k8s-sidecar-injector
Add default request from namespace annotation
My use case is that I want to mount /etc/ssl/certs for each pod inside a namespace in order to use a custom CA easily. It would be great to take the requested annotation from the namespace (as a default annotation). For example:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test
  annotations:
    k8s-sidecar-injector/default-request: etc-ssl-certs   # <--- Applies to every pod in the namespace
  ...
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
  namespace: test
  annotations: {}   # <--- No request but default-request is applied
spec:
  ...
```
I think the affected lines would be these: https://github.com/tumblr/k8s-sidecar-injector/blob/85bf83ca45dc381b9321da88a1b8c71581f77d14/pkg/server/webhook.go#L163-L167
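The fallback the issue asks for, written out as a standalone Go function. This is an added example, not code from tumblr/k8s-sidecar-injector: the pod-level annotation key, the proposed namespace-level key, and the list of skipped namespaces are all assumptions of this example, and the caller is assumed to have already fetched the Namespace object (for instance with client-go) before passing its annotations in.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation keys used by this example. The pod-level key follows the
// documented per-pod request annotation; the namespace-level key is the one
// proposed in this issue. Both are assumptions of this example.
const (
	podRequestAnnotation       = "injector.tumblr.com/request"
	namespaceDefaultAnnotation = "k8s-sidecar-injector/default-request"
)

// Namespaces a mutating webhook should never inject into, whatever default
// annotation they carry: a bad sidecar config there can take the control
// plane down, and the webhook cannot repair itself. Assumed list.
var ignoredNamespaces = map[string]bool{
	"kube-system": true,
	"kube-public": true,
}

// resolveInjectionRequest decides which sidecar configuration, if any, a pod
// should receive. Precedence: an explicit pod annotation wins, then the
// namespace default, then nothing. It returns the config name and whether
// the pod should be mutated at all. nsAnnotations are the annotations of the
// pod's Namespace object, fetched by the caller.
func resolveInjectionRequest(namespace string, podAnnotations, nsAnnotations map[string]string) (string, bool) {
	if ignoredNamespaces[namespace] {
		return "", false
	}
	// Reads on a nil map are safe in Go, so callers may pass nil.
	if v := strings.TrimSpace(podAnnotations[podRequestAnnotation]); v != "" {
		return v, true
	}
	if v := strings.TrimSpace(nsAnnotations[namespaceDefaultAnnotation]); v != "" {
		return v, true
	}
	return "", false
}

func main() {
	// Constructed inputs mirroring the manifests in this issue.
	nsTest := map[string]string{namespaceDefaultAnnotation: "etc-ssl-certs"}
	demoPod := map[string]string{} // annotations: {}

	name, ok := resolveInjectionRequest("test", demoPod, nsTest)
	fmt.Printf("demo-pod: inject=%v config=%q\n", ok, name)

	// A pod that sets its own request keeps it; the namespace default
	// is only a fallback.
	explicit := map[string]string{podRequestAnnotation: "other-config"}
	name, ok = resolveInjectionRequest("test", explicit, nsTest)
	fmt.Printf("explicit pod: inject=%v config=%q\n", ok, name)

	// The same default annotation on kube-system is ignored.
	name, ok = resolveInjectionRequest("kube-system", demoPod, nsTest)
	fmt.Printf("kube-system pod: inject=%v config=%q\n", ok, name)
}
```

Keeping the namespace skip list ahead of the annotation lookup matters: with a namespace-wide default, one mislabelled namespace would otherwise inject into every pod created there, including control-plane components.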
@atorrescogollo I have the same use case. Have you found a way to make it work? Or maybe a different project that is able to do this?
Hi @domruf, I think Kyverno should work for this. The approach mentioned is similar to this clusterpolicy.
I think something like this would work:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-certs
  annotations:
    policies.kyverno.io/title: Autoinject custom CA to pods
    policies.kyverno.io/category: Certificates
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Automount custom CA certificates when an annotation `inject-certs=enabled` is found
spec:
  background: false
  rules:
  - name: add-volume
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      # Only pods that opt in via the annotation are mutated
      - key: "{{request.object.metadata.annotations.\"inject-certs\"}}"
        operator: Equals
        value: "enabled"
      - key: "{{request.operation}}"
        operator: In
        value:
        - CREATE
        - UPDATE
    mutate:
      # Patch every container in the pod, not just the first one
      foreach:
      - list: "request.object.spec.containers"
        patchStrategicMerge:
          spec:
            containers:
            - name: "{{ element.name }}"
              volumeMounts:
              - name: "etc-ssl-certs"
                # Mounting here shadows the image's own /etc/ssl/certs, so the
                # ConfigMap must carry the complete bundle the application expects
                mountPath: "/etc/ssl/certs"
            volumes:
            - name: etc-ssl-certs
              configMap:
                name: ca-pemstore
```
@atorrescogollo thank you very much. I think this will be very helpful.