Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

POD not getting sidecar even though injection is requested #61

Open
borajuanjo opened this issue Mar 23, 2022 · 3 comments
Open

POD not getting sidecar even though injection is requested #61

borajuanjo opened this issue Mar 23, 2022 · 3 comments

Comments

@borajuanjo
Copy link

borajuanjo commented Mar 23, 2022
edited
Loading

What's going on?

PODs are not getting sidecars, even though the injection is requested. Funnily I got it to work once on a training cluster, and then I deleted the cluster and I can't get it to work again.

Expected Behavior

PODs should get created with sidecar.

Reproducer

I just went through the documentation step by step, and I can't identify what I'm doing wrong, or what I did differently that one time I got it to work.

Here are some logs for when the debian-debug POD gets deployed, but no sidecar.

10.64.4.1 - - [23/Mar/2022:15:16:18 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.21"
I0323 15:16:21.450826       1 webhook.go:510] AdmissionReview for Kind=/v1, Kind=Pod, Namespace=default Name= () UID=37184454-a6e7-4f35-be04-8eeaedf85265 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:replicaset-controller 4b17f21d-590c-4d37-acf2-5096af5e70cd [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}
I0323 15:16:21.450862       1 webhook.go:174] Pod / annotation injector.tumblr.com/request=test1 requesting sidecar config test1:latest
I0323 15:16:21.450961       1 webhook.go:548] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/env","value":[{"name":"HELLO","value":"world"}]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"TEST","value":"test_that"}},{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"test-vol","mountPath":"/tmp/test"}},{"op":"add","path":"/spec/containers/-","value":{"name":"sidecar-nginx","image":"nginx:1.12.2","ports":[{"containerPort":80}],"env":[{"name":"ENV_IN_SIDECAR","value":"test-in-sidecar"},{"name":"HELLO","value":"world"},{"name":"TEST","value":"test_that"}],"resources":{},"volumeMounts":[{"name":"test-vol","mountPath":"/tmp/test"}],"imagePullPolicy":"IfNotPresent"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"test-vol","configMap":{"name":"test-config"}}},{"op":"add","path":"/metadata/annotations/injector.tumblr.com~1status","value":"injected"}]
I0323 15:16:21.451004       1 webhook.go:626] Ready to write reponse ...
10.64.3.7 - - [23/Mar/2022:15:16:21 +0000] "POST /mutate?timeout=10s HTTP/1.1" 200 1237 "" "kube-apiserver-admission"
10.64.4.1 - - [23/Mar/2022:15:16:28 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.21"

Here's the debian-debug POD with no sidecar.

$ kubectl get po | grep debian
debian-debug                                             1/1     Running   0          55m

Version Deets

  • Kubernetes Version:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.9-dispatcher", GitCommit:"2a8027f41d28b788b001389f3091c245cd0a9a60", GitTreeState:"clean", BuildDate:"2022-01-21T20:31:13Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.9-gke.1002", GitCommit:"f87f9d952767b966e72a4bd75afea25dea187bbf", GitTreeState:"clean", BuildDate:"2022-02-25T18:12:32Z", GoVersion:"go1.16.12b7", Compiler:"gc", Platform:"linux/amd64"}
  • k8s-sidecar-injector Version: latest (as of March 23rd 2022)
@wiebeck
Copy link

wiebeck commented Jul 8, 2022

Very same here. Running on Azure Kubernetes with K8s v1.23.5

@karolmalyszko
Copy link

Got the same issue on AWS EKS v1.21, but made it to work. Looks like main problem lies in MutatingWebhookConfiguration. In original example manifests, webhook config had

  • apiVersion: admissionregistration.k8s.io/v1beta1

which was refused by K8s in my case, had to modify it to

  • apiVersion: admissionregistration.k8s.io/v1

To conform with K8s requirements for this API version, I had to add additional keys for sideEffects: and admissionReviewVersions: (K8s docs here).

Two WAG's followed :: first one for sideEffects where i put 'None', second one for admissionReviewVersions where i started with 'v1'. This led to successful deployment of MutatingWebhookConfiguration, but the sidecars were not being added to test pods / deployments, same as for both of you. Search through codebase got me to webhook.go line 613 ::
admissionReview := v1beta1.AdmissionReview{}

Change of admissionReviewVersions from v1 to v1beta1 got the problem solved, sidecar started as expected.
Here's a gist with example mutating-webhook-configuration.yaml

Hope this helps.

@mindovermiles262
Copy link

So helpful! Thank you! I also had this issue.

I've taken your image updates and pushed it to docker hub if anyone else would like to use it. mindovermiles262/sidecar-injector

Change the deployment.yaml image to:

spec:
  template:
    spec:
      containers:
      - name: "k8s-sidecar-injector"
        [ ... ]
        # image: tumblr/k8s-sidecar-injector:latest   <-- Comment this line out, and update
        image: mindovermiles262/sidecar-injector

Note, this image works with the updated mutating webhook configuration where the apiVersion: admissionregistration.k8s.io/v1 and webhooks.sideEffects: None

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@borajuanjo @mindovermiles262 @karolmalyszko @wiebeck