
Disable connect-injector Dynamic Admission Control in kube-system namespace #745

Closed
davidesalerno opened this issue Sep 27, 2021 · 6 comments


@davidesalerno

When a Kubernetes cluster-wide crash happens and all the services in all the namespaces (also the system ones like kube-system) crash, if the exclusion list of the Consul Connect Injector Mutating Webhook does not also include the system namespaces (like kube-system), then when all the system services are restarted after the crash they will try to reach the Mutating Webhook service while it is still down (due to the unavailability of the services in the kube-system namespace, for example), and the whole Kubernetes cluster won't restart at all.

It would be really useful to have the chance to add kube-system and other critical namespaces in the NotIn condition to avoid this issue, which can currently be solved only by manually deleting the mutatingwebhook configuration and re-applying it when Kubernetes is restarted.

```yaml
values: [ {{ template "consul.name" . }} ]
```

@davidesalerno
Author

Reading the documentation, the way to do this is using a namespaceSelector -> https://www.consul.io/docs/k8s/helm#v-connectinject-namespaceselector

@lkysow
Member

lkysow commented Sep 27, 2021

#726 will make this the default too so we don't require users to set it.

@davidesalerno it's worth noting that that PR only works for kube 1.21+ though, since they only set that label by default on that version

@davidesalerno
Author

davidesalerno commented Sep 28, 2021

@lkysow So on kube < 1.21.1 to achieve the same result, should we put the kube-system in the k8sdenynamespaces (https://www.consul.io/docs/k8s/helm#v-connectinject-k8sdenynamespaces) ?

Or maybe we could simply add a label to the kube-system namespace.

@lkysow
Member

lkysow commented Sep 28, 2021

You would need to label it. The k8sdenynamespaces is only respected by the injector so k8s will still send pod mutation requests for kube-system to the injector. The namespaceSelector is the only way to get kube to not send those mutation requests.

lawliet89 pushed a commit to lawliet89/consul-k8s that referenced this issue Oct 6, 2021
We need to have a newline between the codegen comment and the start of
the generated docs because the markdown formatter will add it later.
@trenslow

trenslow commented Oct 7, 2021

@lkysow Which version of Consul should we expect to have this change of default?

@lkysow
Member

lkysow commented Oct 7, 2021

Hi Tyler, this is still in review so should make it into our next release. You can get the feature now though by setting:

```yaml
connectInject:
  namespaceSelector: |
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: "NotIn"
        values: ["kube-system","local-path-storage"]
```
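The reason labelling is required on clusters older than 1.21 (see lkysow's Sep 28 reply and the selector above) is how the API server evaluates a `NotIn` expression: a namespace that lacks the key still matches, so the webhook stays in the pod-creation path for kube-system until the `kubernetes.io/metadata.name` label exists. The following is an added illustration, not consul-k8s code; it re-implements the LabelSelector matching rules over constructed namespace label sets.

```python
"""Evaluate a MutatingWebhookConfiguration namespaceSelector against namespace labels.

Added example (not consul-k8s code). Namespace label sets below are constructed.
"""
from typing import Dict

# The selector from the comment above, as a Python structure.
NAMESPACE_SELECTOR = {
    "matchExpressions": [
        {
            "key": "kubernetes.io/metadata.name",
            "operator": "NotIn",
            "values": ["kube-system", "local-path-storage"],
        }
    ]
}


def requirement_matches(labels: Dict[str, str], req: dict) -> bool:
    """Kubernetes LabelSelectorRequirement semantics for one matchExpressions entry."""
    key, op, values = req["key"], req["operator"], req.get("values", [])
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        # A missing key satisfies NotIn: without the label the API server has no
        # value to compare, so the namespace is NOT excluded from the webhook.
        return (not present) or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(labels: Dict[str, str], selector: dict) -> bool:
    """True when the API server would send this namespace's pod admission requests to the webhook."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    return all(requirement_matches(labels, r) for r in selector.get("matchExpressions", []))


def webhook_called_for(ns_labels: Dict[str, str]) -> bool:
    return selector_matches(ns_labels, NAMESPACE_SELECTOR)


if __name__ == "__main__":
    print(webhook_called_for({}))                                          # pre-1.21 kube-system, unlabelled
    print(webhook_called_for({"kubernetes.io/metadata.name": "kube-system"}))  # labelled: excluded
    print(webhook_called_for({"kubernetes.io/metadata.name": "default"}))      # app namespace: injected
```

On an older cluster the first case is the one that leaves the injector in the restart path, which is why the namespace must be labelled by hand.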
