
Init container injection

Open omerlh opened this issue 6 years ago • 4 comments

Leverage mutation webhook to inject init container to pods instead of adding them in the deployment manifest. This will make using the init container a bit easier.

omerlh, Apr 15 '19 06:04

Alternate proposal. You could write a CSI Ephemeral driver (https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/20190122-csi-inline-volumes.md). We're still on track I think to have it beta in 1.16.

The user facing api would then be something like:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: some-pod
spec:
  containers:
    ...
  volumes:
    - name: myvol
      csi:
        driver: kamus
        volumeAttributes:
          secretName: foo
```

It would essentially work the same way as the init container, except do it at volumemount time instead. The api would be much cleaner too.

kfox1111, Jul 22 '19 22:07

Yep, that's what I was also thinking about. Maybe something more like:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: some-pod
spec:
  containers:
    ...
  volumes:
    - name: myvol
      csi:
        driver: kamus
        volumeAttributes:
          key: <encryptedValue>
```

omerlh, Jul 23 '19 05:07

Or the API's flexible enough to even support both. If volumeAttributes.key is set, use that. If volumeAttributes secretName and secretKey are set, pull the key out of the secret.

kfox1111, Jul 23 '19 18:07

Yep, sounds good. I'll be happy to see a PR, and will be happy to help...

omerlh, Jul 23 '19 18:07
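
The "support both" resolution kfox1111 describes above, sketched in Go as an added example (not code from the thread or from the Kamus project). It assumes the driver receives `volumeAttributes` in the CSI volume context and that the CSIDriver object sets `podInfoOnMount: true`, so the Secret lookup can be confined to the pod's own namespace; `SecretGetter` and `sampleStore` are hypothetical stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// Real volume-context key, set by the kubelet when the CSIDriver has podInfoOnMount: true.
const podNamespaceKey = "csi.storage.k8s.io/pod.namespace"

// SecretGetter is a hypothetical stand-in for a Kubernetes Secret lookup.
type SecretGetter func(namespace, name string) (map[string]string, bool)

// ResolveEncrypted returns the still-encrypted value the driver would decrypt.
// Attribute names come from the thread; the error handling is an assumption.
func ResolveEncrypted(ctx map[string]string, get SecretGetter) (string, error) {
	if v := ctx["key"]; v != "" {
		return v, nil // inline ciphertext wins, as proposed in the thread
	}
	name, field := ctx["secretName"], ctx["secretKey"]
	if name == "" || field == "" {
		return "", errors.New("need key, or both secretName and secretKey")
	}
	ns := ctx[podNamespaceKey]
	if ns == "" { // fail closed: never fall back to a default namespace
		return "", errors.New("pod namespace missing from volume context")
	}
	data, ok := get(ns, name) // only the pod's own namespace is consulted
	if !ok {
		return "", fmt.Errorf("secret %s/%s not found", ns, name)
	}
	if v := data[field]; v != "" {
		return v, nil
	}
	return "", fmt.Errorf("secret %s/%s has no key %q", ns, name, field)
}

// sampleStore is constructed test data: one Secret with a placeholder ciphertext.
func sampleStore(ns, name string) (map[string]string, bool) {
	if ns == "team-a" && name == "foo" {
		return map[string]string{"password": "ENCRYPTED-PLACEHOLDER"}, true
	}
	return nil, false
}

func main() {
	ctx := map[string]string{"secretName": "foo", "secretKey": "password", podNamespaceKey: "team-a"}
	fmt.Println(ResolveEncrypted(ctx, sampleStore))
}
```

Taking the namespace from the kubelet-supplied pod info rather than from a user-set attribute keeps a pod from pointing the driver at a Secret in another namespace.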