Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

injector: add new injectedAnnotations to support PSP #17334

Merged
merged 2 commits into from
Oct 9, 2019
Merged

injector: add new injectedAnnotations to support PSP #17334

merged 2 commits into from
Oct 9, 2019

Conversation

howardjohn
Copy link
Member

Add a new injectedAnnotations setting for the injector. Any annotations
here will be added to the final pod spec. This is required for PSPs to
work. See #17331 for details.

Note - a lot of changes here are to existing tests just to allow setting
all config options on the webhook rather than just the template.

Fixes #17331

@howardjohn
injector: add new injectedAnnotations to support PSP
98be1dd 
Add a new injectedAnnotations setting for the injector. Any annotations
here will be added to the final pod spec. This is required for PSPs to
work. See istio#17331 for details.

Note - a lot of changes here are to existing tests just to allow setting
all config options on the webhook rather than just the template.
@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Sep 24, 2019
@istio-testing istio-testing added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Sep 24, 2019
morvencao
morvencao reviewed Sep 24, 2019
View reviewed changes
pkg/kube/inject/webhook.go Outdated
@@ -460,7 +461,16 @@ func addLabels(target map[string]string, added map[string]string) []rfc6902Patch
}

func updateAnnotation(target map[string]string, added map[string]string) (patch []rfc6902PatchOperation) {
for key, value := range added {
log.Errorf("howardjohn: added %v", added)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove this debugging message?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is his secret plan for becoming famous and getting his name printed on all the elasticsearches and splunks in the planet :P

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You caught me... just reverted

@howardjohn
Copy link
Member Author

/retest

@howardjohn
Copy link
Member Author

@rshriram mind approving the changes to injector? (we should probably add an owner to this)

@howardjohn
Copy link
Member Author

/test gencheck_istio

@howardjohn
Copy link
Member Author

/retest

@istio-testing istio-testing merged commit 245e0b7 into istio:master Oct 9, 2019
@howardjohn howardjohn mentioned this pull request Oct 15, 2019
Merged
@ayj ayj mentioned this pull request Oct 21, 2019
Closed
@thecodejunkie
Copy link

thecodejunkie commented Nov 25, 2019
edited
Loading

@howardjohn

I can't for the life of me figure out the syntax for passing in values to the sidecarInjectorWebhook.injectedAnnotations parameter, to set the apparmor annotation 🙂My issue is that the "key" part contains dot-notation so it attempts to split it up no matter how I try to encapsulate it

Using Helm I think the proper way is to encapsulate it in quotes and escape dots

istioctl manifest generate \
    --set cni.enabled=true \
    --set values.sidecarInjectorWebhook.injectedAnnotations."container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy"=runtime/default \
    --output ./generated

However this results in a mess in the actual manifest

injectedAnnotations:
  "container\": "map[apparmor\:map[security\:map[beta\:map[kubernetes\:map[io/istio-proxy:runtime/default]]]]]"

Doesn't matter if I try to escape the dots or not

Thanks!

@howardjohn
Copy link
Member Author

@thecodejunkie adding complex stuff like this is really painful with helm --set and may not even be possible with istioctl.. I am not sure. What I would recommend is just to use a file. This will work:

ik manifest generate -f <(echo 'apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  values:
    sidecarInjectorWebhook:
      injectedAnnotations:
        container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default')

@richardwxn is this the expected behavior?

@thecodejunkie
Copy link

@howardjohn thanks for the update! I believe setting it with helm --set should work if you use the syntax that I used above https://stackoverflow.com/a/50399612 but it might be that istioctl incorrectly (?) handles the escaping? You offered solution definitly works as it saves me from having to manually edit the configmap afterwards (eww to manual steps in a setup process 😄)

@howardjohn
Copy link
Member Author

Yeah the istioctl set is not as complete as helm, might not be supported. Let me open an issue for this so we don't loose the info here

@howardjohn howardjohn mentioned this pull request Nov 25, 2019
Closed
@thecodejunkie
Copy link

@howardjohn awesome! Thanks

What would be the proper way to move the cni.enabled=true config into that file? Straight under values?

k manifest generate -f <(echo 'apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  values:
    cni:
      enabled: true
    sidecarInjectorWebhook:
      injectedAnnotations:
        container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default')

@howardjohn
Copy link
Member Author

@thecodejunkie youll want to do

k manifest generate -f <(echo 'apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  cni:
    enabled: true
  values:
    sidecarInjectorWebhook:
      injectedAnnotations:
        container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default')

The --set path is basically just a flattened version of the ICP CRD. It is admittedly a bit confusing where things should be under values and when things shouldn't, we are still iterating on this and trying to improve

@thecodejunkie
Copy link

thecodejunkie commented Nov 25, 2019
edited
Loading

Thanks! I guess one way to think about it is if it's in a "sub-chart" then it goes under values

@rlenglet rlenglet mentioned this pull request Dec 5, 2019
Closed
howardjohn added a commit to howardjohn/istio that referenced this pull request Jan 12, 2020
@howardjohn @istio-testing
Backport changes (istio#433)
d14e006 
* istio#16223

* istio#16272

* istio#16187

* istio#16466

* istio#16634

* istio#16594

* istio#16666

* istio#16483

* istio#16820

* istio#16842

* istio#16852

* istio#16835

* istio#16863

* istio#16892

* istio#16991

* istio#16957

* istio#17013

* istio#17134

* istio#17155

* istio#17235

* istio#17342

* istio#17477

* istio#17615

* istio#17334

* istio#17708

* istio#17737

* Fix injection template

* Fix quoting

* Fix test values

* Add accidentally deleted affinity
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@morvencao morvencao morvencao approved these changes

@rshriram rshriram rshriram approved these changes

@geeknoid geeknoid Awaiting requested review from geeknoid

@linsun linsun Awaiting requested review from linsun

Assignees

@rshriram rshriram

@geeknoid geeknoid

Labels
cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Extend injection template to support injecting custom annotations
7 participants
@howardjohn @thecodejunkie @morvencao @rshriram @googlebot @geeknoid @istio-testing