k8snetworkplumbingwg / network-resources-injector

A Kubernetes Dynamic Admission Controller that patches Pods to add additional information.

User Defined Injections - does not take into account json path operation

MichalGuzieniuk opened this issue · comments

While defining custom data in a ConfigMap it is possible to define a JSON path operation (add, remove, replace, copy, move). Those operations are not taken into account by NRI.

For instance for ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: nri-user-defined-injections
  namespace: kube-system
data:
  "customInjection": '{"op": "remove", "path": "/metadata/annotations", "value": {"k8s.v1.cni.cncf.io/networks": "foo-network"}}'

Original POD specification is not modified

apiVersion: v1
kind: Pod
metadata:
  name: testpod
  labels:
    customInjection: "true"
  annotations:
    k8s.v1.cni.cncf.io/networks: foo-network
spec:
  containers:
  - name: app
    image: alpine
    command: [ "/bin/sh", "-c", "sleep INF" ]

Expected to remove foo-network from POD specification.

Second use case, for ConfigMap, operation add

apiVersion: v1
kind: ConfigMap
metadata:
  name: nri-user-defined-injections
  namespace: kube-system
data:
  "customInjection": '{"op": "add", "path": "/metadata/annotations", "value": {"k8s.v1.cni.cncf.io/networks": "sriov-net-attach-def"}}'

and the above POD definition, I would expect the add operation to leave two networks after modification

 k8s.v1.cni.cncf.io/networks: foo-network, sriov-net-attach-def

Instead, for the given key, the values are replaced. Current state:

 k8s.v1.cni.cncf.io/networks: sriov-net-attach-def
commented

@MichalGuzieniuk Thanks for the continued testing!

While defining custom data in a ConfigMap it is possible to define a JSON path operation (add, remove, replace, copy, move). Those operations are not taken into account by NRI.

For instance for ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: nri-user-defined-injections
  namespace: kube-system
data:
  "customInjection": '{"op": "remove", "path": "/metadata/annotations", "value": {"k8s.v1.cni.cncf.io/networks": "foo-network"}}'

Original POD specification is not modified

apiVersion: v1
kind: Pod
metadata:
  name: testpod
  labels:
    customInjection: "true"
  annotations:
    k8s.v1.cni.cncf.io/networks: foo-network
spec:
  containers:
  - name: app
    image: alpine
    command: [ "/bin/sh", "-c", "sleep INF" ]

Expected to remove foo-network from POD specification.

I only added the add operation in the initial implementation as that was the use-case I'd like to use.
I think we can take this as a feature enhancement for a future release.

Second use case, for ConfigMap, operation add

apiVersion: v1
kind: ConfigMap
metadata:
  name: nri-user-defined-injections
  namespace: kube-system
data:
  "customInjection": '{"op": "add", "path": "/metadata/annotations", "value": {"k8s.v1.cni.cncf.io/networks": "sriov-net-attach-def"}}'

and the above POD definition, I would expect the add operation to leave two networks after modification

 k8s.v1.cni.cncf.io/networks: foo-network, sriov-net-attach-def

Instead, for the given key, the values are replaced. Current state:

 k8s.v1.cni.cncf.io/networks: sriov-net-attach-def

Another good catch!
I didn't think of such a case, but it sounds reasonable to expect the networks to be appended to the existing list.
I will consider implementing this along with the first use case.

@zshi-redhat Thank you for the comment, sounds good to me.
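
An added illustration of the behaviour discussed in this thread, not code from network-resources-injector: under RFC 6902 an `add` whose path names an existing object member replaces that member's value, which is consistent with the overwritten annotation reported above. The Go example below merges an injection into the pod's current annotations instead, appending to or removing from the networks list and rejecting any other operation; `mergeInjection` and `patchOp` are hypothetical names, and the comma-separated list handling is an assumption based on the expected output in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const networksKey = "k8s.v1.cni.cncf.io/networks" // annotation from the issue

type patchOp struct { // one RFC 6902 operation, shaped like the ConfigMap entries
	Op    string            `json:"op"`
	Path  string            `json:"path"`
	Value map[string]string `json:"value"`
}

// mergeInjection (hypothetical helper, not NRI code) returns one "add" with the merged annotations.
func mergeInjection(existing map[string]string, injection string) (patchOp, error) {
	var in patchOp
	if err := json.Unmarshal([]byte(injection), &in); err != nil {
		return patchOp{}, err
	}
	want := in.Value[networksKey]
	if in.Path != "/metadata/annotations" || (in.Op != "add" && in.Op != "remove") || want == "" {
		return patchOp{}, fmt.Errorf("unsupported injection: op=%q path=%q", in.Op, in.Path)
	}
	merged := map[string]string{}
	for k, v := range existing {
		merged[k] = v
	}
	var nets []string // networks already on the pod, minus the injected one
	for _, n := range strings.Split(existing[networksKey], ",") {
		if n = strings.TrimSpace(n); n != "" && n != want {
			nets = append(nets, n)
		}
	}
	if in.Op == "add" {
		nets = append(nets, want) // append instead of overwriting; no duplicate entry
	}
	delete(merged, networksKey) // an empty list drops the annotation entirely
	if len(nets) > 0 {
		merged[networksKey] = strings.Join(nets, ", ")
	}
	return patchOp{Op: "add", Path: in.Path, Value: merged}, nil
}

func main() { // constructed input: the pod annotation and "add" injection from the issue
	fmt.Println(mergeInjection(map[string]string{networksKey: "foo-network"},
		`{"op":"add","path":"/metadata/annotations","value":{"k8s.v1.cni.cncf.io/networks":"sriov-net-attach-def"}}`))
}
```

Because the returned patch carries the full merged map, annotations that the injection does not mention are preserved when the patch is applied.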