Templating can't access all of the pod's fields #32

Open
LCaparelli opened this issue May 17, 2021 · 1 comment · May be fixed by #33


Hey folks, thanks for the work!

This project looks like a great fit for the project my team is working on, but there are some things we only know at the time the mutation is being applied, more specifically the pod's name and namespace.

Now, I understand that there is a templating feature, but it doesn't seem to work for this:

# output omitted
env:
  - name: foo
    value: '{% .ObjectMeta.Name %}.{% .ObjectMeta.Namespace %}.rest.of.my.string'

Looking around the code it seems this is the culprit:

sidecarConfig, err := sidecarconfig.RenderTemplate(corev1.Pod{
	ObjectMeta: metav1.ObjectMeta{
		Annotations: pod.Annotations,
	},
	Spec: corev1.PodSpec{
		ServiceAccountName: pod.Spec.ServiceAccountName,
	},
}, whsvr.sidecarConfigTemplate)

It passes on a new pod object that only carries the original's Service Account and Annotations, but not the rest of the object (such as .ObjectMeta.Name and .ObjectMeta.Namespace).

Is there a particular reason not to pass the entire Pod that is already received on the admission review request?

// mutate method for mutation webhook
func (whsvr *WebhookServer) mutate(ar *v1beta1.AdmissionReview) (admissionResponse *v1beta1.AdmissionResponse, statusForMutations map[string]mutationStatus) {
	req := ar.Request
	var pod corev1.Pod
	if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
		glog.Errorf("api=mutate, reason=json.Unmarshal, message=invalid raw object, err=%v", err)
		return &v1beta1.AdmissionResponse{
			Result: &metav1.Status{
				Message: err.Error(),
			},
		}, nil
	}
        
	// some lines later

	sidecarConfig, err := sidecarconfig.RenderTemplate(pod, whsvr.sidecarConfigTemplate)

LCaparelli commented May 17, 2021

It looks like the pod's .metadata may still not be fully available depending on the order webhooks are called, including the name and namespace.

I believe we can make the namespace available from the request's field. For our particular case we'll replace the pod's name with the Service Account's name, which is already accessible via templating, and all should be good once we can use the namespace as well.

To summarize the proposed fix:

  1. get the namespace from the request, insert it into the pod
  2. pass the pod as parameter to RenderTemplate, making all information contained therein available to the template (instead of generating a new pod with the annotations and Service Account only)

We're more than willing to contribute with this fix if you agree with it, let us know your thoughts :-)
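The behaviour discussed in this thread, as an added example that is not part of the issue or the project's code: a stripped pod silently renders empty strings for name and namespace, while passing the whole pod with the namespace filled from the request renders as intended. The types, `render`, `stripped` and `withRequestNamespace` are hypothetical stand-ins, and the use of Go's `text/template` with `{%` / `%}` delimiters is an assumption based on the template shown above.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Hypothetical stand-ins for corev1.Pod (stdlib only, not the Kubernetes types).
type ObjectMeta struct{ Name, Namespace string }
type PodSpec struct{ ServiceAccountName string }
type Pod struct {
	ObjectMeta
	Spec PodSpec
}

// render stands in for sidecarconfig.RenderTemplate; the delimiters are assumed.
func render(pod Pod, text string) (string, error) {
	t, err := template.New("sidecar").Delims("{%", "%}").Parse(text)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, pod)
	return buf.String(), err
}

// stripped mirrors the current call: only the service account is carried over,
// so name and namespace are always empty in the template.
func stripped(pod Pod) Pod {
	return Pod{Spec: PodSpec{ServiceAccountName: pod.Spec.ServiceAccountName}}
}

// withRequestNamespace mirrors the proposed fix: keep the whole pod and fill
// an empty namespace from the admission request.
func withRequestNamespace(pod Pod, requestNamespace string) Pod {
	if pod.Namespace == "" {
		pod.Namespace = requestNamespace
	}
	return pod
}

func main() {
	// Constructed input: the pod object has no name or namespace set yet.
	pod, reqNS := Pod{Spec: PodSpec{ServiceAccountName: "builder"}}, "team-a"
	before, err1 := render(stripped(pod), "{% .ObjectMeta.Name %}.{% .ObjectMeta.Namespace %}.rest.of.my.string")
	after, err2 := render(withRequestNamespace(pod, reqNS), "{% .Spec.ServiceAccountName %}.{% .ObjectMeta.Namespace %}.rest.of.my.string")
	fmt.Println(before, err1)
	fmt.Println(after, err2)
}
```

Note that the stripped case returns no error: empty struct fields render as empty strings, so the broken value only shows up in the injected sidecar's environment.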
