tumblr / k8s-sidecar-injector
Kubernetes sidecar injection service
License: Apache License 2.0
Does k8s-sidecar-injector have default injection support for all creating containers?
It would be convenient to add cluster-wide envs to all pods
Hello,
I created the injector following the document /docs/deployment.md step by step and everything is OK except the operation: kubectl create -f service-monitor.yaml.
Did I forget anything?
error: unable to recognize "service-monitor.yaml": no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"
glog is annoying to configure, confusing to look at, and poorly documented. Let's gut this and replace with a better logger. See #32
I used k8s-sidecar-injector 0.1.8 before on Kubernetes 1.14.3 and found the sidecar container was injected successfully, like below:
I0521 03:55:42.351044 1 webhook.go:480] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/-","value":{"name":"exporter","image":"docker.inspur.com:5000/service/lma/consul-exporter:0.6.0","args":["--consul.server=localhost:8500","--log.level=warn"],"ports":[{"name":"metric","containerPort":9107}],"resources":{},"livenessProbe":{"tcpSocket":{"port":"metric"},"initialDelaySeconds":60,"timeoutSeconds":10,"periodSeconds":60},"readinessProbe":{"tcpSocket":{"port":"metric"},"initialDelaySeconds":60,"timeoutSeconds":10,"periodSeconds":60},"imagePullPolicy":"IfNotPresent"}},{"op":"add","path":"/metadata/annotations/injector.inspur.com~1status","value":"injected"}]
But when I upgraded k8s-sidecar-injector to 0.4.0, I found the sidecar container injection failed, like below:
I0521 06:20:35.624586 1 webhook.go:468] AdmissionReview for Kind=/v1, Kind=Pod, Namespace=monitoring Name= (consul-0) UID=2e9e0283-9b2b-11ea-9df2-5254009197f9 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:statefulset-controller c7bb22c8-6cef-11ea-9df2-5254009197f9 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}
I0521 06:20:35.624673 1 webhook.go:165] Pod monitoring/consul-0 annotation injector.tumblr.com/request is missing, skipping injection
I0521 06:20:35.624688 1 webhook.go:474] Skipping mutation of monitoring/consul-0: Missing injection request annotation
I0521 06:20:35.624733 1 webhook.go:584] Ready to write reponse ...
The config of the sidecar container is like below and was not modified after the k8s-sidecar-injector upgrade:
apiVersion: v1
kind: ConfigMap
metadata:
  name: sidecar-exporter-consul
  labels:
    app: k8s-sidecar-injector
data:
  sidecar-exporter-consul: |
    name: sidecar-exporter-consul
    containers:
    - name: exporter
      image: docker.inspur.com:5000/service/lma/consul-exporter:0.6.0
      imagePullPolicy: {{ .Values.image.pullPolicy }}
      args:
      - --consul.server=localhost:8500
      - --log.level=warn
      ports:
      - containerPort: 9107
        name: metric
The config of the pod is like below and has the request annotation, but the sidecar container injection failed:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    injector.inspur.com/request: sidecar-exporter-consul
    prometheus.io/port: "9107"
    prometheus.io/scrape: "true"
I want to inject a telegraf configmap for a rabbitmq cluster, and rabbitmq runs in one statefulset with three replicas. The monitoring need is to configure the rabbitmq node itself for each rabbitmq pod, like this:
[[inputs.rabbitmq]]
url = "http://172.16.1.26:15672"
username = "admin"
password = "QINtwo5P16SsCmPv"
header_timeout = "3s"
client_timeout = "4s"
nodes = ["rabbit@msg01"]
So how can I configure the telegraf configmap for rabbitmq to achieve this, so that when one pod of the rabbitmq statefulset starts, it configures nodes with the pod hostname in the pod's configmap? Thank you!
The metadata of the CREATE request object doesn't always contain the namespace or the name of the pod. This seems to be the case when the pod is launched on behalf of a Deployment. It doesn't seem to be the case with StatefulSets or a bare Pod. I haven't tested Jobs or CronJobs or any other controllers.
The check for ignored namespaces uses metadata.namespace to perform the comparison, so pods in kube-system and kube-public aren't skipped for Deployment pods.
Additionally, some logging statements are missing the namespace and name:
I0925 13:20:51.062652 1 webhook.go:165] Pod / annotation injector.tumblr.com/request is missing, skipping injection
List of ignored namespaces should be respected for all pod admission requests, regardless of the source.
This is the Deployment I've been using to test:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      annotations:
        injector.tumblr.com/request: my-sidecar
      labels:
        app: test
    spec:
      containers:
      - name: test
        image: alpine
        command:
        - ash
        - -c
        - |
          while true; do sleep 86400; done
1.18.5, 1.19.1
k8s-sidecar-injector
Version: release-v0.5.0
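The ignored-namespace report above, as an added example that is not the project's code: it parses a constructed AdmissionReview whose embedded pod has no metadata.namespace and compares a check on object metadata alone with one that falls back to request.namespace. The struct, function names and sample JSON are assumptions made for a standard-library-only demo.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal mirror of the AdmissionReview fields used here (assumed shape for the demo).
type admissionReview struct {
	Request struct {
		Namespace string `json:"namespace"` // filled in by the API server
		Object    struct {
			Metadata struct {
				Name         string `json:"name"`
				GenerateName string `json:"generateName"`
				Namespace    string `json:"namespace"`
			} `json:"metadata"`
		} `json:"object"`
	} `json:"request"`
}

// Namespaces the report names as ignored.
var ignoredNamespaces = map[string]bool{"kube-system": true, "kube-public": true}

// Constructed sample: a pod created for a Deployment, carrying generateName only.
const sampleDeploymentPod = `{"request": {"namespace": "kube-system", "operation": "CREATE",
  "object": {"metadata": {"generateName": "test-5d4f8c7b9-",
    "annotations": {"injector.tumblr.com/request": "my-sidecar"}}}}}`

func parseReview(raw []byte) (*admissionReview, error) {
	var ar admissionReview
	if err := json.Unmarshal(raw, &ar); err != nil {
		return nil, err
	}
	return &ar, nil
}

// objectOnlySkip is the check as the report describes it: object metadata only.
func objectOnlySkip(ar *admissionReview) bool {
	return ignoredNamespaces[ar.Request.Object.Metadata.Namespace]
}

// effectiveNamespace prefers request.namespace, then the object's own metadata.
func effectiveNamespace(ar *admissionReview) string {
	if ns := ar.Request.Namespace; ns != "" {
		return ns
	}
	return ar.Request.Object.Metadata.Namespace
}

// shouldSkip also skips when no namespace is known (a conservative choice made here).
func shouldSkip(ar *admissionReview) bool {
	ns := effectiveNamespace(ar)
	return ns == "" || ignoredNamespaces[ns]
}

// podRef gives log lines an identity even before the pod name is assigned.
func podRef(ar *admissionReview) string {
	m := ar.Request.Object.Metadata
	if m.Name != "" {
		return effectiveNamespace(ar) + "/" + m.Name
	}
	return effectiveNamespace(ar) + "/" + m.GenerateName + "*"
}

func main() {
	ar, err := parseReview([]byte(sampleDeploymentPod))
	if err != nil {
		panic(err)
	}
	fmt.Println(podRef(ar), "objectOnlySkip:", objectOnlySkip(ar), "shouldSkip:", shouldSkip(ar))
}
```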
My use case is that I want to mount /etc/ssl/certs for each pod inside a namespace in order to use a custom CA easily. It would be great to take the requested annotation from the namespace (as a default annotation). For example:
apiVersion: v1
kind: Namespace
metadata:
  name: test
  annotations:
    k8s-sidecar-injector/default-request: etc-ssl-certs  # <--- Applies to every pod in the namespace
...
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
  namespace: test
  annotations: {}  # <--- No request but default-request is applied
spec:
  ...
I think the affected lines would be these:
k8s-sidecar-injector/pkg/server/webhook.go
Lines 163 to 167 in 85bf83c
I'm trying to inject a sidecar, using which I want to create some CRDs. I need the sidecar to come up "in-cluster". However, I don't see a service account token getting mapped in the injected sidecar.
I'm using the configmap provided in the docs folder. With these lines added:
data:
  test1: |
    name: test1
    env:
    - name: HELLO
      value: world
    - name: TEST
      value: test_that
    volumeMounts:
    - name: test-vol
      mountPath: /tmp/test
    volumes:
    - name: test-vol
      configMap:
        name: test-config
    serviceAccount: k8s-sidecar-injector
    serviceAccountName: k8s-sidecar-injector
    automountServiceAccountToken: true
I have cherry picked the serviceAccount related PRs.
A brief description of your problem, here, please!
2019-10-18T14:34:30.401690495-07:00 stderr F I1018 21:34:30.401614 1 webhook.go:494] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/-","value":{"name":"sidecar-wiper","image":"diamanti/wiper:0.2","ports":[{"containerPort":80}],"env":[{"name":"ENV_IN_SIDECAR","value":"test-in-sidecar"},{"name":"HELLO","value":"world"},{"name":"TEST","value":"test_that"}],"resources":{},"volumeMounts":[{"name":"test-vol","mountPath":"/tmp/test"}],"imagePullPolicy":"IfNotPresent"}},{"op":"add","path":"/spec/containers/0/env","value":[{"name":"HELLO","value":"world"}]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"TEST","value":"test_that"}},{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"test-vol","mountPath":"/tmp/test"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"test-vol","configMap":{"name":"test-config"}}},{"op":"add","path":"/metadata/annotations/injector.tumblr.com~1status","value":"injected"}]
Happens always. All the yamls are from the example in the docs folder.
1.15.3
k8s-sidecar-injector
Top of tree
We would like to be able to inject sidecars inside kube-system namespace. Currently kube-system is hardcoded to be ignored: https://github.com/tumblr/k8s-sidecar-injector/blob/master/pkg/server/webhook.go#L81-L84
I guess this serves as protection from borking your cluster, but the controller fails open, so at worst it would slow down Pods starting in kube-system.
Is this something you would be open to having as a flag with current defaults, to allow setting an empty list?
Am I missing something more critical why kube-system and kube-public are ignored?
Thanks!
Setting a custom annotation namespace -annotation-namespace does not affect the injector.tumblr.com/status annotation.
The root cause seems quite clear from reading the source. The /status annotation is set in webhook.go#L462, using the config.InjectionStatusAnnotation package-level variable. This variable is hardcoded to use annotationNamespaceDefault, which is set to "injector.tumblr.com". This pretty clearly explains why the user-specified configuration is ignored.
Interestingly, both /request and /status are properly formatted using AnnotationNamespace in (*WebhookServer).getSidecarConfigurationRequested. Seems like that configuration format just needs to be used in both places.
Setting -annotation-namespace=sidecar-injector.eks.qcinternal.io should cause Pods with injected sidecars to have the annotation sidecar-injector.eks.qcinternal.io/status: injected. Instead, we see injector.tumblr.com/status: injected. The annotation setting which sidecar configuration to use is sidecar-injector.eks.qcinternal.io/request.
The injector is launched with the following arguments:
- --v
- "2"
- --tls-cert-file
- /var/lib/tls-cert/tls.crt
- --tls-key-file
- /var/lib/tls-cert/tls.key
- --annotation-namespace
- sidecar-injector.eks.qcinternal.io
- --configmap-labels
- app.kubernetes.io/instance=k8s-sidecar-injector-batch-production-blue,app.kubernetes.io/component=sidecar-config
I'm going to omit sidecar configurations in particular, as the root cause seems quite obvious and the configurations are for internal tools. I can provide similar information if necessary.
v1.13.8
v0.1.7
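The annotation-namespace report above, as an added example that is not the project's code: both the /request and /status keys are derived from one configured namespace, and the status patch path is built with RFC 6901 escaping, which is where the "~1" in the logged patches comes from. All type and function names here are hypothetical; the constant and the namespace value are the ones quoted in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Default named in the report; used only when no namespace is configured.
const annotationNamespaceDefault = "injector.tumblr.com"

// annotationKeys holds both keys, derived from one configured namespace so
// that /request and /status cannot drift apart.
type annotationKeys struct{ Request, Status string }

func keysFor(annotationNamespace string) annotationKeys {
	ns := strings.TrimSuffix(annotationNamespace, "/")
	if ns == "" {
		ns = annotationNamespaceDefault
	}
	return annotationKeys{Request: ns + "/request", Status: ns + "/status"}
}

// escapeJSONPointer applies RFC 6901 escaping ("~" -> "~0", "/" -> "~1").
// The replacer works in a single pass, so the inserted "~" is not re-escaped.
func escapeJSONPointer(token string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(token)
}

type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// statusPatch builds the "injected" marker. A pod with no annotations map
// needs the map created; otherwise a single escaped key is added.
func statusPatch(keys annotationKeys, podAnnotations map[string]string) []patchOp {
	if podAnnotations == nil {
		return []patchOp{{Op: "add", Path: "/metadata/annotations",
			Value: map[string]string{keys.Status: "injected"}}}
	}
	return []patchOp{{Op: "add",
		Path:  "/metadata/annotations/" + escapeJSONPointer(keys.Status),
		Value: "injected"}}
}

// requestedConfig reads the sidecar request using the same derived keys.
func requestedConfig(keys annotationKeys, podAnnotations map[string]string) (string, bool) {
	name, ok := podAnnotations[keys.Request]
	return name, ok && name != ""
}

func main() {
	keys := keysFor("sidecar-injector.eks.qcinternal.io") // value from the report
	pod := map[string]string{keys.Request: "my-sidecar"}  // constructed pod annotations
	if name, ok := requestedConfig(keys, pod); ok {
		out, _ := json.Marshal(statusPatch(keys, pod))
		fmt.Printf("inject %s, patch=%s\n", name, out)
	}
}
```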
Hi, I've been testing sidecar-injector and just wonder how to identify configmaps with the same name?
In my opinion, it should have injected the latest one, but it didn't.
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.11", GitCommit:"5824e3251d294d324320db85bf63a53eb0767af2", GitTreeState:"clean", BuildDate:"2022-06-16T05:33:55Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
k8s-sidecar-injector
Version: latest
I ran the injector with the help of deployment.md.
The YAML files are in the project's example directory. Everything is OK, then I run a different instance.
Pod YAML file:
apiVersion: v1
kind: Pod
metadata:
  name: debian-debug
  namespace: monitoring
  annotations:
    injector.tumblr.com/request: sidecar-telegraf-basic
spec:
  containers:
  - image: debian:jessie
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo hello; sleep 10; done"]
    imagePullPolicy: IfNotPresent
    name: debian-debug
    resources:
      requests:
        memory: "200M"
        cpu: "500m"
  restartPolicy: Never
sidecar config file:
The k8s-sidecar-injector logs show "requested injection sidecar-telegraf-basic was not in configuration".
Then I modified the sidecar config file, changing its namespace to be the same as k8s-sidecar-injector's namespace.
Why? In my opinion, for target pods whose namespace is monitoring, k8s-sidecar-injector should use the sidecar config whose namespace is monitoring, not kube-system.
I installed k8s-injector referencing examples/kubernetes/deployment.yaml, but no matter what value I configure for LOG_LEVEL, the pod always outputs info level logs and many kube-probe logs like this:
10.233.98.0 - - [15/Oct/2019:02:05:07 +0000] "POST /mutate?timeout=30s HTTP/2.0" 200 74 "" "kube-apiserver-admission"
I1015 02:05:07.968371 1 webhook.go:584] Ready to write reponse ...
10.233.98.0 - - [15/Oct/2019:02:05:07 +0000] "POST /mutate?timeout=30s HTTP/2.0" 200 74 "" "kube-apiserver-admission"
10.110.18.103 - - [15/Oct/2019:02:05:10 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"
10.110.18.103 - - [15/Oct/2019:02:05:13 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"
10.110.18.103 - - [15/Oct/2019:02:05:20 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"
10.110.18.103 - - [15/Oct/2019:02:05:23 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"
As a part of injection for sidecars I want to be able to call a preStop hook, so we can clean up before exit.
ConfigMap Change.
imagePullPolicy: IfNotPresent
lifecycle:
  preStop:
    exec: ["/bin/bash", "-c", "/opt/bin/prestop"]
E1104 19:09:48.504599 1 main.go:132] error reconciling configmaps: error getting ConfigMaps from API: error parsing ConfigMap sidecar-test item test1 into injection config: error unmarshaling JSON: json: cannot unmarshal array into Go struct field Handler.exec of type v1.ExecAction
I guess we will have to add to InjectionConfig structure
k8s-sidecar-injector
Version: Top of Tree.
On OpenShift, standard behavior is to run each pod with a certain uid. This uid is dependent on the namespace the pod is running in. Pods are automatically injected with the right security context and runAsUser settings. This is done before the mutating webhook is called to inject the sidecar. The sidecar cannot be configured with the right uid because this is namespace dependent, and it will not run if the setting is not correct.
Example of the security context info:
securityContext:
  capabilities:
    drop:
    - KILL
    - MKNOD
    - SETGID
    - SETUID
  runAsUser: 1001550000
I have written some code to add the runAsUser of container 0 to the injected containers.
Is it possible to open a pull request to integrate this feature?
PODs are not getting sidecars, even though the injection is requested. Funnily I got it to work once on a training cluster, and then I deleted the cluster and I can't get it to work again.
PODs should get created with sidecar.
I just went through the documentation step by step, and I can't identify what I'm doing wrong, or what I did differently that one time I got it to work.
Here are some logs for when the debian-debug POD gets deployed, but no sidecar.
10.64.4.1 - - [23/Mar/2022:15:16:18 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.21"
I0323 15:16:21.450826 1 webhook.go:510] AdmissionReview for Kind=/v1, Kind=Pod, Namespace=default Name= () UID=37184454-a6e7-4f35-be04-8eeaedf85265 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:replicaset-controller 4b17f21d-590c-4d37-acf2-5096af5e70cd [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}
I0323 15:16:21.450862 1 webhook.go:174] Pod / annotation injector.tumblr.com/request=test1 requesting sidecar config test1:latest
I0323 15:16:21.450961 1 webhook.go:548] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/env","value":[{"name":"HELLO","value":"world"}]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"TEST","value":"test_that"}},{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"test-vol","mountPath":"/tmp/test"}},{"op":"add","path":"/spec/containers/-","value":{"name":"sidecar-nginx","image":"nginx:1.12.2","ports":[{"containerPort":80}],"env":[{"name":"ENV_IN_SIDECAR","value":"test-in-sidecar"},{"name":"HELLO","value":"world"},{"name":"TEST","value":"test_that"}],"resources":{},"volumeMounts":[{"name":"test-vol","mountPath":"/tmp/test"}],"imagePullPolicy":"IfNotPresent"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"test-vol","configMap":{"name":"test-config"}}},{"op":"add","path":"/metadata/annotations/injector.tumblr.com~1status","value":"injected"}]
I0323 15:16:21.451004 1 webhook.go:626] Ready to write reponse ...
10.64.3.7 - - [23/Mar/2022:15:16:21 +0000] "POST /mutate?timeout=10s HTTP/1.1" 200 1237 "" "kube-apiserver-admission"
10.64.4.1 - - [23/Mar/2022:15:16:28 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.21"
Here's the debian-debug POD with no sidecar.
$ kubectl get po | grep debian
debian-debug 1/1 Running 0 55m
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.9-dispatcher", GitCommit:"2a8027f41d28b788b001389f3091c245cd0a9a60", GitTreeState:"clean", BuildDate:"2022-01-21T20:31:13Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.9-gke.1002", GitCommit:"f87f9d952767b966e72a4bd75afea25dea187bbf", GitTreeState:"clean", BuildDate:"2022-02-25T18:12:32Z", GoVersion:"go1.16.12b7", Compiler:"gc", Platform:"linux/amd64"}
k8s-sidecar-injector
Version: latest (as of March 23rd 2022)
Given that the sidecar containers KEP seems to be a ways off, I would love to take advantage of this workaround for delaying application startup until sidecar containers are ready by injecting sidecars at the top of the list of containers, rather than at the bottom, and using a post-startup lifecycle hook to check that the sidecar has started up.
At the moment containers are appended to the bottom of the pod's containers. To take advantage of the workaround with this sidecar injector it would need to be possible to prepend to the top of the list.
I'm not sure what the best way to implement this would be. This may be one of a few, if not the only, cases where the order of containers in the list makes any appreciable difference to the functionality of the pod, so it could be acceptable to simply switch the logic to append at the top of the containers, rather than the bottom.
Or, perhaps a separate field? A separate list of containers like containersPrepend: []?
Hi, I've been testing your sidecar-injector and just wonder if there is a way to request more than one sidecar injection configuration?
Multiple "injector.tumblr.com/request" annotations with the request assigned to different names won't raise an error, but only the last injection will be applied.
Thanks for the reply!
K8S: 1.18
sidecar: 0.1.7
The sidecar gets injected though the required configmap is not created, therefore the init does not come up. This only happens in one namespace; a similar setup works in 2 other namespaces. Any suggestions on which additional logs to enable and check? The problem is still happening, so it should be fairly easy to get more logs. Thanks.
MountVolume.SetUp failed for volume "vault-agent-init-config" : configmap "vault-agent-init-config" not found
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector E0616 19:10:19.980139 1 main.go:118] watcher got error, try to restart watcher: watcher channel has closed
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:19.980145 1 main.go:113] launching watcher for ConfigMaps
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector 10.50.5.106 - - [16/Jun/2021:19:10:22 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:22.982614 1 main.go:129] triggering ConfigMap reconciliation
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:22.982640 1 watcher.go:151] Fetching ConfigMaps...
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028036 1 watcher.go:158] Fetched 1 ConfigMaps
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028520 1 watcher.go:179] Loaded InjectionConfig vault-auth from ConfigMap sidecar-injector-default:vault-auth
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028897 1 watcher.go:179] Loaded InjectionConfig vault-auth-init from ConfigMap sidecar-injector-default:vault-auth-init
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028909 1 watcher.go:164] Found 2 InjectionConfigs in sidecar-injector-default
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028914 1 main.go:135] got 2 updated InjectionConfigs from reconciliation
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028919 1 main.go:149] updating server with newly loaded configurations (3 loaded from disk, 2 loaded from k8s api)
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028925 1 main.go:151] configuration replaced
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector I0616 19:15:08.600191 1 webhook.go:435] AdmissionReview for Kind=/v1, Kind=Pod, Namespace=external-god-connectedvehicle-services Name= () UID=b9f0adb9-96ea-4994-be36-d9cfe10e6cf5 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:job-controller 503d64d0-aa05-11e9-8bbd-0a71b5a65c66 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector I0616 19:15:08.600224 1 webhook.go:163] Pod / annotation injector.tumblr.com/request=vault-auth-init requesting sidecar config vault-auth-init
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector I0616 19:15:08.600316 1 webhook.go:473] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/volumeMounts","value":[{"name":"secrets","mountPath":"/etc/secrets"}]},{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"vault-token","mountPath":"/home/vault"}},{"op":"add","path":"/spec/initContainers","value":[{"name":"vault-agent-auth","image":"harbor.infrastructure.volvo.care/infrastructure/vault:1.2.3","args":["agent","-config=/etc/vault/vault-agent-init-config.hcl"],"env":[{"name":"SKIP_SETCAP","value":"true"}],"resources":{"limits":{"cpu":"150m","memory":"250Mi"},"requests":{"cpu":"50m","memory":"64Mi"}},"volumeMounts":[{"name":"vault-agent-init-config","mountPath":"/etc/vault"},{"name":"vault-auth","readOnly":true,"mountPath":"/var/run/secret"},{"name":"secrets","mountPath":"/etc/secrets"},{"name":"vault-token","mountPath":"/home/vault"}],"securityContext":{"privileged":false,"runAsUser":100,"runAsGroup":1000,"runAsNonRoot":true,"allowPrivilegeEscalation":false}}]},{"op":"add","path":"/spec/volumes","value":[{"name":"vault-auth","secret":{"secretName":"vault-sa-token","items":[{"key":"token","path":"token","mode":292}]}}]},{"op":"add","path":"/spec/volumes/-","value":{"name":"vault-token","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/spec/volumes/-","value":{"name":"vault-agent-init-config","configMap":{"name":"vault-agent-init-config"}}},{"op":"add","path":"/spec/volumes/-","value":{"name":"secrets","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/metadata/annotations/injector.tumblr.com~1status","value":"injected"}]
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector I0616 19:15:08.600352 1 webhook.go:551] Ready to write reponse ...
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector 100.107.171.128 - - [16/Jun/2021:19:15:08 +0000] "POST /mutate?timeout=30s HTTP/1.1" 200 2145 "" "kube-apiserver-admission"
I configured a serviceaccount in the sidecar config and want to inject it into a pod that has another serviceaccount.
The sidecar serviceaccount should be injected successfully into the pod's sidecar container.
But the pod container still mounts the old serviceaccount; the serviceaccount in the sidecar config is not injected into the pod.
Sidecar config with the serviceaccount added:
apiVersion: v1
data:
  sidecar-telegraf-elasticsearch: |
    name: sidecar-telegraf-elasticsearch
    containers:
    - name: telegraf
      image: registry-jinan-lab.inspurcloud.cn/library/common/telegraf:1.9.1-14
      imagePullPolicy: IfNotPresent
      ports:
      - containerPort: 9126
        name: prometheus
      volumeMounts:
      - name: telegraf
        mountPath: /etc/telegraf
    serviceAccountName: lma-sidecar
    volumes:
    - name: telegraf
      configMap:
        name: telegraf-elasticsearch
The sidecar is injected into the pod, not with the lma-sidecar serviceaccount but with the elasticsearch serviceaccount:
- image: registry-jinan-lab.inspurcloud.cn/library/common/telegraf:1.9.1-14
  imagePullPolicy: IfNotPresent
  name: telegraf
  ports:
  - containerPort: 9126
    name: prometheus
    protocol: TCP
  resources: {}
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /etc/telegraf
    name: telegraf
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: elasticsearch-token-m5bs9
    readOnly: true
The injector deployment crashes frequently. I got this crash log:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0xef548b]
goroutine 35 [running]:
github.com/tumblr/k8s-sidecar-injector/internal/pkg/config/watcher.(*K8sConfigMapWatcher).Watch(0xc0002cca00, 0x12d1f60, 0xc0002d8600, 0xc000300600, 0x0, 0x0)
/src/internal/pkg/config/watcher/watcher.go:109 +0x36b
main.main.func1.1(0xc0002cca00, 0x12d1f60, 0xc0002d8600, 0xc000300600)
/src/cmd/main.go:114 +0x77
created by main.main.func1
/src/cmd/main.go:111 +0xd7
I think it is just because the watcher got an Event with a nil Object and tried to use it. I found this bug is caused by kubernetes/client-go#334.
Can reproduce with any valid sidecar configuration; just wait a few minutes.
v1.13.3
k8s-sidecar-injector
Version: release-v0.1.6