This mutating webhook transforms all volumeMounts of ALL pods which use a PersistentVolumeClaim to use mountPropagation: HostToContainer which is needed in order for juiceFS volumes to recover.

• have helm installed on your computer
• have cert-manager installed in your cluster

kubectl create namespace juicefs
helm repo add juicefs-volume-hook https://breuerfelix.github.io/juicefs-volume-hook
helm repo update
helm install juicefs-volume-hook juicefs-volume-hook/juicefs-volume-hook -n juicefs

The controller will convert ALL volumeMount.mountPropagation fields which have a PersistentVolumeClaim to HostToContainer.

Start the controller with the --pod-annotation flag and the controller will ONLY process pods which have set the juicefs.volume.hook/mount-propagation annotation to "true".

Start the controller with the --storage-classes=foobar flag in order to ONLY process volumeMounts that have the given storage classes. Multiple storage classes have to be comma separated.

The controller-runtime package always creates a Webhook Server that relies on TLS, and therefore requires a certificate. As this complicates local development, you can use the following approach to tunnel the server running locally with a self-signed certificate through localtunnel, exposing it via public TLS which the Kubernetes API server accepts.

Generate selfsigned certificates:

bash hack/gen-certs.sh

Start the local webhook server with the certs configured:

go run main.go --cert-dir certs --key-name server.key --cert-name server.crt

Create a tunnel that exposes your local server:

npx localtunnel --port 9443 --local-https --local-ca certs/ca.crt --local-cert certs/server.crt --local-key certs/server.key --subdomain juicefs

Finally, apply the MutatingWebhookConfiguration:

kubectl apply -f example/webhook.yaml

• add serviceaccount, role and rolebinding for controller to list PVC

I wrote a Blog Post on how to create a minimal Kubernetes Admission Webhook like this one. Just check it out :)