{"id":20433865,"url":"https://github.com/flashbots/kube-sidecar-injector","last_synced_at":"2026-04-29T10:33:39.953Z","repository":{"id":235830441,"uuid":"791339272","full_name":"flashbots/kube-sidecar-injector","owner":"flashbots","description":"Sidecar injector for k8s","archived":false,"fork":false,"pushed_at":"2026-02-23T19:47:02.000Z","size":90,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":14,"default_branch":"main","last_synced_at":"2026-02-24T02:04:29.651Z","etag":null,"topics":["admission-webhook","kubernetes","sidecar-injector"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flashbots.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-24T14:38:12.000Z","updated_at":"2026-02-23T19:47:07.000Z","dependencies_parsed_at":"2024-06-19T14:43:24.196Z","dependency_job_id":"fe303780-7198-4175-b123-cc470d09bc34","html_url":"https://github.com/flashbots/kube-sidecar-injector","commit_stats":null,"previous_names":["flashbots/kube-sidecar-injector"],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/flashbots/kube-sidecar-injector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fkube-sidecar-injector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fkube-sidecar-injector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fkube-sidecar-injector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fkube-sidecar-injector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flashbots","download_url":"https://codeload.github.com/flashbots/kube-sidecar-injector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fkube-sidecar-injector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32421878,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T06:29:02.080Z","status":"ssl_error","status_checked_at":"2026-04-29T06:29:00.631Z","response_time":110,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["admission-webhook","kubernetes","sidecar-injector"],"created_at":"2024-11-15T08:21:57.333Z","updated_at":"2026-04-29T10:33:39.938Z","avatar_url":"https://github.com/flashbots.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kube-sidecar-injector\n\nInitial implementation of the sidecar injector for k8s.\n\n## TL;DR\n\n1.  With configuration like this `kube-sidecar-injector` will make sure that any\n    container that runs in EKS fargate will have prometheus node-exporter sidecar\n    running next to it:\n\n    ```yaml\n    inject:\n      - name: inject-node-exporter\n\n        labelSelector:\n          matchExpressions:\n            - key: eks.amazonaws.com/fargate-profile\n              operator: Exists\n\n        namespaceSelector:\n          matchExpressions:\n            - key: kubernetes.io/metadata.name\n              operator: NotIn\n              values: [kube-system]\n\n        labels:\n          flashbots.net/prometheus-node-exporter: true\n\n        containers:\n          - name: node-exporter\n            image: prom/node-exporter:v1.7.0\n            args: [\n              \"--log.format\", \"json\",\n              \"--web.listen-address\", \":9100\",\n            ]\n            ports:\n              - name: node-exporter\n                containerPort: 9100\n            resources:\n              requests:\n                cpu: 10m\n                memory: 64Mi\n    ```\n\n2.  In conjunction with `trust-manager` this will allow to automatically mount\n    root CA in every pod:\n\n    ```yaml\n    inject:\n      - name: inject-internal-ca\n\n        volumes:\n          - name: internal-ca\n            configMap:\n              name: internal-ca\n\n        volumeMounts:\n          - mountPath: /usr/local/share/ca-certificates\n            name: internal-ca\n            readOnly: true\n\n          - mountPath: /etc/ssl/certs/internal-ca.crt\n            name: internal-ca\n            subPath: internal-ca.crt\n            readOnly: true\n    ```\n\n### Caveats\n\n- Single webhook configuration can be configured to apply multiple injection\n  rules.  However, if these rules should interact somehow (for example rule A\n  introduces changes that rule B is supposed to act upon) then these rules\n  should be placed into _separate_ webhooks.\n\n  See k8s webhook [reinvocation policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)\n  for the details.\n\n- It's not possible for the webhook to know at the runtime whether the patch it\n  generates is invalid.\n\n  For example, if you try to inject a container that has port name of more than\n  15 characters long k8s will not allow the modified pod to be deployed.\n\n  In situations like this, k8s will infinitely attempt the webhook admission,\n  without ever creating the pod.  In order to troubleshoot this issue it could\n  help to see actual underlying error from k8s with:\n\n  ```shell\n  kubectl get events\n  ```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflashbots%2Fkube-sidecar-injector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflashbots%2Fkube-sidecar-injector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflashbots%2Fkube-sidecar-injector/lists"}