Add default request from namespace annotation

[atorrescogollo]

My use case is that I want to mount /etc/ssl/certs for each pod inside a namespace in order to use a custom CA easily. It would be great to take the requested annotation from the namespace (as a default annotation). For example:

apiVersion: v1
kind: Namespace
metadata:
  name: test
  annotations:
    k8s-sidecar-injector/default-request: etc-ssl-certs   <--- Applies to every pod in the namespace
  ...
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
  namespace: test
  annotations: {}  <--- No request but default-request is applied
spec:
  ...

I think the affected lines would be these:

k8s-sidecar-injector/pkg/server/webhook.go

Lines 163 to 167 in 85bf83c

	requestedInjection, ok := annotations[requestAnnotationKey]
	if !ok {
	glog.Infof("Pod %s/%s annotation %s is missing, skipping injection", metadata.Namespace, metadata.Name, requestAnnotationKey)
	return "", ErrMissingRequestAnnotation
	}

[domruf]

@atorrescogollo I have the same use case. Have you found a way to make it work? Or maybe a different project that is able to do this?

[atorrescogollo]

Hi @domruf , In think Kyverno should work for this. The approach mentioned is similar to this clusterpolicy.

[atorrescogollo]

I think something like this would work:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-certs
  annotations:
    policies.kyverno.io/title: Autoinject custom CA to pods
    policies.kyverno.io/category: Certificates
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Automount custom CA certificates when an annotation `inject-certs=enabled` is found
spec:
  background: false
  rules:
  - name: add-volume
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
        - key: "{{request.object.metadata.annotations.\"inject-certs\"}}"
          operator: Equals
          value: "enabled"
        - key: "{{request.operation}}"
          operator: In
          value:
          - CREATE
          - UPDATE
    mutate:
      foreach:
        - list: "request.object.spec.containers"
          patchStrategicMerge:
            spec:
              containers:
              - name: "{{ element.name }}"
                volumeMounts:
                  - name: "etc-ssl-certs"
                    mountPath: "/etc/ssl/certs"
              volumes:
              - name: etc-ssl-certs
                configMap:
                  name: ca-pemstore

[domruf]

@atorrescogollo thank you very much. I think this will be very helpful.