mirror of https://github.com/linkerd/linkerd2.git
### What

When a namespace has the opaque ports annotation, pods and services should inherit it if they do not have one themselves. Currently, services do this but pods do not. This can lead to surprising behavior where services are correctly marked as opaque, but pods are not.

This changes the proxy-injector so that it now passes down the opaque ports annotation to pods from their namespace if they do not have their own annotation set.

Closes #5736.

### How

The proxy-injector webhook receives admission requests for pods and services. Regardless of the resource kind, it now checks if the resource should inherit the opaque ports annotation from its namespace. It should inherit it if the namespace has the annotation but the resource does not.

If the resource should inherit the annotation, the webhook creates an annotation patch which is only responsible for adding the opaque ports annotation.

After generating the annotation patch, it checks if the resource is injectable. From here there are a few scenarios:

1. If no annotation patch was created and the resource is not injectable, then admit the request with no changes. Examples of this are services with no OP annotation and inject-disabled pods with no OP annotation.
2. If the resource is a pod and it is injectable, create a patch that includes the proxy and proxy-init containers—as well as any other annotations and labels.
3. The above two scenarios lead to a patch being generated at this point, so no matter the resource the patch is returned.

### UI changes

Resources are now reported to either be "injected", "skipped", or "annotated".

The first pass at this PR worked around the fact that injection reports consider services and namespaces injectable. This is not accurate because they don't have pod templates that could be injected; they can however be annotated.

To fix this, an injection report now considers resources "annotatable" and uses this to clean up some logic in the `inject` command, as well as avoid a more complex proxy-injector webhook. What's cool about this is it fixes some `inject` command output that would label resources as "injected" when they were not even mutated. For example, namespaces were always reported as being injected even if annotations were not added. Now, it will properly report that a namespace has been "annotated" or "skipped".

### Tests

For testing, unit tests and integration tests have been added.

Manual testing can be done by installing linkerd with `debug` controller log levels, and tailing the proxy-injector's app container when creating pods or services.

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
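The inheritance rule and the three admission scenarios from the commit message, as an added worked example. This is illustrative code written for this page, not the linkerd2 proxy-injector's own implementation: `Resource`, `Admit`, `OpaquePortsPatch` and `ShouldInheritOpaquePorts` are hypothetical names, the injectability check is reduced to "a pod that is not explicitly inject-disabled", and the sidecar patch is a placeholder container instead of the real proxy and proxy-init specs. The annotation keys `config.linkerd.io/opaque-ports` and `linkerd.io/inject` are the real Linkerd annotations. Note the RFC 6901 escaping of `/` in the annotation key: an unescaped key would make the JSON patch target the wrong path, and the annotation would silently not be applied.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Real Linkerd annotation keys; everything else in this file is illustrative.
const (
	OpaquePortsAnnotation = "config.linkerd.io/opaque-ports"
	InjectAnnotation      = "linkerd.io/inject"
)

// Resource is a hypothetical stand-in for the pod or service object the
// admission webhook receives; only kind and metadata.annotations matter here.
type Resource struct {
	Kind        string
	Annotations map[string]string
}

// JSONPatchOp is one RFC 6902 operation, the form admission responses use.
type JSONPatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// ShouldInheritOpaquePorts is the rule from the commit message: inherit when
// the namespace carries the annotation and the resource itself does not.
func ShouldInheritOpaquePorts(nsAnnotations, resAnnotations map[string]string) bool {
	if _, ok := nsAnnotations[OpaquePortsAnnotation]; !ok {
		return false
	}
	_, has := resAnnotations[OpaquePortsAnnotation]
	return !has
}

// escapeJSONPointer escapes "~" and "/" per RFC 6901 so the annotation key
// is a single path segment rather than two.
func escapeJSONPointer(s string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(s)
}

// OpaquePortsPatch builds the annotation-only patch, or nil if the resource
// should not inherit. When metadata.annotations is absent, "add" must create
// the whole object; adding a child of a missing object would be rejected.
func OpaquePortsPatch(nsAnnotations, resAnnotations map[string]string) []JSONPatchOp {
	if !ShouldInheritOpaquePorts(nsAnnotations, resAnnotations) {
		return nil
	}
	value := nsAnnotations[OpaquePortsAnnotation]
	if len(resAnnotations) == 0 {
		return []JSONPatchOp{{Op: "add", Path: "/metadata/annotations",
			Value: map[string]string{OpaquePortsAnnotation: value}}}
	}
	return []JSONPatchOp{{Op: "add",
		Path: "/metadata/annotations/" + escapeJSONPointer(OpaquePortsAnnotation), Value: value}}
}

// Admit walks the three scenarios and returns the patch plus the report
// status ("skipped", "injected" or "annotated"). The injectability test is a
// simplification: pods that are not explicitly inject-disabled.
func Admit(res Resource, nsAnnotations map[string]string) ([]JSONPatchOp, string) {
	patch := OpaquePortsPatch(nsAnnotations, res.Annotations)
	injectable := res.Kind == "Pod" && res.Annotations[InjectAnnotation] != "disabled"
	switch {
	case patch == nil && !injectable:
		return nil, "skipped" // scenario 1: nothing to change
	case injectable:
		// scenario 2: sidecar patch (placeholder container) on top of any annotation patch
		patch = append(patch, JSONPatchOp{Op: "add", Path: "/spec/containers/-",
			Value: map[string]string{"name": "linkerd-proxy"}})
		return patch, "injected"
	default:
		return patch, "annotated" // scenario 3: annotation patch only
	}
}

func main() {
	// Constructed sample input: a namespace marking two ports opaque, and a
	// service and a pod without their own annotation.
	ns := map[string]string{OpaquePortsAnnotation: "4317,8080"}
	for _, r := range []Resource{
		{Kind: "Service"},
		{Kind: "Pod", Annotations: map[string]string{"app": "demo"}},
		{Kind: "Pod", Annotations: map[string]string{InjectAnnotation: "disabled", OpaquePortsAnnotation: "9000"}},
	} {
		patch, report := Admit(r, ns)
		b, _ := json.Marshal(patch)
		fmt.Printf("%s: %s %s\n", r.Kind, report, b)
	}
}
```

A useful check after a rollout is to confirm that a pod and the service in front of it carry the same opaque-ports value; a service marked opaque while its pods still do protocol detection is exactly the mismatch the change is meant to remove.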
Files in this directory:

- fake
- metrics.go
- webhook.go
- webhook_test.go