User Defined Injections - injects only one property #94

Closed
MichalGuzieniuk opened this issue Apr 13, 2021 · 0 comments · Fixed by #104

@MichalGuzieniuk
Contributor

For the ConfigMap below, which has more than one key/value pair, NRI injects only one pair into the Pod specification. I observed that this injection is random: only one of the pairs, "top-secret" or "k8s.v1.cni.cncf.io/network", is added to the Pod.

apiVersion: v1
kind: ConfigMap
metadata:
  name: nri-user-defined-injections
  namespace: kube-system
data:
  "customInjection": '{"op": "add", "path": "/metadata/annotations", "value": {"k8s.v1.cni.cncf.io/networks": "sriov-net-attach-def"}}'
  "secondInjection": '{"op": "add", "path": "/metadata/annotations", "value": {"top-secret": "password"}}'

POD specification

apiVersion: v1
kind: Pod
metadata:
  name: testpod
  labels:
    customInjection: "true"
    secondInjection: "true"
  annotations:
    k8s.v1.cni.cncf.io/networks: foo-network
spec:
  containers:
  - name: app
    image: alpine
    command: [ "/bin/sh", "-c", "sleep INF" ]

Logs:

I0413 10:45:43.523737       1 main.go:69] starting mutating admission controller for network resources injection
I0413 10:45:43.524389       1 tlsutils.go:120] added client CA to cert pool from path '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
I0413 10:45:43.524405       1 tlsutils.go:122] added '1' client CA(s) to cert pool
I0413 10:46:13.550537       1 webhook.go:943] Initializing user-defined injections with key: customInjection, value: {"op": "add", "path": "/metadata/annotations", "value": {"k8s.v1.cni.cncf.io/networks": "sriov-net-attach-def"}}
I0413 10:46:13.550584       1 webhook.go:943] Initializing user-defined injections with key: secondInjection, value: {"op": "add", "path": "/metadata/annotations", "value": {"top-secret": "password"}}
I0413 10:46:58.393901       1 webhook.go:704] Received mutation request
I0413 10:46:58.438718       1 webhook.go:677] search v1.multus-cni.io/default-network in original pod annotations
I0413 10:46:58.438742       1 webhook.go:684] search v1.multus-cni.io/default-network in user-defined injections
I0413 10:46:58.438751       1 webhook.go:698] v1.multus-cni.io/default-network is not found in either pod annotations or user-defined injections
I0413 10:46:58.438761       1 webhook.go:677] search k8s.v1.cni.cncf.io/networks in original pod annotations
I0413 10:46:58.438769       1 webhook.go:680] k8s.v1.cni.cncf.io/networks is defined in original pod annotations
I0413 10:46:58.438795       1 webhook.go:256] 'foo-network' is not in JSON format: invalid character 'o' in literal false (expecting 'a')... trying to parse as comma separated network selections list
I0413 10:46:58.450875       1 webhook.go:354] network attachment definition 'default/foo-network' found
I0413 10:46:58.450915       1 webhook.go:361] resource 'example.com/foo' needs to be requested for network 'default/foo-network'
I0413 10:46:58.450928       1 webhook.go:790] honor-resources=false
I0413 10:46:58.450955       1 webhook.go:800] injectHugepageDownApi=true
I0413 10:46:58.450981       1 webhook.go:858] patch after all mutations: [{add /spec/containers/0/resources/requests map[]} {add /spec/containers/0/resources/limits map[]} {add /spec/containers/0/resources/requests/example.com~1foo {{1 0} {<nil>}  DecimalSI}} {add /spec/containers/0/resources/limits/example.com~1foo {{1 0} {<nil>}  DecimalSI}} {add /spec/containers/0/volumeMounts/- {podnetinfo false /etc/podnetinfo  <nil> }} {add /spec/volumes/- {podnetinfo {nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil &DownwardAPIVolumeSource{Items:[]DownwardAPIVolumeFile{DownwardAPIVolumeFile{Path:labels,FieldRef:&ObjectFieldSelector{APIVersion:,FieldPath:metadata.labels,},ResourceFieldRef:nil,Mode:nil,},DownwardAPIVolumeFile{Path:annotations,FieldRef:&ObjectFieldSelector{APIVersion:,FieldPath:metadata.annotations,},ResourceFieldRef:nil,Mode:nil,},},DefaultMode:nil,} nil nil nil nil nil nil nil nil nil nil nil nil}}} {add /metadata/annotations map[k8s.v1.cni.cncf.io/networks:sriov-net-attach-def]} {add /metadata/annotations map[k8s.v1.cni.cncf.io/networks:foo-network top-secret:password]}]
I0413 10:46:58.451457       1 webhook.go:396] sending response to the Kubernetes API server
I0413 10:47:13.565255       1 webhook.go:952] Removing stale entry: customInjection from user-defined injections
I0413 10:47:13.565289       1 webhook.go:952] Removing stale entry: secondInjection from user-defined injections
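
An added Go example, not code from this issue or from network-resources-injector: RFC 6902 says an "add" on an object member that already exists replaces its value, so of the two whole-map "add" ops on /metadata/annotations in the logged patch above only the last one survives. `Op`, `Apply` and `PerKey` are hypothetical names; emitting one "add" per annotation key is shown as one way to keep both injections and is not the change that was merged for this issue.

```go
package main

import (
	"fmt"
	"strings"
)

const base = "/metadata/annotations"

// Op is an RFC 6902 "add"; Value is a map (whole object) or a string (one key).
type Op struct {
	Path  string
	Value interface{}
}

// Apply runs the ops, in order, starting from the pod's own annotations.
func Apply(annotations map[string]string, ops []Op) map[string]string {
	var out map[string]string
	// The pod's own annotations are treated as the first whole-map value.
	for _, op := range append([]Op{{base, annotations}}, ops...) {
		switch v := op.Value.(type) {
		case map[string]string: // "add" on an existing member replaces it
			out = map[string]string{}
			for k, s := range v {
				out[k] = s
			}
		case string: // "add" on one key leaves the sibling keys alone
			key := strings.TrimPrefix(op.Path, base+"/")
			out[strings.NewReplacer("~1", "/", "~0", "~").Replace(key)] = v
		}
	}
	return out
}

// PerKey emits one "add" per annotation key, escaped per RFC 6901.
func PerKey(injections []map[string]string) []Op {
	var ops []Op
	for _, inj := range injections {
		for k, v := range inj {
			esc := strings.NewReplacer("~", "~0", "/", "~1").Replace(k)
			ops = append(ops, Op{base + "/" + esc, v})
		}
	}
	return ops
}

func main() {
	pod := map[string]string{"k8s.v1.cni.cncf.io/networks": "foo-network"}
	inj := []map[string]string{{"k8s.v1.cni.cncf.io/networks": "sriov-net-attach-def"}, {"top-secret": "password"}}
	fmt.Println(Apply(pod, PerKey(inj)))
}
```

Passing the two whole-map ops from the log to `Apply` in either order shows the last-writer-wins result; the per-key ops give the same two annotations regardless of order.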

martinkennelly added a commit to martinkennelly/network-resources-injector that referenced this issue Jun 1, 2021
Allowing multiple add ops for annotations allows user
not to understand the current limitation of allowing
a single add op.

Allow only "add" Op for annotation user defined
injection.

Fixes k8snetworkplumbingwg#94
Tested with k8snetworkplumbingwg#98
Signed-off-by: Kennelly, Martin <[email protected]>
martinkennelly added a commit that referenced this issue Jun 10, 2021
Allowing multiple add ops for annotations allows user
not to understand the current limitation of allowing
a single add op.

Allow only "add" Op for annotation user defined
injection.

Fixes #94
Tested with #98
Signed-off-by: Kennelly, Martin <[email protected]>