Weird behaviour with agent injector w.r.t volume mount paths #335

Open
sig-abyreddy opened this issue Apr 22, 2022 · 0 comments
Labels
bug Something isn't working injector Area: mutating webhook service

Describe the bug
We have a deployment resource that is configured to use the Vault agent injector. This deployment resource also has some additional volume mounts with a mount path containing the serviceaccount keyword. Recently we upgraded to Vault 1.9.4, and somehow the agent injector integration is broken and the process isn't able to find the token injected by the Vault agent.

We are suspecting this piece of code at https://github.com/hashicorp/vault-k8s/blob/main/agent-inject/agent/agent.go#L700:L714 might be doing something.

Can someone confirm?

To Reproduce
Steps to reproduce the behavior:

  1. Deploy application annotated for vault-agent injection
  2. Define additional volumes and mounts for the deployment. Configure one of the mount paths to contain the serviceaccount keyword, e.g. /opt/app/serviceaccount/data.
  3. See error (vault injector logs, vault-agent logs, etc.)

Expected behavior
The agent should ignore volume mounts other than Vault-related ones, or filter the volumes based on a specific name.

Environment

  • vault: vault:1.9.4
  • vault-k8s version: hashicorp/vault-k8s:0.14.2
@sig-abyreddy sig-abyreddy added the bug Something isn't working label Apr 22, 2022
@heatherezell heatherezell added the injector Area: mutating webhook service label Apr 22, 2022
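
The failure mode suspected in the report above, as an added example that is not part of the original issue and is not vault-k8s code: it assumes the injector selects the first volume mount whose path contains `serviceaccount`, and contrasts that with an exact match on the default Kubernetes token directory. The `VolumeMount` struct, the function names and the sample mounts are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// VolumeMount is a simplified stand-in for corev1.VolumeMount (assumption).
type VolumeMount struct{ Name, MountPath string }

// Default directory where Kubernetes mounts the service account token.
const saTokenDir = "/var/run/secrets/kubernetes.io/serviceaccount"

// looseMatch models the suspected behaviour (an assumption, not vault-k8s
// code): the first mount whose path contains "serviceaccount" is selected.
func looseMatch(mounts []VolumeMount) (VolumeMount, bool) {
	for _, m := range mounts {
		if strings.Contains(m.MountPath, "serviceaccount") {
			return m, true
		}
	}
	return VolumeMount{}, false
}

// strictMatch is one possible stricter rule: accept only a mount whose
// normalised path equals the default token directory.
func strictMatch(mounts []VolumeMount) (VolumeMount, bool) {
	for _, m := range mounts {
		if path.Clean(m.MountPath) == saTokenDir {
			return m, true
		}
	}
	return VolumeMount{}, false
}

// constructedMounts: the report's app mount listed before the token mount.
func constructedMounts() []VolumeMount {
	return []VolumeMount{
		{Name: "app-data", MountPath: "/opt/app/serviceaccount/data"},
		{Name: "kube-api-access-example", MountPath: saTokenDir + "/"},
	}
}

func main() {
	loose, _ := looseMatch(constructedMounts())
	strict, _ := strictMatch(constructedMounts())
	fmt.Printf("loose: %s\nstrict: %s\n", loose.MountPath, strict.MountPath)
}
```

With the constructed input, the substring rule returns the application's data mount, so anything that expects the service account token under that path will not find it; the exact-path rule returns the token mount regardless of ordering.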