Make the istio annotation on jobs configurable #2652

Closed
Michael-Kruggel opened this issue Sep 10, 2024 · 4 comments
@Michael-Kruggel
Contributor

➹ New Feature implementation request

Is your feature request related to a problem?

Jobs don't function in clusters with STRICT mTLS.

Describe the solution you'd like

The ability to overwrite the annotation that disables istio injection. This annotation: sidecar.istio.io/inject = false

Additional context

This is running in a cluster that uses UDS - Core which has an application that handles exiting the sidecar on jobs.

@Michael-Kruggel Michael-Kruggel added the enhancement New feature or request label Sep 10, 2024
@J12934
Member

J12934 commented Sep 11, 2024

Hi @Michael-Kruggel

Generally I'd really like to get rid of the annotation.
The context for why this was added is here: #132
The problem was that the scans never finished because the istio sidecar would never terminate.

If Istio has changed its sidecar behavior to work with kubernetes jobs, e.g. by using the k8s 1.29 sidecar / initContainer restart always, we should be able to just remove the annotation.

I'm not sure what the best way forward here is to support your environment where the sidecar termination is already handled.
I'd rather remove the annotation (that is now set by default) and then allow people who want to disable the sidecar to set the annotation on their own and not have it set by default. This would be a breaking change though, we are planning to do a 5.0.0 breaking release in ~2 months so we could do it then.

@corang

corang commented Sep 12, 2024

Given that the next breaking release isn't for "~2 months" would it be possible to make it configurable in the meantime? Leave the default as it is right now but allow the annotation value to be set?

@J12934
Member

J12934 commented Sep 13, 2024

Sure 😊
I'd suggest that we just add a "disableIstioSidecarsOnAllPods" helm value to the scb operator helm chart, which then passes this to the operator via an env var to then control if the annotation is passed to the pods or not. Ideally with a note that this flag is deprecated and will be removed with v5.
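
The flow proposed in the comment above (helm value, env var, conditional annotation), sketched as an added example; it is not code from this thread or from the secureCodeBox operator. The env var name `DISABLE_ISTIO_SIDECARS_ON_ALL_PODS`, both function names, and the rule that an annotation already present on the pod wins are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// Annotation named in the issue; "false" tells Istio not to inject a sidecar.
const istioInjectAnnotation = "sidecar.istio.io/inject"

// Hypothetical env var name; the thread only names the helm value
// "disableIstioSidecarsOnAllPods".
const disableSidecarEnv = "DISABLE_ISTIO_SIDECARS_ON_ALL_PODS"

// sidecarsDisabled parses the flag. An unset or unparsable value keeps the
// current default (injection disabled) so an upgrade does not change behaviour.
func sidecarsDisabled(raw string) (bool, error) {
	if raw == "" {
		return true, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return true, fmt.Errorf("%s=%q is not a boolean, keeping default", disableSidecarEnv, raw)
	}
	return v, nil
}

// jobPodAnnotations returns a copy of the annotations for a job pod and adds
// the opt-out only when the flag is on and the key is not already set
// (letting an existing value win is an assumption of this example).
func jobPodAnnotations(existing map[string]string, disable bool) map[string]string {
	out := make(map[string]string, len(existing)+1)
	for k, v := range existing {
		out[k] = v
	}
	if _, set := out[istioInjectAnnotation]; disable && !set {
		out[istioInjectAnnotation] = "false"
	}
	return out
}

func main() {
	disable, err := sidecarsDisabled(os.Getenv(disableSidecarEnv))
	if err != nil {
		fmt.Fprintln(os.Stderr, "warning:", err)
	}
	// Constructed sample annotations for a scan job pod.
	fmt.Println(jobPodAnnotations(map[string]string{"team": "sec"}, disable))
}
```

With the flag set to `false`, job pods get the sidecar injected, so in a STRICT mTLS mesh they can reach other workloads, and something else in the cluster has to stop the sidecar when the job finishes.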

@Weltraumschaf Weltraumschaf moved this from Backlog to In Progress in secureCodeBox v4 Sep 20, 2024
@J12934
Member

J12934 commented Sep 20, 2024

Will be resolved by the next release. Hopefully next week 🤞

PR: #2665

@J12934 J12934 closed this as completed Sep 20, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in secureCodeBox v4 Sep 20, 2024