Merge pull request #117 from secureCodeBox/disable-istio-injection

Disable Istio Injection for Scan/Parser/Hook Pods
secureCodeBox · Sep 29, 2020 · 3dfcc92 · 3dfcc92
2 parents d59daec + d379001
commit 3dfcc92
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
@@ -376,6 +376,9 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 					Annotations: map[string]string{
 						"auto-discovery.experimental.securecodebox.io/ignore": "true",
 					},
+					Labels: map[string]string{
+						"sidecar.istio.io/inject": "false",
+					},
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: serviceAccountName,

diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
@@ -94,6 +94,9 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 					Annotations: map[string]string{
 						"auto-discovery.experimental.securecodebox.io/ignore": "true",
 					},
+					Labels: map[string]string{
+						"sidecar.istio.io/inject": "false",
+					},
 				},
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyNever,

diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
@@ -187,6 +187,16 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 		},
 	})
 
+	// Ensuring that istio doesn't inject a sidecar proxy.
+	// This currently messes with
+	if job.Spec.Template.ObjectMeta.Labels != nil {
+		job.Spec.Template.ObjectMeta.Labels["sidecar.istio.io/inject"] = "true"
+	} else {
+		job.Spec.Template.ObjectMeta.Labels = map[string]string{
+			"sidecar.istio.io/inject": "false",
+		}
+	}
+
 	// merging volume mounts (for the primary scanner container) from ScanType (if existing) with standard results volume mount
 	if job.Spec.Template.Spec.Containers[0].VolumeMounts == nil || len(job.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 {
 		job.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{}