https://github.com/flashbots/kube-sidecar-injector

Sidecar injector for k8s
https://github.com/flashbots/kube-sidecar-injector

admission-webhook kubernetes sidecar-injector

Last synced: 7 months ago
JSON representation

Sidecar injector for k8s

• Host: GitHub
• URL: https://github.com/flashbots/kube-sidecar-injector
• Owner: flashbots
• License: mit
• Created: 2024-04-24T14:38:12.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2025-01-02T17:03:07.000Z (9 months ago)
• Last Synced: 2025-02-25T15:16:46.034Z (8 months ago)
• Topics: admission-webhook, kubernetes, sidecar-injector
• Language: Go
• Homepage:
• Size: 82 KB
• Stars: 1
• Watchers: 16
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: readme.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# kube-sidecar-injector

Initial implementation of the sidecar injector for k8s.

## TL;DR

1.  With configuration like this `kube-sidecar-injector` will make sure that any

    container that runs in EKS fargate will have prometheus node-exporter sidecar

    running next to it:

    ```yaml

    inject:

      - name: inject-node-exporter

        labelSelector:

          matchExpressions:

            - key: eks.amazonaws.com/fargate-profile

              operator: Exists

        namespaceSelector:

          matchExpressions:

            - key: kubernetes.io/metadata.name

              operator: NotIn

              values: [kube-system]

        labels:

          flashbots.net/prometheus-node-exporter: true

        containers:

          - name: node-exporter

            image: prom/node-exporter:v1.7.0

            args: [

              "--log.format", "json",

              "--web.listen-address", ":9100",

            ]

            ports:

              - name: node-exporter

                containerPort: 9100

            resources:

              requests:

                cpu: 10m

                memory: 64Mi

    ```

2.  In conjunction with `trust-manager` this will allow to automatically mount

    root CA in every pod:

    ```yaml

    inject:

      - name: inject-internal-ca

        volumes:

          - name: internal-ca

            configMap:

              name: internal-ca

        volumeMounts:

          - mountPath: /usr/local/share/ca-certificates

            name: internal-ca

            readOnly: true

          - mountPath: /etc/ssl/certs/internal-ca.crt

            name: internal-ca

            subPath: internal-ca.crt

            readOnly: true

    ```

### Caveats

- Single webhook configuration can be configured to apply multiple injection

  rules.  However, if these rules should interact somehow (for example rule A

  introduces changes that rule B is supposed to act upon) then these rules

  should be placed into _separate_ webhooks.

  See k8s webhook [reinvocation policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)

  for the details.

- It's not possible for the webhook to know at the runtime whether the patch it

  generates is invalid.

  For example, if you try to inject a container that has port name of more than

  15 characters long k8s will not allow the modified pod to be deployed.

  In situations like this, k8s will infinitely attempt the webhook admission,

  without ever creating the pod.  In order to troubleshoot this issue it could

  help to see actual underlying error from k8s with:

  ```shell

  kubectl get events

  ```