
k8s-sidecar-injector's People

Contributors: alex-laties, bnadim, byxorna, george-angel, guyarb, komapa, like-inspur, lxs137, noahgoldman, princerachit, shivaprasad201, shrey-rajvanshi, while1malloc0, zhangjianweibj


k8s-sidecar-injector's Issues

serviceMonitor error

Hello,
I created the injector following the document /docs/deployment.md step by step, and everything is OK except the operation: kubectl create -f service-monitor.yaml.
Is anything forgotten?

error: unable to recognize "service-monitor.yaml": no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"

Remove glog

What's going on?

glog is annoying to configure, confusing to look at, and poorly documented. Let's gut this and replace it with a better logger. See #32

Expected Behavior

  1. glog is replaced by something less annoying to configure and use
  2. gorilla's CombinedLogger for HTTP middleware uses the same logger

sidecar container inject failed on kubernetes 1.14.3

I used k8s-sidecar-injector 0.1.8 on Kubernetes 1.14.3 before and found the sidecar container was injected successfully, as below:

I0521 03:55:42.351044       1 webhook.go:480] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/-","value":{"name":"exporter","image":"docker.inspur.com:5000/service/lma/consul-exporter:0.6.0","args":["--consul.server=localhost:8500","--log.level=warn"],"ports":[{"name":"metric","containerPort":9107}],"resources":{},"livenessProbe":{"tcpSocket":{"port":"metric"},"initialDelaySeconds":60,"timeoutSeconds":10,"periodSeconds":60},"readinessProbe":{"tcpSocket":{"port":"metric"},"initialDelaySeconds":60,"timeoutSeconds":10,"periodSeconds":60},"imagePullPolicy":"IfNotPresent"}},{"op":"add","path":"/metadata/annotations/injector.inspur.com~1status","value":"injected"}]

But when I upgraded k8s-sidecar-injector to 0.4.0, I found the sidecar container injection failed, as below:

I0521 06:20:35.624586       1 webhook.go:468] AdmissionReview for Kind=/v1, Kind=Pod, Namespace=monitoring Name= (consul-0) UID=2e9e0283-9b2b-11ea-9df2-5254009197f9 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:statefulset-controller c7bb22c8-6cef-11ea-9df2-5254009197f9 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}
I0521 06:20:35.624673       1 webhook.go:165] Pod monitoring/consul-0 annotation injector.tumblr.com/request is missing, skipping injection
I0521 06:20:35.624688       1 webhook.go:474] Skipping mutation of monitoring/consul-0: Missing injection request annotation
I0521 06:20:35.624733       1 webhook.go:584] Ready to write reponse ...

The config of the sidecar container is as below and was not modified after the k8s-sidecar-injector upgrade:

apiVersion: v1
kind: ConfigMap
metadata:
  name: sidecar-exporter-consul
  labels:
    app: k8s-sidecar-injector
data:
  sidecar-exporter-consul: |
    name: sidecar-exporter-consul
    containers:
    - name: exporter
      image: docker.inspur.com:5000/service/lma/consul-exporter:0.6.0
      imagePullPolicy: {{ .Values.image.pullPolicy }}
      args:
      - --consul.server=localhost:8500
      - --log.level=warn
      ports:
      - containerPort: 9107
        name: metric

The config of the pod is as below and has the request annotation, but sidecar container injection failed:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    injector.inspur.com/request: sidecar-exporter-consul
    prometheus.io/port: "9107"
    prometheus.io/scrape: "true"

How to configure a different configmap for different pods in one statefulset

I want to inject a telegraf configmap for a rabbitmq cluster, and rabbitmq runs in one statefulset with three replicas. The monitoring need is to configure the rabbitmq node itself for each rabbitmq pod, like this:

[[inputs.rabbitmq]]
url = "http://172.16.1.26:15672"
username = "admin"
password = "QINtwo5P16SsCmPv"
header_timeout = "3s"
client_timeout = "4s"
nodes = ["rabbit@msg01"]

So how can I configure the telegraf configmap of rabbitmq to achieve this: when one pod of the rabbitmq statefulset starts, it configures nodes with the pod hostname for that pod's configmap? Thank you!

Ignored namespaces aren't skipped for Deployment pods

What's going on?

The metadata of the CREATE request object doesn't always contain the namespace or the name of the pod. This seems to be the case when the pod is launched on behalf of a Deployment. It doesn't seem to be the case with StatefulSets or a bare Pod. I haven't tested Jobs or CronJobs or any other controllers.

The check for ignored namespaces uses metadata.namespace to perform the comparison, so pods in kube-system and kube-public aren't skipped for Deployment pods.

Additionally, some logging statements are missing the namespace and name:

I0925 13:20:51.062652       1 webhook.go:165] Pod / annotation injector.tumblr.com/request is missing, skipping injection

Expected Behavior

List of ignored namespaces should be respected for all pod admission requests, regardless of the source.

Reproducer

This is the Deployment I've been using to test:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test 
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      annotations:
        injector.tumblr.com/request: my-sidecar
      labels:
        app: test
    spec:
      containers:
        - name: test
          image: alpine
          command:
            - ash
            - -c
            - |
              while true; do sleep 86400; done

Version Deets

  • Kubernetes Version: 1.18.5, 1.19.1
  • k8s-sidecar-injector Version: release-v0.5.0
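As an added example (not code from the k8s-sidecar-injector project), the following Go program shows the resolution the issue above calls for: take the namespace from the AdmissionRequest itself rather than from the pod's metadata, so that a Deployment-owned pod in kube-system (empty metadata.namespace and metadata.name, only a generateName) is still matched against the ignore list. The struct types, the ignore list and the sample AdmissionReview JSON are constructed for this example and carry only the fields used here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal shape of the admission payload the API server POSTs to /mutate.
// These structs are constructed for this example and carry only the fields
// used here; the real admission/v1 types have many more.
type objectMeta struct {
	Namespace    string            `json:"namespace"`
	Name         string            `json:"name"`
	GenerateName string            `json:"generateName"`
	Annotations  map[string]string `json:"annotations"`
}

type podObject struct {
	Metadata objectMeta `json:"metadata"`
}

type admissionRequest struct {
	UID       string    `json:"uid"`
	Namespace string    `json:"namespace"`
	Name      string    `json:"name"`
	Operation string    `json:"operation"`
	Object    podObject `json:"object"`
}

type admissionReview struct {
	Request *admissionRequest `json:"request"`
}

// defaultIgnored mirrors the two namespaces the issue says are skipped.
var defaultIgnored = []string{"kube-system", "kube-public"}

// effectiveNamespace prefers the namespace the API server sets on the
// AdmissionRequest. A pod created through a Deployment's ReplicaSet can arrive
// with an empty metadata.namespace (it only has generateName), which is why a
// check based on metadata.namespace alone lets kube-system pods through.
func effectiveNamespace(req *admissionRequest) string {
	if req.Namespace != "" {
		return req.Namespace
	}
	return req.Object.Metadata.Namespace
}

// displayName gives a usable "namespace/name" for log lines even when the
// object has no name yet, so logs do not read "Pod / annotation ...".
func displayName(req *admissionRequest) string {
	name := req.Object.Metadata.Name
	if name == "" {
		name = req.Name
	}
	if name == "" && req.Object.Metadata.GenerateName != "" {
		name = req.Object.Metadata.GenerateName + "<generated>"
	}
	return effectiveNamespace(req) + "/" + name
}

func isIgnoredNamespace(ns string, ignored []string) bool {
	for _, ig := range ignored {
		if ns == ig {
			return true
		}
	}
	return false
}

// shouldSkip parses a raw AdmissionReview and reports the resolved namespace,
// a display name, and whether mutation must be skipped.
func shouldSkip(raw []byte, ignored []string) (ns, name string, skip bool, err error) {
	var ar admissionReview
	if e := json.Unmarshal(raw, &ar); e != nil {
		return "", "", false, fmt.Errorf("decoding AdmissionReview: %w", e)
	}
	if ar.Request == nil {
		return "", "", false, fmt.Errorf("AdmissionReview has no request")
	}
	ns = effectiveNamespace(ar.Request)
	return ns, displayName(ar.Request), isIgnoredNamespace(ns, ignored), nil
}

// Constructed sample: a Deployment-owned pod in kube-system on CREATE.
// Note the empty metadata.namespace and metadata.name.
const deploymentPodReview = `{
  "request": {
    "uid": "00000000-0000-0000-0000-000000000000",
    "namespace": "kube-system",
    "name": "",
    "operation": "CREATE",
    "object": {
      "metadata": {
        "namespace": "",
        "name": "",
        "generateName": "test-7c9d8b5f4-",
        "annotations": {"injector.tumblr.com/request": "my-sidecar"}
      }
    }
  }
}`

func main() {
	ns, name, skip, err := shouldSkip([]byte(deploymentPodReview), defaultIgnored)
	if err != nil {
		panic(err)
	}
	fmt.Printf("pod %s resolved to namespace %q, skip=%v\n", name, ns, skip)
}
```

The same resolution order also fixes the log lines in the issue: once the namespace comes from the request, "Pod / annotation ..." becomes "Pod kube-system/test-7c9d8b5f4-<generated> annotation ...".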

Add default request from namespace annotation

My use case is that I want to mount /etc/ssl/certs for each pod inside a namespace in order to use a custom CA easily. It would be great to take the requested annotation from the namespace (as a default annotation). For example:

apiVersion: v1
kind: Namespace
metadata:
  name: test
  annotations:
    k8s-sidecar-injector/default-request: etc-ssl-certs   <--- Applies to every pod in the namespace
  ...
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
  namespace: test
  annotations: {}  <--- No request but default-request is applied
spec:
  ...

I think the affected lines would be these:

requestedInjection, ok := annotations[requestAnnotationKey]
if !ok {
	glog.Infof("Pod %s/%s annotation %s is missing, skipping injection", metadata.Namespace, metadata.Name, requestAnnotationKey)
	return "", ErrMissingRequestAnnotation
}

ServiceAccount Token missing in sidecar

I'm trying to inject a sidecar, using which I want to create some CRDs. I need the sidecar to come up "in-cluster". However, I don't see a service account token getting mapped in the injected sidecar.

I'm using the configmap provided in the docs folder. With these lines added:

data:
  test1: |
    name: test1
    env:
    - name: HELLO
      value: world
    - name: TEST
      value: test_that
    volumeMounts:
    - name: test-vol
      mountPath: /tmp/test
    volumes:
    - name: test-vol
      configMap:
        name: test-config
    serviceAccount: k8s-sidecar-injector
    serviceAccountName: k8s-sidecar-injector
    automountServiceAccountToken: true

I have cherry-picked the serviceAccount related PRs.

2019-10-18T14:34:30.401690495-07:00 stderr F I1018 21:34:30.401614       1 webhook.go:494] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/-","value":{"name":"sidecar-wiper","image":"diamanti/wiper:0.2","ports":[{"containerPort":80}],"env":[{"name":"ENV_IN_SIDECAR","value":"test-in-sidecar"},{"name":"HELLO","value":"world"},{"name":"TEST","value":"test_that"}],"resources":{},"volumeMounts":[{"name":"test-vol","mountPath":"/tmp/test"}],"imagePullPolicy":"IfNotPresent"}},{"op":"add","path":"/spec/containers/0/env","value":[{"name":"HELLO","value":"world"}]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"TEST","value":"test_that"}},{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"test-vol","mountPath":"/tmp/test"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"test-vol","configMap":{"name":"test-config"}}},{"op":"add","path":"/metadata/annotations/injector.tumblr.com~1status","value":"injected"}]

Happens always. All the yamls are from the example in the docs folder.

Version Deets

  • Kubernetes Version: 1.15.3
  • k8s-sidecar-injector Top of tree

Question: Being able to inject in kube-system namespace

We would like to be able to inject sidecars inside kube-system namespace. Currently kube-system is hardcoded to be ignored: https://github.com/tumblr/k8s-sidecar-injector/blob/master/pkg/server/webhook.go#L81-L84

I guess this serves as protection from borking your cluster, but the controller fails open, so at worst it would slow down Pods starting in kube-system.

Is this something you would be open to having as a flag with current defaults, to allow setting an empty list?

Am I missing something more critical why kube-system and kube-public are ignored?

Thanks!

Status annotation ignores custom annotation namespace

What's going on?

Setting a custom annotation namespace with -annotation-namespace does not affect the injector.tumblr.com/status annotation.

The root cause seems quite clear from reading the source. The /status annotation is set in webhook.go#L462, using the config.InjectionStatusAnnotation package-level variable. This variable is hardcoded to use annotationNamespaceDefault, which is set to "injector.tumblr.com". This pretty clearly explains why the user-specified configuration is ignored.

Interestingly, both /request and /status are properly formatted using AnnotationNamespace in (*WebhookServer).getSidecarConfigurationRequested. Seems like that configuration format just needs to be used in both places.

Expected Behavior

Setting -annotation-namespace=sidecar-injector.eks.qcinternal.io should cause Pods with injected sidecars to have the annotation sidecar-injector.eks.qcinternal.io/status: injected. Instead, we see injector.tumblr.com/status: injected. The annotation setting which sidecar configuration to use is sidecar-injector.eks.qcinternal.io/request.

Reproducer

The injector is launched with the following arguments:

    - --v
    - "2"
    - --tls-cert-file
    - /var/lib/tls-cert/tls.crt
    - --tls-key-file
    - /var/lib/tls-cert/tls.key
    - --annotation-namespace
    - sidecar-injector.eks.qcinternal.io
    - --configmap-labels
    - app.kubernetes.io/instance=k8s-sidecar-injector-batch-production-blue,app.kubernetes.io/component=sidecar-config

I'm going to omit sidecar configurations in particular, as the root cause seems quite obvious and the configurations are for internal tools. I can provide similar information if necessary.

Version Deets

  • Kubernetes Version: v1.13.8
  • k8s-sidecar-injector Version: v0.1.7
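As an added example (not the project's own code), the Go program below derives both the /request and the /status key from a single configured annotation namespace, so that the custom -annotation-namespace reported above applies to both. It also covers the earlier 0.4.0 upgrade report, where the pod carried injector.inspur.com/request while the log looked for injector.tumblr.com/request: a lookup under the wrong namespace is indistinguishable from a missing annotation. The RFC 6901 escaping function explains the "~1" seen in the AdmissionResponse patch paths throughout these logs. Type names, the patch builder and the sample annotations are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const annotationNamespaceDefault = "injector.tumblr.com"

// annotationKeys holds both keys, derived from one configured namespace.
type annotationKeys struct {
	Request string
	Status  string
}

// keysFor derives /request and /status from the same -annotation-namespace
// value, so neither can silently fall back to the compiled-in default.
func keysFor(annotationNamespace string) annotationKeys {
	ns := strings.TrimSuffix(strings.TrimSpace(annotationNamespace), "/")
	if ns == "" {
		ns = annotationNamespaceDefault
	}
	return annotationKeys{Request: ns + "/request", Status: ns + "/status"}
}

// requestedInjection looks up the request annotation under the configured
// namespace. A pod annotated under a different namespace (for example
// injector.inspur.com/request when the server expects injector.tumblr.com)
// is reported as missing, which is what the "skipping injection" log shows.
func requestedInjection(annotations map[string]string, annotationNamespace string) (string, bool) {
	v, ok := annotations[keysFor(annotationNamespace).Request]
	return v, ok
}

// escapeJSONPointer applies RFC 6901 escaping to one path token:
// "~" becomes "~0" and "/" becomes "~1". That is why the patches in the logs
// contain /metadata/annotations/injector.tumblr.com~1status.
func escapeJSONPointer(token string) string {
	return strings.ReplaceAll(strings.ReplaceAll(token, "~", "~0"), "/", "~1")
}

// patchOperation is one JSON Patch (RFC 6902) operation.
type patchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// statusPatch builds the operation that marks a pod as injected. If the pod
// has no annotations map yet, "add" must create the whole map, because adding
// a child under a missing parent is a JSON Patch error.
func statusPatch(annotationNamespace string, existing map[string]string) patchOperation {
	status := keysFor(annotationNamespace).Status
	if len(existing) == 0 {
		return patchOperation{Op: "add", Path: "/metadata/annotations", Value: map[string]string{status: "injected"}}
	}
	return patchOperation{Op: "add", Path: "/metadata/annotations/" + escapeJSONPointer(status), Value: "injected"}
}

func main() {
	// Constructed pod annotations, matching the -annotation-namespace reproducer.
	ns := "sidecar-injector.eks.qcinternal.io"
	pod := map[string]string{ns + "/request": "my-sidecar"}
	if req, ok := requestedInjection(pod, ns); ok {
		fmt.Println("requested:", req)
	}
	b, _ := json.Marshal(statusPatch(ns, pod))
	fmt.Println(string(b))
}
```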

configmaps have the same name

What's going on?

Hi, I've been testing sidecar-injector and just wonder how to identify configmaps with the same name?

Expected Behavior

In my opinion, it should have injected the latest one, but it didn't.

Version Deets

  • Kubernetes Version:
    Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.11", GitCommit:"5824e3251d294d324320db85bf63a53eb0767af2", GitTreeState:"clean", BuildDate:"2022-06-16T05:39:23Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.11", GitCommit:"5824e3251d294d324320db85bf63a53eb0767af2", GitTreeState:"clean", BuildDate:"2022-06-16T05:33:55Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
  • k8s-sidecar-injector Version: latest

sidecar-configmap namespaces must be equal to the k8s-sidecar-injector-prod namespace

I ran the injector with the help of deployment.md; the yaml files are in the project's example directory. Everything is OK; then I ran a different instance.
pod yaml file:

apiVersion: v1
kind: Pod
metadata:
  name: debian-debug
  namespace: monitoring
  annotations:
    injector.tumblr.com/request: sidecar-telegraf-basic
spec:
  containers:
  - image: debian:jessie
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo hello; sleep 10; done"]
    imagePullPolicy: IfNotPresent
    name: debian-debug
    resources:
      requests:
        memory: "200M"
        cpu: "500m"
  restartPolicy: Never

sidecar config file:

[image]

k8s-sidecar-injector logs show "requested injection sidecar-telegraf-basic was not in configuration".

[image]

Then I modified the sidecar config file, changing its namespace to be equal to k8s-sidecar-injector's namespace.

[image]

and it works.

[image]

Why? In my opinion, for target pods whose namespace is monitoring, k8s-sidecar-injector should use the sidecar config whose namespace is monitoring, not kube-system.

deployment LOG_LEVEL doesn't have an effect

I installed the k8s-injector following examples/kubernetes/deployment.yaml, but no matter what value I configure for LOG_LEVEL, the pod always outputs info level logs and many kube-probe logs like this:
10.233.98.0 - - [15/Oct/2019:02:05:07 +0000] "POST /mutate?timeout=30s HTTP/2.0" 200 74 "" "kube-apiserver-admission"
I1015 02:05:07.968371 1 webhook.go:584] Ready to write reponse ...
10.233.98.0 - - [15/Oct/2019:02:05:07 +0000] "POST /mutate?timeout=30s HTTP/2.0" 200 74 "" "kube-apiserver-admission"
10.110.18.103 - - [15/Oct/2019:02:05:10 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"
10.110.18.103 - - [15/Oct/2019:02:05:13 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"
10.110.18.103 - - [15/Oct/2019:02:05:20 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"
10.110.18.103 - - [15/Oct/2019:02:05:23 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.14"

Feature Request: Add ExecAction to config(map)

As a part of injection for sidecars I want to be able to call a preStop hook, so we can clean up before exit.

ConfigMap Change.

imagePullPolicy: IfNotPresent
lifecycle:
  preStop:
    exec: ["/bin/bash", "-c", "/opt/bin/prestop"]

E1104 19:09:48.504599 1 main.go:132] error reconciling configmaps: error getting ConfigMaps from API: error parsing ConfigMap sidecar-test item test1 into injection config: error unmarshaling JSON: json: cannot unmarshal array into Go struct field Handler.exec of type v1.ExecAction

I guess we will have to add it to the InjectionConfig structure.

Version Deets

  • Kubernetes Version: 1.15.3
  • k8s-sidecar-injector Version: Top of Tree.
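The unmarshal error quoted above is the decoder rejecting the shape of the config, not a missing field in InjectionConfig: v1.ExecAction is a struct whose argument list lives under command, so exec: has to be a mapping, not a bare list. As an added example (not the project's code), the Go program below mirrors the relevant slice of the core/v1 types with constructed struct definitions and decodes both the rejected fragment from the issue and the accepted form; the JSON inputs are constructed equivalents of the YAML above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ExecAction, Handler and Lifecycle mirror the shape of the core/v1 types named
// in the error message. They are constructed for this example and carry only
// the fields needed here. ExecAction is a struct, so a JSON/YAML array cannot
// be decoded into it; the array must sit under "command".
type ExecAction struct {
	Command []string `json:"command,omitempty"`
}

type Handler struct {
	Exec *ExecAction `json:"exec,omitempty"`
}

type Lifecycle struct {
	PreStop *Handler `json:"preStop,omitempty"`
}

// parseLifecycle decodes a lifecycle fragment of an injection config and
// returns the preStop exec command, or the decoding error the reconciler
// would surface.
func parseLifecycle(raw []byte) ([]string, error) {
	var lc Lifecycle
	if err := json.Unmarshal(raw, &lc); err != nil {
		return nil, fmt.Errorf("error unmarshaling JSON: %w", err)
	}
	if lc.PreStop == nil || lc.PreStop.Exec == nil {
		return nil, fmt.Errorf("lifecycle has no preStop exec hook")
	}
	return lc.PreStop.Exec.Command, nil
}

// Constructed inputs: the first is the shape used in the issue's ConfigMap,
// the second is the shape the API types expect.
const rejected = `{"preStop":{"exec":["/bin/bash","-c","/opt/bin/prestop"]}}`
const accepted = `{"preStop":{"exec":{"command":["/bin/bash","-c","/opt/bin/prestop"]}}}`

func main() {
	if _, err := parseLifecycle([]byte(rejected)); err != nil {
		fmt.Println("rejected:", err)
	}
	cmd, err := parseLifecycle([]byte(accepted))
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted preStop command:", cmd)
}
```

In YAML terms the accepted form is `exec:` followed by an indented `command:` list; with that change the fragment decodes into the same v1.Lifecycle that the container spec already carries.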

openshift: copy runAsUser from main container

What's going on?

On OpenShift the standard behavior is to run each pod with a certain uid. This uid is dependent on the namespace the pod is running in. Pods are automatically injected with the right security context and runAsUser settings. This is done before the mutating webhook is called to inject the sidecar. The sidecar cannot be configured with the right uid because this is namespace dependent, and it will not run if the setting is not correct.

Example of the security context info

      securityContext:
        capabilities:
          drop:
            - KILL
            - MKNOD
            - SETGID
            - SETUID
        runAsUser: 1001550000

I have written some code to add the runAsUser of container 0 to the injected containers.
Is it possible to open a pull request to integrate this feature?

POD not getting sidecar even though injection is requested

What's going on?

PODs are not getting sidecars, even though the injection is requested. Funnily I got it to work once on a training cluster, and then I deleted the cluster and I can't get it to work again.

Expected Behavior

PODs should get created with sidecar.

Reproducer

I just went through the documentation step by step, and I can't identify what I'm doing wrong, or what I did differently that one time I got it to work.

Here are some logs for when the debian-debug POD gets deployed, but no sidecar.

10.64.4.1 - - [23/Mar/2022:15:16:18 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.21"
I0323 15:16:21.450826       1 webhook.go:510] AdmissionReview for Kind=/v1, Kind=Pod, Namespace=default Name= () UID=37184454-a6e7-4f35-be04-8eeaedf85265 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:replicaset-controller 4b17f21d-590c-4d37-acf2-5096af5e70cd [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}
I0323 15:16:21.450862       1 webhook.go:174] Pod / annotation injector.tumblr.com/request=test1 requesting sidecar config test1:latest
I0323 15:16:21.450961       1 webhook.go:548] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/env","value":[{"name":"HELLO","value":"world"}]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"TEST","value":"test_that"}},{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"test-vol","mountPath":"/tmp/test"}},{"op":"add","path":"/spec/containers/-","value":{"name":"sidecar-nginx","image":"nginx:1.12.2","ports":[{"containerPort":80}],"env":[{"name":"ENV_IN_SIDECAR","value":"test-in-sidecar"},{"name":"HELLO","value":"world"},{"name":"TEST","value":"test_that"}],"resources":{},"volumeMounts":[{"name":"test-vol","mountPath":"/tmp/test"}],"imagePullPolicy":"IfNotPresent"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"test-vol","configMap":{"name":"test-config"}}},{"op":"add","path":"/metadata/annotations/injector.tumblr.com~1status","value":"injected"}]
I0323 15:16:21.451004       1 webhook.go:626] Ready to write reponse ...
10.64.3.7 - - [23/Mar/2022:15:16:21 +0000] "POST /mutate?timeout=10s HTTP/1.1" 200 1237 "" "kube-apiserver-admission"
10.64.4.1 - - [23/Mar/2022:15:16:28 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.21"

Here's the debian-debug POD with no sidecar.

$ kubectl get po | grep debian
debian-debug                                             1/1     Running   0          55m

Version Deets

  • Kubernetes Version:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.9-dispatcher", GitCommit:"2a8027f41d28b788b001389f3091c245cd0a9a60", GitTreeState:"clean", BuildDate:"2022-01-21T20:31:13Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.9-gke.1002", GitCommit:"f87f9d952767b966e72a4bd75afea25dea187bbf", GitTreeState:"clean", BuildDate:"2022-02-25T18:12:32Z", GoVersion:"go1.16.12b7", Compiler:"gc", Platform:"linux/amd64"}
  • k8s-sidecar-injector Version: latest (as of March 23rd 2022)

injected pod has no volume and hostPid property

Hello, I ran k8s-sidecar-injector using the yamls in the example directory. Then I modified the debug-pod.yaml file:

[image]

and the sidecar configmap:

[image]

then described the pod:

[image]

No volumeMounts, hostNetwork or hostPid property. Why?

Feature request: inject container at the top of the list of containers

Given that the sidecar containers KEP seems to be a ways off, I would love to take advantage of this workaround for delaying application startup until sidecar containers are ready: injecting sidecars at the top of the list of containers, rather than at the bottom, and using a post-start lifecycle hook to check that the sidecar has started up.

At the moment containers are appended to the bottom of the pod's containers. To take advantage of the workaround with this sidecar injector it would need to be possible to prepend to the top of the list.

I'm not sure what the best way to implement this would be. This may be one of a few, if not the only, cases where the order of containers in the list makes any appreciable difference to the functionality of the pod, so it could be acceptable to simply switch the logic to append at the top of the containers, rather than the bottom.

Or, perhaps a separate field? A separate list of containers like containersPrepend: []?

Requesting multiple sidecar injections for pod

Hi, I've been testing your sidecar-injector and just wonder if there is a way to request more than one sidecar injection configuration?
Multiple "injector.tumblr.com/request" annotations with requests assigned to different names won't raise an error, but only the last injection will be applied.

Thanks for reply!

sidecar injected though no configmap created, therefore init does not come up

K8S: 1.18
sidecar: 0.1.7

The side-car gets injected though the required configmap is not created, therefore the init does not come up. This only happens in one namespace; a similar setup works in 2 other namespaces. Any suggestions on which additional logs to enable and check? The problem is still happening, so it should be fairly easy to get more logs. Thanks.

MountVolume.SetUp failed for volume "vault-agent-init-config" : configmap "vault-agent-init-config" not found

sidecar-injector-6b9977dfdf-fwk75 sidecar-injector E0616 19:10:19.980139       1 main.go:118] watcher got error, try to restart watcher: watcher channel has closed
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:19.980145       1 main.go:113] launching watcher for ConfigMaps
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector 10.50.5.106 - - [16/Jun/2021:19:10:22 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:22.982614       1 main.go:129] triggering ConfigMap reconciliation
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:22.982640       1 watcher.go:151] Fetching ConfigMaps...
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028036       1 watcher.go:158] Fetched 1 ConfigMaps
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028520       1 watcher.go:179] Loaded InjectionConfig vault-auth from ConfigMap sidecar-injector-default:vault-auth
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028897       1 watcher.go:179] Loaded InjectionConfig vault-auth-init from ConfigMap sidecar-injector-default:vault-auth-init
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028909       1 watcher.go:164] Found 2 InjectionConfigs in sidecar-injector-default
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028914       1 main.go:135] got 2 updated InjectionConfigs from reconciliation
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028919       1 main.go:149] updating server with newly loaded configurations (3 loaded from disk, 2 loaded from k8s api)
sidecar-injector-6b9977dfdf-fwk75 sidecar-injector I0616 19:10:23.028925       1 main.go:151] configuration replaced
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector I0616 19:15:08.600191       1 webhook.go:435] AdmissionReview for Kind=/v1, Kind=Pod, Namespace=external-god-connectedvehicle-services Name= () UID=b9f0adb9-96ea-4994-be36-d9cfe10e6cf5 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:job-controller 503d64d0-aa05-11e9-8bbd-0a71b5a65c66 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector I0616 19:15:08.600224       1 webhook.go:163] Pod / annotation injector.tumblr.com/request=vault-auth-init requesting sidecar config vault-auth-init
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector I0616 19:15:08.600316       1 webhook.go:473] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/volumeMounts","value":[{"name":"secrets","mountPath":"/etc/secrets"}]},{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"vault-token","mountPath":"/home/vault"}},{"op":"add","path":"/spec/initContainers","value":[{"name":"vault-agent-auth","image":"harbor.infrastructure.volvo.care/infrastructure/vault:1.2.3","args":["agent","-config=/etc/vault/vault-agent-init-config.hcl"],"env":[{"name":"SKIP_SETCAP","value":"true"}],"resources":{"limits":{"cpu":"150m","memory":"250Mi"},"requests":{"cpu":"50m","memory":"64Mi"}},"volumeMounts":[{"name":"vault-agent-init-config","mountPath":"/etc/vault"},{"name":"vault-auth","readOnly":true,"mountPath":"/var/run/secret"},{"name":"secrets","mountPath":"/etc/secrets"},{"name":"vault-token","mountPath":"/home/vault"}],"securityContext":{"privileged":false,"runAsUser":100,"runAsGroup":1000,"runAsNonRoot":true,"allowPrivilegeEscalation":false}}]},{"op":"add","path":"/spec/volumes","value":[{"name":"vault-auth","secret":{"secretName":"vault-sa-token","items":[{"key":"token","path":"token","mode":292}]}}]},{"op":"add","path":"/spec/volumes/-","value":{"name":"vault-token","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/spec/volumes/-","value":{"name":"vault-agent-init-config","configMap":{"name":"vault-agent-init-config"}}},{"op":"add","path":"/spec/volumes/-","value":{"name":"secrets","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/metadata/annotations/injector.tumblr.com~1status","value":"injected"}]
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector I0616 19:15:08.600352       1 webhook.go:551] Ready to write reponse ...
sidecar-injector-6b9977dfdf-hrmvt sidecar-injector 100.107.171.128 - - [16/Jun/2021:19:15:08 +0000] "POST /mutate?timeout=30s HTTP/1.1" 200 2145 "" "kube-apiserver-admission"

serviceaccount in sidecar not injected into pod with another serviceaccount

What's going on?

I configured a serviceaccount in the sidecar and want to inject it into a pod that has another serviceaccount.

Expected Behavior

The sidecar serviceaccount should be injected successfully into the pod's sidecar container.
But the pod container still mounts the old serviceaccount; the serviceaccount in the sidecar is not injected into the pod.

Reproducer

sidecar config with the serviceaccount added:

apiVersion: v1
data:
  sidecar-telegraf-elasticsearch: |
    name: sidecar-telegraf-elasticsearch
    containers:
    - name: telegraf
      image: registry-jinan-lab.inspurcloud.cn/library/common/telegraf:1.9.1-14
      imagePullPolicy: IfNotPresent
      ports:
      - containerPort: 9126
        name: prometheus
      volumeMounts:
      - name: telegraf
        mountPath: /etc/telegraf
    serviceAccountName: lma-sidecar
    volumes:
    - name: telegraf
      configMap:
        name: telegraf-elasticsearch

The sidecar is injected into the pod, but not with the lma-sidecar serviceaccount; it gets the elasticsearch serviceaccount:

  - image: registry-jinan-lab.inspurcloud.cn/library/common/telegraf:1.9.1-14
    imagePullPolicy: IfNotPresent
    name: telegraf
    ports:
    - containerPort: 9126
      name: prometheus
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/telegraf
      name: telegraf
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: elasticsearch-token-m5bs9
      readOnly: true

Version Deets

  • Kubernetes Version: v1.20.1
  • k8s-sidecar-injector Version: 0.5.0

ConfigMap Watcher got nil Event

What's going on?

The injector deployment crashes frequently. I got this crash log:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0xef548b]

goroutine 35 [running]:
github.com/tumblr/k8s-sidecar-injector/internal/pkg/config/watcher.(*K8sConfigMapWatcher).Watch(0xc0002cca00, 0x12d1f60, 0xc0002d8600, 0xc000300600, 0x0, 0x0)
	/src/internal/pkg/config/watcher/watcher.go:109 +0x36b
main.main.func1.1(0xc0002cca00, 0x12d1f60, 0xc0002d8600, 0xc000300600)
	/src/cmd/main.go:114 +0x77
created by main.main.func1
	/src/cmd/main.go:111 +0xd7

I think it is just because the watcher got an Event with a nil Object and tried to use it. I find this bug is caused by kubernetes/client-go#334

Expected Behavior

Reproducer

Can reproduce with any valid sidecar configurations; just wait a few minutes.

Version Deets

  • Kubernetes Version: v1.13.3
  • k8s-sidecar-injector Version: release-v0.1.6
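As an added example (not the project's watcher code), the Go program below shows the defensive loop the crash above calls for: a watch event whose Object is nil, or whose Type is ERROR, is counted and skipped instead of being dereferenced, and a closed channel is reported as an error so the caller can restart the watch (the "watcher got error, try to restart watcher" path seen in the logs of the earlier issue). The event and configMap types only mirror the shape of client-go's watch.Event and are constructed here, as is the sample event feed.

```go
package main

import (
	"errors"
	"fmt"
)

// eventType and event mirror the shape of client-go's watch.Event: a Type and
// an Object that, as the issue describes, can arrive as nil. They are
// constructed for this example, not the library types.
type eventType string

const (
	added    eventType = "ADDED"
	modified eventType = "MODIFIED"
	deleted  eventType = "DELETED"
	errored  eventType = "ERROR"
)

type configMap struct {
	Namespace string
	Name      string
}

type event struct {
	Type   eventType
	Object *configMap
}

var errWatchClosed = errors.New("watcher channel has closed")

// drain consumes events until the channel closes. A nil Object (or an ERROR
// event, which carries no ConfigMap) is counted and skipped instead of being
// dereferenced, which is the nil pointer the stack trace points at. The
// closed channel is returned as errWatchClosed so the caller restarts the watch.
func drain(ch <-chan event) (loaded []string, skipped int, err error) {
	for ev := range ch {
		if ev.Type == errored || ev.Object == nil {
			skipped++
			continue
		}
		key := ev.Object.Namespace + ":" + ev.Object.Name
		switch ev.Type {
		case added, modified:
			loaded = append(loaded, key)
		case deleted:
			loaded = removeKey(loaded, key)
		}
	}
	return loaded, skipped, errWatchClosed
}

// removeKey drops every occurrence of key from keys.
func removeKey(keys []string, key string) []string {
	out := make([]string, 0, len(keys))
	for _, k := range keys {
		if k != key {
			out = append(out, k)
		}
	}
	return out
}

// feed turns a constructed slice of events into an already-closed channel,
// standing in for the channel a real watch would return.
func feed(events []event) <-chan event {
	ch := make(chan event, len(events))
	for _, ev := range events {
		ch <- ev
	}
	close(ch)
	return ch
}

// sampleEvents is a constructed sequence that includes the nil-Object event
// which used to crash the watcher.
var sampleEvents = []event{
	{Type: added, Object: &configMap{Namespace: "sidecar-injector-default", Name: "vault-auth"}},
	{Type: modified, Object: nil},
	{Type: added, Object: &configMap{Namespace: "sidecar-injector-default", Name: "vault-auth-init"}},
	{Type: deleted, Object: &configMap{Namespace: "sidecar-injector-default", Name: "vault-auth"}},
}

func main() {
	loaded, skipped, err := drain(feed(sampleEvents))
	fmt.Printf("loaded=%v skipped=%d err=%v\n", loaded, skipped, err)
}
```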
