Update the proxy injector MWC to include reinvocationPolicy #3750
Comments
To ensure backward compatibility, this property should only be added if users are on K8s 1.15+. The logic that copies the primary container's security context to the sidecar container in |
@ihcsim LimitRanger and PSP will participate during the reinvocation by default (after k8s 1.15) and will set the defaults on the sidecar, no config changes needed. We want to leave the injector's |
@alpeb I see what you mean - we will need to set this policy for our MWC if the proxy injector needs to be reinvoked. Closing this issue. |
Not sure why this was closed. It would be good if linkerd did support |
@jroper that makes sense. Although currently when the proxy injector runs and detects the pod has already been injected, it'll bail out, so this will require extra modifications besides making |
* Integration test for proxy-injector reinvocation Preliminary for #3750 and #6267 This uses a generic [kubemod](https://github.com/kubemod/kubemod), a generic mutating webhook, in a new integration test to prove that the proxy-injector is ignoring changes made by webhooks run after it. Once we implement reinvocation for the injector, this test should also be changed to reflect that.
Fixes #3750 and partially #6267 As of k8s 1.15 mutating webhooks can be reinvoked whenever another mutating webhook running after the current one mutates the pod being persisted. Enabling reinvocation for the injector will allow configuring the proxy with annotations generated by such other mutating webhooks. The implementation consists of adding "remove" statements into the json patch returned by the injector, implemented mostly in the new file `pkg/inject/pod_patch.go` which now holds the `podPatch`, moved from `pkg/inject/inject.go`. This also updates the "reinvocation" integration test introduced in #6309 to properly verify the reinvocation is happening. This also means the "existing proxy sidecar" check is no longer relevant, and has been limited to "existing 3rd party sidecar". Possible followup: refactor the CLI inject and uninject commands to properly leverage the cleanup done by this patch.
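The remove-then-add patch shape described in that PR, as an added example that is not the project's code (Linkerd's real implementation is in `pkg/inject/pod_patch.go` and is not reproduced here). `ApplyPatch` is a minimal stand-in for the API server applying a webhook's JSON patch; `InjectPatch` builds a reinvocation-safe patch that first emits `remove` ops for containers left by an earlier invocation (highest index first, so the indices of the remaining ops stay valid) and then re-adds them from the pod's current annotations; `Simulate` plays out injector, then a constructed third-party webhook that annotates the pod, then the injector's reinvocation, which is the sequence the kubemod integration test exercises. The container names `linkerd-proxy`/`linkerd-init` and the annotation `config.linkerd.io/proxy-log-level` are used only as illustration; the image names, the `LINKERD2_PROXY_LOG` mapping, the sample pod and the third-party webhook's patch are all constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Op is one RFC 6902 JSON Patch operation; an injector patch only needs add and remove.
type Op struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// ApplyPatch applies ops in order, as the API server does with a webhook response. Minimal
// applier: add/remove on object keys, remove by array index, add with "-" to append.
func ApplyPatch(pod map[string]interface{}, ops []Op) (map[string]interface{}, error) {
	for _, op := range ops {
		toks := strings.Split(strings.TrimPrefix(op.Path, "/"), "/")
		gp, gk := map[string]interface{}(nil), "" // grandparent map and key: a reallocated slice is stored back there
		var parent interface{} = pod
		for _, t := range toks[:len(toks)-1] {
			obj, ok := parent.(map[string]interface{})
			if !ok || obj[t] == nil {
				return nil, fmt.Errorf("%s: missing %q", op.Path, t)
			}
			gp, gk, parent = obj, t, obj[t]
		}
		key := toks[len(toks)-1]
		switch p := parent.(type) {
		case map[string]interface{}:
			if op.Op == "add" {
				p[key] = op.Value
			} else if _, ok := p[key]; ok {
				delete(p, key)
			} else {
				return nil, fmt.Errorf("%s: nothing to remove", op.Path)
			}
		case []interface{}:
			i, err := strconv.Atoi(key)
			if op.Op == "add" && key == "-" {
				gp[gk] = append(p, op.Value)
			} else if op.Op == "remove" && err == nil && i >= 0 && i < len(p) {
				gp[gk] = append(p[:i], p[i+1:]...)
			} else {
				return nil, fmt.Errorf("%s: unsupported array op %s %q", op.Path, op.Op, key)
			}
		default:
			return nil, fmt.Errorf("%s: cannot index into %T", op.Path, parent)
		}
	}
	return pod, nil
}

const proxyName, initName = "linkerd-proxy", "linkerd-init" // illustrative names

// InjectPatch is reinvocation-safe: it removes proxy/init containers left by an earlier
// invocation (highest index first, so remaining indices stay valid as the patch is applied
// in order), then re-adds them from the pod's current annotations, so a value written by a
// webhook that ran in between replaces the stale first copy instead of being ignored.
func InjectPatch(pod map[string]interface{}) []Op {
	spec, _ := pod["spec"].(map[string]interface{})
	var ops []Op
	for _, list := range []string{"containers", "initContainers"} {
		items, _ := spec[list].([]interface{})
		for i := len(items) - 1; i >= 0; i-- {
			c, _ := items[i].(map[string]interface{})
			if name, _ := c["name"].(string); name == proxyName || name == initName {
				ops = append(ops, Op{Op: "remove", Path: fmt.Sprintf("/spec/%s/%d", list, i)})
			}
		}
	}
	level := "info" // default unless the annotation is present on the pod
	meta, _ := pod["metadata"].(map[string]interface{})
	if ann, ok := meta["annotations"].(map[string]interface{}); ok {
		if v, ok := ann["config.linkerd.io/proxy-log-level"].(string); ok {
			level = v
		}
	}
	env := []interface{}{map[string]interface{}{"name": "LINKERD2_PROXY_LOG", "value": level}}
	ops = append(ops, Op{Op: "add", Path: "/spec/containers/-",
		Value: map[string]interface{}{"name": proxyName, "image": "proxy:example", "env": env}})
	initC := map[string]interface{}{"name": initName, "image": "proxy-init:example"}
	if _, ok := spec["initContainers"]; ok {
		return append(ops, Op{Op: "add", Path: "/spec/initContainers/-", Value: initC})
	}
	return append(ops, Op{Op: "add", Path: "/spec/initContainers", Value: []interface{}{initC}})
}

// Simulate plays out one admission under reinvocationPolicy: IfNeeded: injector, then a
// constructed third-party webhook that annotates the pod, then the injector again. Returns
// the proxy's final log level and how many linkerd-proxy containers the pod ends up with.
func Simulate() (string, int, error) {
	var pod map[string]interface{} // constructed sample pod
	in := `{"metadata":{"name":"web"},"spec":{"containers":[{"name":"app","image":"app:example"}]}}`
	if err := json.Unmarshal([]byte(in), &pod); err != nil {
		return "", 0, err
	}
	annotate := []Op{{Op: "add", Path: "/metadata/annotations",
		Value: map[string]interface{}{"config.linkerd.io/proxy-log-level": "debug"}}}
	pod, err := ApplyPatch(pod, InjectPatch(pod)) // 1st invocation: no annotation yet, level "info"
	if err == nil {
		pod, err = ApplyPatch(pod, annotate) // a webhook ordered after the injector annotates the pod
	}
	if err == nil {
		pod, err = ApplyPatch(pod, InjectPatch(pod)) // reinvocation: stale proxy removed, re-added as "debug"
	}
	if err != nil {
		return "", 0, err
	}
	level, count := "", 0
	for _, c := range pod["spec"].(map[string]interface{})["containers"].([]interface{}) {
		if cm := c.(map[string]interface{}); cm["name"] == proxyName {
			count++
			level = cm["env"].([]interface{})[0].(map[string]interface{})["value"].(string)
		}
	}
	return level, count, nil
}
```

Two things to check when writing such a patch for real: an injector that bails out on an already-injected pod (the behaviour the thread describes) would return no patch on reinvocation and the later webhook's annotations would never reach the proxy, and removing from the lowest index first would shift the indices of the remaining `remove` ops, so the order of the `remove` statements is part of the patch's correctness, not just style.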
K8s 1.15 introduces the reinvocationPolicy in the MWC and VWC allowing the webhook to be re-evaluated during a single admission request. This will ensure defaults defined by certain admission controllers like PodSecurityPolicy and LimitRanger are automatically added to the Linkerd proxy and proxy-init containers. We should update the MWC template to include this property with the value IfNeeded, so that K8s 1.15+ users can take advantage of it.
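What the requested template change looks like, as an added example rather than Linkerd's own MWC template: a MutatingWebhookConfiguration for the injector with `reinvocationPolicy: IfNeeded` set. The configuration and webhook names, service coordinates, rules and the `caBundle` placeholder are assumed for illustration. Two caveats a practitioner should keep in mind: the field exists only on MutatingWebhookConfiguration (a validating webhook has nothing to re-run after a mutation), and it was introduced in the `v1beta1` API with 1.15, so a 1.15 cluster needs `admissionregistration.k8s.io/v1beta1` where `v1` is shown below. The default is `Never`, and once `IfNeeded` is set the webhook can be called more than once in one admission request, so its patch has to be idempotent.

```yaml
apiVersion: admissionregistration.k8s.io/v1   # use v1beta1 on a 1.15 cluster
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config   # assumed name
webhooks:
- name: linkerd-proxy-injector.linkerd.io       # assumed name
  clientConfig:
    service:
      name: linkerd-proxy-injector              # assumed service
      namespace: linkerd
      path: /
    caBundle: ""                                 # placeholder, filled by the install
  rules:
  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  sideEffects: None
  admissionReviewVersions: ["v1", "v1beta1"]
  failurePolicy: Ignore
  # Default is Never: the injector runs once and never sees what webhooks ordered
  # after it (or LimitRanger/PSP defaulting) added. IfNeeded makes the API server
  # call it again in the same request if a later webhook mutated the pod.
  reinvocationPolicy: IfNeeded
```

After applying the change, `kubectl get mutatingwebhookconfiguration <name> -o jsonpath='{.webhooks[*].reinvocationPolicy}'` is a quick way to confirm the field was persisted rather than dropped by an older API server that does not know it.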