v1.10 AlwaysPullImages admission control order breaks MutatingAdmissionWebhook functionality like Istio #64333
Description
Is this a BUG REPORT or FEATURE REQUEST?:
Uncomment only one, leave it on its own line:
/kind bug
/kind feature
What happened:
In v1.10, 7c5f9e0 introduced the ability to not worry about admission control order because it's handled here
AlwaysPullImages is before MutatingAdmissionWebhook. When trying to use Istio sidecar injection, the pod fails to initialize stating
Error creating: pods "sleep-86f6b99f94-qxvq6" is forbidden: spec.initContainers[0].imagePullPolicy: Unsupported value: "IfNotPresent": supported values: "Always"
In v1.9, everything works as expected when placing AlwaysPullImages after MutatingAdmissionWebhook. If you put AlwaysPullImages before MutatingAdmissionWebhook, the same error above occurs.
What you expected to happen:
In v1.10, when AlwaysPullImages and MutatingAdmissionWebhook are turned on, sidecar injection like Istio should work.
How to reproduce it (as minimally and precisely as possible):
- In v1.10, enable
AlwaysPullImagesandMutatingAdmissionWebhookadmission controllers. - Install latest Istio
- Enable sidecar injection
- Enabled istio injection on a namespace ie
kubectl label namespace default istio-injection=enabled - Deploy anything in that namespace
- Run
kubectl describe rs [REPLICA_SET_NAME]. You should see error events similar toError creating: pods "sleep-86f6b99f94-qxvq6" is forbidden: spec.initContainers[0].imagePullPolicy: Unsupported value: "IfNotPresent": supported values: "Always" - Turning off
AlwaysPullImagesseems to fix Istio
Anything else we need to know?:
Environment:
- Kubernetes version (use
kubectl version): v1.10.3 - Cloud provider or hardware configuration: acs-engine
- OS (e.g. from /etc/os-release):
- Kernel (e.g.
uname -a): - Install tools:
- Others: