Thanks

@SohamJ

SohamJ commented Jan 13, 2021

> I can confirm that using the latest tag does default the imagePullPolicy to 'Always' and thus is a reasonable workaround for now. Clearly we want to remove that when this enhancement is implemented and merged.

@jasonodonnell, one of the use-cases of not using latest was to pin specific versions to know which versions were running in each of our kubernetes clusters/environments. That way, we could easily track the updates across our SDLC process. We also had an edge case where we had to compile and build an s390x arch agent to support our zLinux k8s workloads, which had a specific version associated to it.

Like @prune998 mentioned, this should be a change in the helm templates. I can take a stab at it if it's not in the works (and it seems there's no design consideration on limiting the pull policy based on the above discussion).

I, however, am not familiar enough with Go to contribute to the agent-inject part of this repo (I will still read through it if I can).

@jghal

jghal commented Jun 18, 2021

We're having a related issue. We deployed a POD annotated for secrets and I see the init and agent containers when I describe the POD, but the POD is failing on ImagePullBackOff even though the image already exists on the node.

@benashz
Contributor

benashz commented Nov 22, 2022

In v1.1.0 we added support for JSON-patch via annotations. You should now be able to specify the vault-agent ImagePullPolicy from the vault.hashicorp.com/agent-json-patch annotation.

Example:

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-json-patch: '[{"op": "replace", "path": "/imagePullPolicy", "value": "IfNotPresent"}]'
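
The following is an added example, not part of this thread or of vault-k8s, that models the three pieces discussed above: Kubernetes' image-tag defaulting (why the "latest" workaround yields "Always"), the agent-json-patch annotation applied as an RFC 6902 patch to the injected container, and the validate phase of the AlwaysPullImages admission plugin that produced the error in the first post. Container names, image tags and the pod skeleton are constructed; the patch applier only handles top-level container fields.

```python
import json
# Constructed model (not vault-k8s code) of the flow discussed in this thread: the
# injector adds an agent container, Kubernetes defaults its imagePullPolicy, the
# agent-json-patch annotation may override it, and AlwaysPullImages' validate phase
# rejects anything other than "Always".
PATCH_ANNOTATION = "vault.hashicorp.com/agent-json-patch"
def default_pull_policy(image: str) -> str:
    """Kubernetes defaulting: ':latest' or an untagged image -> Always, else IfNotPresent."""
    ref = image.rsplit("/", 1)[-1]          # strip registry/repository path
    tag = ref.split(":", 1)[1] if ":" in ref else "latest"
    return "Always" if tag == "latest" else "IfNotPresent"

def apply_json_patch(container: dict, patch: list) -> dict:
    """Minimal RFC 6902 add/replace/remove on top-level container fields."""
    out = dict(container)
    for op in patch:
        key = op["path"].lstrip("/")
        if not key or "/" in key:
            raise ValueError(f"unsupported path {op['path']!r}")
        if op["op"] == "replace" and key not in out:
            raise KeyError(f"replace on missing path {op['path']}")
        if op["op"] in ("add", "replace"):
            out[key] = op["value"]
        elif op["op"] == "remove":
            del out[key]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return out

def inject_agent(pod: dict, agent_image: str) -> dict:
    """Mutating-webhook step: add the agent init container, then apply the patch."""
    agent = {"name": "vault-agent-init", "image": agent_image,
             "imagePullPolicy": default_pull_policy(agent_image)}
    raw = pod["metadata"].get("annotations", {}).get(PATCH_ANNOTATION)
    if raw:
        agent = apply_json_patch(agent, json.loads(raw))
    pod["spec"].setdefault("initContainers", []).insert(0, agent)
    return pod

def always_pull_images_validate(pod: dict) -> list:
    """Validate phase of AlwaysPullImages: field paths whose policy is not 'Always'."""
    return [f"spec.{f}[{i}].imagePullPolicy" for f in ("initContainers", "containers")
            for i, c in enumerate(pod["spec"].get(f, []))
            if c.get("imagePullPolicy") != "Always"]

def admit(agent_image: str, annotations: dict) -> list:
    """Run one constructed pod through the injector model and the validate check."""
    pod = {"metadata": {"annotations": annotations}, "spec": {"containers": [
           {"name": "app", "image": "demo:1.0", "imagePullPolicy": "Always"}]}}
    return always_pull_images_validate(inject_agent(pod, agent_image))
```

On a cluster running AlwaysPullImages, the annotation value from the comment above ("IfNotPresent") is still rejected; the patch has to set "Always" there, which is what the pinned-tag case in this model shows.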

@benashz benashz closed this as completed Nov 22, 2022

7 participants