tumblr / k8s-sidecar-injector

Kubernetes sidecar injection service
Apache License 2.0
345 stars 75 forks

Add default request from namespace annotation #59

Open atorrescogollo opened 3 years ago

atorrescogollo commented 3 years ago

My use case is that I want to mount /etc/ssl/certs for each pod inside a namespace in order to use a custom CA easily. It would be great to take the requested annotation from the namespace (as a default annotation). For example:

apiVersion: v1
kind: Namespace
metadata:
  name: test
  annotations:
    k8s-sidecar-injector/default-request: etc-ssl-certs   # <--- Applies to every pod in the namespace
  ...
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
  namespace: test
  annotations: {}  # <--- No request but default-request is applied
spec:
  ...

I think the affected lines would be these: https://github.com/tumblr/k8s-sidecar-injector/blob/85bf83ca45dc381b9321da88a1b8c71581f77d14/pkg/server/webhook.go#L163-L167
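The precedence the request above implies (an explicit pod annotation wins, the namespace annotation is only a fallback, and the webhook records which one applied so the mutation is auditable), written out as an added Go example that is not code from the k8s-sidecar-injector project. It assumes a pod-level key `k8s-sidecar-injector/request` and that the webhook has already fetched the Namespace object's annotations, since an AdmissionReview carries the pod but not its namespace's metadata.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation keys. The namespace key is the one proposed in the issue;
// the pod-level key is an assumption for this example, not the project's real key.
const (
	podRequestAnnotation       = "k8s-sidecar-injector/request"         // assumed
	namespaceDefaultAnnotation = "k8s-sidecar-injector/default-request" // from the issue
)

// RequestSource says where the resolved request came from, so the webhook
// can log why a pod was mutated (explicit opt-in vs. namespace default).
type RequestSource string

const (
	SourcePod       RequestSource = "pod"
	SourceNamespace RequestSource = "namespace"
	SourceNone      RequestSource = "none"
)

// ResolveRequest returns the sidecar configs requested for a pod.
// An explicit, non-empty pod annotation always wins; otherwise the
// namespace default is used; otherwise nothing is injected.
func ResolveRequest(podAnnotations, nsAnnotations map[string]string) ([]string, RequestSource) {
	if v, ok := podAnnotations[podRequestAnnotation]; ok && strings.TrimSpace(v) != "" {
		return splitRequest(v), SourcePod
	}
	if v, ok := nsAnnotations[namespaceDefaultAnnotation]; ok && strings.TrimSpace(v) != "" {
		return splitRequest(v), SourceNamespace
	}
	return nil, SourceNone
}

// splitRequest parses a comma-separated list, trimming whitespace and
// dropping empty or duplicate entries so a config is never injected twice.
func splitRequest(v string) []string {
	seen := map[string]bool{}
	var out []string
	for _, part := range strings.Split(v, ",") {
		p := strings.TrimSpace(part)
		if p == "" || seen[p] {
			continue
		}
		seen[p] = true
		out = append(out, p)
	}
	return out
}

func main() {
	// Constructed sample: namespace sets a default, the pod requests nothing.
	ns := map[string]string{namespaceDefaultAnnotation: "etc-ssl-certs"}
	req, src := ResolveRequest(map[string]string{}, ns)
	fmt.Println(req, src) // [etc-ssl-certs] namespace
}
```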

domruf commented 2 years ago

@atorrescogollo I have the same use case. Have you found a way to make it work? Or maybe a different project that is able to do this?

atorrescogollo commented 2 years ago

Hi @domruf, I think Kyverno should work for this. The approach mentioned is similar to this clusterpolicy.

atorrescogollo commented 2 years ago

I think something like this would work:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-certs
  annotations:
    policies.kyverno.io/title: Autoinject custom CA to pods
    policies.kyverno.io/category: Certificates
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Automount custom CA certificates when an annotation `inject-certs=enabled` is found
spec:
  background: false
  rules:
  - name: add-volume
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
        - key: "{{request.object.metadata.annotations.\"inject-certs\"}}"
          operator: Equals
          value: "enabled"
        - key: "{{request.operation}}"
          operator: In
          value:
          - CREATE
          - UPDATE
    mutate:
      foreach:
        - list: "request.object.spec.containers"
          patchStrategicMerge:
            spec:
              containers:
              - name: "{{ element.name }}"
                volumeMounts:
                  - name: "etc-ssl-certs"
                    mountPath: "/etc/ssl/certs"
              volumes:
              - name: etc-ssl-certs
                configMap:
                  name: ca-pemstore

domruf commented 2 years ago

@atorrescogollo thank you very much. I think this will be very helpful.