Injector is not configuring the failurePolicy with the install

[muwiess]

Note: Make sure to check out known issues (https://akv2k8s.io/troubleshooting/known-issues/) before submitting

Components and versions Select which component(s) the bug relates to with [X].

[ ] Controller, version: x.x.x (docker image tag) [ ] Env-Injector (webhook), version: x.x.x (docker image tag) [ ] Other

Describe the bug A clear and concise description of what the bug is.

AKV2K8S Injector --version=1.3.0 AKS cluster installation

We found that on the normal pod deployment there are some errors related to the AKV access that the injector is blocking the pod to start up. We tried the following option with the helm 3 version install, env_injector.failurePolicy but is not being sourced as the deployment YAML files show.

helm upgrade --install akv2k8s spv-charts/akv2k8s --namespace akv2k8s --set addAzurePodIdentityException=true --set keyVaultAuth=azureCloudConfig --set env_injector.failurePolicy=Ignore

apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "1" meta.helm.sh/release-name: akv2k8s meta.helm.sh/release-namespace: akv2k8s creationTimestamp: "2021-08-17T21:56:00Z" generation: 1 labels: app.kubernetes.io/instance: akv2k8s app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: akv2k8s helm.sh/chart: akv2k8s-2.1.0 name: akv2k8s-envinjector namespace: akv2k8s resourceVersion: "11442840" selfLink: /apis/apps/v1/namespaces/akv2k8s/deployments/akv2k8s-envinjector uid: 91d07063-f593-452f-ba70-18815f9c191a spec: progressDeadlineSeconds: 600 replicas: 2 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/component: akv2k8s-webhook app.kubernetes.io/instance: akv2k8s app.kubernetes.io/name: akv2k8s strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: annotations: checksum/config: c27c18ceb9cf546a5ed18d5391ac8519a2b056b84eaefebf1aa2546cc1620bd6 creationTimestamp: null labels: app.kubernetes.io/component: akv2k8s-webhook app.kubernetes.io/instance: akv2k8s app.kubernetes.io/name: akv2k8s spec: containers:

• args:
• --cloudconfig=/etc/kubernetes/azure.json
• --version=1.3.0
• --versionenvimage=1.3.0
• --v=2
• --logging-format=text env:
• name: HTTP_PORT value: "8080"
• name: HTTP_PORT_EXTERNAL value: "80"
• name: TLS_PORT value: "8443"
• name: TLS_PORT_EXTERNAL value: "443"
• name: MTLS_PORT value: "9443"
• name: MTLS_PORT_EXTERNAL value: "9443"
• name: MTLS_PORT value: "9443"
• name: TLS_CERT_DIR value: /var/serving-cert
• name: CA_CERT_DIR value: /var/ca-cert
• name: ENV_INJECTOR_EXEC_DIR value: /azure-keyvault/
• name: WEBHOOK_AUTH_SERVICE value: akv2k8s-envinjector
• name: AUTH_TYPE value: azureCloudConfig
• name: USE_AUTH_SERVICE value: "true"
• name: AZUREKEYVAULT_ENV_IMAGE value: spvest/azure-keyvault-env:1.3.0
• name: DOCKER_IMAGE_INSPECTION_TIMEOUT value: "20"
• name: METRICS_ENABLED value: "false" image: spvest/azure-keyvault-webhook:1.3.0 imagePullPolicy: IfNotPresent name: webhook ports:
• containerPort: 8443 name: webhook-tls protocol: TCP
• containerPort: 8080 name: http protocol: TCP
• containerPort: 9443 name: auth-tls protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /healthz port: 8443 scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: {} securityContext: allowPrivilegeEscalation: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts:
• mountPath: /var/serving-cert name: serving-cert
• mountPath: /var/ca-cert name: ca-cert
• mountPath: /etc/kubernetes/azure.json name: azureconf readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: akv2k8s-envinjector serviceAccountName: akv2k8s-envinjector terminationGracePeriodSeconds: 30 volumes:
• name: serving-cert secret: defaultMode: 420 secretName: akv2k8s-envinjector-tls
• name: ca-cert secret: defaultMode: 420 secretName: akv2k8s-envinjector-ca

• hostPath: path: /etc/kubernetes/azure.json type: File name: azureconf status: availableReplicas: 2 conditions:

  lastTransitionTime: "2021-08-17T21:56:00Z" lastUpdateTime: "2021-08-17T21:56:10Z" message: ReplicaSet "akv2k8s-envinjector-5fd899f8d9" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing lastTransitionTime: "2021-08-18T19:38:12Z" lastUpdateTime: "2021-08-18T19:38:12Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available observedGeneration: 1 readyReplicas: 2 replicas: 2 updatedReplicas: 2

To Reproduce Steps to reproduce the behavior:

helm upgrade --install akv2k8s spv-charts/akv2k8s --namespace akv2k8s --set addAzurePodIdentityException=true --set keyVaultAuth=azureCloudConfig --set env_injector.failurePolicy=Ignore

Expected behavior A clear and concise description of what you expected to happen.

The --set env_injector.failurePolicy should be configured in the injector for the Ignore option.

Logs If applicable, add logs to help explain your problem.

paste log here...

Additional context Add any other context about the problem here.

[muwiess]

Any update on this issue?

[kristeey]

Hi @muwiess thanks for discovering this and reporting it. Do you know if this is the case for v1.2 of the env-injector as well (i.e. the v2.0 of the helmchart)?

[tspearconquest]

The failurePolicy value is not part of the Deployment resource, it is part of the MutatingWebhookConfiguration resource.

kubectl get mutatingwebhookconfiguration akv2k8s-envinjector -o yaml will show a failurePolicy line.

Can you share that output? Feel free to redact any sensitive info