hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

Webhook tries to add initContainer during UPDATE #546

Open alculquicondor opened 11 months ago

alculquicondor commented 11 months ago

Describe the bug

Somehow, the vault-injector missed a Pod with a vault.hashicorp.com/agent-inject: true during CREATE, that is, this Pod doesn't have the vault initContainer. However, this is not the problem.

The problem is that the webhook is now trying to add the initContainer during Pod UPDATEs, which is not allowed by the k8s API. If this Pod belongs to a Job, it means that the k8s control plane cannot remove the tracking finalizer, with 2 consequences:

To Reproduce

I don't know how the cluster that I investigated got into this situation, but I imagine that these steps should reproduce the problem:

  1. Create a Job where the Pod template does NOT have the annotation vault.hashicorp.com/agent-inject: true.
  2. Edit the Pod created to add the annotation vault.hashicorp.com/agent-inject: true.
  3. Attempt to delete the Pod, which will never succeed.

Expected behavior

The vault injector should not try to add the initContainer during UPDATE, as this is disallowed by the API and it doesn't work under any circumstances.

Environment

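A CREATE-only guard of the kind the expected-behavior section asks for, as an added example that is not vault-k8s's own code and does not reproduce the linked fix: UPDATE requests are admitted unchanged, so an annotation added to a live Pod can no longer leave it undeletable. The AdmissionRequest and Pod types are simplified stand-ins for the k8s.io/api ones, and the init-container name vault-agent-init is assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the fields of a Kubernetes AdmissionRequest and Pod
// the guard needs (constructed here; the real types are in k8s.io/api).
type AdmissionRequest struct {
	Operation string          // "CREATE", "UPDATE", "DELETE" or "CONNECT"
	Object    json.RawMessage // JSON of the Pod being admitted
}

type Pod struct {
	Metadata struct{ Annotations map[string]string `json:"annotations"` } `json:"metadata"`
	Spec     struct{ InitContainers []struct{ Name string `json:"name"` } `json:"initContainers"` } `json:"spec"`
}

const (
	injectAnnotation  = "vault.hashicorp.com/agent-inject"
	initContainerName = "vault-agent-init" // assumed name of the injected init container
)

// ShouldInject decides whether the webhook may patch an init container into the
// Pod and returns the decision with its reason. initContainers are immutable once
// a Pod exists, so only CREATE can add one; any other operation is admitted unchanged.
func ShouldInject(req AdmissionRequest) (bool, string, error) {
	if req.Operation != "CREATE" {
		return false, "operation " + req.Operation + ": initContainers are immutable after creation", nil
	}
	var pod Pod
	if err := json.Unmarshal(req.Object, &pod); err != nil {
		return false, "", fmt.Errorf("decode pod: %w", err)
	}
	if pod.Metadata.Annotations[injectAnnotation] != "true" {
		return false, "annotation missing or not \"true\"", nil
	}
	for _, c := range pod.Spec.InitContainers {
		if c.Name == initContainerName {
			return false, "init container already present", nil
		}
	}
	return true, "CREATE with annotation and no existing init container", nil
}

func main() {
	ok, why, _ := ShouldInject(AdmissionRequest{Operation: "UPDATE", Object: json.RawMessage(`{}`)})
	fmt.Println(ok, why)
}
```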

tomhjp commented 11 months ago

Thanks for the report, I think this was fixed in v1.3.0 with https://github.com/hashicorp/vault-k8s/commit/adb76bff82bcdfc6d9361f7177b56f1a4436d58e. It sounds like you were probably on an older version than that if it was very old?

alculquicondor commented 11 months ago

Not my cluster, unfortunately, but this was detected by our monitoring system.

alculquicondor commented 11 months ago

/close

Let's hope the SEO directs affected users to this ticket :)

alculquicondor commented 11 months ago

In case you are interested, I'm also adding this to the k8s documentation: https://github.com/kubernetes/website/pull/43773