Configurable failurePolicy for the MutatingWebhook of the vault agent injector #399
Labels
enhancement
New feature or request
Comments
orirawlings
added a commit
to orirawlings/vault-helm
that referenced
this issue
Oct 12, 2020
orirawlings
added a commit
to orirawlings/vault-helm
that referenced
this issue
Oct 12, 2020
orirawlings
added a commit
to orirawlings/vault-helm
that referenced
this issue
Oct 12, 2020
jasonodonnell
pushed a commit
that referenced
this issue
Oct 13, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
We observe some occasional race conditions between recreation of the vault agent injector pod (for ex. due to node disruption) and the creation of other pods that expect a vault agent to be injected. Currently, the MutatingWebhook is configured with the default
failurePolicy(i.e.Ignore) so when these pods are created while the injector is unavailable, they proceed through creation without the mutation. These pods often run applications that CrashLoopBackoff indefinitely because necessary access to secrets is never established.Describe the solution you'd like
We'd like to be able to temporarily block pod creation when vault agent injector is unavailable, and as such, we'd like to expose the configuration of the MutatingWebhook's
failurePolicyin the chart values.Describe alternatives you've considered
None
Additional context
None
The text was updated successfully, but these errors were encountered: